13. NZ SAMS Constraints on the OASIS SAML v2.0 Authentication Context
Specification Name: Authentication Context for OASIS SAML v2.0
SAML Specification Reference: Saml-authn-context-2.0-os
This html page contains lines 879-897 from Part 2 of the PDF version of NZ SAMS v1.0
If a service provider is to rely on the authentication of the principal by an authentication authority, e.g. the GLS, then the identity provider MAY provide additional information about the assertion to assess the level of confidence at which the assertion has been generated. Secondly, the authentication context MAY be used to request the required method of authentication; that is, the authentication method may specify two-factor authentication or stronger.
Authentication contexts MAY be ranked in order of strength and complexity. Where custom <AuthnContext> elements are used, they MUST be communicated out of band by the IdP to the service providers. This includes the ranking of the authentication contexts.
The following table, Table 11, sets out the authentication context requirements for NZ SAMS.
Table 11 – NZ SAMS constraints on OASIS SAML v2.0 authentication context
Authentication Context for SAML v2.0

Subsection 2.2 Extensibility (Line: 195-200)
What is Excluded or Altered from the SAML v2.0: Extensions to the defined authentication contexts MUST NOT occur. Custom schema snippets have the potential to allow non-standard implementations and prevent interoperability between partners.

Subsection 3. Authentication Context classes (Line: 1062 – 3834)
What is Excluded or Altered from the SAML v2.0: <AuthenticationContextClassDecl> MUST NOT be used.

Line: 1133 – 1143
Deployment alignment: Custom authentication contexts are defined for the GLS. The default for the authentication context is 'basic'. This is required in the GLS to send key strength. Further details on authentication contexts can be obtained in [GLSMS].
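As an added illustration (not part of NZ SAMS, the GLS or the OASIS specification), the following Python shows a service-provider check that applies the ranking rule from the paragraph above together with the Table 11 prohibitions: an assertion is accepted only when its AuthnContextClassRef is in the ranking agreed out of band with the IdP and is at least as strong as the context the service provider required, and any inline context declaration is rejected. The ranking order and the sample assertion are constructed for this example.

```python
# Added example, not code from NZ SAMS or the GLS: SP-side validation of the
# <AuthnContext> carried in a SAML 2.0 assertion against an out-of-band ranking.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed out-of-band ranking, weakest first. The class URIs are standard
# SAML 2.0 authentication context classes; the ordering is constructed here.
RANKING = [
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
]

def check_authn_context(assertion_xml: str, required_class: str) -> tuple:
    """Return (accepted, reason).

    Accepts only a class reference that is in RANKING and ranked at or above
    required_class. Rejects inline <AuthnContextDecl> content, since custom
    schema snippets and context class declarations are not permitted.
    """
    if required_class not in RANKING:
        raise ValueError("required class is not in the agreed ranking")
    root = ET.fromstring(assertion_xml)
    ctx = root.find(".//saml:AuthnStatement/saml:AuthnContext", NS)
    if ctx is None:
        return False, "no AuthnContext in assertion"
    if ctx.find("saml:AuthnContextDecl", NS) is not None:
        return False, "inline AuthnContextDecl not permitted"
    ref = ctx.find("saml:AuthnContextClassRef", NS)
    asserted = (ref.text or "").strip() if ref is not None else ""
    if asserted not in RANKING:
        return False, "AuthnContextClassRef missing or not in agreed ranking"
    if RANKING.index(asserted) < RANKING.index(required_class):
        return False, f"{asserted} is weaker than required {required_class}"
    return True, asserted

# Constructed sample assertion (only the elements the check inspects).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_authn_context(SAMPLE, RANKING[0]))   # accepted
    print(check_authn_context(SAMPLE, RANKING[2]))   # too weak
```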