ComplexAuthenticator
Supports Authenticators with nested combinations of additional complexity.
Element information
Namespace: None
Schema document: saml-2.0-os/saml-schema-authn-context-types-2.0.xsd
Type: ComplexAuthenticatorType
Properties: Global, Qualified
Content
- Sequence [1..1]
  - Choice [1..1] (from group AuthenticatorChoiceGroup: exactly one of the following)
    - PreviousSession Indicates that the Principal has been strongly authenticated in a previous session during which the IdP has set a cookie in the UA. During the present session the Principal has only been authenticated by the UA returning the cookie to the IdP.
    - ResumeSession Rather like PreviousSession but using stronger security. A secret that was established in a previous session with the Authentication Authority has been cached by the local system and is now re-used (e.g. a Master Secret is used to derive new session keys in TLS, SSL, WTLS).
    - DigSig This element indicates that the Principal has been authenticated by a mechanism which involves the Principal computing a digital signature over at least challenge data provided by the IdP.
    - Password This element indicates that a password (or passphrase) has been used to authenticate the Principal to a remote system.
    - RestrictedPassword
    - ZeroKnowledge This element indicates that the Principal has been authenticated by a zero-knowledge technique as specified in ISO/IEC 9798-5.
    - SharedSecretChallengeResponse
    - SharedSecretDynamicPlaintext The local system and Authentication Authority share a secret key. The local system uses this to encrypt a randomised string to pass to the Authentication Authority.
    - IPAddress This element indicates that the Principal has been authenticated through connection from a particular IP address.
    - AsymmetricDecryption The local system has a private key but it is used in decryption mode, rather than signature mode. For example, the Authentication Authority generates a secret and encrypts it using the local system's public key: the local system then proves it has decrypted the secret.
    - AsymmetricKeyAgreement The local system has a private key and uses it for shared secret key agreement with the Authentication Authority (e.g. via Diffie-Hellman).
    - SubscriberLineNumber
    - UserSuffix
    - ComplexAuthenticator Supports Authenticators with nested combinations of additional complexity.
  - Sequence (from group AuthenticatorSequenceGroup: each element optional, in this order)
    - PreviousSession [0..1] Indicates that the Principal has been strongly authenticated in a previous session during which the IdP has set a cookie in the UA. During the present session the Principal has only been authenticated by the UA returning the cookie to the IdP.
    - ResumeSession [0..1] Rather like PreviousSession but using stronger security. A secret that was established in a previous session with the Authentication Authority has been cached by the local system and is now re-used (e.g. a Master Secret is used to derive new session keys in TLS, SSL, WTLS).
    - DigSig [0..1] This element indicates that the Principal has been authenticated by a mechanism which involves the Principal computing a digital signature over at least challenge data provided by the IdP.
    - Password [0..1] This element indicates that a password (or passphrase) has been used to authenticate the Principal to a remote system.
    - RestrictedPassword [0..1]
    - ZeroKnowledge [0..1] This element indicates that the Principal has been authenticated by a zero-knowledge technique as specified in ISO/IEC 9798-5.
    - SharedSecretChallengeResponse [0..1]
    - SharedSecretDynamicPlaintext [0..1] The local system and Authentication Authority share a secret key. The local system uses this to encrypt a randomised string to pass to the Authentication Authority.
    - IPAddress [0..1] This element indicates that the Principal has been authenticated through connection from a particular IP address.
    - AsymmetricDecryption [0..1] The local system has a private key but it is used in decryption mode, rather than signature mode. For example, the Authentication Authority generates a secret and encrypts it using the local system's public key: the local system then proves it has decrypted the secret.
    - AsymmetricKeyAgreement [0..1] The local system has a private key and uses it for shared secret key agreement with the Authentication Authority (e.g. via Diffie-Hellman).
    - SubscriberLineNumber [0..1]
    - UserSuffix [0..1]
    - Extension [0..*]
Attributes
None
Used in
- Group AuthenticatorChoiceGroup
- Type AuthenticatorBaseType via reference to AuthenticatorChoiceGroup (Element Authenticator)
- Type ComplexAuthenticatorType via reference to AuthenticatorChoiceGroup (Element ComplexAuthenticator)
Sample instance
The first PreviousSession below satisfies the Choice; the second PreviousSession and every element after it belong to the optional sequence group, so the repeated name is valid.

<ComplexAuthenticator>
  <PreviousSession><Extension><!--any element--></Extension></PreviousSession>
  <PreviousSession><Extension><!--any element--></Extension></PreviousSession>
  <ResumeSession><Extension><!--any element--></Extension></ResumeSession>
  <DigSig><Extension><!--any element--></Extension></DigSig>
  <Password>
    <Length min="1"/>
    <Alphabet requiredChars="string"/>
    <Generation mechanism="principalchosen"/>
    <Extension><!--any element--></Extension>
  </Password>
  <RestrictedPassword>
    <Length min="1"/>
    <Generation mechanism="principalchosen"/>
    <Extension><!--any element--></Extension>
  </RestrictedPassword>
  <ZeroKnowledge><Extension><!--any element--></Extension></ZeroKnowledge>
  <SharedSecretChallengeResponse><Extension><!--any element--></Extension></SharedSecretChallengeResponse>
  <SharedSecretDynamicPlaintext><Extension><!--any element--></Extension></SharedSecretDynamicPlaintext>
  <IPAddress><Extension><!--any element--></Extension></IPAddress>
  <AsymmetricDecryption><Extension><!--any element--></Extension></AsymmetricDecryption>
  <AsymmetricKeyAgreement><Extension><!--any element--></Extension></AsymmetricKeyAgreement>
  <SubscriberLineNumber><Extension><!--any element--></Extension></SubscriberLineNumber>
  <UserSuffix><Extension><!--any element--></Extension></UserSuffix>
  <Extension><!--any element--></Extension>
</ComplexAuthenticator>
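As an added example (not part of this schema documentation or of the OASIS schema itself), the following Python walks a ComplexAuthenticator instance, flattens the authenticator methods it declares by descending into nested ComplexAuthenticator elements, and checks the instance against the content model above: one AuthenticatorChoiceGroup element first, then at most one of each AuthenticatorSequenceGroup element in schema order, then Extension. The sample XML is constructed here; the `local` helper assumes the instance may carry the namespace of an including authentication context class schema.

```python
import xml.etree.ElementTree as ET
# AuthenticatorChoiceGroup: exactly one of these comes first; ComplexAuthenticator may nest.
CHOICE = (
    "PreviousSession", "ResumeSession", "DigSig", "Password", "RestrictedPassword",
    "ZeroKnowledge", "SharedSecretChallengeResponse", "SharedSecretDynamicPlaintext",
    "IPAddress", "AsymmetricDecryption", "AsymmetricKeyAgreement",
    "SubscriberLineNumber", "UserSuffix", "ComplexAuthenticator",
)
# AuthenticatorSequenceGroup: same names minus ComplexAuthenticator, each [0..1]
# in this order, then Extension [0..*].
SEQUENCE = CHOICE[:-1]

def local(el): return el.tag.rsplit("}", 1)[-1]  # drop a namespace if present (assumption)

def check_complex(el):
    """Return violations of the ComplexAuthenticatorType content model, recursively."""
    kids = [local(c) for c in el]
    if not kids or kids[0] not in CHOICE:
        return ["first child must come from AuthenticatorChoiceGroup"]
    errors, pos = [], -1  # pos: SEQUENCE index of the last sequence element seen
    for name in kids[1:]:
        if name == "Extension":
            pos = len(SEQUENCE)  # Extension only at the tail
        elif name not in SEQUENCE or SEQUENCE.index(name) <= pos:
            errors.append(f"{name} out of order or repeated in sequence group")
        else:
            pos = SEQUENCE.index(name)
    for c in el:
        if local(c) == "ComplexAuthenticator":
            errors.extend(check_complex(c))
    return errors

def authenticators(el):
    """Flatten the declared methods, descending into nested ComplexAuthenticator."""
    out = []
    for c in el:
        name = local(c)
        if name == "ComplexAuthenticator":
            out.extend(authenticators(c))
        elif name != "Extension":
            out.append(name)
    return out

def analyse(xml_text):  # parse one ComplexAuthenticator -> (methods, violations)
    root = ET.fromstring(xml_text)
    return authenticators(root), check_complex(root)
# Constructed sample: nested DigSig+Password pair (the Choice), then IPAddress, then Extension.
SAMPLE = ("<ComplexAuthenticator><ComplexAuthenticator><DigSig/><Password/>"
          "</ComplexAuthenticator><IPAddress/><Extension/></ComplexAuthenticator>")
```

A relying party can use the flattened method list to compare what the IdP declares against its own policy before accepting the assertion.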