This document is a product of the Universal Login Experience Work Group. It records the requirements for the user experience based on scenarios and use cases.
This document is currently under active development. Its latest version can always be found here. See the ulx:Change History at the end of this document for its revision number.
The Universal Login Experience Work Group operates under Option Liberty and the publication of this document is governed by the policies outlined in this option.
This is a summary of the collective set of information supplied by all of the actors (IdP, RP, User Agent) in constructing a suitable pop-up experience for discovery.
Comments:
IDP's supported attributes and claims
  SAML: Already defined in the SAML Metadata specifications. Example:
    <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      ...
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:saml_attribute_name_1" />
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:saml_attribute_name_2" />
      ...
    </IDPSSODescriptor>
  OpenID: Explicitly advertise the OP's supported attributes/claims as part of the XRDS document published by the OP? Help needed on the best way to do it with XRDS…
  Information Card: Supported claims are advertised at the creation/import of the Information Card.

IDP's supported Authentication Contexts and Assurance Levels
  SAML: A generic mechanism is defined in "SAML Metadata Extension for Entity Attributes", and a specific attribute is already defined in "SAML Identity Assurance Profiles". Proposal for ACs: define a new attribute name for Authentication Context classes:
    urn:oasis:names:tc:SAML:attribute:authn-context-class
  OpenID: Supported authentication policies can already be advertised in the Yadis XRDS document as specified in "OpenID Provider Authentication Policy Extension 1.0" (should it also be used to advertise the supported Assurance Level?). Can PAPE be used as well to advertise the OP's Assurance Level? (And how does it relate to the OIX Listing Service?)
    icam-assurance-level-1
    icam-assurance-level-2
    icam-assurance-level-3

IDP's DisplayName and Logo URL
  SAML: An OASIS working draft exists with SAML metadata extensions for capturing this information. It is protocol agnostic:
    http://wiki.oasis-open.org/security/SAML2MetadataUI
  OpenID: Proposal: an extension to the YADIS XRDS document. Advertise the OP's DisplayName and Logo URL as part of the XRDS document published by the OP? Help needed on the best way to do it with XRDS…
  Information Card: N/A (either just the "InfoCard" logo or the CardTile of the last used InfoCard)
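As an added example (not part of this page or of any Work Group deliverable), the Python below reads the SAML-side information from all three rows above out of one IdP metadata document: the supported saml:Attribute names, the entity attributes for authentication context classes (using the attribute name proposed above) and assurance certifications (the attribute from the SAML Identity Assurance Profiles), and the DisplayName and Logo from the SAML2MetadataUI extension. The metadata document is constructed for the example; its entityID, assurance URI and logo URL are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
AUTHN_CONTEXT_ATTR = "urn:oasis:names:tc:SAML:attribute:authn-context-class"  # name proposed in the table above
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"  # SAML Identity Assurance Profiles

# Constructed sample metadata (not a real IdP); the two saml:Attribute names match the table's example.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.org/idp"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
 <md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:authn-context-class">
   <saml:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AttributeValue>
   <saml:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
   <saml:AttributeValue>http://example.org/assurance/loa2</saml:AttributeValue></saml:Attribute>
 </mdattr:EntityAttributes></md:Extensions>
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example IdP</mdui:DisplayName>
   <mdui:Logo height="60" width="80">https://idp.example.org/logo.png</mdui:Logo></mdui:UIInfo></md:Extensions>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:saml_attribute_name_1"/>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:saml_attribute_name_2"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def entity_attribute_values(root, name):
    """Values of one entity attribute published under md:Extensions/mdattr:EntityAttributes."""
    attrs = root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
    return [v.text.strip() for a in attrs if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS) if v.text]

def idp_discovery_info(metadata_xml):
    """Collect what a discovery pop-up needs to know about one IdP from its metadata."""
    # Metadata normally arrives over the network: parse it with defusedxml, or only after
    # validating its signature, rather than handing untrusted XML to the bare stdlib parser.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    name = idp.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
    logo = idp.find("md:Extensions/mdui:UIInfo/mdui:Logo", NS)
    return {
        "attributes": [a.get("Name") for a in idp.findall("saml:Attribute", NS)],
        "authn_contexts": entity_attribute_values(root, AUTHN_CONTEXT_ATTR),
        "assurance": entity_attribute_values(root, ASSURANCE_ATTR),
        "display_name": name.text if name is not None else None,
        "logo_url": logo.text if logo is not None else None,
    }
```

Run it as `idp_discovery_info(SAMPLE_METADATA)`; an SP descriptor without an IDPSSODescriptor is rejected rather than yielding empty fields.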