/* $Id$
 *
 * Lasso - A free implementation of the Liberty Alliance specifications.
 *
 * Copyright (C) 2004-2007 Entr'ouvert
 * http://lasso.entrouvert.org
 *
 * Authors: See AUTHORS file in top-level directory.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses/>.
 *
 */

/*
 * This header file copies part of the SOAP 1.1 specification, which you can find at:
 * http://www.w3.org/TR/soap12-part1/
 * whose copyright is:
 * Copyright © 2007 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and
 * document use rules apply.
 */


/**
 * SECTION:strings
 * @short_description: General strings constants for Lasso
 * @include: lasso/xml/strings.h
 *
 * Namespace URIs, preferred namespace prefixes, status codes, authentication
 * context/method identifiers and profile URIs used by Lasso when building and
 * parsing SOAP, ID-FF 1.2 and SAML 1.x messages.  Several constants are QName
 * strings (for example "s:Server", "lib:NoPassive", "samlp:Success") and so
 * hardcode the preferred prefix of their namespace; they only compare equal to
 * the value found in a message if that prefix is the one actually used.
 **/

#ifndef __LASSO_STRINGS_H__
#define __LASSO_STRINGS_H__

#include "saml-2.0/saml2_strings.h"
#include "dsig/strings.h"

/*****************************************************************************/
/* SOAP 1.1                                                                  */
/*****************************************************************************/
/**
 * LASSO_SOAP_ENV_HREF:
 *
 * Namespace for SOAP 1.1 messages
 *
 */
#define LASSO_SOAP_ENV_HREF "http://schemas.xmlsoap.org/soap/envelope/"
/**
 * LASSO_SOAP_ENV_PREFIX:
 *
 * Preferred prefix for namespace of SOAP 1.1 messages.  The
 * LASSO_SOAP_FAULT_CODE_* constants below are QNames built with this prefix.
 *
 */
#define LASSO_SOAP_ENV_PREFIX "s"

/**
 * LASSO_SOAP_ENV_ACTOR:
 *
 * SOAP 1.1 actor URI designating the next SOAP application that processes the
 * message (the "next" actor).
 */
#define LASSO_SOAP_ENV_ACTOR "http://schemas.xmlsoap.org/soap/actor/next"
/**
 * LASSO_SOAP_FAULT_CODE_SERVER:
 *
 * Quoting from SOAP 1.1 specifications:
 * « The Server class of errors indicate that the message could not be processed for reasons not
 * directly attributable to the contents of the message itself but rather to the processing of the
 * message. For example, processing could include communicating with an upstream processor, which
 * didn't respond. The message may succeed at a later point in time. See also section 4.4 for a
 * description of the SOAP Fault detail sub-element. »
 */
#define LASSO_SOAP_FAULT_CODE_SERVER "s:Server"

/**
 * LASSO_SOAP_FAULT_CODE_CLIENT:
 *
 * Quoting from SOAP 1.1 specifications:
 * « The Client class of errors indicate that the message was incorrectly formed or did not contain
 * the appropriate information in order to succeed. For example, the message could lack the proper
 * authentication or payment information. It is generally an indication that the message should not
 * be resent without change. See also section 4.4 for a description of the SOAP Fault detail
 * sub-element. »
 */
#define LASSO_SOAP_FAULT_CODE_CLIENT "s:Client"

/**
 * LASSO_SOAP_FAULT_CODE_MUST_UNDERSTAND:
 *
 * Quoting from SOAP 1.1 specifications:
 * « An immediate child element of the SOAP Header element that was either not understood or not
 * obeyed by the processing party contained a SOAP mustUnderstand attribute with a value of "1" (see
 * section 4.2.3) »
 */
#define LASSO_SOAP_FAULT_CODE_MUST_UNDERSTAND "s:MustUnderstand"

/**
 * LASSO_SOAP_FAULT_CODE_VERSION_MISMATCH:
 *
 * Quoting from SOAP 1.1 specifications:
 * « The processing party found an invalid namespace for the SOAP Envelope element (see section
 * 4.1.2) »
 */
#define LASSO_SOAP_FAULT_CODE_VERSION_MISMATCH "s:VersionMismatch"

/**
 * LASSO_PRIVATE_STATUS_CODE_FAILED_TO_RESTORE_ARTIFACT:
 *
 * An artifact content is present but Lasso failed to rebuild the corresponding XML content.
 * This is a Lasso-private status code, not one defined by SOAP, ID-FF or SAML.
 */
#define LASSO_PRIVATE_STATUS_CODE_FAILED_TO_RESTORE_ARTIFACT "FailedToRestoreArtifact"

/*
 * WS-Security Utility
 */

/**
 * LASSO_WSUTIL1_HREF:
 *
 * Namespace for the WS-Security Utility 1.0 schema (wsu).
 *
 */
#define LASSO_WSUTIL1_HREF \
	"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
/**
 * LASSO_WSUTIL1_PREFIX:
 *
 * Preferred prefix for the WS-Security Utility 1.0 namespace.
 *
 */
#define LASSO_WSUTIL1_PREFIX "wsutil"

/**
 * LASSO_XMLENC_HREF:
 *
 * Namespace for xmlenc-core
 */
#define LASSO_XMLENC_HREF "http://www.w3.org/2001/04/xmlenc#"

/**
 * LASSO_XMLENC_PREFIX:
 *
 * Preferred prefix for namespace of xmlenc-core
 */
#define LASSO_XMLENC_PREFIX "xmlenc"

/*****************************************************************************/
/* Lasso                                                                     */
/*****************************************************************************/

/**
 * LASSO_LASSO_HREF:
 *
 * Namespace for Lasso internal serialization format
 */
#define LASSO_LASSO_HREF "http://www.entrouvert.org/namespaces/lasso/0.0"
/**
 * LASSO_LASSO_PREFIX:
 *
 * Preferred prefix for the lasso internal serialization format namespace.
 */
#define LASSO_LASSO_PREFIX "lasso"

/**
 * LASSO_PYTHON_HREF:
 *
 * Namespace for translation of Lasso symbols to the python namespace.
 */
#define LASSO_PYTHON_HREF "http://www.entrouvert.org/namespaces/python/0.0"

/**
 * LASSO_SIGNATURE_TYPE_ATTRIBUTE:
 *
 * Attribute name for the Lasso signature type attribute.
 */
#define LASSO_SIGNATURE_TYPE_ATTRIBUTE BAD_CAST "SignatureType"

/**
 * LASSO_SIGNATURE_METHOD_ATTRIBUTE:
 *
 * Attribute name for the Lasso signature method attribute.
 */
#define LASSO_SIGNATURE_METHOD_ATTRIBUTE BAD_CAST "SignatureMethod"

/**
 * LASSO_PRIVATE_KEY_ATTRIBUTE:
 *
 * Attribute name for the Lasso private key attribute.
 */
#define LASSO_PRIVATE_KEY_ATTRIBUTE BAD_CAST "PrivateKey"

/**
 * LASSO_PRIVATE_KEY_PASSWORD_ATTRIBUTE:
 *
 * Attribute name for the Lasso private key password attribute.
 *
 * NOTE(review): a serialized dump that carries this attribute (and the private
 * key one above) presumably contains secret material; such dumps should be
 * stored and logged with the same care as the key itself — confirm against
 * the serialization code.
 */
#define LASSO_PRIVATE_KEY_PASSWORD_ATTRIBUTE BAD_CAST "PrivateKeyPassword"

/**
 * LASSO_CERTIFICATE_ATTRIBUTE:
 *
 * Attribute name for the Lasso certificate attribute.
 */
#define LASSO_CERTIFICATE_ATTRIBUTE BAD_CAST "Certificate"

/*****************************************************************************/
/* Liberty Alliance ID-FF                                                    */
/*****************************************************************************/

/**
 * LASSO_LIB_HREF:
 *
 * Namespace for the elements specific to ID-FF 1.2 (not part of SAML 1.0)
 */
#define LASSO_LIB_HREF "urn:liberty:iff:2003-08"
/**
 * LASSO_LIB_PREFIX:
 *
 * Preferred prefix for the ID-FF 1.2 namespace.  The LASSO_LIB_STATUS_CODE_*
 * constants below are QNames built with this prefix.
 */
#define LASSO_LIB_PREFIX "lib"

/* Versioning */
/**
 * LASSO_LIB_MAJOR_VERSION_N:
 *
 * Major version of the ID-FF protocol supported.
 */
#define LASSO_LIB_MAJOR_VERSION_N 1
/**
 * LASSO_LIB_MINOR_VERSION_N:
 *
 * Minor version of the ID-FF protocol supported.
 */
#define LASSO_LIB_MINOR_VERSION_N 2

/* NameIDPolicyType */

/**
 * LASSO_LIB_NAMEID_POLICY_TYPE_NONE:
 *
 * <emphasis>None</emphasis> policy for use in #LassoLibAuthnRequest. It
 * means an existing federation must be used and an error should be produced if
 * none existed beforehand.
 */
#define LASSO_LIB_NAMEID_POLICY_TYPE_NONE "none"

/**
 * LASSO_LIB_NAMEID_POLICY_TYPE_ONE_TIME:
 *
 * <emphasis>Onetime</emphasis> policy for use in #LassoLibAuthnRequest. It
 * means a federation must not be created between identity and service
 * provider. A temporary name identifier should be used instead.
 */
#define LASSO_LIB_NAMEID_POLICY_TYPE_ONE_TIME "onetime"

/**
 * LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED:
 *
 * <emphasis>Federated</emphasis> policy for use in #LassoLibAuthnRequest. It
 * means a federation may be created between identity and service provider (if
 * it didn't exist before).
 */
#define LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED "federated"

/**
 * LASSO_LIB_NAMEID_POLICY_TYPE_ANY:
 *
 * <emphasis>Any</emphasis> policy for use in #LassoLibAuthnRequest. It means
 * a federation may be created if the principal agrees and it can fall back to
 * <emphasis>onetime</emphasis> if he does not.
 */
#define LASSO_LIB_NAMEID_POLICY_TYPE_ANY "any"

/* AuthenticationClassRef */
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_INTERNET_PROTOCOL:
 *
 * The Internet Protocol class is identified when a Principal is authenticated through the use of a
 * provided IP address.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_INTERNET_PROTOCOL \
	"http://www.projectliberty.org/schemas/authctx/classes/InternetProtocol"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_INTERNET_PROTOCOL_PASSWORD:
 *
 * The Internet Protocol Password class is identified when a Principal is authenticated through the
 * use of a provided IP address, in addition to username/password.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_INTERNET_PROTOCOL_PASSWORD \
	"http://www.projectliberty.org/schemas/authctx/classes/InternetProtocolPassword"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_MOBILE_ONE_FACTOR_UNREGISTERED:
 *
 * Reflects no mobile customer registration procedures and an authentication of the mobile device
 * without requiring explicit end-user interaction. Again, this context authenticates only the
 * device and never the user, it is useful when services other than the mobile operator want to add
 * a secure device authentication to their authentication process.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_MOBILE_ONE_FACTOR_UNREGISTERED \
	"http://www.projectliberty.org/schemas/authctx/classes/MobileOneFactorUnregistered"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_MOBILE_TWO_FACTOR_UNREGISTERED:
 *
 * Reflects no mobile customer registration procedures and a two-factor based authentication, such
 * as secure device and user PIN. This context class is useful when a service other than the mobile
 * operator wants to link their customer ID to a mobile supplied two-factor authentication service
 * by capturing mobile phone data at enrollment.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_MOBILE_TWO_FACTOR_UNREGISTERED \
	"http://www.projectliberty.org/schemas/authctx/classes/MobileTwoFactorUnregistered"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_MOBILE_ONE_FACTOR_CONTRACT:
 *
 * Reflects mobile contract customer registration procedures and a single factor authentication. For
 * example, a digital signing device with tamper resistant memory for key storage, such as the
 * mobile MSISDN, but no required PIN or biometric for real-time user authentication.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_MOBILE_ONE_FACTOR_CONTRACT \
	"http://www.projectliberty.org/schemas/authctx/classes/MobileOneFactorContract"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_MOBILE_TWO_FACTOR_CONTRACT:
 *
 * Reflects mobile contract customer registration procedures and a two-factor based authentication.
 * For example, a digital signing device with tamper resistant memory for key storage, such as a GSM
 * SIM, that requires explicit proof of user identity and intent, such as a PIN or biometric.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_MOBILE_TWO_FACTOR_CONTRACT \
	"http://www.projectliberty.org/schemas/authctx/classes/MobileTwoFactorContract"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_PASSWORD:
 *
 * The Password class is identified when a Principal authenticates to an identity provider through
 * the presentation of a password over an unprotected HTTP session.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_PASSWORD \
	"http://www.projectliberty.org/schemas/authctx/classes/Password"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_PASSWORD_PROTECTED_TRANSPORT:
 *
 * The PasswordProtectedTransport class is identified when a Principal authenticates to an identity
 * provider through the presentation of a password over a protected session.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_PASSWORD_PROTECTED_TRANSPORT \
	"http://www.projectliberty.org/schemas/authctx/classes/PasswordProtectedTransport"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_PREVIOUS_SESSION:
 *
 * The PreviousSession class is identified when a Principal had authenticated to an identity
 * provider at some point in the past using any authentication context supported by that identity
 * provider. Consequently, a subsequent authentication event that the identity provider will assert
 * to the service provider may be significantly separated in time from the Principal's current
 * resource access request. The context for the previously authenticated session is explicitly not
 * included in this context class because the user has not authenticated during this session, and so
 * the mechanism that the user employed to authenticate in a previous session should not be used as
 * part of a decision on whether to now allow access to a resource.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_PREVIOUS_SESSION \
	"http://www.projectliberty.org/schemas/authctx/classes/PreviousSession"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_SMARTCARD:
 *
 * The Smartcard class is identified when a Principal authenticates to an identity provider using a
 * smartcard.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_SMARTCARD \
	"http://www.projectliberty.org/schemas/authctx/classes/Smartcard"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_SMARTCARD_PKI:
 *
 * The SmartcardPKI class is identified when a Principal authenticates to an identity provider
 * through a two-factor authentication mechanism using a smartcard with enclosed private key and a
 * PIN.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_SMARTCARD_PKI \
	"http://www.projectliberty.org/schemas/authctx/classes/SmartcardPKI"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_SOFTWARE_PKI:
 *
 * The Software-PKI class is identified when a Principal uses an X.509 certificate stored in
 * software to authenticate to the identity provider.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_SOFTWARE_PKI \
	"http://www.projectliberty.org/schemas/authctx/classes/SoftwarePKI"
/**
 * LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_TIME_SYNC_TOKEN:
 *
 * The TimeSyncToken class is identified when a Principal authenticates through a time
 * synchronization token.
 *
 * Source: Liberty ID-FF Authentication Context Specification v1.3
 */
#define LASSO_LIB_AUTHN_CONTEXT_CLASS_REF_TIME_SYNC_TOKEN \
	"http://www.projectliberty.org/schemas/authctx/classes/TimeSyncToken"

/* AuthnContextComparison */
/**
 * LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT:
 *
 * Ask for the exact authentication context.
 */
#define LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT "exact"
/**
 * LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM:
 *
 * Ask for at least this authentication context.
 */
#define LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM "minimum"
/**
 * LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM:
 *
 * Ask for at most this authentication context.
 */
#define LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM "maximum"
/**
 * LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER:
 *
 * Ask for a better authentication context than that.
 */
#define LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER "better"

/* StatusCodes */
/**
 * LASSO_LIB_STATUS_CODE_FEDERATION_DOES_NOT_EXIST:
 *
 * <para>Second level status code.</para>
 *
 * Used by an identity provider to indicate that the Principal has not federated his or her identity
 * with the service provider, and the service provider indicated a requirement for federation.
 *
 * Source: Liberty ID-FF Protocols and Schema Specification 1.2
 */
#define LASSO_LIB_STATUS_CODE_FEDERATION_DOES_NOT_EXIST "lib:FederationDoesNotExist"
/**
 * LASSO_LIB_STATUS_CODE_INVALID_ASSERTION_CONSUMER_SERVICE_INDEX:
 *
 * <para>Second level status code.</para>
 *
 * If the <AssertionConsumerServiceID> element is provided, then the identity provider <emphasis>MUST</emphasis> search
 * for the value among the id attributes in the <AssertionConsumerServiceURL> elements in the
 * provider's metadata to determine the URL to use. If no match can be found, then the provider
 * <emphasis>MUST</emphasis> return an error with a second-level <samlp:StatusCode> of
 * lib:InvalidAssertionConsumerServiceIndex to the default URL (the <AssertionConsumerServiceURL>
 * with an isDefault attribute of "true").
 *
 * Source: Liberty ID-FF Protocols and Schema Specification 1.2
 */
#define LASSO_LIB_STATUS_CODE_INVALID_ASSERTION_CONSUMER_SERVICE_INDEX \
	"lib:InvalidAssertionConsumerServiceIndex"
/**
 * LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE:
 *
 * <para>Second level status code.</para>
 *
 * Indicates a failure in the processing of the signature of the request.
 * This code is not part of the ID-FF 1.2 specification.
 *
 */
#define LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE "lib:InvalidSignature"
/**
 * LASSO_LIB_STATUS_CODE_NO_AUTHN_CONTEXT:
 *
 * Used by an identity provider to indicate that the specified authentication context information in
 * the request prohibits authentication from taking place.
 *
 * Source: Liberty ID-FF Protocols and Schema Specification 1.2
 */
#define LASSO_LIB_STATUS_CODE_NO_AUTHN_CONTEXT "lib:NoAuthnContext"
/**
 * LASSO_LIB_STATUS_CODE_NO_AVAILABLEIDP:
 *
 * Used by an intermediary to indicate that none of the supported identity provider URLs from the
 * <IDPList> can be resolved or that none of the supported identity providers are available.
 *
 * Source: Liberty ID-FF Protocols and Schema Specification 1.2
 */
#define LASSO_LIB_STATUS_CODE_NO_AVAILABLEIDP "lib:NoAvailableIDP"
/**
 * LASSO_LIB_STATUS_CODE_NO_PASSIVE:
 *
 * Used by an identity provider or an intermediary to indicate that authentication of the Principal
 * requires interaction and cannot be performed passively.
 *
 * Source: Liberty ID-FF Protocols and Schema Specification 1.2
 */
#define LASSO_LIB_STATUS_CODE_NO_PASSIVE "lib:NoPassive"
/**
 * LASSO_LIB_STATUS_CODE_NO_SUPPORTEDIDP:
 *
 * Used by an intermediary to indicate that none of the identity providers are supported by the
 * intermediary.
 *
 * Source: Liberty ID-FF Protocols and Schema Specification 1.2
 */
#define LASSO_LIB_STATUS_CODE_NO_SUPPORTEDIDP "lib:NoSupportedIDP"
/**
 * LASSO_LIB_STATUS_CODE_PROXY_COUNT_EXCEEDED:
 *
 * Used by an identity provider to indicate that it cannot authenticate the principal itself, and
 * was not permitted to relay the request further.
 *
 * Source: Liberty ID-FF Protocols and Schema Specification 1.2
 */
#define LASSO_LIB_STATUS_CODE_PROXY_COUNT_EXCEEDED "lib:ProxyCountExceeded"
/**
 * LASSO_LIB_STATUS_CODE_UNKNOWN_PRINCIPAL:
 *
 * Used by an identity provider to indicate that the Principal is not known to it.
 *
 * Source: Liberty ID-FF Protocols and Schema Specification 1.2
 */
#define LASSO_LIB_STATUS_CODE_UNKNOWN_PRINCIPAL "lib:UnknownPrincipal"
/**
 * LASSO_LIB_STATUS_CODE_UNSIGNED_AUTHN_REQUEST:
 *
 * If the requesting provider's <AuthnRequestsSigned> metadata element is "true", then any request
 * messages it generates <emphasis>MUST</emphasis> be signed. If an unsigned request is received, then the provider <emphasis>MUST</emphasis>
 * return an error with a second-level <samlp:StatusCode> of lib:UnsignedAuthnRequest.
 *
 * Source: Liberty ID-FF Protocols and Schema Specification 1.2
 */
#define LASSO_LIB_STATUS_CODE_UNSIGNED_AUTHN_REQUEST "lib:UnsignedAuthnRequest"
/**
 * LASSO_LIB_STATUS_CODE_UNSUPPORTED_PROFILE:
 *
 * If an error occurs during this further processing of the logout (for example, relying service
 * providers may not all implement the Single Logout profile used by the requesting service
 * provider), then the identity provider <emphasis>MUST</emphasis> respond to the original requester with a
 * <LogoutResponse> message, indicating the status of the logout request. The value
 * "lib:UnsupportedProfile" is provided for a second-level <samlp:StatusCode>, indicating that a
 * service provider should retry the <LogoutRequest> using a different profile.
 *
 * Source: Liberty ID-FF Protocols and Schema Specification 1.2
 */
#define LASSO_LIB_STATUS_CODE_UNSUPPORTED_PROFILE "lib:UnsupportedProfile"

/* ProtocolProfile */

/**
 * LASSO_LIB_PROTOCOL_PROFILE_BRWS_ART:
 *
 * Identifies the Single Sign-On "Artifact" profile; where an artifact is
 * passed from identity provider to service provider and back to get the
 * #LassoLibAssertion.
 */
#define LASSO_LIB_PROTOCOL_PROFILE_BRWS_ART \
	"http://projectliberty.org/profiles/brws-art"

/**
 * LASSO_LIB_PROTOCOL_PROFILE_BRWS_POST:
 *
 * Identifies the Single Sign-On "POST" profile; where the #LassoLibAssertion
 * is sent directly from the identity provider to the service provider in an
 * HTML form submission message.
 */
#define LASSO_LIB_PROTOCOL_PROFILE_BRWS_POST \
	"http://projectliberty.org/profiles/brws-post"

/**
 * LASSO_LIB_PROTOCOL_PROFILE_BRWS_LECP:
 *
 * Identifies the Single Sign-On "LECP" profile; where the #LassoLibAssertion
 * is sent directly from the identity provider to the service provider in a
 * PAOS response. See #LassoLecp.
 *
 */
#define LASSO_LIB_PROTOCOL_PROFILE_BRWS_LECP \
	"http://projectliberty.org/profiles/lecp"
/**
 * LASSO_LIB_PROTOCOL_PROFILE_FED_TERM_IDP_HTTP:
 *
 * Identifies the Federation Termination "Redirect" profile; where the request for federation
 * termination is sent from the identity provider to the service provider in a redirected GET request.
 *
 */
#define LASSO_LIB_PROTOCOL_PROFILE_FED_TERM_IDP_HTTP \
	"http://projectliberty.org/profiles/fedterm-idp-http"
/**
 * LASSO_LIB_PROTOCOL_PROFILE_FED_TERM_IDP_SOAP:
 *
 * Identifies the Federation Termination "SOAP" profile, initiated by the identity provider.
 */
#define LASSO_LIB_PROTOCOL_PROFILE_FED_TERM_IDP_SOAP \
	"http://projectliberty.org/profiles/fedterm-idp-soap"
/**
 * LASSO_LIB_PROTOCOL_PROFILE_FED_TERM_SP_HTTP:
 *
 * Identifies the Federation Termination "Redirect" profile, initiated by the service provider.
 */
#define LASSO_LIB_PROTOCOL_PROFILE_FED_TERM_SP_HTTP \
	"http://projectliberty.org/profiles/fedterm-sp-http"
/**
 * LASSO_LIB_PROTOCOL_PROFILE_FED_TERM_SP_SOAP:
 *
 * Identifies the Federation Termination "SOAP" profile, initiated by the service provider.
 */
#define LASSO_LIB_PROTOCOL_PROFILE_FED_TERM_SP_SOAP \
	"http://projectliberty.org/profiles/fedterm-sp-soap"
/**
 * LASSO_LIB_PROTOCOL_PROFILE_NIM_SP_HTTP:
 *
 * Identifies the Name Identifier Mapping profile, initiated by the service provider over HTTP.
 */
#define LASSO_LIB_PROTOCOL_PROFILE_NIM_SP_HTTP \
	"http://projectliberty.org/profiles/nim-sp-http"
/* Register Name Identifier profiles: identity- or service-provider initiated, over HTTP redirect
 * or SOAP. */
#define LASSO_LIB_PROTOCOL_PROFILE_RNI_IDP_HTTP "http://projectliberty.org/profiles/rni-idp-http"
#define LASSO_LIB_PROTOCOL_PROFILE_RNI_IDP_SOAP "http://projectliberty.org/profiles/rni-idp-soap"
#define LASSO_LIB_PROTOCOL_PROFILE_RNI_SP_HTTP "http://projectliberty.org/profiles/rni-sp-http"
#define LASSO_LIB_PROTOCOL_PROFILE_RNI_SP_SOAP "http://projectliberty.org/profiles/rni-sp-soap"
/* Single Logout profiles: identity- or service-provider initiated, over HTTP redirect or SOAP. */
#define LASSO_LIB_PROTOCOL_PROFILE_SLO_SP_HTTP "http://projectliberty.org/profiles/slo-sp-http"
#define LASSO_LIB_PROTOCOL_PROFILE_SLO_SP_SOAP "http://projectliberty.org/profiles/slo-sp-soap"
#define LASSO_LIB_PROTOCOL_PROFILE_SLO_IDP_HTTP "http://projectliberty.org/profiles/slo-idp-http"
#define LASSO_LIB_PROTOCOL_PROFILE_SLO_IDP_SOAP "http://projectliberty.org/profiles/slo-idp-soap"

/* NameIdentifier formats */

/**
 * LASSO_LIB_NAME_IDENTIFIER_FORMAT_FEDERATED:
 *
 * <emphasis>Federated</emphasis> name identifier constant, used in
 * #LassoSamlNameIdentifier. It implies the name identifier belongs to
 * a federation established between SP and IdP.
 */
#define LASSO_LIB_NAME_IDENTIFIER_FORMAT_FEDERATED "urn:liberty:iff:nameid:federated"

/**
 * LASSO_LIB_NAME_IDENTIFIER_FORMAT_ONE_TIME:
 *
 * "One-time" name identifier constant, used in #LassoSamlNameIdentifier.
 */
#define LASSO_LIB_NAME_IDENTIFIER_FORMAT_ONE_TIME "urn:liberty:iff:nameid:one-time"

/**
 * LASSO_LIB_NAME_IDENTIFIER_FORMAT_ENCRYPTED:
 *
 * "Encrypted" name identifier constant, used in #LassoSamlNameIdentifier.
 */
#define LASSO_LIB_NAME_IDENTIFIER_FORMAT_ENCRYPTED "urn:liberty:iff:nameid:encrypted"
/**
 * LASSO_LIB_NAME_IDENTIFIER_FORMAT_ENTITYID:
 *
 * "entityID" name identifier constant, used in #LassoSamlNameIdentifier when
 * the name identifier is a provider's entity ID.
 */
#define LASSO_LIB_NAME_IDENTIFIER_FORMAT_ENTITYID "urn:liberty:iff:nameid:entityID"

/* Consent
 *
 * Values for the consent attribute of ID-FF 1.2 messages, stating whether
 * (and when) the Principal's consent to the action was obtained.
 */
/* Consent was obtained from the Principal. */
#define LASSO_LIB_CONSENT_OBTAINED "urn:liberty:consent:obtained"
/* Consent was obtained from the Principal prior to the action. */
#define LASSO_LIB_CONSENT_OBTAINED_PRIOR "urn:liberty:consent:obtained:prior"
/* Consent was obtained implicitly at the time of the action. */
#define LASSO_LIB_CONSENT_OBTAINED_CURRENT_IMPLICIT "urn:liberty:consent:obtained:current:implicit"
/* Consent was obtained explicitly at the time of the action. */
#define LASSO_LIB_CONSENT_OBTAINED_CURRENT_EXPLICIT "urn:liberty:consent:obtained:current:explicit"
/* Consent was not available (could not be obtained). */
#define LASSO_LIB_CONSENT_UNAVAILABLE "urn:liberty:consent:unavailable"
/* Consent is not applicable to the action. */
#define LASSO_LIB_CONSENT_INAPPLICABLE "urn:liberty:consent:inapplicable"

/*****************************************************************************/
/* METADATA                                                                  */
/*****************************************************************************/

/* prefix & href */
/**
 * LASSO_METADATA_HREF:
 *
 * Namespace for ID-FF 1.2 metadata.
 *
 */
#define LASSO_METADATA_HREF "urn:liberty:metadata:2003-08"
/**
 * LASSO_METADATA_PREFIX:
 *
 * Preferred prefix for ID-FF 1.2 metadata namespace.
 */
#define LASSO_METADATA_PREFIX "md"

/*****************************************************************************/
/* SAML                                                                      */
/*****************************************************************************/

/* prefix & href */
/**
 * LASSO_SAML_ASSERTION_HREF:
 *
 * Namespace for SAML 1.0 assertion elements.
 */
#define LASSO_SAML_ASSERTION_HREF "urn:oasis:names:tc:SAML:1.0:assertion"
/**
 * LASSO_SAML_ASSERTION_PREFIX:
 *
 * Preferred prefix for assertion elements.
 */
#define LASSO_SAML_ASSERTION_PREFIX "saml"
/**
 * LASSO_SAML_PROTOCOL_HREF:
 *
 * Namespace for SAML 1.0 protocol elements.
 */
#define LASSO_SAML_PROTOCOL_HREF "urn:oasis:names:tc:SAML:1.0:protocol"
/**
 * LASSO_SAML_PROTOCOL_PREFIX:
 *
 * Preferred prefix for protocol elements.  The LASSO_SAML_STATUS_CODE_*
 * constants below are QNames built with this prefix.
 */
#define LASSO_SAML_PROTOCOL_PREFIX "samlp"

/* Versioning */
/**
 * LASSO_SAML_MAJOR_VERSION_N:
 *
 * Major version number of the SAML specification used for ID-FF support in Lasso.
 */
#define LASSO_SAML_MAJOR_VERSION_N 1
/**
 * LASSO_SAML_MINOR_VERSION_N:
 *
 * Minor version number of the SAML specification used for ID-FF support in Lasso.
 */
#define LASSO_SAML_MINOR_VERSION_N 1

/* First level StatusCodes */

/**
 * LASSO_SAML_STATUS_CODE_SUCCESS:
 *
 * A protocol request succeeded.
 */
#define LASSO_SAML_STATUS_CODE_SUCCESS "samlp:Success"
/**
 * LASSO_SAML_STATUS_CODE_VERSION_MISMATCH:
 *
 * Request failed, because the version is not supported by the provider. Look at second level status
 * for more details.
 */
#define LASSO_SAML_STATUS_CODE_VERSION_MISMATCH "samlp:VersionMismatch"
/**
 * LASSO_SAML_STATUS_CODE_REQUESTER:
 *
 * Request failed because of the requester. Look at second level status for more details.
 */
#define LASSO_SAML_STATUS_CODE_REQUESTER "samlp:Requester"
/**
 * LASSO_SAML_STATUS_CODE_RESPONDER:
 *
 * Request failed because of the responder. Look at second level status for more details.
 */
#define LASSO_SAML_STATUS_CODE_RESPONDER "samlp:Responder"

/* Second level status codes */
/**
 * LASSO_SAML_STATUS_CODE_REQUEST_VERSION_TOO_HIGH:
 *
 * Request failed because the version of protocol used is too high.
 * Used with #LASSO_SAML_STATUS_CODE_VERSION_MISMATCH.
 */
#define LASSO_SAML_STATUS_CODE_REQUEST_VERSION_TOO_HIGH "samlp:RequestVersionTooHigh"
/**
 * LASSO_SAML_STATUS_CODE_REQUEST_VERSION_TOO_LOW:
 *
 * Request failed because the version of protocol used is too low.
 * Used with #LASSO_SAML_STATUS_CODE_VERSION_MISMATCH.
 */
#define LASSO_SAML_STATUS_CODE_REQUEST_VERSION_TOO_LOW "samlp:RequestVersionTooLow"
/**
 * LASSO_SAML_STATUS_CODE_REQUEST_VERSION_DEPRECATED:
 *
 * Request failed because the version of protocol used is deprecated.
 * Used with #LASSO_SAML_STATUS_CODE_VERSION_MISMATCH.
 */
#define LASSO_SAML_STATUS_CODE_REQUEST_VERSION_DEPRECATED "samlp:RequestVersionDeprecated"
/**
 * LASSO_SAML_STATUS_CODE_TOO_MANY_RESPONSES:
 *
 * Request failed because too much data would have to be returned.
 * Used with #LASSO_SAML_STATUS_CODE_RESPONDER.
 */
#define LASSO_SAML_STATUS_CODE_TOO_MANY_RESPONSES "samlp:TooManyResponses"
/**
 * LASSO_SAML_STATUS_CODE_RESOURCE_NOT_RECOGNIZED:
 *
 * Request failed because the responder does not wish to support resource-specific attribute
 * queries, or the resource value provided is invalid or unrecognized.
 * Used with #LASSO_SAML_STATUS_CODE_RESPONDER.
 */
#define LASSO_SAML_STATUS_CODE_RESOURCE_NOT_RECOGNIZED "samlp:ResourceNotRecognized"
/**
 * LASSO_SAML_STATUS_CODE_REQUEST_DENIED:
 *
 * The SAML responder or SAML authority is able to process the request but has chosen not to
 * respond. This status code MAY be used when there is concern about the security context of the
 * request message or the sequence of request messages received from a particular requester.
 *
 * Source: Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1
 *
 */
#define LASSO_SAML_STATUS_CODE_REQUEST_DENIED "samlp:RequestDenied"

/* AuthenticationMethods */
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD:
 *
 * The authentication was performed by means of a password.
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD "urn:oasis:names:tc:SAML:1.0:am:password"
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_KERBEROS:
 *
 * The authentication was performed by means of the Kerberos protocol [RFC 1510], an instantiation
 * of the Needham-Schroeder symmetric key authentication mechanism [Needham78].
 *
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_KERBEROS "urn:ietf:rfc:1510"
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_SECURE_REMOTE_PASSWORD:
 *
 * The authentication was performed by means of Secure Remote Password protocol as specified in [RFC
 * 2945].
 *
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_SECURE_REMOTE_PASSWORD "urn:ietf:rfc:2945"
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_HARDWARE_TOKEN:
 *
 * The authentication was performed using some (unspecified) hardware token.
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_HARDWARE_TOKEN \
	"urn:oasis:names:tc:SAML:1.0:am:HardwareToken"
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_SMARTCARD_PKI:
 *
 * The authentication was performed using either the SSL or TLS protocol with certificate-based
 * client authentication. TLS is described in [RFC 2246].  Note that the SAML identifier itself
 * only states TLS client authentication; the Lasso name is a local naming choice.
 *
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_SMARTCARD_PKI "urn:ietf:rfc:2246"
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_SOFTWARE_PKI:
 *
 * The authentication was performed by some (unspecified) mechanism on a key authenticated by means
 * of an X.509 PKI [X.500][PKIX]. It may have been one of the mechanisms for which a more specific
 * identifier has been defined below.
 *
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_SOFTWARE_PKI "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_PGP:
 *
 * The authentication was performed by some (unspecified) mechanism on a key authenticated by means
 * of a PGP web of trust [PGP]. It may have been one of the mechanisms for which a more specific
 * identifier has been defined below.
 *
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_PGP "urn:oasis:names:tc:SAML:1.0:am:PGP"
/**
 * LASSO_SAML_AUTHENTICATION_METHODS_PKI:
 *
 * The authentication was performed by some (unspecified) mechanism on a key authenticated by means
 * of a SPKI PKI [SPKI]. It may have been one of the mechanisms for which a more specific
 * identifier has been defined below.
 *
 */
#define LASSO_SAML_AUTHENTICATION_METHODS_PKI "urn:oasis:names:tc:SAML:1.0:am:SPKI"
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_XKMS:
 *
 * The authentication was performed by some (unspecified) mechanism on a key authenticated by means
 * of a XKMS trust service [XKMS]. It may have been one of the mechanisms for which a more specific
 * identifier has been defined below.
 *
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_XKMS "urn:oasis:names:tc:SAML:1.0:am:XKMS"
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_XMLD_SIG:
 *
 * The authentication was performed by means of an XML digital signature [RFC 3075].
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_XMLD_SIG "urn:ietf:rfc:3075"
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_UNSPECIFIED:
 *
 * The authentication was performed by an unspecified means.
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_UNSPECIFIED \
	"urn:oasis:names:tc:SAML:1.0:am:unspecified"
/**
 * LASSO_SAML_AUTHENTICATION_METHOD_LIBERTY:
 *
 * The authentication was performed by a Liberty Alliance protocol.
 */
#define LASSO_SAML_AUTHENTICATION_METHOD_LIBERTY "urn:liberty:ac:2003-08"

/* ConfirmationMethods */
/**
 * LASSO_SAML_CONFIRMATION_METHOD_ARTIFACT:
 *
 * Confirmation method when the browser-artifact binding is used.
 */
#define LASSO_SAML_CONFIRMATION_METHOD_ARTIFACT "urn:oasis:names:tc:SAML:1.0:cm:artifact"
/**
 * LASSO_SAML_CONFIRMATION_METHOD_ARTIFACT01:
 *
 * Deprecated confirmation method when the browser-artifact binding is used.
 */
#define LASSO_SAML_CONFIRMATION_METHOD_ARTIFACT01 "urn:oasis:names:tc:SAML:1.0:cm:artifact-01"
/**
 * LASSO_SAML_CONFIRMATION_METHOD_BEARER:
 *
 * Confirmation method when the subject of the assertion is the one holding it.
 */
#define LASSO_SAML_CONFIRMATION_METHOD_BEARER "urn:oasis:names:tc:SAML:1.0:cm:bearer"
/**
 * LASSO_SAML_CONFIRMATION_METHOD_HOLDER_OF_KEY:
 *
 * A ds:KeyInfo must be present in the SubjectConfirmation element. It <emphasis>MUST</emphasis> be
 * used to confirm assertion subject identity.
 */
#define LASSO_SAML_CONFIRMATION_METHOD_HOLDER_OF_KEY \
	"urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
/**
 * LASSO_SAML_CONFIRMATION_METHOD_SENDER_VOUCHES:
 *
 * Indicates that no other information is available about the context of use of the assertion. The
 * relying party <emphasis>SHOULD</emphasis> utilize other means to determine if it should process
 * the assertion further.
925 * 926 */ 927 #define LASSO_SAML_CONFIRMATION_METHOD_SENDER_VOUCHES \ 928 "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches" 929 930 /* Extensions */ 931 932 /** 933 * LASSO_SAML_EXT_CHANNEL_BINDING: 934 * 935 * Indicates support for channel binding 936 * 937 */ 938 #define LASSO_SAML_EXT_CHANNEL_BINDING "urn:oasis:names:tc:SAML:protocol:ext:channel-binding" 939 940 /*****************************************************************************/ 941 /* POAS BINDING */ 942 /*****************************************************************************/ 943 944 /** 945 * LASSO_PAOS_HREF: 946 * 947 * Namespace for FIXME 948 * 949 */ 950 #define LASSO_PAOS_HREF "urn:liberty:paos:2003-08" 951 /** 952 * LASSO_PAOS_PREFIX: 953 * 954 * URN binding name for PAOS 955 * 956 */ 957 #define LASSO_PAOS_PREFIX "paos" 958 959 /*****************************************************************************/ 960 /* ECP PROFILE */ 961 /*****************************************************************************/ 962 963 /** 964 * LASSO_ECP_HREF: 965 * 966 * Namespace for FIXME 967 * 968 */ 969 #define LASSO_ECP_HREF "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" 970 /** 971 * LASSO_ECP_PREFIX: 972 * 973 * SAML 2 URN profile name for Enhanced Client & Proxy (ECP) 974 * 975 */ 976 #define LASSO_ECP_PREFIX "ecp" 977 978 /*****************************************************************************/ 979 /* Others */ 980 /*****************************************************************************/ 981 982 /* xsi prefix & href */ 983 /** 984 * LASSO_XSI_HREF: 985 * 986 * Namespace for XMLSchema instance 987 * 988 */ 989 #define LASSO_XSI_HREF "http://www.w3.org/2001/XMLSchema-instance" 990 /** 991 * LASSO_XSI_PREFIX: 992 * 993 * Preferred prefix for namespace of XMLSChema instance 994 * 995 */ 996 #define LASSO_XSI_PREFIX "xsi" 997 998 999 /** 1000 * LASSO_XML_HREF: 1001 * 1002 * Namespace for XML namespace 1003 */ 1004 #define LASSO_XML_HREF "http://www.w3.org/XML/1998/namespace" 1005 1006 
/** 1007 * LASSO_XML_PREFIX: 1008 * 1009 * Preferred prefix for XML namespace 1010 */ 1011 #define LASSO_XML_PREFIX "xml" 1012 1013 1014 #endif /* __LASSO_STRINGS_H__ */ 1015