Subject: RE: [wss] the saml token profile depends on non-global attributes in key identifier/wsse schema does not support keyIdentifier element extensibility
I believe if you trace back the type of EncodedString you will find that
it does support attribute extensibility. EncodedString extends
AttributedString which allows for any attributes:
<xsd:anyAttribute namespace="##other" processContents="lax"/>
What am I missing?
-----Original Message-----
From: Ron Monzillo [mailto:Ronald.Monzillo@Sun.COM]
Sent: Tuesday, January 20, 2004 2:04 PM
To: wss@lists.oasis-open.org
Cc: Levinson, Richard
Subject: [wss] the saml token profile depends on non-global attributes in key identifier/wsse schema does not support keyIdentifier element extensibility
The schema for wsse:KeyIdentifier does not support element extensibility.

The SAML token profile relies on non-global saml attributes (i.e. saml:local and saml:binding) to format keyIdentifier SecurityTokenReferences. The non-global attributes could be replaced with the global saml:AuthorityBinding element, if the wsse:KeyIdentifier supported element extensibility.
There are 2 paths forward.

- Modify the wsse:schema to allow any element to be included in keyIdentifiers.
- Use Direct References with an optional contained AuthorityBinding element to reference SAML assertions, when the authority and binding must be specified to acquire the assertion.
I am working on modifying the profile to take the latter approach, but would appreciate feedback from the TC.
Any comments?
Ron
<xsd:complexType name="KeyIdentifierType">
  <xsd:annotation>
    <xsd:documentation>A security token key identifier</xsd:documentation>
  </xsd:annotation>
  <xsd:simpleContent>
    <xsd:extension base="wsse:EncodedString">
      <xsd:attribute name="ValueType" type="xsd:anyURI"/>
    </xsd:extension>
  </xsd:simpleContent>
</xsd:complexType>
Ron Monzillo wrote:
> BTW, in section 3.3, we need to change the way SAML keyIdentifier references are composed, as the Binding and Location attributes are not global.
> Perhaps we can use the SAML AuthorityBinding construct, as opposed to its internal attributes.
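The schema question argued in this thread, as an added example (not code from the page or from the WSS TC): a small Python checker for the subset of XSD at issue. It walks the KeyIdentifierType extension chain quoted above and reports that foreign-namespace attributes such as saml:Binding pass through AttributedString's anyAttribute namespace="##other", while any child element is rejected, because the type has simple content and no xsd:any. Two further types in the embedded schema are assumptions, labelled in the code: OpenKeyIdentifierType, a hypothetical version of the first path (mixed content plus xsd:any), and ReferenceType, modelled on the wsse direct reference and given an xsd:any so an AuthorityBinding child can be tried against it, for the second path. The sample instances and their URI values are constructed, and resolution of prefixed base types is simplified to local names within the one schema; this is not a general XSD validator.

```python
import xml.etree.ElementTree as ET

XSD = "http://www.w3.org/2001/XMLSchema"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed schema slice. The AttributedString -> EncodedString -> KeyIdentifierType chain
# follows the thread. OpenKeyIdentifierType is a hypothetical "path 1" rewrite (mixed content
# plus xsd:any); ReferenceType is an assumption modelled on the wsse direct reference.
SCHEMA = f"""<xsd:schema xmlns:xsd="{XSD}" xmlns:wsse="{WSSE}" targetNamespace="{WSSE}">
  <xsd:complexType name="AttributedString"><xsd:simpleContent><xsd:extension base="xsd:string">
    <xsd:anyAttribute namespace="##other" processContents="lax"/>
  </xsd:extension></xsd:simpleContent></xsd:complexType>
  <xsd:complexType name="EncodedString"><xsd:simpleContent><xsd:extension base="wsse:AttributedString">
    <xsd:attribute name="EncodingType" type="xsd:anyURI"/>
  </xsd:extension></xsd:simpleContent></xsd:complexType>
  <xsd:complexType name="KeyIdentifierType"><xsd:simpleContent><xsd:extension base="wsse:EncodedString">
    <xsd:attribute name="ValueType" type="xsd:anyURI"/>
  </xsd:extension></xsd:simpleContent></xsd:complexType>
  <xsd:complexType name="OpenKeyIdentifierType" mixed="true">
    <xsd:sequence><xsd:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/></xsd:sequence>
    <xsd:attribute name="EncodingType" type="xsd:anyURI"/><xsd:attribute name="ValueType" type="xsd:anyURI"/>
    <xsd:anyAttribute namespace="##other" processContents="lax"/>
  </xsd:complexType>
  <xsd:complexType name="ReferenceType">
    <xsd:sequence><xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/></xsd:sequence>
    <xsd:attribute name="URI" type="xsd:anyURI"/><xsd:attribute name="ValueType" type="xsd:anyURI"/>
    <xsd:anyAttribute namespace="##other" processContents="lax"/>
  </xsd:complexType>
</xsd:schema>"""


def _q(local):
    return "{%s}%s" % (XSD, local)


def _split(qname):
    """'{ns}local' -> (ns, local); an unprefixed name has no namespace."""
    return tuple(qname[1:].split("}", 1)) if qname.startswith("{") else ("", qname)


def type_policy(schema, type_name):
    """Follow the extension chain and collect declared attributes and the two wildcards."""
    types = {t.get("name"): t for t in schema.iter(_q("complexType"))}
    policy = {"attrs": set(), "any_attr": None, "any_elem": None}
    name = type_name
    while name in types:
        t = types[name]
        policy["attrs"].update(a.get("name") for a in t.iter(_q("attribute")))
        for wc in t.iter(_q("anyAttribute")):
            policy["any_attr"] = wc.get("namespace", "##any")
        for wc in t.iter(_q("any")):
            policy["any_elem"] = wc.get("namespace", "##any")
        ext = t.find(".//" + _q("extension"))
        # Simplification: a prefixed base is resolved by local name in this schema only.
        name = ext.get("base").split(":")[-1] if ext is not None else None
    return policy


def _allowed(rule, ns, target=WSSE):
    """Apply an XSD namespace wildcard; None means the type declares no wildcard."""
    if rule is None:
        return False
    if rule == "##any":
        return True
    if rule == "##other":  # any namespace except the target and "no namespace"
        return ns not in ("", target)
    return ns in [target if r == "##targetNamespace" else r for r in rule.split()]


def violations(policy, elem):
    """List the attributes and child elements of elem that the type does not admit."""
    out = []
    for qn in elem.attrib:
        ns, local = _split(qn)
        declared = ns == "" and local in policy["attrs"]
        if not declared and not _allowed(policy["any_attr"], ns):
            out.append("attribute %s not allowed" % qn)
    for child in elem:
        if not _allowed(policy["any_elem"], _split(child.tag)[0]):
            out.append("child element %s not allowed" % child.tag)
    return out


# Constructed instances; the URI values are illustrative, not the profile's normative ones.
NS = f'xmlns:wsse="{WSSE}" xmlns:saml="{SAML}" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"'
AB = ('<saml:AuthorityBinding AuthorityKind="samlp:AssertionIdReference" '
      'Binding="urn:example:binding" Location="https://idp.example/saml"/>')
KEYID_ATTRS = (f'<wsse:KeyIdentifier {NS} ValueType="urn:example:saml-id" '
               'saml:Binding="urn:example:binding" saml:Location="https://idp.example/saml">'
               'a1</wsse:KeyIdentifier>')
KEYID_ELEM = f'<wsse:KeyIdentifier {NS} ValueType="urn:example:saml-id">{AB}a1</wsse:KeyIdentifier>'
DIRECT_REF = f'<wsse:Reference {NS} URI="#a1">{AB}</wsse:Reference>'


def check_all():
    """Map each reference form to the violations its target type reports."""
    schema = ET.fromstring(SCHEMA)
    keyid, open_keyid, ref = (type_policy(schema, n) for n in
                              ("KeyIdentifierType", "OpenKeyIdentifierType", "ReferenceType"))
    return {
        "keyid_with_saml_attrs": violations(keyid, ET.fromstring(KEYID_ATTRS)),
        "keyid_with_authoritybinding": violations(keyid, ET.fromstring(KEYID_ELEM)),
        "open_keyid_with_authoritybinding": violations(open_keyid, ET.fromstring(KEYID_ELEM)),
        "direct_ref_with_authoritybinding": violations(ref, ET.fromstring(DIRECT_REF)),
    }
```

Calling check_all() gives an empty list for the attribute-based form (the point made in the reply at the top of the thread), a single "child element ... AuthorityBinding not allowed" entry for the element-based form against the real KeyIdentifierType (Ron's point), and empty lists for the same element under the hypothetical open type and under the direct reference. A full validator such as lxml or xmlschema run against the real wsse schema reaches the same split, since a simpleContent type can never carry element children whatever its attribute wildcard says.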