OASIS Mailing List Archives
xacml-dev message



Subject: Re: [xacml-dev] questions on the SAML profile for XACML.


Hi Shawn,

Please look at the SAML 2.0 profile of XACML v2.0 Errata: 
http://www.oasis-open.org/committees/download.php/15447/xacml-2.0-saml-errata-wd.zip 


This describes how to actually extend SAML to use the new types.  The 
new schemas do not define elements, but just types.  This is not yet 
approved as a Committee Specification, but solved the problems of other 
SAML profile users.  Please let us know if you find further changes that 
are needed.

As to your question about a SOAP profile, there was no interest in doing 
that from the members of the TC.  The SAML envelope provides the types 
of envelope information that are helpful in doing signatures, and also 
eases interoperability with other components that are using SAML.

Regards,
Anne Anderson

Shawn Ma wrote:
> Hi all,
>  
> I'm trying to do something with the SAML profile for XACML, but I found
> some things confusing.
>  
> 1. The SAML profile for XACML specifies an element
> <XACMLAuthzDecisionQuery>, which is a replacement of
> <samlp:AuthzDecisionQuery> element. In section 6 of that spec, there's a
> requirement saying "An <XACMLAuthzDecisionQuery> or <XACMLPolicyQuery>
> SHALL be encapsulated in a <samlp:RequestAbstractType> element, which
> MAY be signed."
>  
> My question is, the samlp:RequestAbstractType in SAML 2.0 is not an
> element, it is just a type, how can a XACML query be put in such an
> element/type?
>  
> In other words, how do I fill in the 'ELEMENT_NAME' in the following SOAP
> call? <XACMLAuthzDecisionQuery>?
> <SOAP-ENV:Body>
>  <samlp:ELEMENT_NAME xmlns:... ID="123456" Version="2.0"...>
>   <ds:Signature>...</ds:Signature>
>   <xacml-context:Request xmlns:xacml-context="...">
>    ...<Action>...<Subject>...
>   </xacml-context:Request>
>  </samlp:ELEMENT_NAME>
> </SOAP-ENV:Body>
> 
> 2: in the response, the <XACMLAuthzDecisionStatement>, as a replacement
> of <samlp:AuthzDecisionStatement>, is stated to be put in a
> <saml:Assertion>. But the <saml:Assertion> by schema can't contain an
> <XACMLAuthzDecisionStatement> directly. Does this mean that the
> <XACMLAuthzDecisionStatement> should be put in a <saml:Statement> with
> xsi:type like this?
> <saml:Assertion>
> ...
>    <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatement">
>         <xacml-saml:Response>....
>   </....>
>  
> 3. Why so complicated? Why don't we just have a SOAP profile for XACML,
> so we can directly put <xacml-context:Request> and <xacml-context:Response>
> in a SOAP body? I'm a bit curious.
>  
> Thanks,
> Shawn
> 

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
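The question 2 pattern above (an XACML decision carried as a <saml:Statement> whose concrete type is declared with xsi:type, because the profile schema defines types rather than elements) has a consumer-side consequence that the thread does not spell out: the receiver must resolve the xsi:type QName against the namespace prefixes in scope at that element, and must accept only the XACML type, not any type with a similar local name. The following is an added example written for this page; it is not code from the thread, the XACML TC or any profile schema. The SAML 2.0 and XACML 2.0 context namespace URIs are the published ones; the xacml-saml namespace URI, the type name XACMLAuthzDecisionStatementType and the assumption that the statement carries an <xacml-context:Response> child are assumptions to check against the profile or errata schema you actually deploy.

```python
# Added example: extracting XACML authorization decisions from a SAML 2.0
# assertion that carries them as xsi:type-derived <saml:Statement> elements.
# Not from the OASIS thread, the XACML TC or any profile schema.
import io
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XACML_SAML = "urn:oasis:xacml:2.0:saml:assertion:schema:os"        # assumed URI
STATEMENT_TYPE = (XACML_SAML, "XACMLAuthzDecisionStatementType")   # assumed name


def parse_with_scopes(xml_bytes):
    """Parse XML and record, for each element, the prefix->URI map in scope there.
    ElementTree resolves prefixes in tag names but not inside attribute values,
    and xsi:type is a QName in an attribute value."""
    scopes, stack, pending, root = {}, [{}], [], None
    for event, obj in ET.iterparse(io.BytesIO(xml_bytes),
                                   events=("start-ns", "start", "end")):
        if event == "start-ns":            # (prefix, uri); fires before "start"
            pending.append(obj)
        elif event == "start":
            scope = dict(stack[-1])        # inherit the parent's declarations
            scope.update(pending)
            pending = []
            stack.append(scope)
            scopes[obj] = scope
            if root is None:
                root = obj
        else:                              # "end": leave this element's scope
            stack.pop()
    return root, scopes


def resolve_qname(qname, scope):
    """Resolve 'prefix:local' from an attribute value to (namespace URI, local).
    An unprefixed name resolves against the default namespace; if no such
    declaration is in scope the type is rejected rather than guessed."""
    prefix, _, local = qname.rpartition(":")
    if prefix not in scope:
        raise ValueError(f"xsi:type {qname!r} uses an undeclared prefix")
    return scope[prefix], local


def xacml_decisions(assertion_xml):
    """Return (ResourceId, Decision) pairs from every statement whose xsi:type
    resolves to the XACML statement type. Other statement types are ignored;
    a statement that claims the XACML type but lacks a Response is an error."""
    root, scopes = parse_with_scopes(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError(f"expected saml:Assertion, got {root.tag}")
    found = []
    for stmt in root.findall(f"{{{SAML}}}Statement"):
        xsi_type = stmt.get(f"{{{XSI}}}type")
        if xsi_type is None or resolve_qname(xsi_type, scopes[stmt]) != STATEMENT_TYPE:
            continue
        response = stmt.find(f"{{{XACML_CTX}}}Response")   # assumed child
        if response is None:
            raise ValueError("XACML statement without xacml-context:Response")
        for result in response.findall(f"{{{XACML_CTX}}}Result"):
            decision = result.findtext(f"{{{XACML_CTX}}}Decision")
            found.append((result.get("ResourceId"), decision))
    return found


# Constructed sample, not a captured message. One genuine XACML statement and
# one whose xsi:type has the same local name in an unrelated namespace.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:xsi="{XSI}"
    ID="_a1" Version="2.0" IssueInstant="2006-01-01T00:00:00Z">
  <saml:Issuer>https://pdp.example</saml:Issuer>
  <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType"
      xmlns:xacml-saml="{XACML_SAML}" xmlns:xacml-context="{XACML_CTX}">
    <xacml-context:Response>
      <xacml-context:Result ResourceId="file:///etc/shadow">
        <xacml-context:Decision>Deny</xacml-context:Decision>
      </xacml-context:Result>
    </xacml-context:Response>
  </saml:Statement>
  <saml:Statement xsi:type="fake:XACMLAuthzDecisionStatementType"
      xmlns:fake="urn:example:not-xacml" xmlns:xacml-context="{XACML_CTX}">
    <xacml-context:Response>
      <xacml-context:Result ResourceId="file:///etc/shadow">
        <xacml-context:Decision>Permit</xacml-context:Decision>
      </xacml-context:Result>
    </xacml-context:Response>
  </saml:Statement>
</saml:Assertion>""".encode()

# Constructed sample with an undeclared prefix in xsi:type: rejected, not guessed.
UNDECLARED = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:xsi="{XSI}"
    ID="_a2" Version="2.0" IssueInstant="2006-01-01T00:00:00Z">
  <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType"/>
</saml:Assertion>""".encode()

if __name__ == "__main__":
    print(xacml_decisions(SAMPLE))
```

Two points a deployer should keep in mind. First, the xsi:type comparison is on the resolved (namespace, local-name) pair, so a statement typed in another namespace is skipped even though its Response would parse; in the sample that is the difference between Deny and Permit for the same resource. Second, this code only locates the statement; the enveloped signature that the profile allows on the assertion (or on the enclosing samlp:RequestAbstractType-typed element for queries) must be verified before any Decision is acted on, and the signature's reference must cover the Statement element, not just the assertion header.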

