Subject: Re: [xacml-dev] questions on the SAML profile for XACML.
Hi Shawn,

Please look at the SAML 2.0 profile of XACML v2.0 Errata:
http://www.oasis-open.org/committees/download.php/15447/xacml-2.0-saml-errata-wd.zip

This describes how to actually extend SAML to use the new types. The new schemas do not define elements, but just types. This is not yet approved as a Committee Specification, but solved the problems of other SAML profile users. Please let us know if you find further changes that are needed.

As to your question about a SOAP profile, there was no interest in doing that from the members of the TC. The SAML envelope provides the types of envelope information that are helpful in doing signatures, and also eases interoperability with other components that are using SAML.

Regards,
Anne Anderson

Shawn Ma wrote:
> Hi all,
>
> I'm trying to do something with the SAML profile for XACML. But found
> some confusing questions.
>
> 1. The SAML profile for XACML specifies an element
> <XACMLAuthzDecisionQuery>, which is a replacement of
> <samlp:AuthzDecisionQuery> element. In section 6 of that spec, there's a
> requirement saying "An <XACMLAuthzDecisionQuery> or <XACMLPolicyQuery>
> SHALL be encapsulated in a <samlp:RequestAbstractType> element, which
> MAY be signed."
>
> My question is, the samlp:RequestAbstractType in SAML 2.0 is not an
> element, it is just a type, how can a XACML query be put in such an
> element/type?
>
> In other words, how to fill the 'ELEMENT_NAME' in the following soap
> call? <XACMLAuthzDecisionQuery>?
> <SOAP-ENV:Body>
>   <samlp:ELEMENT_NAME xmlns:... ID="123456" Version="2.0"...>
>     <ds:Signature>...</ds:Signature>
>     <xacml-context:Request xmlns:xacml-context="...">
>       ...<Action>...<Subject>...
>     </xacml-context:Request>
>   </samlp:ELEMENT_NAME>
> </SOAP-ENV:Body>
>
> 2: in the response, the <XACMLAuthzDecisionStatement>, as a replacement
> of <samlp:AuthzDecisionStatement>, is stated to be put in a
> <saml:Assertion>.
> But the <saml:Assertion> by schema can't contain an
> <XACMLAuthzDecisionStatement> directly. Does this mean that the
> <XACMLAuthzDecisionStatement> should be put in a <saml:Statement> with
> xsi:type like this?
> <saml:Assertion>
>   ...
>   <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatement">
>     <xacml-saml:Response>....
>   </....>
>
> 3. Why so complicated? Why don't we just have a SOAP profile for XACML,
> so we can directly <xacml-context:Request> and <xacml-context:Response>
> in a SOAP body? I'm a bit curious.
>
> Thanks,
> Shawn
>

--
Anne H. Anderson             Anne.Anderson@sun.com
Sun Microsystems Labs        1-781-442-0928
Burlington, MA USA
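
The thread above turns on schemas that define types rather than elements, with the type selected through xsi:type. As an added example (not part of this thread or of the XACML TC's materials), this is how a consumer can resolve the xsi:type QName against the in-scope namespace declarations instead of trusting the prefix string. The `urn:example:` namespace URIs and both sample assertions are constructed placeholders; take the real XACML SAML profile namespace from the profile schema.

```python
import io
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# Placeholder namespace (assumption): replace with the URI from the profile schema.
XACML_SAML_NS = "urn:example:xacml-saml-profile"
EXPECTED_TYPE = (XACML_SAML_NS, "XACMLAuthzDecisionStatement")

def statement_types(xml_text):
    """Return (namespace, local-name) of xsi:type for each typed saml:Statement."""
    scopes = [{}]   # stack of prefix -> namespace maps, one per open element
    pending = {}    # declarations reported just before the next element start
    found = []
    source = io.BytesIO(xml_text.encode())
    for event, item in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            pending[item[0]] = item[1]
        elif event == "start":
            scope = {**scopes[-1], **pending}
            pending = {}
            scopes.append(scope)
            if item.tag == f"{{{SAML_NS}}}Statement":
                qname = item.get(f"{{{XSI_NS}}}type")
                if qname:
                    # An unprefixed QName resolves through the default namespace ("").
                    prefix, _, local = qname.rpartition(":")
                    found.append((scope.get(prefix), local))
        else:
            scopes.pop()
    return found

def has_xacml_decision(xml_text):
    """True only if a statement's type resolves to the expected namespace and name."""
    return EXPECTED_TYPE in statement_types(xml_text)

# Constructed samples, trimmed to the attributes this check needs.
GOOD = f'''<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}" xmlns:p="{XACML_SAML_NS}">
  <saml:Statement xsi:type="p:XACMLAuthzDecisionStatement"/>
</saml:Assertion>'''
# Same prefix string as in the thread, but bound to an unrelated namespace.
WRONG_NS = f'''<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}" xmlns:xacml-saml="urn:example:other">
  <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatement"/>
</saml:Assertion>'''
```

A check that compares the literal string `xacml-saml:XACMLAuthzDecisionStatement` would reject the first sample and accept the second, which is the reverse of what the namespace bindings say.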