OASIS Mailing List Archives

xacml-users message

Subject: Re: [xacml-users] Storing policies in a policy Repository


Massimiliano,

I think the body is not defined in either SAML or XACML-SAML specs. SAML spec 
doesn't know anything about XACML. XACML-SAML profile says that XACMLPolicyStmt 
can be used for storing a policy in a repo and provides syntax that is compliant 
with SAML's <Statement>, which makes it possible to pass a <xacml:Policy> in an 
assertion.

How a Policy is retrieved from the SOAP message and stored in a repo is 
implementation specific, I think.

I might be wrong, check with TC.

Oleg.



----- Original Message ----
From: "massimiliano.masi@gmail.com" <massimiliano.masi@gmail.com>
To: Oleg Gryb <oleg@gryb.info>
Cc: xacml-users@lists.oasis-open.org
Sent: Fri, July 30, 2010 8:21:58 AM
Subject: Re: [xacml-users] Storing policies in a policy Repository

Hello,

Oleg, thank you for your answer. This is exactly my problem.
In order to create a valid soap message, I have to create a
soap header and a body, with a SOAP Action. I use the following:

SOAPAction "http://www.oasis-open.org/committees/security";
Header: as you suggested, SAML assertion containing the XACMLPolicyStmt
Body: ? What to put here? For now I am using a WS-Trust 1.3 RST/RSTRC,
because I didn't find any standard for that.

I saw in the email of Rich Levinson (thanks) about the new errata version,
and it is more clear, but my problem remains.

Thank you,

     Massimiliano



On Thu, Jul 29, 2010 at 8:06 PM, Oleg Gryb <oleg_gryb@yahoo.com> wrote:
> Massimiliano,
>
> XACMLPolicyStatement extends SAML statement (or it's of
> saml:StatementAbstractType type to be exact), WSS prescribes to use something
> like that to embed an assertion:
>
> <wsse:SecurityTokenReference>
>    <wsse:Embedded wsu:Id="tok1">
>        <saml:Assertion xmlns:saml="...">
>            ...
>        </saml:Assertion>
>    </wsse:Embedded>
> </wsse:SecurityTokenReference>
>
> SAML <Statement> is an internal element of <Assertion>. Since
> XACMLPolicyStatement is an extension of <Statement> it should work as well. Why
> would you need to put anything to the SOAP Body?
>
> You can do something like that, I think:
>
> <wsse:SecurityTokenReference>
>    <wsse:Embedded wsu:Id="tok1">
>        <saml:Assertion xmlns:saml="...">
>            ...
>                 <Statement xsi:type="xacml-saml:XACMLPolicyStatementType">
>                     <xacml:Policy> ... </xacml:Policy>
>                 </Statement>
>            ...
>        </saml:Assertion>
>    </wsse:Embedded>
> </wsse:SecurityTokenReference>
>
> (you'll need to define xsi and xacml-saml namespaces somewhere).
>
>
>
>
> ----- Original Message ----
> From: "massimiliano.masi@gmail.com" <massimiliano.masi@gmail.com>
> To: xacml-users@lists.oasis-open.org
> Sent: Thu, July 29, 2010 9:16:44 AM
> Subject: [xacml-users] Storing policies in a policy Repository
>
> Hello,
>
> I was reading the SAML 2.0 profile of XACML v2.0. In section 4.2 is written:
>
> The <XACMLPolicyStatement> may also be used in a SAML Assertion as a
> format for storing the <XACMLPolicyStatement> in a repository.
>
> I was wondering how the XACMLPolicyStatement can be used
> for storing a policy or a policy set in a policy repository.
>
> I understand that the XACMLPolicyStatement extends a SAML Statement,
> but in this case, how to place the SAML Assertion in the SOAP Message?
>
> If the SAML Assertion is placed using WS-Security, what to write in
> the SOAP Body?
> A WS-Trust RST is acceptable in my opinion, but it can lead to potential
> different implementation, breaking the interoperability. And more, the
> SAML assertion
> in the header does not authenticate the message, potentially breaking
> WS-Security.
>
> But since the namespace is
>
>      <xacml-samlp:XACMLPolicyStatement
>          xmlns:xacml-samlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol">
>
> it can be also acceptable to write it in the body, in my opinion.
>
> What is your suggestion?
>
> Thanks in advance,
>
>     Massimiliano
>
>
> --
> Massimiliano Masi
>
> http://www.mascanc.net/~max
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
>

-- 
Massimiliano Masi

http://www.mascanc.net/~max
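The thread settles on carrying the policy as a SAML <Statement> of type XACMLPolicyStatementType inside a wsse:Embedded assertion, and leaves retrieval from the SOAP message to the implementation. The following is an added example, not code from anyone in this thread, of what the receiving side of a policy repository would do with such a message before storing anything: parse it with the Python standard library, walk Envelope/Header/Security/SecurityTokenReference/Embedded/Assertion, resolve the xsi:type QName against the namespace declarations actually in scope at the Statement element, and refuse the message if the statement is not the expected type, is unsigned, or carries anything other than xacml:Policy or xacml:PolicySet. The sample SOAP message is constructed for the example; the ds:Signature element in it is an empty placeholder (only its presence is checked, no signature verification is performed), and the assertion-side profile namespace URI in NS["xacml-saml"] is my assumption about the 2.0 profile schema and should be checked against the profile's schema before use.

```python
"""Extract XACML policies from an XACMLPolicyStatement carried in a SAML
assertion embedded in a WS-Security header (constructed sample message)."""
import io
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xacml": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
    # Assumption: assertion-side namespace of the SAML 2.0 profile of XACML 2.0.
    "xacml-saml": "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion",
}

# Constructed sample: policy carried exactly as described in the thread.
SAMPLE_SOAP = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:SecurityTokenReference>
        <wsse:Embedded wsu:Id="tok1">
          <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
              xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
              Version="2.0" ID="_a1" IssueInstant="2010-07-30T08:21:58Z">
            <saml:Issuer>urn:example:pap</saml:Issuer>
            <!-- placeholder: a real message carries an enveloped XML Signature here -->
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
            <saml:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">
              <xacml:Policy PolicyId="urn:example:policy:1"
                  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
                <xacml:Target/>
                <xacml:Rule RuleId="deny-all" Effect="Deny"/>
              </xacml:Policy>
            </saml:Statement>
          </saml:Assertion>
        </wsse:Embedded>
      </wsse:SecurityTokenReference>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>
"""


def parse_with_scopes(xml_bytes):
    """Parse XML and record, for every element, the prefix->URI bindings in
    scope at its start tag. ElementTree discards prefixes, but xsi:type is a
    QName whose prefix must be resolved against the declarations in scope."""
    current = {}   # prefix -> uri currently in scope ("" is the default namespace)
    undo = []      # (prefix, previous binding) so end-ns can restore outer scope
    scopes = {}    # element -> snapshot of `current` at its start tag
    root = None
    events = ("start-ns", "end-ns", "start")
    for event, payload in ET.iterparse(io.BytesIO(xml_bytes), events=events):
        if event == "start-ns":
            prefix, uri = payload
            undo.append((prefix, current.get(prefix)))
            current[prefix] = uri
        elif event == "end-ns":
            prefix, previous = undo.pop()
            if previous is None:
                del current[prefix]
            else:
                current[prefix] = previous
        else:
            scopes[payload] = dict(current)
            if root is None:
                root = payload
    return root, scopes


def extract_policies(xml_text):
    """Return [(local name, id)] for each Policy/PolicySet inside a correctly
    typed XACMLPolicyStatement. Raise ValueError on any structural deviation so
    the repository never stores an unexpected or unsigned statement."""
    root, scopes = parse_with_scopes(xml_text.encode("utf-8"))
    if root.tag != "{%s}Envelope" % NS["soap"]:
        raise ValueError("not a SOAP 1.1 envelope")
    path = ("soap:Header/wsse:Security/wsse:SecurityTokenReference/"
            "wsse:Embedded/saml:Assertion")
    assertion = root.find(path, NS)
    if assertion is None:
        raise ValueError("no embedded SAML assertion in wsse:Security")
    if assertion.find("ds:Signature", NS) is None:   # presence check only
        raise ValueError("assertion is unsigned")
    found = []
    for stmt in assertion.findall("saml:Statement", NS):
        xsi_type = stmt.get("{%s}type" % NS["xsi"], "")
        prefix, _, local = xsi_type.rpartition(":")
        if scopes[stmt].get(prefix) != NS["xacml-saml"] or local != "XACMLPolicyStatementType":
            raise ValueError("unexpected statement type %r" % xsi_type)
        for child in stmt:
            if child.tag == "{%s}Policy" % NS["xacml"]:
                found.append(("Policy", child.get("PolicyId")))
            elif child.tag == "{%s}PolicySet" % NS["xacml"]:
                found.append(("PolicySet", child.get("PolicySetId")))
            else:
                raise ValueError("unexpected child in XACMLPolicyStatement: %s" % child.tag)
    if not found:
        raise ValueError("no XACMLPolicyStatement in assertion")
    return found


if __name__ == "__main__":
    print(extract_policies(SAMPLE_SOAP))
```

The xsi:type check resolves the prefix against the declarations in scope at the Statement rather than comparing the raw string, which is why the example tracks start-ns/end-ns events: a message that spells the type with a different prefix is still accepted, and one whose prefix is bound to the wrong namespace is rejected. The signature check here only confirms a ds:Signature element exists; as Massimiliano points out, an assertion in the header does not by itself authenticate the message, so a real repository would verify that signature against a trusted PAP key before storing the policy.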
