
Subject: RE: [xacml] XPATH expressions pointing to SAML Assertions


Hal - Perhaps you have a point.  Attribute types should be identified by URIs.  Our policy statements should also indicate which authorities can be considered authoritative for the attribute.  This too can be a URI.
 
Perhaps, the "reserved words" we have talked about should be XPATH expressions into the SAML authorization query message.  That would allow us to make statements about the particular resource and the particular principal identified in the authorization query message.  These would then be fixed values.
 
All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183

 
-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Thursday, November 29, 2001 9:45 AM
To: 'xacml@lists.oasis-open.org'
Subject: [xacml] XPATH expressions pointing to SAML Assertions

There has been repeated mention of the use of XPATH expressions to specify portions of a SAML Assertion. I do not understand what the intention behind doing this is. I do understand why it would be useful to use XPATH to specify a resource, when the resource is a portion of an XML document.

First of all, SAML assertions contain many elements, such as Issuer, Validity Period, Conditions, Audience, Signature and so forth, that should be processed any time an assertion is used. Surely the use of an XPATH expression would not be intended to imply that these fields should be ignored if they are outside of the specified scope?

As I understand our intentions, a policy rule might reference a particular attribute of a principal, for example. It is true that a SAML Attribute Assertion might contain several attributes; however, I assume that the PDP would look through the Assertion to see if the referenced Attribute is present or not and what its value is. So I see no use for XPATH here either.

In SAML Assertions, the Subject element can contain another SAML Assertion or a reference to another SAML Assertion. The semantics of this are the same as if the Subject field of the referenced Assertion had been cut and pasted into that location. There is no ambiguity and the use of XPATH was never considered for SAML.

Can somebody explain why we need to use XPATH in XACML to reference portions of SAML Assertions?

Hal
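The following is an added example, not part of the thread and not code from either author, illustrating in Python the first objection above: an XPath that selects one attribute value out of a SAML assertion returns that value whatever the surrounding Issuer, Conditions and Audience say, so a PDP has to process the assertion envelope first and only then evaluate the path. The assertion, the issuer and audience URIs and the attribute values are constructed for this example and shaped after SAML 1.0; the standard-library ElementTree is used, which understands only a subset of XPath; and signature verification, which a real PDP must perform before any of these checks, is omitted because it needs an XML-DSig library.

```python
"""Added example (not from the XACML thread): an XPath into a SAML assertion
is not a substitute for processing the assertion's envelope.

Assumptions: ASSERTION_XML is constructed for this example and shaped after
SAML 1.0 (namespace and element/attribute names are SAML 1.0's; issuer,
audience and attribute values are invented).  ds:Signature verification is
out of scope here because ElementTree has no XML-DSig support; a real PDP
must verify the signature before running any of the checks below.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion: one-hour validity window on 2001-11-29,
# restricted to a single audience, carrying one "role" attribute.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="example-assertion-1"
    Issuer="https://idp.example.org" IssueInstant="2001-11-29T14:45:00Z">
  <saml:Conditions NotBefore="2001-11-29T14:45:00Z" NotOnOrAfter="2001-11-29T15:45:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://pdp.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The kind of path the thread is discussing: "the role attribute of the principal".
ROLE_XPATH = ".//saml:Attribute[@AttributeName='role']/saml:AttributeValue"


def _parse_time(s):
    """Parse the UTC 'Z' timestamps used in the assertion."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def naive_lookup(xml_text, path):
    """What 'just point an XPath at the assertion' amounts to: the selected
    value comes back no matter who issued the assertion, whether it has
    expired, or which audience it was meant for."""
    root = ET.fromstring(xml_text)
    node = root.find(path, NS)
    return None if node is None else node.text


def checked_lookup(xml_text, path, trusted_issuers, my_audience, now):
    """Process the envelope first (Issuer, Conditions, Audience), and only
    then evaluate the attribute path.  Returns (value, reason); value is
    None whenever the assertion as a whole must be rejected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return None, "not an assertion"
    if root.get("Issuer") not in trusted_issuers:
        return None, "untrusted issuer"
    now_dt = _parse_time(now)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now_dt < _parse_time(nb):
            return None, "not yet valid"
        if noa and now_dt >= _parse_time(noa):
            return None, "expired"
        audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
        if audiences and my_audience not in audiences:
            return None, "audience mismatch"
    node = root.find(path, NS)
    if node is None:
        return None, "attribute absent"
    return node.text, "ok"


if __name__ == "__main__":
    trusted = {"https://idp.example.org"}
    me = "https://pdp.example.com"
    print("naive:", naive_lookup(ASSERTION_XML, ROLE_XPATH))
    print("in window:", checked_lookup(ASSERTION_XML, ROLE_XPATH, trusted, me, "2001-11-29T15:00:00Z"))
    print("after window:", checked_lookup(ASSERTION_XML, ROLE_XPATH, trusted, me, "2001-11-29T16:00:00Z"))
```

Run against the same assertion, `naive_lookup` hands back "admin" at any time and for any issuer, while `checked_lookup` returns the value only inside the validity window, from a trusted issuer, for the intended audience; an XPath "reserved word" that resolves a subject or resource out of the request would need the same treatment.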
