
Subject: Agenda item: approval of revised SAML profile schemas


Colleagues,

I have made additional corrections to the SAML profile schemas to
address the problems that Erik encountered:

1) I inserted the URLs of the most recent SAML CD schemas into the
"schemaLocation" attribute for the SAML schema import elements.  It
would be nice if we could use the SAML 2.0 OASIS Standard locations, but
in the past they have not used "fixed" file URLs that can be predicted
prior to standardization.  This is at least correct for the current
version of SAML, and will continue to be "correct" if SAML 2.0 is
approved in its current form.

2) I removed the samlp namespace definition from the assertion schema,
since, as Erik notes, it is not used.

The corrected schemas are attached.

If the TC is willing to approve these corrected schemas tomorrow, I can
include them in a non-normative SAML Errata link on our home page at the
same time I update all our other links to point to the normative documents.

Anne

Erik Rissanen wrote:
> On Mon, 2005-02-14 at 11:30 -0500, Anne Anderson wrote: 
> 
>>Erik,
>>
>>Attached are revised versions of the XACML SAML profile schemas that I
>>think incorporate all the necessary corrections for the errors that you
>>found.
>>
>>Could you please take the time to review these and get a quick "OK" or
>>not back to me?
>>
>>Thanks,
>>Anne Anderson
> 
> 
> My application does not use the protocol schema, so I have not tested
> it, but I tried the assertion schema.
> 
> The parser I am using (Xerces) does not like the schema location for the
> SAML schemas. I get the following error:
> 
> org.xml.sax.SAXParseException: The declaration for the entity
> "ContentType" must end with '>'.
> 
> When I changed the locations from 
> 
>   <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
>       schemaLocation="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security"/>
>   <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol"
>       schemaLocation="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security"/>
> 
> to
> 
>   <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
>       schemaLocation="http://www.oasis-open.org/committees/download.php/11027/sstc-saml-schema-assertion-2.0.xsd"/>
>   <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol"
>       schemaLocation="http://www.oasis-open.org/committees/download.php/11026/sstc-saml-schema-protocol-2.0.xsd"/>
> 
> the error went away.
> 
> It also seems like the XACML 2.0 "-os.xsd" schema files are not up at
> the oasis web site yet, so the parser could not load them. I tried with
> the cd:04 schema instead which worked fine.
> 
> Just a small note: The samlp namespace prefix is not used in the
> assertion schema, so it could be removed.
> 
> The schema seems ok to me now.
> 
> Just one final caveat: I still use XACML 1.1, so to test my application
> I have to change the references to the XACML 2.0 schemas to XACML 1.0. I
> have not run anything with real XACML 2.0 data, but I doubt there are
> any more errors since running the schemas you posted, with the above
> corrections, gives no errors except the conflict between XACML 1.0 and
> 2.0.
> 
> /Erik
> 

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
<?xml version="1.0" encoding="UTF-8"?>
<schema
    targetNamespace="urn:oasis:xacml:2.0:saml:assertion:schema:os"
    xmlns="http://www.w3.org/2001/XMLSchema"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os"
    elementFormDefault="unqualified"
    attributeFormDefault="unqualified"
    blockDefault="substitution"
    version="2.0">
  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
      schemaLocation="http://www.oasis-open.org/committees/download.php/11027/sstc-saml-schema-assertion-2.0.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol"
      schemaLocation="http://www.oasis-open.org/committees/download.php/11026/sstc-saml-schema-protocol-2.0.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os"
      schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
      schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd"/>
  <xs:annotation>
    <xs:documentation>
        Document identifier: access_control-xacml-2.0-saml-assertion-schema-cd-02.xsd
        Location: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-assertion-schema-cd-os.xsd
    </xs:documentation>
  </xs:annotation>
  <!--    -->
  <xs:element name="XACMLAuthzDecisionStatement"
           type="xacml-saml:XACMLAuthzDecisionStatementType"/>
  <xs:complexType name="XACMLAuthzDecisionStatementType">
    <xs:complexContent>
      <xs:extension base="saml:StatementAbstractType">
        <xs:sequence>
          <xs:element ref="xacml-context:Response"/>
          <xs:element ref="xacml-context:Request"  minOccurs="0"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <!--    -->
  <xs:element name="XACMLPolicyStatement"
           type="xacml-saml:XACMLPolicyStatementType"/>
  <xs:complexType name="XACMLPolicyStatementType">
    <xs:complexContent>
      <xs:extension base="saml:StatementAbstractType">
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element ref="xacml:Policy"/>
          <xs:element ref="xacml:PolicySet"/>
        </xs:choice>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
</schema>
<?xml version="1.0" encoding="UTF-8"?>
<schema
    targetNamespace="urn:oasis:xacml:2.0:saml:protocol:schema:os"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
    elementFormDefault="unqualified"
    attributeFormDefault="unqualified"
    blockDefault="substitution"
    version="2.0">
  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
      schemaLocation="http://www.oasis-open.org/committees/download.php/11027/sstc-saml-schema-assertion-2.0.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol"
      schemaLocation="http://www.oasis-open.org/committees/download.php/11026/sstc-saml-schema-protocol-2.0.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os"
      schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
      schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd"/>
  <xs:annotation>
    <xs:documentation>
        Document identifier: access_control-xacml-2.0-saml-protocol-schema-os.xsd
        Location: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-protocol-schema-os.xsd
    </xs:documentation>
  </xs:annotation>
  <!--    -->
  <xs:element name="XACMLAuthzDecisionQuery"
           type="xacml-samlp:XACMLAuthzDecisionQueryType"/>
  <xs:complexType name="XACMLAuthzDecisionQueryType">
    <xs:complexContent>
      <xs:extension base="samlp:RequestAbstractType">
        <xs:sequence>
          <xs:element ref="xacml-context:Request"/>
        </xs:sequence>
        <xs:attribute name="InputContextOnly"
                      type="boolean"
                      use="optional"
                      default="false"/>
        <xs:attribute name="ReturnContext"
                      type="boolean"
                      use="optional"
                      default="false"/>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <!--    -->
  <xs:element name="XACMLPolicyQuery"
           type="xacml-samlp:XACMLPolicyQueryType"/>
  <xs:complexType name="XACMLPolicyQueryType">
    <xs:complexContent>
      <xs:extension base="samlp:RequestAbstractType">
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element ref="xacml-context:Request"/>
          <xs:element ref="xacml:Target"/>
          <xs:element ref="xacml:PolicySetIdReference"/>
          <xs:element ref="xacml:PolicyIdReference"/>
        </xs:choice>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
</schema>
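The two problems Erik found (an xs:import whose schemaLocation is the tc_home.php HTML page rather than an .xsd file, and the unused samlp prefix) can be caught before a parser ever sees the schema. The following lint is an added example written for this thread, not the TC's or Sun's code; the cut-down SAMPLE_XSD and the LOCAL_CATALOG mapping are constructed, and the catalog check reflects that a validator which follows remote schemaLocation URLs fetches third-party content at validation time, so every imported namespace should have a pinned local copy.

```python
"""Lint for xs:import declarations in an XSD (example for this thread, not TC code):
flags schemaLocation URLs that are not .xsd files, declared-but-unused prefixes, and
imports with no local copy, which a validator can only satisfy by fetching remotely."""
import re
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed sample: a cut-down assertion schema as it looked before the corrections.
SAMPLE_XSD = """<?xml version="1.0" encoding="UTF-8"?>
<schema targetNamespace="urn:oasis:xacml:2.0:saml:assertion:schema:os"
    xmlns="http://www.w3.org/2001/XMLSchema"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os">
  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
      schemaLocation="http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security"/>
  <xs:element name="XACMLAuthzDecisionStatement" type="xacml-saml:XACMLAuthzDecisionStatementType"/>
  <xs:complexType name="XACMLAuthzDecisionStatementType">
    <xs:complexContent><xs:extension base="saml:StatementAbstractType"/></xs:complexContent>
  </xs:complexType>
</schema>"""

# Constructed catalog: namespace -> local schema copy, so validation never touches the network.
LOCAL_CATALOG = {"urn:oasis:names:tc:xacml:2.0:policy:schema:os": "schemas/xacml-2.0-policy.xsd"}


def bad_import_locations(xsd_text):
    """schemaLocation values that are not .xsd files, e.g. the tc_home.php?... HTML page."""
    root = ET.fromstring(xsd_text.encode())
    return [imp.get("schemaLocation") for imp in root.iter(XS + "import")
            if not imp.get("schemaLocation", "").split("?")[0].endswith(".xsd")]


def unused_prefixes(xsd_text):
    """Prefixes declared as xmlns:p on the root start tag but used in no tag or QName attribute."""
    end = xsd_text.index(">", xsd_text.index("<schema")) + 1   # ElementTree drops xmlns:* declarations
    declared = re.findall(r'xmlns:([\w.-]+)="', xsd_text[:end])
    body = xsd_text[end:]
    used = set(re.findall(r"</?([\w.-]+):", body))              # element tags such as <xs:import>
    used.update(re.findall(r'="([\w.-]+):[\w.-]+"', body))       # QNames such as base="saml:StatementAbstractType"
    return sorted(p for p in declared if p not in used)


def imports_without_local_copy(xsd_text, catalog=LOCAL_CATALOG):
    """Imported namespaces that would be resolved by fetching schemaLocation over the network."""
    root = ET.fromstring(xsd_text.encode())
    return [imp.get("namespace") for imp in root.iter(XS + "import") if imp.get("namespace") not in catalog]
```

Run against the attached schemas, the first check passes once the download.php/...xsd locations are in place, and the second reports nothing for the assertion schema now that samlp has been dropped.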