Subject: [Fwd: Re: Draft new version of the SAML 2.0 Profile of XACML 2.1]


Today seems to be my big day for TC mailings :-)  Attached are comments 
from Scott Cantor on the "SAML 2.0 Profile of XACML 2.1" that I mailed 
out on April 12 
(http://www.oasis-open.org/committees/download.php/17672/xacml-2.1-profile-saml2.0-wd-1.zip). 


Regards,
Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
--- Begin Message ---
> I would appreciate any comments you have.  Some of you have more 
> experience using the SAML Profile of XACML than most of the XACML TC 
> members, so your expertise will be appreciated.

I haven't gone through this in detail yet, but I would strongly urge some
significant changes to the schemas. In particular, I think the heavy use of
sequence extensions and replacement of SAML elements like Assertion and
Advice are the wrong way to approach this kind of extension. It was the same
mistake Liberty made originally, but with SAML 1.1 we didn't have the schema
right to provide alternatives.

You have the basics all there correctly, new Statement types, new Request
and Response message types, etc. But that's all you should need to do. The
core Assertion and Advice elements are already extensible to include new
statement and advice content, and I think it would be a mistake to force
these XACML elements to the end of those sequences, or to replace
elements like Assertion with your own. That makes life much harder for SAML
applications.

It is the case that statement extensions can't natively appear in element
form because we got rid of substitution, but that's still the proper way to
embed a new statement type:

<saml:Statement xsi:type="xacml-saml:XACMLStatementType">

With Advice, you don't need anything special, because the choice already
includes <any namespace="#other"> in the sequence, so your advice element
can appear. But since I'm suggesting you don't want or need an
XACMLAssertion element either, you don't really have any need for anything
new in Advice anyway, since Assertions can already appear there.

-- Scott

--- End Message ---
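To make Scott's suggestion concrete, here is an added example (not part of the thread, the draft profile, or any OASIS schema) of how a SAML consumer handles an XACML statement embedded as `<saml:Statement xsi:type="xacml-saml:XACMLStatementType">` rather than as a replacement Assertion element. The XACML-SAML profile namespace `urn:example:xacml-saml-profile` is an assumed placeholder because the draft's real URI is not quoted in the message; the SAML 2.0 assertion, XACML 2.0 context and XML Schema instance namespaces are the standard ones. The assertion itself is a constructed sample. The point it shows is that the generic statement type plus `xsi:type` lets an ordinary SAML processor keep its existing `Assertion` handling, pick out the statement types it understands, and skip (or refuse) the ones it does not, which is exactly the extensibility the reply argues for.

```python
"""Dispatching SAML 2.0 statements by xsi:type, standard library only (added example)."""
import io
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XACML_CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
# Assumed placeholder: the profile draft's schema namespace is not given in the thread.
XACML_SAML_NS = "urn:example:xacml-saml-profile"
XACML_STATEMENT = f"{{{XACML_SAML_NS}}}XACMLStatementType"

# Constructed sample: one ordinary AttributeStatement, one XACML statement carried as
# saml:Statement with xsi:type (the embedding recommended in the reply), and one
# statement of a type this consumer has never heard of.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}"
    xmlns:xacml-saml="{XACML_SAML_NS}" xmlns:xacml-context="{XACML_CTX_NS}"
    ID="_a1" Version="2.0" IssueInstant="2006-04-20T00:00:00Z">
  <saml:Issuer>https://pdp.example.org</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>doctor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:Statement xsi:type="xacml-saml:XACMLStatementType">
    <xacml-context:Response>
      <xacml-context:Result ResourceId="record-42">
        <xacml-context:Decision>Permit</xacml-context:Decision>
      </xacml-context:Result>
    </xacml-context:Response>
  </saml:Statement>
  <saml:Statement xsi:type="xacml-saml:SomethingNewerType"/>
</saml:Assertion>
"""


def parse_with_nsmap(xml_text):
    """Parse the document and also record prefix -> URI bindings.

    ElementTree discards prefixes, but xsi:type is a QName whose prefix must be
    resolved in document scope, so the bindings are collected from start-ns events.
    """
    nsmap = {}
    root = None
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            nsmap[prefix] = uri  # assumes a prefix is not rebound to another URI deeper down
        elif root is None:
            root = payload
    return root, nsmap


def resolve_qname(qname, nsmap):
    """Turn 'prefix:Local' into Clark notation '{uri}Local'; an unbound prefix is an error."""
    prefix, _, local = qname.rpartition(":")
    if prefix not in nsmap:
        raise ValueError(f"unbound prefix in xsi:type: {qname!r}")
    return f"{{{nsmap[prefix]}}}{local}"


def classify_statements(assertion, nsmap):
    """Return (type_name, element) for each statement child of the assertion.

    Concrete SAML statements are keyed by element name; the generic saml:Statement
    is keyed by its resolved xsi:type, which is how an extension statement is recognised.
    """
    concrete = {f"{{{SAML_NS}}}{n}" for n in
                ("AttributeStatement", "AuthnStatement", "AuthzDecisionStatement")}
    out = []
    for child in assertion:
        if child.tag == f"{{{SAML_NS}}}Statement":
            xsi_type = child.get(f"{{{XSI_NS}}}type")
            if xsi_type is None:
                raise ValueError("saml:Statement without xsi:type cannot be interpreted")
            out.append((resolve_qname(xsi_type, nsmap), child))
        elif child.tag in concrete:
            out.append((child.tag, child))
    return out


def xacml_decisions(xml_text):
    """Return (decisions, skipped_types): the XACML decisions carried by the assertion
    and the extension statement types this consumer does not understand.

    A generic SAML consumer can ignore the skipped types; a consumer that depends on
    them should treat a non-empty skipped list as a reason to reject the assertion.
    """
    root, nsmap = parse_with_nsmap(xml_text)
    decisions, skipped = [], []
    for type_name, elem in classify_statements(root, nsmap):
        if type_name == XACML_STATEMENT:
            for d in elem.iter(f"{{{XACML_CTX_NS}}}Decision"):
                decisions.append(d.text.strip())
        elif not type_name.startswith("{" + SAML_NS + "}"):
            skipped.append(type_name)
    return decisions, skipped


if __name__ == "__main__":
    print(xacml_decisions(SAMPLE_ASSERTION))
```

Nothing in the consumer needed to know about an `XACMLAssertion` element or about where in the Assertion's sequence the XACML content sits; it walks the standard statement slots and dispatches on the resolved type, and unknown types fall through instead of breaking schema validation of the enclosing Assertion.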