Subject: Use of XACML SAML profile elements
Rich,
I think you will find your problems addressed in the errata documents
for the SAML Profile:
http://www.oasis-open.org/committees/download.php/15447/xacml-2.0-saml-errata-wd.zip
We removed the element definitions in the SAML Errata schemas since, as
you observe, they are not useful. The Errata specification also says to
use xsi:type to make use of the XACML...Type extensions.
So if you want to use an element with XACMLAuthzDecisionStatementType in
a SAML Response, you could write it as:
<samlp:Response ID=".." Version=".." IssueInstant="..">
  <saml:Issuer>...</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <samlp:Status>...</samlp:Status>
  <saml:Assertion Version=".." ID=".." IssueInstant="..">
    <saml:Issuer>...</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <saml:Advice>...</saml:Advice>
    <saml:Statement
        xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
      <xacml-context:Response>
        ...
      </xacml-context:Response>
    </saml:Statement>
    <saml:AttributeStatement>...</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
In the current Working Draft of the SAML 2.0 Profile of XACML **2.1**, I
added a full set of extended SAML elements that could be used with the
new XACML types. Review by XML and SAML experts, however, has convinced
me that this is the wrong approach, and we should revert to using only
the basic XACML extended types that are in the current Errata document.
Does this help? In general, please use the current Errata documents for
the SAML profile, not the approved standard versions.
Regards,
Anne Anderson
comment-form@oasis-open.org wrote:
> Comment from: rfought@psislidell.com
>
> Name:Rich Fought
> Title:Senior Security Software Engineer
> Organization:Planning Systems Incorporated
> Regarding Specification: SAML 2.0 profile of XACML v2.0
>
> The profile defines a new element XACMLAuthzDecisionResponse that is intended to be substituted for the standard SAML AuthzDecisionRequest element. However, there is no extension to the saml:Response or saml:Assertion elements that would allow this new XACMLAuthzDecisionResponse to be legitimately inserted inside a SAML response (legitimate meaning passing XML validation). This also has the effect of there is no standardized way of specifying such an entity in interfaces such as WSDLs. Was this by design? It seems there should be new or extended versions of saml:Response and saml:Assertion to fully realize standardized embedding of XACMLAuthzDecisionResponse elements in SAML. I propose including these in the XACML-SAML assertion schema.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-comment-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-comment-help@lists.oasis-open.org
>
--
Anne H. Anderson Anne.Anderson@sun.com
Sun Microsystems Labs 1-781-442-0928
Burlington, MA USA
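The xsi:type approach above means a consumer cannot locate XACML decisions by element name; it has to inspect the xsi:type attribute of each saml:Statement, and that attribute is a QName whose prefix is only meaningful through the namespace declarations in scope. The following Python is an added example, not code from the thread or from the XACML TC, showing how a relying party would pick out XACMLAuthzDecisionStatementType statements from a SAML Response and read the XACML decisions inside them. The SAML Response it parses is constructed for the example; the xacml-saml namespace URI is assumed to be urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os. It parses and resolves QNames; it does not schema-validate.

```python
import io
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
# Assumed namespace of the XACML 2.0 SAML profile assertion schema.
XACML_SAML = "urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os"
XACML_STATEMENT_TYPE = (XACML_SAML, "XACMLAuthzDecisionStatementType")


def resolve_qname(qname, scope):
    """Turn a prefixed QName attribute value into (namespace URI, local name)
    using the prefix->URI declarations in scope at that element."""
    prefix, _, local = qname.rpartition(":")
    return (scope.get(prefix), local)


def extract_xacml_decisions(xml_text):
    """Return [(ResourceId, Decision), ...] for every saml:Statement whose
    xsi:type resolves to XACMLAuthzDecisionStatementType. Statements whose
    prefix happens to be 'xacml-saml' but is bound to another URI are ignored,
    because the comparison is done on the resolved namespace, not the prefix."""
    matched = []
    pending = []         # namespace declarations seen before the next start tag
    scope_stack = [{}]   # in-scope prefix -> URI mapping, one dict per open element
    events = ET.iterparse(io.BytesIO(xml_text.encode("utf-8")),
                          events=("start-ns", "start", "end"))
    for event, payload in events:
        if event == "start-ns":
            pending.append(payload)          # (prefix, uri); '' is the default namespace
        elif event == "start":
            scope = dict(scope_stack[-1])
            scope.update(pending)
            pending = []
            scope_stack.append(scope)
            if payload.tag == f"{{{SAML}}}Statement":
                xsi_type = payload.get(f"{{{XSI}}}type")
                if xsi_type and resolve_qname(xsi_type, scope) == XACML_STATEMENT_TYPE:
                    matched.append(payload)  # children are filled in as parsing continues
        else:  # "end"
            scope_stack.pop()

    decisions = []
    for statement in matched:  # tree is complete once iterparse has finished
        for result in statement.iter(f"{{{XACML_CTX}}}Result"):
            decision = result.find(f"{{{XACML_CTX}}}Decision")
            decisions.append((result.get("ResourceId"), decision.text if decision is not None else None))
    return decisions


# Constructed sample: two genuine XACML statements under different prefixes, one
# statement whose 'xacml-saml' prefix is bound to an unrelated URI, and a plain
# SAML AuthzDecisionStatement that is not XACML at all.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_r1" Version="2.0" IssueInstant="2006-01-01T00:00:00Z">
  <saml:Issuer>https://pdp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2006-01-01T00:00:00Z">
    <saml:Issuer>https://pdp.example.test</saml:Issuer>
    <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType"
        xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <xacml-context:Response>
        <xacml-context:Result ResourceId="file:///reports/q1">
          <xacml-context:Decision>Permit</xacml-context:Decision>
        </xacml-context:Result>
      </xacml-context:Response>
    </saml:Statement>
    <saml:Statement xsi:type="x:XACMLAuthzDecisionStatementType"
        xmlns:x="urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os"
        xmlns:c="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <c:Response><c:Result ResourceId="file:///reports/q2"><c:Decision>Deny</c:Decision></c:Result></c:Response>
    </saml:Statement>
    <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType"
        xmlns:xacml-saml="urn:example:not-xacml"
        xmlns:c="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <c:Response><c:Result ResourceId="file:///reports/q3"><c:Decision>Permit</c:Decision></c:Result></c:Response>
    </saml:Statement>
    <saml:AuthzDecisionStatement Resource="file:///other" Decision="Permit">
      <saml:Action>read</saml:Action>
    </saml:AuthzDecisionStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for resource, decision in extract_xacml_decisions(SAMPLE_RESPONSE):
        print(resource, decision)
```

The third statement is the one to note: its xsi:type reads "xacml-saml:XACMLAuthzDecisionStatementType" exactly like the first, yet it is dropped because the prefix resolves to a different namespace. A consumer that compares the raw attribute string, or that matches on the prefix the profile's examples happen to use, would accept it. Signature verification of the Assertion remains a separate step that this example does not perform.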