[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: XACML Architecture Error?
James,

If you declare a <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">, then it is recognized as a valid <saml:Statement>, and can be included in an instance of <saml:Assertion> with no problems.

Regards,
Anne

James Moore wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello Anne,
>
> I received the XACML mailing list contact information, as well as your
> Sun contact information, from Frank Siebenlist at Argonne National
> Lab. I've been working with Frank on a new Authz system that relies
> upon XACML but have recently come into an issue with our
> implementation of the spec. I see that the
> XACMLAuthzDecisionStatementType must be encapsulated in a
> saml:Assertion in order to be transmitted using a samlp:Response. It
> looks like the XACMLAuthzDecisionStatementType extends the
> saml:StatementAbstractType in the same way as the saml:AuthnStatement,
> saml:AuthzDecisionStatement, and saml:AttributeStatement elements.
> This seems normal but when you look at the saml:AssertionType it
> provides a "choice" of either saml:Statement, saml:AuthnStatement,
> saml:AuthzDecisionStatement or saml:AttributeStatement. There is no
> extensibility for the AssertionType from what I can see. This causes
> issues with the encapsulation of an XACMLAuthzDecisionStatement,
> doesn't it? Should there be an addition to the choice selection for
> saml:Assertion to include the XACMLAuthzDecisionStatement, or will this
> element fall under the category of saml:Statement?
>
> Any info here would be great. I've attached the xsd element type
> definitions from their corresponding schemas for reference below:
>
>
> XACMLAuthzDecisionStatementType Definition (from
> access_control-xacml-2.0-saml-assertion-schema-os.xsd):
>
>   <xs:complexType name="XACMLAuthzDecisionStatementType">
>     <xs:complexContent>
>       <xs:extension base="saml:StatementAbstractType">
>         <xs:sequence>
>           <xs:element ref="xacml-context:Response"/>
>           <xs:element ref="xacml-context:Request" minOccurs="0"/>
>         </xs:sequence>
>       </xs:extension>
>     </xs:complexContent>
>   </xs:complexType>
>
> SAML Assertion Definition (from saml-schema-assertion-2.0.xsd):
>
>   <complexType name="AssertionType">
>     <sequence>
>       <element ref="saml:Issuer"/>
>       <element ref="ds:Signature" minOccurs="0"/>
>       <element ref="saml:Subject" minOccurs="0"/>
>       <element ref="saml:Conditions" minOccurs="0"/>
>       <element ref="saml:Advice" minOccurs="0"/>
>       <choice minOccurs="0" maxOccurs="unbounded">
>         <element ref="saml:Statement"/>
>         <element ref="saml:AuthnStatement"/>
>         <element ref="saml:AuthzDecisionStatement"/>
>         <element ref="saml:AttributeStatement"/>
>       </choice>
>     </sequence>
>     <attribute name="Version" type="string" use="required"/>
>     <attribute name="ID" type="ID" use="required"/>
>     <attribute name="IssueInstant" type="dateTime" use="required"/>
>   </complexType>
>
> SAML ResponseType Definition (from saml-schema-protocol-2.0.xsd):
>
>   <complexType name="ResponseType">
>     <complexContent>
>       <extension base="samlp:StatusResponseType">
>         <choice minOccurs="0" maxOccurs="unbounded">
>           <element ref="saml:Assertion"/>
>           <element ref="saml:EncryptedAssertion"/>
>         </choice>
>       </extension>
>     </complexContent>
>   </complexType>
>
>
> Any help would be greatly appreciated. Thanks in advance:
>
>
>
>
> - --
> __________________________________________________________________________________
>
> James J. Moore
>
> IBM Systems Group
> Advanced Systems Infrastructure Development
> Fellowship Assignee
>
> USC/Information Sciences Institute
> Center for Grid Technologies
> PhD Graduate Research Assistant
> Email: mooreja [at] isi.edu
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
>
> iD8DBQFEz8/W7M2tBQuwvKoRAgfhAJ9QGPqpVJRwdlTpKl2E2gNjtod31wCfdjUO
> Zzbx8X1gY+75M0k0Amz+m7M=
> =rJyJ
> -----END PGP SIGNATURE-----

--
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
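Anne's answer rests on xsi:type substitution: the assertion carries a plain <saml:Statement> element whose xsi:type names the XACML profile's derived type, so nothing in AssertionType's choice has to change. The consequence for a relying party is that an XACML authorization decision statement cannot be recognised by element name; it must resolve the xsi:type QName through the namespace declarations in scope on that element and compare the result with the profile's type. The following Python (standard-library xml.etree only) is an added example written for this thread, not code from the list, from Sun, or from the OASIS committee. The sample assertion, its ID, issuer, ResourceId and the "urn:example:other-profile" type are constructed values, and the URI used for the xacml-saml prefix is an assumption that should be checked against the targetNamespace of the schema file James cites.

```python
import io
import xml.etree.ElementTree as ET

# Namespace URIs. The SAML 2.0, XACML 2.0 context and XMLSchema-instance URIs are
# the standard ones. XACML_SAML_NS is an ASSUMPTION for this example: confirm it
# against the targetNamespace of access_control-xacml-2.0-saml-assertion-schema-os.xsd.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XACML_SAML_NS = "urn:oasis:xacml:2.0:saml:assertion:schema:os"  # assumed, see above
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml": SAML_NS, "xacml-context": XACML_CTX_NS, "xsi": XSI_NS}

# The (namespace URI, local name) pair a saml:Statement's xsi:type must resolve to.
XACML_STATEMENT_TYPE = (XACML_SAML_NS, "XACMLAuthzDecisionStatementType")

# Constructed sample: an unsigned assertion with two saml:Statement elements. The
# first is typed as an XACML authorization decision statement; the second uses a
# made-up type from another namespace and also contains a "Decision" child, so a
# parser that keys on the child element name instead of xsi:type would be fooled.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}"
    Version="2.0" ID="_constructed-assertion-1" IssueInstant="2006-08-01T12:00:00Z">
  <saml:Issuer>https://pdp.example.org</saml:Issuer>
  <saml:Statement xmlns:xacml-saml="{XACML_SAML_NS}" xmlns:xacml-context="{XACML_CTX_NS}"
      xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
    <xacml-context:Response>
      <xacml-context:Result ResourceId="file:///data/report.txt">
        <xacml-context:Decision>Permit</xacml-context:Decision>
      </xacml-context:Result>
    </xacml-context:Response>
  </saml:Statement>
  <saml:Statement xmlns:other="urn:example:other-profile" xsi:type="other:SomeStatementType">
    <other:Decision>Permit</other:Decision>
  </saml:Statement>
</saml:Assertion>
"""


def resolve_qname(qname, scope):
    """Map a 'prefix:local' QName string to (URI, local) using in-scope declarations.

    Returns None when no QName was given. An undeclared prefix is an error rather
    than a silent miss, so a malformed statement is never quietly treated as unknown.
    """
    if qname is None:
        return None
    prefix, sep, local = qname.rpartition(":")
    if not sep:                              # unprefixed: default namespace, if any
        return (scope.get(""), qname)
    if prefix not in scope:
        raise ValueError(f"undeclared prefix in xsi:type: {qname}")
    return (scope[prefix], local)


def statements(xml_text):
    """Classify every saml:Statement in the document by its resolved xsi:type.

    Returns a list of (resolved_type, decisions). For statements whose type is the
    XACML profile type, decisions holds the text of each xacml-context:Decision found
    under the statement's xacml-context:Response; for every other type it is empty.
    """
    results = []
    scopes = [{}]        # stack of prefix -> URI maps, one entry per open element
    pending = {}         # declarations reported since the last "start" event
    typed = {}           # id(elem) -> resolved type, set at "start", consumed at "end"
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            prefix, uri = payload           # fires before the declaring element's "start"
            pending[prefix] = uri
        elif event == "start":
            scope = {**scopes[-1], **pending}
            pending = {}
            scopes.append(scope)
            if payload.tag == f"{{{SAML_NS}}}Statement":
                typed[id(payload)] = resolve_qname(payload.get(f"{{{XSI_NS}}}type"), scope)
        else:                               # "end": subtree is complete, safe to inspect
            scopes.pop()
            if id(payload) in typed:
                rtype = typed.pop(id(payload))
                decisions = []
                if rtype == XACML_STATEMENT_TYPE:
                    path = "xacml-context:Response/xacml-context:Result/xacml-context:Decision"
                    decisions = [d.text for d in payload.findall(path, NS)]
                results.append((rtype, decisions))
    return results


def xacml_decisions(xml_text):
    """Only the decisions carried by statements typed as XACMLAuthzDecisionStatementType."""
    return [d for rtype, ds in statements(xml_text) if rtype == XACML_STATEMENT_TYPE for d in ds]


if __name__ == "__main__":
    for rtype, decisions in statements(SAMPLE_ASSERTION):
        print(rtype, decisions)
    print("XACML decisions:", xacml_decisions(SAMPLE_ASSERTION))
```

Run as a script it lists both statements with their resolved types and reports a single XACML decision, Permit, from the first one; the second statement's "Decision" child is ignored because its type resolves elsewhere. Two things the example deliberately leaves out of scope: the sample assertion is unsigned, whereas a real relying party verifies ds:Signature (and the Conditions) before trusting any statement, and no schema validation is performed, which would be the place to catch a statement whose xsi:type names a type the profile schema does not define.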