OASIS Mailing List Archives: saml-dev message

Subject: [saml-dev] Extending SAML to all Generic XML documents


Good day,

We've been working with SAML for the past few months to assist in the
exchange of data between two systems, which will grow to other systems
in the future.  We're using SAML in a somewhat non-standard way.  Instead
of the current SAML question, "tell me something about this user", we're
asking more the question "I know something you know, but I need more
information related to that piece of information."  The major reason
we're asking this question is that a lot of our data is relational, not
the standard LDAP.

After doing some background research into our data partners' data
models, we discovered that the current AttributeQuery, which assumes flat
translation, meaning all attributes are hierarchical, didn't quite cut it
for us.  We also spent time looking at how relational data can be mapped
to XML and vice versa, to look again at whether XML is even the right
data model for us.  What we found is that yes, it's the right data
model, but the current SAML doesn't fully support what we need to make
our project successful.  We also looked at why we are using SAML; our
conclusion was that, first, we don't want to develop a new standard
that everyone will have to support, and second, although we're only
using 20% of SAML, the framework was correct for us.  Therefore we
asked the question: what can we do to extend SAML to support our
business model?

This is what we came up with.  Our use case is the following: for each
of our business partners we have defined an XML namespace and schema that
defines the data that we wish to exchange.  We realized that we liked a
lot of the SAML framework, so we decided to look at what it would take
to be able to use SAML to exchange a generic XML document.  In our
particular use case, the requestor has some information that can be
filled into a partially filled out XML document; they then send this
document in a "modified SAML" request, in what's called the
DocumentDesignator, which has an element DocumentDescription, where this
instance of the XML document exists.  The server responds with the
completed XML document to the requestor, who then makes use of the data.
The key in our data is that it's almost all relational data, not LDAP
OO-hierarchy based.

I'd like to find out if anyone else has any thoughts on this idea.
Realize my customers are government based, so we see a good application
of this in our environment; the question is whether there is a commercial
usefulness for this also (I think there is).  I've included some modified
schema files that meet our needs.  Basically I've defined a structure
close to the attribute portion of the SAML standard, but with an XML
Document spin; everything has a prefix of Document.

Obviously everything is up for discussion; our hope is that something to
this effect could exist in a future iteration of SAML.

Thanks,

evan

Evan Montgomery-Recht, CISSP
Booz Allen Hamilton
mail: recht_evan@bah.com
work: 703.902.5496
fax: 703.902.3409
mobile: 571.332.8663
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XMLSPY v5 rel. 3 U (http://www.xmlspy.com) by Evan Montgomery-Recht (MiAnetworks LLC) -->
<!-- edited with XML Spy v4.2 U (http://www.xmlspy.com) by Phillip Hallam-Baker (Phillip Hallam-Baker) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified">
	<!-- The posted file pointed schemaLocation at a local Windows path; the assertion schema
	     included in this message is document-assertion.xsd, so a relative location is used here. -->
	<import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="document-assertion.xsd"/>
	<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
	<annotation>
		<documentation>
			Document identifier: cs-sstc-schema-protocol-01
			Location: http://www.oasis-open.org/committees/security/docs/
		</documentation>
	</annotation>
	<complexType name="RequestAbstractType" abstract="true">
		<sequence>
			<element ref="samlp:RespondWith" minOccurs="0" maxOccurs="unbounded"/>
			<element ref="ds:Signature" minOccurs="0"/>
		</sequence>
		<attribute name="RequestID" type="saml:IDType" use="required"/>
		<attribute name="MajorVersion" type="integer" use="required"/>
		<attribute name="MinorVersion" type="integer" use="required"/>
		<attribute name="IssueInstant" type="dateTime" use="required"/>
	</complexType>
	<element name="RespondWith" type="QName"/>
	<element name="Request" type="samlp:RequestType"/>
	<complexType name="RequestType">
		<complexContent>
			<extension base="samlp:RequestAbstractType">
				<choice>
					<element ref="samlp:Query"/>
					<element ref="samlp:SubjectQuery"/>
					<element ref="samlp:AuthenticationQuery"/>
					<element ref="samlp:AttributeQuery"/>
					<element ref="samlp:DocumentQuery"/>
					<element ref="samlp:AuthorizationDecisionQuery"/>
					<element ref="saml:AssertionIDReference" maxOccurs="unbounded"/>
					<element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/>
				</choice>
			</extension>
		</complexContent>
	</complexType>
	<element name="AssertionArtifact" type="string"/>
	<element name="Query" type="samlp:QueryAbstractType"/>
	<complexType name="QueryAbstractType" abstract="true"/>
	<element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
	<complexType name="SubjectQueryAbstractType" abstract="true">
		<complexContent>
			<extension base="samlp:QueryAbstractType">
				<sequence>
					<element ref="saml:Subject"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<element name="AuthenticationQuery" type="samlp:AuthenticationQueryType"/>
	<complexType name="AuthenticationQueryType">
		<complexContent>
			<extension base="samlp:SubjectQueryAbstractType">
				<attribute name="AuthenticationMethod" type="anyURI"/>
			</extension>
		</complexContent>
	</complexType>
	<element name="AttributeQuery" type="samlp:AttributeQueryType"/>
	<complexType name="AttributeQueryType">
		<complexContent>
			<extension base="samlp:SubjectQueryAbstractType">
				<sequence>
					<element ref="saml:AttributeDesignator" minOccurs="0" maxOccurs="unbounded"/>
				</sequence>
				<attribute name="Resource" type="anyURI" use="optional"/>
			</extension>
		</complexContent>
	</complexType>
	<element name="DocumentQuery" type="samlp:DocumentQueryType"/>
	<complexType name="DocumentQueryType">
		<complexContent>
			<extension base="samlp:SubjectQueryAbstractType">
				<sequence>
					<element ref="saml:DocumentDesignator" minOccurs="0" maxOccurs="unbounded"/>
				</sequence>
				<attribute name="Resource" type="anyURI" use="optional"/>
			</extension>
		</complexContent>
	</complexType>
	<element name="AuthorizationDecisionQuery" type="samlp:AuthorizationDecisionQueryType"/>
	<complexType name="AuthorizationDecisionQueryType">
		<complexContent>
			<extension base="samlp:SubjectQueryAbstractType">
				<sequence>
					<element ref="saml:Action" maxOccurs="unbounded"/>
					<element ref="saml:Evidence" minOccurs="0"/>
				</sequence>
				<attribute name="Resource" type="anyURI" use="required"/>
			</extension>
		</complexContent>
	</complexType>
	<complexType name="ResponseAbstractType" abstract="true">
		<sequence>
			<element ref="ds:Signature" minOccurs="0"/>
		</sequence>
		<attribute name="ResponseID" type="saml:IDType" use="required"/>
		<attribute name="InResponseTo" type="saml:IDReferenceType" use="optional"/>
		<attribute name="MajorVersion" type="integer" use="required"/>
		<attribute name="MinorVersion" type="integer" use="required"/>
		<attribute name="IssueInstant" type="dateTime" use="required"/>
		<attribute name="Recipient" type="anyURI" use="optional"/>
	</complexType>
	<element name="Response" type="samlp:ResponseType"/>
	<complexType name="ResponseType">
		<complexContent>
			<extension base="samlp:ResponseAbstractType">
				<sequence>
					<element ref="samlp:Status"/>
					<element ref="saml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<element name="Status" type="samlp:StatusType"/>
	<complexType name="StatusType">
		<sequence>
			<element ref="samlp:StatusCode"/>
			<element ref="samlp:StatusMessage" minOccurs="0"/>
			<element ref="samlp:StatusDetail" minOccurs="0"/>
		</sequence>
	</complexType>
	<element name="StatusCode" type="samlp:StatusCodeType"/>
	<complexType name="StatusCodeType">
		<sequence>
			<element ref="samlp:StatusCode" minOccurs="0"/>
		</sequence>
		<attribute name="Value" type="QName" use="required"/>
	</complexType>
	<element name="StatusMessage" type="string"/>
	<element name="StatusDetail" type="samlp:StatusDetailType"/>
	<complexType name="StatusDetailType">
		<sequence>
			<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
		</sequence>
	</complexType>
</schema>
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XMLSPY v5 rel. 3 U (http://www.xmlspy.com) by Evan Montgomery-Recht (MiAnetworks LLC) -->
<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified">
	<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
	<annotation>
		<documentation>
			Document identifier: cs-sstc-schema-assertion-01
			Location: http://www.oasis-open.org/committees/security/docs/
		</documentation>
	</annotation>
	<simpleType name="IDType">
		<restriction base="string"/>
	</simpleType>
	<simpleType name="IDReferenceType">
		<restriction base="string"/>
	</simpleType>
	<simpleType name="DecisionType">
		<restriction base="string">
			<enumeration value="Permit"/>
			<enumeration value="Deny"/>
			<enumeration value="Indeterminate"/>
		</restriction>
	</simpleType>
	<element name="AssertionIDReference" type="saml:IDReferenceType"/>
	<element name="Assertion" type="saml:AssertionType"/>
	<complexType name="AssertionType">
		<sequence>
			<element ref="saml:Conditions" minOccurs="0"/>
			<element ref="saml:Advice" minOccurs="0"/>
			<choice maxOccurs="unbounded">
				<element ref="saml:Statement"/>
				<element ref="saml:SubjectStatement"/>
				<element ref="saml:AuthenticationStatement"/>
				<element ref="saml:AuthorizationDecisionStatement"/>
				<element ref="saml:AttributeStatement"/>
				<element ref="saml:DocumentStatement"/>
			</choice>
			<element ref="ds:Signature" minOccurs="0"/>
		</sequence>
		<attribute name="MajorVersion" type="integer" use="required"/>
		<attribute name="MinorVersion" type="integer" use="required"/>
		<attribute name="AssertionID" type="saml:IDType" use="required"/>
		<attribute name="Issuer" type="string" use="required"/>
		<attribute name="IssueInstant" type="dateTime" use="required"/>
	</complexType>
	<element name="Conditions" type="saml:ConditionsType"/>
	<complexType name="ConditionsType">
		<choice minOccurs="0" maxOccurs="unbounded">
			<element ref="saml:AudienceRestrictionCondition"/>
			<element ref="saml:Condition"/>
		</choice>
		<attribute name="NotBefore" type="dateTime" use="optional"/>
		<attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
	</complexType>
	<element name="Condition" type="saml:ConditionAbstractType"/>
	<complexType name="ConditionAbstractType" abstract="true"/>
	<element name="AudienceRestrictionCondition" type="saml:AudienceRestrictionConditionType"/>
	<complexType name="AudienceRestrictionConditionType">
		<complexContent>
			<extension base="saml:ConditionAbstractType">
				<sequence>
					<element ref="saml:Audience" maxOccurs="unbounded"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<element name="Audience" type="anyURI"/>
	<element name="Advice" type="saml:AdviceType"/>
	<complexType name="AdviceType">
		<choice minOccurs="0" maxOccurs="unbounded">
			<element ref="saml:AssertionIDReference"/>
			<element ref="saml:Assertion"/>
			<any namespace="##other" processContents="lax"/>
		</choice>
	</complexType>
	<element name="Statement" type="saml:StatementAbstractType"/>
	<complexType name="StatementAbstractType" abstract="true"/>
	<element name="SubjectStatement" type="saml:SubjectStatementAbstractType"/>
	<complexType name="SubjectStatementAbstractType" abstract="true">
		<complexContent>
			<extension base="saml:StatementAbstractType">
				<sequence>
					<element ref="saml:Subject"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<element name="Subject" type="saml:SubjectType"/>
	<complexType name="SubjectType">
		<choice>
			<sequence>
				<element ref="saml:NameIdentifier"/>
				<element ref="saml:SubjectConfirmation" minOccurs="0"/>
			</sequence>
			<element ref="saml:SubjectConfirmation"/>
		</choice>
	</complexType>
	<element name="NameIdentifier" type="saml:NameIdentifierType"/>
	<complexType name="NameIdentifierType">
		<simpleContent>
			<extension base="string">
				<attribute name="NameQualifier" type="string" use="optional"/>
				<attribute name="Format" type="anyURI" use="optional"/>
			</extension>
		</simpleContent>
	</complexType>
	<element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
	<complexType name="SubjectConfirmationType">
		<sequence>
			<element ref="saml:ConfirmationMethod" maxOccurs="unbounded"/>
			<element ref="saml:SubjectConfirmationData" minOccurs="0"/>
			<element ref="ds:KeyInfo" minOccurs="0"/>
		</sequence>
	</complexType>
	<element name="SubjectConfirmationData" type="anyType"/>
	<element name="ConfirmationMethod" type="anyURI"/>
	<element name="AuthenticationStatement" type="saml:AuthenticationStatementType"/>
	<complexType name="AuthenticationStatementType">
		<complexContent>
			<extension base="saml:SubjectStatementAbstractType">
				<sequence>
					<element ref="saml:SubjectLocality" minOccurs="0"/>
					<element ref="saml:AuthorityBinding" minOccurs="0" maxOccurs="unbounded"/>
				</sequence>
				<attribute name="AuthenticationMethod" type="anyURI" use="required"/>
				<attribute name="AuthenticationInstant" type="dateTime" use="required"/>
			</extension>
		</complexContent>
	</complexType>
	<element name="SubjectLocality" type="saml:SubjectLocalityType"/>
	<complexType name="SubjectLocalityType">
		<attribute name="IPAddress" type="string" use="optional"/>
		<attribute name="DNSAddress" type="string" use="optional"/>
	</complexType>
	<element name="AuthorityBinding" type="saml:AuthorityBindingType"/>
	<complexType name="AuthorityBindingType">
		<attribute name="AuthorityKind" type="QName" use="required"/>
		<attribute name="Location" type="anyURI" use="required"/>
		<attribute name="Binding" type="anyURI" use="required"/>
	</complexType>
	<element name="AuthorizationDecisionStatement" type="saml:AuthorizationDecisionStatementType"/>
	<complexType name="AuthorizationDecisionStatementType">
		<complexContent>
			<extension base="saml:SubjectStatementAbstractType">
				<sequence>
					<element ref="saml:Action" maxOccurs="unbounded"/>
					<element ref="saml:Evidence" minOccurs="0"/>
				</sequence>
				<attribute name="Resource" type="anyURI" use="required"/>
				<attribute name="Decision" type="saml:DecisionType" use="required"/>
			</extension>
		</complexContent>
	</complexType>
	<element name="Action" type="saml:ActionType"/>
	<complexType name="ActionType">
		<simpleContent>
			<extension base="string">
				<attribute name="Namespace" type="anyURI"/>
			</extension>
		</simpleContent>
	</complexType>
	<element name="Evidence" type="saml:EvidenceType"/>
	<complexType name="EvidenceType">
		<choice maxOccurs="unbounded">
			<element ref="saml:AssertionIDReference"/>
			<element ref="saml:Assertion"/>
		</choice>
	</complexType>
	<element name="AttributeStatement" type="saml:AttributeStatementType"/>
	<complexType name="AttributeStatementType">
		<complexContent>
			<extension base="saml:SubjectStatementAbstractType">
				<sequence>
					<element ref="saml:Attribute" maxOccurs="unbounded"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<element name="AttributeDesignator" type="saml:AttributeDesignatorType"/>
	<complexType name="AttributeDesignatorType">
		<attribute name="AttributeName" type="string" use="required"/>
		<attribute name="AttributeNamespace" type="anyURI" use="required"/>
	</complexType>
	<element name="Attribute" type="saml:AttributeType"/>
	<complexType name="AttributeType">
		<complexContent>
			<extension base="saml:AttributeDesignatorType">
				<sequence>
					<element ref="saml:AttributeValue" maxOccurs="unbounded"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<element name="AttributeValue" type="anyType"/>
	<element name="DocumentStatement" type="saml:DocumentStatementType"/>
	<complexType name="DocumentStatementType">
		<complexContent>
			<extension base="saml:SubjectStatementAbstractType">
				<sequence>
					<element ref="saml:Document" maxOccurs="unbounded"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<element name="DocumentDesignator" type="saml:DocumentDesignatorType"/>
	<complexType name="DocumentDesignatorType">
		<complexContent>
			<extension base="saml:DocumentDescriptionType">
				<attribute name="DocumentNamespace" type="anyURI" use="required"/>
			</extension>
		</complexContent>
	</complexType>
	<element name="Document" type="saml:DocumentType"/>
	<complexType name="DocumentType">
		<complexContent>
			<extension base="saml:DocumentDesignatorType">
				<sequence>
					<element ref="saml:DocumentValue" maxOccurs="unbounded"/>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<element name="DocumentValue" type="anyType"/>
	<complexType name="DocumentDescriptionType">
		<sequence>
			<element name="DocumentDescription" type="anyType" minOccurs="0"/>
		</sequence>
	</complexType>
</schema>
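
The request/response exchange described in the message, as an added example that is not part of the original post or the attached schema files: it builds a samlp:Request carrying a DocumentQuery (the partial document inside DocumentDesignator/DocumentDescription), a responder that completes the document from a relational lookup and returns it as saml:DocumentValue inside a DocumentStatement, and the checks a requestor should make before trusting the returned document (InResponseTo bound to its own RequestID, success status, expected Issuer, Conditions validity window, and the DocumentNamespace it asked for). The partner namespace urn:example:partner:order, the Issuer value, the ORDERS rows, the identifiers and the fixed clock are all constructed for the example; only the SAML element and attribute names come from the posted schemas.

```python
"""Added example, not part of the original message or its schema files.
Builds a DocumentQuery request and its Response from the elements the posted
schemas define, and shows the checks the requestor should make before using
the returned document.  Partner namespace, identifiers, data and timestamps
are constructed for the example."""
import copy
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
PARTNER_NS = "urn:example:partner:order"   # constructed partner document namespace
PARTNER_ID = "urn:example:partner"         # constructed Issuer value
NOW = datetime(2003, 6, 1, 12, 0, 0)       # constructed clock (UTC) so runs are deterministic
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed relational rows the responder joins against; a real responder
# would authorise the Subject before looking anything up.
ORDERS = {"ORD-1001": {"Status": "shipped", "Carrier": "ACME Freight"}}


def q(ns, name):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (ns, name)


def partial_order(order_id):
    """The requestor's partially filled document: only the key is known."""
    order = ET.Element(q(PARTNER_NS, "Order"))
    ET.SubElement(order, q(PARTNER_NS, "OrderId")).text = order_id
    return order


def build_request(request_id, subject, partial_doc, now=NOW):
    """Requestor side: samlp:Request carrying one DocumentQuery.  The partial
    document sits in DocumentDesignator/DocumentDescription, which the schema
    declares as a local (unqualified) element."""
    req = ET.Element(q(SAMLP, "Request"), RequestID=request_id, MajorVersion="1",
                     MinorVersion="0", IssueInstant=now.strftime(TIME_FMT))
    query = ET.SubElement(req, q(SAMLP, "DocumentQuery"))
    subj = ET.SubElement(query, q(SAML, "Subject"))
    ET.SubElement(subj, q(SAML, "NameIdentifier")).text = subject
    desig = ET.SubElement(query, q(SAML, "DocumentDesignator"), DocumentNamespace=PARTNER_NS)
    ET.SubElement(desig, "DocumentDescription").append(partial_doc)
    return req


def build_response(req, now=NOW):
    """Responder side: completes the document from ORDERS and returns it as
    saml:DocumentValue inside a DocumentStatement bound to the request."""
    query = req.find(q(SAMLP, "DocumentQuery"))
    desig = query.find(q(SAML, "DocumentDesignator"))
    partial = desig.find("DocumentDescription")[0]
    order_id = partial.findtext(q(PARTNER_NS, "OrderId"))
    rid = req.get("RequestID")
    resp = ET.Element(q(SAMLP, "Response"), ResponseID="resp-" + rid, InResponseTo=rid,
                      MajorVersion="1", MinorVersion="0", IssueInstant=now.strftime(TIME_FMT))
    status = ET.SubElement(resp, q(SAMLP, "Status"))
    if order_id not in ORDERS:   # nothing to return: failure status, no assertion
        ET.SubElement(status, q(SAMLP, "StatusCode"), Value="samlp:Responder")
        return resp
    ET.SubElement(status, q(SAMLP, "StatusCode"), Value="samlp:Success")
    assertion = ET.SubElement(resp, q(SAML, "Assertion"), MajorVersion="1", MinorVersion="0",
                              AssertionID="a-" + rid, Issuer=PARTNER_ID,
                              IssueInstant=now.strftime(TIME_FMT))
    ET.SubElement(assertion, q(SAML, "Conditions"), NotBefore=now.strftime(TIME_FMT),
                  NotOnOrAfter=(now + timedelta(minutes=5)).strftime(TIME_FMT))
    stmt = ET.SubElement(assertion, q(SAML, "DocumentStatement"))
    stmt.append(copy.deepcopy(query.find(q(SAML, "Subject"))))
    doc = ET.SubElement(stmt, q(SAML, "Document"), DocumentNamespace=desig.get("DocumentNamespace"))
    doc.append(copy.deepcopy(desig.find("DocumentDescription")))
    completed = copy.deepcopy(partial)   # the completed document keeps the requestor's fields
    for field, value in ORDERS[order_id].items():
        ET.SubElement(completed, q(PARTNER_NS, field)).text = value
    ET.SubElement(doc, q(SAML, "DocumentValue")).append(completed)
    return resp


def check_response(resp, request_id, expected_ns=PARTNER_NS, expected_issuer=PARTNER_ID, now=NOW):
    """Requestor side: accept the document only if the response is bound to our
    request, succeeded, comes from the expected issuer, is inside its validity
    window and is in the namespace we asked for.  Returns the completed document."""
    if resp.get("InResponseTo") != request_id:
        raise ValueError("response is not bound to our RequestID")
    code = resp.find(q(SAMLP, "Status")).find(q(SAMLP, "StatusCode")).get("Value")
    if code != "samlp:Success":
        raise ValueError("responder returned " + code)
    assertion = resp.find(q(SAML, "Assertion"))
    if assertion.get("Issuer") != expected_issuer:
        raise ValueError("unexpected Issuer " + assertion.get("Issuer"))
    cond = assertion.find(q(SAML, "Conditions"))
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    doc = assertion.find(q(SAML, "DocumentStatement")).find(q(SAML, "Document"))
    value = doc.find(q(SAML, "DocumentValue"))[0]
    if doc.get("DocumentNamespace") != expected_ns or not value.tag.startswith("{%s}" % expected_ns):
        raise ValueError("document is not in the requested namespace")
    return value


def exchange(order_id, request_id="req-42", now=NOW):
    """Full round trip over the wire form (serialised and re-parsed on each side)."""
    req = build_request(request_id, "requestor@example.gov", partial_order(order_id), now)
    resp = build_response(ET.fromstring(ET.tostring(req)), now)
    return check_response(ET.fromstring(ET.tostring(resp)), request_id, now=now)


if __name__ == "__main__":
    print(ET.tostring(exchange("ORD-1001"), encoding="unicode"))
```

The checks in check_response are the ones the attribute-query flow already relies on (request/response binding, status, issuer, conditions) plus the one the document extension adds: the returned DocumentValue must be in the DocumentNamespace that was requested, so a partner cannot substitute a document from another partner's schema. The posted schemas leave ds:Signature optional on both Request and Assertion; this example does not sign or verify, so in a deployment the response would additionally be checked for a signature from the expected partner before any of the above.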

