[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [saml-dev] Extending SAML to all Generic XML documents
Good day,

We've been working with SAML for the past few months to assist in the exchange of data between two systems, which will grow to other systems in the future. We're using SAML in a somewhat non-standard way. Instead of the current SAML question, "tell me something about this user", we're asking more of the question "I know something you know, but I need more information related to that piece of information." The major reason we're asking this question is that a lot of our data is relational, not the standard LDAP. After doing some background research into our data partners' data models, we discovered that the current AttributeQuery, which assumes flat translation, meaning all attributes are hierarchical, didn't quite cut it for us. We also spent time looking at how relational data can be mapped to XML and vice versa, to look again at whether XML is even the right data model for us. What we found is that yes, it is the right data model, but the current SAML doesn't fully support what we need to make our project successful. We also looked at why we are using SAML; our conclusion was that, first, we don't want to develop a new standard that everyone will have to support, and second, although we're only using 20% of SAML, the framework was correct for us. Therefore we asked what we could do to extend SAML to support our business model. This is what we came up with.

Our use case is the following: for each of our business partners we have defined an XML namespace and schema that defines the data that we wish to exchange. We realized that we liked a lot of the SAML framework, so we decided to look at what it would take to be able to use SAML to exchange a generic XML document.

In our particular use case, the requestor has some information that can be filled into a partially filled-out XML document. They then send this document in a "modified SAML" request, in what's called the DocumentDesignator, which has an element DocumentDescription where this instance of the XML document exists. The server responds with the completed XML document to the requestor, who then makes use of the data. The key to our data is that it's almost all relational, not LDAP OO-hierarchy based.

I'd like to find out if anyone else has any thoughts on this idea. Realize my customers are government based, so we see a good application of this in our environment; the question is whether there is a commercial usefulness for this also (I think there is). I've included some modified schema files that meet our needs. Basically I've defined a structure close to the attribute portion of the SAML standard, but with an XML document spin; everything has a prefix of Document. Obviously everything is up for discussion; our hope is that something to this effect could exist in a future iteration of SAML.

Thanks,
evan

Evan Montgomery-Recht, CISSP
Booz Allen Hamilton
mail: recht_evan@bah.com
work: 703.902.5496
fax: 703.902.3409
mobile: 571.332.8663
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XMLSPY v5 rel. 3 U (http://www.xmlspy.com) by Evan Montgomery-Recht (MiAnetworks LLC) -->
<!-- edited with XML Spy v4.2 U (http://www.xmlspy.com) by Phillip Hallam-Baker (Phillip Hallam-Baker) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:protocol"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        xmlns="http://www.w3.org/2001/XMLSchema"
        elementFormDefault="unqualified">
  <import namespace="urn:oasis:names:tc:SAML:1.0:assertion"
          schemaLocation="C:\Documents and Settings\509404\My Documents\DLA\schema's\document-assertion.xsd"/>
  <import namespace="http://www.w3.org/2000/09/xmldsig#"
          schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
  <annotation>
    <documentation>
      Document identifier: cs-sstc-schema-protocol-01
      Location: http://www.oasis-open.org/committees/security/docs/
    </documentation>
  </annotation>
  <complexType name="RequestAbstractType" abstract="true">
    <sequence>
      <element ref="samlp:RespondWith" minOccurs="0" maxOccurs="unbounded"/>
      <element ref="ds:Signature" minOccurs="0"/>
    </sequence>
    <attribute name="RequestID" type="saml:IDType" use="required"/>
    <attribute name="MajorVersion" type="integer" use="required"/>
    <attribute name="MinorVersion" type="integer" use="required"/>
    <attribute name="IssueInstant" type="dateTime" use="required"/>
  </complexType>
  <element name="RespondWith" type="QName"/>
  <element name="Request" type="samlp:RequestType"/>
  <complexType name="RequestType">
    <complexContent>
      <extension base="samlp:RequestAbstractType">
        <choice>
          <element ref="samlp:Query"/>
          <element ref="samlp:SubjectQuery"/>
          <element ref="samlp:AuthenticationQuery"/>
          <element ref="samlp:AttributeQuery"/>
          <element ref="samlp:DocumentQuery"/>
          <element ref="samlp:AuthorizationDecisionQuery"/>
          <element ref="saml:AssertionIDReference" maxOccurs="unbounded"/>
          <element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/>
        </choice>
      </extension>
    </complexContent>
  </complexType>
  <element name="AssertionArtifact" type="string"/>
  <element name="Query" type="samlp:QueryAbstractType"/>
  <complexType name="QueryAbstractType" abstract="true"/>
  <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
  <complexType name="SubjectQueryAbstractType" abstract="true">
    <complexContent>
      <extension base="samlp:QueryAbstractType">
        <sequence>
          <element ref="saml:Subject"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <element name="AuthenticationQuery" type="samlp:AuthenticationQueryType"/>
  <complexType name="AuthenticationQueryType">
    <complexContent>
      <extension base="samlp:SubjectQueryAbstractType">
        <attribute name="AuthenticationMethod" type="anyURI"/>
      </extension>
    </complexContent>
  </complexType>
  <element name="AttributeQuery" type="samlp:AttributeQueryType"/>
  <complexType name="AttributeQueryType">
    <complexContent>
      <extension base="samlp:SubjectQueryAbstractType">
        <sequence>
          <element ref="saml:AttributeDesignator" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="Resource" type="anyURI" use="optional"/>
      </extension>
    </complexContent>
  </complexType>
  <element name="DocumentQuery" type="samlp:DocumentQueryType"/>
  <complexType name="DocumentQueryType">
    <complexContent>
      <extension base="samlp:SubjectQueryAbstractType">
        <sequence>
          <element ref="saml:DocumentDesignator" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="Resource" type="anyURI" use="optional"/>
      </extension>
    </complexContent>
  </complexType>
  <element name="AuthorizationDecisionQuery" type="samlp:AuthorizationDecisionQueryType"/>
  <complexType name="AuthorizationDecisionQueryType">
    <complexContent>
      <extension base="samlp:SubjectQueryAbstractType">
        <sequence>
          <element ref="saml:Action" maxOccurs="unbounded"/>
          <element ref="saml:Evidence" minOccurs="0"/>
        </sequence>
        <attribute name="Resource" type="anyURI" use="required"/>
      </extension>
    </complexContent>
  </complexType>
  <complexType name="ResponseAbstractType" abstract="true">
    <sequence>
      <element ref="ds:Signature" minOccurs="0"/>
    </sequence>
    <attribute name="ResponseID" type="saml:IDType" use="required"/>
    <attribute name="InResponseTo" type="saml:IDReferenceType" use="optional"/>
    <attribute name="MajorVersion" type="integer" use="required"/>
    <attribute name="MinorVersion" type="integer" use="required"/>
    <attribute name="IssueInstant" type="dateTime" use="required"/>
    <attribute name="Recipient" type="anyURI" use="optional"/>
  </complexType>
  <element name="Response" type="samlp:ResponseType"/>
  <complexType name="ResponseType">
    <complexContent>
      <extension base="samlp:ResponseAbstractType">
        <sequence>
          <element ref="samlp:Status"/>
          <element ref="saml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <element name="Status" type="samlp:StatusType"/>
  <complexType name="StatusType">
    <sequence>
      <element ref="samlp:StatusCode"/>
      <element ref="samlp:StatusMessage" minOccurs="0"/>
      <element ref="samlp:StatusDetail" minOccurs="0"/>
    </sequence>
  </complexType>
  <element name="StatusCode" type="samlp:StatusCodeType"/>
  <complexType name="StatusCodeType">
    <sequence>
      <element ref="samlp:StatusCode" minOccurs="0"/>
    </sequence>
    <attribute name="Value" type="QName" use="required"/>
  </complexType>
  <element name="StatusMessage" type="string"/>
  <element name="StatusDetail" type="samlp:StatusDetailType"/>
  <complexType name="StatusDetailType">
    <sequence>
      <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
  </complexType>
</schema>
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XMLSPY v5 rel. 3 U (http://www.xmlspy.com) by Evan Montgomery-Recht (MiAnetworks LLC) -->
<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns="http://www.w3.org/2001/XMLSchema"
        elementFormDefault="unqualified">
  <import namespace="http://www.w3.org/2000/09/xmldsig#"
          schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
  <annotation>
    <documentation>
      Document identifier: cs-sstc-schema-assertion-01
      Location: http://www.oasis-open.org/committees/security/docs/
    </documentation>
  </annotation>
  <simpleType name="IDType">
    <restriction base="string"/>
  </simpleType>
  <simpleType name="IDReferenceType">
    <restriction base="string"/>
  </simpleType>
  <simpleType name="DecisionType">
    <restriction base="string">
      <enumeration value="Permit"/>
      <enumeration value="Deny"/>
      <enumeration value="Indeterminate"/>
    </restriction>
  </simpleType>
  <element name="AssertionIDReference" type="saml:IDReferenceType"/>
  <element name="Assertion" type="saml:AssertionType"/>
  <complexType name="AssertionType">
    <sequence>
      <element ref="saml:Conditions" minOccurs="0"/>
      <element ref="saml:Advice" minOccurs="0"/>
      <choice maxOccurs="unbounded">
        <element ref="saml:Statement"/>
        <element ref="saml:SubjectStatement"/>
        <element ref="saml:AuthenticationStatement"/>
        <element ref="saml:AuthorizationDecisionStatement"/>
        <element ref="saml:AttributeStatement"/>
        <element ref="saml:DocumentStatement"/>
      </choice>
      <element ref="ds:Signature" minOccurs="0"/>
    </sequence>
    <attribute name="MajorVersion" type="integer" use="required"/>
    <attribute name="MinorVersion" type="integer" use="required"/>
    <attribute name="AssertionID" type="saml:IDType" use="required"/>
    <attribute name="Issuer" type="string" use="required"/>
    <attribute name="IssueInstant" type="dateTime" use="required"/>
  </complexType>
  <element name="Conditions" type="saml:ConditionsType"/>
  <complexType name="ConditionsType">
    <choice minOccurs="0" maxOccurs="unbounded">
      <element ref="saml:AudienceRestrictionCondition"/>
      <element ref="saml:Condition"/>
    </choice>
    <attribute name="NotBefore" type="dateTime" use="optional"/>
    <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
  </complexType>
  <element name="Condition" type="saml:ConditionAbstractType"/>
  <complexType name="ConditionAbstractType" abstract="true"/>
  <element name="AudienceRestrictionCondition" type="saml:AudienceRestrictionConditionType"/>
  <complexType name="AudienceRestrictionConditionType">
    <complexContent>
      <extension base="saml:ConditionAbstractType">
        <sequence>
          <element ref="saml:Audience" maxOccurs="unbounded"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <element name="Audience" type="anyURI"/>
  <element name="Advice" type="saml:AdviceType"/>
  <complexType name="AdviceType">
    <choice minOccurs="0" maxOccurs="unbounded">
      <element ref="saml:AssertionIDReference"/>
      <element ref="saml:Assertion"/>
      <any namespace="##other" processContents="lax"/>
    </choice>
  </complexType>
  <element name="Statement" type="saml:StatementAbstractType"/>
  <complexType name="StatementAbstractType" abstract="true"/>
  <element name="SubjectStatement" type="saml:SubjectStatementAbstractType"/>
  <complexType name="SubjectStatementAbstractType" abstract="true">
    <complexContent>
      <extension base="saml:StatementAbstractType">
        <sequence>
          <element ref="saml:Subject"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <element name="Subject" type="saml:SubjectType"/>
  <complexType name="SubjectType">
    <choice>
      <sequence>
        <element ref="saml:NameIdentifier"/>
        <element ref="saml:SubjectConfirmation" minOccurs="0"/>
      </sequence>
      <element ref="saml:SubjectConfirmation"/>
    </choice>
  </complexType>
  <element name="NameIdentifier" type="saml:NameIdentifierType"/>
  <complexType name="NameIdentifierType">
    <simpleContent>
      <extension base="string">
        <attribute name="NameQualifier" type="string" use="optional"/>
        <attribute name="Format" type="anyURI" use="optional"/>
      </extension>
    </simpleContent>
  </complexType>
  <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
  <complexType name="SubjectConfirmationType">
    <sequence>
      <element ref="saml:ConfirmationMethod" maxOccurs="unbounded"/>
      <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
      <element ref="ds:KeyInfo" minOccurs="0"/>
    </sequence>
  </complexType>
  <element name="SubjectConfirmationData" type="anyType"/>
  <element name="ConfirmationMethod" type="anyURI"/>
  <element name="AuthenticationStatement" type="saml:AuthenticationStatementType"/>
  <complexType name="AuthenticationStatementType">
    <complexContent>
      <extension base="saml:SubjectStatementAbstractType">
        <sequence>
          <element ref="saml:SubjectLocality" minOccurs="0"/>
          <element ref="saml:AuthorityBinding" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="AuthenticationMethod" type="anyURI" use="required"/>
        <attribute name="AuthenticationInstant" type="dateTime" use="required"/>
      </extension>
    </complexContent>
  </complexType>
  <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
  <complexType name="SubjectLocalityType">
    <attribute name="IPAddress" type="string" use="optional"/>
    <attribute name="DNSAddress" type="string" use="optional"/>
  </complexType>
  <element name="AuthorityBinding" type="saml:AuthorityBindingType"/>
  <complexType name="AuthorityBindingType">
    <attribute name="AuthorityKind" type="QName" use="required"/>
    <attribute name="Location" type="anyURI" use="required"/>
    <attribute name="Binding" type="anyURI" use="required"/>
  </complexType>
  <element name="AuthorizationDecisionStatement" type="saml:AuthorizationDecisionStatementType"/>
  <complexType name="AuthorizationDecisionStatementType">
    <complexContent>
      <extension base="saml:SubjectStatementAbstractType">
        <sequence>
          <element ref="saml:Action" maxOccurs="unbounded"/>
          <element ref="saml:Evidence" minOccurs="0"/>
        </sequence>
        <attribute name="Resource" type="anyURI" use="required"/>
        <attribute name="Decision" type="saml:DecisionType" use="required"/>
      </extension>
    </complexContent>
  </complexType>
  <element name="Action" type="saml:ActionType"/>
  <complexType name="ActionType">
    <simpleContent>
      <extension base="string">
        <attribute name="Namespace" type="anyURI"/>
      </extension>
    </simpleContent>
  </complexType>
  <element name="Evidence" type="saml:EvidenceType"/>
  <complexType name="EvidenceType">
    <choice maxOccurs="unbounded">
      <element ref="saml:AssertionIDReference"/>
      <element ref="saml:Assertion"/>
    </choice>
  </complexType>
  <element name="AttributeStatement" type="saml:AttributeStatementType"/>
  <complexType name="AttributeStatementType">
    <complexContent>
      <extension base="saml:SubjectStatementAbstractType">
        <sequence>
          <element ref="saml:Attribute" maxOccurs="unbounded"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <element name="AttributeDesignator" type="saml:AttributeDesignatorType"/>
  <complexType name="AttributeDesignatorType">
    <attribute name="AttributeName" type="string" use="required"/>
    <attribute name="AttributeNamespace" type="anyURI" use="required"/>
  </complexType>
  <element name="Attribute" type="saml:AttributeType"/>
  <complexType name="AttributeType">
    <complexContent>
      <extension base="saml:AttributeDesignatorType">
        <sequence>
          <element ref="saml:AttributeValue" maxOccurs="unbounded"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <element name="AttributeValue" type="anyType"/>
  <element name="DocumentStatement" type="saml:DocumentStatementType"/>
  <complexType name="DocumentStatementType">
    <complexContent>
      <extension base="saml:SubjectStatementAbstractType">
        <sequence>
          <element ref="saml:Document" maxOccurs="unbounded"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <element name="DocumentDesignator" type="saml:DocumentDesignatorType"/>
  <complexType name="DocumentDesignatorType">
    <complexContent>
      <extension base="saml:DocumentDescriptionType">
        <attribute name="DocumentNamespace" type="anyURI" use="required"/>
      </extension>
    </complexContent>
  </complexType>
  <element name="Document" type="saml:DocumentType"/>
  <complexType name="DocumentType">
    <complexContent>
      <extension base="saml:DocumentDesignatorType">
        <sequence>
          <element ref="saml:DocumentValue" maxOccurs="unbounded"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <element name="DocumentValue" type="anyType"/>
  <complexType name="DocumentDescriptionType">
    <sequence>
      <element name="DocumentDescription" type="anyType" minOccurs="0"/>
    </sequence>
  </complexType>
</schema>
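The round trip the post describes, as an added example (editor's code, not part of the original message or of Booz Allen's implementation): the requestor wraps a partially filled partner document in a samlp:DocumentQuery/saml:DocumentDesignator, the responder fills the missing columns from a relational row and returns them in a saml:DocumentStatement/saml:Document/saml:DocumentValue, and the requestor pulls the completed document back out. The partner namespace urn:example:partner-a:shipment, the Shipment document and its columns, the authority and requestor URIs, the NameIdentifier and the SHIPMENTS table are all constructed for the example. Two points the posted schemas force on an implementer are built in: DocumentDescription is a local declaration under elementFormDefault="unqualified", so it is in no namespace in an instance, and DocumentDescription/DocumentValue are anyType, so nothing in the schema constrains the embedded document and the responder must check it itself before trusting the DocumentNamespace label.

```python
"""Constructed DocumentQuery / DocumentStatement round trip (added example, not from the post)."""
import copy
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
PARTNER = "urn:example:partner-a:shipment"      # hypothetical per-partner document namespace
AUTHORITY = "urn:example:document-authority"    # hypothetical responder (assertion Issuer)
REQUESTOR = "urn:example:requesting-system"     # hypothetical requestor (assertion Audience)
for prefix, uri in (("saml", SAML), ("samlp", SAMLP), ("shp", PARTNER)):
    ET.register_namespace(prefix, uri)

# Constructed stand-in for the responder's relational table: key column -> the rest of the row.
SHIPMENTS = {"TN-1001": {"Carrier": "ACME Freight", "Destination": "Richmond, VA"}}

# Constructed partially filled partner document: the requestor knows the key, not the other columns.
PARTIAL_XML = ('<shp:Shipment xmlns:shp="%s"><shp:TrackingNumber>%s</shp:TrackingNumber>'
               '<shp:Carrier/><shp:Destination/></shp:Shipment>')


def tag(ns, local):
    return "{%s}%s" % (ns, local)


def now():
    return datetime.now(timezone.utc).replace(microsecond=0)


def build_document_query(subject_name, partial_doc):
    """Requestor side: wrap the partial document in samlp:Request/samlp:DocumentQuery."""
    req = ET.Element(tag(SAMLP, "Request"), RequestID="_" + uuid.uuid4().hex,
                     MajorVersion="1", MinorVersion="0", IssueInstant=now().isoformat())
    query = ET.SubElement(req, tag(SAMLP, "DocumentQuery"))
    subject = ET.SubElement(query, tag(SAML, "Subject"))
    ET.SubElement(subject, tag(SAML, "NameIdentifier")).text = subject_name
    desig = ET.SubElement(query, tag(SAML, "DocumentDesignator"), DocumentNamespace=PARTNER)
    # DocumentDescription is a local declaration in a schema with elementFormDefault="unqualified",
    # so unlike the global saml:* elements it carries no namespace in the instance document.
    ET.SubElement(desig, "DocumentDescription").append(partial_doc)
    return req


def answer_document_query(req, served_namespaces=(PARTNER,)):
    """Responder side: vet the designator, fill the row in, return a samlp:Response."""
    resp = ET.Element(tag(SAMLP, "Response"), ResponseID="_" + uuid.uuid4().hex,
                      InResponseTo=req.get("RequestID", ""), MajorVersion="1", MinorVersion="0",
                      IssueInstant=now().isoformat())
    code = ET.SubElement(ET.SubElement(resp, tag(SAMLP, "Status")), tag(SAMLP, "StatusCode"))
    query = req.find(tag(SAMLP, "DocumentQuery"))
    desig = query.find(tag(SAML, "DocumentDesignator")) if query is not None else None
    desc = desig.find("DocumentDescription") if desig is not None else None
    ns = desig.get("DocumentNamespace") if desig is not None else None
    # DocumentDescription is anyType, so the schema constrains nothing inside it: accept exactly one
    # embedded root, only for a namespace this authority serves, and only if that root really is in
    # the namespace the designator claims (the attribute alone is just a label the sender chose).
    if desc is None or len(desc) != 1 or ns not in served_namespaces or desc[0].tag != tag(ns, "Shipment"):
        code.set("Value", "samlp:Requester")
        return resp
    partial = desc[0]
    row = SHIPMENTS.get(partial.findtext(tag(ns, "TrackingNumber")))
    if row is None:
        code.set("Value", "samlp:Requester")
        return resp
    completed = copy.deepcopy(partial)            # never mutate the request we were handed
    for child in completed:
        column = child.tag.rpartition("}")[2]
        if column in row and not (child.text or "").strip():
            child.text = row[column]              # fill only the blanks the requestor left
    code.set("Value", "samlp:Success")
    t = now()
    assertion = ET.SubElement(resp, tag(SAML, "Assertion"), MajorVersion="1", MinorVersion="0",
                              AssertionID="_" + uuid.uuid4().hex, Issuer=AUTHORITY, IssueInstant=t.isoformat())
    cond = ET.SubElement(assertion, tag(SAML, "Conditions"), NotBefore=t.isoformat(),
                         NotOnOrAfter=(t + timedelta(minutes=5)).isoformat())
    ET.SubElement(ET.SubElement(cond, tag(SAML, "AudienceRestrictionCondition")),
                  tag(SAML, "Audience")).text = REQUESTOR
    stmt = ET.SubElement(assertion, tag(SAML, "DocumentStatement"))
    stmt.append(copy.deepcopy(query.find(tag(SAML, "Subject"))))
    doc = ET.SubElement(stmt, tag(SAML, "Document"), DocumentNamespace=ns)
    ET.SubElement(doc, tag(SAML, "DocumentValue")).append(completed)
    # A real authority would add ds:Signature to the assertion here; xmldsig is outside the stdlib.
    return resp


def consume_response(resp, request_id):
    """Requestor side: correlate, check status, audience and validity window, extract the columns."""
    if resp.get("InResponseTo") != request_id:
        raise ValueError("response does not correlate with the outstanding request")
    if resp.find("%s/%s" % (tag(SAMLP, "Status"), tag(SAMLP, "StatusCode"))).get("Value") != "samlp:Success":
        return None
    assertion = resp.find(tag(SAML, "Assertion"))
    if assertion.findtext(".//" + tag(SAML, "Audience")) != REQUESTOR:
        raise ValueError("assertion is not addressed to this requestor")
    if datetime.fromisoformat(assertion.find(tag(SAML, "Conditions")).get("NotOnOrAfter")) <= now():
        raise ValueError("assertion has expired")
    completed = assertion.find(".//%s/*" % tag(SAML, "DocumentValue"))
    return {child.tag.rpartition("}")[2]: child.text for child in completed}


def run_exchange(partial_xml):
    """Drive one round trip; returns the filled-in columns, or None when the authority refused."""
    req = build_document_query("cn=clerk42,ou=requesting-system", ET.fromstring(partial_xml))
    resp = answer_document_query(req)
    return consume_response(resp, req.get("RequestID"))


if __name__ == "__main__":
    print(run_exchange(PARTIAL_XML % (PARTNER, "TN-1001")))
```

Running it fills Carrier and Destination for TN-1001 and refuses, with samlp:Requester, both an unknown key and an embedded document whose root is not in the namespace the designator names. What the example leaves out is as important as what it shows: the posted schemas allow ds:Signature on the Request, the Response and the Assertion, and a requestor that accepts a DocumentStatement without verifying the assertion signature is trusting whoever can reach it on the wire; and because DocumentDescription is anyType, the responder should parse the incoming XML with DTD and external-entity processing disabled and validate the embedded root against the partner's own schema before using any of its values as lookup keys.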