Re: [security-services] Groups - XPath Attribute Profile(draft-saml2-xpath-attribute-profile.sxw) uploaded

[Anne Anderson <Anne.Anderson@Sun.COM>]

XACML allows Attributes to be referenced via XPath expressions, and that
functionality seems to be very useful, so your idea certainly has value.

In your case, you are not just referencing Attributes via XPath
expressions, but also using that XPath expression as an identifier.
There are cases where it is very helpful if there is a 1-1 mapping
between identifiers and their corresponding attributes, yet unrestricted
XPath expressions will not give you that property: the same Attribute
might be referenced as /a/b[c="xxx"]/c, //c, /a/b[2]/c,
/a/b/c/d[e="yyy"/.., etc.  Two use cases:

1) a party needs a copy of an Attribute identified by its XPath
expression, and wants to re-use its cached value (if it has one) rather
than get a fresh copy.  If identifiers are not unique, it is difficult
to know whether a cached Attribute is the same as the one needed.

2) two parties are trying to match up their sets of required Attributes
(as in a policy negotiation).  If there are multiple ways of identifying
the same Attribute, this will be difficult if not impossible.

I would be very interested in ideas people have for defining a subset of
XPath that can be used for uniquely identifying Attributes within an XML
document, even if that subset restricts the ability to identify
Attributes based on query functions.

Anne Anderson

cmorris@novell.com wrote:
> Hello SSTC folk, 
> 
> I'm using both Liberty and SAML 2 in our implementation.  Our problem is
> that customers who take the time to create Liberty Data services (employee
> profile, personal profile) will probably also want to re-use this
> information for SAML partners.  So currently we map Liberty attributes to
> SAML and then, on the other side, from SAML back into Liberty.    
> 
> I'd like a attribute profile to make this easier.  It should be fairly
> simple.  I took a stab at it and uploaded this document.  It's not
> formatted all fancy, I really just wanted to upload it to get some
> discussion going.  My thinking is that this profile could apply to any XML
> document (not just Liberty) where attributes are referenced via XPath.
> 
> I talked with some Liberty guys here at Novell and they felt that such a
> profile would belong in this TC and not in Liberty.
> 
> So my questions are:
> - Are other people interested in such a profile?
> - Are there uses for such a profile outside of Liberty?
> - Is there a standard urn prefix I should for XPath (I didn't see anything
> on w3c.org so I just picked urn:xpath:...)
> 
> Thanks, Cameron
> 
>  -- Mr Cameron Morris
> 
> The document named XPath Attribute Profile
> (draft-saml2-xpath-attribute-profile.sxw) has been submitted by Mr Cameron
> Morris to the OASIS Security Services (SAML) TC document repository.
> 
> Document Description:
> This profiles the use of SAML attributes for xPath queries as attribute
> names.  This allows parts of XML documents and Web services (Such as
> Liberty  data services) to be referenced in attribute statements and
> attribute queries. 
> 
> View Document Details:
> http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=12064
> 
> Download Document:  
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/12064/draft-saml2-xpath-attribute-profile.sxw
> 
> 
> PLEASE NOTE:  If the above links do not work for you, your email application
> may be breaking the link into two pieces.  You may be able to copy and paste
> the entire link address into the address field of your web browser.
> 
> -OASIS Open Administration

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692