security-services message



Subject: On allowing multiple value types for an attribute


Hello,

I wanted to ask for some feedback from the TC about allowing multiple types for the values of an attribute in SAML, and to see if the TC sees any technical/conceptual issues around this. In our most recent XSPA TC meeting, the TC decided, based on an earlier comment from the SAML TC, to use simple URN strings for representing values that come from a specific vocabulary. For example, the purpose of RECORDMGT defined by the HL7 purpose-of-use vocabulary would be represented as follows:

<saml:Attribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:xacml:2.0:action:purpose">
  <saml:AttributeValue xsi:type="anyURI">
    urn:hl7-org:v3:2.16.840.1.113883.1.11.20448:RECORDMGT
  </saml:AttributeValue>
</saml:Attribute>

Additionally, the TC is inclined to allow, as a non-normative option, the use of XML-encoded values for the same attribute. The format used for encoding the attribute will be determined based on the xsi:type on the AttributeValue. For example, using HL7 CD XML, the above example will be encoded as:

<saml:Attribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:xacml:2.0:action:purpose">
  <saml:AttributeValue xsi:type="urn:hl7-org:v3:CD">
    <value xmlns="urn:hl7-org:v3" xsi:type="CD"
           code="RECORDMGT"
           displayName="records management"
           codeSystem="2.16.840.1.113883.1.11.20448"
           codeSystemName="Purpose of Use" />
  </saml:AttributeValue>
</saml:Attribute>

Or using HL7 FHIR Coding XML:

<saml:Attribute
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:xacml:2.0:action:purpose">
  <saml:AttributeValue xsi:type="http://hl7.org/fhir/coding">
    <code xmlns="http://hl7.org/fhir">
      <system value="2.16.840.1.113883.1.11.20448" />
      <code value="RECORDMGT" />
    </code>
  </saml:AttributeValue>
</saml:Attribute>

I would appreciate any feedback from the TC in this regard.

Regards,

Mohammad Jafari, Ph.D.

Chair, OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) Technical Committee
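As an added example (not part of the message above nor any XSPA or SAML TC artifact), here is how a relying party could consume an attribute that mixes the three encodings proposed in the message: it dispatches strictly on xsi:type, normalises the URN, HL7 CD and FHIR Coding forms to one (codeSystem, code) pair for policy evaluation, and rejects any xsi:type it does not know instead of guessing from the content. The element and attribute names come from the message's fragments; the URN-splitting rule assumes the urn:hl7-org:v3:<oid>:<code> layout used there, and the namespace declarations in the constructed sample are added so it parses stand-alone.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
HL7V3, FHIR = "{urn:hl7-org:v3}", "{http://hl7.org/fhir}"
PURPOSE = "urn:oasis:names:tc:xacml:2.0:action:purpose"

def _from_urn(el):
    # URN form from the message (assumed layout): urn:hl7-org:v3:<codeSystem OID>:<code>
    parts = (el.text or "").strip().split(":")
    if len(parts) != 5 or parts[:3] != ["urn", "hl7-org", "v3"]:
        raise ValueError("purpose URN is not urn:hl7-org:v3:<oid>:<code>")
    return parts[3], parts[4]
def _from_cd(el):
    # HL7 v3 CD form: codeSystem and code are attributes of the <value> child
    cd = el.find(HL7V3 + "value")
    if cd is None or not (cd.get("codeSystem") and cd.get("code")):
        raise ValueError("CD value lacks codeSystem/code")
    return cd.get("codeSystem"), cd.get("code")
def _from_fhir_coding(el):
    # FHIR Coding form: <system value=".."/> and <code value=".."/> inside <code>
    sub = [el.find(f"{FHIR}code/{FHIR}{n}") for n in ("system", "code")]
    if any(s is None or not s.get("value") for s in sub):
        raise ValueError("FHIR Coding lacks system/code")
    return sub[0].get("value"), sub[1].get("value")

# Dispatch strictly on xsi:type; an unlisted type is rejected, never guessed from content.
DECODERS = {"anyURI": _from_urn, "urn:hl7-org:v3:CD": _from_cd,
            "http://hl7.org/fhir/coding": _from_fhir_coding}
def purpose_codes(attribute_xml):
    """Canonical set of (codeSystem, code) pairs carried by a purpose-of-use Attribute."""
    attr = ET.fromstring(attribute_xml)
    if attr.tag != SAML + "Attribute" or attr.get("Name") != PURPOSE:
        raise ValueError("not the purpose-of-use saml:Attribute")
    codes = set()
    for el in attr.findall(SAML + "AttributeValue"):
        decoder = DECODERS.get(el.get(XSI_TYPE))
        if decoder is None:
            raise ValueError(f"unsupported xsi:type {el.get(XSI_TYPE)!r}")
        codes.add(decoder(el))
    return codes

# Constructed sample: the message's three encodings as three values of one Attribute (namespaces added).
SAMPLE = """<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oasis:names:tc:xacml:2.0:action:purpose">
  <saml:AttributeValue xsi:type="anyURI"> urn:hl7-org:v3:2.16.840.1.113883.1.11.20448:RECORDMGT </saml:AttributeValue>
  <saml:AttributeValue xsi:type="urn:hl7-org:v3:CD"><value xmlns="urn:hl7-org:v3" xsi:type="CD"
    code="RECORDMGT" displayName="records management" codeSystem="2.16.840.1.113883.1.11.20448"/></saml:AttributeValue>
  <saml:AttributeValue xsi:type="http://hl7.org/fhir/coding"><code xmlns="http://hl7.org/fhir">
    <system value="2.16.840.1.113883.1.11.20448"/><code value="RECORDMGT"/></code></saml:AttributeValue>
</saml:Attribute>"""
```

All three values normalise to the same pair, so a policy decision point can compare purpose codes without caring which encoding the asserting party chose.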
