
xacml-dev message


Subject: questions on the SAML profile for XACML.

Hi all,
I'm trying to do something with the SAML profile for XACML, but found some confusing questions.
1. The SAML profile for XACML specifies an element <XACMLAuthzDecisionQuery>, which is a replacement for the <samlp:AuthzDecisionQuery> element. In section 6 of that spec, there's a requirement saying "An <XACMLAuthzDecisionQuery> or <XACMLPolicyQuery> SHALL be encapsulated in a <samlp:RequestAbstractType> element, which MAY be signed."
My question is: the samlp:RequestAbstractType in SAML 2.0 is not an element, it is just a type, so how can an XACML query be put in such an element/type?
In other words, how do I fill in the 'ELEMENT_NAME' in the following SOAP call? <XACMLAuthzDecisionQuery>?
 <samlp:ELEMENT_NAME xmlns:… ID="123456" Version="2.0"…>
  <xacml-context:Request xmlns:xacml-context="…">
2. In the response, the <XACMLAuthzDecisionStatement>, as a replacement for <samlp:AuthzDecisionStatement>, is stated to be put in a <saml:Assertion>. But the <saml:Assertion> by schema can't contain an <XACMLAuthzDecisionStatement> directly. Does this mean that the <XACMLAuthzDecisionStatement> should be put in a <saml:Statement> with xsi:type like this?
   <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatement">
3. Why so complicated? Why don't we just have a SOAP profile for XACML, so we can directly put <xacml-context:Request> and <xacml-context:Response> in a SOAP body? I'm a bit curious.

