Subject: RE: [xacml-dev] questions on the SAML profile for XACML.
Thanks Anne. But this errata only answers one of my questions: the statement should be <samlp:Statement xsi:type="ns:XACMLAuthzDecisionStatement">... For the request/query, I can't find a clue to enclose it. In the SAML protocol, there's no element corresponding to samlp:RequestAbstractType, and our XACML extension now defines only a subtype of samlp:RequestAbstractType, so what should the element name be? I mean, I can NOT write <samlp:Request xsi:type="ns:XACMLAuthzDecisionQuery">...?

Thanks,
Shawn

> -----Original Message-----
> From: Anne Anderson [mailto:Anne.Anderson@sun.com]
> Sent: Saturday, January 07, 2006 12:06 AM
> To: Shawn Ma
> Cc: firstname.lastname@example.org
> Subject: Re: [xacml-dev] questions on the SAML profile for XACML.
>
> Hi Shawn,
>
> Please look at the SAML 2.0 profile of XACML v2.0 Errata:
> http://www.oasis-open.org/committees/download.php/15447/xacml-2.0-saml-errata-wd.zip
>
> This describes how to actually extend SAML to use the new types. The
> new schemas do not define elements, but just types. This is not yet
> approved as a Committee Specification, but solved the problems of other
> SAML profile users. Please let us know if you find further changes that
> are needed.
>
> As to your question about a SOAP profile, there was no interest in doing
> that from the members of the TC. The SAML envelope provides the types
> of envelope information that are helpful in doing signatures, and also
> eases interoperability with other components that are using SAML.
>
> Regards,
> Anne Anderson
>
> Shawn Ma wrote:
> > Hi all,
> >
> > I'm trying to do something with the SAML profile for XACML, but found
> > some confusing questions.
> >
> > 1. The SAML profile for XACML specifies an element
> > <XACMLAuthzDecisionQuery>, which is a replacement of the
> > <samlp:AuthzDecisionQuery> element. In section 6 of that spec, there's a
> > requirement saying "An <XACMLAuthzDecisionQuery> or <XACMLPolicyQuery>
> > SHALL be encapsulated in a <samlp:RequestAbstractType> element, which
> > MAY be signed."
> >
> > My question is, the samlp:RequestAbstractType in SAML 2.0 is not an
> > element, it is just a type; how can an XACML query be put in such an
> > element/type?
> >
> > In other words, how to fill the 'ELEMENT_NAME' in the following SOAP
> > call? <XACMLAuthzDecisionQuery>?
> > <SOAP-ENV:Body>
> >   <samlp:ELEMENT_NAME xmlns:... ID="123456" Version="2.0"...>
> >     <ds:Signature>...</ds:Signature>
> >     <xacml-context:Request xmlns:xacml-context="...">
> >       ...<Action>...<Subject>...
> >     </xacml-context:Request>
> >   </samlp:ELEMENT_NAME>
> > </SOAP-ENV:Body>
> >
> > 2. In the response, the <XACMLAuthzDecisionStatement>, as a replacement
> > of <samlp:AuthzDecisionStatement>, is stated to be put in a
> > <saml:Assertion>. But the <saml:Assertion> by schema can't contain an
> > <XACMLAuthzDecisionStatement> directly. Does this mean that the
> > <XACMLAuthzDecisionStatement> should be put in a <saml:Statement> with
> > xsi:type like this?
> > <saml:Assertion>
> >   ...
> >   <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatement">
> >     <xacml-saml:Response>....
> >   </....>
> >
> > 3. Why so complicated? Why don't we just have a SOAP profile for XACML,
> > so we can directly put <xacml-context:Request> and <xacml-context:Response>
> > in a SOAP body? I'm a bit curious.
> >
> > Thanks,
> > Shawn
> >
>
> --
> Anne H. Anderson               Anne.Anderson@sun.com
> Sun Microsystems Labs          1-781-442-0928
> Burlington, MA USA
>
> ---------------------------------------------------------------------
> This publicly archived list supports open discussion on
> implementing the XACML OASIS Standard. To minimize spam in the
> archives, you must subscribe before posting.
>
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Alternately, using email: list-[un]email@example.com
> List archives: http://lists.oasis-open.org/archives/xacml-dev/
> Committee homepage: http://www.oasis-open.org/committees/xacml/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Join OASIS: http://www.oasis-open.org/join/
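As an added example (not code from this thread, and not from the XACML TC or its profile), the Python below builds the response layout Shawn sketches in point 2, a saml:Statement that carries the XACML response through xsi:type, and then shows the check a relying party should make on the receiving side: the prefix in xsi:type is a QName, so it has to be resolved through the namespace declarations actually in scope rather than compared as the string "xacml-saml:...". The SAML 2.0 assertion and XACML 2.0 context namespace URIs are the standard ones; the URI for the xacml-saml prefix is an assumed placeholder, since the thread does not give it, and the sample assertion is constructed here.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XACML_CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
# Assumed placeholder: the thread does not give the namespace URI that the
# profile binds the xacml-saml prefix to, so this example uses its own.
XACML_SAML_NS = "urn:example:xacml-saml:placeholder"

EXPECTED_TYPE = "{%s}XACMLAuthzDecisionStatement" % XACML_SAML_NS
CTX = "{%s}" % XACML_CTX_NS


def build_assertion(decision, stmt_ns=XACML_SAML_NS):
    """Constructed sample: a saml:Assertion whose statement is typed via xsi:type,
    the layout from point 2 of the thread. stmt_ns is the URI the xacml-saml
    prefix is bound to (deliberately wrong in one of the checks below)."""
    return (
        '<saml:Assertion xmlns:saml="%s" xmlns:xsi="%s" xmlns:xacml-saml="%s" '
        'xmlns:xacml-context="%s" ID="_id1" Version="2.0" '
        'IssueInstant="2006-01-07T00:06:00Z">'
        '<saml:Issuer>pdp.example.org</saml:Issuer>'
        '<saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatement">'
        '<xacml-context:Response><xacml-context:Result>'
        '<xacml-context:Decision>%s</xacml-context:Decision>'
        '</xacml-context:Result></xacml-context:Response>'
        '</saml:Statement>'
        '</saml:Assertion>'
    ) % (SAML_NS, XSI_NS, stmt_ns, XACML_CTX_NS, decision)


def _resolve(qname, scopes):
    """Resolve a prefix:local QName against the in-scope declarations, innermost
    scope first. Returns Clark notation, or None if the prefix is unbound."""
    prefix, _, local = qname.rpartition(":")
    for scope in reversed(scopes):
        if prefix in scope:
            return "{%s}%s" % (scope[prefix], local)
    return None


def extract_decision(assertion_xml):
    """Return the XACML Decision text if the assertion carries a saml:Statement
    whose xsi:type resolves to EXPECTED_TYPE; None otherwise. A statement whose
    'xacml-saml' prefix is bound to some other URI is rejected, because the
    QName, not the prefix string, is what identifies the type."""
    parser = ET.XMLPullParser(events=("start-ns", "start", "end"))
    parser.feed(assertion_xml)
    parser.close()
    scopes, pending, stmt = [], {}, None
    for event, payload in parser.read_events():
        if event == "start-ns":
            prefix, uri = payload          # declarations precede their element's start
            pending[prefix] = uri
        elif event == "start":
            scopes.append(pending)         # one scope per element, popped on end
            pending = {}
            if stmt is None and payload.tag == "{%s}Statement" % SAML_NS:
                xsi_type = payload.get("{%s}type" % XSI_NS)
                if xsi_type and _resolve(xsi_type, scopes) == EXPECTED_TYPE:
                    stmt = payload
        elif event == "end":
            scopes.pop()
            if payload is stmt:            # children are attached by now
                node = stmt.find("./%sResponse/%sResult/%sDecision" % (CTX, CTX, CTX))
                return node.text if node is not None else None
    return None


if __name__ == "__main__":
    print(extract_decision(build_assertion("Permit")))
    print(extract_decision(build_assertion("Permit", stmt_ns="urn:example:other")))
```

The pull parser is used instead of a plain `ET.fromstring` because ElementTree discards `xmlns` attributes after parsing, so the only reliable way to see which URI a prefix was bound to at the point of the xsi:type attribute is to track the start-ns events as they arrive. The same idea carries over to the request side once the profile settles on a concrete element for the query: whatever element wraps the xacml-context:Request, a receiver should key on its resolved namespace-qualified name and, where xsi:type is used, on the resolved type QName.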