
xacml-users message


Subject: Re: [xacml-users] SAML statement extension for XACML

Hi Frédéric,

You have indeed found a bug in our profile schemas.  Rather than using
substitutionGroups, however, our SAML and XML experts suggest we use
xsi:type, as that is what the SAML designers intended extenders to use.
 One of the TC members has volunteered to work on the necessary schema

We have a mechanism for approving errata fixes within the TC and
publishing them as non-normative documents or schemas on our web page.
They can then be used as de facto standards until we can incorporate
them into the next official XACML release.

I will let you know when we have a proposed solution for this.

Thanks again for your comment.


Frederic Deleon wrote On 09/23/05 11:42,:
> Hello,
> Specification of SAML 2.0 profile of XACML defines XACMLPolicyStatement 
> and XACMLAuthzDecisionStatement whose types are extensions of SAML 
> StatementAbstractType element.
> It says that these statements should be placed in SAML Assertion 
> elements (themselves placed inside SAML Response elements).
> As extended type from Statement I suppose.
> However, XACMLPolicyStatement and XACMLAuthzDecisionStatement are not 
> defined as possible substitutions for Statement, as there is no 
> "substitutionGroup" attribute in the XML schema, and substitutions are 
> blocked anyway by blockDefault="substitution" in both schemas (SAML and 
> XACML-SAML profile).
> So, it seems that putting XACMLPolicyStatement and 
> XACMLAuthzDecisionStatement in SAML assertions is not correct according 
> to schemas.
> What do you think about this?
> Is the schema of the SAML extension for the XACML profile normative?
> Thanks in advance,
> Sincerely
> Frédéric Deléon

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
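
Added example, not part of the original messages or of any OASIS schema: a sketch of how a consumer can recognise XACML statements carried as `saml:Statement` elements with `xsi:type`, the mechanism proposed in the reply above. It resolves the `xsi:type` QName against the in-scope namespace declarations instead of comparing prefix strings. The XACML-SAML namespace URI, the two `...Type` names and the sample assertion are assumptions constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# Assumption: namespace and type names of the XACML 2.0 SAML profile schema.
XACML_SAML_NS = "urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os"
XACML_TYPES = {(XACML_SAML_NS, "XACMLAuthzDecisionStatementType"),
               (XACML_SAML_NS, "XACMLPolicyStatementType")}

# Constructed sample (not schema-complete): statement bodies are omitted.
SAMPLE = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os"
    xmlns:other="urn:example:not-xacml">
  <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType"/>
  <saml:Statement xsi:type="other:XACMLAuthzDecisionStatementType"/>
  <saml:Statement xmlns:p="urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os"
                  xsi:type="p:XACMLPolicyStatementType"/>
  <saml:Statement/>
</saml:Assertion>"""

def statement_types(xml_bytes):
    """Resolve the xsi:type QName of every saml:Statement to (namespace, local name)."""
    scopes, pending, found = [{}], {}, []
    events = ("start-ns", "start", "end")
    for event, item in ET.iterparse(io.BytesIO(xml_bytes), events=events):
        if event == "start-ns":            # declarations arrive before their element
            pending[item[0]] = item[1]
        elif event == "start":
            scope = {**scopes[-1], **pending}
            pending = {}
            scopes.append(scope)
            if item.tag == f"{{{SAML_NS}}}Statement":
                qname = item.get(f"{{{XSI_NS}}}type")
                if qname is None:          # abstract element with no concrete type
                    found.append(None)
                else:
                    prefix, _, local = qname.rpartition(":")
                    found.append((scope.get(prefix), local))
        else:                              # "end": leave this element's scope
            scopes.pop()
    return found

def xacml_statements(xml_bytes):
    """Keep only statements whose resolved type is one of the XACML profile types."""
    return [t for t in statement_types(xml_bytes) if t in XACML_TYPES]
```

The second statement in the sample uses the same local type name under a different namespace and is not accepted as an XACML statement; the third is accepted even though it uses a different prefix.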
