

Subject: [xacml] XPATH expressions pointing to SAML Assertions


There has been repeated mention of the use of XPATH expressions to specify portions of a SAML Assertion. I do not understand what the intention behind doing this is. I do understand why it would be useful to use XPATH to specify a resource, when the resource is a portion of an XML document.

First of all, SAML assertions contain many elements, such as Issuer, Validity Period, Conditions, Audience, Signature and so forth, that should be processed any time an assertion is used. Surely the use of an XPATH expression would not be intended to imply that these fields should be ignored if they are outside of the specified scope?

As I understand our intentions, a policy rule might reference a particular attribute of a principal, for example. It is true that a SAML Attribute Assertion might contain several attributes; however, I assume that the PDP would look through the Assertion to see if the referenced Attribute is present or not and what its value is. So I see no use for XPATH here either.

In SAML Assertions, the Subject element can contain another SAML Assertion or a reference to another SAML Assertion. The semantics of this are the same as if the Subject field of the referenced Assertion had been cut and pasted into that location. There is no ambiguity and the use of XPATH was never considered for SAML.

Can somebody explain why we need to use XPATH in XACML to reference portions of SAML Assertions?

Hal
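
The concern raised in the message above, as an added example that is not part of the original post: a lookup scoped purely by a path expression returns an attribute value without ever touching Issuer or Conditions, while a PDP-style lookup processes those fields first. The assertion is a constructed sample using SAML 2.0 element names (an assumption, since the post names no version), the function names are hypothetical, and signature verification is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, valid for one hour in 2002).
ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Conditions NotBefore="2002-05-01T00:00:00Z" NotOnOrAfter="2002-05-01T01:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://pdp.example.org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>physician</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ATTR_PATH = ".//saml:Attribute[@Name='{}']/saml:AttributeValue"

def _ts(value):
    """Parse a UTC xs:dateTime of the form used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def xpath_only(xml_text, name):
    """Path-scoped lookup: returns the value, never reads Issuer or Conditions."""
    node = ET.fromstring(xml_text).find(ATTR_PATH.format(name), NS)
    return None if node is None else node.text

def validated_lookup(xml_text, name, now, trusted_issuers, audience):
    """Process the assertion-level fields first, then search for the attribute."""
    root = ET.fromstring(xml_text)  # real input needs a hardened XML parser
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("outside validity period")
    if audience not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("audience mismatch")
    # Signature verification would also belong here; omitted (stdlib only).
    node = root.find(ATTR_PATH.format(name), NS)
    return None if node is None else node.text
```

Evaluated after the validity window, `xpath_only` still returns `physician`, while `validated_lookup` rejects the assertion before the attribute is read.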


