

Subject: [xacml] Issues about XACML Request Context schema


When I wrote a sample SAML->XACML Context transformation, I noticed the
following problems.

1) In the SAML Request, the Format attribute in the NameIdentifier element is
optional, while the same Format attribute of the SubjectId element in the XACML
Context is mandatory. I think the Format attribute of the SubjectId element
might be optional.

2) In my sample XSLT transformation, I just copied the whole SAML Evidence
element into the SubjectAttribute element as an Evidence attribute of the
subject in the XACML Context. If we take this approach, the Namespace attribute
in the AttributeMetaData element in the XACML Context has no corresponding
information in the SAML request. However, this Namespace attribute is mandatory
in XACML. I think the Namespace attribute of the AttributeMetaData element
might be optional.

3) In the XACML Context, there is an AuthenticationInfo element in the Subject
element that has zero or one occurrence. I think that it is not clear which
authentication information in the SAML request corresponds to
AuthenticationInfo in the XACML Context. In addition, a SAML request may have
multiple pieces of authentication information about the subject. In that case, a
single AuthenticationInfo element does not work. Then I think that the occurrence
of AuthenticationInfo should be zero to unlimited, or the element itself
should be deleted from the XACML Context (I mean any authentication
information goes into the subject attribute section).

4) In the XACML Context, the Action element has no attribute, while the Action
element in the SAML request has a Namespace attribute. It seems to me that the
action in the SAML request is a more appropriate format.

Michiharu

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428





