xacml message



Subject: SAML Issuer changes


The current SAML 2.0 draft defines the Issuer element in an
Assertion as being of NameIdentifierType.  Previously it was
"xsi:string".

A NameIdentifierType is defined as:

    <complexType name="NameIdentifierType" mixed="false">
        <simpleContent>
            <restriction base="saml:BaseIdentifierAbstractType">
                <simpleType>
                    <restriction base="string"/>
                </simpleType>
                <attribute name="Format" type="anyURI" use="optional"/>
                <attribute name="SPProvidedIdentifier" type="string" use="optional"/>
            </restriction>
        </simpleContent>
    </complexType>

This finally allows a distinction between names of different
datatypes (Formats).

We asked for this, so now we have to decide how we will use it.

I suggest we add an optional IssuerFormat XML attribute to our
AttributeType as follows:

	<xs:complexType name="AttributeType">
		<xs:sequence>
			<xs:element ref="xacml-context:AttributeValue"/>
		</xs:sequence>
		<xs:attribute name="AttributeId" type="xs:anyURI" use="required"/>
		<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
		<xs:attribute name="Issuer" type="xs:string" use="optional"/>
		<xs:attribute name="IssuerFormat" type="xs:anyURI" use="optional"/>
		<xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
	</xs:complexType>

We might also add an optional SPProvidedIdentifier XML attribute,
but my initial thought is that it is not needed in an XACML
context.  Here is the description:

  SPProvidedIdentifier

    The name identifier established by the service provider or
    affiliation of providers for the principal, if different from
    the primary name identifier given in the content of the
    <NameIdentifier> element.

In an XACML context, either the Issuer name or the
SPProvidedIdentifier name would be used, but not both.  If an
SPProvidedIdentifier is included, then that would indicate that
we are in a context where that is the operative issuer name, so
our Issuer would be populated from SPProvidedIdentifier rather
than from SAML Issuer.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
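The mapping the post describes (SAML Issuer as a NameIdentifierType with Format and SPProvidedIdentifier, carried into an XACML Attribute with the proposed IssuerFormat attribute), as an added example that is not part of the original message or of any OASIS schema. The namespace URIs, the sample assertion, the element names used for the draft, and the helper names are assumptions constructed for this example; the only rule taken from the post is that an SPProvidedIdentifier, when present, is the operative issuer name, and that IssuerFormat is the SAML Format attribute. What the post does not say (what IssuerFormat should be when the SP-provided name is used) is left unset here as a labelled choice.

```python
"""
Added example (not from the post): carry a SAML draft Issuer, which is a
NameIdentifierType with optional Format and SPProvidedIdentifier
attributes, into the XACML AttributeType proposed in the post (Issuer
plus an optional IssuerFormat attribute), and show the trust check that
IssuerFormat makes possible: a PDP can tell a name of one Format from the
same string in another Format.
"""
import xml.etree.ElementTree as ET

# Assumed namespace URIs for this example (the post does not give them).
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_CTX_NS = "urn:oasis:names:tc:xacml:2.0:context"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertions: one with only a Format on the Issuer,
# one that also carries an SPProvidedIdentifier.
SAMPLE_NO_SP = f"""<Assertion xmlns="{SAML_NS}">
  <Issuer Format="{EMAIL_FMT}">idp@example.org</Issuer>
</Assertion>"""

SAMPLE_WITH_SP = f"""<Assertion xmlns="{SAML_NS}">
  <Issuer Format="{EMAIL_FMT}"
          SPProvidedIdentifier="sp-local-issuer-42">idp@example.org</Issuer>
</Assertion>"""


def issuer_from_assertion(assertion_xml):
    """Return (issuer, issuer_format) following the rule in the post:
    if SPProvidedIdentifier is present it is the operative issuer name,
    otherwise the content of the Issuer element is used together with
    its Format attribute (None when Format is absent)."""
    root = ET.fromstring(assertion_xml)
    issuer_el = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer_el is None:
        raise ValueError("assertion has no Issuer element")
    sp_provided = issuer_el.get("SPProvidedIdentifier")
    if sp_provided:
        # Design choice for this example (not in the post): the SP-provided
        # name is not described by the SAML Format attribute, so IssuerFormat
        # is left unset rather than labelled with a format it may not have.
        return sp_provided, None
    name = (issuer_el.text or "").strip()
    if not name:
        raise ValueError("Issuer element is empty")
    return name, issuer_el.get("Format")


def xacml_attribute(attribute_id, data_type, value, issuer, issuer_format=None):
    """Build an xacml-context:Attribute element using the proposed
    AttributeType: Issuer plus the optional IssuerFormat attribute."""
    attr = ET.Element(f"{{{XACML_CTX_NS}}}Attribute")
    attr.set("AttributeId", attribute_id)
    attr.set("DataType", data_type)
    attr.set("Issuer", issuer)
    if issuer_format:
        attr.set("IssuerFormat", issuer_format)
    val = ET.SubElement(attr, f"{{{XACML_CTX_NS}}}AttributeValue")
    val.text = value
    return attr


def to_xml(attr):
    """Serialise with the xacml-context prefix used in the post's schema."""
    ET.register_namespace("xacml-context", XACML_CTX_NS)
    return ET.tostring(attr, encoding="unicode")


def issuer_matches(attr, expected_issuer, expected_format):
    """Trust check a PDP would make on an attribute: the issuer name AND
    its format must both match. Without IssuerFormat, a name of some other
    format that merely looks like the expected e-mail address would be
    indistinguishable from the trusted issuer."""
    return (attr.get("Issuer") == expected_issuer
            and attr.get("IssuerFormat") == expected_format)


if __name__ == "__main__":
    issuer, fmt = issuer_from_assertion(SAMPLE_NO_SP)
    attr = xacml_attribute("urn:example:attr:role",
                           "http://www.w3.org/2001/XMLSchema#string",
                           "admin", issuer, fmt)
    print(to_xml(attr))
    print("trusted:", issuer_matches(attr, "idp@example.org", EMAIL_FMT))
```

The point of `issuer_matches` is the one the post makes about distinguishing names of different Formats: the PDP compares the format as well as the string, so an attribute whose Issuer is the same text but with no (or another) IssuerFormat is not accepted as coming from the expected issuer.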


