OASIS Mailing List Archives

xacml message


Subject: normative text from XACML Profile for SAML V2.0 Attributes


Colleagues,

Just so you won't have to open up a separate document, here, for
quick reference is the normative text from the "XACML Profile for
SAML V2.0 Attributes" that we want to submit to the SSTC.

--------------------Normative Text Begin-------------------------
2 Data Type

{Normative}

XACML requires each Attribute to have an explicit data type.  To
supply this data type value, a SAML Attribute to be used as
input to an XACML processor SHALL have the following metadata
provided.

<xs:attribute name="DataType" type="xs:anyURI" use="optional"
              default="http://www.w3.org/2001/XMLSchema#string"/>

The standard values for the DataType attribute are specified in
Appendix A of the XACML 2.0 Specification [XACML].

If non-standard values are used for the DataType attribute, each
XACML PDP that will be consuming Attributes with these new
DataType values must be extended to support the new data types.

3 Attribute Identifiers

{Normative}

XACML requires each Attribute to have a single identifier that is
sufficient to distinguish instances of the Attribute from
instances of other Attributes that have different semantics.  In
SAML 2.0, two standard identifiers - Name and NameFormat - are
required to distinguish two Attributes that may have different
semantics.  SAML 2.0 also allows the use of arbitrary additional
identifiers.  In order to map a SAML Attribute to an XACML
Attribute, there must be a canonical way to generate a single
XACML Attribute identifier from the set of SAML attributes that
are sufficient to distinguish instances of the SAML Attribute
that have different semantics.

In order to satisfy this requirement, a SAML Attribute that is to
be used as input to an XACML processor SHALL have a NameFormat
value of "urn:oasis:names:tc:SAML:2.0:attname-format:uri".  The
value of the SAML Attribute's Name attribute SHALL be a URI or
URI reference that is sufficient to distinguish instances of
this Attribute from instances of other SAML or XACML Attributes
that have different semantics.  Additional attributes not
necessary for distinguishing the SAML Attribute semantics MAY be
used in the SAML metadata, but will not be used in the
corresponding XACML Attribute.
--------------------Normative Text End-------------------------

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
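The two rules in the quoted normative text (Section 2: DataType metadata, optional, defaulting to xs:string, with non-standard values requiring an extended PDP; Section 3: NameFormat SHALL be the uri format and Name alone becomes the XACML identifier) turned into a small SAML-to-XACML mapping routine. This is an added example, not code from the profile, the SSTC or the message author. It assumes a PDP that rejects unknown data types unless explicitly extended; the `ex` namespace used for the DataType attribute (the quoted schema fragment does not name one), the `urn:example:*` identifiers and the `geo` data type are placeholders, and `STANDARD_DATATYPES` is only a subset of XACML 2.0 Appendix A.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_ATTRIBUTE = f"{{{SAML_NS}}}Attribute"
SAML_ATTRIBUTE_VALUE = f"{{{SAML_NS}}}AttributeValue"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attname-format:uri"
DEFAULT_DATATYPE = "http://www.w3.org/2001/XMLSchema#string"

# Subset of the standard data types listed in Appendix A of XACML 2.0.
STANDARD_DATATYPES = frozenset({
    "http://www.w3.org/2001/XMLSchema#string",
    "http://www.w3.org/2001/XMLSchema#boolean",
    "http://www.w3.org/2001/XMLSchema#integer",
    "http://www.w3.org/2001/XMLSchema#anyURI",
    "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name",
    "urn:oasis:names:tc:xacml:1.0:data-type:x500Name",
})


class MappingError(ValueError):
    """The SAML Attribute cannot be used as XACML input under the profile."""


@dataclass(frozen=True)
class XacmlAttribute:
    attribute_id: str        # SAML Name, used unchanged as the XACML AttributeId
    data_type: str           # DataType metadata, xs:string when absent
    values: tuple


def saml_to_xacml(attr, extra_datatypes=frozenset()):
    """Map one saml:Attribute element; raise MappingError if the profile is violated."""
    if attr.tag != SAML_ATTRIBUTE:
        raise MappingError(f"not a saml:Attribute: {attr.tag}")
    # Section 3: only the uri NameFormat is allowed, so Name alone identifies it.
    if attr.get("NameFormat") != URI_NAME_FORMAT:
        raise MappingError(f"NameFormat must be {URI_NAME_FORMAT}")
    name = attr.get("Name", "")
    if not name or any(ch.isspace() for ch in name):
        raise MappingError("Name must be a URI or URI reference")
    # Section 2: DataType is optional and defaults to xs:string. The quoted
    # schema does not fix its XML namespace, so match by local name (assumption).
    data_type = DEFAULT_DATATYPE
    for key, value in attr.attrib.items():
        if key.rsplit("}", 1)[-1] == "DataType":
            data_type = value
    if data_type not in STANDARD_DATATYPES and data_type not in extra_datatypes:
        raise MappingError(f"PDP not extended for data type {data_type}")
    values = tuple((v.text or "").strip() for v in attr.findall(SAML_ATTRIBUTE_VALUE))
    return XacmlAttribute(name, data_type, values)


def map_statement(statement_xml, extra_datatypes=frozenset()):
    """Map every Attribute in an AttributeStatement; return (accepted, rejected-by-Name)."""
    accepted, rejected = [], {}
    for attr in ET.fromstring(statement_xml).iter(SAML_ATTRIBUTE):
        try:
            accepted.append(saml_to_xacml(attr, extra_datatypes))
        except MappingError as err:
            rejected[attr.get("Name", "<unnamed>")] = str(err)
    return accepted, rejected


# Constructed sample input. The "ex" namespace and urn:example:* values are
# placeholders for this example, not identifiers from the profile.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}"
    xmlns:ex="urn:example:xacml-saml-profile">
  <saml:Attribute Name="urn:example:attr:role" NameFormat="{URI_NAME_FORMAT}">
    <saml:AttributeValue>admin</saml:AttributeValue>
    <saml:AttributeValue>auditor</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:example:attr:clearance" NameFormat="{URI_NAME_FORMAT}"
      ex:DataType="http://www.w3.org/2001/XMLSchema#integer">
    <saml:AttributeValue>3</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attname-format:basic">
    <saml:AttributeValue>alice@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:example:attr:geo" NameFormat="{URI_NAME_FORMAT}"
      ex:DataType="urn:example:data-type:geo">
    <saml:AttributeValue>42.36,-71.06</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    ok, bad = map_statement(SAMPLE_STATEMENT)
    for a in ok:
        print("accepted", a)
    for n, why in bad.items():
        print("rejected", n, "->", why)
    # A PDP extended with the custom data type also accepts the geo Attribute.
    ok2, _ = map_statement(SAMPLE_STATEMENT, frozenset({"urn:example:data-type:geo"}))
    print(len(ok2), "accepted after extending the PDP")
```

Run as-is, the `mail` Attribute is rejected because it uses the basic NameFormat, and `geo` is rejected because its DataType is not one the PDP knows; passing the custom type in `extra_datatypes` models the "PDP must be extended" clause. Rejecting rather than silently defaulting matters for authorization: an attribute whose type or identity is ambiguous must not reach policy evaluation.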


