OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [security-services] Groups - sstc-saml-profiles-2.0-draft-17.sxwuploaded. Forwarded message from cantor.2@osu.edu.


I have reviewed the XACML section of the SAML Profiles
specification, and, as far as I can tell from my limited SAML
knowledge, everything looks fine.  I have a few questions below.

I have thanked Scott Cantor for the additional work he did to
supply a few elements for the XACML section our our draft profile
did not spell out.

Here are the differences from what we supplied:

- added a URN to identify the XACML Attribute Profile
  (each SAML profile has one, so this seems fine).
- does NOT explicitly say that the "Name" XML attribute must be
  sufficient to distinguish the attribute from any other SAML or
  XACML attribute that has different syntax or semantics.  Just
  says "The Name XML attribute MUST adhere to the rules specified
  for that format, as defined by [SAMLCore]." (I don't see this
  stated explicitly in SAMLCore, either, so this may be an
- "For purposes of human readability, there may also
  be a requirement for some applications to carry an optional
  string name together with the OID URN. The optional XML
  attribute FriendlyName (defined in [SAMLCore]) MAY be used for
  this purpose, but is not translatable into the XACML attribute
  equivalent."  (seems fine - FriendlyName is defined in SAMLCore
  as an option for any Attribute)
- Defines two <AttributeDesignator> elements to be equal iff
  their Name XML attributes are equal in a binary comparison.
  (does not say their NameFormat attributes must also be equal,
  but I think this is OK since the rules for using the XACML
  profile says the NameFormat must be ..."URI".)
- "The syntax of the <AttributeValue> element's content MUST
  correspond to the data type expressed in the profile-specific
  DataType XML attribute appearing in the parent <Attribute>
  element. For data types corresponding to the types defined in
  section 3.3 of [XML-Schema-Part2], the xsi:type XML attribute
  SHOULD also be used." (is this OK?  this means we will have to
  translate back and forth between
  "http://www.w3.org/2001/XMLSchema#string"; and "xsd:string",
  etc., as in example shown next).
- Supplies an example where the profile:DataType is
  "http://www.w3.org/2001/XMLSchema#string";, but the
  <saml:AttributeValue xsi:type="xsd:string"> (is this OK?)

--- Begin Message ---
The document sstc-saml-profiles-2.0-draft-17.sxw has been submitted by Scott Cantor (cantor.2@osu.edu) to the OASIS Security Services TC document repository.

Document Description:
Added Jeff's diagram, terminology changes and new intro text for logout, reworked LDAP/DCE/UUID profiles, added attribute examples.

Download Document:  

View Document Details:

PLEASE NOTE:  If the above links do not work for you, your email application
may be breaking the link into two pieces.  You may be able to copy and paste
the entire link address into the address field of your web browser.

To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.

--- End Message ---
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]