Subject: [security-services] Groups - sstc-saml-profiles-2.0-draft-17.sxw uploaded. Forwarded message from firstname.lastname@example.org.
Colleagues,

I have reviewed the XACML section of the SAML Profiles specification, and, as far as I can tell from my limited SAML knowledge, everything looks fine. I have a few questions below. I have thanked Scott Cantor for the additional work he did to supply a few elements for the XACML section that our draft profile did not spell out. Here are the differences from what we supplied:

- Added a URN to identify the XACML Attribute Profile (each SAML profile has one, so this seems fine).

- Does NOT explicitly say that the "Name" XML attribute must be sufficient to distinguish the attribute from any other SAML or XACML attribute that has different syntax or semantics. Just says "The Name XML attribute MUST adhere to the rules specified for that format, as defined by [SAMLCore]." (I don't see this stated explicitly in SAMLCore, either, so this may be an issue.)

- "For purposes of human readability, there may also be a requirement for some applications to carry an optional string name together with the OID URN. The optional XML attribute FriendlyName (defined in [SAMLCore]) MAY be used for this purpose, but is not translatable into the XACML attribute equivalent." (Seems fine: FriendlyName is defined in SAMLCore as an option for any Attribute.)

- Defines two <AttributeDesignator> elements to be equal iff their Name XML attributes are equal in a binary comparison. (Does not say their NameFormat attributes must also be equal, but I think this is OK since the rules for using the XACML profile say the NameFormat must be "...URI".)

- "The syntax of the <AttributeValue> element's content MUST correspond to the data type expressed in the profile-specific DataType XML attribute appearing in the parent <Attribute> element. For data types corresponding to the types defined in section 3.3 of [XML-Schema-Part2], the xsi:type XML attribute SHOULD also be used." (Is this OK? This means we will have to translate back and forth between "http://www.w3.org/2001/XMLSchema#string" and "xsd:string", etc., as in the example shown next.)

- Supplies an example where the profile:DataType is "http://www.w3.org/2001/XMLSchema#string", but the <saml:AttributeValue xsi:type="xsd:string">. (Is this OK?)

Anne
--- Begin Message ---
- From: email@example.com
- To: firstname.lastname@example.org
- Date: Sat, 17 Jul 2004 22:33:02 +0000

The document sstc-saml-profiles-2.0-draft-17.sxw has been submitted by Scott Cantor (email@example.com) to the OASIS Security Services TC document repository.

Document Description: Added Jeff's diagram, terminology changes and new intro text for logout, reworked LDAP/DCE/UUID profiles, added attribute examples.

Download Document: http://www.oasis-open.org/apps/org/workgroup/security/download.php/7806/sstc-saml-profiles-2.0-draft-17.sxw

View Document Details: http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=7806

PLEASE NOTE: If the above links do not work for you, your email application may be breaking the link into two pieces. You may be able to copy and paste the entire link address into the address field of your web browser.

To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.

--- End Message ---
--
Anne H. Anderson
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311
Burlington, MA 01803-0902 USA
Email: Anne.Anderson@Sun.COM
Tel: 781/442-0928
Fax: 781/442-1692
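Worked example added to this archive page (it is not code from the TC drafts, from SAMLCore, or from the XACML specification). It shows the two points the review above raises in running form: the translation between an XACML-style data type URI such as "http://www.w3.org/2001/XMLSchema#string" and the xsi:type QName "xsd:string", with a consistency check between the profile DataType on a saml:Attribute and the xsi:type on each saml:AttributeValue, and the "equal iff Name values are equal in a binary comparison" rule. Assumptions: the namespace used for the profile-specific DataType XML attribute (PROFILE_NS) is a guess at what the draft intends, the sample saml:Attribute is constructed for the example, and the namespace map is document-wide (prefix rebinding on nested elements is ignored).

```python
"""Added example (not from the SAML/XACML drafts): check that the profile
DataType URI on a saml:Attribute agrees with the xsi:type QName on each
saml:AttributeValue, and compare attribute Names byte-for-byte as the draft
text above specifies."""
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Assumption: the namespace qualifying the profile-specific DataType XML
# attribute that the draft text calls "profile:DataType".
PROFILE_NS = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"


def parse_with_nsmap(xml_text):
    """Parse XML and also return the prefix -> namespace declarations.

    ElementTree discards prefixes, but xsi:type is a QName whose prefix has
    to be resolved against the in-scope xmlns declarations.  Simplification:
    one document-wide map, so rebinding a prefix on a child is not handled.
    """
    parser = ET.XMLPullParser(events=("start-ns", "start"))
    parser.feed(xml_text)
    parser.close()
    nsmap, root = {}, None
    for event, payload in parser.read_events():
        if event == "start-ns":
            prefix, uri = payload
            nsmap[prefix] = uri
        elif root is None:
            root = payload  # first "start" event is the document element
    return root, nsmap


def datatype_uri_to_qname(uri, nsmap):
    """'http://www.w3.org/2001/XMLSchema#string' -> 'xsd:string'.

    Only XML Schema built-in types have an xsi:type spelling; an XACML-only
    data type (rfc822Name, x500Name, ...) has none, so None is returned.
    """
    if not uri.startswith(XSD_NS + "#"):
        return None
    prefixes = [p for p, ns in nsmap.items() if ns == XSD_NS]
    if not prefixes:
        return None
    return f"{prefixes[0]}:{uri[len(XSD_NS) + 1:]}"


def qname_to_datatype_uri(qname, nsmap):
    """'xsd:string' -> 'http://www.w3.org/2001/XMLSchema#string' (or None)."""
    prefix, _, local = qname.rpartition(":")
    ns = nsmap.get(prefix)  # an unprefixed QName resolves via the default namespace
    if ns != XSD_NS or not local:
        return None
    return f"{XSD_NS}#{local}"


def check_attribute(attr, nsmap):
    """Return one (xsi:type, URI it maps to, consistent?) tuple per value.

    An untyped value is accepted (the draft says xsi:type SHOULD be used, not
    MUST).  A typed value whose type disagrees with the declared DataType is
    flagged: a PDP that trusted the DataType would otherwise evaluate a value
    of a different type than the one the issuer marked it with.
    """
    declared = attr.get(f"{{{PROFILE_NS}}}DataType")
    report = []
    for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
        xsi_type = value.get(f"{{{XSI_NS}}}type")
        if xsi_type is None:
            report.append((None, declared, True))
            continue
        mapped = qname_to_datatype_uri(xsi_type, nsmap)
        report.append((xsi_type, mapped, mapped == declared))
    return report


def same_attribute(a, b):
    """Equality as the draft defines it: Name values equal byte-for-byte,
    with no case folding or Unicode normalisation.  Both must use the URI
    NameFormat, which is what the XACML profile requires."""
    if a.get("NameFormat") != URI_NAME_FORMAT or b.get("NameFormat") != URI_NAME_FORMAT:
        return False
    return a.get("Name", "").encode("utf-8") == b.get("Name", "").encode("utf-8")


# Constructed sample: one consistent value, one mismatched, one untyped.
SAMPLE = """<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:profile="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    Name="urn:example:attr:role"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    profile:DataType="http://www.w3.org/2001/XMLSchema#string">
  <saml:AttributeValue xsi:type="xsd:string">admin</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xsd:integer">42</saml:AttributeValue>
  <saml:AttributeValue>untyped</saml:AttributeValue>
</saml:Attribute>"""

if __name__ == "__main__":
    root, nsmap = parse_with_nsmap(SAMPLE)
    for row in check_attribute(root, nsmap):
        print(row)
```

Running the script prints three rows: the xsd:string value is consistent with the declared DataType, the xsd:integer value is flagged, and the untyped value passes. The mapping functions show why the translation Anne asks about is mechanical but not total: the fragment form only exists for the XML Schema built-in types, so a receiver still needs the profile DataType for XACML-defined types.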