
xacml message



Subject: [Fwd: [xacml-users] SAML statement extension for XACML]


XML experts:

Is a substitutionGroup actually needed in order for instances of
XACMLAuthzDecisionStatement and XACMLPolicyStatement to be included in a
SAML Assertion?  Both are defined as extensions of SAML
StatementAbstractType, which is "abstract".  SAML Assertion includes
Statement as one of the inclusion choices, and Statement is also defined
as type StatementAbstractType, but it does indeed seem that this does not
allow something else that is StatementAbstractType to be included in an
Assertion.

Do we need to get the SSTC to define a SAML substitutionGroup for
Statement?  It was certainly their intention to allow us to define such
extensions.  I have forwarded this to Eve Maler.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
--- Begin Message ---
Hello,

The specification of the SAML 2.0 profile of XACML defines XACMLPolicyStatement 
and XACMLAuthzDecisionStatement, whose types are extensions of the SAML 
StatementAbstractType element.
It says that these statements should be placed in SAML Assertion 
elements (themselves placed inside SAML Response elements).
As an extended type of Statement, I suppose.

However, XACMLPolicyStatement and XACMLAuthzDecisionStatement are not 
defined as possible substitutions for Statement, as there is no 
"substitutionGroup" attribute in the XML schema, and substitutions are 
blocked anyway by blockDefault="substitution" in both schemas (SAML and 
XACML-SAML profile).

So it seems that putting XACMLPolicyStatement and 
XACMLAuthzDecisionStatement in SAML assertions is not correct according 
to the schemas.
What is your opinion on this?
Is the schema of the SAML extension for the XACML profile normative?

Thanks in advance,
Sincerely


Frédéric Deléon



--- End Message ---
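
An added example, not part of either message and not taken from the SAML or XACML schemas: a constructed miniature schema (hypothetical namespace urn:example:mini-saml, trimmed type definitions) validated with lxml, comparing a separately named statement element against a Statement element that names the derived type through xsi:type. It goes beyond the thread by including the xsi:type form, which XML Schema permits independently of substitution groups.

```python
from lxml import etree

NS = "urn:example:mini-saml"  # constructed namespace, not the real SAML one
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed schema mirroring the structure described in the thread:
# an abstract base type, a Statement element of that type, a derived type.
SCHEMA = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:t="{ns}" targetNamespace="{ns}" elementFormDefault="qualified" {block}>
  <xs:complexType name="StatementAbstractType" abstract="true"/>
  <xs:element name="Statement" type="t:StatementAbstractType"/>
  <xs:complexType name="XACMLAuthzDecisionStatementType">
    <xs:complexContent><xs:extension base="t:StatementAbstractType">
      <xs:sequence><xs:element name="Decision" type="xs:string"/></xs:sequence>
    </xs:extension></xs:complexContent>
  </xs:complexType>
  <xs:element name="XACMLAuthzDecisionStatement"
      type="t:XACMLAuthzDecisionStatementType" {subst}/>
  <xs:element name="Assertion"><xs:complexType>
    <xs:choice maxOccurs="unbounded"><xs:element ref="t:Statement"/></xs:choice>
  </xs:complexType></xs:element>
</xs:schema>"""

WRAP = '<t:Assertion xmlns:t="{ns}" xmlns:xsi="{xsi}">{body}</t:Assertion>'
DECISION = "<t:Decision>Permit</t:Decision>"
BODIES = {  # constructed sample instances
    # Extension carried under its own element name (needs a substitution group).
    "own_element": "<t:XACMLAuthzDecisionStatement>" + DECISION
                   + "</t:XACMLAuthzDecisionStatement>",
    # Extension carried as Statement, concrete type selected with xsi:type.
    "xsi_type": '<t:Statement xsi:type="t:XACMLAuthzDecisionStatementType">'
                + DECISION + "</t:Statement>",
    # Statement with no xsi:type: its declared type is abstract.
    "bare_statement": "<t:Statement/>",
}

def validate(block_default, subst_group):
    """Return {instance name: schema-valid?} for one schema variant."""
    xsd = SCHEMA.format(
        ns=NS,
        block='blockDefault="substitution"' if block_default else "",
        subst='substitutionGroup="t:Statement"' if subst_group else "")
    schema = etree.XMLSchema(etree.fromstring(xsd))
    return {name: schema.validate(etree.fromstring(
                WRAP.format(ns=NS, xsi=XSI, body=body)))
            for name, body in BODIES.items()}

if __name__ == "__main__":
    for variant in [(True, False), (True, True), (False, True)]:
        print(variant, validate(*variant))
```
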

