Subject: Re: [xacml-dev] questions on the SAML profile for XACML.
Hi Shawn,

I checked this with Eve Maler, since she is both an XML expert and a SAML
expert, and helped me design the schema extensions.

Eve says you can bind the XACML query type to whatever element you like. It
will be treated like a SAML request to the extent that its SAML-defined
semantics and elements/attributes are recognized as such.

She goes on to say that it would be reasonable for XACML to define an element
in its own characteristic namespace and bind this type to it, since we want
the whole thing to be easily recognizable for what it is: an XACML-defined
query (relying on type processing could be iffy, and seems to be unnecessary
in this case); it would also be nice to be explicit about saying we "reuse"
the SAML SOAP binding (and any other bindings), if that's what we intend to
do.

She mentions that since XACML is a fairly deep extension of SAML, it would be
worthwhile being explicit about all parts of SAML that we want to "inherit",
so that there's no question about any semantics.

We will consider this advice for incorporation into our SAML Errata document.

Regards,
Anne Anderson

Shawn Ma wrote on 01/08/06 20:46:
> Thanks Anne.
>
> But this errata only answers one of my questions: the statement should be
> <samlp:Statement xsi:type="ns:XACMLAuthzDecisionStatement">...
>
> For the request/query, I can't find a clue to enclose it. In the SAML
> protocol, there's not an element corresponding to the
> samlp:RequestAbstractType, and our XACML extension now defines only a
> subtype of samlp:RequestAbstractType, so, what should be the element
> name? I mean, I can NOT write <samlp:Request
> xsi:type="ns:XACMLAuthzDecisionQuery">...?
>
> Thanks,
> Shawn
>
>>-----Original Message-----
>>From: Anne Anderson [mailto:Anne.Anderson@sun.com]
>>Sent: Saturday, January 07, 2006 12:06 AM
>>To: Shawn Ma
>>Cc: firstname.lastname@example.org
>>Subject: Re: [xacml-dev] questions on the SAML profile for XACML.
>>
>>Hi Shawn,
>>
>>Please look at the SAML 2.0 profile of XACML v2.0 Errata:
>>http://www.oasis-open.org/committees/download.php/15447/xacml-2.0-saml-errata-wd.zip
>>
>>This describes how to actually extend SAML to use the new types. The
>>new schemas do not define elements, but just types. This is not yet
>>approved as a Committee Specification, but solved the problems of other
>>SAML profile users. Please let us know if you find further changes that
>>are needed.
>>
>>As to your question about a SOAP profile, there was no interest in doing
>>that from the members of the TC. The SAML envelope provides the types
>>of envelope information that are helpful in doing signatures, and also
>>eases interoperability with other components that are using SAML.
>>
>>Regards,
>>Anne Anderson
>>
>>Shawn Ma wrote:
>>
>>>Hi all,
>>>
>>>I'm trying to do something with the SAML profile for XACML, but found
>>>some confusing questions.
>>>
>>>1. The SAML profile for XACML specifies an element
>>><XACMLAuthzDecisionQuery>, which is a replacement of the
>>><samlp:AuthzDecisionQuery> element. In section 6 of that spec, there's a
>>>requirement saying "An <XACMLAuthzDecisionQuery> or <XACMLPolicyQuery>
>>>SHALL be encapsulated in a <samlp:RequestAbstractType> element, which
>>>MAY be signed."
>>>
>>>My question is, the samlp:RequestAbstractType in SAML 2.0 is not an
>>>element, it is just a type, how can an XACML query be put in such an
>>>element/type?
>>>
>>>In other words, how to fill the 'ELEMENT_NAME' in the following SOAP
>>>call? <XACMLAuthzDecisionQuery>?
>>>
>>><SOAP-ENV:Body>
>>>  <samlp:ELEMENT_NAME xmlns:... ID="123456" Version="2.0"...>
>>>    <ds:Signature>...</ds:Signature>
>>>    <xacml-context:Request xmlns:xacml-context="...">
>>>      ...<Action>...<Subject>...
>>>    </xacml-context:Request>
>>>  </samlp:ELEMENT_NAME>
>>></SOAP-ENV:Body>
>>>
>>>2: in the response, the <XACMLAuthzDecisionStatement>, as a replacement
>>>of <samlp:AuthzDecisionStatement>, is stated to be put in a
>>><saml:Assertion>. But the <saml:Assertion> by schema can't contain an
>>><XACMLAuthzDecisionStatement> directly. Does this mean that the
>>><XACMLAuthzDecisionStatement> should be put in a <saml:Statement> with
>>>xsi:type like this?
>>>
>>><saml:Assertion>
>>>...
>>>  <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatement">
>>>    <xacml-saml:Response>....
>>>  </....>
>>>
>>>3. Why so complicated? Why don't we just have a SOAP profile for XACML,
>>>so we can directly put <xacml-context:Request> and
>>><xacml-context:Response> in a SOAP body? I'm a bit curious.
>>>
>>>Thanks,
>>>Shawn
>>>
>>
>>--
>>Anne H. Anderson               Anne.Anderson@sun.com
>>Sun Microsystems Labs          1-781-442-0928
>>Burlington, MA USA
>>
>>---------------------------------------------------------------------
>>This publicly archived list supports open discussion on
>>implementing the XACML OASIS Standard. To minimize spam in the
>>archives, you must subscribe before posting.
>>
>>[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>>Alternately, using email: list-[un]email@example.com
>>List archives: http://lists.oasis-open.org/archives/xacml-dev/
>>Committee homepage: http://www.oasis-open.org/committees/xacml/
>>List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
>>Join OASIS: http://www.oasis-open.org/join/
>>

--
Anne H. Anderson                 Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories    1 Network Drive, UBUR02-311
Burlington, MA 01803-0902 USA    Tel: 781/442-0928  Fax: 781/442-1692
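The binding the thread settles on is a SAML request element whose xsi:type is the profile's XACMLAuthzDecisionQuery type, wrapping an xacml-context:Request. The receiver-side check below is an added example, not code from the list or from the XACML TC: it resolves the xsi:type QName against the namespace prefixes actually in scope (Eve's "type processing could be iffy" point), so the wrapper is recognised by its resolved type whatever element name or prefix the sender chose, and a prefix that merely reads like the right one but is bound to another URI is rejected. The profile namespace URI is an assumption and the SOAP messages are constructed.

```python
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
# Assumed profile namespace (the thread gives no URI); take it from the profile schema.
XACML_SAMLP = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol"

def resolve_qname(qname, scope):
    """Resolve a QName-valued attribute (xsi:type) against the prefixes in scope
    at that element; an unprefixed value takes the default namespace."""
    prefix, _, local = qname.rpartition(":")
    return scope.get(prefix), local

def find_typed_element(xml_bytes, type_uri, type_local):
    """First element whose xsi:type resolves to {type_uri}type_local, else None. The
    element name is not trusted; a prefix that looks right but maps elsewhere fails."""
    scope, pending, hit = [{}], {}, None
    for ev, obj in ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "start", "end")):
        if ev == "start-ns":                  # declarations precede their element
            pending[obj[0]] = obj[1]
        elif ev == "start":
            scope.append({**scope[-1], **pending})
            pending = {}
            declared = obj.get(f"{{{XSI}}}type")
            if hit is None and declared and resolve_qname(declared, scope[-1]) == (type_uri, type_local):
                hit = obj
        else:
            scope.pop()
            if obj is hit:                    # children are complete at its end event
                return obj
    return None

def extract_xacml_request(xml_bytes):
    """Locate the XACMLAuthzDecisionQuery wrapper and return the single
    xacml-context:Request it must carry, or None if the message is not one."""
    wrapper = find_typed_element(xml_bytes, XACML_SAMLP, "XACMLAuthzDecisionQuery")
    if wrapper is None:
        return None
    requests = wrapper.findall(f"{{{XACML_CTX}}}Request")
    return requests[0] if len(requests) == 1 else None

def sample(prefix, type_uri):
    """Constructed SOAP body in the shape of the thread's ELEMENT_NAME question."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
 <{prefix}:XACMLAuthzDecisionQuery xmlns:{prefix}="{type_uri}" xmlns:xsi="{XSI}"
   xsi:type="{prefix}:XACMLAuthzDecisionQuery" ID="123456" Version="2.0">
  <xacml-context:Request xmlns:xacml-context="{XACML_CTX}">
   <xacml-context:Subject/><xacml-context:Resource/><xacml-context:Action/>
  </xacml-context:Request></{prefix}:XACMLAuthzDecisionQuery></soap:Body></soap:Envelope>""".encode()
```

The same finder serves question 2 of the thread: call it with the assertion-side namespace and "XACMLAuthzDecisionStatement" to locate the typed saml:Statement inside a saml:Assertion.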