Comments on SAML 2.0 Profile of XACML, Version 2, Working Draft 4,15 June 2007

[Anne Anderson - Sun Microsystems <Anne.Anderson@sun.com>]

Colleagues,

I have submitted Working Draft 4 of the SAML 2.0 Profile of XACML, 
Version 2.  The XACML TC Home Page "Work in Progress" section has been 
updated to link to this new draft.  I will be on vacation until 28 June 
2007, so will not be able to respond to comments until then.

This is the last SAML Profile Working Draft that I will be editing, so 
we need a volunteer to take this on - I believe almost all of the work 
has now been done; there are only two open issues, and a some additions 
to the Holders element that Erik will be providing.

Why are we doing a "Version 2" of this Profile?  Version 2 fixes the 
various errors that have been discovered in the OASIS Standard version 
that was approved in February 2005.  It includes a much better 
description of how to use the new types with standard SAML elements, 
since this has been very confusing to implementers.  It includes support 
for XACML 3.0 Administrative Policy, adds the ability to pass policies 
with the XACMLAuthzDecisionQuery (with or without XACML 3.0 
Administrative Policy), and makes a first pass at defining SAML Metadata.

Version 2 is also designed to work with any version of XACML, so there 
are separate versions of the schemas for use with XACML 1.0, 1.1, 2.0, 
and 3.0.  Only the 3.0 schema versions, however, have the types and 
elements that require XACML 3.0 Administrative Policy support.

The following changes have been made since Working Draft 3

-throughout: used actual schema elements rather than invented names 
except when speaking about instances embedded in other instances (e.g. 
rather than SAML Attribute, but SAML Attribute Response rather than ).
-throughout: changed SHALL to MUST
-throughout: added namespace designators to schema items and added 
additional namespace prefixes to list in Section 1.4
-Figure 1 updated the “Components and messages diagram to use same names 
as text
-2.1.1 Clarified that implementations need not create actual instances 
so long as PDP can obtain corresponding values as if such instances existed.
-2.1.1 Reworded description of NotBefore, NotOnOrAfter relationship to 
XACML date/time Attributes to be more clear
-3.4,7,B.1 Inserted non-normative notes referring to open issues in 
relevant places
-3.4,4.1 Clarified that the ReferencedPolicies element need not contain 
policies that receiver is not authorized to view
-3.9 Clarified that Policy[Set]IdReference values must exactly match 
corresponding Policy[Set]Id values in the ReferencedPolicies element.
-3.7 Changed “AttributeMatch” to “Match” to fit 3.0 schema
-3.9,schemas:Fixed schema for ReferencedPolicies so it validates
-3.4,4.1 Reworded AssignedAttributes and XACMLAuthzDecisionQuery 
Policy[Set] descriptions to clarify that the values must not be used 
except with the given Request “unless associated with the ... 
independently of the Request”
-4.1,4.2 Add ReferencedPolicies element to XACMLPolicyStatementType
-4.6 Reworded so to allow Response that is not issued in response to a 
specific Query
-7 Added first draft of SAML Metadata
-8 Added urn for SAML Metadata functionality

Regards,
Anne
-- 
Anne H. Anderson, Sun Microsystems Laboratories
1 Network Drive,UBUR02-311, Burlington, MA 01803-0902 USA
Tel: 781/442-0928  Fax: 781/442-1692
Email: Anne.Anderson@Sun.COM until mid-August 2007
Email: Anne.Anderson@alum.swarthmore.edu after mid-August 2007

--- Begin Message ---

• From: Anne.Anderson@sun.com
• To: xacml@lists.oasis-open.org
• Date: Fri, 15 Jun 2007 21:19:09 +0000

The document named SAML 2.0 Profile of XACML, Version 2, Working Draft 4,
15 June 2007 (xacml-profile-saml2.0-v2-wd-4.zip) has been submitted by Anne
Anderson to the OASIS eXtensible Access Control Markup Language (XACML) TC
document repository.

Document Description:
This is a revision and extension of the SAML 2.0 Profile of XACML 2.0 that
became an OASIS Standard in February 2005.  This revision correct errors
that have been found in the February 2005 Standard and adds additional
functionality, primarily related to XACML 3.0 Administrative Policy.

View Document Details:
http://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=24389

Download Document:  
http://www.oasis-open.org/apps/org/workgroup/xacml/download.php/24389/xacml-profile-saml2.0-v2-wd-4.zip


PLEASE NOTE:  If the above links do not work for you, your email application
may be breaking the link into two pieces.  You may be able to copy and paste
the entire link address into the address field of your web browser.

-OASIS Open Administration

--- End Message ---