xacml message



Subject: Re: [security-services] FW: Invalid XSDs in SAML 2.0 profile of XACML


Hi Prateek,

I sent the attached reply to Hal and lists earlier, but not
sure how far it got because I was not authorized for all
the lists.

    Thanks,
    Rich

Prateek Mishra wrote:
> This sounds to me like a XACML issue - I am resending the email to the 
> XACML list.
>
> Rich, did we run across this in the interop - or did we just use the 
> new draft that Anne had prepared?
>
> - prateek
>
>
>> -----Original Message-----
>> From: Rüdiger Gartmann [mailto:ruediger.gartmann@uni-muenster.de] 
>> Sent: Wednesday, August 29, 2007 12:33 PM
>> To: Hal Lockhart
>> Subject: Invalid XSDs in SAML 2.0 profile of XACML
>> Hal,
>>
>> I hope you are the right person to address, at least you may know the 
>> right person...
>>
>> Trying to implement the SAML 2.0 profile of XACML v2.0 (see 
>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-profile-spec-os.pdf) 
>> we found out that the XSDs which are provided on the OASIS web site 
>> (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-assertion-schema-os.xsd 
>> and 
>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-protocol-schema-os.xsd) 
>> are invalid. They include a couple of typos, missing namespace 
>> declarations, etc. I attached two revised versions to this mail which 
>> validate correctly.
>>
>> I am wondering if nobody had the same problems, especially since this 
>> standard was released in 2005 (and the drafts had been out even 
>> earlier, including the same errors).
>>
>> Maybe you can send me some feedback if I did anything wrong or what 
>> the reason for these errors is.
>>
>> Best regards,
>> Rüdiger
>>
>> P.S.: I am using XMLSpy 2007...
>>   
>> ------------------------------------------------------------------------
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <schema xmlns="http://www.w3.org/2001/XMLSchema" 
>> xmlns:xacmlsaml="urn:oasis:xacml:2.0:saml:assertion:schema:os" 
>> xmlns:xs="http://www.w3.org/2001/XMLSchema" 
>> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
>> xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" 
>> xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 
>> targetNamespace="urn:oasis:xacml:2.0:saml:assertion:schema:os" 
>> elementFormDefault="unqualified" attributeFormDefault="unqualified" 
>> blockDefault="substitution" version="2.0">
>>     <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" 
>> schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"/> 
>>
>>     <import namespace="urn:oasis:names:tc:SAML:2.0:protocol" 
>> schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd"/> 
>>
>>     <import 
>> namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os" 
>> schemaLocation="http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd"/> 
>>
>>     <import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os" 
>> schemaLocation="http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"/> 
>>
>>     <annotation>
>>         <documentation>
>>         Document identifier: 
>> access_control-xacml-2.0-saml-assertion-schema-cd-02.xsd
>>         Location: 
>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-assertion-schema-cd-os.xsd 
>>
>>     </documentation>
>>     </annotation>
>>     <!--    -->
>>     <element name="XACMLAuthzDecisionStatement" 
>> type="xacmlsaml:XACMLAuthzDecisionStatementType"/>
>>     <complexType name="XACMLAuthzDecisionStatementType">
>>         <complexContent>
>>             <extension base="saml:StatementAbstractType">
>>                 <sequence>
>>                     <element ref="xacml-context:Response"/>
>>                     <element ref="xacml-context:Request" minOccurs="0"/>
>>                 </sequence>
>>             </extension>
>>         </complexContent>
>>     </complexType>
>>     <!--    -->
>>     <element name="XACMLPolicyStatement" 
>> type="xacmlsaml:XACMLPolicyStatementType"/>
>>     <complexType name="XACMLPolicyStatementType">
>>         <complexContent>
>>             <extension base="saml:StatementAbstractType">
>>                 <choice minOccurs="0" maxOccurs="unbounded">
>>                     <element ref="xacml:Policy"/>
>>                     <element ref="xacml:PolicySet"/>
>>                 </choice>
>>             </extension>
>>         </complexContent>
>>     </complexType>
>> </schema>
>>   
>> ------------------------------------------------------------------------
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <schema
>>     targetNamespace="urn:oasis:xacml:2.0:saml:protocol:schema:os"
>>     xmlns:xacmlsamlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
>>     xmlns:xs="http://www.w3.org/2001/XMLSchema"
>>     xmlns="http://www.w3.org/2001/XMLSchema"
>>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>     xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>>     xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>>     elementFormDefault="unqualified"
>>     attributeFormDefault="unqualified"
>>     blockDefault="substitution"
>>     version="2.0">
>>   <xs:import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
>>       
>> schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"/> 
>>
>>   <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol"
>>       
>> schemaLocation="http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd"/> 
>>
>>   <xs:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>>       
>> schemaLocation="http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd"/> 
>>
>>   <xs:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>>       
>> schemaLocation="http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"/> 
>>
>>   <xs:annotation>
>>     <xs:documentation>
>>         Document identifier: 
>> access_control-xacml-2.0-saml-protocol-schema-os.xsd
>>         Location: 
>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-protocol-schema-os.xsd 
>>
>>     </xs:documentation>
>>   </xs:annotation>
>>   <!--    -->
>>   <xs:element name="XACMLAuthzDecisionQuery"
>>            type="xacmlsamlp:XACMLAuthzDecisionQueryType"/>
>>   <xs:complexType name="XACMLAuthzDecisionQueryType">
>>     <xs:complexContent>
>>       <xs:extension base="samlp:RequestAbstractType">
>>         <xs:sequence>
>>           <xs:element ref="xacml-context:Request"/>
>>         </xs:sequence>
>>         <xs:attribute name="InputContextOnly"
>>                       type="boolean"
>>                       use="optional"
>>                       default="false"/>
>>         <xs:attribute name="ReturnContext"
>>                       type="boolean"
>>                       use="optional"
>>                       default="false"/>
>>       </xs:extension>
>>     </xs:complexContent>
>>   </xs:complexType>
>>   <!--    -->
>>   <xs:element name="XACMLPolicyQuery"
>>            type="xacmlsamlp:XACMLPolicyQueryType"/>
>>   <xs:complexType name="XACMLPolicyQueryType">
>>     <xs:complexContent>
>>       <xs:extension base="samlp:RequestAbstractType">
>>         <xs:choice minOccurs="0" maxOccurs="unbounded">
>>           <xs:element ref="xacml-context:Request"/>
>>           <xs:element ref="xacml:Target"/>
>>           <xs:element ref="xacml:PolicySetIdReference"/>
>>           <xs:element ref="xacml:PolicyIdReference"/>
>>         </xs:choice>
>>       </xs:extension>
>>     </xs:complexContent>
>>   </xs:complexType>
>> </schema>
>>   
>
--- Begin Message ---
Hal,

I expect that Rüdiger should be using the .xsd's from the SAML 2.0 profile
for XACML Errata:

  
http://www.oasis-open.org/committees/download.php/11474/access_control-xacml-2.0-saml-assertion-schema-os.xsd

http://www.oasis-open.org/committees/download.php/11475/access_control-xacml-2.0-saml-protocol-schema-os.xsd

as well as the errata spec:

http://www.oasis-open.org/committees/download.php/15447/xacml-2.0-saml-errata-wd.zip

Note: the above .zip contains the correct schema. The XACML TC home page
should probably be updated to make this easier for people to obtain.

    Thanks,
    Rich

Hal Lockhart wrote:
> -----Original Message-----
> From: Rüdiger Gartmann [mailto:ruediger.gartmann@uni-muenster.de] 
> Sent: Wednesday, August 29, 2007 12:33 PM
> To: Hal Lockhart
> Subject: Invalid XSDs in SAML 2.0 profile of XACML 
>
> Hal,
>
> I hope you are the right person to address, at least you may know the 
> right person...
>
> Trying to implement the SAML 2.0 profile of XACML v2.0 (see 
> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-profile-spec-os.pdf) 
> we found out that the XSDs which are provided on the OASIS web site 
> (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-assertion-schema-os.xsd 
> and 
> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-saml-protocol-schema-os.xsd) 
> are invalid. They include a couple of typos, missing namespace 
> declarations, etc. I attached two revised versions to this mail which 
> validate correctly.
>
> I am wondering if nobody had the same problems, especially since this 
> standard was released in 2005 (and the drafts had been out even earlier, 
> including the same errors).
>
> Maybe you can send me some feedback if I did anything wrong or what the 
> reason for these errors is.
>
> Best regards,
> Rüdiger
>
> P.S.: I am using XMLSpy 2007...
>   

--- End Message ---
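
Added example, not part of the original thread and not an OASIS file: the report above mentions "missing namespace declarations", and an XML parser alone does not catch an undeclared prefix when it appears inside a QName-valued attribute (`type`, `ref`, `base`), so this check walks a schema and reports such references as well as namespaces used without an `<import>`. The function name `check_schema_qnames` and the sample schema are constructed for illustration; the sample does not reproduce the actual errors in the published XSDs.

```python
import io
import xml.etree.ElementTree as ET

XSD = "http://www.w3.org/2001/XMLSchema"
QNAME_ATTRS = ("type", "ref", "base")  # XSD attributes whose values are QNames

def check_schema_qnames(xsd_text):
    """List QName references an XSD validator would reject: prefixes with no
    in-scope xmlns declaration, and namespaces used without an <import>."""
    problems, refs = [], []
    scopes, pending = [], {}   # namespace scope stack; declarations awaiting "start"
    usable = {XSD}             # namespaces whose components may be referenced
    source = io.BytesIO(xsd_text.encode("utf-8"))
    for event, item in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            pending[item[0]] = item[1]          # (prefix, uri); "" is the default
        elif event == "end":
            scopes.pop()
        else:
            scope = {**(scopes[-1] if scopes else {}), **pending}
            pending = {}
            if not scopes:                      # root <schema> element
                usable.add(item.get("targetNamespace"))
            scopes.append(scope)
            if item.tag == "{%s}import" % XSD:
                usable.add(item.get("namespace"))
            attrs = item.attrib if item.tag.startswith("{%s}" % XSD) else {}
            for attr in (a for a in QNAME_ATTRS if a in attrs):
                value = attrs[attr]
                prefix = value.split(":", 1)[0] if ":" in value else ""
                if prefix and prefix not in scope:
                    problems.append("%s=%r: prefix %r is not declared" % (attr, value, prefix))
                else:
                    refs.append((attr, value, scope.get(prefix)))
    for attr, value, ns in refs:
        if ns not in usable:
            problems.append("%s=%r: namespace %r is not imported" % (attr, value, ns))
    return problems

# Constructed sample (not an OASIS file): "xacmlsamlp" is used but never declared.
BROKEN = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    targetNamespace="urn:oasis:xacml:2.0:saml:protocol:schema:os">
  <xs:import namespace="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <xs:element name="XACMLPolicyQuery" type="xacmlsamlp:XACMLPolicyQueryType"/>
  <xs:complexType name="XACMLPolicyQueryType"><xs:complexContent>
    <xs:extension base="samlp:RequestAbstractType"/>
  </xs:complexContent></xs:complexType>
</xs:schema>"""
```

Running the same check over the schema copy that a SAML/XACML endpoint actually loads shows whether it is one of the defective published files or the errata version before it is used to validate incoming messages.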

