OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] PrimeLife attribute predicates: the simple case

Dear Paul, All,

>> If the Context Handler is responsible for handling incoming SAML assertions, then the schema of the XACML
>> request context needs to be changed so that it can carry SAML assertions, rather than just attribute values.
Considering Paul's proposal [1] on using 'extended' <AttributeValue> elements in the request context, this would allow for choosing the ContextHandler as mapping instance without an actual change of the request schema.

However, a mapping from the incoming SAML assertion to the 'extended' <AttributeValue> elements would be needed. In my understanding, the 'SAML 2.0 profile of XACML' would be the place to to this. As you may already know, there are currently discussions going on with the SAML committee on whether it makes sense to introduce 'attribute predicates' in SAML. Under the assumption that those are indeed introduced, then the SAML profile of XACML would have to be extended for incorporating a translation from the new attribute predicates to the 'extended' <AttributeValue> elements.

In case it is not the Context Handler that does the mapping but, e.g., the PEP, then, if I understand correctly, neither the 'extended' <AttributeValue> elements nor an extension of the SAML profile for XACML are necessary.

[1] http://lists.oasis-open.org/archives/xacml/201011/msg00033.html

Best Regards,
Franz-Stefan Preiss

Franz-Stefan Preiss
IBM Research Zurich
Säumerstrasse 4, CH-8803 Rüschlikon, Switzerland
+41 44 724 8401

From: Gregory Neven <nev@zurich.ibm.com>
To: xacml <xacml@lists.oasis-open.org>
Date: 11/25/2010 10:28 AM
Subject: [xacml] PrimeLife attribute predicates: the simple case

Dear all,

As promised during last confcall, please find below a summary of the impact of attribute predicate assertions on XACML for the simple solution we had in mind. All discussion is welcome, in particular about the questions at the end of the email.

Best regards,

General Principle

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]