OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Issues about XACML Request Context schema

    Posted 07-09-2002 07:10

    Subject: [xacml] Issues about XACML Request Context schema


    When I wrote a sample SAML->XACML Context transformation, I noticed the
    following problems.
    
    1) In the SAML Request, the Format attribute in the NameIdentifier element
    is optional, while the same Format attribute of the SubjectId element in the
    XACML Context is mandatory. I think the Format attribute of the SubjectId
    element might be optional.
    
    2) In my sample XSLT transformation, I just copied the whole SAML Evidence
    element into the SubjectAttribute element as an Evidence attribute of the
    subject in the XACML Context. If we take this approach, the Namespace
    attribute in the AttributeMetaData element in the XACML Context has no
    corresponding information in the SAML request. However, this Namespace
    attribute is mandatory in XACML. I think the Namespace attribute of the
    AttributeMetaData element might be optional.
    
    3) In the XACML Context, there is an AuthenticationInfo element in the
    Subject element that has zero or one occurrence. I think that it is not clear
    which authentication information in the SAML request corresponds to
    AuthenticationInfo in the XACML Context. In addition, the SAML request may
    have multiple pieces of authentication information about the subject. In that
    case, a single AuthenticationInfo element does not work. Then I think that the
    occurrence of AuthenticationInfo should be zero to unlimited, or the element
    itself should be deleted from the XACML Context (I mean any authentication
    information goes into the subject attribute section).
    
    4) In the XACML Context, the Action element has no attribute, while the
    Action element in the SAML request has a Namespace attribute. It seems to me
    that the action in the SAML request is a more appropriate format.
    
    Michiharu
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
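
The four mapping gaps listed in the message, as an added example that is not part of the original post or of any TC material: a Python check that walks a constructed SAML-style request and reports where it cannot supply, or would lose, what the XACML Context described above expects. Element and attribute names come from the message; the namespace-free sample XML, its nesting, the use of AuthenticationStatement as the "authentication information", and the function name `mapping_gaps` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a namespace-free sketch of a SAML request. Element and
# attribute names follow the message; the nesting is an assumption.
SAMPLE_REQUEST = """
<Request>
  <Subject>
    <NameIdentifier>alice@example.org</NameIdentifier>
  </Subject>
  <Action Namespace="urn:example:actions">read</Action>
  <Evidence>
    <Assertion><AuthenticationStatement AuthenticationMethod="password"/></Assertion>
    <Assertion><AuthenticationStatement AuthenticationMethod="x509"/></Assertion>
  </Evidence>
</Request>
"""

def mapping_gaps(saml_xml):
    """Return (issue_number, description) pairs, numbered as in the message."""
    root = ET.fromstring(saml_xml)
    gaps = []

    # 1) SubjectId/@Format is mandatory in the context; the source is optional.
    name_id = root.find("./Subject/NameIdentifier")
    if name_id is not None and name_id.get("Format") is None:
        gaps.append((1, "NameIdentifier has no Format for mandatory SubjectId/@Format"))

    # 2) Evidence copied whole into SubjectAttribute carries nothing that can
    #    populate the mandatory AttributeMetaData/@Namespace.
    if root.find("./Evidence") is not None:
        gaps.append((2, "Evidence has no source for AttributeMetaData/@Namespace"))

    # 3) AuthenticationInfo occurs at most once; count candidate sources.
    auth = root.findall(".//AuthenticationStatement")
    if len(auth) > 1:
        gaps.append((3, f"{len(auth)} authentication statements, one AuthenticationInfo slot"))

    # 4) The context Action has no attribute, so Action/@Namespace is dropped.
    for action in root.findall("./Action"):
        if action.get("Namespace") is not None:
            gaps.append((4, f"Action Namespace {action.get('Namespace')!r} would be lost"))
    return gaps

if __name__ == "__main__":
    for number, text in mapping_gaps(SAMPLE_REQUEST):
        print(f"issue {number}: {text}")
```

A translator that reports these gaps makes the choice between rejecting the request and supplying a default visible to the caller, instead of filling in a value silently.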
    
    
    
    
    

