OASIS eXtensible Access Control Markup Language (XACML) TC

[Fwd: Re: Draft new version of the SAML 2.0 Profile of XACML 2.1]

    Posted 04-19-2006 17:36


    Subject: [Fwd: Re: Draft new version of the SAML 2.0 Profile of XACML 2.1]


    Today seems to be my big day for TC mailings :-)  Attached are comments 
    from Scott Cantor on the "SAML 2.0 Profile of XACML 2.1" that I mailed 
    out on April 12 
    (http://www.oasis-open.org/committees/download.php/17672/xacml-2.1-profile-saml2.0-wd-1.zip). 
    
    
    Regards,
    Anne
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    
    --- Begin Message ---
    > I would appreciate any comments you have.  Some of you have more 
    > experience using the SAML Profile of XACML than most of the XACML TC 
    > members, so your expertise will be appreciated.
    
    I haven't gone through this in detail yet, but I would strongly urge some
    significant changes to the schemas. In particular, I think the heavy use of
    sequence extensions and replacement of SAML elements like Assertion and
    Advice are the wrong way to approach this kind of extension. It was the same
    mistake Liberty made originally, but with SAML 1.1 we didn't have the schema
    right to provide alternatives.
    
    You have the basics all there correctly, new Statement types, new Request
    and Response message types, etc. But that's all you should need to do. The
    core Assertion and Advice elements are already extensible to include new
    statement and advice content, and I think it would be a mistake to force
    these XACML elements to the end of those sequences, or to replace
    elements like Assertion with your own. That makes life much harder for SAML
    applications.
    
    It is the case that statement extensions can't natively appear in element
    form because we got rid of substitution, but that's still the proper way to
    embed a new statement type:
    
    <saml:Statement xsi:type="xacml-saml:XACMLStatementType">
    
    With Advice, you don't need anything special, because the choice already
    includes <any namespace="#other"> in the sequence, so your advice element
    can appear. But since I'm suggesting you don't want or need an
    XACMLAssertion element either, you don't really have any need for anything
    new in Advice anyway, since Assertions can already appear there.
    
    -- Scott
    
    
    --- End Message ---
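As an added example (not code from this thread or from the profile itself), the following shows how a generic SAML 2.0 consumer can locate an XACML statement embedded the way Scott describes, through xsi:type on a plain saml:Statement, resolving the QName prefix against in-scope xmlns declarations rather than matching the prefix string. The xacml-saml namespace URI, the assertion and its XACML Response are constructed placeholders.

```python
import io
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XACML_CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
# Assumed placeholder for the xacml-saml prefix; the profile's real URI is not on the page.
XACML_SAML_NS = "urn:example:saml-profile-of-xacml"

# Constructed sample: an ordinary saml:Assertion carrying the XACML statement via xsi:type.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}"
    xmlns:xacml-saml="{XACML_SAML_NS}" xmlns:xacml-context="{XACML_CTX_NS}"
    Version="2.0" ID="_c1" IssueInstant="2006-04-19T17:36:00Z">
  <saml:Issuer>https://pdp.example.org</saml:Issuer>
  <saml:Statement xsi:type="xacml-saml:XACMLStatementType">
    <xacml-context:Response>
      <xacml-context:Result ResourceId="urn:example:resource">
        <xacml-context:Decision>Permit</xacml-context:Decision>
      </xacml-context:Result>
    </xacml-context:Response>
  </saml:Statement>
</saml:Assertion>"""


def xacml_statements(xml_text):
    """Return (local type name, Statement element) for each saml:Statement whose
    xsi:type resolves to XACML_SAML_NS. A document may bind any prefix to that
    namespace, so the prefix is looked up in the in-scope declarations."""
    found, scope = [], []  # scope: stack of (prefix, uri) currently in effect
    events = ("start-ns", "end-ns", "start")
    for event, payload in ET.iterparse(io.StringIO(xml_text), events=events):
        if event == "start-ns":
            scope.append(payload)
        elif event == "end-ns":
            scope.pop()
        elif payload.tag == f"{{{SAML_NS}}}Statement":
            qname = payload.get(f"{{{XSI_NS}}}type") or ""
            prefix, _, local = qname.rpartition(":")
            uri = next((u for p, u in reversed(scope) if p == prefix), None)
            if uri == XACML_SAML_NS:
                found.append((local, payload))
    return found  # tree is complete once iterparse has finished


def decisions(xml_text):
    """Collect Decision values from embedded XACML statements; a consumer that does
    not know the type just skips the statement, which is why xsi:type extension is
    preferable to a replacement XACMLAssertion element."""
    return [d.text.strip()
            for local, stmt in xacml_statements(xml_text)
            if local == "XACMLStatementType"
            for d in stmt.iter(f"{{{XACML_CTX_NS}}}Decision")]
```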

