Subject: Re: [xacml-users] Storing policies in a policy Repository
Massimiliano,

XACMLPolicyStatement extends SAML Statement (or, to be exact, it is of type saml:StatementAbstractType). WSS prescribes using something like this to embed an assertion:

  <wsse:SecurityTokenReference>
    <wsse:Embedded wsu:Id="tok1">
      <saml:Assertion xmlns:saml="...">
        ...
      </saml:Assertion>
    </wsse:Embedded>
  </wsse:SecurityTokenReference>

SAML <Statement> is an internal element of <Assertion>. Since XACMLPolicyStatement is an extension of <Statement>, it should work as well. Why would you need to put anything into the SOAP Body?

You can do something like this, I think:

  <wsse:SecurityTokenReference>
    <wsse:Embedded wsu:Id="tok1">
      <saml:Assertion xmlns:saml="...">
        ...
        <Statement xsi:type="xacml-saml:XACMLPolicyStatementType">
          <xacml:Policy>
            ...
          </xacml:Policy>
        </Statement>
        ...
      </saml:Assertion>
    </wsse:Embedded>
  </wsse:SecurityTokenReference>

(You'll need to define the xsi and xacml-saml namespaces somewhere.)

----- Original Message ----
From: "massimiliano.masi@gmail.com" <massimiliano.masi@gmail.com>
To: xacml-users@lists.oasis-open.org
Sent: Thu, July 29, 2010 9:16:44 AM
Subject: [xacml-users] Storing policies in a policy Repository

Hello,

I was reading the SAML 2.0 profile of XACML v2.0. In section 4.2 it is written:

  The <XACMLPolicyStatement> may also be used in a SAML Assertion as a format for storing the <XACMLPolicyStatement> in a repository.

I was wondering how the XACMLPolicyStatement can be used for storing a policy or a policy set in a policy repository. I understand that the XACMLPolicyStatement extends a SAML Statement, but in this case, how does one place the SAML Assertion in the SOAP message? If the SAML Assertion is placed using WS-Security, what is written in the SOAP Body? A WS-Trust RST is acceptable in my opinion, but it can lead to potentially different implementations, breaking interoperability. Moreover, the SAML assertion in the header does not authenticate the message, potentially breaking WS-Security.

But since the namespace is

  <xacml-samlp:XACMLPolicyStatement xmlns:xacml-samlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol">

it can also be acceptable to write it in the body, in my opinion. What is your suggestion?

Thanks in advance,
Massimiliano

--
Massimiliano Masi
http://www.mascanc.net/~max
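The embedding the reply sketches, as an added example that is not part of the thread: a SOAP 1.1 envelope carrying a SAML 2.0 assertion whose Statement is an XACMLPolicyStatement inside the wsse:Security header, plus a checker a policy repository could run to pull the XACML Policy back out only when the statement's xsi:type resolves to the xacml-saml XACMLPolicyStatementType. The xacml-saml assertion namespace URI is assumed from the profile's assertion schema (the thread quotes only the protocol one); the policy content, IDs and issuer are constructed sample values.

```python
import io
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "xacml": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
    "xacml-saml": "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion",  # assumed
}
# Constructed sample: the policy rides inside the WS-Security header, the Body stays empty.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
 <soap:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
   <wsse:SecurityTokenReference><wsse:Embedded wsu:Id="tok1">
    <saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0" ID="_a1" IssueInstant="2010-07-29T09:16:44Z">
     <saml:Issuer>urn:example:policy-repository</saml:Issuer>
     <saml:Statement xmlns:xsi="{NS['xsi']}" xmlns:xacml-saml="{NS['xacml-saml']}"
                     xsi:type="xacml-saml:XACMLPolicyStatementType">
      <xacml:Policy xmlns:xacml="{NS['xacml']}" PolicyId="urn:example:policy:1"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
       <xacml:Target/><xacml:Rule RuleId="urn:example:rule:1" Effect="Deny"/>
      </xacml:Policy>
     </saml:Statement>
    </saml:Assertion>
   </wsse:Embedded></wsse:SecurityTokenReference>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""

def extract_embedded_policies(envelope_xml: str) -> list:
    """Return the XACML <Policy> elements carried by XACMLPolicyStatements in SAML
    assertions embedded in the wsse:Security header. Statements whose xsi:type does
    not resolve to xacml-saml:XACMLPolicyStatementType are skipped, so an unexpected
    statement type is never loaded into the repository."""
    prefixes, root = {}, None  # xmlns declarations seen in the document (flat, not scoped)
    for event, item in ET.iterparse(io.BytesIO(envelope_xml.encode()), ("start-ns", "start")):
        if event == "start-ns":
            prefixes[item[0]] = item[1]
        elif root is None:
            root = item  # the Envelope; fully built once iterparse is exhausted
    path = "soap:Header/wsse:Security/wsse:SecurityTokenReference/wsse:Embedded/saml:Assertion"
    policies = []
    for assertion in root.findall(path, NS):
        for stmt in assertion.findall("saml:Statement", NS):
            prefix, _, local = stmt.get(f"{{{NS['xsi']}}}type", "").rpartition(":")
            if (prefixes.get(prefix), local) == (NS["xacml-saml"], "XACMLPolicyStatementType"):
                policies.extend(stmt.findall("xacml:Policy", NS))
    return policies
```

The prefix map is flat (last declaration wins), so for real documents resolve xsi:type against the declarations in scope at the Statement element, and verify the assertion's signature before trusting the policy it carries.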