[OpenSAML] Problem with XACMLPolicyStatement


massimil...@gmail.com
Jul 31, 2010, 5:24:26 AM
to mace-open...@internet2.edu
Hi All,

I'm using OpenSAML 2.3.1 and I have the following problem. I have created
the assertion in [1] for storing a policy in a policy repository.

But this assertion is wrong according to the schema defined in [2]
(the schema on the OASIS home page is buggy):

org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content
was found starting with element 'xacml-saml:XACMLPolicyStatement'. One
of '{"urn:oasis:names:tc:SAML:2.0:assertion":Advice,
"urn:oasis:names:tc:SAML:2.0:assertion":Statement,
"urn:oasis:names:tc:SAML:2.0:assertion":AuthnStatement,
"urn:oasis:names:tc:SAML:2.0:assertion":AuthzDecisionStatement,
"urn:oasis:names:tc:SAML:2.0:assertion":AttributeStatement}' is
expected.

This means that instead of an XACMLPolicyStatement I should create a
Statement with an XACML xsi:type:

<saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">

<saml:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">


But how to do it with opensaml? There's no Statement builder!


[1]
<saml2:Assertion ID="_091286d9-9f94-41c7-bdd5-5dbac110a52f"
IssueInstant="2010-07-31T09:19:49.628Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>com.spirit.ws.XACML.client.SAMLXACMLv2</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_091286d9-9f94-41c7-bdd5-5dbac110a52f">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ds saml2
xacml-saml #default xsi"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>vrybvmR1LByJKJgTAD2LaDyVrac=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
sd2onP2tKcGvcw9FnT6LgludZyxSrcXr1vnqA5ZVXkw86LfKrUXojTJs2AnAEkFu052N+rdDz84f
Pr2iOYyk+aarSCvbvSYnpVG77jXmvRISUdj+iQH/S/XWRF8I6NgPmalZoiMM8UAX02yRZhjANTX8
ks8EOZdfEdOd+hmsTUE=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Conditions NotBefore="2010-07-31T09:19:49.628Z"
NotOnOrAfter="2010-07-31T22:39:49.628Z">
<saml2:AudienceRestriction>
<saml2:Audience>testaudience</saml2:Audience>
<saml2:Audience>test2</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<xacml-saml:XACMLPolicyStatement
xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion">
<PolicySet
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
PolicySetId="MAU.12675296158691-GLOB.OID.TESTMAURO_ENV.LOCAL.OS.2.PI-DOM"
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd">
<Description>Test policy that permits everything</Description>
<Target/>
<Policy PolicyId="policy_id"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
<Description>Test policy</Description>
<Target/>
<Rule Effect="Permit"
RuleId="urn:oasis:names:tc:xacml:2.0:example:SimpleRule1"/>
</Policy>
</PolicySet>
</xacml-saml:XACMLPolicyStatement>
</saml2:Assertion>

[2] http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#XACML20errata
--
Massimiliano Masi

http://www.mascanc.net/~max

Chad La Joie
Jul 31, 2010, 7:55:49 AM
to mace-open...@internet2.edu

On 7/31/10 5:24 AM, massimil...@gmail.com wrote:
> But this assertion is wrong, according with the schema defined in [2]
> (the schema in the
> oasis home page is buggy).

Right, that's not the version that OpenSAML uses, since it's invalid.

> This means that instead of a XACMLPolicyStatement I should create a
> Statement, with xsi:type as xacml,
>
> <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
>
> <saml:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">
>
>
> But how to do it with opensaml? There's no Statement builder!

The Builders have a number of build methods; you want to use the one
that takes 2 QNames (the element name and the schema type). So it becomes
something like this:

QName statementElementName;
QName policyStatementSchemaType;
builder.buildObject(statementElementName, policyStatementSchemaType);

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

massimil...@gmail.com
Jul 31, 2010, 8:31:14 AM
to mace-open...@internet2.edu
Hello Chad,

Thank you for your answer.

On Sat, Jul 31, 2010 at 1:55 PM, Chad La Joie <laj...@itumi.biz> wrote:
>> But this assertion is wrong, according with the schema defined in [2]
>> (the schema in the
>> oasis home page is buggy).
>
> Right, thats not the version that OpenSAML uses since it's invalid.
>

But the assertion created using an XACMLPolicyStatement does not validate against
the schema on the OASIS home page. What is wrong in this case?

>> This means that instead of a XACMLPolicyStatement I should create a
>> Statement, with xsi:type as xacml,
>>
>> <saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
>>
>> <saml:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">
>>
>>
>> But how to do it with opensaml? There's no Statement builder!
>
> The Builders have a number of build methods, you want to use the one that
> takes 2 QNames (the element name and schema type). So it becomes something
> like this:
>
> QName statementElementName;
> QName policyStatementSchemaType;
> builder.buildObject(statementElementName, policyStatementSchemaType);

I added the following:

QName statementElementName = new QName("Statement", SAMLConstants.SAML20_NS);
QName policyStatementSchemaType = new QName(SAMLProfileConstants.SAML20XACML20_NS,
        "XACMLPolicyStatementType",
        SAMLProfileConstants.SAML20XACMLASSERTION_PREFIX);
XACMLPolicyStatementType policyStmt =
        policyStmtBuilder.buildObject(statementElementName, policyStatementSchemaType);

But unfortunately I get the following error while marshalling it:

org.w3c.dom.DOMException: NAMESPACE_ERR: An attempt is made to create
or change an object in a way which is incorrect with regard to
namespaces.
at org.apache.xerces.dom.CoreDocumentImpl.checkNamespaceWF(Unknown Source)
at org.apache.xerces.dom.ElementNSImpl.setName(Unknown Source)
at org.apache.xerces.dom.ElementNSImpl.<init>(Unknown Source)
at org.apache.xerces.dom.CoreDocumentImpl.createElementNS(Unknown Source)
at org.opensaml.xml.util.XMLHelper.constructElement(XMLHelper.java:518)
at org.opensaml.xml.util.XMLHelper.constructElement(XMLHelper.java:488)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:169)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshallChildElements(AbstractXMLObjectMarshaller.java:316)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshallInto(AbstractXMLObjectMarshaller.java:224)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:130)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:86)
at com.spirit.saml.SAML2Utils.toElement(SAML2Utils.java:73)
at com.spirit.xacml.utils.XACMLPolicyStatement.createSignedXACMLPolicyAssertion(XACMLPolicyStatement.java:109)

Chad La Joie
Jul 31, 2010, 8:35:48 AM
to mace-open...@internet2.edu

On 7/31/10 8:31 AM, massimil...@gmail.com wrote:
> But the assertion created using a XACMLPolicyStatement does not validate against
> the schema in the oasis home page. What is wrong in this case?

Which schema? The "standard" one is invalid; it extends SAML in a way
that is not allowed. There is a draft one that was meant to replace the
current standard and that fixes this. That's what OpenSAML implements, and
I'm pretty sure that's documented in the javadoc.

> QName statementElementName = new QName("Statement",SAMLConstants.SAML20_NS);

Your arguments are switched around.

massimil...@gmail.com
Jul 31, 2010, 9:30:48 AM
to mace-open...@internet2.edu
Hi Chad,

On Sat, Jul 31, 2010 at 2:35 PM, Chad La Joie <laj...@itumi.biz> wrote:

> Which schema?  The "standard" one is invalid, it extends SAML in a way that
> is not allowed.  There is a draft one that was meant to replace the current
> standard that fixes this.  That's what OpenSAML implements and I'm pretty
> sure that's documented in the javadoc.

Yes, the standard schema is invalid (and it contains syntax errors),
and I am referring to the new errata on the TC's home page
(as the xacml-users ML pointed me to).

>
>> QName statementElementName = new
>> QName("Statement",SAMLConstants.SAML20_NS);
>
> Your arguments are switched around.

Sorry, this is my stupid fault! ;-)

I followed the guide at
http://www.bccs.uni.no/~hakont/SAMLXACMLExtension/files/ProgrammingGuideSAML_XACML.pdf
and I created this strange fragment:

<saml2:Statement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xacml-saml:XACMLPolicyStatementType">
<PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
PolicySetId="MAU.12675296158691-GLOB.OID.TESTMAURO_ENV.LOCAL.OS.2.PI-DOM"
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd">
<Description>Test policy that permits everything</Description>
<Target/>
<Policy PolicyId="policy_id"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
<Description>Test policy</Description>
<Target/>
<Rule Effect="Permit"
RuleId="urn:oasis:names:tc:xacml:2.0:example:SimpleRule1"/>
</Policy>
</PolicySet>
</saml2:Statement>

(why is the saml2 namespace placed again?)

and anyway I receive the same error:

org.xml.sax.SAXParseException: cvc-elt.4.2: Cannot resolve
'xacml-saml:XACMLPolicyStatementType' to a type definition for element
'saml2:Statement'.

and using this code:

XACMLPolicyStatementTypeImplBuilder policyStmtBuilder =
        (XACMLPolicyStatementTypeImplBuilder)
        builderFactory.getBuilder(XACMLPolicyStatementType.TYPE_NAME_XACML20);

XACMLPolicyStatementType policyStmt = policyStmtBuilder.buildObject(
        Statement.DEFAULT_ELEMENT_NAME,
        XACMLPolicyStatementType.TYPE_NAME_XACML20);

I am pretty sure that I'm using a wrong schema.

Chad La Joie
Jul 31, 2010, 9:52:14 AM
to mace-open...@internet2.edu

On 7/31/10 9:30 AM, massimil...@gmail.com wrote:
> I follow the guide of
> http://www.bccs.uni.no/~hakont/SAMLXACMLExtension/files/ProgrammingGuideSAML_XACML.pdf
> and I create this strange fragment:

What do you think is strange about it?

> <saml2:Statement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xacml-saml:XACMLPolicyStatementType">
> <PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
> PolicySetId="MAU.12675296158691-GLOB.OID.TESTMAURO_ENV.LOCAL.OS.2.PI-DOM"
> xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
> http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd">
> <Description>Test policy that permits everything</Description>
> <Target/>
> <Policy PolicyId="policy_id"
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
> xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
> <Description>Test policy</Description>
> <Target/>
> <Rule Effect="Permit"
> RuleId="urn:oasis:names:tc:xacml:2.0:example:SimpleRule1"/>
> </Policy>
> </PolicySet>
> </saml2:Statement>
>
> (why the saml2 namespace is placed again?)

Again where? I only see it declared once.

> and anyway I receive the same error:
>
> org.xml.sax.SAXParseException: cvc-elt.4.2: Cannot resolve
> 'xacml-saml:XACMLPolicyStatementType' to a type definition for element
> 'saml2:Statement'.

From what? The code you give below wouldn't cause that error.

> and using this code:
>
> XACMLPolicyStatementTypeImplBuilder policyStmtBuilder =
> (XACMLPolicyStatementTypeImplBuilder)
> builderFactory.getBuilder(XACMLPolicyStatementType.TYPE_NAME_XACML20);
>
>
> XACMLPolicyStatementType policyStmt =
> policyStmtBuilder.buildObject(
> Statement.DEFAULT_ELEMENT_NAME,
> XACMLPolicyStatementType.TYPE_NAME_XACML20);
>
>
> I am pretty sure that I'm using a wrong schema.

--

massimil...@gmail.com
Jul 31, 2010, 11:17:46 AM
to mace-open...@internet2.edu
Hello Chad,

On Sat, Jul 31, 2010 at 3:52 PM, Chad La Joie <laj...@itumi.biz> wrote:
>
> What do you think is strange about it?

I didn't paste you the whole XML, sorry:

<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<saml2:Assertion ID="_405618cd-3db7-4013-93f7-f454ec95cb7f"
IssueInstant="2010-07-31T13:28:55.147Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">com.spirit.ws.XACML.client.SAMLXACMLv2</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_405618cd-3db7-4013-93f7-f454ec95cb7f">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ds saml2 xacml-saml
#default xsi" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>VYEuQH0bfTEYNQ9NMKeVbP2y0BU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
sA7uL07QpQU4rdqLnEU+eqztrchbvJNf3tIwg/JGHI9/OnmCT8Fk6zY2WOMrTXO5mZ6wokWgDL6o
bnKdB70/yNrZuYO1uO4frQFjJgGsBaw3gRmB/H2K02LwjY4f4vT8yUSsK4IzOKMalv6YRupi84E4
DoXQNYiRD+IMSMarppE=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Conditions NotBefore="2010-07-31T13:28:55.147Z"
NotOnOrAfter="2010-08-01T02:48:55.147Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AudienceRestriction>
<saml2:Audience>testaudience</saml2:Audience>
<saml2:Audience>test2</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:Statement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xacml-saml:XACMLPolicyStatementType">
<PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides"
PolicySetId="MAU.12675296158691-GLOB.OID.TESTMAURO_ENV.LOCAL.OS.2.PI-DOM"
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd">
<Description>Test policy that permits everything</Description>
<Target/>
<Policy PolicyId="policy_id"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
<Description>Test policy</Description>
<Target/>
<Rule Effect="Permit"
RuleId="urn:oasis:names:tc:xacml:2.0:example:SimpleRule1"/>
</Policy>
</PolicySet>
</saml2:Statement>
</saml2:Assertion>

Chad La Joie
Jul 31, 2010, 12:29:06 PM
to mace-open...@internet2.edu
Again, I don't see anything strange there. Looks like a valid SAML
assertion.

--

massimil...@gmail.com
Jul 31, 2010, 1:08:17 PM
to mace-open...@internet2.edu
Chad,

Did you try to perform a schema validation, using the errata
schema?

--
Massimiliano Masi

http://www.mascanc.net/~max

massimil...@gmail.com
Aug 2, 2010, 8:42:51 AM
to mace-open...@internet2.edu
As you already pointed out to someone else,

XACMLPolicyStatementType.TYPE_NAME_XACML20

is

{urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion}XACMLPolicyStatementType

but the standard says

{urn:oasis:xacml:2.0:saml:assertion:schema:os}XACMLPolicyStatementType.

With this URI, the assertion is correct, except for the repetition of the
XML namespace.

richar...@ith-icoserve.com
Apr 4, 2011, 11:11:23 AM
to mace-open...@internet2.edu, massimil...@gmail.com
Hi to all,

My name is Richard Mair. I am working on a project where I need to be
compliant with Masi's (the creator of this thread) implementation of the
XACMLPolicyStatement.
I just tried with OpenSAML 2.4.1 to create an XACMLPolicyStatementType with the
corresponding Builder and still get an XML tag with the name
XACMLPolicyStatement:

<xacml-saml:XACMLPolicyStatement
xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion">

So I assume that this is correct, but if I read the answers in this thread it
seems as if the XML tag should have the name "Statement" and be of type
XACMLPolicyStatementType:

<saml2:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">

where this thread gives the answer on how to create such a Statement with the
help of OpenSAML. But as this seems to be a bit complicated, I suspect that
this is not the intended way of doing it. So I am a bit confused now.

Could you please tell me what is the correct way to include an
XACMLPolicyStatement in a SAML 2.0 assertion?

Thanks and best regards

Richard Mair

Cantor, Scott E.
Apr 4, 2011, 11:14:19 AM
to mace-open...@internet2.edu, massimil...@gmail.com
>So I assume that this is correct, but if I read the answers in this
>thread it seems as if the XML tag should have the name "Statement" and
>be of type XACMLPolicyStatementType
>
><saml2:Statement xsi:type="xacml-saml:XACMLPolicyStatementType">

That is correct.

>where this thread gives the answer on how to create such a Statement with
>the help of OpenSAML. But as this seems to be a bit complicated, I suspect
>that this is not the intended way of doing it. So I am a bit confused now.

I couldn't say, but what you had is not legal SAML.

-- Scott
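Pulling the thread's answer together for Richard's question, as an added example that is not from the thread, from OpenSAML's documentation or from Masi's code, written against the OpenSAML 2.x API used above: the builder is looked up by XACMLPolicyStatementType.TYPE_NAME_XACML20, but the object is built with Statement.DEFAULT_ELEMENT_NAME as the element name and the XACML type as the schema type, so the marshaller emits a saml2:Statement with an xsi:type instead of the foreign xacml-saml:XACMLPolicyStatement element that the cvc-complex-type.2.4.a error complains about. The Issuer and PolicySetId values are constructed, the PolicySetType/TargetType accessor names are assumed from the 2.x xacml module, and the type namespace is whatever the constant carries (see Massimiliano's note above on how it differs from the errata).

```java
import javax.xml.namespace.QName;
import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.*;
import org.opensaml.xacml.policy.*;
import org.opensaml.xacml.profile.saml.XACMLPolicyStatementType;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.util.*;
import org.w3c.dom.*;

public class XacmlPolicyStatementExample {
    @SuppressWarnings("unchecked")
    private static <T> T build(XMLObjectBuilderFactory f, QName el) {
        return (T) f.getBuilder(el).buildObject(el);   // default-element build
    }

    public static Assertion buildAssertion() throws Exception {
        DefaultBootstrap.bootstrap();
        XMLObjectBuilderFactory f = Configuration.getBuilderFactory();
        Assertion assertion = build(f, Assertion.DEFAULT_ELEMENT_NAME);
        assertion.setID("_" + java.util.UUID.randomUUID());
        assertion.setIssueInstant(new DateTime());
        assertion.setVersion(SAMLVersion.VERSION_20);
        Issuer issuer = build(f, Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue("urn:example:policy-repository");      // constructed value
        assertion.setIssuer(issuer);

        // The step the thread settles on: look the builder up by the XACML schema
        // type, but build with saml:Statement as element name and the XACML type
        // as xsi:type, so the child stays in the SAML assertion namespace.
        XACMLPolicyStatementType stmt = (XACMLPolicyStatementType) f
                .getBuilder(XACMLPolicyStatementType.TYPE_NAME_XACML20)
                .buildObject(Statement.DEFAULT_ELEMENT_NAME,
                             XACMLPolicyStatementType.TYPE_NAME_XACML20);

        // Permit-everything PolicySet as in the thread (PolicySetType/TargetType
        // accessor names assumed from the 2.x xacml module; PolicySetId constructed).
        PolicySetType ps = build(f, PolicySetType.DEFAULT_ELEMENT_NAME_XACML20);
        ps.setPolicySetId("urn:example:policyset:permit-all");
        ps.setPolicyCombiningAlgoId("urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides");
        TargetType target = build(f, TargetType.DEFAULT_ELEMENT_NAME_XACML20);
        ps.setTarget(target);                                   // empty Target matches everything
        stmt.getPolicySets().add(ps);
        assertion.getStatements().add(stmt);
        return assertion;
    }

    /** Marshal and check the wire form: one saml2:Statement child carrying an xsi:type. */
    public static boolean hasTypedStatement(Assertion assertion) throws Exception {
        Element el = Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
        NodeList stmts = el.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Statement");
        if (stmts.getLength() != 1) return false;          // foreign element would not match here
        String xsiType = ((Element) stmts.item(0)).getAttributeNS(XMLConstants.XSI_NS, "type");
        return xsiType.endsWith(":" + XACMLPolicyStatementType.TYPE_NAME_XACML20.getLocalPart());
    }
}
```

After hasTypedStatement() has run, assertion.getDOM() holds the marshalled element and XMLHelper.nodeToString() prints it for comparison with the fragments quoted above.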
