mace-opensaml-users - Evidence Element

Subject: OpenSAML user discussion

  • From: Martini Silvia <>
  • To: "''" <>
  • Subject: Evidence Element
  • Date: Tue, 13 May 2003 15:47:30 +0200

I have tried to use SAMLAuthorizationDecisionQuery and
SAMLAuthorizationDecisionStatement, but I have problems with the element
Evidence (that I would like to fill in with an AttributeStatement).
In fact, the two classes mentioned above do not create the element Evidence
(they behave as in the case of the Action element). For example, the
following is a Request that is not SAML compliant:

-------------------------> KO Request (the element Evidence is not included
as root of the Assertion element)

<Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    IssueInstant="2003-05-13T10:44:35Z" MajorVersion="1" MinorVersion="0"
    RequestID="4693e466-ef5d-43af-b830-449cf988d416"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:1.0:protocol">
  <AuthorizationDecisionQuery Resource="www.resource.it">
    <Subject xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
      <NameIdentifier NameQualifier="dc=insiel,dc=it">uid=tmp457,ou=People,o=ServiziInRete,dc=insiel,dc=it</NameIdentifier>
    </Subject>
    <Action xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
        Namespace="insielNS">read</Action>
    <Action xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
        Namespace="insielNS">write</Action>
    <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
        AssertionID="086598bc-3c92-4f0f-aab7-013c56f06c17"
        IssueInstant="2003-05-13T10:44:09Z" Issuer="sdelsal.insiel.it:8080"
        MajorVersion="1" MinorVersion="0">
      <AttributeStatement xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Subject>
          <NameIdentifier NameQualifier="dc=insiel,dc=it">uid=tmp457,ou=People,o=ServiziInRete,dc=insiel,dc=it</NameIdentifier>
        </Subject>
        <Attribute AttributeName="nome" AttributeNamespace="insielNS">
          <AttributeValue>Stefano</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>
  </AuthorizationDecisionQuery>
</Request>

-----------------------

The PROBLEM is with the toDOM() and fromDOM() methods. I have tried to modify
the code of the toDOM() method in the following way:

public Node toDOM(Document doc)
{
    // Reuse the DOM node if the superclass already holds one.
    if ((root = super.toDOM(doc)) != null)
        return root;
    Element q = doc.createElementNS(XML.SAMLP_NS, "AuthorizationDecisionQuery");

    q.setAttributeNS(null, "Resource", resource);
    q.appendChild(subject.toDOM(doc));
    Iterator i = actions.iterator();
    while (i.hasNext())
        q.appendChild(((SAMLAction)i.next()).toDOM(doc));
    // HERE START CORRECTIONS
    i = evidence.iterator();
    // Wrapper element; named so that it does not shadow the "evidence" field.
    Element evidenceElem = null;
    if (i.hasNext()) {
        // --------------------------->
        // Evidence belongs to the SAML assertion namespace, like the
        // Assertion and AssertionIDReference elements it wraps.
        evidenceElem = doc.createElementNS(XML.SAML_NS, "saml:Evidence");
        //q.appendChild(doc.createElementNS(XML.SAML_NS,"saml:Evidence")).appendChild()
    }
    while (i.hasNext()) {
        Object o = i.next();
        if (o instanceof SAMLAssertion) {
            // Full assertion supplied as evidence.
            evidenceElem.appendChild(((SAMLAssertion)o).toDOM(doc));
            //q.appendChild(((SAMLAssertion)o).toDOM(doc));
        }
        else if (o instanceof String) {
            // Evidence supplied by reference: the String is the assertion ID.
            evidenceElem.appendChild(doc.createElementNS(XML.SAML_NS, "saml:AssertionIDReference"))
                        .appendChild(doc.createTextNode((String)o));
            //q.appendChild(doc.createElementNS(XML.SAML_NS,"saml:AssertionIDReference")).appendChild(doc.createTextNode((String)o));
        }
    }
    // Attach the wrapper only when there was at least one evidence item.
    if (evidenceElem != null) {
        q.appendChild(evidenceElem);
    }
    // -------------------------------
    return root = q;
}


I use version 0.8 of the OpenSAML classes.

I have an additional question:
why are all elements created as "nameOfTheElement" with an attribute
identifying the NS, instead of using "SAML:nameOfTheElement"?
(I know that the resulting xml is valid).

Thank you

SM
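
A namespace-aware check for the two points raised in the message above (an added example, not part of the original post and not OpenSAML code): it flags an Assertion or AssertionIDReference that sits directly under AuthorizationDecisionQuery instead of inside Evidence, and it shows that the prefixed and the default-namespace spellings are the same element to a namespace-aware parser. The class name EvidenceCheck and the reduced sample requests are constructed for illustration; only the JDK's DOM parser is used.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class EvidenceCheck {   // hypothetical name, not an OpenSAML class
    static final String SAML = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol";

    /** Returns one finding per misplaced child of each AuthorizationDecisionQuery. */
    static List<String> findings(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // compare (namespace URI, local name), never prefixes
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs in untrusted input
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<String> out = new ArrayList<>();
        NodeList queries = doc.getElementsByTagNameNS(SAMLP, "AuthorizationDecisionQuery");
        for (int q = 0; q < queries.getLength(); q++) {
            for (Node c = queries.item(q).getFirstChild(); c != null; c = c.getNextSibling()) {
                if (c.getNodeType() != Node.ELEMENT_NODE) continue;
                String ns = c.getNamespaceURI(), name = c.getLocalName();
                if (SAML.equals(ns) && (name.equals("Assertion") || name.equals("AssertionIDReference")))
                    out.add(name + " is a direct child of the query; it belongs inside saml:Evidence");
                else if (name.equals("Evidence") && !SAML.equals(ns))
                    out.add("Evidence is in namespace " + ns + ", expected " + SAML);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples, reduced from the request quoted in the message.
        String head = "<Request xmlns='" + SAMLP + "' xmlns:saml='" + SAML + "'>"
                + "<AuthorizationDecisionQuery Resource='www.resource.it'>"
                + "<saml:Subject/><saml:Action Namespace='insielNS'>read</saml:Action>";
        String tail = "</AuthorizationDecisionQuery></Request>";
        String bare = head + "<Assertion xmlns='" + SAML + "'/>" + tail;                       // KO form
        String prefixed = head + "<saml:Evidence><saml:Assertion/></saml:Evidence>" + tail;    // prefix style
        String defaulted = head + "<Evidence xmlns='" + SAML + "'><Assertion/></Evidence>" + tail; // xmlns style
        String wrongNs = head + "<Evidence><saml:Assertion/></Evidence>" + tail;               // inherits protocol NS
        for (String s : new String[] {bare, prefixed, defaulted, wrongNs})
            System.out.println(findings(s));
    }
}
```

The prefixed and default-namespace samples both produce an empty findings list, while the bare Assertion and the Evidence element that inherits the protocol namespace are each reported.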
