OpenSAML user discussion

[Scott Cantor <>]

> Okay, I've had some trouble figuring out what statements like that
> mean... consider some other mechanism...

Well, I'm not speaking for the SSTC, so take this as my opinion, and if you
want more, post there. I'm just saying, if you read the 2.0 draft, the Authz
stuff is frozen without quite being deprecated.

> Does that mean that you expect a non-SAML protocol that is built
> around a XACML protocol to be used to ask things like "what roles 
> are active",

That's not what a SAML AuthzDecision is for, that sounds like an
AttributeQuery/Statement to me.

> or "does this user, given whatever roles they're in, have this permission
> at this time"?

I would expect that XACML could be used for that.

> Is there any protocol work in XACML at all?

No, but the intent as I have heard it is for the XACML spec to extend the
SAML Query and Statement types to embed XACML the input/output messages into
SAML protocol.

> I rather thought XACML could be used to express information in
> SAML, and that SAML attribute assertions would likely continue
> to be useful.

I didn't say anything about attribute assertions, I was talking about the
AuthzDecision part. However, I don't quite know what your first sentence
would mean, so I'm not sure whether I agree or disagree...

-- Scott