Subject: Re: [xacml-comment] XACMLAuthzDecision Response when there are multiple decisions
Hi Steven,

I support your general principle of each protocol layer reporting the outcome from its own perspective, and hence your proposal for what the SAML status code should be.

Regards,

David

On 07/12/2010 22:38, Steven Legg wrote:
>
> The description in the SAML 2.0 Profile of XACML (Version 2.0) of the
> <samlp:StatusCode> in an XACMLAuthzDecision Response assumes there is only one
> <xacml-context:StatusCode> to consider and therefore does not account for the
> case where there are multiple results for a request for multiple decisions.
> The Multiple Decision Profile does not provide any enlightenment on this issue.
> The SAML 2.0 profile also does not specify the treatment of the
> urn:oasis:names:tc:xacml:1.0:status:processing-error status code.
>
> In my opinion, when facilities are layered upon other facilities the error
> reporting at each layer should relate to just that layer. When error conditions
> have to cascade through the layers it generally just raises awkward problems
> (like: what if there are multiple results?). So in the XACML case the SAML
> status code should just reflect the SAML processing of the XACML response. If
> the SAML layer has a legitimate XACML response to a legitimate XACML request,
> regardless of whether that response contains XACML errors, multiple results or
> whatever, then the SAML status should be "Success". This neatly addresses
> questions such as "what if there are multiple results, some of which are
> successful and some of which have errors?"; it's a legitimate XACML response so
> the SAML status code is "Success". The SAML "Requester" status code should be
> used in those cases where the request had syntax errors that prevented the
> SAML layer from passing the request to the XACML layer for processing.
> The "Responder" status code should be used in those cases where the XACML layer
> failed to produce a suitable response or if the subsequent SAML processing
> failed.
>
> Regards,
> Steven
>

-- 
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
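The layered rule Steven proposes, worked through in code as an added example (not part of the thread or of any OASIS specification): a constructed xacml-context:Response carrying several results with mixed XACML status codes is parsed, and the samlp:StatusCode is derived only from how the SAML layer fared with the request and the response. The `pdp_call` callable and the sample XML are assumptions made for the example; the status URIs and the XACML 2.0 context namespace are the standard ones.

```python
import xml.etree.ElementTree as ET

SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAML_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
SAML_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"

# Constructed sample: one XACML response with three results (Multiple Decision
# Profile style), one ok, one missing-attribute, one processing-error.
SAMPLE_RESPONSE = f"""<Response xmlns="{XACML_CTX}">
  <Result ResourceId="file:/a"><Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result>
  <Result ResourceId="file:/b"><Decision>Indeterminate</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/></Status></Result>
  <Result ResourceId="file:/c"><Decision>Indeterminate</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/></Status></Result>
</Response>"""


def xacml_result_statuses(response_xml):
    """Parse an xacml-context:Response; return [(decision, status code), ...]."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{XACML_CTX}}}Response":
        raise ValueError("not an xacml-context:Response")
    results = []
    for result in root.findall(f"{{{XACML_CTX}}}Result"):
        decision = result.findtext(f"{{{XACML_CTX}}}Decision")
        code = result.find(f"{{{XACML_CTX}}}Status/{{{XACML_CTX}}}StatusCode")
        results.append((decision, code.get("Value") if code is not None else None))
    return results


def saml_status_for(saml_request_ok, pdp_call):
    """Derive the samlp:StatusCode from SAML-layer processing only.

    saml_request_ok: whether the SAML request parsed and could be handed to XACML.
    pdp_call: hypothetical callable that invokes the PDP and returns response XML.
    """
    if not saml_request_ok:
        return SAML_REQUESTER          # request never reached the XACML layer
    try:
        results = xacml_result_statuses(pdp_call())
    except Exception:
        return SAML_RESPONDER          # XACML layer gave nothing the SAML layer can use
    if not results:
        return SAML_RESPONDER          # a Response with no Result is not a suitable response
    # Any well-formed response, whatever its per-result XACML status codes, is Success;
    # the XACML errors travel inside the response, not in the SAML status.
    return SAML_SUCCESS
```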