OASIS Mailing List Archives
xacml-comment message



Subject: Re: [xacml-comment] XACMLAuthzDecision Response when there are multipledecisions


Hi Steven

I support your general principle of each protocol layer reporting the 
outcome from its own perspective, and hence your proposal for what the 
SAML status code should be.

regards

David


On 07/12/2010 22:38, Steven Legg wrote:
>
> The description in the SAML 2.0 Profile of XACML (Version 2.0) of the
> <samlp:StatusCode> in an XACMLAuthzDecision Response assumes there is only
> one <xacml-context:StatusCode> to consider and therefore does not account
> for the case where there are multiple results for a request for multiple
> decisions. The Multiple Decision Profile does not provide any enlightenment
> on this issue. The SAML 2.0 profile also does not specify the treatment of
> the urn:oasis:names:tc:xacml:1.0:status:processing-error status code.
>
> In my opinion, when facilities are layered upon other facilities the error
> reporting at each layer should relate to just that layer. When error
> conditions have to cascade through the layers it generally just raises
> awkward problems (like: what if there are multiple results?). So in the
> XACML case the SAML status code should just reflect the SAML processing of
> the XACML response. If the SAML layer has a legitimate XACML response to a
> legitimate XACML request, regardless of whether that response contains
> XACML errors, multiple results or whatever, then the SAML status should be
> "Success". This neatly addresses questions such as "what if there are
> multiple results, some of which are successful and some of which have
> errors?"; it's a legitimate XACML response so the SAML status code is
> "Success". The SAML "Requester" status code should be used in those cases
> where the request had syntax errors that prevented the SAML layer from
> passing the request to the XACML layer for processing. The "Responder"
> status code should be used in those cases where the XACML layer failed to
> produce a suitable response or if the subsequent SAML processing failed.
>
> Regards,
> Steven
>

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
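The layering rule Steven proposes in the quoted message, worked through as an added example that is not code from this list, from the SAML profile of XACML, or from any product. A stand-in SAML layer parses an XACMLAuthzDecisionQuery, hands the embedded xacml-context:Request to a stub PDP, and sets samlp:StatusCode purely from its own processing: Requester when the query never reaches the XACML layer, Responder when the PDP produces nothing or when SAML post-processing fails, and Success for any well-formed XACML response, including one with several Results carrying mixed ok, processing-error and missing-attribute status codes. The stub PDP, its resource-id-prefix rule for choosing outcomes, the `finish` hook standing in for signing, and the omission of the assertion wrapper around the XACML response are all assumptions made for the illustration; the namespace and status URIs are the ones the SAML 2.0 and XACML 2.0 specifications define.

```python
"""Layered status reporting for XACML over SAML (added illustration of the
rule proposed on the list, not code from the profile or any product): the
samlp:StatusCode reports only the SAML layer's own processing, so a
well-formed XACML response is carried under SAML Success whatever the
per-result XACML status codes inside it are.  PDP and signing are stubs."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XACML_SAMLP = "urn:oasis:xacml:2.0:saml:protocol:schema:os"
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAML_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
SAML_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
XACML_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
XACML_PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"
XACML_MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"


class PdpFailure(Exception): """The XACML layer produced no response at all."""
class SamlLayerFailure(Exception): """SAML post-processing failed after the PDP answered."""


def stub_pdp(request_el):
    """Stand-in PDP (assumption): one Result per xacml-context:Resource, the
    outcome chosen by resource-id prefix so that mixed results can be shown."""
    results = []
    for res in request_el.iter(f"{{{CTX}}}Resource"):
        rid = ""
        for attr in res.iter(f"{{{CTX}}}Attribute"):
            if attr.get("AttributeId") == RESOURCE_ID:
                rid = attr.findtext(f"{{{CTX}}}AttributeValue", default="")
        if rid == "crash":
            raise PdpFailure("policy engine unavailable")
        if rid.startswith("broken"):
            results.append(("Indeterminate", XACML_PROCESSING_ERROR))
        elif rid.startswith("unknown"):
            results.append(("Indeterminate", XACML_MISSING_ATTRIBUTE))
        else:
            results.append(("Permit", XACML_OK))
    if not results:
        raise PdpFailure("no Resource to decide on")
    return results


def xacml_response(results):
    """xacml-context:Response with one Result per (decision, status) pair."""
    resp = ET.Element(f"{{{CTX}}}Response")
    for decision, status in results:
        result = ET.SubElement(resp, f"{{{CTX}}}Result")
        ET.SubElement(result, f"{{{CTX}}}Decision").text = decision
        status_el = ET.SubElement(result, f"{{{CTX}}}Status")
        ET.SubElement(status_el, f"{{{CTX}}}StatusCode", Value=status)
    return resp


def saml_response(status_uri, xacml_resp=None):
    """samlp:Response whose samlp:StatusCode is the SAML layer's own verdict.
    Assumption: the XACML response is embedded directly, without the
    assertion wrapper the profile uses, to keep the example short."""
    resp = ET.Element(f"{{{SAMLP}}}Response")
    status_el = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status_el, f"{{{SAMLP}}}StatusCode", Value=status_uri)
    if xacml_resp is not None:
        resp.append(xacml_resp)
    return status_uri, resp


def handle(query_xml, finish=lambda resp: None):
    """SAML-layer entry point; returns (saml_status_uri, samlp:Response).
    `finish` is a hypothetical hook standing in for signing or other
    SAML post-processing; it raises SamlLayerFailure on failure."""
    # Requester: the SAML layer could not hand anything to the XACML layer.
    try:
        root = ET.fromstring(query_xml)
    except ET.ParseError:
        return saml_response(SAML_REQUESTER)
    request_el = root.find(f".//{{{CTX}}}Request")
    if root.tag != f"{{{XACML_SAMLP}}}XACMLAuthzDecisionQuery" or request_el is None:
        return saml_response(SAML_REQUESTER)
    # Responder: the XACML layer failed to produce any response.
    try:
        results = stub_pdp(request_el)
    except PdpFailure:
        return saml_response(SAML_RESPONDER)
    # Success: a legitimate XACML response, whatever its Result statuses.
    # Only a failure in the SAML layer's own follow-up turns it into Responder.
    status_uri, resp = saml_response(SAML_SUCCESS, xacml_response(results))
    try:
        finish(resp)
    except SamlLayerFailure:
        return saml_response(SAML_RESPONDER)
    return status_uri, resp


def results_of(resp):
    """(Decision, StatusCode Value) pairs carried inside a samlp:Response."""
    return [(r.findtext(f"{{{CTX}}}Decision"),
             r.find(f"{{{CTX}}}Status/{{{CTX}}}StatusCode").get("Value"))
            for r in resp.iter(f"{{{CTX}}}Result")]


def build_query(resource_ids):
    """Constructed sample XACMLAuthzDecisionQuery with one Resource per id."""
    resources = "".join(
        f'<xacml-context:Resource><xacml-context:Attribute AttributeId="{RESOURCE_ID}"'
        ' DataType="http://www.w3.org/2001/XMLSchema#string">'
        f"<xacml-context:AttributeValue>{rid}</xacml-context:AttributeValue>"
        "</xacml-context:Attribute></xacml-context:Resource>" for rid in resource_ids)
    return (f'<xacml-samlp:XACMLAuthzDecisionQuery xmlns:xacml-samlp="{XACML_SAMLP}"'
            f' xmlns:xacml-context="{CTX}" ID="q1" Version="2.0"'
            ' IssueInstant="2010-12-07T22:38:00Z">'
            f"<xacml-context:Request>{resources}</xacml-context:Request>"
            "</xacml-samlp:XACMLAuthzDecisionQuery>")
```

Calling `handle(build_query(["file1", "broken-report", "unknown-thing"]))` yields SAML Success with three Results whose XACML status codes are ok, processing-error and missing-attribute respectively; the mixed outcomes live entirely at the XACML layer, which is the point of the proposal. Malformed XML, a non-query root element, or a query with no xacml-context:Request yields Requester; a PDP that cannot answer, or a `finish` step that fails, yields Responder with no XACML Results attached.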