RE: [xacml-users] Case study Shibboleth for XACML

["Hal Lockhart" <hlockhar@bea.com>]

I agree with Seth's comment that most of these questions are more about Shiboleth than XACML, but I will take a crack at you questions as well as I understand them.

[comments in line]

> This case study is taken from the paper "First experiences 
> using XACML for
> acess control in distributed systems"
> 
> 
> I came across an issue during the study of shibboleth (one 
> case study from
> the above paper) and i wanted to ask from U people regarding 
> this issue:
> 
> 
> Suppose we have 2 educational sites Univ A and Univ B and a 
> user U in Univ A
> wants to access some reseource R on Univ B site (some slides).
> 
> 
> Now This is very much true that Univ B after recieving 
> request from User U
> of Univ A will ask the AA of Univ A ,but first of all what 
> attributes it is
> going to ask ??

Well the simplest thing is for B to ask for "all attributes that your privacy policy allows me to see." In most cases, having a few extra attributes, which are ignored is harmless. In my view a system in which each user has thousands of attributes is not practical to administer, so don't see this as a problem.

However, B could be clever and find all the attributes referenced by its policies, or even all the attributes which will be used as inputs to this particular decision and make a query which specifies just these attributes. The SAML query used by Shiboleth allows this.
 
> 
> On the side of Univ B , how Univ B is going to specify that 
> User U of Univ A
> has access to Resouce R and under which condition ??

This is what XACML is for. For example there might be an XACML policy that says:

All resources which are marked with the "general collection" attribute may be accessed by anyone with the "student" or "faculty" attribute.

 
> My question is that: In any case User U of Univ A will be 
> known to Univ B
> for Resouce R becaz when speicifing an access control Policy 
> for Resouce R ,
> Univ B will have to specify the condition under which User U 
> of Univ A has
> access to the resource R.

The reason we use what I call aggregator attributes (e.g. group) is to avoid having policies for individuals. In Shiboleth in particular, one of the important requirements is that users not be individually identifiable, for privacy reasons.

> 
> i am attaching the paragraph from its architecture for ur 
> kind consideration
> 
> 
> "We call the attribute request that the SHAR sends to the AA 
> an "AQM" for
> "attribute query
> 
> message". The response that the AA sends to the SHAR is an "ARM" for
> "attribute response
> 
> message".
> 
> The SHAR, once it has these attributes, will send them on to 
> the manager of
> the resource the user
> 
> is trying to access. The resource manager (RM) will then make 
> an access
> control decision based
> 
> on the user's attributes, and either grant or deny the user's 
> request. If
> the user is simply trying to
> 
> access a static web page or a typical application, this RM 
> may be the web
> server itself. In the
> 
> case where the user is attempting a more complex action (say updating
> experimental results or
> 
> transferring grant money), the RM may sit "behind" the web server on a
> separate machine."
> 
> 
> so how RM resource Manager is going to specify the access 
> control policy for
> the access of Resource R for Univ A's user A.
> 
> 
> am i getting the right scenireo ??

I think I have already answered the question, but the following points are key.

Universities will have pre-established relationships which define in general what classes of users from one school or schools are allowed to access what kinds of resoures.

Universities will create specific policies applying to particular resources that they control, defining the users who may access them and any other conditions that might apply. (time of day, type of authentication used, network location the request came from, etc.)

In Shiboleth, the real world identity of the user will not usually be revealed, but the attributes necessary to make a decision will be.

Normally the policies will be sufficiently uniform that a small number of policies will cover all possible access requests.

XACML allows you to create a policy such as: "George W. Bush" is allowed to read the book "See Spot Run." but such policies do not preserve privacy and will not scale very well.

Did I answer the question?

Hal 

> 
> i will waiting for your kind response.
> 
> with Best Regards.
> Muhammad Masoom Alam
> University of Innsbruck Austria
> +43 512 507 6462
> +43 512 22455 410
> 
>