[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] Proposed resolution from PM-8-05
I would like to propose a resolution as follows:
-ISSUE: PM-8-05: How to return obligation via SAML
Here is an authorization decision syntax that returns obligation(s). SAML
AuthorizationDecisionStatement is extended to include xacml:obligations
element by type extension. "samle" namespace prefix is used to indicate
SAML extension for the decision assertion with obligation. Note that the
following example just shows the overview for simplicity.
<saml:Assertion>
<saml:AuthorizationDecisionStatement Resource="aaa" Decision="Permit"
xsi:type="samle:AuthorizationDecisionStatementWithObligations">
<saml:Subject>
<saml:NameIdentifier SecurityDomain="aaa" Name="Alice"/>
</saml:Subject>
<saml:Actions Namespace="http://www.oasis-open.org/xmlactions">
<saml:Action>Read</saml:Action>
</saml:Actions>
<xacml:obligations>
<xacml:obligation obligationId="myId">
...
</xacml:obligation>
</xacml:obligations>
</saml:AuthorizationDecisionStatement>
</saml:Assertion>
The following "samle" schema fragment defines an authorization decision
with obligations.
<complexType name="AuthorizationDecisionStatementWithObligations">
<complexContent>
<extension base="saml:AuthorizationDecisionStatementType">
<sequence>
<element ref="xacml:obligations"/>
</sequence>
</extension>
</complexContent>
</complexType>
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC