Subject: [xacml] Proposed resolution from PM-8-05
I would like to propose a resolution as follows:

-ISSUE: PM-8-05: How to return obligation via SAML

Here is an authorization decision syntax that returns obligation(s). SAML AuthorizationDecisionStatement is extended to include xacml:obligations element by type extension. "samle" namespace prefix is used to indicate SAML extension for the decision assertion with obligation. Note that the following example just shows the overview for simplicity.

    <saml:Assertion>
      <saml:AuthorizationDecisionStatement Resource="aaa" Decision="Permit"
          xsi:type="samle:AuthorizationDecisionStatementWithObligations">
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="aaa" Name="Alice"/>
        </saml:Subject>
        <saml:Actions Namespace="http://www.oasis-open.org/xmlactions">
          <saml:Action>Read</saml:Action>
        </saml:Actions>
        <xacml:obligations>
          <xacml:obligation obligationId="myId"> ... </xacml:obligation>
        </xacml:obligations>
      </saml:AuthorizationDecisionStatement>
    </saml:Assertion>

The following "samle" schema fragment defines an authorization decision with obligations.

    <complexType name="AuthorizationDecisionStatementWithObligations">
      <complexContent>
        <extension base="saml:AuthorizationDecisionStatementType">
          <sequence>
            <element ref="xacml:obligations"/>
          </sequence>
        </extension>
      </complexContent>
    </complexType>

Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
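
A consumer-side sketch of the proposal above, added here as an example and not part of the original message or of any OASIS code: it resolves the xsi:type QName to the "samle" extension type and extracts the obligation IDs before the Permit is acted on. The namespace URIs, the sample document, the function names and the rule that an unsupported obligation turns Permit into Deny are assumptions of this example.

```python
import io
import xml.etree.ElementTree as ET

# Placeholder namespace URIs (assumed; the message does not give them).
SAML, SAMLE, XACML = "urn:example:saml", "urn:example:samle", "urn:example:xacml"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
EXT_TYPE = (SAMLE, "AuthorizationDecisionStatementWithObligations")
STMT = f"{{{SAML}}}AuthorizationDecisionStatement"
OBLIGATION = f"{{{XACML}}}obligations/{{{XACML}}}obligation"

# Constructed sample modelled on the message's example, with namespaces declared.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:samle="{SAMLE}"
    xmlns:xacml="{XACML}" xmlns:xsi="{XSI}">
  <saml:AuthorizationDecisionStatement Resource="aaa" Decision="Permit"
      xsi:type="samle:AuthorizationDecisionStatementWithObligations">
    <xacml:obligations><xacml:obligation obligationId="myId"/></xacml:obligations>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

def parse_statement(xml_text):
    """Return (decision, resource, obligation_ids) for the first decision statement."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTDs are not accepted in assertions")
    in_scope, stmt_type = [], None  # in_scope: stack of (prefix, uri) declarations
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, item in ET.iterparse(source, ("start-ns", "end-ns", "start", "end")):
        if event == "start-ns":
            in_scope.append(item)
        elif event == "end-ns":
            in_scope.pop()
        elif item.tag == STMT and event == "start":
            # xsi:type is a QName: resolve its prefix to a URI, never compare prefixes.
            prefix, _, local = item.get(f"{{{XSI}}}type", "").rpartition(":")
            uri = next((u for p, u in reversed(in_scope) if p == prefix), None)
            stmt_type = (uri, local)
        elif item.tag == STMT:
            ids = [o.get("obligationId") for o in item.iterfind(OBLIGATION)]
            if ids and stmt_type != EXT_TYPE:
                raise ValueError("obligations on a statement not typed as the extension")
            return item.get("Decision"), item.get("Resource"), ids
    raise ValueError("no AuthorizationDecisionStatement found")

def enforce(decision, obligation_ids, supported):
    """Assumed enforcement rule: Permit stands only if every obligation is supported."""
    ok = decision == "Permit" and all(o in supported for o in obligation_ids)
    return "Permit" if ok else "Deny"
```

A consumer that reads only the Decision attribute would act on the Permit without ever seeing the obligations, which is why the sketch extracts them before deciding.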