xacml message

Subject: SAML Profile draft


Attached are three files representing a proposal for
incorporating the XACML Request and Response formats into SAML
2.0:
  - Changes to the SAML 1.0 Specification
  - Changes to the SAML 1.0 Assertion Schema
  - Changes to the SAML 1.0 Protocol Schema

In order to retain backwards compatibility, the SAML 1.0
AuthorizationDecisionQuery and AuthorizationDecisionStatement are
retained.  There are known users of these formats.

An overview of this proposal follows.

SAML 2.0 AuthorizationDecisionQuery contains:

1. XACML input context (xacml-context:Request)
2. flag (InputContextOnly) indicating whether
   a) only the content of the context from the PEP can be used
      ("what if" mode), or
   b) the PDP can use attribute values obtained from other
      sources
3. flag (ReturnContext) indicating whether returned assertion
   should contain input context that decision was based on.

The response to the AuthorizationDecisionQuery is returned in the
existing SAML Response, but uses a new
AuthorizationDecisionStatement containing

1. XACML output context (xacml-context:Response)
2. (optional) XACML input context used (xacml-context:Request)

The input context is optional in the sense that it would not
normally be provided, but if the ReturnContext flag was set in
the request, the PDP must provide it.

Note that there is already a SAML attribute (InResponseTo) for
passing the RequestId back in the response.  This attribute may
be used if the full context is not required as part of the
response.

If the AuthorizationDecisionStatement includes the
xacml-context:Request element, then the returned context MUST
contain all data that affected the decision.  It is up to each
implementation whether the context is trimmed down to just the
values that "mattered" or whether the context was the superset of
all values known at the time of the decision whether they
affected the decision or not.

One reason for putting the input context in the assertion would
be to allow it to be saved by the PEP for audit purposes.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

Changes to "Assertions and Protocol for the OASIS Security
Assertion Markup Language (SAML)" (OASIS Standard, 5 November
2002) to utilize the XACML Request and Response Context formats
for authorization decisions.

2.3.2 Element <Assertion>

Insert after line 403:

  <saml2:AuthorizationDecisionStatement>
      An authorization decision statement in the SAML 2.0 format.

Insert after line 416:
  <element ref="saml2:AuthorizationDecisionStatement"/>

2.3.2.2 Element <Advice>

Replace line 533 with:

  <element name="Advice" type="saml2:AdviceType"/>

Replace line 537 with:

  <element ref="saml2:Assertion"/>

2.4.4 Element <AuthorizationDecisionStatement>

Replace lines 738-795 (entire section) with:

  The <AuthorizationDecisionStatement> element supplies a
  statement by the issuer that the request for access by the
  specified subject or subjects to perform the specified action
  on the specified resource has resulted in the specified
  decision.  The decision is in the form of an
  xacml-context:Response.

  The <AuthorizationDecisionStatement> optionally contains a
  description of the context in which the decision was made, in
  the form of an xacml-context:Request.  This context may include
  only the information used in making the authorization decision,
  or may include additional information.  This is
  implementation-dependent.

  See OASIS eXtensible Access Control Markup Language (XACML)
  Version 1.0 for a description of the elements in an
  xacml-context:Response or xacml-context:Request.

  The <AuthorizationDecisionStatement> element is of type
  saml2:AuthorizationDecisionStatementType, which extends
  StatementAbstractType with the addition of the following
  elements (in order) and attributes:

  xacml-context:Response [Required]

     The decision rendered by the issuer with respect to an
     authorization decision query.  The value is of the
     xacml-context:Response type.

  xacml-context:Request [Optional]

     The information used to make the authorization decision.
     This element MUST be supplied if the
     AuthorizationDecisionRequest "ReturnContext" attribute is
     TRUE and MUST NOT be supplied if the
     AuthorizationDecisionRequest "ReturnContext" attribute is
     FALSE.  The xacml-context:Request MUST include all XACML
     Attributes used in making the Authorization Decision,
     whether supplied in the original AuthorizationDecisionQuery
     or obtained from external sources.  The
     xacml-context:Request MAY include additional XACML
     Attributes that were not used in making the Authorization
     Decision.

  The following schema fragment defines the
  <AuthorizationDecisionStatement> element and its
  AuthorizationDecisionStatementType complex type:

        <element name="AuthorizationDecisionStatement" type="saml2:AuthorizationDecisionStatementType"/>
        <complexType name="AuthorizationDecisionStatementType">
                <complexContent>
                        <extension base="saml:StatementAbstractType">
                                <sequence>
                                        <element ref="xacml-context:Response" />
                                        <element ref="xacml-context:Request" minOccurs="0"/>
                                </sequence>
                        </extension>
                </complexContent>
        </complexType>

2.4.4.2 Element <Evidence>

Replace line 819 with:

   <saml2:Assertion>

Replace line 830 with:

   <element ref="saml2:Assertion"/>

3.2.2 Element <Request>

Insert after line 991:

  <samlp2:AuthorizationDecisionQuery>

     Makes a query for an authorization decision using the SAML
     2.0 format.

Insert after line 1006:

  <element ref="samlp2:AuthorizationDecisionQuery"/>

3.3.5 Element <AuthorizationDecisionQuery>

Replace lines 1110-1136 (entire section) with:

  The <samlp2:AuthorizationDecisionQuery> element is used to make
  the query "Should these actions on this resource be allowed for
  this subject or subjects?"  A successful response will be in
  the form of an assertion containing an
  AuthorizationDecisionStatement.  This element is of type
  AuthorizationDecisionQueryType, which extends QueryAbstractType
  with the addition of the following element and attributes:

  xacml-context:Request [Required]

     A description of the authorization request.  The value is of
     the xacml-context:Request type.

  InputContextOnly [Required]

     If this attribute is TRUE, the authorization decision MUST
     be made solely on the basis of information contained in the
     AuthorizationDecisionQuery; no external attributes are to be
     used.  If FALSE, the authorization decision MAY be made on
     the basis of external attributes not contained in the
     AuthorizationDecisionQuery.

  ReturnContext [Required]

     If this attribute is TRUE, the
     AuthorizationDecisionStatement returned MUST include the
     XACML Attributes used to make the authorization decision in
     the form of an xacml-context:Request; additional XACML
     Attributes MAY be included in the returned
     xacml-context:Request.  If this attribute is FALSE, the
     AuthorizationDecisionStatement returned MUST NOT include an
     xacml-context:Request.

  The following schema fragment defines the
  <AuthorizationDecisionQuery> element and its
  AuthorizationDecisionQueryType complex type:

        <element name="AuthorizationDecisionQuery" type="samlp2:AuthorizationDecisionQueryType"/>
        <complexType name="AuthorizationDecisionQueryType">
                <complexContent>
                        <extension base="samlp:QueryAbstractType">
                                <sequence>
                                        <element ref="xacml-context:Request" />
                                </sequence>
                                <attribute name="InputContextOnly" type="boolean" use="required"/>
                                <attribute name="ReturnContext" type="boolean" use="required"/>
                        </extension>
                </complexContent>
        </complexType>


3.4.2 Element <Response>

Replace line 1185 with:

  <saml2:Assertion> [Any Number] (see Section 2.3.2)

     Specifies an assertion by value.

Replace line 1194 with:

  <element ref="saml2:Assertion" minOccurs="0" maxOccurs="unbounded"/>

<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified">
        <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
        <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/>
        <import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/>
        <annotation>
                <documentation>
                Document identifier: oasis-sstc-saml-schema-assertion-2.0
                Location: 
                </documentation>
        </annotation>
        <element name="Assertion" type="saml2:AssertionType"/>
        <complexType name="AssertionType">
                <sequence>
                        <element ref="saml:Conditions" minOccurs="0"/>
                        <element ref="saml2:Advice" minOccurs="0"/>
                        <choice maxOccurs="unbounded">
                                <element ref="saml:Statement"/>
                                <element ref="saml:SubjectStatement"/>
                                <element ref="saml:AuthenticationStatement"/>
                                <element ref="saml:AuthorizationDecisionStatement"/>
                                <element ref="saml2:AuthorizationDecisionStatement"/>
                                <element ref="saml:AttributeStatement"/>
                        </choice>
                        <element ref="ds:Signature" minOccurs="0"/>
                </sequence>
                <attribute name="MajorVersion" type="integer" use="required"/>
                <attribute name="MinorVersion" type="integer" use="required"/>
                <attribute name="AssertionID" type="saml:IDType" use="required"/>
                <attribute name="Issuer" type="string" use="required"/>
                <attribute name="IssueInstant" type="dateTime" use="required"/>
        </complexType>
        <element name="Advice" type="saml2:AdviceType"/>
        <complexType name="AdviceType">
                <choice minOccurs="0" maxOccurs="unbounded">
                        <element ref="saml:AssertionIDReference"/>
                        <element ref="saml2:Assertion"/>
                        <any namespace="##other" processContents="lax"/>
                </choice>
        </complexType>
        <element name="AuthorizationDecisionStatement" type="saml2:AuthorizationDecisionStatementType"/>
        <complexType name="AuthorizationDecisionStatementType">
                <complexContent>
                        <extension base="saml:StatementAbstractType">
                                <sequence>
                                        <element ref="xacml-context:Response" />
                                        <element ref="xacml-context:Request" minOccurs="0"/>
                                </sequence>
                        </extension>
                </complexContent>
        </complexType>
        <element name="Evidence" type="saml2:EvidenceType"/>
        <complexType name="EvidenceType">
                <choice maxOccurs="unbounded">
                        <element ref="saml:AssertionIDReference"/>
                        <element ref="saml2:Assertion"/>
                </choice>
        </complexType>
</schema>

<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v4.2 U (http://www.xmlspy.com) by Phillip Hallam-Baker (Phillip Hallam-Baker) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified">
        <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/>
        <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="oasis-sstc-saml-schema-assertion-2.0.xsd"/>
        <import namespace="urn:oasis:names:tc:SAML:1.0:protocol" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-protocol-1.0.xsd"/>
        <import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/>
        <annotation>
                <documentation>
                Document identifier: oasis-sstc-saml-schema-protocol-2.0
                Location: 
                </documentation>
        </annotation>
        <element name="Request" type="samlp2:RequestType"/>
        <complexType name="RequestType">
                <complexContent>
                        <extension base="samlp:RequestAbstractType">
                                <choice>
                                        <element ref="samlp:Query"/>
                                        <element ref="samlp:SubjectQuery"/>
                                        <element ref="samlp:AuthenticationQuery"/>
                                        <element ref="samlp:AttributeQuery"/>
                                        <element ref="samlp:AuthorizationDecisionQuery"/>
                                        <element ref="samlp2:AuthorizationDecisionQuery"/>
                                        <element ref="saml:AssertionIDReference" maxOccurs="unbounded"/>
                                        <element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/>
                                </choice>
                        </extension>
                </complexContent>
        </complexType>
        <element name="AuthorizationDecisionQuery" type="samlp2:AuthorizationDecisionQueryType"/>
        <complexType name="AuthorizationDecisionQueryType">
                <complexContent>
                        <extension base="samlp:QueryAbstractType">
                                <sequence>
                                        <element ref="xacml-context:Request" />
                                </sequence>
                                <attribute name="InputContextOnly" type="boolean" use="required"/>
                                <attribute name="ReturnContext" type="boolean" use="required"/>
                        </extension>
                </complexContent>
        </complexType>
        <element name="Response" type="samlp2:ResponseType"/>
        <complexType name="ResponseType">
                <complexContent>
                        <extension base="samlp:ResponseAbstractType">
                                <sequence>
                                        <element ref="samlp:Status"/>
                                        <element ref="saml2:Assertion" minOccurs="0" maxOccurs="unbounded"/>
                                </sequence>
                        </extension>
                </complexContent>
        </complexType>
</schema>
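The ReturnContext contract from sections 2.4.4 and 3.3.5 of the attached changes, as an added example that is not part of Anne's message or the attached schemas: a Python check a PEP can run on a returned AuthorizationDecisionStatement against the AuthorizationDecisionQuery it answers, flagging a PDP that drops the context it was asked to return (or returns one it was told not to). Only the namespace URIs come from the attached schemas; the sample messages are constructed here with empty XACML bodies.

```python
import xml.etree.ElementTree as ET

# Namespace URIs taken from the attached schema files (Clark notation below).
SAMLP2 = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML = "urn:oasis:names:tc:xacml:1.0:context"

def xml_bool(value):
    # XML Schema boolean lexical forms: "true"/"1" versus "false"/"0".
    return value.strip() in ("true", "1")

def check_decision(query_xml, statement_xml):
    """Return the MUST rules the statement/query pair violates ([] = conforms)."""
    query = ET.fromstring(query_xml)
    stmt = ET.fromstring(statement_xml)
    problems = []
    # Both flags are use="required" in the proposed protocol schema.
    for attr in ("InputContextOnly", "ReturnContext"):
        if query.get(attr) is None:
            problems.append("query lacks the required %s attribute" % attr)
    if query.find("{%s}Request" % XACML) is None:
        problems.append("query lacks the required xacml-context:Request")
    if stmt.find("{%s}Response" % XACML) is None:
        problems.append("statement lacks the required xacml-context:Response")
    # Section 3.3.5: presence of the returned input context follows ReturnContext.
    return_ctx = xml_bool(query.get("ReturnContext", "false"))
    returned = stmt.find("{%s}Request" % XACML)
    if return_ctx and returned is None:
        problems.append("ReturnContext=true but no input context was returned")
    if not return_ctx and returned is not None:
        problems.append("ReturnContext=false but an input context was returned")
    return problems

# Constructed sample messages; the XACML bodies are left empty because only
# the element structure matters to these checks.
XMLNS = 'xmlns:samlp2="%s" xmlns:saml2="%s" xmlns:xacml-context="%s"' % (
    SAMLP2, SAML2, XACML)
QUERY = ('<samlp2:AuthorizationDecisionQuery %s InputContextOnly="true" '
         'ReturnContext="true"><xacml-context:Request/>'
         '</samlp2:AuthorizationDecisionQuery>' % XMLNS)
GOOD = ('<saml2:AuthorizationDecisionStatement %s><xacml-context:Response/>'
        '<xacml-context:Request/></saml2:AuthorizationDecisionStatement>' % XMLNS)
# A PDP that renders the decision but drops the context the PEP asked for.
BAD = ('<saml2:AuthorizationDecisionStatement %s><xacml-context:Response/>'
       '</saml2:AuthorizationDecisionStatement>' % XMLNS)

if __name__ == "__main__":
    print(check_decision(QUERY, GOOD))  # []
    print(check_decision(QUERY, BAD))
```

A PEP that keeps the returned context for audit, as the message suggests, can run this check before storing it so that an audit trail never silently lacks the context the decision was based on.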