Subject: [xacml] Proposal for SAML 2.0 changes
Simon volunteered to write this up, but he is still incommunicado due to ISP problems. I think it is almost as much work for me to send him the information as for me just to write up what Hal and I have come up with so far. So here it is. Comments invited. Once the discussion stabilizes, we can put this in detail into the OASIS document format.

-Anne

Draft Proposal to SSTC for SAML 2.0 changes from XACML
======================================================

SAML 2.0 AuthorizationDecisionQuery contains:

1. XACML input context
2. flag indicating whether
   a) only the content of the context from the PEP can be used ("what if" mode), or
   b) the PDP can use attribute values obtained from other sources
3. flag indicating whether returned assertion should contain input context that decision was based on

The response to the AuthorizationDecisionQuery is returned in the existing SAML Response, but uses a new AuthorizationDecisionStatement containing

1. XACML output context
2. (optional) XACML input context used.

The context MUST contain all data which affected the decision, but it would be up to each implementation whether the context was trimmed down to just the values that "mattered" or whether the context was the superset of all values known at the time of the decision whether they affected the decision or not. The reason for putting the input context in the assertion would be to allow it to be saved by the PEP for audit purposes.

Discussion
==========

Duplicate Subject Information
-----------------------------

While this effectively introduces a duplicate format for subject information (the XACML Subject vs. the SAML Subject Assertion), the AuthorizationDecisionRequest can contain SAML AttributeAssertions, as it does now. The XACML PDP's "attribute finder" will need to be able to look for such SAML Attribute Assertions in the AuthorizationDecisionQuery that are outside of the XACML Request Context.
Backwards Compatibility Issues
------------------------------

Since nobody seems to be using AuthZ Decision, we do not anticipate any need to provide backwards compatibility.

--
Anne H. Anderson                         Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311               Tel: 781/442-0928
Burlington, MA 01803-0902 USA            Fax: 781/442-1692
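The following is an added example, not code from the thread or from any XACML or SAML implementation, that models the two flags the proposal puts on the query and the "used context" the proposal puts in the returned statement. All class and field names (AuthzDecisionQuery, AuthzDecisionStatement, input_context_only, return_context, AttributeFinder), the attribute ids and the single policy rule are assumptions made up for illustration; the semantics follow the post: in "what if" mode the PDP may only use the PEP-supplied context, otherwise the attribute finder may consult other sources, and every attribute value that influenced the decision is recorded so the PEP can keep it for audit.

```python
"""Toy model of the proposed XACML-over-SAML authorization decision exchange.

Added example; names are assumptions, not from the post or any product:
  input_context_only=True  -> "what if" mode: PDP uses only the PEP's context
  input_context_only=False -> the attribute finder may use other sources
  return_context=True      -> the statement echoes the context actually used
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# A request context is modelled as category -> {attribute-id: value}
# (a stand-in for the XACML Request Context, constructed for this example).
Context = Dict[str, Dict[str, str]]


@dataclass
class AuthzDecisionQuery:
    """The proposed query: input context plus the two flags."""
    request: Context
    input_context_only: bool
    return_context: bool


@dataclass
class AuthzDecisionStatement:
    """The proposed statement: decision plus (optionally) the context used."""
    decision: str                     # "Permit" or "Deny" (constructed policy)
    used_context: Optional[Context]   # None unless return_context was set


@dataclass
class AttributeFinder:
    """Stand-in for the PDP's attribute finder: looks in the PEP-supplied
    context first and, only when allowed, in an external attribute store."""
    external: Context = field(default_factory=dict)

    def find(self, ctx: Context, category: str, attr_id: str,
             allow_external: bool, used: Context) -> Optional[str]:
        value = ctx.get(category, {}).get(attr_id)
        if value is None and allow_external:
            value = self.external.get(category, {}).get(attr_id)
        if value is not None:
            # Record every value that influenced the decision, whatever its
            # source, so the returned context satisfies the "MUST contain
            # all data which affected the decision" requirement.
            used.setdefault(category, {})[attr_id] = value
        return value


def evaluate(query: AuthzDecisionQuery,
             finder: AttributeFinder) -> AuthzDecisionStatement:
    """Evaluate one constructed rule: Permit when the subject's role is
    'admin' and the resource type is 'ledger'; otherwise Deny."""
    used: Context = {}
    allow_external = not query.input_context_only   # "what if" mode blocks lookups
    role = finder.find(query.request, "subject", "role", allow_external, used)
    rtype = finder.find(query.request, "resource", "type", allow_external, used)
    decision = "Permit" if (role == "admin" and rtype == "ledger") else "Deny"
    return AuthzDecisionStatement(
        decision=decision,
        used_context=used if query.return_context else None,
    )


if __name__ == "__main__":
    # Constructed sample: the PEP knows the subject id and the resource type
    # but not the role; an external store (e.g. a directory) knows the role.
    finder = AttributeFinder(external={"subject": {"role": "admin"}})
    req = {"subject": {"id": "alice"}, "resource": {"type": "ledger"}}
    for only_pep in (True, False):
        q = AuthzDecisionQuery(req, input_context_only=only_pep, return_context=True)
        s = evaluate(q, finder)
        print(f"input_context_only={only_pep}: {s.decision}, used={s.used_context}")
```

Running the block shows the difference the first flag makes: in "what if" mode the role is never fetched, so the same request is denied and the returned context lists only the resource attribute, whereas with external lookups allowed the decision is Permit and the externally sourced role appears in the returned context, which is exactly what the PEP would want to store for audit.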