Subject: [xacml] Proposal for SAML 2.0 changes


Simon volunteered to write this up, but he is still incommunicado
due to ISP problems.  I think it is almost as much work for me to
send him the information as for me just to write up what Hal and
I have come up with so far.  So here it is.  Comments invited.
Once the discussion stabilizes, we can put this in detail into
the OASIS document format.  -Anne

Draft Proposal to SSTC for SAML 2.0 changes from XACML
======================================================

SAML 2.0 AuthorizationDecisionQuery contains:

1. XACML input context
2. flag indicating whether
   a) only the content of the context from the PEP can be used
      ("what if" mode), or
   b) the PDP can use attribute values obtained from other
      sources
3. flag indicating whether returned assertion should contain
   input context that decision was based on

The response to the AuthorizationDecisionQuery is returned in the
existing SAML Response, but uses a new
AuthorizationDecisionStatement containing

1. XACML output context
2. (optional) XACML input context used.

   The context MUST contain all data which affected the decision,
   but it would be up to each implementation whether the context
   was trimmed down to just the values that "mattered" or whether
   the context was the superset of all values known at the time
   of the decision whether they affected the decision or not.

   The reason for putting the input context in the assertion
   would be to allow it to be saved by the PEP for audit
   purposes.

Discussion
==========

Duplicate Subject Information
-----------------------------

While this effectively introduces a duplicate format for subject
information (the XACML Subject vs. the SAML Subject Assertion),
the AuthorizationDecisionRequest can contain SAML
AttributeAssertions, as it does now.  The XACML PDP's "attribute
finder" will need to be able to look for such SAML Attribute
Assertions in the AuthorizationDecisionQuery that are outside of
the XACML Request Context.

Backwards Compatibility Issues
------------------------------

Since nobody seems to be using AuthZ Decision, we do not
anticipate any need to provide backwards compatibility.

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
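Added example (editor's illustration, not part of Anne's message or any OASIS draft): a toy PDP that shows the semantics of the two proposed query flags and of the new statement. Element and attribute names (AuthorizationDecisionQuery, InputContextOnly, ReturnContext, AuthorizationDecisionStatement, Request, Response) and the external attribute store are assumptions chosen for illustration; the proposal does not fix any names. The policy, the sample queries and the attribute values are constructed.

```python
"""Toy PDP for the proposed XACML-based AuthorizationDecisionQuery.

Demonstrates: (1) "what if" mode, where only the PEP-supplied context
may be used; (2) normal mode, where the attribute finder may consult
other sources; (3) optional return of the input context actually used.
Names of elements/attributes are assumed, not taken from a spec.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for an external attribute source (e.g. a directory)
# that the PDP may consult only when InputContextOnly is false.
EXTERNAL_ATTRIBUTES = {
    "alice": {"role": "doctor"},
    "bob": {"role": "clerk"},
}


def _policy(role, action, resource):
    """Constructed policy: doctors may read patient records, else Deny."""
    if role == "doctor" and action == "read" and resource == "patient-record":
        return "Permit"
    return "Deny"


def _attr(elem, attr_id):
    """Text of <Attribute AttributeId=attr_id> under elem, or None."""
    if elem is None:
        return None
    for a in elem.findall("Attribute"):
        if a.get("AttributeId") == attr_id:
            return a.text
    return None


def _bool(s):
    return (s or "false").lower() == "true"


def decide(query_xml):
    """Evaluate one query; return (decision, statement_xml).

    decision is Permit / Deny / Indeterminate; statement_xml is the
    AuthorizationDecisionStatement the PDP would place in the assertion.
    """
    query = ET.fromstring(query_xml)
    input_only = _bool(query.get("InputContextOnly"))   # "what if" mode
    return_ctx = _bool(query.get("ReturnContext"))      # echo input context
    request = query.find("Request")
    if request is None:
        raise ValueError("query carries no XACML request context")

    subject = request.find("Subject")
    subject_id = _attr(subject, "subject-id")
    role = _attr(subject, "role")

    # Attribute finder.  If the role is absent from the PEP's context and we
    # are NOT in "what if" mode, look it up externally.  Because that value
    # affected the decision, it is added to the context that may be returned.
    if role is None and not input_only and subject is not None:
        role = EXTERNAL_ATTRIBUTES.get(subject_id, {}).get("role")
        if role is not None:
            ET.SubElement(subject, "Attribute", AttributeId="role").text = role

    if role is None:
        decision, status = "Indeterminate", "missing-attribute"
    else:
        action = _attr(request.find("Action"), "action-id")
        resource = _attr(request.find("Resource"), "resource-id")
        decision, status = _policy(role, action, resource), "ok"

    # New statement: XACML output context, plus the input context used
    # (all data that affected the decision) when the PEP asked for it.
    stmt = ET.Element("AuthorizationDecisionStatement")
    result = ET.SubElement(ET.SubElement(stmt, "Response"), "Result")
    ET.SubElement(result, "Decision").text = decision
    ET.SubElement(result, "Status").text = status
    if return_ctx:
        stmt.append(request)
    return decision, ET.tostring(stmt, encoding="unicode")


def make_query(subject_id, role=None, input_only=True, return_ctx=True):
    """Constructed sample query, as a PEP might send it (assumed shape)."""
    role_attr = f'<Attribute AttributeId="role">{role}</Attribute>' if role else ""
    return f"""<AuthorizationDecisionQuery InputContextOnly="{str(input_only).lower()}"
    ReturnContext="{str(return_ctx).lower()}">
  <Request>
    <Subject><Attribute AttributeId="subject-id">{subject_id}</Attribute>{role_attr}</Subject>
    <Resource><Attribute AttributeId="resource-id">patient-record</Attribute></Resource>
    <Action><Attribute AttributeId="action-id">read</Attribute></Action>
  </Request>
</AuthorizationDecisionQuery>"""


if __name__ == "__main__":
    for q in (make_query("alice", role="doctor"),        # role supplied by PEP
              make_query("alice"),                       # what-if, role absent
              make_query("alice", input_only=False),     # finder consults store
              make_query("bob", input_only=False, return_ctx=False)):
        print(*decide(q), sep="\n", end="\n\n")
```

The second query is the interesting case for the "what if" flag: the PEP left the role out, so the PDP must answer Indeterminate rather than silently consulting the directory. The third shows why the returned context must carry externally found values: an auditor reading the saved assertion would otherwise see a Permit with no role in the request.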

