[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: XACML/OGSA SAML AuthzDecisionQuery/Resp Working Session 21 Aug
Colleagues, We need an agenda of items to cover at our 21 August meeting in order to use the time productively. I propose the following: use the current XACML proposal (attached) as a base, with changes or additions needed to support the OGSA requirements as issues to be resolved. I have started a list of the OGSA requirements that are not met by the existing XACML proposal below. We can decide on the order in which to start addressing these at the meeting. We won't get to all of them, but we can make a start. Note that changes might involve the SAML AuthzDecisionQuery/Response wrapper, the XACML Request/Response payload, or other protocols, new or existing. Any other suggestions? -Anne Anderson I use "attribute" to mean the same thing (I hope) as "credential". [x] indicates a proposed solution at the bottom. - decision push mode: any changes needed to support this? - attribute pull mode (PDP pulls initiator's attributes from some other authority) o Way for client to provide pointer to the authorization service, giving it a hint where to find attributes - Multi-step authorization o Way for a set of attributes to be collected for a given subject and re-used in a sequence of subsequent AuthorizationDecisionQueries. Where is this state maintained? o Format for such a collection of attributes (a skeleton XACML Request?) - Linking an AuthorizationDecision to the set of information contained in the Query to which it is a response. o Is XACML proposal option for including the entire Request in the AuthzDecision sufficient? Does the unique ID in the SAML AuthorizationDecisionQuery need to be included in the AuthzDecision? Does each XACML Request need its own unique ID? - Multiple actions in a single request. [1,2] o Is Decision all-or-nothing? or a separate decision for each action? If separate, how do decisions specify action to which they pertain? - Multiple resources in a single request. [1,2] o Is Decision all-or-nothing? or a separate decision for each resource? If separate, how do decisions specify action to which they pertain? (XACML already supports multiple resources in a decision, but not in a Request). - Decisions where not all information was available. How to indicate that SAML Decision contains Conditions that must also be satisfied. Format for those Conditions (XACML Policy?) [3] - #X509SubjectName DataType: will XACML support this as a base DataType? If so, will it replace the current XACML x500Name DataType? Are comparison semantics the same? - Returning subject's rights to all resources of which the PDP is aware (wildcard resource URI). - Returning subject's rights to take all actions that apply to a specified resource. Possible solutions: [1] Multiple Actions, Associate Actions with Resource: It might be useful for the XACML Request to be of the form Subject Attributes Requested Permission 1 Resource Resource Attributes Action Action Attributes Requested Permission 2 ... where each Requested Permission contains a resource and an action, along with their attributes. The XACML Response should then be modified to return a Decision for each "Requested Permission", identifying the "Requested Permission". This would meet the need that various users have expressed for multiple actions, or for getting multiple decisions per Request. [It does not solve the Hierarchical Resource problems, but certainly does not make them worse :-)] The evaluation model would be to run the current evaluation model once for each Requested Permission. [2] Semantics for multiple resources and/or actions might be specified as: PDP runs the current evaluation engine once for each resource/action pair. Depending on a flag set by the PEP, either a single decision is returned ("Permit" only if every resource/action pair evaluated to "Permit") or a separate decision is returned for each, using existing XACML Response multiple-decision format, but specifying action-id as well as resource-id to which each decision applies. [3] Partial Evaluation: It might be useful to define "partial evaluation" for XACML, both for debugging purposes and for applications such as returning "Conditions". By "partial evaluation", I mean using all available attributes to resolve and factor out predicates that can be eliminated, leaving a Policy that that contains only predicates that depend on unavailable attributes. For example, if the Rule is: <Rule Effect="Permit"> <Condition FunctionId="and"> <Apply FunctionId="string-equals"> <AttributeValue>X</AttributeValue> <SubjectAttributeDesignator AttrId="subject-id"> </Apply> <Apply FunctionId="string-equals"> <AttributeValue>Y</AttributeValue> <ResourceAttributeDesignator AttrId="resource-id"> </Apply> </Condition> </Rule> and a Resource Attribute for resource-id with value "Y" is supplied, but there is no subject-id attribute available, then the Rule, given the input Context, simplifies to <Rule Effect="Permit"> <Condition FunctionId="string-equals"> <AttributeValue>X</AttributeValue> <SubjectAttributeDesignator AttrId="subject-id"> </Condition> </Rule> I can think of lots of problems in defining useful "partial evaluation" rules, but I can also think of lots of useful cases. -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
Title: Changes to SAML Specification for XACML-Compatible Authorization Authors: Anne Anderson, Hal Lockhart, Simon Godik Version: 1.4, 03/04/03 (yy/mm/dd) Approved by XACML TC on 3 April 2003 for submitting to SSTC. Description: This document contains recommended changes to "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)" (OASIS Standard, 5 November 2002) to utilize the XACML Request and Response Context formats for authorization decisions. The associated changes recommended to the SAML Assertion and Protocol schemas that are appended to this document. These changes are being proposed for inclusion in SAML 2.0. In order to distinguish SAML 2.0 XACML-Compatible elements from the corresponding SAML 1.0 elements with the same name, the recommended SAML 2.0 names are prefixed with "XC". The SSTC should change these names as appropriate. The QName "xacml-context" refers to "urn:oasis:names:tc:xacml:1.0:context", which is associated with the schema "cs-xacml-schema-context-01.xsd" located in the OASIS XACML TC Repository. See http://www.oasis-open.org/committees/xacml for links. 2.3.2 Element <XCAssertion> Insert after line 403: <saml2:XCAuthorizationDecisionStatement> An authorization decision statement in the SAML 2.0 format, containing an authorization decision in a format compatible with the OASIS XACML Version 1.0 Standard. Insert after line 416: <element ref="saml2:XCAuthorizationDecisionStatement"/> 2.3.2.2 Element <XCAdvice> Replace line 533 with: <element name="XCAdvice" type="saml2:XCAdviceType"/> Replace line 537 with: <element ref="saml2:XCAssertion"/> 2.4.4 Element <XCAuthorizationDecisionStatement> Replace lines 738-795 (entire section) with: The <XCAuthorizationDecisionStatement> element supplies a statement by the issuer that the request for access by the specified subject or subjects to perform the specified action on the specified resource has resulted in the specified decision. The decision is in the form of an xacml-context:Response. The <XCAuthorizationDecisionStatement> optionally contains a description of the context in which the decision was made, in the form of an xacml-context:Request. This context may include only the information used in making the authorization decision, or may include additional information. This is implementation-dependent. See OASIS eXtensible Access Control Markup Language (XACML) Version 1.0 for a description of the elements in an xacml-context:Response or xacml-context:Request. The <XCAuthorizationDecisionStatement> element is of type saml2:XCAuthorizationDecisionStatementType, which extends StatementAbstractType with the addition of the following elements (in order) and attributes: xacml-context:Response [Required] The decision rendered by the issuer with respect to an authorization decision query. The value is of the xacml-context:Response type. xacml-context:Request [Optional] The information used to make the authorization decision. If the XCAuthorizationDecisionRequest "ReturnContext" attribute is TRUE, then this element MUST be supplied and MUST include all XACML Attributes used in making the authorization decision, whether supplied in the original XCAuthorizationDecisionQuery or obtained from external sources. The xacml-context:Request MAY include additional XACML Attributes that were not used in making the authorization decision. If the XCAuthorizationDecisionRequest "ReturnContext" attribute is FALSE, then this element MUST NOT be supplied. The following schema fragment defines the <XCAuthorizationDecisionStatement> element and its XCAuthorizationDecisionStatementType complex type: <element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/> <complexType name="XCAuthorizationDecisionStatementType"> <complexContent> <extension base="saml:StatementAbstractType"> <sequence> <element ref="xacml-context:Response" /> <element ref="xacml-context:Request" minOccurs="0"/> </sequence> </extension> </complexContent> </complexType> 2.4.4.2 Element <XCEvidence> Replace line 819 with: <saml2:XCAssertion> Replace line 830 with: <element ref="saml2:XCAssertion> 3.2.2 Element <XCRequest> Insert after line 991: <saml2p:XCAuthorizationDecisionQuery> Makes a query for an authorization decision using the SAML 2.0 format. Insert after line 1006: <element ref="samlp2:XCAuthorizationDecisionQuery"/> 3.3.5 Element <XCAuthorizationDecisionQuery> Replace lines 1110-1136 (entire section) with: The <samlp2:XCAuthorizationDecisionQuery> element is used to make the query "Should these actions on this resource be allowed for this subject or subjects?" A successful response will be in the form of an assertion containing an XCAuthorizationDecisionStatement. This element is of type XCAuthorizationDecisionQueryType, which extends QueryAbstractType with the addition of the following element and attributes: xacml-context:Request [Required] A description of the authorization request. The value is of the xacml-context:Request type. InputContextOnly [Required] If this attribute is TRUE, the authorization decision MUST be made solely on the basis of information contained in the XCAuthorizationDecisionQuery; no external attributes are to be used. If FALSE, the authorization decision MAY be made on the basis of external attributes not contained in the XCAuthorizationDecisionQuery. ReturnContext [Required] If this attribute is TRUE, the XCAuthorizationDecisionStatement returned MUST include the XACML Attributes used to make the authorization decision in the form of an xacml-context:Request; additional XACML Attributes MAY be included in the returned xacml-context:Request. If this attribute is FALSE, the XCAuthorizationDecisionStatement returned MUST NOT include an xacml-context:Request. The following schema fragment defines the <XCAuthorizationDecisionQuery> element and its XCAuthorizationDecisionQueryType complex type: <element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/> <complexType name="XCAuthorizationDecisionQueryType"> <complexContent> <extension base="samlp:QueryAbstractType"> <sequence> <element ref="xacml-context:Request" /> </sequence> <attribute name="InputContextOnly" type="boolean" use="required"/> <attribute name="ReturnContext" type="boolean" use="required"/> </extension> </complexContent> </complexType> 3.4.2 Element <Response> Replace line 1185 with: <saml2:XCAssertion> [Any Number] (see Section 2.3.2) Specifies an assertion by value. Replace line 1194 with: <element ref="saml2:XCAssertion" minOccurs="0" ====================================================================================== SAML Assertion Schema Changes ====================================================================================== <?xml version="1.0" encoding="UTF-8"?> <!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) --> <schema targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified"> <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/> <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/> <import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/> <annotation> <documentation> Document identifier: oasis-sstc-saml-schema-assertion-2.0 Location: </documentation> </annotation> <element name="XCAssertion" type="saml2:XCAssertionType"/> <complexType name="XCAssertionType"> <sequence> <element ref="saml:Conditions" minOccurs="0"/> <element ref="saml2:XCAdvice" minOccurs="0"/> <choice maxOccurs="unbounded"> <element ref="saml:Statement"/> <element ref="saml:SubjectStatement"/> <element ref="saml:AuthenticationStatement"/> <element ref="saml:AuthorizationDecisionStatement"/> <element ref="saml2:XCAuthorizationDecisionStatement"/> <element ref="saml:AttributeStatement"/> </choice> <element ref="ds:Signature" minOccurs="0"/> </sequence> <attribute name="MajorVersion" type="integer" use="required"/> <attribute name="MinorVersion" type="integer" use="required"/> <attribute name="AssertionID" type="saml:IDType" use="required"/> <attribute name="Issuer" type="string" use="required"/> <attribute name="IssueInstant" type="dateTime" use="required"/> </complexType> <element name="XCAdvice" type="saml2:XCAdviceType"/> <complexType name="XCAdviceType"> <choice minOccurs="0" maxOccurs="unbounded"> <element ref="saml:AssertionIDReference"/> <element ref="saml2:XCAssertion"/> <any namespace="##other" processContents="lax"/> </choice> </complexType> <element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/> <complexType name="XCAuthorizationDecisionStatementType"> <complexContent> <extension base="saml:StatementAbstractType"> <sequence> <element ref="xacml-context:Response" /> <element ref="xacml-context:Request" minOccurs="0"/> </sequence> </extension> </complexContent> </complexType> <element name="XCEvidence" type="saml2:XCEvidenceType"/> <complexType name="XCEvidenceType"> <choice maxOccurs="unbounded"> <element ref="saml:AssertionIDReference"/> <element ref="saml2:XCAssertion"/> </choice> </complexType> </schema> ====================================================================================== SAML Protocol Schema Changes ====================================================================================== <?xml version="1.0" encoding="UTF-8"?> <!-- edited with XML Spy v4.2 U (http://www.xmlspy.com) by Phillip Hallam-Baker (Phillip Hallam-Baker) --> <schema targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified"> <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/> <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="oasis-sstc-saml-schema-assertion-2.0.xsd"/> <import namespace="urn:oasis:names:tc:SAML:1.0:protocol" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-protocol-1.0.xsd"/> <import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/> <annotation> <documentation> Document identifier: oasis-sstc-saml-schema-protocol-2.0 Location: </documentation> </annotation> <element name="XCRequest" type="samlp2:XCRequestType"/> <complexType name="XCRequestType"> <complexContent> <extension base="samlp:RequestAbstractType"> <choice> <element ref="samlp:Query"/> <element ref="samlp:SubjectQuery"/> <element ref="samlp:AuthenticationQuery"/> <element ref="samlp:AttributeQuery"/> <element ref="samlp:AuthorizationDecisionQuery"/> <element ref="samlp2:XCAuthorizationDecisionQuery"/> <element ref="saml:AssertionIDReference" maxOccurs="unbounded"/> <element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/> </choice> </extension> </complexContent> </complexType> <element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/> <complexType name="XCAuthorizationDecisionQueryType"> <complexContent> <extension base="samlp:QueryAbstractType"> <sequence> <element ref="xacml-context:Request" /> </sequence> <attribute name="InputContextOnly" type="boolean" use="required"/> <attribute name="ReturnContext" type="boolean" use="required"/> </extension> </complexContent> </complexType> <element name="XCResponse" type="samlp2:XCResponseType"/> <complexType name="XCResponseType"> <complexContent> <extension base="samlp:ResponseAbstractType"> <sequence> <element ref="samlp:Status"/> <element ref="saml2:XCAssertion" minOccurs="0" maxOccurs="unbounded"/> </sequence> </extension> </complexContent> </complexType> </schema>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]