Abstract XACML TC SAML AuthzDecisionQuery/Resp requirements

[Anne Anderson <Anne.Anderson@Sun.com>]

How do these sound as abstract requirements to present to SAML
for SAML 2.0?

1. Way to pass an XACML Request Context in the Query and an XACML
   Response Context in the Decision.
2. Way to indicate in the Query that an XACML Request Context is
   to be returned as part of the Decision.
3. Way to indicate in the Query whether the PDP is free to
   collect Attributes for use in making the Decision from sources
   other than the XACML Request Context passed in the Query.
4. Associate a DataType with an Issuer name, such that the name
   can be determined to be a string, an X.500 Distinguished Name,
   etc.

Newer requirements:
5. Way to return an XACML Policy/PolicySet in a Decision as a
   condition that must evaluate to "Permit" in order for the
   Decision to be valid.  Way to indicate that such a condition
   is associated with the Decision.  Might be appropriate to put
   this condition and indication into the XACML Response Context
   itself.
6. Way to pass an XACML Policy/PolicySet in a Query along with
   an indication as to whether this Policy/PolicySet is to be
   used alone or in conjunction with other Policies/PolicySets
   available to the PDP in evaluating the Query.
7. Better correspondence between SAML Attribute format and XACML
   Request Context Attribute format such that SAML Attributes can
   be translated into XACML Request Context Attributes
   mechanically and easily.
8. SAML Policy Assertion syntax, allowing an issuer to state and
   sign an XACML Policy/PolicySet.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692