Subject: Draft SAML 2.0 Change Requirements, v1.5
Attached is an updated draft of the joint XACML TC and OGSA requirements for SAML 2.0 changes. They are divided into AuthzDecisionQuery/Response requirements, other abstract requirements, suggested assertion schema changes, suggested protocol schema changes, and suggested specification changes associated with the schema changes.

This is still a draft for discussion. The plan is to finalize this (although not necessarily the syntax and specification changes) during our side meeting during the SAML Face-to-Face. The time for this meeting is still not determined. Suggested times, along with draft SAML 2.0 Agenda conflicts:

  Monday 8 Sept 6pm-10pm, incl. dinner [no SAML conflicts]
  Tuesday 9 Sept 8am-10am [1 hour of SAML gap analysis]
  Tuesday 9 Sept 9am-12am [3 hours of SAML gap analysis]
  Tuesday 9 Sept 1pm-4pm [3.25 hours of SAML gap analysis, .75 hour doc/editor/champion review]

If you are planning to participate, please indicate your preference order and any times you absolutely would NOT be able to attend.

Anne
--
Anne H. Anderson                  Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311        Tel: 781/442-0928
Burlington, MA 01803-0902 USA     Fax: 781/442-1692
Proposed SAML 2.0 Changes from XACML TC and OGSA

Editor: Anne Anderson <Anne.Anderson@sun.com>
Version: 1.5, 03/09/05 (yy/mm/dd)

*******************DISCUSSION DRAFT***************************

=====================================================================
A. Abstract Requirements for SAML AuthorizationDecisionQuery/Response
=====================================================================

1. Way to pass an XACML Request Context in the Query and an XACML Response Context in the Decision. Should not extend SubjectQueryAbstractType and SubjectStatementAbstractType, because the Subject element is redundant and inconsistent with the Subject information in the XACML Request and Response.

2. Way to indicate in the Query that an XACML Request Context (note: might not match the input Request) is to be returned as part of the Decision. This would usually be the input Request augmented with at least any additional attribute values used in evaluating the Request against applicable policies.

3. Way to indicate in the Query whether the PDP is free to collect Attributes for use in making the Decision from sources other than the XACML Request Context passed in the Query.

4. Associate a DataType with an Issuer name, such that the name can be determined to be a string, an X.500 Distinguished Name, etc.

5. Way to return an XACML Policy/PolicySet in a Decision as a condition that must evaluate to "Permit" in order for the Decision to be valid. Way to indicate that such a condition is associated with the Decision. Might be appropriate to put this condition and indication into the XACML Response Context itself rather than into the SAML envelope.

6. Way to pass an XACML Policy/PolicySet in a Query, along with an indication that such a policy is being supplied and whether this Policy/PolicySet is to be used alone or in conjunction with other Policies/PolicySets available to the PDP in evaluating the Query.

==============================
B. Other Abstract Requirements
==============================

1. Better correspondence between the SAML Attribute format and the XACML Request Context Attribute format, such that SAML Attributes can be translated into XACML Request Context Attributes mechanically and easily.

2. SAML Policy Statement syntax, allowing an issuer to state and sign an XACML Policy/PolicySet.

3. SAML AttributeQuery and Response syntax, allowing an entity to request Attributes of a given Subject or Resource, plus an indication whether only specific Attributes (identified in the Query by AttributeId) are to be returned, or whether all Attributes of the given Subject or Resource known to the Attribute Authority are to be returned.

4. Schema-aware canonicalization for SAML schema instances and encapsulated payloads, including at least DataType normalization, deterministic ordering of elements and attributes, and default attribute and element values, such that digital signatures can be applied to the output and verified by another entity that may have parsed and re-encoded the signed content.

5. Possibly: SAML Policy Query syntax, allowing a PDP to request a Policy/PolicySet by its Policy[Set]Id from an on-line Policy Administration Point (are there any online PAPs? If not, no need for this).

=======================================================
C. Suggested SAML Assertion Schema Changes [incomplete]
=======================================================

In order to distinguish SAML 2.0 XACML-Compatible elements from the corresponding SAML 1.0 elements with the same name, the recommended SAML 2.0 names are prefixed with "XC". The SSTC should change these names as appropriate.

The QName "xacml-context" refers to "urn:oasis:names:tc:xacml:1.0:context", which is associated with the schema "cs-xacml-schema-context-01.xsd" located in the OASIS XACML TC Repository. See http://www.oasis-open.org/committees/xacml for links.
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context"
        xmlns="http://www.w3.org/2001/XMLSchema"
        elementFormDefault="unqualified">
  <import namespace="http://www.w3.org/2000/09/xmldsig#"
          schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
  <import namespace="urn:oasis:names:tc:SAML:1.0:assertion"
          schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/>
  <import namespace="urn:oasis:names:tc:xacml:1.0:context"
          schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/>
  <annotation>
    <documentation>
      Document identifier: oasis-sstc-saml-schema-assertion-2.0
      Location:
    </documentation>
  </annotation>
  <element name="XCAssertion" type="saml2:XCAssertionType"/>
  <complexType name="XCAssertionType">
    <sequence>
      <element ref="saml:Conditions" minOccurs="0"/>
      <element ref="saml2:XCAdvice" minOccurs="0"/>
      <choice maxOccurs="unbounded">
        <element ref="saml:Statement"/>
        <element ref="saml:SubjectStatement"/>
        <element ref="saml:AuthenticationStatement"/>
        <element ref="saml:AuthorizationDecisionStatement"/>
        <element ref="saml2:XCAuthorizationDecisionStatement"/>
        <element ref="saml:AttributeStatement"/>
      </choice>
      <element ref="ds:Signature" minOccurs="0"/>
    </sequence>
    <attribute name="MajorVersion" type="integer" use="required"/>
    <attribute name="MinorVersion" type="integer" use="required"/>
    <attribute name="AssertionID" type="saml:IDType" use="required"/>
    <attribute name="Issuer" type="string" use="required"/>
    <attribute name="IssueInstant" type="dateTime" use="required"/>
  </complexType>
  <element name="XCAdvice" type="saml2:XCAdviceType"/>
  <complexType name="XCAdviceType">
    <choice minOccurs="0" maxOccurs="unbounded">
      <element ref="saml:AssertionIDReference"/>
      <element ref="saml2:XCAssertion"/>
      <any namespace="##other" processContents="lax"/>
    </choice>
  </complexType>
  <element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/>
  <complexType name="XCAuthorizationDecisionStatementType">
    <complexContent>
      <extension base="saml:StatementAbstractType">
        <sequence>
          <element ref="xacml-context:Response"/>
          <element ref="xacml-context:Request" minOccurs="0"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
  <element name="XCEvidence" type="saml2:XCEvidenceType"/>
  <complexType name="XCEvidenceType">
    <choice maxOccurs="unbounded">
      <element ref="saml:AssertionIDReference"/>
      <element ref="saml2:XCAssertion"/>
    </choice>
  </complexType>
</schema>

======================================================
D. Suggested SAML Protocol Schema Changes [incomplete]
======================================================

In order to distinguish SAML 2.0 XACML-Compatible elements from the corresponding SAML 1.0 elements with the same name, the recommended SAML 2.0 names are prefixed with "XC". The SSTC should change these names as appropriate.

The QName "xacml-context" refers to "urn:oasis:names:tc:xacml:1.0:context", which is associated with the schema "cs-xacml-schema-context-01.xsd" located in the OASIS XACML TC Repository. See http://www.oasis-open.org/committees/xacml for links.
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v4.2 U (http://www.xmlspy.com) by Phillip Hallam-Baker (Phillip Hallam-Baker) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context"
        xmlns="http://www.w3.org/2001/XMLSchema"
        elementFormDefault="unqualified">
  <import namespace="urn:oasis:names:tc:SAML:1.0:assertion"
          schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/>
  <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
          schemaLocation="oasis-sstc-saml-schema-assertion-2.0.xsd"/>
  <import namespace="urn:oasis:names:tc:SAML:1.0:protocol"
          schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-protocol-1.0.xsd"/>
  <import namespace="urn:oasis:names:tc:xacml:1.0:context"
          schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/>
  <annotation>
    <documentation>
      Document identifier: oasis-sstc-saml-schema-protocol-2.0
      Location:
    </documentation>
  </annotation>
  <element name="XCRequest" type="samlp2:XCRequestType"/>
  <complexType name="XCRequestType">
    <complexContent>
      <extension base="samlp:RequestAbstractType">
        <choice>
          <element ref="samlp:Query"/>
          <element ref="samlp:SubjectQuery"/>
          <element ref="samlp:AuthenticationQuery"/>
          <element ref="samlp:AttributeQuery"/>
          <element ref="samlp:AuthorizationDecisionQuery"/>
          <element ref="samlp2:XCAuthorizationDecisionQuery"/>
          <element ref="saml:AssertionIDReference" maxOccurs="unbounded"/>
          <element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/>
        </choice>
      </extension>
    </complexContent>
  </complexType>
  <element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/>
  <complexType name="XCAuthorizationDecisionQueryType">
    <complexContent>
      <extension base="samlp:QueryAbstractType">
        <sequence>
          <element ref="xacml-context:Request"/>
        </sequence>
        <attribute name="InputContextOnly" type="boolean" use="required"/>
        <attribute name="ReturnContext" type="boolean" use="required"/>
      </extension>
    </complexContent>
  </complexType>
  <element name="XCResponse" type="samlp2:XCResponseType"/>
  <complexType name="XCResponseType">
    <complexContent>
      <extension base="samlp:ResponseAbstractType">
        <sequence>
          <element ref="samlp:Status"/>
          <element ref="saml2:XCAssertion" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
</schema>

===============================================
E. Suggested Specification Changes [incomplete]
===============================================

Changes to "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)" (OASIS Standard, 5 November 2002) to utilize the XACML Request and Response Context formats for authorization decisions. These are associated with the schema changes listed in sections C and D.

In order to distinguish SAML 2.0 XACML-Compatible elements from the corresponding SAML 1.0 elements with the same name, the recommended SAML 2.0 names are prefixed with "XC". The SSTC should change these names as appropriate.

The QName "xacml-context" refers to "urn:oasis:names:tc:xacml:1.0:context", which is associated with the schema "cs-xacml-schema-context-01.xsd" located in the OASIS XACML TC Repository. See http://www.oasis-open.org/committees/xacml for links.

2.3.2 Element <XCAssertion>

Insert after line 403:

  <saml2:XCAuthorizationDecisionStatement>
    An authorization decision statement in the SAML 2.0 format, containing an authorization decision in a format compatible with the OASIS XACML Version 1.0 Standard.
Insert after line 416:

  <element ref="saml2:XCAuthorizationDecisionStatement"/>

2.3.2.2 Element <XCAdvice>

Replace line 533 with:

  <element name="XCAdvice" type="saml2:XCAdviceType"/>

Replace line 537 with:

  <element ref="saml2:XCAssertion"/>

2.4.4 Element <XCAuthorizationDecisionStatement>

Replace lines 738-795 (entire section) with:

The <XCAuthorizationDecisionStatement> element supplies a statement by the issuer that the request for access by the specified subject or subjects to perform the specified action on the specified resource has resulted in the specified decision. The decision is in the form of an xacml-context:Response.

The <XCAuthorizationDecisionStatement> optionally contains a description of the context in which the decision was made, in the form of an xacml-context:Request. This context may include only the information used in making the authorization decision, or may include additional information. This is implementation-dependent.

See OASIS eXtensible Access Control Markup Language (XACML) Version 1.0 for a description of the elements in an xacml-context:Response or xacml-context:Request.

The <XCAuthorizationDecisionStatement> element is of type saml2:XCAuthorizationDecisionStatementType, which extends StatementAbstractType with the addition of the following elements (in order) and attributes:

xacml-context:Response [Required]
  The decision rendered by the issuer with respect to an authorization decision query. The value is of the xacml-context:Response type.

xacml-context:Request [Optional]
  The information used to make the authorization decision. If the XCAuthorizationDecisionRequest "ReturnContext" attribute is TRUE, then this element MUST be supplied and MUST include all XACML Attributes used in making the authorization decision, whether supplied in the original XCAuthorizationDecisionQuery or obtained from external sources. The xacml-context:Request MAY include additional XACML Attributes that were not used in making the authorization decision.
  If the XCAuthorizationDecisionRequest "ReturnContext" attribute is FALSE, then this element MUST NOT be supplied.

The following schema fragment defines the <XCAuthorizationDecisionStatement> element and its XCAuthorizationDecisionStatementType complex type:

  <element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/>
  <complexType name="XCAuthorizationDecisionStatementType">
    <complexContent>
      <extension base="saml:StatementAbstractType">
        <sequence>
          <element ref="xacml-context:Response"/>
          <element ref="xacml-context:Request" minOccurs="0"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>

2.4.4.2 Element <XCEvidence>

Replace line 819 with:

  <saml2:XCAssertion>

Replace line 830 with:

  <element ref="saml2:XCAssertion"/>

3.2.2 Element <XCRequest>

Insert after line 991:

  <samlp2:XCAuthorizationDecisionQuery>
    Makes a query for an authorization decision using the SAML 2.0 format.

Insert after line 1006:

  <element ref="samlp2:XCAuthorizationDecisionQuery"/>

3.3.5 Element <XCAuthorizationDecisionQuery>

Replace lines 1110-1136 (entire section) with:

The <samlp2:XCAuthorizationDecisionQuery> element is used to make the query "Should these actions on this resource be allowed for this subject or subjects?" A successful response will be in the form of an assertion containing an XCAuthorizationDecisionStatement.

This element is of type XCAuthorizationDecisionQueryType, which extends QueryAbstractType with the addition of the following element and attributes:

xacml-context:Request [Required]
  A description of the authorization request. The value is of the xacml-context:Request type.

InputContextOnly [Required]
  If this attribute is TRUE, the authorization decision MUST be made solely on the basis of information contained in the XCAuthorizationDecisionQuery; no external attributes are to be used. If FALSE, the authorization decision MAY be made on the basis of external attributes not contained in the XCAuthorizationDecisionQuery.
ReturnContext [Required]
  If this attribute is TRUE, the XCAuthorizationDecisionStatement returned MUST include the XACML Attributes used to make the authorization decision in the form of an xacml-context:Request; additional XACML Attributes MAY be included in the returned xacml-context:Request. If this attribute is FALSE, the XCAuthorizationDecisionStatement returned MUST NOT include an xacml-context:Request.

The following schema fragment defines the <XCAuthorizationDecisionQuery> element and its XCAuthorizationDecisionQueryType complex type:

  <element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/>
  <complexType name="XCAuthorizationDecisionQueryType">
    <complexContent>
      <extension base="samlp:QueryAbstractType">
        <sequence>
          <element ref="xacml-context:Request"/>
        </sequence>
        <attribute name="InputContextOnly" type="boolean" use="required"/>
        <attribute name="ReturnContext" type="boolean" use="required"/>
      </extension>
    </complexContent>
  </complexType>

3.4.2 Element <Response>

Replace line 1185 with:

  <saml2:XCAssertion> [Any Number] (see Section 2.3.2)
    Specifies an assertion by value.

Replace line 1194 with:

  <element ref="saml2:XCAssertion" minOccurs="0"
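The InputContextOnly and ReturnContext rules above are what a relying party would check before trusting an XCAuthorizationDecisionStatement as the answer to its query. The following is an added example, not code from the draft or from either TC: it parses a constructed XCAuthorizationDecisionQuery and a constructed statement with the namespaces from sections C and D and reports violations of those rules; the urn:example AttributeIds, the attribute values and the Permit decision are invented sample data.

```python
import xml.etree.ElementTree as ET

SAMLP2 = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
CTX = "urn:oasis:names:tc:xacml:1.0:context"
NS = {"samlp2": SAMLP2, "saml2": SAML2, "xc": CTX}
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"

def attribute_ids(request):
    """AttributeIds carried anywhere inside an xacml-context:Request element."""
    return {a.get("AttributeId") for a in request.iter("{%s}Attribute" % CTX)}

def check_exchange(query_xml, statement_xml):
    """List the section E rule violations between a query and the statement answering it."""
    query, stmt = ET.fromstring(query_xml), ET.fromstring(statement_xml)
    problems = []
    in_req = query.find("xc:Request", NS)
    if in_req is None:
        problems.append("query lacks the required xacml-context:Request")
    input_only = query.get("InputContextOnly") in ("true", "1")  # xs:boolean lexical forms
    return_ctx = query.get("ReturnContext") in ("true", "1")
    if stmt.find("xc:Response", NS) is None:
        problems.append("statement lacks the required xacml-context:Response")
    out_req = stmt.find("xc:Request", NS)
    if return_ctx and out_req is None:
        problems.append("ReturnContext=true but no xacml-context:Request returned")
    if not return_ctx and out_req is not None:
        problems.append("ReturnContext=false but xacml-context:Request returned")
    if input_only and out_req is not None and in_req is not None:
        # With InputContextOnly the PDP may use nothing beyond what the query supplied, so an
        # AttributeId present only in the returned context shows an external lookup was used.
        extra = attribute_ids(out_req) - attribute_ids(in_req)
        if extra:
            problems.append("InputContextOnly=true but external attributes used: %s" % sorted(extra))
    return problems

# Constructed sample instances (invented for this example, not taken from the draft).
def attr(attr_id, value):
    return ('<xc:Attribute AttributeId="%s" DataType="%s"><xc:AttributeValue>%s'
            '</xc:AttributeValue></xc:Attribute>' % (attr_id, XSD_STRING, value))

QUERY = ('<samlp2:XCAuthorizationDecisionQuery xmlns:samlp2="%s" xmlns:xc="%s" '
         'InputContextOnly="true" ReturnContext="true"><xc:Request><xc:Subject>%s'
         '</xc:Subject><xc:Resource/><xc:Action/></xc:Request>'
         '</samlp2:XCAuthorizationDecisionQuery>'
         % (SAMLP2, CTX, attr("urn:example:role", "clerk")))

def statement(extra_attr=""):
    """A statement answering QUERY; extra_attr simulates an attribute the PDP fetched itself."""
    return ('<saml2:XCAuthorizationDecisionStatement xmlns:saml2="%s" xmlns:xc="%s">'
            '<xc:Response><xc:Result><xc:Decision>Permit</xc:Decision></xc:Result></xc:Response>'
            '<xc:Request><xc:Subject>%s%s</xc:Subject><xc:Resource/><xc:Action/></xc:Request>'
            '</saml2:XCAuthorizationDecisionStatement>'
            % (SAML2, CTX, attr("urn:example:role", "clerk"), extra_attr))

EXTERNAL = attr("urn:example:clearance", "secret")
```

`check_exchange(QUERY, statement())` returns an empty list, while `check_exchange(QUERY, statement(EXTERNAL))` flags the attribute that the query never supplied.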