Subject: Re: Draft SAML 2.0 Change Requirements, v1.5
This is a physical meeting to occur during the SAML F2F here in Bedford, MA, but there will be dial-in facilities available for you and for one other participant.

Anne

On 5 September, D.W.Chadwick writes: Re: Draft SAML 2.0 Change Requirements, v1.5
> From: "D.W.Chadwick" <D.W.Chadwick@salford.ac.uk>
> To: Anne.Anderson@sun.com
> Subject: Re: Draft SAML 2.0 Change Requirements, v1.5
> Date: 5 Sep 2003 19:40:52 +0100
>
> Anne
>
> Due to cultural differences, I am not sure if this is a telephone
> meeting or physical one being proposed. If physical, I can't attend any
> of them. If telephone, I would prefer anytime between 11am and 1pm
> Tuesday.
>
> David
>
> Anne Anderson wrote:
> >
> > Attached is an updated draft of the joint XACML TC and OGSA
> > requirements for SAML 2.0 changes. They are divided into
> > AuthzDecisionQuery/Response requirements, other abstract
> > requirements, suggested assertion schema changes, and suggested
> > protocol schema changes, and suggested specification changes
> > associated with the schema changes.
> >
> > This is still a draft for discussion. The plan is to finalize
> > this (although not necessarily the syntax and specification
> > changes) during our side meeting during the SAML Face-to-Face.
> >
> > The time for this meeting is still not determined. Suggested
> > times, along with draft SAML 2.0 Agenda conflicts:
> >
> > Monday 8 Sept 6pm-10pm, incl. dinner [no SAML conflicts]
> > Tuesday 9 Sept 8am-10am [1 hour of SAML gap analysis]
> > Tuesday 9 Sept 9am-12am [3 hours of SAML gap analysis]
> > Tuesday 9 Sept 1pm-4pm [3.25 hours of SAML gap analysis,
> >    .75 hour doc/editor/champion review]
> >
> > If you are planning to participate, please indicate your
> > preference order and any times you absolutely would NOT be able
> > to attend.
> >
> > Anne
> > --
> > Anne H. Anderson               Email: Anne.Anderson@Sun.COM
> > Sun Microsystems Laboratories
> > 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> > Burlington, MA 01803-0902 USA  Fax: 781/442-1692
> >
> > ------------------------------------------------------------------------
> > Proposed SAML 2.0 Changes from XACML TC and OGSA
> > Editor: Anne Anderson <Anne.Anderson@sun.com>
> > Version: 1.5, 03/09/05 (yy/mm/dd)
> >
> > *******************DISCUSSION DRAFT***************************
> >
> > =====================================================================
> > A. Abstract Requirements for SAML AuthorizationDecisionQuery/Response
> > =====================================================================
> >
> > 1. Way to pass an XACML Request Context in the Query and an XACML
> >    Response Context in the Decision. Should not extend
> >    SubjectQueryAbstractType and SubjectStatementAbstractType
> >    because Subject element is redundant and inconsistent with
> >    Subject information in the XACML Request and Response.
> > 2. Way to indicate in the Query that an XACML Request Context
> >    (note: might not match input Request) is to be returned as
> >    part of the Decision. This would usually be the input Request
> >    augmented with at least any additional attribute values used
> >    in evaluating the Request against applicable policies.
> > 3. Way to indicate in the Query whether the PDP is free to
> >    collect Attributes for use in making the Decision from sources
> >    other than the XACML Request Context passed in the Query.
> > 4. Associate a DataType with an Issuer name, such that the name
> >    can be determined to be a string, an X.500 Distinguished Name,
> >    etc.
> > 5. Way to return an XACML Policy/PolicySet in a Decision as a
> >    condition that must evaluate to "Permit" in order for the
> >    Decision to be valid. Way to indicate that such a condition
> >    is associated with the Decision. Might be appropriate to put
> >    this condition and indication into the XACML Response Context
> >    itself rather than into the SAML envelope.
> > 6. Way to pass an XACML Policy/PolicySet in a Query, along with
> >    an indication that such a policy is being supplied and whether
> >    this Policy/PolicySet is to be used alone or in conjunction
> >    with other Policies/PolicySets available to the PDP in
> >    evaluating the Query.
> >
> > ==============================
> > B. Other Abstract Requirements
> > ==============================
> >
> > 1. Better correspondence between SAML Attribute format and XACML
> >    Request Context Attribute format such that SAML Attributes can
> >    be translated into XACML Request Context Attributes
> >    mechanically and easily.
> > 2. SAML Policy Statement syntax, allowing an issuer to state and
> >    sign an XACML Policy/PolicySet.
> > 3. SAML AttributeQuery and Response syntax, allowing an entity
> >    to request Attributes of a given Subject or Resource, plus an
> >    indication whether only specific Attributes (identified in the
> >    Query by AttributeId) are to be returned, or whether all
> >    Attributes of the given Subject or Resource known to the
> >    Attribute Authority are to be returned.
> > 4. Schema-aware canonicalization for SAML schema instances and
> >    encapsulated payloads, including at least DataType
> >    normalization, deterministic ordering of elements and
> >    attributes, and default attribute and element values, such
> >    that digital signatures can be applied to the output and
> >    verified by another entity that may have parsed and re-encoded
> >    the signed content.
> > 5. Possibly: SAML Policy Query syntax, allowing a PDP to request
> >    a Policy/PolicySet by its Policy[Set]Id from an on-line Policy
> >    Administration Point (are there any online PAPs? If not, no
> >    need for this).
> >
> > =======================================================
> > C. Suggested SAML Assertion Schema Changes [incomplete]
> > =======================================================
> >
> > In order to distinguish SAML 2.0 XACML-Compatible elements from
> > the corresponding SAML 1.0 elements with the same name, the
> > recommended SAML 2.0 names are prefixed with "XC". The SSTC
> > should change these names as appropriate.
> >
> > The QName "xacml-context" refers to
> > "urn:oasis:names:tc:xacml:1.0:context", which is associated with
> > the schema "cs-xacml-schema-context-01.xsd" located in the OASIS
> > XACML TC Repository. See
> > http://www.oasis-open.org/committees/xacml for links.
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
> > <schema targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified">
> >   <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
> >   <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/>
> >   <import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/>
> >   <annotation>
> >     <documentation>
> >       Document identifier: oasis-sstc-saml-schema-assertion-2.0
> >       Location:
> >     </documentation>
> >   </annotation>
> >   <element name="XCAssertion" type="saml2:XCAssertionType"/>
> >   <complexType name="XCAssertionType">
> >     <sequence>
> >       <element ref="saml:Conditions" minOccurs="0"/>
> >       <element ref="saml2:XCAdvice" minOccurs="0"/>
> >       <choice maxOccurs="unbounded">
> >         <element ref="saml:Statement"/>
> >         <element ref="saml:SubjectStatement"/>
> >         <element ref="saml:AuthenticationStatement"/>
> >         <element ref="saml:AuthorizationDecisionStatement"/>
> >         <element ref="saml2:XCAuthorizationDecisionStatement"/>
> >         <element ref="saml:AttributeStatement"/>
> >       </choice>
> >       <element ref="ds:Signature" minOccurs="0"/>
> >     </sequence>
> >     <attribute name="MajorVersion" type="integer" use="required"/>
> >     <attribute name="MinorVersion" type="integer" use="required"/>
> >     <attribute name="AssertionID" type="saml:IDType" use="required"/>
> >     <attribute name="Issuer" type="string" use="required"/>
> >     <attribute name="IssueInstant" type="dateTime" use="required"/>
> >   </complexType>
> >   <element name="XCAdvice" type="saml2:XCAdviceType"/>
> >   <complexType name="XCAdviceType">
> >     <choice minOccurs="0" maxOccurs="unbounded">
> >       <element ref="saml:AssertionIDReference"/>
> >       <element ref="saml2:XCAssertion"/>
> >       <any namespace="##other" processContents="lax"/>
> >     </choice>
> >   </complexType>
> >   <element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/>
> >   <complexType name="XCAuthorizationDecisionStatementType">
> >     <complexContent>
> >       <extension base="saml:StatementAbstractType">
> >         <sequence>
> >           <element ref="xacml-context:Response"/>
> >           <element ref="xacml-context:Request" minOccurs="0"/>
> >         </sequence>
> >       </extension>
> >     </complexContent>
> >   </complexType>
> >   <element name="XCEvidence" type="saml2:XCEvidenceType"/>
> >   <complexType name="XCEvidenceType">
> >     <choice maxOccurs="unbounded">
> >       <element ref="saml:AssertionIDReference"/>
> >       <element ref="saml2:XCAssertion"/>
> >     </choice>
> >   </complexType>
> > </schema>
> >
> > ======================================================
> > D. Suggested SAML Protocol Schema Changes [incomplete]
> > ======================================================
> >
> > In order to distinguish SAML 2.0 XACML-Compatible elements from
> > the corresponding SAML 1.0 elements with the same name, the
> > recommended SAML 2.0 names are prefixed with "XC". The SSTC
> > should change these names as appropriate.
> >
> > The QName "xacml-context" refers to
> > "urn:oasis:names:tc:xacml:1.0:context", which is associated with
> > the schema "cs-xacml-schema-context-01.xsd" located in the OASIS
> > XACML TC Repository. See
> > http://www.oasis-open.org/committees/xacml for links.
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!-- edited with XML Spy v4.2 U (http://www.xmlspy.com) by Phillip Hallam-Baker (Phillip Hallam-Baker) -->
> > <schema targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified">
> >   <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/>
> >   <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="oasis-sstc-saml-schema-assertion-2.0.xsd"/>
> >   <import namespace="urn:oasis:names:tc:SAML:1.0:protocol" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-protocol-1.0.xsd"/>
> >   <import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/>
> >   <annotation>
> >     <documentation>
> >       Document identifier: oasis-sstc-saml-schema-protocol-2.0
> >       Location:
> >     </documentation>
> >   </annotation>
> >   <element name="XCRequest" type="samlp2:XCRequestType"/>
> >   <complexType name="XCRequestType">
> >     <complexContent>
> >       <extension base="samlp:RequestAbstractType">
> >         <choice>
> >           <element ref="samlp:Query"/>
> >           <element ref="samlp:SubjectQuery"/>
> >           <element ref="samlp:AuthenticationQuery"/>
> >           <element ref="samlp:AttributeQuery"/>
> >           <element ref="samlp:AuthorizationDecisionQuery"/>
> >           <element ref="samlp2:XCAuthorizationDecisionQuery"/>
> >           <element ref="saml:AssertionIDReference" maxOccurs="unbounded"/>
> >           <element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/>
> >         </choice>
> >       </extension>
> >     </complexContent>
> >   </complexType>
> >   <element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/>
> >   <complexType name="XCAuthorizationDecisionQueryType">
> >     <complexContent>
> >       <extension base="samlp:QueryAbstractType">
> >         <sequence>
> >           <element ref="xacml-context:Request"/>
> >         </sequence>
> >         <attribute name="InputContextOnly" type="boolean" use="required"/>
> >         <attribute name="ReturnContext" type="boolean" use="required"/>
> >       </extension>
> >     </complexContent>
> >   </complexType>
> >   <element name="XCResponse" type="samlp2:XCResponseType"/>
> >   <complexType name="XCResponseType">
> >     <complexContent>
> >       <extension base="samlp:ResponseAbstractType">
> >         <sequence>
> >           <element ref="samlp:Status"/>
> >           <element ref="saml2:XCAssertion" minOccurs="0" maxOccurs="unbounded"/>
> >         </sequence>
> >       </extension>
> >     </complexContent>
> >   </complexType>
> > </schema>
> >
> > ===============================================
> > E. Suggested Specification Changes [incomplete]
> > ===============================================
> >
> > Changes to "Assertions and Protocol for the OASIS Security
> > Assertion Markup Language (SAML)" (OASIS Standard, 5 November
> > 2002) to utilize the XACML Request and Response Context formats
> > for authorization decisions. These are associated with the
> > schema changes listed in sections C and D.
> >
> > In order to distinguish SAML 2.0 XACML-Compatible elements from
> > the corresponding SAML 1.0 elements with the same name, the
> > recommended SAML 2.0 names are prefixed with "XC". The SSTC
> > should change these names as appropriate.
> >
> > The QName "xacml-context" refers to
> > "urn:oasis:names:tc:xacml:1.0:context", which is associated with
> > the schema "cs-xacml-schema-context-01.xsd" located in the OASIS
> > XACML TC Repository. See
> > http://www.oasis-open.org/committees/xacml for links.
> >
> > 2.3.2 Element <XCAssertion>
> >
> > Insert after line 403:
> >
> >   <saml2:XCAuthorizationDecisionStatement>
> >     An authorization decision statement in the SAML 2.0 format,
> >     containing an authorization decision in a format compatible
> >     with the OASIS XACML Version 1.0 Standard.
> >
> > Insert after line 416:
> >
> >   <element ref="saml2:XCAuthorizationDecisionStatement"/>
> >
> > 2.3.2.2 Element <XCAdvice>
> >
> > Replace line 533 with:
> >
> >   <element name="XCAdvice" type="saml2:XCAdviceType"/>
> >
> > Replace line 537 with:
> >
> >   <element ref="saml2:XCAssertion"/>
> >
> > 2.4.4 Element <XCAuthorizationDecisionStatement>
> >
> > Replace lines 738-795 (entire section) with:
> >
> > The <XCAuthorizationDecisionStatement> element supplies a
> > statement by the issuer that the request for access by the
> > specified subject or subjects to perform the specified action
> > on the specified resource has resulted in the specified
> > decision. The decision is in the form of an
> > xacml-context:Response.
> >
> > The <XCAuthorizationDecisionStatement> optionally contains a
> > description of the context in which the decision was made, in
> > the form of an xacml-context:Request. This context may include
> > only the information used in making the authorization decision,
> > or may include additional information. This is
> > implementation-dependent.
> >
> > See OASIS eXtensible Access Control Markup Language (XACML)
> > Version 1.0 for a description of the elements in an
> > xacml-context:Response or xacml-context:Request.
> >
> > The <XCAuthorizationDecisionStatement> element is of type
> > saml2:XCAuthorizationDecisionStatementType, which extends
> > StatementAbstractType with the addition of the following
> > elements (in order) and attributes:
> >
> >   xacml-context:Response [Required]
> >
> >     The decision rendered by the issuer with respect to an
> >     authorization decision query. The value is of the
> >     xacml-context:Response type.
> >
> >   xacml-context:Request [Optional]
> >
> >     The information used to make the authorization decision.
> >
> >     If the XCAuthorizationDecisionRequest "ReturnContext"
> >     attribute is TRUE, then this element MUST be supplied and
> >     MUST include all XACML Attributes used in making the
> >     authorization decision, whether supplied in the original
> >     XCAuthorizationDecisionQuery or obtained from external
> >     sources. The xacml-context:Request MAY include additional
> >     XACML Attributes that were not used in making the
> >     authorization decision.
> >
> >     If the XCAuthorizationDecisionRequest "ReturnContext"
> >     attribute is FALSE, then this element MUST NOT be supplied.
> >
> > The following schema fragment defines the
> > <XCAuthorizationDecisionStatement> element and its
> > XCAuthorizationDecisionStatementType complex type:
> >
> >   <element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/>
> >   <complexType name="XCAuthorizationDecisionStatementType">
> >     <complexContent>
> >       <extension base="saml:StatementAbstractType">
> >         <sequence>
> >           <element ref="xacml-context:Response"/>
> >           <element ref="xacml-context:Request" minOccurs="0"/>
> >         </sequence>
> >       </extension>
> >     </complexContent>
> >   </complexType>
> >
> > 2.4.4.2 Element <XCEvidence>
> >
> > Replace line 819 with:
> >
> >   <saml2:XCAssertion>
> >
> > Replace line 830 with:
> >
> >   <element ref="saml2:XCAssertion"/>
> >
> > 3.2.2 Element <XCRequest>
> >
> > Insert after line 991:
> >
> >   <samlp2:XCAuthorizationDecisionQuery>
> >
> >     Makes a query for an authorization decision using the SAML
> >     2.0 format.
> >
> > Insert after line 1006:
> >
> >   <element ref="samlp2:XCAuthorizationDecisionQuery"/>
> >
> > 3.3.5 Element <XCAuthorizationDecisionQuery>
> >
> > Replace lines 1110-1136 (entire section) with:
> >
> > The <samlp2:XCAuthorizationDecisionQuery> element is used to make
> > the query "Should these actions on this resource be allowed for
> > this subject or subjects?" A successful response will be in
> > the form of an assertion containing an
> > XCAuthorizationDecisionStatement. This element is of type
> > XCAuthorizationDecisionQueryType, which extends QueryAbstractType
> > with the addition of the following element and attributes:
> >
> >   xacml-context:Request [Required]
> >
> >     A description of the authorization request. The value is of
> >     the xacml-context:Request type.
> >
> >   InputContextOnly [Required]
> >
> >     If this attribute is TRUE, the authorization decision MUST
> >     be made solely on the basis of information contained in the
> >     XCAuthorizationDecisionQuery; no external attributes are to be
> >     used. If FALSE, the authorization decision MAY be made on
> >     the basis of external attributes not contained in the
> >     XCAuthorizationDecisionQuery.
> >
> >   ReturnContext [Required]
> >
> >     If this attribute is TRUE, the
> >     XCAuthorizationDecisionStatement returned MUST include the
> >     XACML Attributes used to make the authorization decision in
> >     the form of an xacml-context:Request; additional XACML
> >     Attributes MAY be included in the returned
> >     xacml-context:Request. If this attribute is FALSE, the
> >     XCAuthorizationDecisionStatement returned MUST NOT include an
> >     xacml-context:Request.
> >
> > The following schema fragment defines the
> > <XCAuthorizationDecisionQuery> element and its
> > XCAuthorizationDecisionQueryType complex type:
> >
> >   <element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/>
> >   <complexType name="XCAuthorizationDecisionQueryType">
> >     <complexContent>
> >       <extension base="samlp:QueryAbstractType">
> >         <sequence>
> >           <element ref="xacml-context:Request"/>
> >         </sequence>
> >         <attribute name="InputContextOnly" type="boolean" use="required"/>
> >         <attribute name="ReturnContext" type="boolean" use="required"/>
> >       </extension>
> >     </complexContent>
> >   </complexType>
> >
> > 3.4.2 Element <Response>
> >
> > Replace line 1185 with:
> >
> >   <saml2:XCAssertion> [Any Number] (see Section 2.3.2)
> >
> >     Specifies an assertion by value.
> >
> > Replace line 1194 with:
> >
> >   <element ref="saml2:XCAssertion" minOccurs="0"
>
> --
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> IS Institute, University of Salford, Salford M5 4WT
> Tel: +44 161 295 5351  Fax +44 01484 532930
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@salford.ac.uk
> Home Page: http://www.salford.ac.uk/its024/chadwick.htm
> Research Web site: http://sec.isi.salford.ac.uk
> Seminars: http://www.salford.ac.uk/its024/seminars.htm
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
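The query attributes of draft section 3.3.5 and the ReturnContext rules of section 2.4.4, as an added Python example that is not part of the thread or of the draft: it builds an XCAuthorizationDecisionQuery around a constructed xacml-context:Request and checks a returned XCAuthorizationDecisionStatement for the MUST/MUST NOT conditions on the echoed Request. Element names follow the draft's "XC" placeholders; the sample Request, its AttributeIds and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP2 = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_CTX = "urn:oasis:names:tc:xacml:1.0:context"

def q(ns, local):
    """Clark-notation tag name, the form ElementTree uses for namespaced names."""
    return "{%s}%s" % (ns, local)

# Constructed sample xacml-context:Request: a subject-id, a resource-id, empty Action.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>alice@example.org</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://example.org/record/42</AttributeValue>
    </Attribute>
  </Resource>
  <Action/>
</Request>"""

def build_query(request_xml, input_context_only, return_context):
    """Wrap an xacml-context:Request in a samlp2:XCAuthorizationDecisionQuery
    (draft section 3.3.5); both attributes are required xsd:boolean values."""
    query = ET.Element(q(SAMLP2, "XCAuthorizationDecisionQuery"))
    query.set("InputContextOnly", "true" if input_context_only else "false")
    query.set("ReturnContext", "true" if return_context else "false")
    query.append(ET.fromstring(request_xml.strip()))
    return query

def attribute_ids(request_elem):
    """Every AttributeId under the Subject, Resource and Action of a Request."""
    return {a.get("AttributeId") for a in request_elem.iter(q(XACML_CTX, "Attribute"))}

def make_statement(decision, request_xml=None):
    """Constructed sample saml2:XCAuthorizationDecisionStatement: the required
    xacml-context:Response (Result/Decision) plus an optional echoed Request."""
    stmt = ET.Element(q(SAML2, "XCAuthorizationDecisionStatement"))
    response = ET.SubElement(stmt, q(XACML_CTX, "Response"))
    result = ET.SubElement(response, q(XACML_CTX, "Result"))
    ET.SubElement(result, q(XACML_CTX, "Decision")).text = decision
    if request_xml is not None:
        stmt.append(ET.fromstring(request_xml.strip()))
    return stmt

def check_statement(stmt_elem, return_context, ids_used):
    """Apply the ReturnContext rules of draft section 2.4.4, given the query's
    ReturnContext value and the AttributeIds the PDP used; returns violations."""
    problems = []
    children = list(stmt_elem)
    if not children or children[0].tag != q(XACML_CTX, "Response"):
        problems.append("first child must be xacml-context:Response")
    requests = stmt_elem.findall(q(XACML_CTX, "Request"))
    if return_context:
        if not requests:
            problems.append("ReturnContext=true but no xacml-context:Request returned")
        else:  # every attribute the PDP used must be in the echoed Request
            for attr_id in sorted(set(ids_used) - attribute_ids(requests[0])):
                problems.append("returned Request lacks used attribute " + attr_id)
    elif requests:
        problems.append("ReturnContext=false but xacml-context:Request returned")
    return problems
```

A PDP that fetched an attribute from an external source (InputContextOnly=false) and then omitted it from the echoed Request is reported by the last check, which is the case the draft's "whether supplied in the original query or obtained from external sources" sentence covers.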