[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: XACML/OGSA SAML Requirements, v1.6
The attached version incorporates comments by David Chadwick and Von Welch. I will have paper copies of this for the F2F this afternoon. Anne -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
Proposed SAML 2.0 Changes from XACML TC and OGSA Editor: Anne Anderson <Anne.Anderson@sun.com> Version: 1.6, 03/09/09 (yy/mm/dd) *******************DISCUSSION DRAFT*************************** ===================================================================== A. Abstract Requirements for SAML AuthorizationDecisionQuery/Response ===================================================================== 1. Way to pass an XACML Request Context in the Query and an XACML Response Context in the Decision. Should not extend SubjectQueryAbstractType and SubjectStatementAbstractType because Subject element is redundant and inconsistent with Subject information in the XACML Request and Response. This satisfies the following requirements: a) Make AuthorizationDecisionQuery and Response more compatible with the XACML Request and Response Context schema. b) Allow an AuthorizationDecisionStatement to include the validated Attribute Identifiers and values that were used in making the Authorization Decision. 2. Way to indicate in the Query that an XACML Request Context (note: might not match input Request) is to be returned as part of the Decision. This would usually be the input Request augmented with at least any additional attribute values used in evaluating the Request against applicable policies. 3. Way to indicate in the Query whether the PDP is free to collect Attributes for use in making the Decision from sources other than the XACML Request Context passed in the Query. 4. Associate a DataType with an Issuer name, such that the name can be determined to be a string, an X.500 Distinguished Name, etc. 5. Way to return an XACML Policy/PolicySet in a Decision as a condition that must evaluate to "Permit" in order for the Decision to be valid. Way to indicate that such a condition is associated with the Decision. Might be appropriate to put this condition and indication into the XACML Response Context itself rather than into the SAML envelope. 6. Way to pass an XACML Policy/PolicySet in a Query, along with an indication that such a policy is being supplied and whether this Policy/PolicySet is to be used alone or in conjunction with other Policies/PolicySets available to the PDP in evaluating the Query. ============================== B. Other Abstract Requirements ============================== 1. Better correspondence between SAML Attribute format and XACML Request Context Attribute format such that SAML Attributes can be translated into XACML Request Context Attributes mechanically and easily. 2. SAML Policy Statement syntax, allowing an issuer to state and sign an XACML Policy/PolicySet. 3. SAML AttributeQuery and Response syntax, allowing an entity to request Attributes of a given Subject or Resource, plus an indication whether only specific Attributes (identified in the Query by AttributeId) are to be returned, or whether all Attributes of the given Subject or Resource known to the Attribute Authority are to be returned. 4. Schema-aware canonicalization for SAML schema instances and encapsulated payloads, including at least DataType normalization, deterministic ordering of elements and attributes, and default attribute and element values, such that digital signatures can be applied to the output and verified by another entity that may have parsed and re-encoded the signed content. 5. Possibly: SAML Policy Query syntax, allowing a PDP to request a Policy/PolicySet by its Policy[Set]Id from an on-line Policy Administration Point (are there any online PAPs? If not, no need for this). ============================================================= C. Requirements to be satisfied by [changes to ]XACML schemas ============================================================= Current XACML 2.0 Work Items are available in http://lists.oasis-open.org/archives/xacml/200309/msg00014.html 1. Way to provide hints in the Query and in the Authorization Policy as to where the PDP should locate Attribute values. [XACML 2.0 Work Item #2] 2. How to prioritize a policy provided as part of an AuthorizationDecisionQuery and other applicable policies available to the PDP [PolicyCombiningAlg plus way to reference a policy provided by the PDP may be required in XACML (no current work item), or PDP may be configured with priorities; A6 provides a way for the PEP to indicate its preferences] 3. Way to indicate source for attributes retrieved by the PDP and returned to the PEP as part of a returned Request Context [submitted by Von Welch "use this as an indication of Where Are You From (WAYF)"; no current work item] ======================================================= D. Suggested SAML Assertion Schema Changes [incomplete] ======================================================= In order to distinguish SAML 2.0 XACML-Compatible elements from the corresponding SAML 1.0 elements with the same name, the recommended SAML 2.0 names are prefixed with "XC". The SSTC should change these names as appropriate. The QName "xacml-context" refers to "urn:oasis:names:tc:xacml:1.0:context", which is associated with the schema "cs-xacml-schema-context-01.xsd" located in the OASIS XACML TC Repository. See http://www.oasis-open.org/committees/xacml for links. <?xml version="1.0" encoding="UTF-8"?> <!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) --> <schema targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified"> <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/> <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/> <import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/> <annotation> <documentation> Document identifier: oasis-sstc-saml-schema-assertion-2.0 Location: </documentation> </annotation> <element name="XCAssertion" type="saml2:XCAssertionType"/> <complexType name="XCAssertionType"> <sequence> <element ref="saml:Conditions" minOccurs="0"/> <element ref="saml2:XCAdvice" minOccurs="0"/> <choice maxOccurs="unbounded"> <element ref="saml:Statement"/> <element ref="saml:SubjectStatement"/> <element ref="saml:AuthenticationStatement"/> <element ref="saml:AuthorizationDecisionStatement"/> <element ref="saml2:XCAuthorizationDecisionStatement"/> <element ref="saml:AttributeStatement"/> </choice> <element ref="ds:Signature" minOccurs="0"/> </sequence> <attribute name="MajorVersion" type="integer" use="required"/> <attribute name="MinorVersion" type="integer" use="required"/> <attribute name="AssertionID" type="saml:IDType" use="required"/> <attribute name="Issuer" type="string" use="required"/> <attribute name="IssueInstant" type="dateTime" use="required"/> </complexType> <element name="XCAdvice" type="saml2:XCAdviceType"/> <complexType name="XCAdviceType"> <choice minOccurs="0" maxOccurs="unbounded"> <element ref="saml:AssertionIDReference"/> <element ref="saml2:XCAssertion"/> <any namespace="##other" processContents="lax"/> </choice> </complexType> <element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/> <complexType name="XCAuthorizationDecisionStatementType"> <complexContent> <extension base="saml:StatementAbstractType"> <sequence> <element ref="xacml-context:Response" /> <element ref="xacml-context:Request" minOccurs="0"/> </sequence> </extension> </complexContent> </complexType> <element name="XCEvidence" type="saml2:XCEvidenceType"/> <complexType name="XCEvidenceType"> <choice maxOccurs="unbounded"> <element ref="saml:AssertionIDReference"/> <element ref="saml2:XCAssertion"/> </choice> </complexType> </schema> ====================================================== E. Suggested SAML Protocol Schema Changes [incomplete] ====================================================== In order to distinguish SAML 2.0 XACML-Compatible elements from the corresponding SAML 1.0 elements with the same name, the recommended SAML 2.0 names are prefixed with "XC". The SSTC should change these names as appropriate. The QName "xacml-context" refers to "urn:oasis:names:tc:xacml:1.0:context", which is associated with the schema "cs-xacml-schema-context-01.xsd" located in the OASIS XACML TC Repository. See http://www.oasis-open.org/committees/xacml for links. <?xml version="1.0" encoding="UTF-8"?> <!-- edited with XML Spy v4.2 U (http://www.xmlspy.com) by Phillip Hallam-Baker (Phillip Hallam-Baker) --> <schema targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified"> <import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/> <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="oasis-sstc-saml-schema-assertion-2.0.xsd"/> <import namespace="urn:oasis:names:tc:SAML:1.0:protocol" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-protocol-1.0.xsd"/> <import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/> <annotation> <documentation> Document identifier: oasis-sstc-saml-schema-protocol-2.0 Location: </documentation> </annotation> <element name="XCRequest" type="samlp2:XCRequestType"/> <complexType name="XCRequestType"> <complexContent> <extension base="samlp:RequestAbstractType"> <choice> <element ref="samlp:Query"/> <element ref="samlp:SubjectQuery"/> <element ref="samlp:AuthenticationQuery"/> <element ref="samlp:AttributeQuery"/> <element ref="samlp:AuthorizationDecisionQuery"/> <element ref="samlp2:XCAuthorizationDecisionQuery"/> <element ref="saml:AssertionIDReference" maxOccurs="unbounded"/> <element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/> </choice> </extension> </complexContent> </complexType> <element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/> <complexType name="XCAuthorizationDecisionQueryType"> <complexContent> <extension base="samlp:QueryAbstractType"> <sequence> <element ref="xacml-context:Request" /> </sequence> <attribute name="InputContextOnly" type="boolean" use="required"/> <attribute name="ReturnContext" type="boolean" use="required"/> </extension> </complexContent> </complexType> <element name="XCResponse" type="samlp2:XCResponseType"/> <complexType name="XCResponseType"> <complexContent> <extension base="samlp:ResponseAbstractType"> <sequence> <element ref="samlp:Status"/> <element ref="saml2:XCAssertion" minOccurs="0" maxOccurs="unbounded"/> </sequence> </extension> </complexContent> </complexType> </schema> =============================================== F. Suggested Specification Changes [incomplete] =============================================== Changes to "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)" (OASIS Standard, 5 November 2002) to utilize the XACML Request and Response Context formats for authorization decisions. These are associated with the schema changes listed in sections C and D. In order to distinguish SAML 2.0 XACML-Compatible elements from the corresponding SAML 1.0 elements with the same name, the recommended SAML 2.0 names are prefixed with "XC". The SSTC should change these names as appropriate. The QName "xacml-context" refers to "urn:oasis:names:tc:xacml:1.0:context", which is associated with the schema "cs-xacml-schema-context-01.xsd" located in the OASIS XACML TC Repository. See http://www.oasis-open.org/committees/xacml for links. 2.3.2 Element <XCAssertion> Insert after line 403: <saml2:XCAuthorizationDecisionStatement> An authorization decision statement in the SAML 2.0 format, containing an authorization decision in a format compatible with the OASIS XACML Version 1.0 Standard. Insert after line 416: <element ref="saml2:XCAuthorizationDecisionStatement"/> 2.3.2.2 Element <XCAdvice> Replace line 533 with: <element name="XCAdvice" type="saml2:XCAdviceType"/> Replace line 537 with: <element ref="saml2:XCAssertion"/> 2.4.4 Element <XCAuthorizationDecisionStatement> Replace lines 738-795 (entire section) with: The <XCAuthorizationDecisionStatement> element supplies a statement by the issuer that the request for access by the specified subject or subjects to perform the specified action on the specified resource has resulted in the specified decision. The decision is in the form of an xacml-context:Response. The <XCAuthorizationDecisionStatement> optionally contains a description of the context in which the decision was made, in the form of an xacml-context:Request. This context may include only the information used in making the authorization decision, or may include additional information. This is implementation-dependent. See OASIS eXtensible Access Control Markup Language (XACML) Version 1.0 for a description of the elements in an xacml-context:Response or xacml-context:Request. The <XCAuthorizationDecisionStatement> element is of type saml2:XCAuthorizationDecisionStatementType, which extends StatementAbstractType with the addition of the following elements (in order) and attributes: xacml-context:Response [Required] The decision rendered by the issuer with respect to an authorization decision query. The value is of the xacml-context:Response type. xacml-context:Request [Optional] The information used to make the authorization decision. If the XCAuthorizationDecisionRequest "ReturnContext" attribute is TRUE, then this element MUST be supplied and MUST include all XACML Attributes used in making the authorization decision, whether supplied in the original XCAuthorizationDecisionQuery or obtained from external sources. The xacml-context:Request MAY include additional XACML Attributes that were not used in making the authorization decision. If the XCAuthorizationDecisionRequest "ReturnContext" attribute is FALSE, then this element MUST NOT be supplied. The following schema fragment defines the <XCAuthorizationDecisionStatement> element and its XCAuthorizationDecisionStatementType complex type: <element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/> <complexType name="XCAuthorizationDecisionStatementType"> <complexContent> <extension base="saml:StatementAbstractType"> <sequence> <element ref="xacml-context:Response" /> <element ref="xacml-context:Request" minOccurs="0"/> </sequence> </extension> </complexContent> </complexType> 2.4.4.2 Element <XCEvidence> Replace line 819 with: <saml2:XCAssertion> Replace line 830 with: <element ref="saml2:XCAssertion> 3.2.2 Element <XCRequest> Insert after line 991: <saml2p:XCAuthorizationDecisionQuery> Makes a query for an authorization decision using the SAML 2.0 format. Insert after line 1006: <element ref="samlp2:XCAuthorizationDecisionQuery"/> 3.3.5 Element <XCAuthorizationDecisionQuery> Replace lines 1110-1136 (entire section) with: The <samlp2:XCAuthorizationDecisionQuery> element is used to make the query "Should these actions on this resource be allowed for this subject or subjects?" A successful response will be in the form of an assertion containing an XCAuthorizationDecisionStatement. This element is of type XCAuthorizationDecisionQueryType, which extends QueryAbstractType with the addition of the following element and attributes: xacml-context:Request [Required] A description of the authorization request. The value is of the xacml-context:Request type. InputContextOnly [Required] If this attribute is TRUE, the authorization decision MUST be made solely on the basis of information contained in the XCAuthorizationDecisionQuery; no external attributes are to be used. If FALSE, the authorization decision MAY be made on the basis of external attributes not contained in the XCAuthorizationDecisionQuery. ReturnContext [Required] If this attribute is TRUE, the XCAuthorizationDecisionStatement returned MUST include the XACML Attributes used to make the authorization decision in the form of an xacml-context:Request; additional XACML Attributes MAY be included in the returned xacml-context:Request. If this attribute is FALSE, the XCAuthorizationDecisionStatement returned MUST NOT include an xacml-context:Request. The following schema fragment defines the <XCAuthorizationDecisionQuery> element and its XCAuthorizationDecisionQueryType complex type: <element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/> <complexType name="XCAuthorizationDecisionQueryType"> <complexContent> <extension base="samlp:QueryAbstractType"> <sequence> <element ref="xacml-context:Request" /> </sequence> <attribute name="InputContextOnly" type="boolean" use="required"/> <attribute name="ReturnContext" type="boolean" use="required"/> </extension> </complexContent> </complexType> 3.4.2 Element <Response> Replace line 1185 with: <saml2:XCAssertion> [Any Number] (see Section 2.3.2) Specifies an assertion by value. Replace line 1194 with: <element ref="saml2:XCAssertion" minOccurs="0"
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]