Subject: RE: [xacml] New Topic: Policy Provisioning
Strictly speaking, to refer to SAML
provisioning is inaccurate. Or at least, it should be made clear that SAML
Provisioning and XACML Provisioning do not refer to analogous things. The proposal we have been discussing in
the XACML TC is to actually distribute XACML policies to PDPs. However in the
case of SAML, what is provisioned is not SAML Assertions or Statements, but
items of information which relate to the later production of SAML Assertions or
Statements. For example, you might provision usernames
and passwords to a database. These might later be used to authenticate a user
and then a SAML Assertion attesting to this event would be created. Or some
user attributes might be provisioned to an LDAP directory, which would later be
contained in a SAML Assertion containing an Attribute Statement. However
Assertions about a given Subject produced for consumption by different Relying
Parties might have different sets of attributes in them. Further the attributes
in the LDAP directory might also be used for purposes that had nothing to do
with SAML.

Hal

From: Staggs, David (SAIC) [mailto:David.Staggs@va.gov]

Hal

This might be off-topic but policy
provisioning using SPML was discussed at RSA (IAM 302). The panel
mentioned advantages of using SPML for both SAML and XACML policy
provisioning. The moderator, Mark Diodati (Burton Group), announced some
kind of working group was forming in this general area. Someone on the
list may already know about this, but if not I plan to get details on the
purpose of the group.

Regards
David

From: Hal Lockhart [mailto:hlockhar@bea.com]

I think there is a basic misunderstanding
here. I did not mean to suggest that XACML endorse the implementation of SPML
2.0. What I am proposing is that we use parts of the schema and some of the
semantics as appropriate as the starting point to construct a XACML Policy
Provisioning Protocol. This would be exactly analogous to the Policy Request
and Policy Decisions Protocols in the XACML SAML Profile. Using these protocols
does not require you to support any other parts of SAML.

Hal

From: Anthony Nadalin [mailto:drsecure@us.ibm.com]

I think that there are a number of issues:

From: Anthony Nadalin [mailto:drsecure@us.ibm.com]

Is SPML the proper protocol for policy lifecycle mechanisms? Seems like a bit of a
stretch