Strictly speaking to refer to SAML
provisioning is inaccurate. Or at least, it should be made clear that SAML
Provisioning and XACML Provisioning do not refer to analogous things.
The proposal we have been discussing in
the XACML TC is to actually distribute XACML polices to PDPs. However in the
case of SAML, what is provisioned is not SAML Assertions or Statements, but
items of information which relate to the later production of SAML Assertions or
Statements.
For example, you might provision usernames
and passwords to a database. These might later be used to authenticate a user
and then a SAML Assertion attesting to this event would be created. Or some
user attributes might be provisioned to an LDAP directory, which would later be
contained in a SAML Assertion containing an Attribute Statement. However
Assertions about a given Subject produced for consumption by different Relying
Parties might have different sets of attributes in them. Further the attributes
in the LDAP directory might also be used for purposes that had nothing to do
with SAML.
Hal
From: Staggs, David
(SAIC) [mailto:David.Staggs@va.gov]
Sent: Wednesday, March 07, 2007
5:23 PM
To: Hal Lockhart; Anthony Nadalin
Cc: Prateek Mishra;
xacml@lists.oasis-open.org
Subject: RE: [xacml] New Topic:
Policy Provisioning
Hal
This might be off-topic but policy
provisioning using SPML was discussed at RSA (IAM 302). The panel
mentioned advantages of using SPML for both SAML and XACML policy
provisioning. The moderator, Mark Diodati (Burton Group), announced some
kind of working group was forming in this general area. Someone on the
list may already know about this, but if not I plan to get details on the
purpose of the group.
Regards
David
From: Hal Lockhart [mailto:hlockhar@bea.com]
Sent: Wednesday, March 07, 2007
8:52 AM
To: Anthony Nadalin
Cc: Prateek Mishra;
xacml@lists.oasis-open.org
Subject: RE: [xacml] New Topic:
Policy Provisioning
I think there is a basic misunderstanding
here. I did not mean to suggest that XACML endorse the implementation of SPML
2.0. What I am proposing is that we use parts of the schema and some of the
semantics as appropriate as the starting point to construct a XACML Policy
Provisioning Protocol. This would be exactly analogous to the Policy Request
and Policy Decisions Protocols in the XACML SAML Profile. Using these protocols
does not require you to support any other parts of SAML.
Hal
From: Anthony Nadalin
[mailto:drsecure@us.ibm.com]
Sent: Tuesday, March 06, 2007
10:28 PM
To: Hal Lockhart
Cc: Prateek Mishra;
xacml@lists.oasis-open.org
Subject: RE: [xacml] New Topic:
Policy Provisioning
I think that there are a number of issues:
1) Very large feature set, a number of capabilities in the core set belong to
web services development tools rather than provisioning, including schema and
capability discovery. This places a burden on implementing SPML 2. This poses
problems for vendors trying to implement SPML introducing the need to hand
craft SPML implementations and for IT organizations in hand crafting client
applications (requesting authorities) for those SPML providers rather than
being able to generate code from WSDL.
2) Insufficient description of integration with security. There is no
description of communication of the identity of the user submitting the request
(identity of the RA), which may be necessary for authentication, authorization,
and auditing. T
3) Insufficient feature set for enterprises wanting to develop simple self
service user interfaces with web services.
WS-MEX/Transfer may be one approach. One of the key problems that it addresses
is the need for out-of-band information that SPML does, which is related to the
first point above.
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Hal Lockhart" <hlockhar@bea.com>
|
"Hal
Lockhart" <hlockhar@bea.com> 03/06/2007 09:50 AM |
|
I don’t see any technical reason why SPML is inappropriate.
Policy provisioning has been discussed by the Provisioning TC as a usecase. In
addition, there are specific features of SPML, such as operators, batching,
etc. which we would have to reinvent if we do not use SPML. Do you see a
specific technical problem or have an alternative starting point in mind?
Hal
From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Tuesday, March 06, 2007 10:27 AM
To: Prateek Mishra
Cc: Hal Lockhart; xacml@lists.oasis-open.org
Subject: Re: [xacml] New Topic: Policy Provisioning
Is SPML
the proper protocol for policy lifecycle mechanisms? Seems like a bit of a
stretch
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
Prateek Mishra <
|
Prateek
Mishra < 03/06/2007 08:56 AM |
|
Hal,
Your proposed approach is of interest to us.
I will obtain additional feedback on this issue and post the use-cases
of interest to us.
- prateek
> I have taken a further look at SPML and suggest the following might be a
> reasonable approach. Base the implementation on the SPML v2 - XSD
> Profile. Use Policy ID as the PSO Identifier. Using SPML defined
> operations the PAP can inquire of a PDP what policies it currently has.
> Using SPML the PAP can add, modify and delete policies as required.
> Using the SPML Batch capability, the PAP can insure that a set of
> updates is applied as a unit, thus avoiding the problem of the PDP
> making decisions on some inconsistent, interim set of policies. SPML
> also provides other potentially useful features such as error codes,
> asynchronous operations and capability queries.
>
> The main thing that this proposal requires is people who are willing to
> contribute to the work and edit the document.
>
> Hal
>
>