

Subject: Returning a Request Context in the Decision Request Protocol


Section 3.1 of the SAML Profile contains the following text.

If this attribute is "True", then the PDP SHALL include the <xacml-context:Request> element in the <XACMLAuthzDecisionStatement> element in the <XACMLResponse>. This <xacml-context:Request> element SHALL include all those XACML Attributes supplied by the PEP in the <XACMLAuthzDecisionQuery> that were used in making the authorization decision. The PDP MAY include additional XACML Attributes in this <xacml-context:Request> element, such as external attributes obtained by the PDP and used in making the authorization decision, or other attributes known by the PDP that may be useful to the PEP in making subsequent <XACMLAuthzDecisionQuery> requests.

I propose we change it to:

If this attribute is "True", then the PDP SHALL include the <xacml-context:Request> element in the <XACMLAuthzDecisionStatement> element in the <XACMLResponse>. This <xacml-context:Request> element SHALL include all those XACML Attributes supplied by the PEP in the <XACMLAuthzDecisionQuery> that were used in making the authorization decision. A conforming PDP MAY omit those XACML Attributes which were not referenced in any policy which was evaluated in making the decision. If the value of the InputContextOnly Attribute in the Request is "False", the PDP MAY include additional XACML Attributes in this <xacml-context:Request> element, which were obtained by the PDP and used in making the authorization decision.

Hal
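
The proposed wording can be read as a conformance check on the returned `<xacml-context:Request>` when the ReturnContext attribute is "True". The following is an added example, not part of the original message or of the SAML Profile; the `Attr` type, the function name, the sample attributes, and the treatment of "used in making the decision" as "referenced by an evaluated policy" are assumptions made for illustration.

```python
from typing import Iterable, List, NamedTuple


class Attr(NamedTuple):
    category: str       # e.g. "subject", "resource", "action"
    attribute_id: str


def check_returned_context(supplied: Iterable[Attr], referenced: Iterable[Attr],
                           obtained: Iterable[Attr], returned: Iterable[Attr],
                           input_context_only: bool) -> List[str]:
    """List violations of the proposed wording; an empty list means conforming.

    supplied   - attributes the PEP sent in the XACMLAuthzDecisionQuery
    referenced - attributes referenced by a policy evaluated for this decision
                 (assumption: this stands in for "used in making the decision")
    obtained   - attributes the PDP obtained itself
    returned   - attributes in the xacml-context:Request of the response
    """
    supplied, referenced = set(supplied), set(referenced)
    obtained, returned = set(obtained), set(returned)
    problems = []
    # SHALL: every PEP-supplied attribute that was used must come back.
    for a in sorted((supplied & referenced) - returned):
        problems.append(f"missing used attribute: {a.attribute_id}")
    # Supplied-but-unreferenced attributes MAY be omitted or kept: no check.
    # MAY: extras only if InputContextOnly is "False", and only attributes
    # the PDP obtained and used.
    for a in sorted(returned - supplied):
        if input_context_only:
            problems.append(f"extra attribute with InputContextOnly=True: {a.attribute_id}")
        elif a not in (obtained & referenced):
            problems.append(f"extra attribute not obtained and used by PDP: {a.attribute_id}")
    return problems


# Constructed sample data (not from the profile or the message).
SUBJECT = Attr("subject", "subject-id")
RESOURCE = Attr("resource", "resource-id")
ACTION = Attr("action", "action-id")
ROLE = Attr("subject", "role")            # obtained by the PDP
SUPPLIED = [SUBJECT, RESOURCE, ACTION]
REFERENCED = [SUBJECT, ACTION, ROLE]      # RESOURCE not referenced by any policy
OBTAINED = [ROLE]

if __name__ == "__main__":
    print(check_returned_context(SUPPLIED, REFERENCED, OBTAINED,
                                 [SUBJECT, ACTION, ROLE], input_context_only=True))
```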


