
Subject: [security-jc] A question: Modeling Provisioning as new SAML Statements


I would like the JC to consider the following:

As the PS-TC continues to advance the SPML specification forward, we are debating using the SAML 1.0 framework to carry provisioning requests.  A possible implementation of this could be the development of new SAML <Statement> elements.  Based on the following short précis of SPML's charter, intentions and general model, I ask you to consider the following question.  Does it make sense to implement SPML as a range of extended SAML <Statements> and what would you see as the possible pros & cons of taking this approach?

SPML in a nutshell
SPML is intended to be an XML based protocol, schema and transport binding(s) for conveying provisioning requests and receiving provisioning request responses. SPML intends to address batch and a certain degree of transactional semantics around these request flows, such that several requests can be collected together and executed. SPML implicitly supports requesting the creation, deletion, update and listing of accounts and data in these request/response flows. The full charter is available in [1].

The proposal before the PS-TC is to model these operations as new SAML <Statements>.

Sample usage scenario for SPML
A Requesting Authority (RA), say a custom application or some other software element, contacts a Provisioning Service Point (PSP), say a vendor supplied provisioning application, and establishes a secure authenticated session.  Based on a defined security and control mechanism (out of scope here), the RA requests the creation (provisioning) of an account on a host/application managed by the PSP.  Relevant security policy, audit and all that good stuff happens (out of scope here) and the PSP creates the account.  When it has finished creating the account, the PSP sends a response message to the RA saying "I'm done with your request". 

The full use cases are available in [2], but the above is a reasonable enough summary for the purposes of my question.


[1] http://www.oasis-open.org/committees/provision/#charter
[2] http://www.oasis-open.org/committees/provision/docs/draft-spml-use-cases-04.doc

Darran Rolls                      http://www.waveset.com
Waveset Technologies Inc          drolls@waveset.com
(512) 657 8360
