[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: XACML scope w.r.t. SAML
Ernesto certainly got my point. There is some confusion within SAML itself regarding AuthZ and AuthN. AuthZ is one area of clear overlap. However, the information contained in AuthN, i.e. authentication events and protocols, could be quite relevant to establishing policy, e.g. allow access if the protocol was X9.9. One would hope that the representation of such data would be similar, even if the information is communicated in separate containers. Perhaps someone from security-services could clarify.

Simon Y. Blackwell
CTO Psoom, Inc.
Voice & Fax: 415-762-9787

-----Original Message-----

I believe some interesting observations can be made starting from this excerpt of Simon's last message:

"Allow <subject> to <verb> <object> only if they logged in using an X9.9 Challenge-Response."

[sblackwell] LARGE PORTION OF MESSAGE DELETED FOR BREVITY

[R-AuthN] SAML should define a data format for authentication assertions, including descriptions of authentication events. This includes time of authentication event and authentication protocol.

[R-AuthZ] SAML should define a data format for authorization attributes. Authorization attributes ("authz attributes") are attributes of a principal that are used to make authorization decisions, e.g. an identifier, group or role membership, or other user profile information.

I believe that the second requisite is aimed at prescribing how to represent <subject>, so there is a strong overlap here. Am I right?

As for the first requirement, honestly I am not sure I fully understand it. Are "descriptions of authentication events" prescriptions about authentication algorithms, as in the "only if" part of our initial example? If this is the case, this is outside our scope and could be dealt with in a separate namespace. I am inclined to think that separate namespaces should be defined for the XML-AC language itself (Allow <subject> to <verb> <object>) and for the prescription of authentication techniques and the like. But perhaps I got the second requirement wrong.

Best regards
Ernesto
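The point both messages circle around is that data from an authentication assertion ([R-AuthN]: protocol used, time of the event) and ordinary authz attributes ([R-AuthZ]: identity, roles) can live in separate containers yet both feed the same access-control decision. The following is an added illustration, not code from this thread nor from any XACML or SAML specification: a toy policy decision function for the rule "Allow <subject> to <verb> <object> only if they logged in using an X9.9 Challenge-Response", extended with a freshness check on the authentication time. The attribute names (`protocol`, `time`, `roles`), the `Rule` structure, the decision strings and the sample assertions are all constructed for this example.

```python
"""
Added illustration (not from the thread or any XACML/SAML spec): a toy policy
decision point that consumes authentication-event data (protocol, time of the
event) and authz attributes (roles) to decide "Allow <subject> to <verb> <object>
only if ...". Attribute names and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Subject:
    """Attribute bag for a principal, kept in two containers as the thread
    discusses: authz attributes ([R-AuthZ]) and the authentication event
    ([R-AuthN]). Both are visible to policy evaluation."""
    authz: dict        # assumed shape: {"id": "alice", "roles": {"payroll"}}
    authn_event: dict  # assumed shape: {"protocol": "X9.9", "time": datetime}


@dataclass
class Rule:
    """One rule of the form 'Allow <subject> to <verb> <object> only if <condition>'."""
    verb: str
    obj: str
    required_role: str
    required_protocol: Optional[str] = None      # condition on the authN protocol
    max_authn_age: Optional[timedelta] = None    # condition on authN event freshness


def evaluate(rule: Rule, subject: Subject, verb: str, obj: str, now: datetime) -> str:
    """Return "Permit", "Deny" or "NotApplicable" (XACML-style decision names).

    NotApplicable means the rule does not target this verb/object pair at all;
    Deny means it does, but one of its conditions failed.
    """
    if (verb, obj) != (rule.verb, rule.obj):
        return "NotApplicable"
    # Authz attribute check: role membership from the [R-AuthZ] container.
    if rule.required_role not in subject.authz.get("roles", set()):
        return "Deny"
    ev = subject.authn_event
    # Authentication-event checks: protocol and time from the [R-AuthN] container.
    if rule.required_protocol is not None and ev.get("protocol") != rule.required_protocol:
        return "Deny"
    if rule.max_authn_age is not None:
        t = ev.get("time")
        if t is None or now - t > rule.max_authn_age:
            return "Deny"
    return "Permit"


# Constructed sample data for the worked example.
NOW = datetime(2001, 6, 1, 12, 0, tzinfo=timezone.utc)

# "Allow payroll staff to read payroll-db only if they logged in with X9.9
# within the last hour."
PAYROLL_RULE = Rule(
    verb="read", obj="payroll-db", required_role="payroll",
    required_protocol="X9.9", max_authn_age=timedelta(hours=1),
)

ALICE_X99 = Subject(
    authz={"id": "alice", "roles": {"payroll"}},
    authn_event={"protocol": "X9.9", "time": NOW - timedelta(minutes=5)},
)
ALICE_PASSWORD = Subject(          # same roles, weaker authentication protocol
    authz={"id": "alice", "roles": {"payroll"}},
    authn_event={"protocol": "password", "time": NOW - timedelta(minutes=5)},
)
ALICE_STALE = Subject(             # right protocol, but the event is too old
    authz={"id": "alice", "roles": {"payroll"}},
    authn_event={"protocol": "X9.9", "time": NOW - timedelta(hours=3)},
)
BOB_X99 = Subject(                 # strong authentication, but not in the role
    authz={"id": "bob", "roles": {"hr"}},
    authn_event={"protocol": "X9.9", "time": NOW - timedelta(minutes=1)},
)


def demo() -> dict:
    """Evaluate the payroll rule against each constructed subject."""
    return {
        name: evaluate(PAYROLL_RULE, subj, "read", "payroll-db", NOW)
        for name, subj in [("alice/x9.9", ALICE_X99), ("alice/password", ALICE_PASSWORD),
                           ("alice/stale", ALICE_STALE), ("bob/x9.9", BOB_X99)]
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16s} -> {decision}")
```

The design choice worth noticing is that the policy never needs to know how the authentication protocol was run; it only consumes a description of the authentication event (protocol name, time) as attributes of the subject, which is exactly why a common representation across the AuthN and AuthZ containers matters even if the containers themselves stay separate.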