OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [comments on SAML, Grids, RespondWith]

I'm forwarding this set of comments from David Chadwick, who I think many
of us know, who has been working with SAML as applied to his PERMIS system
and in the context of "the Grid" and OGSA (see references below if you're
not familiar with these).  I guess he sent it first to Tim Moses.

Some of this we might take as input for version 2.0 (eg the suggested
smaller decision response), and some as perhaps profiles of SAML use for a
particular purpose (eg the multi-step proposal).  But I mostly want to
highlight his comment (bullet (i)) about use of the RespondWith feature
and disappointment about its being deprecated in SAML 1.1.  I suppose it
is rather late to reconsider this decision.  I didn't entirely follow why
we decided to deprecate it, but if it was based on our perception of its
not being used by anyone, here is evidence to the contrary.

More generally, having recently heard about quite a bit of SAML-related
work in the Grid context, I'm a little concerned that the TC might need to
do more discovery of who's using what SAML features in the world at large
as we move forward making decisions about replacing and/or deprecating

 - RL "Bob"

---------- Forwarded message ----------
Date: Wed, 25 Jun 2003 16:12:28 +0100
From: David Chadwick <d.w.chadwick@salford.ac.uk>
To: RL 'Bob' Morgan <rlmorgan@washington.edu>
Subject: [Fwd: Grid use of SAML]


Here is an abridged version of the message I sent to Tim Moses. It
describes the changes to SAML that we would like to see for Grid use.


The documents that define the Grid use of SAML to provide an
authorisation API can be downloaded from the Globus site at, at the
bottom of the following page:


There are two documents, the first "OGSA Authorization Requirements"
specifies the requirements that we have and the second "Use of SAML for
OGSA Authorization" provides our use of SAML along with several
extensions that we have defined.

It is these extensions that I would like to discuss with you, since I
believe that you are about to produce version 2 of SAML, and it would be
nice if our proposed extensions could form part of the SAML Core,
providing of course that you see them as being generally useful.

The extensions are as follows:

i) firstly the ability to return a simple boolean decision, granted or
denied, rather than returning the whole authorisation decision statement
(I have discussed this with you previously, and you thought it might be
a common requirement arising from the XACML work). We have done this by
defining a new SAML Decision statement. One point related to this is
that we use Respond With to indicate which type of response the client
wants, but Von says you are now deprecating the use of the Respond With
parameter. Respond With is used to indicate whether a simple Decision
Statement or Authorisation Decision Statement is to be returned, so I
would have to find an alternative mechanism to do this if Respond With
is to be deprecated. Do you have any suggestions for this?

ii) secondly we have introduced support for multi-step decision making,
rather in line with the OpenGroup's AZN work of having a call to
GetCreds followed by a call to Decision. Step 1 in SAML is to pass an
Authorisation Decision statement and ask for an Attribute Statement in
response (again using the Respond With feature). The Attribute Statement
contains the validated credentials of the user. Step 2, which can be
repeated as often as wanted, puts the attribute into the Authorisation
Decision Statement and then asks for a decision to be made. (Again
either a simple decisiion or authorisation decision statement can be

iii) Thirdly we have defined a new Reference Statement that is used to
support the pull mode of operation, as defined in RFC 3281 (AC profile)
by Russ Housley and Steve Farrell. This allows the PEP to pass a
reference to the PDP that contains a URI telling the PDP where to pick
up the user's credentials. Currently SAML only supports the push mode of
operation as defined in RFC 3281, where the credentials are pushed as
part of the SAML assertion. Our work now supports both push and pull
modes of operation. Pull can be very useful where for example
credentials are stored in an LDAP directory that the PDP has access to.

We will be interested to have your views on the above, and be grateful
if you could relay them to the OASIS group for us, if you feel willing
and able to do that.




Leaders of the world's richest nations meet in Cancun on September 10th
2003. Oxfam is presenting them with a petition to make trade fair. Be
sure your voice is heard. Sign the 'Big Noise' petition to make trade
fair at:



David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351  Fax +44 01484 532930
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@salford.ac.uk
Home Page:  http://www.salford.ac.uk/its024/chadwick.htm
Research Web site: http://sec.isi.salford.ac.uk
Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]