Subject: [comments on SAML, Grids, RespondWith]
I'm forwarding this set of comments from David Chadwick, who I think many of us know, who has been working with SAML as applied to his PERMIS system and in the context of "the Grid" and OGSA (see references below if you're not familiar with these). I guess he sent it first to Tim Moses. Some of this we might take as input for version 2.0 (eg the suggested smaller decision response), and some as perhaps profiles of SAML use for a particular purpose (eg the multi-step proposal). But I mostly want to highlight his comment (bullet (i)) about use of the RespondWith feature and disappointment about its being deprecated in SAML 1.1. I suppose it is rather late to reconsider this decision. I didn't entirely follow why we decided to deprecate it, but if it was based on our perception of its not being used by anyone, here is evidence to the contrary. More generally, having recently heard about quite a bit of SAML-related work in the Grid context, I'm a little concerned that the TC might need to do more discovery of who's using what SAML features in the world at large as we move forward making decisions about replacing and/or deprecating features.

- RL "Bob"

---------- Forwarded message ----------
Date: Wed, 25 Jun 2003 16:12:28 +0100
From: David Chadwick <d.w.chadwick@salford.ac.uk>
To: RL 'Bob' Morgan <rlmorgan@washington.edu>
Subject: [Fwd: Grid use of SAML]

Bob

Here is an abridged version of the message I sent to Tim Moses. It describes the changes to SAML that we would like to see for Grid use.

David

---------------

The documents that define the Grid use of SAML to provide an authorisation API can be downloaded from the Globus site, at the bottom of the following page: http://www.globus.org/ogsa/security/

There are two documents: the first, "OGSA Authorization Requirements", specifies the requirements that we have, and the second, "Use of SAML for OGSA Authorization", provides our use of SAML along with several extensions that we have defined.

It is these extensions that I would like to discuss with you, since I believe that you are about to produce version 2 of SAML, and it would be nice if our proposed extensions could form part of the SAML Core, providing of course that you see them as being generally useful. The extensions are as follows:

i) Firstly, the ability to return a simple boolean decision, granted or denied, rather than returning the whole authorisation decision statement (I have discussed this with you previously, and you thought it might be a common requirement arising from the XACML work). We have done this by defining a new SAML Decision statement. One point related to this is that we use Respond With to indicate which type of response the client wants, but Von says you are now deprecating the use of the Respond With parameter. Respond With is used to indicate whether a simple Decision Statement or Authorisation Decision Statement is to be returned, so I would have to find an alternative mechanism to do this if Respond With is to be deprecated. Do you have any suggestions for this?

ii) Secondly, we have introduced support for multi-step decision making, rather in line with the OpenGroup's AZN work of having a call to GetCreds followed by a call to Decision. Step 1 in SAML is to pass an Authorisation Decision statement and ask for an Attribute Statement in response (again using the Respond With feature). The Attribute Statement contains the validated credentials of the user. Step 2, which can be repeated as often as wanted, puts the attribute into the Authorisation Decision Statement and then asks for a decision to be made. (Again, either a simple decision or authorisation decision statement can be returned.)

iii) Thirdly, we have defined a new Reference Statement that is used to support the pull mode of operation, as defined in RFC 3281 (AC profile) by Russ Housley and Steve Farrell. This allows the PEP to pass a reference to the PDP that contains a URI telling the PDP where to pick up the user's credentials. Currently SAML only supports the push mode of operation as defined in RFC 3281, where the credentials are pushed as part of the SAML assertion. Our work now supports both push and pull modes of operation. Pull can be very useful where, for example, credentials are stored in an LDAP directory that the PDP has access to.

We will be interested to have your views on the above, and would be grateful if you could relay them to the OASIS group for us, if you feel willing and able to do that.

regards

David

--
*********************************************************
Leaders of the world's richest nations meet in Cancun on September 10th 2003. Oxfam is presenting them with a petition to make trade fair. Be sure your voice is heard. Sign the 'Big Noise' petition to make trade fair at: http://www.maketradefair.com/go/join/?p=omf1
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351
Fax +44 01484 532930
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@salford.ac.uk
Home Page: http://www.salford.ac.uk/its024/chadwick.htm
Research Web site: http://sec.isi.salford.ac.uk
Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
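The RespondWith mechanism at the centre of bullet (i), shown as an added example that is neither David's code nor the OGSA documents' code: a mock SAML 1.1 PDP that reads samlp:RespondWith from an AuthorizationDecisionQuery and returns either the full AuthorizationDecisionStatement (SAML's default) or a small boolean-style decision statement. The ogsa namespace, the DecisionStatement element, the policy table and the subject/resource values are all constructed placeholders standing in for the extension the e-mail describes, and the reply omits the Status and Assertion wrappers a real Response carries.

```python
import io
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.1 keeps the 1.0 namespace URIs
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
OGSA = "urn:example:ogsa-authz:placeholder"      # hypothetical namespace for the extension
FULL = f"{{{SAML}}}AuthorizationDecisionStatement"
SMALL = f"{{{OGSA}}}DecisionStatement"           # stand-in for the proposed Decision statement
POLICY = {("CN=alice", "https://grid.example/job-submit", "GET"): "Permit"}  # constructed

def build_request(respond_with=None, subject="CN=alice",
                  resource="https://grid.example/job-submit", action="GET"):
    rw = f"<samlp:RespondWith>{respond_with}</samlp:RespondWith>" if respond_with else ""  # QName
    return (f'<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ogsa="{OGSA}" '
            'MajorVersion="1" MinorVersion="1" RequestID="req-1" IssueInstant="2003-06-25T15:12:28Z">'
            f'{rw}<samlp:AuthorizationDecisionQuery Resource="{resource}">'
            f'<saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier></saml:Subject>'
            f'<saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp">{action}</saml:Action>'
            '</samlp:AuthorizationDecisionQuery></samlp:Request>')

def parse(xml_text):
    """Parse, keeping the prefix->namespace map so RespondWith's QName can be resolved."""
    events = list(ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns", "start")))
    nsmap = dict(obj for ev, obj in events if ev == "start-ns")
    return next(obj for ev, obj in events if ev == "start"), nsmap

def requested_statement(req, nsmap):
    """Clark name the PEP asked for via RespondWith; SAML's default is the full statement."""
    rw = req.find("samlp:RespondWith", nsmap)
    if rw is None:
        return FULL
    prefix, local = rw.text.strip().split(":", 1)
    return f"{{{nsmap[prefix]}}}{local}"

def decide(request_xml):
    """Mock PDP: evaluate the query against POLICY, then shape the reply per RespondWith."""
    req, nsmap = parse(request_xml)
    q = req.find("samlp:AuthorizationDecisionQuery", nsmap)
    subject = q.findtext("saml:Subject/saml:NameIdentifier", namespaces=nsmap)
    action = q.find("saml:Action", nsmap)
    verdict = POLICY.get((subject, q.get("Resource"), action.text), "Deny")
    want = requested_statement(req, nsmap)
    resp = ET.Element(f"{{{SAMLP}}}Response", InResponseTo=req.get("RequestID"))
    if want == SMALL:       # boolean-style answer: nothing is echoed back
        ET.SubElement(resp, SMALL, Decision=verdict)
    elif want == FULL:      # full statement repeats Subject and Action (Status/Assertion omitted)
        st = ET.SubElement(resp, FULL, Resource=q.get("Resource"), Decision=verdict)
        st.extend([q.find("saml:Subject", nsmap), action])
    else:
        raise ValueError(f"unsupported RespondWith {want}")
    return resp
```

Comparing the serialised size of the two replies for the same query shows the saving the simple decision statement was meant to give.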