Subject: Re: [security-services] Groups - authentication-context.pdf uploaded
If there is one gap that I wish would be addressed, it is the need for cached Authorization assertions. I think WS-Policy gets to the point of starting to try and address the "Expressive" aspects of an Authorization Policy, but I believe that the results of these evaluations can be stored as Assertions in the SAML token. This architecture could be used to capture the results of a policy determination and can act as a "Cache" in the SAML token for storing the results of an authorization evaluation for a specified scope (could be just this one transaction, a period of time, etc.). Building out the SAML token to hold Assertions about a user's ability to Access or Use a certain resource would be a very powerful capability. This could have a significant impact on performance (in a good way) and increase the interoperability and productivity of an entire system. Systems could use the token not only to store assertions of identity but could also act as a cache of authorization assertions under a specific policy set. I would really like to see the next version address this set of requirements: the ability for the token to contain authorization information, maybe in a separate branch of the token.

This is much broader than Liberty and maybe this isn't the right place, but Tony's comments sparked my memory of a system I designed for a VERY LARGE corporate enterprise security system to address authentication and authorization. The Token cache idea was a big success and the performance impact was amazing, to my surprise.
Bill Haase
Security and Privacy SME
National Sales Engineering Team
Tivoli Security & Privacy Software
Internet: firstname.lastname@example.org
AOL IM: BillHaase
Tivoli Software Products, an IBM Company
5475 Rings Road, Suite 300, Dublin, Ohio, 43017
Office: (614) 659-7427
Cell: (614) 348-4297
"The box said NT 4.0 or better, so I loaded it on my Linux Server"
IBM is #1 in Security Software => http://biz.yahoo.com/iw/030129/050678.html

Anthony Nadalin/Austin/IBM@IBMUS
10/17/2003 09:37 AM
To: <email@example.com>
cc:
Subject: Re: [security-services] Groups - authentication-context.pdf uploaded

> A separate question might be whether there is some overlap between the Authentication Context specification and WS-Policy. At this point, I don't know if that question is being addressed within SSTC.

I believe that there is a valid requirement; not sure if it's an authentication context or a more generalized concept such as WS-Policy where one can express scope, preconditions, business value and decision aspects.

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122
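Bill's token-cache proposal, as an added example that is not part of this thread: a SAML 1.1 assertion carrying an AuthorizationDecisionStatement as the cached policy result, with the Conditions element as the cache scope, and the lookup a service would do before calling its policy decision point. Element names follow SAML 1.1; the issuer, assertion id, resource and timestamps are constructed placeholders.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}
ACTION_NS = "urn:oasis:names:tc:SAML:1.0:action:rwedc"  # SAML 1.1 read/write/execute/delete/control

def _tag(local):
    return f"{{{SAML_NS}}}{local}"

def _parse_time(ts):
    # xsd:dateTime in UTC; older fromisoformat wants "+00:00" rather than "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def build_cached_decision(subject, resource, action, decision, not_before, not_on_or_after):
    """Issue an assertion whose AuthorizationDecisionStatement caches one policy result.
    Conditions is the cache scope: the decision is only usable inside that time window."""
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(_tag("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_cached-decision-1",  # constructed id
        "Issuer": "urn:example:pdp",          # constructed issuer (the policy decision point)
        "IssueInstant": not_before})
    ET.SubElement(assertion, _tag("Conditions"),
                  {"NotBefore": not_before, "NotOnOrAfter": not_on_or_after})
    stmt = ET.SubElement(assertion, _tag("AuthorizationDecisionStatement"),
                         {"Resource": resource, "Decision": decision})
    subj = ET.SubElement(stmt, _tag("Subject"))
    ET.SubElement(subj, _tag("NameIdentifier")).text = subject
    ET.SubElement(stmt, _tag("Action"), {"Namespace": ACTION_NS}).text = action
    return ET.tostring(assertion, encoding="unicode")

def cached_decision(assertion_xml, resource, action, now_iso):
    """Consult the token's cache before calling the policy decision point: returns
    "Permit"/"Deny" for a matching in-window decision, or None to force a live evaluation."""
    root = ET.fromstring(assertion_xml)
    now = _parse_time(now_iso)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            return None
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            return None  # cache entry expired: never honour a stale decision
    for stmt in root.findall("saml:AuthorizationDecisionStatement", NS):
        if stmt.get("Resource") != resource:
            continue
        if any(a.text == action for a in stmt.findall("saml:Action", NS)):
            return stmt.get("Decision")
    return None
```

A consumer would verify the assertion's signature before trusting a cached decision; anything outside the window or not matching the requested resource and action falls back to a live evaluation.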