security-services message


Subject: Abstract: XACML Profile of SAML V2.0 Attributes


SAML Attribute Assertions may be used as input to authorization
decisions made according to the OASIS eXtensible Access Control
Markup Language (XACML) standard specification.  Since the SAML
Attribute format differs from the XACML Attribute format, there
is a mapping that must be performed.  The OASIS XACML TC has
defined a Profile for doing this mapping [XACML-Profile], but
that Profile imposes constraints on the meta-data provided with
the SAML Attribute.  This Profile describes those meta-data
constraints.  SAML Attribute Assertions generated in conformance
with this Profile can be mapped automatically to XACML Attributes
and used as input to XACML authorization decisions.

The audience for this Profile is developers and deployers of
systems that will produce SAML Attributes, where those Attributes
may be used (among other things) as input to XACML authorization
decisions.

The Profile itself is attached to
http://lists.oasis-open.org/archives/security-services/200406/msg00006.html

This Profile is being submitted to the SSTC in response to an
Action Item on this subject for Hal Lockhart (who will have to
supply the appropriate reference).  This submission was approved
by the XACML TC on 27 May 2004 with one dissenting vote (from
Mike McIntosh, IBM).  The intent is that the SSTC either adopt
this Profile, or incorporate the contents of this Profile into a
more general SSTC Attribute profile collection.

The XACML TC would like to thank the SSTC for the fruitful
discussions that have resulted in the ability to specify such a
profile.  The resulting interoperability between SAML and XACML
is to the benefit of both standards.

Anne Anderson
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692


