
xacml-comment message


Subject: RE: [xacml-comment] Benefits/limitations of SAML vs. XACML Context


It is our intention to propose to the SSTC that SAML add a new Authorization Decision Request which integrates cleanly with XACML. It is my expectation that this request would include an XACML request context. Preliminary discussions have indicated that this is likely to be favorably received and included in SAML 2.0, which may be complete in the late spring to early summer timeframe.

In August of 2001, I successfully argued at the SSTC F2F that we would not know how to do this request properly until XACML was finished. Therefore I proposed we do something simple which would satisfy known, minimal requirements and fix it later. Later is now approaching.

Although this does not help you in the short term, I urge you to communicate your requirements and experiences to the SSTC so we get it right.


> -----Original Message-----
> From: Wes Kubo [mailto:wkubo@galdosinc.com]
> Sent: Tuesday, December 10, 2002 6:23 PM
> To: xacml-comment@lists.oasis-open.org
> Subject: [xacml-comment] Benefits/limitations of SAML vs. XACML Context
>
> Hi.
>
> We're currently modifying our application to make use of XACML policies to make authorization decisions. For the time being, I'm developing a simple prototype Context Handler/PDP. In our original design, we planned on sending SAML requests from our application (PEP) to the PDP. After looking into mapping from SAML to XACML Context, I've found some limitations in SAML, including the fact that only the resource URI can be specified. There doesn't seem to be any way to specify multiple attributes on the resource, which XACML Context supports. Similarly for the Action. My questions are:
>
> a) whether there is any way to support multiple attributes for resource/action in the SAML request and
> b) whether there is any reason to use SAML in this context, or whether I should just send XACML Context Requests from our application.
>
> Given that we are designing both the PEP and PDP, using XACML Context instead of SAML may be our best option.
>
> I apologize if this veers slightly from XACML towards SAML, but I didn't want to cross post and I figured that the XACML might have some opinions on the matter.
>
> Thanks.
> Wes
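
The mapping gap raised in the question above, as an added example that is not part of either message: a Python sketch of a context handler that turns a SAML AuthorizationDecisionQuery into an XACML request context. It assumes the SAML 1.x and XACML 1.0 namespaces and standard attribute identifiers; the sample query, the `urn:example:...` attribute id and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
CTX = "urn:oasis:names:tc:xacml:1.0:context"
XACML = "urn:oasis:names:tc:xacml:1.0:"
XSD = "http://www.w3.org/2001/XMLSchema#"

# Constructed sample query; the subject, URI and action are illustrative only.
SAMPLE_QUERY = f"""\
<samlp:AuthorizationDecisionQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    Resource="http://example.com/maps/layer7">
  <saml:Subject><saml:NameIdentifier>wes</saml:NameIdentifier></saml:Subject>
  <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
</samlp:AuthorizationDecisionQuery>"""


def add_attr(parent, attr_id, xsd_type, value):
    """Append one XACML context <Attribute> with a single <AttributeValue>."""
    attr = ET.SubElement(parent, f"{{{CTX}}}Attribute",
                         AttributeId=attr_id, DataType=XSD + xsd_type)
    ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value


def saml_query_to_xacml(query_xml, extra_resource_attrs=()):
    """Build an XACML request context from a SAML AuthorizationDecisionQuery.

    The query supplies one subject name, one resource URI and the action
    string. Further resource attributes have no slot in the query, so the
    caller must pass them as (AttributeId, XSD type, value) tuples.
    """
    query = ET.fromstring(query_xml)
    if query.tag != f"{{{SAMLP}}}AuthorizationDecisionQuery":
        raise ValueError("not a SAML AuthorizationDecisionQuery")
    name = query.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    actions = query.findall(f"{{{SAML}}}Action")
    resource_uri = query.get("Resource")
    if not name or not resource_uri or len(actions) != 1:
        raise ValueError("expected one subject, one Resource and one Action")

    request = ET.Element(f"{{{CTX}}}Request")
    add_attr(ET.SubElement(request, f"{{{CTX}}}Subject"),
             XACML + "subject:subject-id", "string", name.strip())
    resource = ET.SubElement(request, f"{{{CTX}}}Resource")
    add_attr(resource, XACML + "resource:resource-id", "anyURI", resource_uri)
    for attr_id, xsd_type, value in extra_resource_attrs:
        add_attr(resource, attr_id, xsd_type, value)  # from outside the query
    add_attr(ET.SubElement(request, f"{{{CTX}}}Action"),
             XACML + "action:action-id", "string", (actions[0].text or "").strip())
    return request
```

Called on the query alone, the resulting `<Resource>` carries only `resource-id`; anything else the policy needs has to reach the context handler through `extra_resource_attrs` or a similar out-of-band source.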
