OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml-comment] Public Comment

On 28 May, kiran@objectedge.com writes: RE: [xacml-comment] Public Comment
 > Thank you for the response and the link (XACML Profile for
 > SAML).  I was going back and forth between SAML
 > (AuthzDecisionQuery/Statement) and XACML
 > (Request/Response). Hence, I posted mixed up question. I
 > appologize for that.
 > In SAML AuthzDecisionQuery, you can request decision for a
 > resource and multiple actions. e.g:
 > <samlp:AuthzDecisionQuery Resource="Order">
 >    <saml:Subject>
 >      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">kiran@objectedge.com</NameID>
 >    </saml:Subject>
 >    <saml:Action>Create</saml:Action>
 >    <saml:Action>Read</saml:Action>
 >    <saml:Action>Update</saml:Action>
 >    <saml:Action>Delete</saml:Action>
 >    <saml:Action>Validate</saml:Action>
 >    <saml:Action>Trade</saml:Action>
 > </samlp:AuthzDecisionQuery>
 > And you can expect response as below: (Excluded parent
 > Assertion element to save space)
 > <samlp:AuthzDecisionQuery Resource="Order" saml:Decision="Permit">
 >    <saml:Action>Create</saml:Action>
 >    <saml:Action>Read</saml:Action>
 >    <saml:Action>Update</saml:Action>
 > </samlp:AuthzDecisionQuery>
 > <samlp:AuthzDecisionQuery Resource="Order" saml:Decision="Deny">
 >    <saml:Action>Delete</saml:Action>
 >    <saml:Action>Validate</saml:Action>
 >    <saml:Action>Trade</saml:Action>
 > </samlp:AuthzDecisionQuery>
 > I assumed similar multiplicity for action in XACML which was
 > obviously wrong as per current XACML spec. That makes me ask,
 > why two specifications from same organization don't match? Why
 > don't you merge XACML context with SAML protocol instead of
 > coming up with 'XACML Profile for SAML'?

Good question.  As I understand it, the SSTC created a very basic
AuthorizationDecisionQuery format for SAML 1.0, and gave the
XACML TC the charter for dealing more fully with authorization
issues.  XACML, in doing its work, found that the SAML 1.0 format
was not sufficiently expressive, and found it had to develop more
expressive request and response formats.  The hope was that the
XACML formats would be merged back in to SAML 2.0, as you

The XACML TC presented SAML extensions to the SSTC to allow the
XACML formats to be used with SAML authorization decision queries
and responses.  The SSTC, however, decided that the XACML TC
should be responsible for any profiles that used XACML formats,
so they asked us to do the extensions within our own TC.

The XACML TC and the SSTC have several members in common, and
maintain good communication between the two TCs.  We believe we
are succeeding in the important goal: allow XACML to be used with
SAML Query, Response, and Assertion formats, regardless of
exactly which TC actually "owns" the extensions.


 > Thanks,
 > Kiran Gawde
 > Senior Software Engineer
 > Object Edge Inc
 > <FONT face=3D"Default Sans Serif,Verdana,Arial,Helvetica,sans-serif" =
 > size=3D2><DIV>Thank you for the response and the link (XACML Profile =
 > for SAML).</DIV><DIV>I was going back and forth between SAML (AuthzDe=
 > cisionQuery/Statement) and XACML (Request/Response). Hence, I posted =
 > mixed up question. I appologize for that.</DIV><DIV>&nbsp;</DIV><DIV>=
 > In SAML AuthzDecisionQuery, you can request decision for a resource a=
 > nd multiple actions. e.g:</DIV><DIV>&lt;samlp:AuthzDecisionQuery Reso=
 > urce=3D"Order"&gt;<BR>&nbsp;&nbsp; &lt;saml:Subject&gt;<BR>&nbsp;&nbs=
 > p;&nbsp;&nbsp; &lt;NameID Format=3D"urn:oasis:names:tc:SAML:1.1:namei=
 > d-format:emailAddress"&gt;kiran@objectedge.com&lt;/NameID&gt;<BR>&nbs=
 > p;&nbsp; &lt;/saml:Subject&gt;<BR>&nbsp;&nbsp; &lt;saml:Action&gt;Cre=
 > ate&lt;/saml:Action&gt;</DIV><DIV>&nbsp;&nbsp; &lt;saml:Action&gt;Rea=
 > d&lt;/saml:Action&gt;<BR>&nbsp;&nbsp; &lt;saml:Action&gt;Update&lt;/s=
 > aml:Action&gt;<BR>&nbsp;&nbsp;&nbsp;&lt;saml:Action&gt;Delete&lt;/sam=
 > l:Action&gt;<BR>&nbsp;&nbsp;&nbsp;&lt;saml:Action&gt;Validate&lt;/sam=
 > l:Action&gt;<BR>&nbsp;&nbsp;&nbsp;&lt;saml:Action&gt;Trade&lt;/saml:A=
 > ction&gt;<BR>&lt;/samlp:AuthzDecisionQuery&gt;</DIV><DIV>&nbsp;</DIV>=
 > <DIV>And you can expect response as below: (Excluded parent Assertion=
 >  element to save space)<BR>&lt;samlp:AuthzDecisionQuery Resource=3D"O=
 > rder" saml:Decision=3D"Permit"&gt;<BR>&nbsp;&nbsp;&nbsp;&lt;saml:Acti=
 > on&gt;Create&lt;/saml:Action&gt;<BR>&nbsp;&nbsp;&nbsp;&lt;saml:Action=
 > &gt;Read&lt;/saml:Action&gt;<BR>&nbsp;&nbsp;&nbsp;&lt;saml:Action&gt;=
 > Update&lt;/saml:Action&gt;<BR>&lt;/samlp:AuthzDecisionQuery&gt;<BR>&l=
 > t;samlp:AuthzDecisionQuery Resource=3D"Order" saml:Decision=3D"Deny"&=
 > gt;<BR>&nbsp;&nbsp;&nbsp;&lt;saml:Action&gt;Delete&lt;/saml:Action&gt=
 > ;<BR>&nbsp;&nbsp;&nbsp;&lt;saml:Action&gt;Validate&lt;/saml:Action&gt=
 > ;<BR>&nbsp;&nbsp;&nbsp;&lt;saml:Action&gt;Trade&lt;/saml:Action&gt;<B=
 > R>&lt;/samlp:AuthzDecisionQuery&gt;<BR></DIV><DIV>I assumed similar m=
 > ultiplicity for action in XACML which was obviously wrong as per curr=
 > ent XACML spec. That makes me ask, why two specifications from same o=
 > rganization don't match? Why don't you merge XACML context with SAML =
 > protocol instead of coming up with 'XACML Profile for SAML'?</DIV><DI=
 > V>&nbsp;</DIV><DIV>Thanks,</DIV><DIV>Kiran Gawde<BR><BR>Senior Softwa=
 > re Engineer<BR>Object Edge Inc<BR><TABLE cellSpacing=3D0 cellPadding=
 > =3D0 width=3D"100%" border=3D"0" V5DOTBL=3D"true"><TBODY><TR vAlign=
 > =3Dtop><TD width=3D"37%" bgColor=3D#e1e1e1 rowSpan=3D5><IMG height=
 > =3D1 alt=3D"" src=3D"https://www2.objectedge.com/icons/ecblank.gif"; w=
 > idth=3D1 border=3D0><BR><DIV align=3Dcenter><B><FONT size=3D2>Anne An=
 > derson &lt;Anne.Anderson@Sun.COM&gt;</FONT></B><BR><FONT size=3D2>05/=
 > 28/2004 09:19 AM AST</FONT><HR><FONT size=3D-1>Please respond to Anne=
 > .Anderson@Sun.COM</FONT><HR></DIV></TD><TD width=3D"1%" bgColor=3D#e1=
 > e1e1><IMG height=3D1 alt=3D"" src=3D"https://www2.objectedge.com/icon=
 > s/ecblank.gif" width=3D102 border=3D0><BR><DIV align=3Dright><FONT si=
 > ze=3D2>To</FONT>&nbsp;&nbsp;</DIV></TD><TD width=3D"63%" bgColor=3D#e=
 > 1e1e1><IMG height=3D1 alt=3D"" src=3D"https://www2.objectedge.com/ico=
 > ns/ecblank.gif" width=3D1 border=3D0><BR><FONT size=3D2>"Diego M. Gon=
 > zalez" &lt;diegog@lagash.com&gt;</FONT></TD></TR><TR vAlign=3Dtop><TD=
 >  width=3D"1%" bgColor=3D#e1e1e1><IMG height=3D1 alt=3D"" src=3D"https=
 > ://www2.objectedge.com/icons/ecblank.gif" width=3D102 border=3D0><BR>=
 > <DIV align=3Dright><FONT size=3D2>cc</FONT>&nbsp;&nbsp;</DIV></TD><TD=
 >  width=3D"63%" bgColor=3D#e1e1e1><IMG height=3D1 alt=3D"" src=3D"http=
 > s://www2.objectedge.com/icons/ecblank.gif" width=3D1 border=3D0><BR><=
 > FONT size=3D2>kiran@objectedge.com, xacml-comment@lists.oasis-open.or=
 > g</FONT></TD></TR><TR vAlign=3Dtop><TD width=3D"1%" bgColor=3D#e1e1e1=
 > ><IMG height=3D1 alt=3D"" src=3D"https://www2.objectedge.com/icons/ec=
 > blank.gif" width=3D102 border=3D0><BR><DIV align=3Dright><FONT size=
 > =3D2>bcc</FONT>&nbsp;&nbsp;</DIV></TD><TD width=3D"63%" bgColor=3D#e1=
 > e1e1><IMG height=3D1 alt=3D"" src=3D"https://www2.objectedge.com/icon=
 > s/ecblank.gif" width=3D1 border=3D0><BR><FONT size=3D2></FONT></TD></=
 > TR><TR vAlign=3Dtop><TD width=3D"1%" bgColor=3D#e1e1e1><IMG height=
 > =3D1 alt=3D"" src=3D"https://www2.objectedge.com/icons/ecblank.gif"; w=
 > idth=3D102 border=3D0><BR><DIV align=3Dright><FONT size=3D2>Subject</=
 > FONT>&nbsp;&nbsp;</DIV></TD><TD width=3D"63%" bgColor=3D#e1e1e1><IMG =
 > height=3D1 alt=3D"" src=3D"https://www2.objectedge.com/icons/ecblank.=
 > gif" width=3D1 border=3D0><BR><FONT size=3D2>RE: [xacml-comment] Publ=
 > ic Comment</FONT></TD></TR><TR vAlign=3Dtop><TD width=3D0% bgColor=
 > =3D#e1e1e1><IMG height=3D1 alt=3D"" src=3D"https://www2.objectedge.co=
 > m/icons/ecblank.gif" width=3D1 border=3D0></TD><TD width=3D"63%" bgCo=
 > lor=3D#e1e1e1><IMG height=3D1 alt=3D"" src=3D"https://www2.objectedge=
 > .com/icons/ecblank.gif" width=3D1 border=3D0><BR><FONT size=3D-1></FO=
 > NT></TD></TR></TBODY></TABLE><BR><FONT size=3D2><FONT face=3Dmonospac=
 > e size=3D2>I think Diego's response is excellent. &nbsp;Thank you!<BR=
 > ><BR>The "XACML Profile for Multiple Resource Requests" that I will b=
 > e<BR>posting soon (based on Section 7.[A] of the Hierarchical<BR>Reso=
 > urces draft attached to<BR>http://lists.oasis-open.org/archives/xacml=
 > /200405/msg00104.html)<BR>will clarify this further.<BR><BR>Note also=
 >  that the XACML Profile for SAML provides a way to link<BR>Attributes=
 >  of the original Request to the Response. &nbsp;This would<BR>include=
 >  the action-id in most cases (the spec says when Request<BR>Attribute=
 > s are returned that only those Attributes that were used<BR>in the ev=
 > aluation MUST be included, although others MAY be<BR>included).<BR><B=
 > R>Anne<BR><BR>On 28 May, Diego M. Gonzalez writes: RE: [xacml-comment=
 > ] Public Comment<BR>&gt; In my understanding the you will have a sing=
 > le Resource element if you<BR>&gt; ask for a single resource in the R=
 > equest. You can ask for multiple<BR>&gt; resources using hierarchical=
 >  resources. If you ask for a single resource<BR>&gt; there's no need =
 > to say what is the resource that you have been granted<BR>&gt; to, bu=
 > t if you ask for multiple resources you will receive a single<BR>&gt;=
 >  Result element for each Resource requested with the ResourceId speci=
 > fied<BR>&gt; and the Decission for each one.<BR>&gt; <BR>&gt; As you =
 > can request access over a resource for a single Action, the<BR>&gt; a=
 > ction is implicit in the "context", is the same ActionId placed in th=
 > e<BR>&gt; Request document so there's no need to place it in the resp=
 > onse.<BR>&gt; <BR>&gt; This is what you asked for?<BR>&gt; <BR>&gt; T=
 > hanks,<BR>&gt; Diego Gonzalez<BR>&gt; Lagash Systems SA<BR>&gt; <BR>&=
 > gt; <BR>&gt; -----Original Message-----<BR>&gt; From: comment-form@oa=
 > sis-open.org [mailto:comment-form@oasis-open.org] <BR>&gt; Sent: Thur=
 > sday, May 27, 2004 10:21 PM<BR>&gt; To: xacml-comment@lists.oasis-ope=
 > n.org<BR>&gt; Subject: [xacml-comment] Public Comment<BR>&gt; <BR>&gt=
 > ; Comment from: kiran@objectedge.com<BR>&gt; <BR>&gt; As per xacml sp=
 > ecification, Response element contains one or more Result<BR>&gt; ele=
 > ment. And result element contains ResourceId (as attribute v/s<BR>&gt=
 > ; element as in Request!), Decision, Status and Obligations. But it<B=
 > R>&gt; doesn't contain Action? Also ResourceId is not explicit attrib=
 > ute of<BR>&gt; Resource! <BR>&gt; <BR>&gt; Thanks,<BR>&gt; Kiran<BR>&=
 > gt; <BR>&gt; <BR>&gt; To unsubscribe from this list, send a post to<B=
 > R>&gt; xacml-comment-unsubscribe@lists.oasis-open.org, or visit<BR>&g=
 > t; http://www.oasis-open.org/mlmanage/.<BR>&gt; <BR>&gt; <BR>&gt; <BR=
 > >&gt; <BR>&gt; To unsubscribe from this list, send a post to xacml-co=
 > mment-unsubscribe@lists.oasis-open.org, or visit http://www.oasis-ope=
 > n.org/mlmanage/.<BR>&gt; <BR><BR>-- <BR>Anne H. Anderson &nbsp; &nbsp=
 > ; &nbsp; &nbsp; &nbsp; &nbsp; Email: Anne.Anderson@Sun.COM<BR>Sun Mic=
 > rosystems Laboratories<BR>1 Network Drive,UBUR02-311 &nbsp; &nbsp; Te=
 > l: 781/442-0928<BR>Burlington, MA 01803-0902 USA &nbsp;Fax: 781/442-1=
 > 692<BR><BR><BR></FONT></FONT><BR><BR></DIV></FONT>This email message =
 > (including any attachments) is for the sole use of the<br />intended =
 > recipient and may contain confidential and privileged information.<br=
 >  />Any unauthorized review&#44; use&#44; disclosure or distribution i=
 > s prohibited.  If<br />you are not the intended recipient&#44; please=
 >  contact the sender by reply email <br />and destroy all copies of th=
 > e original message.  Thank you.<br />

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]