Subject: XACMLAuthzDecision Response when there are multiple decisions
The description in the SAML 2.0 Profile of XACML (Version 2.0) of the <samlp:StatusCode> in an XACMLAuthzDecision Response assumes there is only one <xacml-context:StatusCode> to consider and therefore does not account for the case where there are multiple results for a request for multiple decisions. The Multiple Decision Profile does not provide any enlightenment on this issue. The SAML 2.0 profile also does not specify the treatment of the urn:oasis:names:tc:xacml:1.0:status:processing-error status code.

In my opinion, when facilities are layered upon other facilities, the error reporting at each layer should relate to just that layer. When error conditions have to cascade through the layers it generally just raises awkward problems (like: what if there are multiple results?).

So in the XACML case the SAML status code should just reflect the SAML processing of the XACML response. If the SAML layer has a legitimate XACML response to a legitimate XACML request, regardless of whether that response contains XACML errors, multiple results or whatever, then the SAML status should be "Success". This neatly addresses questions such as "what if there are multiple results, some of which are successful and some of which have errors?"; it's a legitimate XACML response, so the SAML status code is "Success".

The SAML "Requester" status code should be used in those cases where the request had syntax errors that prevented the SAML layer from passing the request to the XACML layer for processing. The "Responder" status code should be used in those cases where the XACML layer failed to produce a suitable response or if the subsequent SAML processing failed.

Regards,
Steven
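The layering rule proposed in the message above, written out as an added example (this is illustrative code, not code from the XACML TC, the SAML profile or any PDP implementation). A stand-in PDP (`stub_pdp`, constructed here) evaluates a multi-resource request and returns one `xacml-context:Result` per resource; the SAML-layer handler maps a request it cannot parse to `Requester`, a PDP that cannot produce a response to `Responder`, and any legitimate XACML response, including one whose results carry `processing-error`, to `Success`. The sample messages, the resource named `broken` that the stub treats as a processing error, and the simplified way the XACML response is wrapped in a `saml:Statement` are all assumptions made for the example.

```python
"""Layered status reporting for an XACMLAuthzDecisionQuery: the samlp:StatusCode
reflects SAML-layer processing only; per-result XACML status codes stay inside
the xacml-context:Response. Added example with a constructed PDP stub."""
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS_XACML_SAMLP = "urn:oasis:xacml:2.0:saml:protocol:schema:os"
NS_XACML_SAML = "urn:oasis:xacml:2.0:saml:assertion:schema:os"
for prefix, uri in (("samlp", NS_SAMLP), ("saml", NS_SAML), ("xacml-context", NS_CTX)):
    ET.register_namespace(prefix, uri)

SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAML_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
SAML_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
XACML_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
XACML_PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


def stub_pdp(request):
    """Constructed stand-in PDP: one Result per Resource. A resource whose id is
    'broken' (assumption for the example) yields Indeterminate/processing-error;
    a request with no Resource at all is something this PDP cannot evaluate."""
    resources = request.findall(f"{{{NS_CTX}}}Resource")
    if not resources:
        raise RuntimeError("PDP cannot evaluate a request without a Resource")
    results = []
    for res in resources:
        rid = "unknown"
        for attr in res.findall(f"{{{NS_CTX}}}Attribute"):
            if attr.get("AttributeId") == RESOURCE_ID:
                rid = attr.findtext(f"{{{NS_CTX}}}AttributeValue", "unknown")
        result = ET.Element(f"{{{NS_CTX}}}Result", ResourceId=rid)
        decision, code = ("Indeterminate", XACML_PROCESSING_ERROR) if rid == "broken" else ("Permit", XACML_OK)
        ET.SubElement(result, f"{{{NS_CTX}}}Decision").text = decision
        status = ET.SubElement(result, f"{{{NS_CTX}}}Status")
        ET.SubElement(status, f"{{{NS_CTX}}}StatusCode", Value=code)
        results.append(result)
    return results


def build_response(saml_code, results):
    """Serialize a samlp:Response; the XACML results (if any) ride inside it unchanged."""
    resp = ET.Element(f"{{{NS_SAMLP}}}Response")
    status = ET.SubElement(resp, f"{{{NS_SAMLP}}}Status")
    ET.SubElement(status, f"{{{NS_SAMLP}}}StatusCode", Value=saml_code)
    if results:
        # Simplified carrier: a saml:Statement typed as an XACMLAuthzDecisionStatement
        # inside a saml:Assertion (Issuer, signatures etc. omitted for the example).
        resp.set("xmlns:xacml-saml", NS_XACML_SAML)
        assertion = ET.SubElement(resp, f"{{{NS_SAML}}}Assertion")
        stmt = ET.SubElement(assertion, f"{{{NS_SAML}}}Statement")
        stmt.set(f"{{{NS_XSI}}}type", "xacml-saml:XACMLAuthzDecisionStatementType")
        ET.SubElement(stmt, f"{{{NS_CTX}}}Response").extend(results)
    return ET.tostring(resp, encoding="unicode")


def handle_xacml_authz_query(request_xml, pdp=stub_pdp):
    """SAML-layer handler applying the per-layer status rule from the message."""
    # Stage 1 (SAML layer): the request never reaches the PDP -> Requester.
    try:
        root = ET.fromstring(request_xml)
        if root.tag != f"{{{NS_XACML_SAMLP}}}XACMLAuthzDecisionQuery":
            raise ValueError("not an XACMLAuthzDecisionQuery")
        xreq = root.find(f"{{{NS_CTX}}}Request")
        if xreq is None:
            raise ValueError("no xacml-context:Request")
    except (ET.ParseError, ValueError):
        return build_response(SAML_REQUESTER, [])
    # Stage 2 (XACML layer): the PDP produced no response at all -> Responder.
    try:
        results = pdp(xreq)
    except Exception:  # any PDP failure, not an XACML status code
        return build_response(SAML_RESPONDER, [])
    # Stage 3: a legitimate XACML response, whatever its Results say -> Success.
    return build_response(SAML_SUCCESS, results)


def saml_status(response_xml):
    root = ET.fromstring(response_xml)
    return root.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode").get("Value")


def xacml_result_statuses(response_xml):
    """(ResourceId, Decision, xacml StatusCode) for every Result in the response."""
    root = ET.fromstring(response_xml)
    out = []
    for r in root.iter(f"{{{NS_CTX}}}Result"):
        code = r.find(f"{{{NS_CTX}}}Status/{{{NS_CTX}}}StatusCode").get("Value")
        out.append((r.get("ResourceId"), r.findtext(f"{{{NS_CTX}}}Decision"), code))
    return out


def _resource(rid):
    return (f'<xacml-context:Resource><xacml-context:Attribute AttributeId="{RESOURCE_ID}" '
            f'DataType="{XS_STRING}"><xacml-context:AttributeValue>{rid}'
            '</xacml-context:AttributeValue></xacml-context:Attribute></xacml-context:Resource>')


def _query(body):  # constructed sample query; IDs are illustrative
    return (f'<xacml-samlp:XACMLAuthzDecisionQuery xmlns:xacml-samlp="{NS_XACML_SAMLP}" '
            f'xmlns:xacml-context="{NS_CTX}" ID="_q1" Version="2.0">'
            f'<xacml-context:Request><xacml-context:Subject/>{body}'
            '<xacml-context:Action/><xacml-context:Environment/></xacml-context:Request>'
            '</xacml-samlp:XACMLAuthzDecisionQuery>')


MULTI_REQUEST = _query(_resource("file1") + _resource("broken"))  # two decisions, one in error
NO_RESOURCE_REQUEST = _query("")                                    # PDP cannot evaluate
MALFORMED_REQUEST = '<xacml-samlp:XACMLAuthzDecisionQuery><xacml-context:Request>'  # not even XML
```

Running `handle_xacml_authz_query(MULTI_REQUEST)` yields a `Success` status with two results, one of them `processing-error`; the malformed request yields `Requester` with no XACML content, and the request the PDP cannot evaluate yields `Responder`.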