XACMLAuthzDecision Response when there are multiple decisions

[Steven Legg <steven.legg@enitiatives.com.au>]

The description in the SAML 2.0 Profile of XACML (Version 2.0) of the
<samlp:StatusCode> in an XACMLAuthzDecision Response assumes there is only one
<xacml-context:StatusCode> to consider and therefore does not account for the
case where there are multiple results for a request for multiple decisions.
The Multiple Decision Profile does not provide any enlightenment on this issue.
The SAML 2.0 profile also does not specify the treatment of the
urn:oasis:names:tc:xacml:1.0:status:processing-error status code.

In my opinion, when facilities are layered upon other facilities the error
reporting at each layer should relate to just that layer. When error conditions
have to cascade through the layers it generally just raises awkward problems
(like: what if there are multiple results?). So in the XACML case the SAML
status code should just reflect the SAML processing of the XACML response. If
the SAML layer has a legitimate XACML response to a legitimate XACML request,
regardless of whether that response contains XACML errors, multiple results or
whatever, then the SAML status should be "Success". This neatly addresses
questions such as "what if there are multiple results, some of which are
successful and some of which have errors?"; it's a legitimate XACML response so
the SAML status code is "Success". The SAML "Requester" status code should be
used in those cases where the request had syntax errors that prevented the
SAML layer from passing the request to the XACML layer for processing.
The "Responder" status code should be used in those cases where the XACML layer
failed to produce a suitable response or if the subsequent SAML processing
failed.

Regards,
Steven