
xacml-comment message


Subject: Re: [xacml-comment] XACMLAuthzDecision Response when there are multiple decisions

Hi Steven

I support your general principle of each protocol layer reporting the
outcome from its own perspective, and hence your proposal for what the
SAML status code should be.



On 07/12/2010 22:38, Steven Legg wrote:
> The description in the SAML 2.0 Profile of XACML (Version 2.0) of the
> <samlp:StatusCode> in an XACMLAuthzDecision Response assumes there is
> only one <xacml-context:StatusCode> to consider and therefore does not
> account for the case where there are multiple results for a request for
> multiple decisions. The Multiple Decision Profile does not provide any
> enlightenment on this issue.
>
> The SAML 2.0 profile also does not specify the treatment of the
> urn:oasis:names:tc:xacml:1.0:status:processing-error status code.
>
> In my opinion, when facilities are layered upon other facilities the
> error reporting at each layer should relate to just that layer. When
> error conditions have to cascade through the layers it generally just
> raises awkward problems (like: what if there are multiple results?). So
> in the XACML case the SAML status code should just reflect the SAML
> processing of the XACML response. If the SAML layer has a legitimate
> XACML response to a legitimate XACML request, regardless of whether that
> response contains XACML errors, multiple results or whatever, then the
> SAML status should be "Success". This neatly addresses questions such as
> "what if there are multiple results, some of which are successful and
> some of which have errors?"; it's a legitimate XACML response so the SAML
> status code is "Success". The SAML "Requester" status code should be used
> in those cases where the request had syntax errors that prevented the
> SAML layer from passing the request to the XACML layer for processing.
> The "Responder" status code should be used in those cases where the XACML
> layer failed to produce a suitable response or if the subsequent SAML
> processing failed.
>
> Regards,
> Steven


David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
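The layering rule Steven proposes above (SAML status reflects only the SAML layer's own processing; per-result XACML status codes stay inside the XACML response) is easy to get wrong in an implementation that inspects the first <xacml-context:StatusCode> it finds. The following is an added worked example, not code from either message or from any OASIS specification: a minimal SAML-side handler that maps outcomes to Success, Requester and Responder exactly as described, exercised on a constructed multi-decision request whose results are a mix of ok and processing-error. The SAML 2.0 protocol and XACML 2.0 context namespace URIs and the status URNs are the published ones; the toy PDP, its `id` attribute on <Resource>, and the `PdpFailure` exception are assumptions made for the example.

```python
"""Added example: SAML <samlp:StatusCode> selection for an
XACMLAuthzDecision Response, following the per-layer reporting rule.

  Requester - the SAML layer could not parse/hand the request to XACML
  Responder - the XACML layer produced no usable response at all
  Success   - a legitimate XACML response exists, whatever the individual
              <xacml-context:StatusCode> values inside it say
"""
import xml.etree.ElementTree as ET

# Published namespace URIs and status URNs (SAML 2.0 / XACML 2.0).
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"

SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAML_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
SAML_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"

XACML_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
XACML_PROCESSING_ERROR = "urn:oasis:names:tc:xacml:1.0:status:processing-error"


class PdpFailure(Exception):
    """Hypothetical: the PDP cannot produce any response for the request."""


def toy_pdp(request):
    """Hypothetical multi-decision PDP: one result per <Resource> child.

    The 'id' attribute on <Resource> is an invention of this example (a real
    request carries resource-id as an <Attribute>). A resource whose id
    contains 'broken' simulates an evaluation failure and yields
    Indeterminate/processing-error; everything else yields Permit/ok.
    A request with no <Resource> makes the PDP fail outright.
    """
    resources = request.findall(f"{{{XACML_CTX}}}Resource")
    if not resources:
        raise PdpFailure("no resources to decide on")
    results = []
    for res in resources:
        if "broken" in res.get("id", ""):
            results.append(("Indeterminate", XACML_PROCESSING_ERROR))
        else:
            results.append(("Permit", XACML_OK))
    return results


def saml_status_for(xacml_request_xml, pdp=toy_pdp):
    """Return (saml_status_code, xacml_results) for one wrapped request.

    Only SAML-layer outcomes influence the SAML status; the XACML result
    list is passed through untouched, processing-error entries included.
    """
    try:
        request = ET.fromstring(xacml_request_xml)
        if request.tag != f"{{{XACML_CTX}}}Request":
            raise ValueError("root element is not xacml-context:Request")
    except (ET.ParseError, ValueError):
        return SAML_REQUESTER, []        # never reached the XACML layer

    try:
        results = pdp(request)
    except PdpFailure:
        return SAML_RESPONDER, []        # XACML layer produced nothing usable

    return SAML_SUCCESS, results         # legitimate response, errors and all


def build_saml_response(saml_status, results):
    """Serialise a bare samlp:Response carrying the SAML status and the XACML
    results (the XACMLAuthzDecisionStatement/Assertion wrapper is omitted)."""
    resp = ET.Element(f"{{{SAMLP}}}Response")
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=saml_status)
    xresp = ET.SubElement(resp, f"{{{XACML_CTX}}}Response")
    for decision, xacml_status in results:
        result = ET.SubElement(xresp, f"{{{XACML_CTX}}}Result")
        ET.SubElement(result, f"{{{XACML_CTX}}}Decision").text = decision
        st = ET.SubElement(result, f"{{{XACML_CTX}}}Status")
        ET.SubElement(st, f"{{{XACML_CTX}}}StatusCode", Value=xacml_status)
    return ET.tostring(resp, encoding="unicode")


# Constructed sample inputs for the three cases.
MULTI_DECISION_REQUEST = f"""<Request xmlns="{XACML_CTX}">
  <Subject/>
  <Resource id="doc-1"/>
  <Resource id="broken-doc-2"/>
  <Action/>
</Request>"""
MALFORMED_REQUEST = f'<Request xmlns="{XACML_CTX}"><Subject/>'      # unclosed
NO_RESOURCE_REQUEST = f'<Request xmlns="{XACML_CTX}"><Subject/></Request>'

if __name__ == "__main__":
    for label, req in [("multi", MULTI_DECISION_REQUEST),
                       ("malformed", MALFORMED_REQUEST),
                       ("no-resource", NO_RESOURCE_REQUEST)]:
        code, results = saml_status_for(req)
        print(label, code.rsplit(":", 1)[1], results)
        print(build_saml_response(code, results))
```

The multi-decision case is the interesting one: one result is Permit/ok and the other Indeterminate/processing-error, yet the SAML status is Success, because the SAML layer received a legitimate XACML response. A client that wants the XACML-level outcome must look at each <xacml-context:StatusCode> in the body rather than infer it from the SAML status.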

