
xacml-dev message


Subject: RE: [xacml-dev] XACML obligations in SAML assertions??

Hi Seth,

My query is based on the assumption that the PEP and PDP are separate, with
the PDP delivering a SAML Authorization Decision Statement to the PEP in the
following format:

    <complexType name="AuthzDecisionStatementType">
        <complexContent>
            <extension base="saml:StatementAbstractType">
                <sequence>
                    <element ref="saml:Action" maxOccurs="unbounded"/>
                    <element ref="saml:Evidence" minOccurs="0"/>
                </sequence>
                <attribute name="Resource" type="anyURI" use="required"/>
                <attribute name="Decision" type="saml:DecisionType" use="required"/>
            </extension>
        </complexContent>
    </complexType>

Prior to SAML 2.0, no support was provided for conveying XACML responses as
SAML assertions. With the addition of XACMLAuthzDecisionStatementTypes in
v2.0, it became possible to forward the entire XACML response, including
obligations, to the PEP. How were XACML obligations conveyed to a PEP in
SAML 1.1? 

I would also be interested in perspective(s) on the "level of pain" that
would be associated with developing SAML profiles to support RELs besides
XACML, e.g., XrML, ODRL, etc., which are commonly used in DRM-type

Thanks again,

-----Original Message-----
From: Seth Proctor [mailto:Seth.Proctor@Sun.COM] 
Sent: Friday, March 25, 2005 10:22 AM
To: Jackson Wynn
Cc: xacml-dev@lists.oasis-open.org
Subject: Re: [xacml-dev] XACML obligations in SAML assertions??

Hi Jackson.

On Fri, 2005-03-25 at 08:33, Jackson Wynn wrote:
> Can anyone tell me what provisions are made for conveying XACML
> in a SAML authorization decision assertion?

What specifically are you looking for? With XACML 2.0 there is a SAML
profile that defines how to convey an XACML Response in SAML. In turn,
the Response includes any Obligations. Are you looking for a way to only
convey Obligations in a decision? (i.e., not include a Response)

> How are obligations conveyed to
> policy enforcement points, if not through SAML assertions??

Again, I think I need a little more understanding of what you're trying
to do. XACML Obligations are typically conveyed as part of an XACML
Response. These can be passed around through any number of formats,
though the obvious standard for doing this is SAML.
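
The following is an added example, not code from either poster or from the XACML or SAML specifications: it shows a PEP reading the Obligations out of an XACML 2.0 Response (the payload the SAML profile mentioned above carries) and refusing access when the Response contains an obligation it has no handler for. The sample Response, the `urn:example:` identifiers, and the names `parse_result` and `enforce` are constructed for illustration; refusing on an unrecognized obligation is this example's policy choice.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # Response, Result, Decision
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"   # Obligations, Obligation
NS = {"ctx": CTX, "pol": POL}

# Constructed sample: an XACML 2.0 Response as a PDP might return it to the PEP.
SAMPLE_RESPONSE = f"""
<Response xmlns="{CTX}" xmlns:xacml="{POL}">
  <Result ResourceId="urn:example:record:42">
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:obligation:audit-log" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="urn:example:attr:reason"
            DataType="http://www.w3.org/2001/XMLSchema#string">record access</xacml:AttributeAssignment>
      </xacml:Obligation>
    </xacml:Obligations>
  </Result>
</Response>
"""

def parse_result(response_xml):
    """Return (decision, obligations) for the first Result in an XACML Response."""
    result = ET.fromstring(response_xml).find("ctx:Result", NS)
    if result is None:
        return "Indeterminate", []
    decision = result.findtext("ctx:Decision", default="Indeterminate", namespaces=NS).strip()
    obligations = []
    for ob in result.findall("pol:Obligations/pol:Obligation", NS):
        if ob.get("FulfillOn") != decision:
            continue  # only obligations tied to the returned decision apply
        args = {a.get("AttributeId"): (a.text or "").strip()
                for a in ob.findall("pol:AttributeAssignment", NS)}
        obligations.append((ob.get("ObligationId"), args))
    return decision, obligations

def enforce(response_xml, handlers):
    """Grant access only on Permit with every obligation discharged."""
    decision, obligations = parse_result(response_xml)
    if decision != "Permit":
        return False
    if any(oid not in handlers for oid, _ in obligations):
        return False  # unrecognized obligation: refuse rather than silently ignore it
    for oid, args in obligations:
        handlers[oid](args)  # discharge each obligation before granting access
    return True
```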

