Subject: RE: [xacml-dev] XACML obligations in SAML assertions??

Hi Seth,

My query is based on the assumption that the PEP and PDP are separate, with the PDP delivering a SAML Authorization Decision Statement to the PEP in the following format:

    <complexType name="AuthzDecisionStatementType">
      <complexContent>
        <extension base="saml:StatementAbstractType">
          <sequence>
            <element ref="saml:Action" maxOccurs="unbounded"/>
            <element ref="saml:Evidence" minOccurs="0"/>
          </sequence>
          <attribute name="Resource" type="anyURI" use="required"/>
          <attribute name="Decision" type="saml:DecisionType" use="required"/>
        </extension>
      </complexContent>
    </complexType>

Prior to SAML 2.0, no support was provided for conveying XACML responses as SAML assertions. With the addition of XACMLAuthzDecisionStatementTypes in v2.0, it became possible to forward the entire XACML response, including obligations, to the PEP. How were XACML obligations conveyed to a PEP in SAML 1.1?

I would also be interested in perspective(s) on the "level of pain" that would be associated with developing SAML profiles to support RELs besides XACML, e.g., XrML, ODRL, etc., which are commonly used in DRM-type solutions...

Thanks again,
Jackson

-----Original Message-----
From: Seth Proctor [mailto:Seth.Proctor@Sun.COM]
Sent: Friday, March 25, 2005 10:22 AM
To: Jackson Wynn
Cc: email@example.com
Subject: Re: [xacml-dev] XACML obligations in SAML assertions??

Hi Jackson.

On Fri, 2005-03-25 at 08:33, Jackson Wynn wrote:
> Can anyone tell me what provisions are made for conveying XACML obligations
> in a SAML authorization decision assertion?

What specifically are you looking for? With XACML 2.0 there is a SAML profile that defines how to convey an XACML Response in SAML. In turn, the Response includes any Obligations. Are you looking for a way to only convey Obligations in a decision? (i.e., not include a Response)

> How are obligations conveyed to
> policy enforcement points, if not through SAML assertions??

Again, I think I need a little more understanding of what you're trying to do.

XACML Obligations are typically conveyed as part of an XACML Response. These can be passed around through any number of formats, though the obvious standard for doing this is SAML.

seth
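
Added example (not part of the thread, and not code from either poster): a sketch of how a PEP might pull Obligations out of an XACML 2.0 Response and refuse access unless it can discharge every one of them. The sample Response, the obligation and attribute IDs, and the handler table are constructed for illustration; extracting the Response from a SAML assertion and validating its signature are assumed to have happened already.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

# XACML 2.0 namespaces: Response/Result come from the context schema,
# Obligations from the policy schema.
NS = {
    "ctx": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
    "pol": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
}

# Constructed sample Response; every urn:example:* identifier is made up.
SAMPLE_RESPONSE = """\
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
  <Result ResourceId="urn:example:resource:report-42">
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="urn:example:obligation:audit-log" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="urn:example:attr:message"
            DataType="http://www.w3.org/2001/XMLSchema#string">report accessed</xacml:AttributeAssignment>
      </xacml:Obligation>
    </xacml:Obligations>
  </Result>
</Response>
"""

def parse_result(xml_text):
    """Return (decision, [(obligation_id, fulfill_on, {attribute_id: value})])."""
    result = ET.fromstring(xml_text).find("ctx:Result", NS)
    decision = result.findtext("ctx:Decision", namespaces=NS).strip()
    obligations = []
    for ob in result.iterfind("pol:Obligations/pol:Obligation", NS):
        attrs = {a.get("AttributeId"): (a.text or "").strip()
                 for a in ob.iterfind("pol:AttributeAssignment", NS)}
        obligations.append((ob.get("ObligationId"), ob.get("FulfillOn"), attrs))
    return decision, obligations

def enforce(xml_text, handlers):
    """Deny-biased PEP: allow only on Permit with every obligation discharged.

    handlers (hypothetical) maps ObligationId -> callable(attrs) -> bool.
    """
    decision, obligations = parse_result(xml_text)
    if decision != "Permit":
        return False
    applicable = [o for o in obligations if o[1] == decision]
    # Check that every obligation is understood before running any of them.
    if any(oid not in handlers for oid, _, _ in applicable):
        return False
    return all(handlers[oid](attrs) for oid, _, attrs in applicable)
```

The same check applies regardless of the transport that carried the Response; only the unwrapping step before `parse_result` changes.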