Subject: RE: [xacml-dev] XACML obligations in SAML assertions??

On Fri, 2005-03-25 at 11:01, Jackson Wynn wrote:

> My query is based on the assumption that the PEP and PDP are separate, with
> the PDP delivering a SAML Authorization Decision Statement to the PEP in the
> following format:
>
> [...]
>
> Prior to SAML 2.0, no support was provided for conveying XACML responses as
> SAML assertions. With the addition of XACMLAuthzDecisionStatementTypes in
> v2.0, it became possible to forward the entire XACML response, including
> obligations, to the PEP. How were XACML obligations conveyed to a PEP in
> SAML 1.1?

I think the point is that before the SAML profile in XACML 2.0 there was no
standard mechanism for conveying any XACML messages. In my experience, most
people:

1. Did their own extension to SAML (similar to the profile)
2. Passed XACML Requests/Responses directly over a socket (etc.)
3. Used existing, app-specific formats and converted to a standard format in
   the PDP service
4. Had their PEP and PDP tightly connected

That's not an exhaustive list, but I think it covers the common cases (to
others on this list: if you're doing something else that's interesting, chime
in!).

Bottom line, however, I haven't seen anyone trying to convey just Obligations
in any system. Generally an XACML Response is what you're passing around, and
if you figure out how to handle that, then you've also handled your
Obligations.

seth
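The reply's closing point, that a PEP which handles the whole XACML Response has also handled its Obligations, is easiest to see with a PEP-side parser. The following is an added example, not code from the thread or from any XACML implementation: it takes a SAML 2.0 assertion carrying an XACMLAuthzDecisionStatement (the XACML 2.0 SAML profile the reply refers to), pulls out the Decision and the Obligations from the embedded Response, and grants access only when the decision is an explicit Permit and every obligation that applies to that decision can be discharged. The sample assertion, the resource and obligation identifiers, and the handler callbacks are constructed for the example; the namespace URIs are taken from the XACML 2.0 and SAML 2.0 specifications as I recall them and should be checked against the schemas of whatever stack is actually deployed.

```python
import xml.etree.ElementTree as ET

# Namespace URIs for SAML 2.0, the XACML 2.0 context/policy schemas and the
# SAML profile of XACML 2.0 (assumed from the published specs; verify against
# the schema files shipped with the implementation you use).
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xacml-saml": "urn:oasis:xacml:2.0:saml:assertion:schema:os",
    "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
    "xacml": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
}

# Constructed sample: one assertion with one XACMLAuthzDecisionStatement whose
# Response permits access and carries two obligations, one that applies on
# Permit and one that applies on Deny. All identifiers are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os"
    xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    Version="2.0" ID="_constructed-1" IssueInstant="2005-03-25T11:01:00Z">
  <saml:Issuer>pdp.example.test</saml:Issuer>
  <xacml-saml:XACMLAuthzDecisionStatement>
    <xacml-context:Response>
      <xacml-context:Result ResourceId="urn:example:resource:report-42">
        <xacml-context:Decision>Permit</xacml-context:Decision>
        <xacml-context:Status>
          <xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </xacml-context:Status>
        <xacml:Obligations>
          <xacml:Obligation ObligationId="urn:example:obligation:log-access" FulfillOn="Permit">
            <xacml:AttributeAssignment AttributeId="urn:example:attr:log-level"
                DataType="http://www.w3.org/2001/XMLSchema#string">info</xacml:AttributeAssignment>
          </xacml:Obligation>
          <xacml:Obligation ObligationId="urn:example:obligation:notify-owner" FulfillOn="Deny"/>
        </xacml:Obligations>
      </xacml-context:Result>
    </xacml-context:Response>
  </xacml-saml:XACMLAuthzDecisionStatement>
</saml:Assertion>"""


def parse_results(assertion_xml):
    """Return one dict per <Result> found in XACMLAuthzDecisionStatements.

    Each dict holds the resource id, the Decision string and the list of
    obligations (id, FulfillOn, attribute assignments). Signature checking of
    the assertion is out of scope here and must happen before this is trusted.
    """
    root = ET.fromstring(assertion_xml)
    results = []
    for stmt in root.findall(".//xacml-saml:XACMLAuthzDecisionStatement", NS):
        for result in stmt.findall("xacml-context:Response/xacml-context:Result", NS):
            obligations = []
            for ob in result.findall("xacml:Obligations/xacml:Obligation", NS):
                assignments = {
                    a.get("AttributeId"): (a.text or "").strip()
                    for a in ob.findall("xacml:AttributeAssignment", NS)
                }
                obligations.append({
                    "id": ob.get("ObligationId"),
                    "fulfill_on": ob.get("FulfillOn"),
                    "attributes": assignments,
                })
            results.append({
                "resource": result.get("ResourceId"),
                "decision": result.findtext("xacml-context:Decision", namespaces=NS),
                "obligations": obligations,
            })
    return results


def pep_enforce(result, handlers):
    """Return True to grant access, False to refuse. Fails closed.

    `handlers` maps ObligationId -> callable(attributes) -> bool. Obligations
    whose FulfillOn matches the decision are run; an obligation the PEP does
    not understand, or whose handler fails, means the PEP may not grant.
    """
    decision = result["decision"]
    if decision not in ("Permit", "Deny"):
        return False  # Indeterminate / NotApplicable: never grant
    for ob in result["obligations"]:
        if ob["fulfill_on"] != decision:
            continue
        handler = handlers.get(ob["id"])
        if handler is None or not handler(ob["attributes"]):
            return False
    return decision == "Permit"


if __name__ == "__main__":
    audit = []
    handlers = {"urn:example:obligation:log-access": lambda attrs: audit.append(attrs) or True}
    for r in parse_results(SAMPLE_ASSERTION):
        print(r["resource"], r["decision"], "granted" if pep_enforce(r, handlers) else "refused")
```

The only branch a PEP author is likely to get wrong is the one the reply hints at: an obligation the PEP was never taught about. Here an unknown ObligationId on a Permit result turns the outcome into a refusal rather than a silent grant, which is what the XACML specification expects of a PEP.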
On Fri, 2005-03-25 at 11:01, Jackson Wynn wrote: > My query is based on the assumption that the PEP and PDP are separate, with > the PDP delivering a SAML Authorization Decision Statement to the PEP in the > following format: > [...] > Prior to SAML 2.0, no support was provided for conveying XACML responses as > SAML assertions. With the addition of XACMLAuthzDecisionStatementTypes in > v2.0, it became possible to forward the entire XACML response, including > obligations, to the PEP. How were XACML obligations conveyed to a PEP in > SAML 1.1? I think the point is that before the SAML profile in XACML 2.0 there was no standard mechanism for conveying any XACML messages. In my experience, most people: 1. Did their own extension to SAML (similar to the profile) 2. Passed XACML Requests/Responses directly over a socket (etc.) 3. Used existing, app-specific formats and converted to a standard format in the PDP service 4. Had their PEP and PDP tightly connected That's not an exhaustive list, but I think it covers the common cases (to others on this list: if you're doing something else that's interesting, chime in!). Bottom line, however, I haven't seen anyone trying to convey just Obligations in any system. Generally an XACML Response is what you're passing around, and if you figure out how to handle that, then you've also handled your Obligations. seth