
xacml-users message


Subject: Case study Shibboleth for XACML

Dear all,

This case study is taken from the paper "First experiences using XACML for
access control in distributed systems".

I came across an issue during the study of Shibboleth (one case study from
the above paper) and I wanted to ask you people regarding this issue:

Suppose we have 2 educational sites, Univ A and Univ B, and a user U in Univ A
wants to access some resource R on the Univ B site (some slides).

Now, it is very much true that Univ B, after receiving the request from User U
of Univ A, will ask the AA of Univ A, but first of all, what attributes is it
going to ask for?

On the side of Univ B, how is Univ B going to specify that User U of Univ A
has access to Resource R, and under which condition?

My question is this: in any case, User U of Univ A will be known to Univ B
for Resource R, because when specifying an access control policy for Resource R,
Univ B will have to specify the condition under which User U of Univ A has
access to the resource R.

I am attaching the paragraph from its architecture for your kind consideration:

"We call the attribute request that the SHAR sends to the AA an "AQM" for
"attribute query message". The response that the AA sends to the SHAR is an
"ARM" for "attribute response message".

The SHAR, once it has these attributes, will send them on to the manager of
the resource the user is trying to access. The resource manager (RM) will then
make an access control decision based on the user's attributes, and either
grant or deny the user's request. If the user is simply trying to access a
static web page or a typical application, this RM may be the web server
itself. In the case where the user is attempting a more complex action (say
updating experimental results or transferring grant money), the RM may sit
"behind" the web server on a separate machine."

So how is the RM (resource manager) going to specify the access control policy for
the access of Resource R for Univ A's user U?

Am I getting the right scenario?

I will be waiting for your kind response.

With best regards,
Muhammad Masoom Alam
University of Innsbruck Austria
+43 512 507 6462
+43 512 22455 410
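An added example, not part of the original message or of Shibboleth's code, modelling the AQM/ARM exchange from the quoted paragraph and an attribute-based rule for resource R at Univ B. The attribute store, attribute names and affiliation values are constructed assumptions; the point shown is that the RM's policy names required attributes rather than individual users.

```python
# Constructed sample: what the AA at Univ A holds about its users.
# Attribute names loosely mimic eduPerson-style scoped affiliations (assumption).
UNIV_A_ATTRIBUTE_STORE = {
    "U": {"affiliation": "student@univ-a.example", "course": "cs101"},
    "V": {"affiliation": "staff@univ-a.example"},
    "W": {"affiliation": "guest@univ-a.example"},
}

def attribute_query(handle: str, requested: tuple) -> dict:
    """AQM/ARM: the SHAR asks the AA for named attributes of a user handle;
    the AA answers only with the attributes it actually holds for that user."""
    record = UNIV_A_ATTRIBUTE_STORE.get(handle, {})
    return {name: record[name] for name in requested if name in record}

# Policy for resource R at Univ B (assumption). It lists the attribute values
# that are acceptable; no individual user of Univ A is named.
POLICY_R = {
    "resource": "slides/R",
    "action": "read",
    "rules": [
        {
            "effect": "Permit",
            "require": {"affiliation": {"student@univ-a.example",
                                        "staff@univ-a.example"}},
        },
    ],
    "default": "Deny",
}

def rm_decide(policy: dict, resource: str, action: str, attrs: dict) -> str:
    """Resource-manager decision: the first rule whose attribute requirements
    are all met decides; otherwise the policy's default applies."""
    if resource != policy["resource"] or action != policy["action"]:
        return "NotApplicable"
    for rule in policy["rules"]:
        if all(attrs.get(k) in allowed for k, allowed in rule["require"].items()):
            return rule["effect"]
    return policy["default"]

def access_request(handle: str, resource: str, action: str) -> str:
    """Full flow: SHAR derives which attributes the policy needs, queries the AA
    for exactly those, then hands the returned attributes to the RM."""
    needed = tuple(k for rule in POLICY_R["rules"] for k in rule["require"])
    attrs = attribute_query(handle, needed)
    return rm_decide(POLICY_R, resource, action, attrs)
```

Only the attributes the policy actually needs are requested from the AA, which keeps the released attribute set minimal.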
