xacml message

Subject: RE: another attempt at azn query refinement


I agree with the general proposition that the current Authorization Decision Request and Assertion are woefully inadequate for the kinds of policy decisions that can be made by state-of-the-art access control systems. However, at F2F#3 I urged, and I remember a strong consensus for, keeping the specification to a bare minimum in this area for SAML 1.0. I believe it will require some significant work to get this right, and it is not a good idea to add individual features piecemeal. I also believe that the right place to do this work is in the XACML TC, and I have submitted specific use cases to this effect.
 
Therefore, although I agree with Simon that we will eventually need this kind of thing (and a lot of other functionality), I feel strongly that this proposal should be deferred until we can address all the issues in a comprehensive fashion.
 
Hal
-----Original Message-----
From: Simon Godik [mailto:sgodik@crosslogix.com]
Sent: Thursday, October 04, 2001 3:11 PM
To: 'security-services@lists.oasis-open.org'
Subject: another attempt at azn query refinement

I did not get a response (negative or positive) to my previous message on azn query,
so here is another try.

Suppose we want to ask the question: What can I have for lunch today?
To rephrase: Can I have lunch today (yes/no) and if yes what is on the menu?

To answer, I propose to parameterize the action element in the authorization query:

<AuthorizationQuery resource="lunch">
        <Subject/>
        <Actions>
                <ParamAction ActionName="eat">
                        <Parameter name="appetizer"/>
                        <Parameter name="main"/>
                        <Parameter name="dessert"/>
                </ParamAction>
        </Actions>
        <Evidence> my weight is 500 lb</Evidence>
</AuthorizationQuery>

<Response>
        <AssertionSimple>
                <AuthorizationStatement resource="lunch" decision="Permit">
                        <Subject/>
                        <Actions>
                                <ParamAction ActionName="eat">
                                        <Parameter name="appetizer">
                                                <ParameterValue>green salad</ParameterValue>
                                        </Parameter>
                                        <Parameter name="main">
                                                <ParameterValue>hamburger</ParameterValue>
                                        </Parameter>
                                        <Parameter name="dessert">
                                                <ParameterValue>ice cream</ParameterValue>
                                        </Parameter>
                                </ParamAction>
                        </Actions>
                        <Evidence> my weight is 500 lb</Evidence>
                </AuthorizationStatement>
        </AssertionSimple>
</Response>


To support this, the schema modifications are minimal:
we define a ParamAction element and, everywhere we allow Action now, allow a
choice of Action or ParamAction. We also need a Parameter element, which is similar to
the Attribute element. (The Attribute element could be reused, but I'm not in favor of that.)

<element name="Actions" type="saml:ActionsType"/>
<complexType name="ActionsType">
        <sequence>
                <choice minOccurs="1" maxOccurs="unbounded">
                        <element ref="saml:Action"/>
                        <element ref="saml:ParamAction"/>
                </choice>
        </sequence>
</complexType>

<element name="ParamAction" type="saml:ParamActionType"/>
<complexType name="ParamActionType">
        <sequence>
                <element ref="saml:Parameter" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="ActionName" type="string" use="required"/>
</complexType>

<element name="Parameter" type="saml:ParameterType"/>
<complexType name="ParameterType">
        <!-- same shape as AttributeType: a required name, zero or more values
             (empty in the query, filled in by the PDP in the statement) -->
        <sequence>
                <element name="ParameterValue" type="anyType" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="name" type="string" use="required"/>
</complexType>

Simon Godik
Crosslogix
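The round trip sketched in Simon's mail, as an added example that is not code from the mail, from the SAML TC or from any SAML implementation: a query carrying a ParamAction with empty Parameters goes to a toy PDP, which decides and fills in the ParameterValues only on Permit, and the requester then checks that the returned statement answers exactly the parameters it asked for. Everything beyond the element names in the mail is assumed: the subject alice, the lunch_policy rule and its weight threshold, the POLICY table keyed on (resource, action), and the response_matches_query check, which is the consistency test a relying party would want before trusting a parameterised Permit.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request in the shape of the proposal (not a real SAML 1.0 message;
# the subject "alice" is made up, the rest follows the example in the mail).
SAMPLE_QUERY = """<AuthorizationQuery resource="lunch">
  <Subject>alice</Subject>
  <Actions>
    <ParamAction ActionName="eat">
      <Parameter name="appetizer"/>
      <Parameter name="main"/>
      <Parameter name="dessert"/>
    </ParamAction>
  </Actions>
  <Evidence>my weight is 500 lb</Evidence>
</AuthorizationQuery>"""

def parse_query(xml_text):
    """Extract resource, subject, evidence and the requested (action, parameter names)."""
    root = ET.fromstring(xml_text)
    if root.tag != "AuthorizationQuery" or root.find("Actions") is None:
        raise ValueError("not an AuthorizationQuery with Actions")
    actions = []
    for act in root.find("Actions"):
        if act.tag == "Action":                       # plain action, no parameters
            actions.append((act.text.strip(), []))
        elif act.tag == "ParamAction":
            names = [p.get("name") for p in act.findall("Parameter")]
            if None in names or len(set(names)) != len(names):
                raise ValueError("unnamed or duplicate Parameter")
            actions.append((act.get("ActionName"), names))
        else:
            raise ValueError("unexpected element in Actions: " + act.tag)
    return {"resource": root.get("resource"),
            "subject": root.findtext("Subject", default="").strip(),
            "evidence": root.findtext("Evidence", default="").strip(),
            "actions": actions}

def lunch_policy(requested, evidence):
    """Hypothetical rule for (lunch, eat): decide, then fill only what was asked for."""
    m = re.search(r"(\d+)\s*lb", evidence)
    if not m:
        return "Indeterminate", {}                    # evidence unusable
    if int(m.group(1)) > 600:                         # assumed threshold
        return "Deny", {}
    menu = {"appetizer": "green salad", "main": "hamburger", "dessert": "ice cream"}
    if any(name not in menu for name in requested):
        return "Indeterminate", {}                    # asked for a parameter we cannot fill
    return "Permit", {name: menu[name] for name in requested}

POLICY = {("lunch", "eat"): lunch_policy}             # (resource, action) -> rule

def evaluate(query):
    """Toy PDP: every requested action must Permit, else the first non-Permit wins."""
    filled = {}
    for action, params in query["actions"]:
        rule = POLICY.get((query["resource"], action))
        if rule is None:
            return "Indeterminate", {}
        decision, values = rule(params, query["evidence"])
        if decision != "Permit":
            return decision, {}
        filled[action] = values
    return "Permit", filled

def build_response(query, decision, filled):
    """Echo the query as an AuthorizationStatement, adding ParameterValues on Permit."""
    resp = ET.Element("Response")
    stmt = ET.SubElement(ET.SubElement(resp, "AssertionSimple"), "AuthorizationStatement",
                         resource=query["resource"], decision=decision)
    ET.SubElement(stmt, "Subject").text = query["subject"]
    acts = ET.SubElement(stmt, "Actions")
    for action, params in query["actions"]:
        if not params:
            ET.SubElement(acts, "Action").text = action
            continue
        pa = ET.SubElement(acts, "ParamAction", ActionName=action)
        for name in params:
            p = ET.SubElement(pa, "Parameter", name=name)
            if decision == "Permit":                  # values are only meaningful on Permit
                ET.SubElement(p, "ParameterValue").text = filled[action][name]
    ET.SubElement(stmt, "Evidence").text = query["evidence"]
    return ET.tostring(resp, encoding="unicode")

def response_matches_query(query, response_xml):
    """Requester-side check: the statement must cover exactly the requested resource,
    actions and parameter names, and on Permit every parameter must carry a value."""
    stmt = ET.fromstring(response_xml).find("AssertionSimple/AuthorizationStatement")
    if stmt is None or stmt.get("resource") != query["resource"] or stmt.find("Actions") is None:
        return False
    permit, got = stmt.get("decision") == "Permit", []
    for act in stmt.find("Actions"):
        if act.tag == "Action":
            got.append((act.text.strip(), []))
            continue
        params = act.findall("Parameter")
        if permit and any(p.find("ParameterValue") is None for p in params):
            return False
        got.append((act.get("ActionName"), [p.get("name") for p in params]))
    return got == query["actions"]
```

The check at the end is the part worth keeping in mind when a Permit carries data: a statement that answers a different parameter set than the one requested (an extra "wine" slot, or a Permit with an empty "main") should be refused rather than partially applied, otherwise the parameter mechanism turns a yes/no answer into a channel the PDP, or whoever can alter the assertion in transit, uses to push unrequested values to the enforcement point.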


