OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: [xacml] Proposed resolution from PM-8-05


Title: RE: [xacml] Proposed resolution from PM-8-05

Michiharu - I was thinking that xacml obligations properly belong in the "conditions" element of a saml authorization decision assertion.  Here is the schema fragment (from saml v28).

        <element name="Conditions" type="saml:ConditionsType"/>
        <complexType name="ConditionsType">
                <choice minOccurs="0" maxOccurs="unbounded">
                        <element ref="saml:Condition"/>
                        <element ref="saml:AudienceRestrictionCondition"/>
                </choice>
                <attribute name="NotBefore" type="dateTime" use="optional"/>
                <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
        </complexType>
        <element name="Condition" type="saml:ConditionAbstractType"/>
        <complexType name="ConditionAbstractType" abstract="true"/>

Condition is an abstract type that xacml must extend in order to accommodate obligation.  The significance of a saml condition is that, if the recipient does not understand the contents, then it MUST reject the assertion, i.e. deny access.

All the best.  Tim.

-----------------------------------------
Tim Moses
Tel: 613.270.3183


-----Original Message-----
From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
Sent: Friday, March 22, 2002 3:54 AM
To: XACML TC
Subject: [xacml] Proposed resolution from PM-8-05


I would like to propose a resolution as follows:

-ISSUE: PM-8-05: How to return obligation via SAML

Here is an authorization decision syntax that returns obligation(s). SAML
AuthorizationDecisionStatement is extended to include xacml:obligations
element by type extension. "samle" namespace prefix is used to indicate
SAML extension for the decision assertion with obligation. Note that the
following example just shows the overview for simplicity.

<saml:Assertion>
  <saml:AuthorizationDecisionStatement Resource="aaa" Decision="Permit"
xsi:type="samle:AuthorizationDecisionStatementWithObligations">
  <saml:Subject>
   <saml:NameIdentifier SecurityDomain="aaa" Name="Alice"/>
  </saml:Subject>
  <saml:Actions Namespace="http://www.oasis-open.org/xmlactions">
   <saml:Action>Read</saml:Action>
  </saml:Actions>
  <xacml:obligations>
   <xacml:obligation obligationId="myId">
     ...
   </xacml:obligation>
  </xacml:obligations>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>


The following "samle" schema fragment defines an authorization decision
with obligations.

<complexType name="AuthorizationDecisionStatementWithObligations">
  <complexContent>
    <extension base="saml:AuthorizationDecisionStatementType">
      <sequence>
        <element ref="xacml:obligations"/>
      </sequence>
    </extension>
  </complexContent>
</complexType>

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428



----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC