Subject: [xacml] Update SAML Profile XSLT including Obligation in SAML 1.0
This is in response to my Action Item to provide an "Update SAML Profile XSLT, including how to put Obligations into a SAML 1.0 AuthorizationQueryResponse". Seven files are attached to this mail.

1. XSLT transformation for generating an XACML Request Context from a SAML Request

I created an XSLT transformation "SAML-Request.xsl" that reads "SAML-Request.xml" as an input SAML Request and generates "XACML-Request.xml" as an output XACML Request Context. I checked that both XML documents are valid against the SAML 1.0 specification and the XACML 0.16g context schema, respectively.

2. XSLT transformation for generating a SAML Response from an XACML Response Context

I created an XSLT transformation "SAML-Response.xsl" that reads "XACML-RequestResponse.xml" as an input XACML Context and generates "SAML-Response.xml" as an output SAML Response. The "XACML-RequestResponse.xml" has a dummy root element <XACMLRequestResponse> that has a <Request> element and a <Response> element that correspond to "XACML-Request.xml" and "XACML-Response.xml", respectively.

"XACML-Response.xml" is valid against the XACML 0.16g context schema, but "SAML-Response.xml" is not valid against the SAML 1.0 specification. It does not include mandatory SAML attributes such as the ResponseId and MajorVersion attributes in the Response element, because "XACML-Response.xml" does not include such information. The XSLT transformation just shows a rough idea of how to map between an XACML Context and a SAML assertion. Implementers who use SAML as a communication protocol must write their own code that transforms an XACML Response into a SAML Response instead of using this XSLT transformation.

3. Proposal for inclusion of an Obligations element in SAML 1.0

I propose to include an "Obligations" element in the AuthorizationDecisionStatement as an optional element by extending the current SAML 1.0 specification.

Element <Obligations>

The <Obligations> element contains any arbitrary elements and attributes. If an assertion contains an <Obligations> element, the set of elements below the Obligations element represents one or more actions specified in a policy or policy set that should be performed in conjunction with the issuance of an authorization decision. This means that the recipient (PEP) must fulfill the obligations when it permits (or denies) the access from the requesting subject.

The modified schema is:

  <element name="AuthorizationDecisionStatement" type="saml:AuthorizationDecisionStatementType"/>
  <complexType name="AuthorizationDecisionStatementType">
    <complexContent>
      <extension base="saml:SubjectStatementAbstractType">
        <sequence>
          <element ref="saml:Action" maxOccurs="unbounded"/>
          <element ref="saml:Evidence" minOccurs="0"/>
          <element ref="saml:Obligations" minOccurs="0"/>
        </sequence>
        <attribute name="Resource" type="anyURI" use="required"/>
        <attribute name="Decision" type="saml:DecisionType" use="required"/>
      </extension>
    </complexContent>
  </complexType>

  <element name="Obligations" type="ObligationsType"/>
  <complexType name="ObligationsType">
    <sequence>
      <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <anyAttribute namespace="##any" processContents="lax"/>
  </complexType>

A sample SAML response that includes an Obligations element looks like this (it omits many mandatory attributes for simplicity):

  <saml:AuthorizationDecisionStatement Resource="/medico.com/record/patient/patientDoB"
      Decision="Permit"
      xmlns:xac="urn:oasis:names:tc:xacml:0.16g:context"
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="/medico.com">Julius Hibbert</saml:NameIdentifier>
    </saml:Subject>
    <saml:Action Namespace="/medico.com">read</saml:Action>
    <saml:Obligations>
      <xac:Obligation ObligationId="/notification" FulfilOn="Permit">
        <xac:AttributeAssignment AttributeId="email">
          <xac:AttributeValue>bs@simpsons.com</xac:AttributeValue>
        </xac:AttributeAssignment>
      </xac:Obligation>
    </saml:Obligations>
  </saml:AuthorizationDecisionStatement>

(See attached file: XACML-Request.xml) (See attached file: SAML-Request.xsl) (See attached file: SAML-Request.xml) (See attached file: XACML-RequestResponse.xml) (See attached file: XACML-Response.xml) (See attached file: SAML-Response.xsl) (See attached file: SAML-Response.xml)

Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642
Fax +81 (46) 273-7428
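As an added illustration of what the receiving PEP has to do with the proposed element (this is not code from the mail or its attachments), the following Python parses a statement shaped like the sample above, pairs each obligation's FulfilOn with the Decision, and refuses to grant access when an applicable obligation has no handler. The namespaces are the ones used in the sample; the deny-on-unfulfillable rule is assumed from the usual XACML PEP semantics rather than stated in the proposal.

```python
# Added example, not code from the mail: PEP-side handling of the proposed
# <saml:Obligations> element. Namespaces are the ones in the mail's sample;
# the deny-if-unfulfillable rule is assumed from usual XACML PEP semantics.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
XAC = "urn:oasis:names:tc:xacml:0.16g:context"

# Constructed input: the mail's sample statement (mandatory SAML attributes
# omitted there are omitted here too).
SAMPLE = f"""<saml:AuthorizationDecisionStatement Decision="Permit"
    Resource="/medico.com/record/patient/patientDoB"
    xmlns:saml="{SAML}" xmlns:xac="{XAC}">
  <saml:Subject>
    <saml:NameIdentifier NameQualifier="/medico.com">Julius Hibbert</saml:NameIdentifier>
  </saml:Subject>
  <saml:Action Namespace="/medico.com">read</saml:Action>
  <saml:Obligations>
    <xac:Obligation ObligationId="/notification" FulfilOn="Permit">
      <xac:AttributeAssignment AttributeId="email">
        <xac:AttributeValue>bs@simpsons.com</xac:AttributeValue>
      </xac:AttributeAssignment>
    </xac:Obligation>
  </saml:Obligations>
</saml:AuthorizationDecisionStatement>"""

def parse_statement(xml_text):
    """Return (Decision, [(ObligationId, FulfilOn, {AttributeId: value}), ...])."""
    root = ET.fromstring(xml_text)
    obligations = []
    for ob in root.findall(f"{{{SAML}}}Obligations/{{{XAC}}}Obligation"):
        attrs = {}
        for aa in ob.findall(f"{{{XAC}}}AttributeAssignment"):
            val = aa.find(f"{{{XAC}}}AttributeValue")
            attrs[aa.get("AttributeId")] = None if val is None else val.text
        obligations.append((ob.get("ObligationId"), ob.get("FulfilOn"), attrs))
    return root.get("Decision"), obligations

def enforce(xml_text, handlers):
    """PEP step: run each obligation whose FulfilOn matches the decision.
    An applicable obligation with no handler turns the result into Deny."""
    decision, obligations = parse_statement(xml_text)
    for ob_id, fulfil_on, attrs in obligations:
        if fulfil_on != decision:
            continue  # bound to the other decision value; not applicable now
        if ob_id not in handlers:
            return "Deny"
        handlers[ob_id](attrs)
    return decision
```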