Subject: [xacml] Update SAML Profile XSLT including Obligation in SAML 1.0


This is in response to my Action Item to provide an "Update SAML Profile
XSLT, including how to put Obligations into a SAML 1.0
AuthorizationQueryResponse". Seven files are attached to this mail.

1. XSLT transformation for generating XACML Request Context from SAML
Request

I created an XSLT transformation "SAML-Request.xsl" that reads
"SAML-Request.xml" as an input SAML Request and generates
"XACML-Request.xml" as an output XACML Request Context. I checked that both
XML documents are valid against the SAML 1.0 specification and the XACML 0.16g
context schema, respectively.

2. XSLT transformation for generating SAML Response from XACML Response
Context

I created an XSLT transformation "SAML-Response.xsl" that reads
"XACML-RequestResponse.xml" as an input XACML Context and generates
"SAML-Response.xml" as an output SAML Response. The
"XACML-RequestResponse.xml" has a dummy root element <XACMLRequestResponse>
that has a <Request> element and a <Response> element corresponding to
"XACML-Request.xml" and "XACML-Response.xml", respectively.
"XACML-Response.xml" is valid against the XACML 0.16g context schema, but
"SAML-Response.xml" is not valid against the SAML 1.0 specification. It
does not include mandatory SAML attributes such as the ResponseID and
MajorVersion attributes of the Response element, because
"XACML-Response.xml" does not include such information. The XSLT
transformation just shows a rough idea of how to map an XACML Context to a SAML
assertion. Implementers who use SAML as a communication protocol must write
their own code that transforms an XACML Response into a SAML Response
instead of using this XSLT transformation.

3. Proposal for inclusion of obligation element in SAML 1.0

I propose to include an "Obligations" element in the
AuthorizationDecisionStatement as an optional element, by extending the
current SAML 1.0 specification.

Element <Obligations>
The <Obligations> element contains any arbitrary elements and attributes.
If an assertion contains an <Obligations> element, the set of elements below
it specifies one or more actions, defined in a policy or policy set, that
should be performed in conjunction with the issuance of an authorization
decision. This means that the recipient (PEP) must fulfill the obligations
when it permits (or denies) the access requested by the subject. The modified
schema is:

<element name="AuthorizationDecisionStatement" type="saml:AuthorizationDecisionStatementType"/>
<complexType name="AuthorizationDecisionStatementType">
  <complexContent>
    <extension base="saml:SubjectStatementAbstractType">
      <sequence>
        <element ref="saml:Action" maxOccurs="unbounded"/>
        <element ref="saml:Evidence" minOccurs="0"/>
        <!-- new optional element proposed here -->
        <element ref="saml:Obligations" minOccurs="0"/>
      </sequence>
      <attribute name="Resource" type="anyURI" use="required"/>
      <attribute name="Decision" type="saml:DecisionType" use="required"/>
    </extension>
  </complexContent>
</complexType>

<!-- the type reference needs the saml: prefix, like the other types in the SAML schema -->
<element name="Obligations" type="saml:ObligationsType"/>
<complexType name="ObligationsType">
  <sequence>
    <!-- any element from any namespace; the child obligations are not validated by this schema -->
    <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
  </sequence>
  <anyAttribute namespace="##any" processContents="lax"/>
</complexType>


A sample SAML response that includes the Obligations element looks like this
(it omits many mandatory attributes for simplicity):

<saml:AuthorizationDecisionStatement Resource="/medico.com/record/patient/patientDoB" Decision="Permit"
    xmlns:xac="urn:oasis:names:tc:xacml:0.16g:context"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Subject>
    <saml:NameIdentifier NameQualifier="/medico.com">Julius Hibbert</saml:NameIdentifier>
  </saml:Subject>
  <saml:Action Namespace="/medico.com">read</saml:Action>
  <saml:Obligations>
    <xac:Obligation ObligationId="/notification" FulfilOn="Permit">
      <xac:AttributeAssignment AttributeId="email">
        <xac:AttributeValue>bs@simpsons.com</xac:AttributeValue>
      </xac:AttributeAssignment>
    </xac:Obligation>
  </saml:Obligations>
</saml:AuthorizationDecisionStatement>


Attached files:
  XACML-Request.xml
  SAML-Request.xsl
  SAML-Request.xml
  XACML-RequestResponse.xml
  XACML-Response.xml
  SAML-Response.xsl
  SAML-Response.xml

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
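The following is an added example and not part of the mail above or of Kudo's
XSLT. It does in Python what the mail describes for the response direction:
take an XACML Response Context carrying obligations, emit the proposed
saml:AuthorizationDecisionStatement with an <saml:Obligations> child (the XACML
<Obligation> elements are copied verbatim, which the xs:any/lax ObligationsType
permits), and then enforce that statement at a PEP. The Response/Result/Decision
layout of the XACML input, the function names (xacml_to_saml, enforce,
build_and_enforce) and the handlers dictionary keyed by ObligationId are
assumptions for illustration; the <Obligation> shape and the FulfilOn attribute
follow the mail's sample. The PEP refuses access when an applicable obligation
has no handler: that is XACML's rule for obligations a PEP cannot fulfil, which
the mail's "must fulfill" wording implies but does not spell out.

```python
# Added example (not Michiharu Kudo's XSLT): XACML Response Context with
# obligations -> proposed SAML 1.0 AuthorizationDecisionStatement -> fail-closed PEP.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
XAC = "urn:oasis:names:tc:xacml:0.16g:context"   # namespace used in the mail's sample
ET.register_namespace("saml", SAML)
ET.register_namespace("xac", XAC)

# Constructed sample input. The Response/Result/Decision layout is an assumption
# made for this example; the <Obligation> elements follow the mail's sample.
XACML_RESPONSE = """<xac:Response xmlns:xac="urn:oasis:names:tc:xacml:0.16g:context">
  <xac:Result>
    <xac:Decision>Permit</xac:Decision>
    <xac:Obligations>
      <xac:Obligation ObligationId="/notification" FulfilOn="Permit">
        <xac:AttributeAssignment AttributeId="email">
          <xac:AttributeValue>bs@simpsons.com</xac:AttributeValue>
        </xac:AttributeAssignment>
      </xac:Obligation>
      <xac:Obligation ObligationId="/audit" FulfilOn="Deny">
        <xac:AttributeAssignment AttributeId="reason">
          <xac:AttributeValue>denied access to patient record</xac:AttributeValue>
        </xac:AttributeAssignment>
      </xac:Obligation>
    </xac:Obligations>
  </xac:Result>
</xac:Response>"""


def xacml_to_saml(xacml_xml, resource, subject, name_qualifier, action_ns, action):
    """Build a saml:AuthorizationDecisionStatement from one XACML Result.

    Subject, resource and action are not present in the XACML Response (the
    mail notes the same gap for ResponseID/MajorVersion), so the caller
    supplies them, normally from the matching Request. Each XACML <Obligation>
    is copied verbatim under <saml:Obligations>, as ObligationsType allows.
    """
    result = ET.fromstring(xacml_xml).find(f"{{{XAC}}}Result")
    decision = result.findtext(f"{{{XAC}}}Decision")
    stmt = ET.Element(f"{{{SAML}}}AuthorizationDecisionStatement",
                      {"Resource": resource, "Decision": decision})
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier",
                  {"NameQualifier": name_qualifier}).text = subject
    ET.SubElement(stmt, f"{{{SAML}}}Action", {"Namespace": action_ns}).text = action
    obligations = result.find(f"{{{XAC}}}Obligations")
    if obligations is not None and len(obligations) > 0:
        holder = ET.SubElement(stmt, f"{{{SAML}}}Obligations")
        for obligation in obligations:
            holder.append(obligation)
    return ET.tostring(stmt, encoding="unicode")


def enforce(saml_stmt_xml, handlers):
    """PEP side. Returns (access_granted, fulfilled_ids, unfulfillable_ids).

    Only obligations whose FulfilOn equals the Decision apply. If any applicable
    obligation has no handler the PEP cannot fulfil it, so access is refused
    whatever the Decision says (fail closed). Handlers are callables taking the
    obligation's {AttributeId: AttributeValue} assignments.
    """
    stmt = ET.fromstring(saml_stmt_xml)
    decision = stmt.get("Decision")
    applicable = [ob for ob in stmt.iter(f"{{{XAC}}}Obligation")
                  if ob.get("FulfilOn") == decision]
    missing = [ob.get("ObligationId") for ob in applicable
               if ob.get("ObligationId") not in handlers]
    if missing:
        return False, [], missing
    fulfilled = []
    for ob in applicable:
        assignments = {a.get("AttributeId"): a.findtext(f"{{{XAC}}}AttributeValue")
                       for a in ob.iter(f"{{{XAC}}}AttributeAssignment")}
        handlers[ob.get("ObligationId")](assignments)
        fulfilled.append(ob.get("ObligationId"))
    return decision == "Permit", fulfilled, []


def build_and_enforce(xacml_xml, handlers):
    """Round trip: XACML Response -> SAML statement -> PEP enforcement."""
    saml_stmt = xacml_to_saml(xacml_xml, "/medico.com/record/patient/patientDoB",
                              "Julius Hibbert", "/medico.com", "/medico.com", "read")
    return enforce(saml_stmt, handlers)


if __name__ == "__main__":
    sent = []
    handlers = {"/notification": lambda a: sent.append(a["email"])}
    print(build_and_enforce(XACML_RESPONSE, handlers), sent)  # permitted, mail queued
    print(build_and_enforce(XACML_RESPONSE, {}))              # refused: no handler
```

Note that the "/audit" obligation carries FulfilOn="Deny", so it is ignored on a
Permit decision and only becomes applicable when the Decision is Deny; the PEP
still has to be able to fulfil it in that case even though no access is granted.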


