OASIS Mailing List Archives: xacml message
Subject: [xacml] change request: subject attribute designators


Xacml request context allows for multiple subjects. Each subject block is identified with the subject-category.
Subject-category identifies different 'actors': access-subject, codesource, etc.
 
Category of 'access-subject' is requestor's identity.
 
There are use cases, such as 'integrated login' where multiple auth mechanisms are integrated.
Sun solves this with the 'pluggable auth module' framework (PAM). PAM allows for multiple
authentication protocols to be configured per application.
 
This shows that xacml context may contain multiple subject blocks with the same category
of 'access-subject': separate block per authentication protocol.
 
Subject blocks are accessed with subject-attribute-designators.
 
Assumption: subject block is uniquely addressed by subject-category
and authentication protocol.
 
Proposal.
Drop DataType attribute of the <xacml-context:AttributeType>.
 
Extend xacml:subject-attribute-designator with subject-category, and protocol attributes:
<complexType name="SubjectAttributeDesignatorType">
    <attribute name="AttributeId" type="xs:string" use="required"/>
    <attribute name="Issuer" type="xs:anyURI" use="optional"/>
    <attribute name="SubjectCategory" type="xs:string" use="optional"/> <!-- new -->
    <attribute name="Protocol" type="xs:anyURI" use="optional"/> <!-- new -->
</complexType>
 
example 1.1 - match 'group' attribute of a subject authenticated with kerberos:
subject-match match-id="string-equal"
    subj-attr-desig attr-id="group" issuer="some-issuer" subj-cat="access-subject" protocol="kerb"
    attr-value admin
 
example 1.2 - match 'subject-id' attribute of a subject authenticated with kerb:
subject-match match-id="rfc822Name-match"
    subj-attr-desig attr-id="subject-id" subj-cat="access-subject" protocol="kerb"
    attr-value bart@simpson.com
 
Note that in example 1.2 subject block is identified by the protocol (kerb), not by the name format.
 
Simon
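Added example (not part of Simon's message or of any XACML implementation): a minimal Python model of how a PDP would resolve the proposed SubjectAttributeDesignator against a request context that holds two 'access-subject' blocks, one per authentication protocol, then apply examples 1.1 and 1.2. The class and function names are assumed, and rfc822Name-match is reduced to its full-address form.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Subject:               # one <Subject> block of the request context
    category: str            # "access-subject", "codesource", ...
    protocol: Optional[str]  # authentication protocol that produced the block
    attrs: Dict[Tuple[str, Optional[str]], List[str]] = field(default_factory=dict)  # (AttributeId, Issuer) -> values

@dataclass
class SubjectAttributeDesignator:
    attribute_id: str
    issuer: Optional[str] = None
    subject_category: Optional[str] = None  # proposed new attribute
    protocol: Optional[str] = None          # proposed new attribute

def resolve(d, subjects):
    """Bag of values the designator selects; omitted optional fields act as wildcards."""
    out = []
    for s in subjects:
        if d.subject_category and s.category != d.subject_category:
            continue
        if d.protocol and s.protocol != d.protocol:
            continue
        for (attr_id, issuer), vals in s.attrs.items():
            if attr_id == d.attribute_id and (not d.issuer or issuer == d.issuer):
                out.extend(vals)
    return out

def subject_match(d, subjects, match_fn, value):
    """SubjectMatch: true if any selected value satisfies the match function."""
    return any(match_fn(value, v) for v in resolve(d, subjects))

def rfc822name_match(pattern, name):
    """Full-address form of rfc822Name-match: exact local part, case-insensitive domain."""
    plocal, _, pdomain = pattern.partition("@")
    local, _, domain = name.partition("@")
    return local == plocal and domain.lower() == pdomain.lower()

# Constructed request context: one user authenticated by two protocols (integrated login),
# so two subject blocks share the 'access-subject' category and differ only by protocol.
CONTEXT = [
    Subject("access-subject", "kerb", {("subject-id", None): ["bart@simpson.com"],
                                       ("group", "some-issuer"): ["admin"]}),
    Subject("access-subject", "ldap", {("subject-id", None): ["bart@simpson.com"],
                                       ("group", "some-issuer"): ["users"]}),
]

def example_1_1(protocol="kerb"):  # 'group' string-equal "admin" in the chosen protocol's block
    d = SubjectAttributeDesignator("group", "some-issuer", "access-subject", protocol)
    return subject_match(d, CONTEXT, lambda a, b: a == b, "admin")

def example_1_2():  # 'subject-id' of the kerb block, matched with rfc822Name-match
    d = SubjectAttributeDesignator("subject-id", None, "access-subject", "kerb")
    return subject_match(d, CONTEXT, rfc822name_match, "bart@simpson.com")
```

Calling example_1_1("ldap") returns False, which is the point of the proposal: without the Protocol attribute a designator for 'group' would see both blocks and could not tell the Kerberos-authenticated identity from the LDAP one.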