
Subject: RE: [xacml] Proposal for SAML 2.0 changes

Comments in line.

> Draft Proposal to SSTC for SAML 2.0 changes from XACML
> ======================================================
> SAML 2.0 AuthorizationDecisionQuery contains:
> 1. XACML input context
> 2. flag indicating whether
>    a) only the content of the context from the PEP can be used
>       ("what if" mode), or
>    b) the PDP can use attribute values obtained from other
>       sources
> 3. flag indicating whether returned assertion should contain
>    input context that decision was based on
> The response to the AuthorizationDecisionQuery is returned in the
> existing SAML Response, but uses a new
> AuthorizationDecisionStatement containing
> 1. XACML output context
> 2. (optional) XACML input context used.

The input context is optional in the sense that it would not normally be
provided, but if the flag was set in the request, the PDP must provide it.

>    The context MUST contain all data which affected the decision,
>    but it would be up to each implementation whether the context
>    was trimmed down to just the values that "mattered" or whether
>    the context was the superset of all values known at the time
>    of the decision whether they affected the decision or not.
>    The reason for putting the input context in the assertion
>    would be to allow it to be saved by the PEP for audit
>    purposes.
> Discussion
> ==========
> Duplicate Subject Information
> -----------------------------
> While this effectively introduces a duplicate format for subject
> information (the XACML Subject vs. the SAML Subject Assertion),
> the AuthorizationDecisionRequest can contain SAML
> AttributeAssertions, as it does now.  The XACML PDP's "attribute
> finder" will need to be able to look for such SAML Attribute
> Assertions in the AuthorizationDecisionQuery that are outside of
> the XACML Request Context.

Perhaps we could derive this new statement type from StatementAbstractType
rather than from SubjectStatementAbstractType. Then there is no overlap.

Thinking that an AuthZ decision always involves one Subject is obsolete. In
XACML we know that an AuthZ decision involves zero or more Subjects.
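The query/statement shape proposed above (input context, "what if" flag, return-input-context flag; output context plus optional echoed input context), modelled as an added example that is not part of this thread or of any SAML/XACML specification. The class and field names, the one-attribute "manager" policy and the external attribute source are constructed assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for attribute sources a PDP may consult outside "what if" mode.
EXTERNAL_ATTRIBUTES = {"role": "manager"}

@dataclass
class AuthzDecisionQuery:
    input_context: dict          # XACML input context supplied by the PEP
    what_if: bool                # True: only PEP-supplied content may be used
    return_input_context: bool   # True: statement must carry the context used

@dataclass
class AuthzDecisionStatement:
    output_context: dict                   # XACML output context (decision)
    input_context: Optional[dict] = None   # optional: context the decision was based on

def evaluate(query: AuthzDecisionQuery) -> AuthzDecisionStatement:
    """Hypothetical PDP: Permit iff the context carries role == 'manager'.
    Every attribute consulted is kept so it can be echoed back for audit."""
    ctx = dict(query.input_context)
    if not query.what_if:
        # Attribute finder: fill in attributes missing from the PEP's context.
        for name, value in EXTERNAL_ATTRIBUTES.items():
            ctx.setdefault(name, value)
    decision = "Permit" if ctx.get("role") == "manager" else "Deny"
    stmt = AuthzDecisionStatement(output_context={"decision": decision})
    if query.return_input_context:
        stmt.input_context = ctx   # MUST contain all data that affected the decision
    return stmt

def pep_check(query: AuthzDecisionQuery, stmt: AuthzDecisionStatement) -> bool:
    """PEP-side audit check: a requested input context must be present, and in
    "what if" mode it must not contain attributes the PEP never sent."""
    if query.return_input_context:
        if stmt.input_context is None:
            return False
        if query.what_if and set(stmt.input_context) - set(query.input_context):
            return False
    return True
```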

