[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Proposed Agenda for April 3 concall...
Here is my proposed rewording. Does this seem more clear? xacml-context:Request [Optional] The information used to make the authorization decision. If the AuthorizationDecisionRequest "ReturnContext" attribute is TRUE, then this element MUST be supplied and MUST include all XACML Attributes used in making the Authorization Decision, whether supplied in the original AuthorizationDecisionQuery or obtained from external sources. The xacml-context:Request MAY include additional XACML Attributes that were not used in making the Authorization Decision. If the AuthorizationDecisionRequest "ReturnContext" attribute is FALSE, then this element MUST NOT be supplied. So far, this is the only change I have made to the proposal mailed out on 20 March (http://lists.oasis-open.org/archives/xacml/200303/msg00007.html). I have attached a copy of the modified proposal to this e-mail. Unless other comments come in, this is the proposal we will be voting on at the 3 April TC meeting. -Anne On 27 March, bill parducci writes: Re: [xacml] Proposed Agenda for April 3 concall... > is it me, or is this confusing: > > | xacml-context:Request [Optional] > > | The information used to make the authorization decision. > | This element MUST be supplied if the > | AuthorizationDecisionRequest "ReturnContext" attribute is > | TRUE and MUST NOT be supplied if the > | AuthorizationDecisionRequest "ReturnContext" attribute is > | FALSE. The xacml-context:Request MUST include all XACML > | Attributes used in making the Authorization Decision, > | whether supplied in the original AuthorizationDecisionQuery > | or obtained from external sources. The > | xacml-context:Request MAY include additional XACML > | Attributes that were not used in making the Authorization > | Decision. > > 'MUST/MUST NOT' and 'optional' seem conflicting. is the intent to > indicate 'IF USED, this element MUST ...?' -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
Changes to "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)" (OASIS Standard, 5 November 2002) to utilize the XACML Request and Response Context formats for authorization decisions. 2.3.2 Element <Assertion> Insert after line 403: <saml2:AuthorizationDecisionStatement> An authorization decision statement in the SAML 2.0 format. Insert after line 416: <element ref="saml2:AuthorizationDecisionStatement"/> 2.3.2.2 Element <Advice> Replace line 533 with: <element name="Advice" type="saml2:AdviceType"/> Replace line 537 with: <element ref="saml2:Assertion"/> 2.4.4 Element <AuthorizationDecisionStatement> Replace lines 738-795 (entire section) with: The <AuthorizationDecisionStatement> element supplies a statement by the issuer that the request for access by the specified subject or subjects to perform the specified action on the specified resource has resulted in the specified decision. The decision is in the form of an xacml-context:Response. The <AuthorizationDecisionStatement> optionally contains a description of the context in which the decision was made, in the form of an xacml-context:Request. This context may include only the information used in making the authorization decision, or may include additional information. This is implementation-dependent. See OASIS eXtensible Access Control Markup Language (XACML) Version 1.0 for a description of the elements in an xacml-context:Response or xacml-context:Request. The <AuthorizationDecisionStatement> element is of type saml2:AuthorizationDecisionStatementType, which extends StatementAbstractType with the addition of the following elements (in order) and attributes: xacml-context:Response [Required] The decision rendered by the issuer with respect to an authorization decision query. The value is of the xacml-context:Response type. xacml-context:Request [Optional] The information used to make the authorization decision. If the AuthorizationDecisionRequest "ReturnContext" attribute is TRUE, then this element MUST be supplied and MUST include all XACML Attributes used in making the Authorization Decision, whether supplied in the original AuthorizationDecisionQuery or obtained from external sources. The xacml-context:Request MAY include additional XACML Attributes that were not used in making the Authorization Decision. If the AuthorizationDecisionRequest "ReturnContext" attribute is FALSE, then this element MUST NOT be supplied. The following schema fragment defines the <AuthorizationDecisionStatement> element and its AuthorizationDecisionStatementType complex type: <element name="AuthorizationDecisionStatement" type="saml2:AuthorizationDecisionStatementType"/> <complexType name="AuthorizationDecisionStatementType"> <complexContent> <extension base="saml:StatementAbstractType"> <sequence> <element ref="xacml-context:Response" /> <element ref="xacml-context:Request" minOccurs="0"/> </sequence> </extension> </complexContent> </complexType> 2.4.4.2 Element <Evidence> Replace line 819 with: <saml2:Assertion> Replace line 830 with: <element ref="saml2:Assertion> 3.2.2 Element <Request> Insert after line 991: <saml2p:AuthorizationDecisionQuery> Makes a query for an authorization decision using the SAML 2.0 format. Insert after line 1006: <element ref="samlp2:AuthorizationDecisionQuery"/> 3.3.5 Element <AuthorizationDecisionQuery> Replace lines 1110-1136 (entire section) with: The <samlp2:AuthorizationDecisionQuery> element is used to make the query "Should these actions on this resource be allowed for this subject or subjects?" A successful response will be in the form of an assertion containing an AuthorizationDecisionStatement. This element is of type AuthorizationDecisionQueryType, which extends QueryAbstractType with the addition of the following element and attributes: xacml-context:Request [Required] A description of the authorization request. The value is of the xacml-context:Request type. InputContextOnly [Required] If this attribute is TRUE, the authorization decision MUST be made solely on the basis of information contained in the AuthorizationDecisionQuery; no external attributes are to be used. If FALSE, the authorization decision MAY be made on the basis of external attributes not contained in the AuthorizationDecisionQuery. ReturnContext [Required] If this attribute is TRUE, the AuthorizationDecisionStatement returned MUST include the XACML Attributes used to make the authorization decision in the form of an xacml-context:Request; additional XACML Attributes MAY be included in the returned xacml-context:Request. If this attribute is FALSE, the AuthorizationDecisionStatement returned MUST NOT include an xacml-context:Request. The following schema fragment defines the <AuthorizationDecisionQuery> element and its AuthorizationDecisionQueryType complex type: <element name="AuthorizationDecisionQuery" type="samlp2:AuthorizationDecisionQueryType"/> <complexType name="AuthorizationDecisionQueryType"> <complexContent> <extension base="samlp:QueryAbstractType"> <sequence> <element ref="xacml-context:Request" /> </sequence> <attribute name="InputContextOnly" type="boolean" use="required"/> <attribute name="ReturnContext" type="boolean" use="required"/> </extension> </complexContent> </complexType> 3.4.2 Element <Response> Replace line 1185 with: <saml2:Assertion> [Any Number] (see Section 2.3.2) Specifies an assertion by value. Replace line 1194 with: <element ref="saml2:Assertion" minOccurs="0"
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]