[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: XACML/OGSA SAML AuthzDecisionQuery/Resp Working Session 21 Aug
Colleagues,
We need an agenda of items to cover at our 21 August meeting in
order to use the time productively. I propose the following: use
the current XACML proposal (attached) as a base, with changes or
additions needed to support the OGSA requirements as issues to be
resolved. I have started a list of the OGSA requirements that
are not met by the existing XACML proposal below. We can decide
on the order in which to start addressing these at the meeting.
We won't get to all of them, but we can make a start.
Note that changes might involve the SAML
AuthzDecisionQuery/Response wrapper, the XACML Request/Response
payload, or other protocols, new or existing.
Any other suggestions?
-Anne Anderson
I use "attribute" to mean the same thing (I hope) as
"credential". [x] indicates a proposed solution at the bottom.
- decision push mode: any changes needed to support this?
- attribute pull mode (PDP pulls initiator's attributes from
some other authority)
o Way for client to provide pointer to the authorization
service, giving it a hint where to find attributes
- Multi-step authorization
o Way for a set of attributes to be collected for a given
subject and re-used in a sequence of subsequent
AuthorizationDecisionQueries. Where is this state
maintained?
o Format for such a collection of attributes (a skeleton XACML
Request?)
- Linking an AuthorizationDecision to the set of information
contained in the Query to which it is a response.
o Is XACML proposal option for including the entire Request in
the AuthzDecision sufficient? Does the unique ID in the SAML
AuthorizationDecisionQuery need to be included in the
AuthzDecision? Does each XACML Request need its own unique
ID?
- Multiple actions in a single request. [1,2]
o Is Decision all-or-nothing? or a separate decision for each
action? If separate, how do decisions specify action to
which they pertain?
- Multiple resources in a single request. [1,2]
o Is Decision all-or-nothing? or a separate decision for each
resource? If separate, how do decisions specify action to
which they pertain? (XACML already supports multiple
resources in a decision, but not in a Request).
- Decisions where not all information was available. How to
indicate that SAML Decision contains Conditions that must also
be satisfied. Format for those Conditions (XACML Policy?) [3]
- #X509SubjectName DataType: will XACML support this as a base
DataType? If so, will it replace the current XACML x500Name
DataType? Are comparison semantics the same?
- Returning subject's rights to all resources of which the PDP is
aware (wildcard resource URI).
- Returning subject's rights to take all actions that apply to a
specified resource.
Possible solutions:
[1] Multiple Actions, Associate Actions with Resource: It might be
useful for the XACML Request to be of the form
Subject Attributes
Requested Permission 1
Resource
Resource Attributes
Action
Action Attributes
Requested Permission 2
...
where each Requested Permission contains a resource and an
action, along with their attributes. The XACML Response
should then be modified to return a Decision for each
"Requested Permission", identifying the "Requested
Permission". This would meet the need that various users have
expressed for multiple actions, or for getting multiple
decisions per Request. [It does not solve the Hierarchical
Resource problems, but certainly does not make them worse :-)]
The evaluation model would be to run the current evaluation
model once for each Requested Permission.
[2] Semantics for multiple resources and/or actions might be
specified as: PDP runs the current evaluation engine once for
each resource/action pair. Depending on a flag set by the PEP,
either a single decision is returned ("Permit" only if every
resource/action pair evaluated to "Permit") or a separate
decision is returned for each, using existing XACML Response
multiple-decision format, but specifying action-id as well as
resource-id to which each decision applies.
[3] Partial Evaluation: It might be useful to define "partial
evaluation" for XACML, both for debugging purposes and for
applications such as returning "Conditions". By "partial
evaluation", I mean using all available attributes to resolve
and factor out predicates that can be eliminated, leaving a
Policy that that contains only predicates that depend on
unavailable attributes. For example, if the Rule is:
<Rule Effect="Permit">
<Condition FunctionId="and">
<Apply FunctionId="string-equals">
<AttributeValue>X</AttributeValue>
<SubjectAttributeDesignator AttrId="subject-id">
</Apply>
<Apply FunctionId="string-equals">
<AttributeValue>Y</AttributeValue>
<ResourceAttributeDesignator AttrId="resource-id">
</Apply>
</Condition>
</Rule>
and a Resource Attribute for resource-id with value "Y" is
supplied, but there is no subject-id attribute available, then
the Rule, given the input Context, simplifies to
<Rule Effect="Permit">
<Condition FunctionId="string-equals">
<AttributeValue>X</AttributeValue>
<SubjectAttributeDesignator AttrId="subject-id">
</Condition>
</Rule>
I can think of lots of problems in defining useful "partial
evaluation" rules, but I can also think of lots of useful
cases.
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
Title: Changes to SAML Specification for XACML-Compatible Authorization
Authors: Anne Anderson, Hal Lockhart, Simon Godik
Version: 1.4, 03/04/03 (yy/mm/dd)
Approved by XACML TC on 3 April 2003 for submitting to SSTC.
Description: This document contains recommended changes to
"Assertions and Protocol for the OASIS Security Assertion Markup
Language (SAML)" (OASIS Standard, 5 November 2002) to utilize the
XACML Request and Response Context formats for authorization
decisions. The associated changes recommended to the SAML
Assertion and Protocol schemas that are appended to this
document.
These changes are being proposed for inclusion in SAML 2.0.
In order to distinguish SAML 2.0 XACML-Compatible elements from
the corresponding SAML 1.0 elements with the same name, the
recommended SAML 2.0 names are prefixed with "XC". The SSTC
should change these names as appropriate.
The QName "xacml-context" refers to
"urn:oasis:names:tc:xacml:1.0:context", which is associated with
the schema "cs-xacml-schema-context-01.xsd" located in the OASIS
XACML TC Repository. See
http://www.oasis-open.org/committees/xacml for links.
2.3.2 Element <XCAssertion>
Insert after line 403:
<saml2:XCAuthorizationDecisionStatement>
An authorization decision statement in the SAML 2.0 format,
containing an authorization decision in a format compatible
with the OASIS XACML Version 1.0 Standard.
Insert after line 416:
<element ref="saml2:XCAuthorizationDecisionStatement"/>
2.3.2.2 Element <XCAdvice>
Replace line 533 with:
<element name="XCAdvice" type="saml2:XCAdviceType"/>
Replace line 537 with:
<element ref="saml2:XCAssertion"/>
2.4.4 Element <XCAuthorizationDecisionStatement>
Replace lines 738-795 (entire section) with:
The <XCAuthorizationDecisionStatement> element supplies a
statement by the issuer that the request for access by the
specified subject or subjects to perform the specified action
on the specified resource has resulted in the specified
decision. The decision is in the form of an
xacml-context:Response.
The <XCAuthorizationDecisionStatement> optionally contains a
description of the context in which the decision was made, in
the form of an xacml-context:Request. This context may include
only the information used in making the authorization decision,
or may include additional information. This is
implementation-dependent.
See OASIS eXtensible Access Control Markup Language (XACML)
Version 1.0 for a description of the elements in an
xacml-context:Response or xacml-context:Request.
The <XCAuthorizationDecisionStatement> element is of type
saml2:XCAuthorizationDecisionStatementType, which extends
StatementAbstractType with the addition of the following
elements (in order) and attributes:
xacml-context:Response [Required]
The decision rendered by the issuer with respect to an
authorization decision query. The value is of the
xacml-context:Response type.
xacml-context:Request [Optional]
The information used to make the authorization decision.
If the XCAuthorizationDecisionRequest "ReturnContext"
attribute is TRUE, then this element MUST be supplied and
MUST include all XACML Attributes used in making the
authorization decision, whether supplied in the original
XCAuthorizationDecisionQuery or obtained from external
sources. The xacml-context:Request MAY include additional
XACML Attributes that were not used in making the
authorization decision.
If the XCAuthorizationDecisionRequest "ReturnContext"
attribute is FALSE, then this element MUST NOT be supplied.
The following schema fragment defines the
<XCAuthorizationDecisionStatement> element and its
XCAuthorizationDecisionStatementType complex type:
<element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/>
<complexType name="XCAuthorizationDecisionStatementType">
<complexContent>
<extension base="saml:StatementAbstractType">
<sequence>
<element ref="xacml-context:Response" />
<element ref="xacml-context:Request" minOccurs="0"/>
</sequence>
</extension>
</complexContent>
</complexType>
2.4.4.2 Element <XCEvidence>
Replace line 819 with:
<saml2:XCAssertion>
Replace line 830 with:
<element ref="saml2:XCAssertion>
3.2.2 Element <XCRequest>
Insert after line 991:
<saml2p:XCAuthorizationDecisionQuery>
Makes a query for an authorization decision using the SAML
2.0 format.
Insert after line 1006:
<element ref="samlp2:XCAuthorizationDecisionQuery"/>
3.3.5 Element <XCAuthorizationDecisionQuery>
Replace lines 1110-1136 (entire section) with:
The <samlp2:XCAuthorizationDecisionQuery> element is used to make
the query "Should these actions on this resource be allowed for
this subject or subjects?" A successful response will be in
the form of an assertion containing an
XCAuthorizationDecisionStatement. This element is of type
XCAuthorizationDecisionQueryType, which extends QueryAbstractType
with the addition of the following element and attributes:
xacml-context:Request [Required]
A description of the authorization request. The value is of
the xacml-context:Request type.
InputContextOnly [Required]
If this attribute is TRUE, the authorization decision MUST
be made solely on the basis of information contained in the
XCAuthorizationDecisionQuery; no external attributes are to be
used. If FALSE, the authorization decision MAY be made on
the basis of external attributes not contained in the
XCAuthorizationDecisionQuery.
ReturnContext [Required]
If this attribute is TRUE, the
XCAuthorizationDecisionStatement returned MUST include the
XACML Attributes used to make the authorization decision in
the form of an xacml-context:Request; additional XACML
Attributes MAY be included in the returned
xacml-context:Request. If this attribute is FALSE, the
XCAuthorizationDecisionStatement returned MUST NOT include an
xacml-context:Request.
The following schema fragment defines the
<XCAuthorizationDecisionQuery> element and its
XCAuthorizationDecisionQueryType complex type:
<element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/>
<complexType name="XCAuthorizationDecisionQueryType">
<complexContent>
<extension base="samlp:QueryAbstractType">
<sequence>
<element ref="xacml-context:Request" />
</sequence>
<attribute name="InputContextOnly" type="boolean" use="required"/>
<attribute name="ReturnContext" type="boolean" use="required"/>
</extension>
</complexContent>
</complexType>
3.4.2 Element <Response>
Replace line 1185 with:
<saml2:XCAssertion> [Any Number] (see Section 2.3.2)
Specifies an assertion by value.
Replace line 1194 with:
<element ref="saml2:XCAssertion" minOccurs="0"
======================================================================================
SAML Assertion Schema Changes
======================================================================================
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema"; elementFormDefault="unqualified">
<import namespace="http://www.w3.org/2000/09/xmldsig#"; schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
<import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/>
<import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/>
<annotation>
<documentation>
Document identifier: oasis-sstc-saml-schema-assertion-2.0
Location:
</documentation>
</annotation>
<element name="XCAssertion" type="saml2:XCAssertionType"/>
<complexType name="XCAssertionType">
<sequence>
<element ref="saml:Conditions" minOccurs="0"/>
<element ref="saml2:XCAdvice" minOccurs="0"/>
<choice maxOccurs="unbounded">
<element ref="saml:Statement"/>
<element ref="saml:SubjectStatement"/>
<element ref="saml:AuthenticationStatement"/>
<element ref="saml:AuthorizationDecisionStatement"/>
<element ref="saml2:XCAuthorizationDecisionStatement"/>
<element ref="saml:AttributeStatement"/>
</choice>
<element ref="ds:Signature" minOccurs="0"/>
</sequence>
<attribute name="MajorVersion" type="integer" use="required"/>
<attribute name="MinorVersion" type="integer" use="required"/>
<attribute name="AssertionID" type="saml:IDType" use="required"/>
<attribute name="Issuer" type="string" use="required"/>
<attribute name="IssueInstant" type="dateTime" use="required"/>
</complexType>
<element name="XCAdvice" type="saml2:XCAdviceType"/>
<complexType name="XCAdviceType">
<choice minOccurs="0" maxOccurs="unbounded">
<element ref="saml:AssertionIDReference"/>
<element ref="saml2:XCAssertion"/>
<any namespace="##other" processContents="lax"/>
</choice>
</complexType>
<element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/>
<complexType name="XCAuthorizationDecisionStatementType">
<complexContent>
<extension base="saml:StatementAbstractType">
<sequence>
<element ref="xacml-context:Response" />
<element ref="xacml-context:Request" minOccurs="0"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="XCEvidence" type="saml2:XCEvidenceType"/>
<complexType name="XCEvidenceType">
<choice maxOccurs="unbounded">
<element ref="saml:AssertionIDReference"/>
<element ref="saml2:XCAssertion"/>
</choice>
</complexType>
</schema>
======================================================================================
SAML Protocol Schema Changes
======================================================================================
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v4.2 U (http://www.xmlspy.com) by Phillip Hallam-Baker (Phillip Hallam-Baker) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema"; elementFormDefault="unqualified">
<import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/>
<import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="oasis-sstc-saml-schema-assertion-2.0.xsd"/>
<import namespace="urn:oasis:names:tc:SAML:1.0:protocol" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-protocol-1.0.xsd"/>
<import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/>
<annotation>
<documentation>
Document identifier: oasis-sstc-saml-schema-protocol-2.0
Location:
</documentation>
</annotation>
<element name="XCRequest" type="samlp2:XCRequestType"/>
<complexType name="XCRequestType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<choice>
<element ref="samlp:Query"/>
<element ref="samlp:SubjectQuery"/>
<element ref="samlp:AuthenticationQuery"/>
<element ref="samlp:AttributeQuery"/>
<element ref="samlp:AuthorizationDecisionQuery"/>
<element ref="samlp2:XCAuthorizationDecisionQuery"/>
<element ref="saml:AssertionIDReference" maxOccurs="unbounded"/>
<element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/>
</choice>
</extension>
</complexContent>
</complexType>
<element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/>
<complexType name="XCAuthorizationDecisionQueryType">
<complexContent>
<extension base="samlp:QueryAbstractType">
<sequence>
<element ref="xacml-context:Request" />
</sequence>
<attribute name="InputContextOnly" type="boolean" use="required"/>
<attribute name="ReturnContext" type="boolean" use="required"/>
</extension>
</complexContent>
</complexType>
<element name="XCResponse" type="samlp2:XCResponseType"/>
<complexType name="XCResponseType">
<complexContent>
<extension base="samlp:ResponseAbstractType">
<sequence>
<element ref="samlp:Status"/>
<element ref="saml2:XCAssertion" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</extension>
</complexContent>
</complexType>
</schema>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]