[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: XACML/OGSA SAML 2.0 Requirements, v1.8
Colleagues, Attached are the joint XACML/OGSA SAML 2.0 requirements presented at the SAML Face-to-Face 10 Sept. This final version of the requirements was agreed on during a working session between XACML TC and OGSA representatives held at the SAML Face-to-Face Tuesday afternoon 9 Sept. Hal, can you pass these on to the SSTC mailing list? Anne -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
Proposed SAML 2.0 Changes from XACML TC and OGSA
Editor: Anne Anderson <Anne.Anderson@sun.com>
Version: 1.8, 03/09/10 (yy/mm/dd)
================
Terms used below
================
Query = SAML AuthorizationDecisionQuery
Decision = SAML AuthorizationDecisionStatement in the Response to the
Query
Input = XACML Request Context
Output = XACML Response Context
Policy = XACML Policy and PolicySet schema instances
===========
Open Issues
===========
1. Layering for Status: SAML-level or XACML-level or both
2. XACML vs SAML schema namespace: where are extensions applied
3. Naming of Attributes - SAML 2-part names, XACML 1-part name
4. Where XACML Obligations go when carried in a SAML Response;
specific semantics of SAML Condition vs. XACML Obligation
===================================
XACML-related SAML Work Item Owners
===================================
W-28A Rebekah Lepro
W-28B Hal Lockhart
W-28C Hal Lockhart
W-28D Rebekah Lepro
Each abstract requirement below is tagged with its corresponding
SAML Work Item identifier.
=====================================================================
A. Abstract Requirements for SAML AuthorizationDecisionQuery/Response
=====================================================================
1. A way to pass an XACML Input in the SAML Query, and an XACML
Output in the SAML Decision. [W-28C]
These new SAML Query and Decision types should not extend SAML
SubjectQueryAbstractType and SubjectStatementAbstractType because
the SAML Subject element is redundant and inconsistent with XACML
Subject information in the XACML Input and Output.
The requirements are:
a) Make the SAML Query and Decision more compatible with the XACML
Input and Output.
b) Allow a SAML Decision to include the validated Attribute
Identifiers and values that were used by the PDP in making the
authorization decision.
2. A way to return an XACML Input as part of the SAML Decision, and
a flag in the SAML Query to indicate whether an XACML Input is to
be returned as part of the SAML Decision. [W-28C]
The returned XACML Input need not match the XACML Input passed
in the SAML Query - it can be pruned or augmented by the PDP.
Nevertheless, it MUST contain at least all attribute values
submitted as part of the SAML Query that were used by the PDP in
evaluating the input XACML Input against applicable policies.
3. XACML Input and Output must be usable separately from the SAML
Query and Decision wrappers. [W-28C]
They must be self-contained as far as PEP<->PDP level of
communication is concerned. I.e. if the PEP and PDP already have a
secure authenticated channel, the XACML Input and Output
formats must be usable in their native form.
===================================
B. Other Abstract SAML Requirements
===================================
1. Associate a DataType with an Issuer name, such that the name
can be determined to be a string, an X.500 Distinguished Name,
etc. [W-28D]
2. Better correspondence between SAML Attribute format and XACML
Input Attribute format. [W-28A]
The requirement is to allow SAML Attributes to be translated
into XACML Input Attributes mechanically and easily. Current
differences include:
a) One SAML Attribute can have multiple AttributeValue elements,
whereas an XACML Attribute has a single AttributeValue element
with "any" type (allowing the single AttributeValue to be a
sequence of values if appropriate).
b) SAML Attribute has a "name qualifier" XML attribute, whereas the
XACML Attribute does not.
Additional problematic differences are to be submitted by Rebekah
Lepro, who has been writing code to do such translations.
3. A new SAML Policy Statement syntax. [W-28B]
The requirement is to allow a policy issuer (Policy Administration
Point) to state and sign an XACML Policy.. The XACML TC may be
responsible for defining such a syntax.
4. A new SAML Policy Query syntax. [W-28B]
The requirement is to allow a PDP to request an XACML Policy by its
Policy[Set]Id from an on-line Policy Administration Point (PAP).
=============================================================
C. Requirements to be satisfied by [changes to ]XACML schemas
=============================================================
Current XACML 2.0 Work Items are available in
http://lists.oasis-open.org/archives/xacml/200309/msg00014.html
1. A way to provide hints in an XACML Input and in an XACML Policy
on where the PDP should locate Attribute values.
[XACML 2.0 Work Item #2]
2. A way in an XACML Policy to specify requirements on the issuer of
an Attribute Assertion used in the XACML policy. [Define and use a
new XACML SubjectCategory identifier?] [Related to W-28D]
=======================================================
D. Suggested SAML Assertion Schema Changes [incomplete]
=======================================================
Note: This is an early draft that has not been completely reviewed
against the current list of requirements. It is included here merely
as an example that may help clarify what XACML and OGSA have in mind.
In order to distinguish SAML 2.0 XACML-Compatible elements from
the corresponding SAML 1.0 elements with the same name, the
recommended SAML 2.0 names are prefixed with "XC". The SSTC
should change these names as appropriate.
The QName "xacml-context" refers to
"urn:oasis:names:tc:xacml:1.0:context", which is associated with
the schema "cs-xacml-schema-context-01.xsd" located in the OASIS
XACML TC Repository. See
http://www.oasis-open.org/committees/xacml for links.
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by Phill Hallam-Baker (VeriSign Inc.) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema"; elementFormDefault="unqualified">
<import namespace="http://www.w3.org/2000/09/xmldsig#"; schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
<import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/>
<import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/>
<annotation>
<documentation>
Document identifier: oasis-sstc-saml-schema-assertion-2.0
Location:
</documentation>
</annotation>
<element name="XCAssertion" type="saml2:XCAssertionType"/>
<complexType name="XCAssertionType">
<sequence>
<element ref="saml:Conditions" minOccurs="0"/>
<element ref="saml2:XCAdvice" minOccurs="0"/>
<choice maxOccurs="unbounded">
<element ref="saml:Statement"/>
<element ref="saml:SubjectStatement"/>
<element ref="saml:AuthenticationStatement"/>
<element ref="saml:AuthorizationDecisionStatement"/>
<element ref="saml2:XCAuthorizationDecisionStatement"/>
<element ref="saml:AttributeStatement"/>
</choice>
<element ref="ds:Signature" minOccurs="0"/>
</sequence>
<attribute name="MajorVersion" type="integer" use="required"/>
<attribute name="MinorVersion" type="integer" use="required"/>
<attribute name="AssertionID" type="saml:IDType" use="required"/>
<attribute name="Issuer" type="string" use="required"/>
<attribute name="IssueInstant" type="dateTime" use="required"/>
</complexType>
<element name="XCAdvice" type="saml2:XCAdviceType"/>
<complexType name="XCAdviceType">
<choice minOccurs="0" maxOccurs="unbounded">
<element ref="saml:AssertionIDReference"/>
<element ref="saml2:XCAssertion"/>
<any namespace="##other" processContents="lax"/>
</choice>
</complexType>
<element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/>
<complexType name="XCAuthorizationDecisionStatementType">
<complexContent>
<extension base="saml:StatementAbstractType">
<sequence>
<element ref="xacml-context:Response" />
<element ref="xacml-context:Request" minOccurs="0"/>
</sequence>
</extension>
</complexContent>
</complexType>
<element name="XCEvidence" type="saml2:XCEvidenceType"/>
<complexType name="XCEvidenceType">
<choice maxOccurs="unbounded">
<element ref="saml:AssertionIDReference"/>
<element ref="saml2:XCAssertion"/>
</choice>
</complexType>
</schema>
======================================================
E. Suggested SAML Protocol Schema Changes [incomplete]
======================================================
Note: This is an early draft that has not been completely reviewed
against the current list of requirements. It is included here merely
as an example that may help clarify what XACML and OGSA have in mind.
In order to distinguish SAML 2.0 XACML-Compatible elements from
the corresponding SAML 1.0 elements with the same name, the
recommended SAML 2.0 names are prefixed with "XC". The SSTC
should change these names as appropriate.
The QName "xacml-context" refers to
"urn:oasis:names:tc:xacml:1.0:context", which is associated with
the schema "cs-xacml-schema-context-01.xsd" located in the OASIS
XACML TC Repository. See
http://www.oasis-open.org/committees/xacml for links.
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v4.2 U (http://www.xmlspy.com) by Phillip Hallam-Baker (Phillip Hallam-Baker) -->
<schema targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns="http://www.w3.org/2001/XMLSchema"; elementFormDefault="unqualified">
<import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-assertion-1.0.xsd"/>
<import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="oasis-sstc-saml-schema-assertion-2.0.xsd"/>
<import namespace="urn:oasis:names:tc:SAML:1.0:protocol" schemaLocation="http://www.oasis-open.org/committees/security/docs/oasis-sstc-saml-schema-protocol-1.0.xsd"/>
<import namespace="urn:oasis:names:tc:xacml:1.0:context" schemaLocation="http://www.oasis-open.org/committees/xacml/repository/cs-xacml-schema-context-01.xsd"/>
<annotation>
<documentation>
Document identifier: oasis-sstc-saml-schema-protocol-2.0
Location:
</documentation>
</annotation>
<element name="XCRequest" type="samlp2:XCRequestType"/>
<complexType name="XCRequestType">
<complexContent>
<extension base="samlp:RequestAbstractType">
<choice>
<element ref="samlp:Query"/>
<element ref="samlp:SubjectQuery"/>
<element ref="samlp:AuthenticationQuery"/>
<element ref="samlp:AttributeQuery"/>
<element ref="samlp:AuthorizationDecisionQuery"/>
<element ref="samlp2:XCAuthorizationDecisionQuery"/>
<element ref="saml:AssertionIDReference" maxOccurs="unbounded"/>
<element ref="samlp:AssertionArtifact" maxOccurs="unbounded"/>
</choice>
</extension>
</complexContent>
</complexType>
<element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/>
<complexType name="XCAuthorizationDecisionQueryType">
<complexContent>
<extension base="samlp:QueryAbstractType">
<sequence>
<element ref="xacml-context:Request" />
</sequence>
<attribute name="ReturnContext" type="boolean" use="required"/>
</extension>
</complexContent>
</complexType>
<element name="XCResponse" type="samlp2:XCResponseType"/>
<complexType name="XCResponseType">
<complexContent>
<extension base="samlp:ResponseAbstractType">
<sequence>
<element ref="samlp:Status"/>
<element ref="saml2:XCAssertion" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
</extension>
</complexContent>
</complexType>
</schema>
===============================================
F. Suggested Specification Changes [incomplete]
===============================================
Changes to "Assertions and Protocol for the OASIS Security
Assertion Markup Language (SAML)" (OASIS Standard, 5 November
2002) to utilize the XACML Request and Response Context formats
for authorization decisions. These are associated with the
schema changes listed in sections C and D.
Note: This is an early draft that has not been brought up to date with
the current list of requirements. It is included here merely as an
example that may help clarify what XACML and OGSA have in mind.
In order to distinguish SAML 2.0 XACML-Compatible elements from
the corresponding SAML 1.0 elements with the same name, the
recommended SAML 2.0 names are prefixed with "XC". The SSTC
should change these names as appropriate.
The QName "xacml-context" refers to
"urn:oasis:names:tc:xacml:1.0:context", which is associated with
the schema "cs-xacml-schema-context-01.xsd" located in the OASIS
XACML TC Repository. See
http://www.oasis-open.org/committees/xacml for links.
2.3.2 Element <XCAssertion>
Insert after line 403:
<saml2:XCAuthorizationDecisionStatement>
An authorization decision statement in the SAML 2.0 format,
containing an authorization decision in a format compatible
with the OASIS XACML Version 1.0 Standard.
Insert after line 416:
<element ref="saml2:XCAuthorizationDecisionStatement"/>
2.3.2.2 Element <XCAdvice>
Replace line 533 with:
<element name="XCAdvice" type="saml2:XCAdviceType"/>
Replace line 537 with:
<element ref="saml2:XCAssertion"/>
2.4.4 Element <XCAuthorizationDecisionStatement>
Replace lines 738-795 (entire section) with:
The <XCAuthorizationDecisionStatement> element supplies a
statement by the issuer that the request for access by the
specified subject or subjects to perform the specified action
on the specified resource has resulted in the specified
decision. The decision is in the form of an
xacml-context:Response.
The <XCAuthorizationDecisionStatement> optionally contains a
description of the context in which the decision was made, in the
form of an xacml-context:Request. This context, if included, MUST
include all XACML Attributes submitted as part of the
<XCAuthorizationDecisionQuery> that were used by the PDP in making
the authorization decision. It may include additional information.
This is implementation-dependent.
See OASIS eXtensible Access Control Markup Language (XACML)
Version 1.0 for a description of the elements in an
xacml-context:Response or xacml-context:Request.
The <XCAuthorizationDecisionStatement> element is of type
saml2:XCAuthorizationDecisionStatementType, which extends
StatementAbstractType with the addition of the following
elements (in order) and attributes:
xacml-context:Response [Required]
The decision rendered by the issuer with respect to an
authorization decision query. The value is of the
xacml-context:Response type.
xacml-context:Request [Optional]
The information used to make the authorization decision.
If the XCAuthorizationDecisionQuery "ReturnContext" attribute is
TRUE, then this element MUST be supplied and MUST include all
XACML Attributes submitted as part of the
XCAuthorizationDecisionQuery that were used by the PDP in making
the authorization decision. The xacml-context:Request MAY
include additional XACML Attributes that were not used in making
the authorization decision.
If the XCAuthorizationDecisionRequest "ReturnContext"
attribute is FALSE, then this element MUST NOT be supplied.
The following schema fragment defines the
<XCAuthorizationDecisionStatement> element and its
XCAuthorizationDecisionStatementType complex type:
<element name="XCAuthorizationDecisionStatement" type="saml2:XCAuthorizationDecisionStatementType"/>
<complexType name="XCAuthorizationDecisionStatementType">
<complexContent>
<extension base="saml:StatementAbstractType">
<sequence>
<element ref="xacml-context:Response" />
<element ref="xacml-context:Request" minOccurs="0"/>
</sequence>
</extension>
</complexContent>
</complexType>
2.4.4.2 Element <XCEvidence>
Replace line 819 with:
<saml2:XCAssertion>
Replace line 830 with:
<element ref="saml2:XCAssertion>
3.2.2 Element <XCRequest>
Insert after line 991:
<saml2p:XCAuthorizationDecisionQuery>
Makes a query for an authorization decision using the SAML
2.0 format.
Insert after line 1006:
<element ref="samlp2:XCAuthorizationDecisionQuery"/>
3.3.5 Element <XCAuthorizationDecisionQuery>
Replace lines 1110-1136 (entire section) with:
The <samlp2:XCAuthorizationDecisionQuery> element is used to make
the query "Should these actions on this resource be allowed for
this subject or subjects?" A successful response will be in
the form of an assertion containing an
XCAuthorizationDecisionStatement. This element is of type
XCAuthorizationDecisionQueryType, which extends QueryAbstractType
with the addition of the following element and attributes:
xacml-context:Request [Required]
A description of the authorization request. The value is of
the xacml-context:Request type.
ReturnContext [Required]
If this attribute is TRUE, the XCAuthorizationDecisionStatement
returned MUST include all XACML Attributes submitted as part of
the AuthorizationDecisionQuery that were used to make the
authorization decision, and MAY include other XACML Attributes.
These XACML Attributes are returned in the form of an
xacml-context:Request. If this attribute is FALSE, the
XCAuthorizationDecisionStatement returned MUST NOT include an
xacml-context:Request.
The following schema fragment defines the
<XCAuthorizationDecisionQuery> element and its
XCAuthorizationDecisionQueryType complex type:
<element name="XCAuthorizationDecisionQuery" type="samlp2:XCAuthorizationDecisionQueryType"/>
<complexType name="XCAuthorizationDecisionQueryType">
<complexContent>
<extension base="samlp:QueryAbstractType">
<sequence>
<element ref="xacml-context:Request" />
</sequence>
<attribute name="ReturnContext" type="boolean" use="required"/>
</extension>
</complexContent>
</complexType>
3.4.2 Element <Response>
Replace line 1185 with:
<saml2:XCAssertion> [Any Number] (see Section 2.3.2)
Specifies an assertion by value.
Replace line 1194 with:
<element ref="saml2:XCAssertion" minOccurs="0"
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]