FW: SAML AI 0076 - XACML Policy Transport

["Hal Lockhart" <hlockhar@bea.com>]

I just posted this to the SSTC list. Comments from the XACML TC are more
than welcome. Since the XACML TC F2F is before the SAML F2F, I will try to
get a reading on today's call as to whether they will pursue this work item.

Hal

-----Original Message-----
From: Hal Lockhart [mailto:hlockhar@bea.com]
Sent: Tuesday, October 14, 2003 11:18 AM
To: security-services@lists.oasis-open.org
Subject: AI 0076 - XACML Policy Transport


I thought at least some of this had been previously proposed within the
XACML TC, but I can find no evidence for this. Therefore, this should be
considered as coming from me as an individual. I will cross post it to the
XACML list for comment.

The basic idea of this proposal is twofold:

1) wrap an XACML <Policy> or <PolicySet> in a SAML statement so as to
provide a common framework for header elements (version, issuer, validity
interval, signature, etc.)

2) provide a SAML mechanism to retrieve policies by identifier or by
<Target> evaluation.

----------------------------------------------------------------------------
----------------
The issue that needs to be decided first is whether this work should be done
within the SSTC or the XACML TC. I do not see any strong argument either
way. Since the work consists of extensions to the SAML schemas, it seems to
me that the SSTC should have the right of "first refusal."
----------------------------------------------------------------------------
----------------

Details:

A. XACML Policy Statement

Define a new SAML Statement Type:

<XACMLPolicyStatement> which inherits from StatementAbstractType (not from
<SubjectStatementAbstractType>)

It can contain either an XACML <PolicySet> or <Policy>

B. XACML Policy Query

Define two new SAML Query Types:

<XACMLPolicyIdQuery>

<XACMLPolicyTargetQuery>

All inherit from <QueryAbstractType>

The <XACMLPolicyIdQuery> contains one or more <PolicyId> or <PolicySetId>
values. The response would return the matching Policies or PolicySets, if
available.

The <XACMLPolicyTargetQuery> contains an XACML request context which needs
to only include the Subject, Resource and Action elements to be considered
for policy Target matching. The response would return zero or more Policies
or PolicySets which are potentially applicable to the decision. The
responder could chose to match on some target elements and ignore others,
but it would be required to return every potentially applicable policy or
policyset it has. In other words, it can return a superset, but not a subset
of the policies applicable to the decision.

The existing SAML <Response> would be used to return an assertion containing
XACML Policies and/or PolicySets as specified by the query.

Note that the existing SAML <AssertionIdReference> could also be used to
request an Assertion containing XACML POlicies, but this seems less likely
to be useful than the Policy Id query.

Hal