

Subject: Re: Timing of the XACML/SAML profile(s) of SAML/XACML. Forwarded message from Anne Anderson.


This is the message I sent to Eve in response to her query about
SAML profiles and XACML.

Anne
--- Begin Message ---
On 12 May, Eve L. Maler writes: Timing of the XACML/SAML profile(s) of SAML/XACML
 > Hi Anne-- I took an action in yesterday's SSTC meeting to ask you about 
 > the ongoing work on the (I think) SAML profile of XACML.  Hal made it 
 > sound like there were two things being developed, but I couldn't tell 
 > which would be for what purpose.  Here's my guess:

You are pretty close.  I've elaborated below.  Your names "A
profile of B" are sort of the opposite of what we have been
using, but that is OK so long as we know what each profile will
include, where it will be progressed, and who is the audience for
it.

 > 
 > - SAML profile of XACML?

Profile for how to use SAML in XACML systems

 >    A profile of XACML, owned by the XACML TC, that explains how
 >    to use a subset of XACML attribute features that map well to
 >    SAML attributes?

For XACML developers and users, describes how to use SAML to
provide functionality needed by XACML systems:

 o Retrieval of Attributes
 o Retrieval of policies
 o Assertion formats that can be signed for
    - Attributes
    - XACML Requests, Responses
    - XACML policies

A draft of this document exists and is linked from the XACML TC
web page in the "XACML TC Working Drafts" section.

  # XACML Profile for SAML:
    http://www.oasis-open.org/committees/download.php/5854/wd-xacml-saml-profile-02.pdf

This is currently blocked on SAML's progress:

 o We already have draft schema extensions for policy
   query/response and for XACML versions of authz decision
   query/response, but can't finalize them until we know how SAML
   2.0 can best be extended with our additions.

 o For Attribute retrieval and assertion formats, we are waiting
   for SAML 2.0 definitions of its formats, the meta-data stuff,
   etc.  We are not planning extensions here, just a link to the
   second profile (below) with a description of the process for
   mapping SAML Attributes to XACML Attributes.

 > - XACML profile of SAML?
 >    A profile of SAML, to be drafted by the XACML TC and submitted
 >    to the SSTC for consideration to be included in the SAML spec
 >    suite, that provides the XACML-compatible portion of our
 >    planned Baseline Attributes work?

Profile for the generation of SAML Attributes that are usable by
XACML systems

We don't have a draft of this yet, but here is a description.

For developers of systems that will be generating Attributes in
SAML formats that need to work with XACML.  This document will
apply only to SAML Attributes.  It will be very short:

  o Describe a DataType field/XML attribute for Attribute
    meta-data or <Attribute> itself.  This is "anyURI", and we
    will link to the XACML 1.0, 1.1, and 2.0 specifications for
    the definition of the values that may be used and their
    associated semantics.

  o Specify that any aggregation attributes used (Source, etc.)
    must be profiled specifically for XACML so an XACML system
    will know how to map the combination of the aggregation
    attributes and the Attribute identity attributes to a single
    XACML Attribute Identifier.

  o This document will be referenced from the previous profile.

 > The specific question I was supposed to ask you had to do with the 
 > timing of the one that's intended to be submitted to the SSTC.  Since 
 > our V2.0 design work is rapidly coming to a close, any submission might 
 > not get into the V2.0 release if it doesn't come really soon, but if it's 
 > a "profile of SAML", it can be published separately in a variety of 
 > different ways.

I don't see why either of these has to come out along with SAML
2.0, although the second one could profitably be submitted as
part of the SAML 2.0 "package" to OASIS for "standard" approval.

I volunteered to do this, and will, and it will be quick to do
once I start, but it is about 3 items down on my to-do list, and
probably will not be started until week after next.

 > But as you can see, I have a lot of other questions before I can 
 > understand any answer to this one!
 > 
 > Thanks,
 > 
 > 	Eve
 > -- 
 > Eve Maler                                        +1 781 442 3190
 > Sun Microsystems                            cell +1 781 354 9441
 > Web Products, Technologies, and Standards    eve.maler @ sun.com

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

--- End Message ---

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

