Subject: attribute with AttributeId="...:subject-id" containing the "identity" of a subject?
In XACML, we don't seem to distinguish the attributes by type as being either identity-attributes or "just-attributes", where the identity attributes would be special as they would uniquely identify that subject/resource/action. Instead we use this special subject-id/resource-id/action-id AttributeId that fulfills a similar role.

However, if a requester comes in, the request context creation code has to "know" what identifier to use for that subject-id, otherwise it wouldn't match the one used in the policy matching rules. So, one should know to use an X.509 subject-name's DN, or the public key, and if that same user authenticates tomorrow with Kerberos, then principal@realm will only work if you "know" to use an associated identity assertion that federates those names and to fill in the right one for that subject-id.

We have the added issue that when issuers are associated with policies, then we need the issuer's attributes to use a subject-id such that we can match it to additional attributes that may be available when that issuer is substituted by the PDP in the xacml-context:Request.

As an alternative, could we maybe label the attributes with a boolean "Identifier", such that we could use that in our matching functions like: see if any of the subject's attributes for which "Identifier==TRUE" match my subject-id value. Having such an "Identifier" attribute for Attribute would also allow you to specify a true XACML Attribute assertion as a collection of Attributes with at least one Attribute for which "Identifier==TRUE". (I guess the latter would also be possible if the attribute set included one for which AttributeId=="...:subject-id".)

-Frank.

--
Frank Siebenlist email@example.com
The Globus Alliance - Argonne National Laboratory
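An added example that is not part of the post above and not XACML's own schema or any XACML implementation: it models the two matching strategies the post compares. The subject-id AttributeId, the xacml-context namespace and the x500Name/string data types are the real XACML 1.0 identifiers; the `Identifier="true"` marker on `<Attribute>`, the `urn:example:federated-name` AttributeId and the sample DN/principal values are hypothetical and constructed here. The policy is assumed to be written against the X.509 DN; the same user then shows up once with an X.509 credential and once with a Kerberos principal plus a federating identity assertion.

```python
"""Added example (not from the original post, not XACML's schema): compare
matching on the fixed subject-id AttributeId against matching on every
attribute carrying the *hypothetical* Identifier="true" flag the post proposes."""
import xml.etree.ElementTree as ET

# Real XACML 1.0 identifiers.
XACML_NS = "urn:oasis:names:tc:xacml:1.0:context"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
X500_NAME = "urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
STRING = "http://www.w3.org/2001/XMLSchema#string"
# Hypothetical AttributeId for a name supplied by a federating identity assertion.
FEDERATED_NAME = "urn:example:federated-name"

# Constructed sample values: the policy names the user by X.509 DN.
POLICY_DN = "CN=Alice Example,O=Example Grid,C=US"
KERBEROS_PRINCIPAL = "alice@EXAMPLE.ORG"


def request_context(subject_attrs):
    """Build a minimal xacml-context:Request with one Subject.
    subject_attrs: iterable of (AttributeId, DataType, value, is_identifier);
    is_identifier emits the hypothetical Identifier="true" marker."""
    req = ET.Element(f"{{{XACML_NS}}}Request")
    subj = ET.SubElement(req, f"{{{XACML_NS}}}Subject")
    for attr_id, dtype, value, is_identifier in subject_attrs:
        attr = ET.SubElement(subj, f"{{{XACML_NS}}}Attribute",
                             AttributeId=attr_id, DataType=dtype)
        if is_identifier:
            attr.set("Identifier", "true")  # hypothetical flag, not in XACML
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")


def _subject_attributes(request_xml):
    """Yield (AttributeId, DataType, value, is_identifier) for every Subject Attribute."""
    root = ET.fromstring(request_xml)
    for attr in root.iterfind(f"{{{XACML_NS}}}Subject/{{{XACML_NS}}}Attribute"):
        yield (attr.get("AttributeId"), attr.get("DataType"),
               attr.findtext(f"{{{XACML_NS}}}AttributeValue"),
               attr.get("Identifier") == "true")


def match_subject_id(request_xml, policy_subject_id):
    """Current XACML behaviour: only the subject-id AttributeId is compared, so the
    request builder must have chosen the same identifier form the policy uses."""
    return any(aid == SUBJECT_ID and value == policy_subject_id
               for aid, _dtype, value, _flag in _subject_attributes(request_xml))


def match_any_identifier(request_xml, policy_subject_id):
    """Proposed behaviour: compare the policy value against every attribute
    flagged Identifier="true", whatever its AttributeId."""
    return any(is_identifier and value == policy_subject_id
               for _aid, _dtype, value, is_identifier in _subject_attributes(request_xml))


# Day 1: X.509 authentication; the builder "knew" to put the DN in subject-id.
X509_REQUEST = request_context([
    (SUBJECT_ID, X500_NAME, POLICY_DN, True),
])

# Day 2: Kerberos authentication; subject-id holds principal@realm, and a
# federating identity assertion contributes the DN as a second flagged attribute.
KERBEROS_REQUEST = request_context([
    (SUBJECT_ID, STRING, KERBEROS_PRINCIPAL, True),
    (FEDERATED_NAME, X500_NAME, POLICY_DN, True),
])

# Same as day 2, but the DN arrives as a plain attribute without the flag:
# the proposed matcher must not treat it as an identity.
KERBEROS_REQUEST_UNFLAGGED = request_context([
    (SUBJECT_ID, STRING, KERBEROS_PRINCIPAL, True),
    (FEDERATED_NAME, X500_NAME, POLICY_DN, False),
])


if __name__ == "__main__":
    for label, req in [("x509", X509_REQUEST), ("kerberos", KERBEROS_REQUEST),
                       ("kerberos-unflagged", KERBEROS_REQUEST_UNFLAGGED)]:
        print(f"{label:19} subject-id match: {match_subject_id(req, POLICY_DN)!s:5} "
              f"identifier match: {match_any_identifier(req, POLICY_DN)}")
```

The flag only moves the problem from the request builder to whoever marks attributes as identifiers: a PDP that trusts `Identifier="true"` on any attribute must also check the attribute's issuer, otherwise a requester could flag an arbitrary value as an identity and match someone else's policy.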