Subject: Notes on the updated SAML profile
Background
==========

The 2.0 standard SAML profile defined XACMLAuthzDecisionQuery,
XACMLAuthzDecisionStatement, XACMLPolicyQuery, and XACMLPolicyStatement,
along with their types. But the elements were defined in such a way
that they could not actually be used (they did not use xsi:type), so we
removed them in our errata, leaving only the extension types. There were
also other errata that were reported, and those are also included in
our errata. A few additional errata have been reported since the most
recent errata update was done.

As I said in today's meeting, the original intention was to incorporate
the errata into a new version of the 2.0 profile that could be approved
as a Committee Draft. Eve Maler, however, recommended that, since we
are doing a "deep" extension of SAML (extending inner elements), we
should probably define all the types and elements that a user would
need in order to use our SAML Profile. That way the types and elements
will have standard names and it will be clear when someone is using
the profile or not.

Changes made in the updated SAML profile
========================================

- Incorporates all errata reported against our XACML 2.0 standard
  profile
- Defines elements that use xsi:type to pick up the extension types
    o XACMLAuthzDecisionStatement
    o XACMLAuthzDecisionQuery
    o XACMLPolicyStatement
    o XACMLPolicyQuery
- Defines additional extension types and elements for all the SAML
  elements in which our XACML extensions might be used:
    o XACMLAssertion and XACMLAssertionType
    o XACMLAdvice and XACMLAdviceType
    o XACMLResponse and XACMLResponseType
- XACMLAuthzDecisionQuery now allows XACML policies to be included in
  an authorization decision request, in anticipation of XACML
  Administration requirements. PDPs MAY use these policies in
  evaluating that one decision request only; the combining algorithm
  (i.e. how to combine the policies included and how and whether to
  combine them with other policies) is up to the PDP. This may need
  more specification.

Editorial Issues
================

- I organized the spec by the four classes of information an XACML
  system might use SAML for: Attributes, Authorization Decisions,
  Policies, and Advice elements. This means there is some duplication;
  for example, XACMLResponse is described under Attributes,
  Authorization Decisions, and Policies, since it might be used with
  Statements about any of those classes of information. The duplicate
  descriptions point to one rather full description that is included
  with one of the classes of information, and then mention any
  additional restrictions or usages that apply only to use of the type
  for this particular information category. An alternative organization
  would have use models described for each class of information in one
  section, but would define the elements and their types just once in
  another section.

Regards,
Anne
-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
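The "deep" extension the message describes hangs an XACML decision off SAML's abstract saml:Statement by putting xsi:type on the Statement element. What a consumer then has to do is expand that xsi:type QName against the namespace declarations in scope, because a prefix by itself carries no meaning. The following is an added example, not code from the message or from the XACML TC's schemas: it parses a constructed assertion with Python's standard library, tracks prefix bindings from the parser's namespace events, and returns the decisions only from Statements whose xsi:type actually expands to the profile's type. The profile namespace URN, the assumption that an XACMLAuthzDecisionStatementType carries an xacml-context:Response, and the sample assertion itself are all assumptions made here for illustration.

```python
"""Resolve xsi:type on saml:Statement elements to find XACML extension statements.

Added example; not part of the original message or the XACML TC's schemas.
Assumptions: the profile's assertion-extension namespace URN below (the draft
may use another), the xacml-context:Response content model, and the sample.
"""
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
# Assumed namespace URN for the profile's assertion extensions; verify against
# the published schema before relying on it.
XACML_SAML = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
AUTHZ_DECISION_TYPE = (XACML_SAML, "XACMLAuthzDecisionStatementType")

# Constructed sample. The first Statement is a genuine XACML decision statement
# (profile namespace bound to the unremarkable prefix "p1"). The second uses the
# familiar "xacml-saml" prefix but binds it to a different namespace, so its
# xsi:type does NOT expand to the profile's type and must be ignored.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    Version="2.0" ID="_a1" IssueInstant="2005-01-01T00:00:00Z">
  <saml:Issuer>pdp.example.org</saml:Issuer>
  <saml:Statement xmlns:p1="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
      xsi:type="p1:XACMLAuthzDecisionStatementType">
    <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <xacml-context:Result ResourceId="urn:example:doc:42">
        <xacml-context:Decision>Permit</xacml-context:Decision>
      </xacml-context:Result>
    </xacml-context:Response>
  </saml:Statement>
  <saml:Statement xmlns:xacml-saml="urn:example:some-other-namespace"
      xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
    <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <xacml-context:Result ResourceId="urn:example:doc:43">
        <xacml-context:Decision>Permit</xacml-context:Decision>
      </xacml-context:Result>
    </xacml-context:Response>
  </saml:Statement>
</saml:Assertion>
"""


def resolve_qname(qname, ns_stack):
    """Expand a prefix:local QName using the innermost matching in-scope binding.
    Returns (namespace_uri, local); uri is None if the prefix is unbound."""
    prefix, _, local = qname.rpartition(":")
    uri = next((u for p, u in reversed(ns_stack) if p == prefix), None)
    return uri, local


def xacml_decision_statements(xml_text):
    """Return (ResourceId, Decision) pairs from every saml:Statement whose
    xsi:type expands to the XACML authz-decision statement type.

    ElementTree discards prefix bindings after parsing, so the bindings are
    tracked from start-ns/end-ns events and xsi:type is expanded against the
    in-scope namespaces instead of string-matching the prefix."""
    ns_stack = []   # (prefix, uri) pairs currently in scope, innermost last
    found = []
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, data in ET.iterparse(source, events=("start-ns", "end-ns", "end")):
        if event == "start-ns":
            ns_stack.append(data)          # data is (prefix, uri)
        elif event == "end-ns":
            ns_stack.pop()
        elif data.tag == f"{{{SAML}}}Statement":
            # "end" fires before this element's own end-ns events, so its
            # xmlns declarations are still on the stack here.
            qname = data.get(f"{{{XSI}}}type")
            if qname is None:
                continue   # abstract Statement with no concrete type: unusable
            if resolve_qname(qname, ns_stack) != AUTHZ_DECISION_TYPE:
                continue   # some other statement type, or a look-alike prefix
            for result in data.iter(f"{{{XACML_CTX}}}Result"):
                found.append((result.get("ResourceId"),
                              result.findtext(f"{{{XACML_CTX}}}Decision")))
    return found


if __name__ == "__main__":
    print(xacml_decision_statements(SAMPLE_ASSERTION))
```

Run stand-alone it reports only the decision for urn:example:doc:42; the second Statement is dropped because its prefix expands to a namespace that is not the profile's. The same expansion step applies to the other xsi:type-based elements the message lists (XACMLPolicyStatement, XACMLAuthzDecisionQuery and the rest), and a relying party that instead compares the raw "prefix:local" string will accept or reject statements on the basis of a prefix the sender chose freely.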