Subject: Notes on the updated SAML profile
Background
==========
The 2.0 standard SAML profile defined XACMLAuthzDecisionQuery,
XACMLAuthzDecisionStatement, XACMLPolicyQuery, and XACMLPolicyStatement,
along with their types. But the elements were defined in such a way
that they could not actually be used (they did not use xsi:type), so we
removed them in our errata, leaving only the extension types. There
were also other errata that were reported, and those are also included
in our errata. A few additional errata have been reported since the
most recent errata update was done.
As I said in today's meeting, the original intention was to incorporate
the errata into a new version of the 2.0 profile that could be approved
as a Committee Draft. Eve Maler, however, recommended that, since we
are doing a "deep" extension of SAML (extending inner elements) that we
should probably define all the types and elements that a user would need
in order to use our SAML Profile. That way the types and elements will
have standard names and it will be clear when someone is using the
profile or not.
Changes made in the updated SAML profile
========================================
- Incorporates all errata reported against our XACML 2.0 standard
profile
- Defines elements that use xsi:type to pick up the extension
types
o XACMLAuthzDecisionStatement
o XACMLAuthzDecisionQuery
o XACMLPolicyStatement
o XACMLPolicyQuery
- Defined additional extension types and elements for all the
SAML elements in which our XACML extensions might be used:
o XACMLAssertion and XACMLAssertionType
o XACMLAdvice and XACMLAdviceType
o XACMLResponse and XACMLResponseType
- XACMLAuthzDecisionQuery now allows XACML policies to be
included in an authorization decision request, in anticipation
of XACML Administration requirements. PDPs MAY use these
policies in evaluating that one decision request only; the
combining algorithm (i.e. how to combine the policies included
and how and whether to combine them with other policies) is up
to the PDP. This may need more specification.
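An added illustration of the two schema points above (the xsi:type binding from the errata, and the policies now carried inside an XACMLAuthzDecisionQuery); this is example code, not part of Anne's message or of the TC's schemas. The namespace URIs, the element attributes, the sample Request and the sample Policy are constructed placeholders, and the parse_query behaviour (rejecting an element with no xsi:type, handing included policies back separately) is an assumed PDP-side reading, not text from the profile:

```python
import io
import xml.etree.ElementTree as ET

# Namespace URIs below are placeholders (assumptions), not the URIs of the
# published XACML SAML profile schemas.
XACML_SAMLP = "urn:example:xacml-samlp"   # hypothetical profile protocol namespace
XACML_CTX = "urn:example:xacml-context"   # hypothetical xacml-context namespace
XACML = "urn:example:xacml"               # hypothetical xacml policy namespace
XSI = "http://www.w3.org/2001/XMLSchema-instance"
QUERY_TYPE = "XACMLAuthzDecisionQueryType"

for prefix, uri in [("xacml-samlp", XACML_SAMLP), ("xacml-context", XACML_CTX),
                    ("xacml", XACML), ("xsi", XSI)]:
    ET.register_namespace(prefix, uri)

# Constructed sample inputs (not real requests or policies).
SAMPLE_REQUEST = (
    f'<xacml-context:Request xmlns:xacml-context="{XACML_CTX}">'
    '<xacml-context:Subject/><xacml-context:Resource/><xacml-context:Action/>'
    '</xacml-context:Request>'
)
SAMPLE_POLICY = f'<xacml:Policy xmlns:xacml="{XACML}" PolicyId="urn:example:policy:1"/>'


def build_query(request_xml, policies=(), use_xsi_type=True):
    """Serialize an XACMLAuthzDecisionQuery carrying a XACML Request and,
    optionally, policies the requester wants the PDP to consider.
    With use_xsi_type=False the element is emitted without xsi:type, i.e.
    the shape that cannot be bound to the extension type."""
    q = ET.Element(f"{{{XACML_SAMLP}}}XACMLAuthzDecisionQuery",
                   {"ID": "q-1", "Version": "2.0",
                    "IssueInstant": "2005-01-01T00:00:00Z"})
    if use_xsi_type:
        q.set(f"{{{XSI}}}type", f"xacml-samlp:{QUERY_TYPE}")
    q.append(ET.fromstring(request_xml))
    for policy_xml in policies:
        q.append(ET.fromstring(policy_xml))
    return ET.tostring(q, encoding="unicode")


def parse_query(xml_text):
    """PDP-side reader: bind the element to the extension type via xsi:type,
    then pull out the embedded Request and any included policies."""
    ns = {}
    root = None
    # iterparse reports namespace declarations, which ElementTree otherwise
    # discards; they are needed to resolve the prefix inside the xsi:type value.
    for event, obj in ET.iterparse(io.BytesIO(xml_text.encode("utf-8")),
                                   events=("start-ns", "start")):
        if event == "start-ns":
            ns[obj[0]] = obj[1]
        elif root is None:
            root = obj
    xsi_type = root.get(f"{{{XSI}}}type")
    if xsi_type is None:
        raise ValueError("no xsi:type: element cannot be bound to the extension type")
    prefix, _, local = xsi_type.rpartition(":")
    if (ns.get(prefix), local) != (XACML_SAMLP, QUERY_TYPE):
        raise ValueError(f"unexpected xsi:type {xsi_type!r}")
    request = root.find(f"{{{XACML_CTX}}}Request")
    if request is None:
        raise ValueError("query carries no xacml-context:Request")
    # Included policies are returned separately: whether and how the PDP
    # combines them with its own policies is left to the PDP (an assumption
    # here, matching the note that the combining algorithm is up to the PDP).
    policies = root.findall(f"{{{XACML}}}Policy") + root.findall(f"{{{XACML}}}PolicySet")
    return {
        "type": local,
        "request_children": [child.tag.split("}")[1] for child in request],
        "policy_ids": [p.get("PolicyId") or p.get("PolicySetId") for p in policies],
    }


if __name__ == "__main__":
    print(parse_query(build_query(SAMPLE_REQUEST, [SAMPLE_POLICY])))
```

The point of the `use_xsi_type` switch is the errata issue: a receiver that resolves types through xsi:type has nothing to bind the element to when the attribute is absent, so parse_query refuses it rather than guessing.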
Editorial Issues
================
- I organized the spec by the four classes of information an
XACML system might use SAML for: Attributes, Authorization
Decisions, Policies, and Advice elements. This means there
is some duplication; for example, XACMLResponse is described
under Attributes, Authorization Decisions, and Policies,
since it might be used with Statements about any of those
classes of information. The duplicate descriptions point
to one rather full description that is included with one
of the classes of information, and then mention any additional
restrictions or usages that apply only to use of the type
for this particular information category.
An alternative organization would have use models described
for each class of information in one section, but would define
the elements and their types just once in another section.
Regards,
Anne
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692