Subject: Open issue 72
All,

Regarding issue 72, "SAML:Where should passed-in policies be inserted", I made a proposal to close this issue earlier:

http://lists.oasis-open.org/archives/xacml/200806/msg00015.html

At the following meeting Hal did not like this and took an action to review the spec regarding the definition of "top level" policies.

http://lists.oasis-open.org/archives/xacml/200806/msg00043.html

As far as I can tell, my conclusion is still right: XACML does not specify anything about how the PDP finds a policy to evaluate, so there is no place in the current specification to insert the provided policies from the SAML request. And I cannot think of any single working solution for all needs. I could imagine for instance that the policies should be the only policies which should be used, or that they are policies which augment the existing policies in some way. Does anyone remember what the original use cases were?

So as far as I see, we either have to leave it unspecified, or we could define a mechanism by which the request can specify where the policies should be inserted. The latter is perhaps better, so I propose that we put in the SAML request an XML attribute called for instance InsertMethod, which is a URI. This identifier is an extension point where users/we can define more methods as the needs become more clear.

For now we can define one possible value in the specification: "urn:....:xaml:...:policy-insert-method:provided-policy-only". This identifier means that the SAML request MUST contain a single policy, which will be the top level policy of the PDP. Of course, policy references may be resolved as usual by the PDP.

Best regards,
Erik
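The following is an added example, not part of the message above and not text from any XACML or SAML specification: a sketch of how a PDP front end could enforce the proposed InsertMethod attribute and fail closed on anything it does not recognise. The `<Query>` wrapper element, the function names, treating a PolicySet as "a single policy", and rejecting policies sent without InsertMethod are assumptions; the URN is copied with its elisions exactly as written in the message.

```python
import xml.etree.ElementTree as ET

# URN exactly as it appears in the message, elisions included (not completed here).
PROVIDED_POLICY_ONLY = "urn:....:xaml:...:policy-insert-method:provided-policy-only"
# XACML 2.0 policy namespace, used for the constructed sample requests.
XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
POLICY_TAGS = {f"{{{XACML_NS}}}Policy", f"{{{XACML_NS}}}PolicySet"}


class InsertMethodError(ValueError):
    """The passed-in policies cannot be placed; the request must be refused."""


def select_top_level_policy(request_xml, local_top_level):
    """Return what the PDP should evaluate as its top level policy."""
    # Stdlib parser so the example runs offline; DTDs are refused outright
    # because caller-supplied XML should never define entities.
    if "<!DOCTYPE" in request_xml:
        raise InsertMethodError("DTD not allowed in request")
    root = ET.fromstring(request_xml)
    provided = [child for child in root if child.tag in POLICY_TAGS]
    method = root.get("InsertMethod")
    if method is None:
        # Assumption: without InsertMethod the PDP has no defined place for
        # passed-in policies, so it refuses them instead of guessing.
        if provided:
            raise InsertMethodError("policies supplied without InsertMethod")
        return local_top_level
    if method != PROVIDED_POLICY_ONLY:
        # Extension point: unknown identifiers are rejected, never ignored.
        raise InsertMethodError(f"unknown InsertMethod: {method}")
    if len(provided) != 1:
        raise InsertMethodError(f"expected one policy, got {len(provided)}")
    return provided[0]


def sample_request(method, policy_ids):
    """Build a constructed request with a hypothetical <Query> wrapper."""
    attr = f' InsertMethod="{method}"' if method else ""
    body = "".join(
        f'<Policy xmlns="{XACML_NS}" PolicyId="{pid}"/>' for pid in policy_ids
    )
    return f"<Query{attr}>{body}</Query>"


if __name__ == "__main__":
    chosen = select_top_level_policy(sample_request(PROVIDED_POLICY_ONLY, ["p1"]), None)
    print("top level policy:", chosen.get("PolicyId"))
```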