
xacml message


Subject: Open issue 72


Regarding issue 72, "SAML:Where should passed-in policies be inserted", 
I made a proposal to close this issue earlier:


At the following meeting Hal did not like this and took an action to 
review the spec regarding the definition of "top level" policies.


As far as I can tell, my conclusion is still right: XACML does not 
specify anything about how the PDP finds a policy to evaluate, so there 
is no place in the current specification to insert the provided policies 
from the SAML request.

And I cannot think of any single working solution for all needs. I could 
imagine for instance that the policies should be the only policies which 
should be used, or that they are policies which augment the existing 
policies in some way. Does anyone remember what the original use cases were?

So as far as I see, we either have to leave it unspecified, or we could 
define a mechanism by which the request can specify where the policies 
should be inserted. The latter is perhaps better, so I propose that we 
put in the SAML request an XML attribute called for instance 
InsertMethod, which is a URI. This identifier is an extension point 
where users/we can define more methods as the needs become more clear. 
For now we can define one possible value in the specification 
"urn:....:xaml:...:policy-insert-method:provided-policy-only". This 
identifier means that the SAML request MUST contain a single policy, 
which will be the top level policy of the PDP. Of course, policy 
references may be resolved as usual by the PDP.

Best regards,
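
The InsertMethod check proposed in the message above, sketched as an added example; it is not part of the original message or of any XACML specification. The URN is a constructed placeholder because the message elides the real one, the element names `Query`, `Policy` and `PolicySet` are hypothetical, and rejecting policies sent without an InsertMethod is an assumption the message does not settle.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder: the message elides the full URN.
PROVIDED_POLICY_ONLY = "urn:example:policy-insert-method:provided-policy-only"
POLICY_TAGS = {"Policy", "PolicySet"}  # hypothetical element names


class InsertMethodError(ValueError):
    """Request rejected before any supplied policy reaches the PDP."""


def local(tag):
    # Strip an XML namespace such as "{urn:...}Policy" down to "Policy".
    return tag.rsplit("}", 1)[-1]


def select_top_level_policy(request_xml, methods=(PROVIDED_POLICY_ONLY,)):
    """Return the supplied policy to use as the PDP's top-level policy,
    or None when the request supplies none. Fail closed otherwise."""
    root = ET.fromstring(request_xml)
    policies = [c for c in root if local(c.tag) in POLICY_TAGS]
    method = root.get("InsertMethod")
    if method is None:
        if policies:
            # Assumption: no method means the insertion point is undefined.
            raise InsertMethodError("policies supplied without InsertMethod")
        return None  # PDP falls back to its own configured policies
    if method not in methods:
        # Extension point: unknown URIs are rejected, never guessed at.
        raise InsertMethodError("unsupported InsertMethod: " + method)
    if len(policies) != 1:
        raise InsertMethodError(
            "provided-policy-only requires exactly one policy, got %d"
            % len(policies))
    return policies[0]


# Constructed sample requests.
SAMPLE_OK = ('<Query InsertMethod="%s"><Request/>'
             '<Policy PolicyId="p1"/></Query>' % PROVIDED_POLICY_ONLY)
SAMPLE_TWO = ('<Query InsertMethod="%s"><Policy PolicyId="p1"/>'
              '<PolicySet PolicySetId="ps1"/></Query>' % PROVIDED_POLICY_ONLY)
SAMPLE_UNKNOWN = ('<Query InsertMethod="urn:example:policy-insert-method:'
                  'augment"><Policy PolicyId="p1"/></Query>')
SAMPLE_NO_METHOD = '<Query><Policy PolicyId="p1"/></Query>'
SAMPLE_PLAIN = '<Query><Request/></Query>'

if __name__ == "__main__":
    print(select_top_level_policy(SAMPLE_OK).get("PolicyId"))
```

Policy references inside the returned policy would still be resolved by the PDP as usual, as the message notes; this check only decides which policy becomes the top level.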
