Subject: AI 0076 - XACML Policy Transport
I thought at least some of this had been previously proposed within the XACML TC, but I can find no evidence for this. Therefore, this should be considered as coming from me as an individual. I will cross post it to the XACML list for comment.

The basic idea of this proposal is twofold:

1) wrap an XACML <Policy> or <PolicySet> in a SAML statement so as to provide a common framework for header elements (version, issuer, validity interval, signature, etc.)

2) provide a SAML mechanism to retrieve policies by identifier or by <Target> evaluation.

----------------------------------------------------------------------------

The issue that needs to be decided first is whether this work should be done within the SSTC or the XACML TC. I do not see any strong argument either way. Since the work consists of extensions to the SAML schemas, it seems to me that the SSTC should have the right of "first refusal."

----------------------------------------------------------------------------

Details:

A. XACML Policy Statement

Define a new SAML Statement Type: <XACMLPolicyStatement>, which inherits from StatementAbstractType (not from <SubjectStatementAbstractType>). It can contain either an XACML <PolicySet> or <Policy>.

B. XACML Policy Query

Define two new SAML Query Types:

<XACMLPolicyIdQuery>
<XACMLPolicyTargetQuery>

All inherit from <QueryAbstractType>.

The <XACMLPolicyIdQuery> contains one or more <PolicyId> or <PolicySetId> values. The response would return the matching Policies or PolicySets, if available.

The <XACMLPolicyTargetQuery> contains an XACML request context which needs to only include the Subject, Resource and Action elements to be considered for policy Target matching. The response would return zero or more Policies or PolicySets which are potentially applicable to the decision.

The responder could choose to match on some target elements and ignore others, but it would be required to return every potentially applicable policy or policyset it has. In other words, it can return a superset, but not a subset of the policies applicable to the decision.

The existing SAML <Response> would be used to return an assertion containing XACML Policies and/or PolicySets as specified by the query.

Note that the existing SAML <AssertionIdReference> could also be used to request an Assertion containing XACML Policies, but this seems less likely to be useful than the Policy Id query.

Hal
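The two query types and the "superset, not subset" responder rule described in the post, modelled as an added example (not code from the post or from any SSTC/XACML TC deliverable). Policy targets are reduced to sets of allowed subject/resource/action values, with an unconstrained element matching anything; all policy ids and request values are constructed, hypothetical samples.

```python
from typing import Optional, Sequence, Dict, List

ANY = None  # a target element left unconstrained matches any value


class Policy:
    """One XACML <Policy>/<PolicySet> reduced to its id and a simplified <Target>."""
    def __init__(self, policy_id: str, subjects=ANY, resources=ANY, actions=ANY):
        self.policy_id = policy_id
        self.target = {"subject": subjects, "resource": resources, "action": actions}


def element_matches(allowed: Optional[set], value: str) -> bool:
    return allowed is ANY or value in allowed


def target_matches(policy: Policy, request: Dict[str, str],
                   elements: Sequence[str] = ("subject", "resource", "action")) -> bool:
    """Evaluate only the target elements this responder chooses to consider."""
    return all(element_matches(policy.target[e], request[e]) for e in elements)


def policy_target_query(policies, request,
                        elements=("subject", "resource", "action")) -> List[str]:
    """Model of <XACMLPolicyTargetQuery>: ids of potentially applicable policies."""
    return [p.policy_id for p in policies if target_matches(p, request, elements)]


def policy_id_query(policies, ids) -> List[str]:
    """Model of <XACMLPolicyIdQuery>: return the requested ids that are available."""
    wanted = set(ids)
    return [p.policy_id for p in policies if p.policy_id in wanted]


def is_valid_superset(responder_ids, full_match_ids) -> bool:
    """The proposal's rule: a responder may return a superset, never a subset."""
    return set(full_match_ids) <= set(responder_ids)


# Constructed sample repository and request context (hypothetical values).
SAMPLE_POLICIES = [
    Policy("P-read-docs", resources={"/docs"}, actions={"read"}),
    Policy("P-admin-only", subjects={"admin"}),
    Policy("P-default"),  # empty <Target>: potentially applicable to everything
    Policy("P-write-logs", resources={"/logs"}, actions={"write"}),
]
SAMPLE_REQUEST = {"subject": "alice", "resource": "/docs", "action": "read"}

if __name__ == "__main__":
    full = policy_target_query(SAMPLE_POLICIES, SAMPLE_REQUEST)
    coarse = policy_target_query(SAMPLE_POLICIES, SAMPLE_REQUEST, elements=("resource",))
    print("full match:", full)        # ['P-read-docs', 'P-default']
    print("resource-only:", coarse)   # ['P-read-docs', 'P-admin-only', 'P-default']
    print("coarse response is a valid superset:", is_valid_superset(coarse, full))
```

A responder that matches on Resource only returns one extra policy (P-admin-only) and is still compliant; one that omits P-read-docs would be returning a subset and is not.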