mace-opensaml-users - RE: SAMLAuthorizationDecision
Subject: OpenSAML user discussion
List archive
- From: "RL 'Bob' Morgan" <>
- To: Ed Reed <>
- Cc: , ,
- Subject: RE: SAMLAuthorizationDecision
- Date: Mon, 24 May 2004 08:54:38 -0700 (PDT)
> Does that mean that you expect a non-SAML protocol that is built around
> a XACML protocol to be used to ask things like "what roles are active",
> or "does this user, given whatever roles they're in, have this
> permission at this time"?
I have heard that XACML 1.1 includes support for the evaluation of "what
can this user do" (could be considered to be "what roles") along with
XACML's traditional support for "can this user do X".
> Is there any protocol work in XACML at all?
Well, the nice thing about XML is you just plop a document into a
transport and you've got a protocol, eh? (he said derisively.) But yes,
as Scott said, XACML authz reqs/resps would be carried in SAML protocol,
according to the what the XACML TC told the SSTC.
Regarding whether this is SAML or XACML, the simple fact was that no one
interested in use of the SAML authz-decision components ever showed up in
SSTC committee meetings or on the mailing lists as we were working on 2.0,
despite many requests (meta-requests, I guess). So it was hard for the
SSTC to make any progress on that stuff, without a constituency. But
folks in XACML wanted to work on that, in the XACML context, so the SSTC
felt that the nebulous community of SAML authz-decision users would be
well-enough served by that work.
I believe it is the case that the OGSA-Authz WG has produced some work
that profiles and/or extends the SAML 1.x authz-decision stuff. I have no
idea whether that stuff will work with SAML 2.0 or whatever the XACML TC
is doing.
> I rather thought XACML could be used to express information in
> SAML, and that SAML attribute assertions would likely continue
> to be useful.
When dealing with modern specs that have myriad dependencies and profiles
and often rather mysterious areas of usage, it's important to be as
precise as possible. So indeed, SAML attribute assertions continue to be
useful and actively worked on in the SSTC. Some of the SAML 2.0 work adds
some needed structure to their use. It's the authz-decision stuff that
has been frozen.
- RL "Bob"
- SAMLAuthorizationDecision, Gabriel López, 05/24/2004
- <Possible follow-up(s)>
- Re: SAMLAuthorizationDecision, andy, 05/24/2004
- Re: SAMLAuthorizationDecision, Gabriel López, 05/24/2004
- RE: SAMLAuthorizationDecision, Scott Cantor, 05/24/2004
- Re: SAMLAuthorizationDecision, Gabriel López, 05/24/2004
- RE: SAMLAuthorizationDecision, Ed Reed, 05/24/2004
- RE: SAMLAuthorizationDecision, RL 'Bob' Morgan, 05/24/2004
- Re: SAMLAuthorizationDecision, Gabriel López, 05/24/2004
- RE: SAMLAuthorizationDecision, RL 'Bob' Morgan, 05/24/2004
- RE: SAMLAuthorizationDecision, Scott Cantor, 05/24/2004
- RE: SAMLAuthorizationDecision, Ed Reed, 05/24/2004
Archive powered by MHonArc 2.6.16.