
mace-opensaml-users - Re: SAMLAuthorizationDecision

Subject: OpenSAML user discussion


Re: SAMLAuthorizationDecision


  • From: Gabriel López <>
  • To: RL 'Bob' Morgan <>
  • Cc: Ed Reed <>, ,
  • Subject: Re: SAMLAuthorizationDecision
  • Date: Mon, 24 May 2004 18:14:26 +0200


SAML and XACML have a "natural" integration; this document defines how Authorization Decisions, SAML and XACML can live together:

http://www.oasis-open.org/committees/download.php/5854/wd-xacml-saml-profile-02.pdf


RL 'Bob' Morgan wrote:

Does that mean that you expect a non-SAML protocol that is built around
a XACML protocol to be used to ask things like "what roles are active",
or "does this user, given whatever roles they're in, have this
permission at this time"?


I have heard that XACML 1.1 includes support for the evaluation of "what
can this user do" (could be considered to be "what roles") along with
XACML's traditional support for "can this user do X".


Is there any protocol work in XACML at all?


Well, the nice thing about XML is you just plop a document into a
transport and you've got a protocol, eh? (he said derisively.) But yes,
as Scott said, XACML authz reqs/resps would be carried in SAML protocol,
according to what the XACML TC told the SSTC.

Regarding whether this is SAML or XACML, the simple fact was that no one
interested in use of the SAML authz-decision components ever showed up in
SSTC committee meetings or on the mailing lists as we were working on 2.0,
despite many requests (meta-requests, I guess). So it was hard for the
SSTC to make any progress on that stuff, without a constituency. But
folks in XACML wanted to work on that, in the XACML context, so the SSTC
felt that the nebulous community of SAML authz-decision users would be
well-enough served by that work.

I believe it is the case that the OGSA-Authz WG has produced some work
that profiles and/or extends the SAML 1.x authz-decision stuff. I have no
idea whether that stuff will work with SAML 2.0 or whatever the XACML TC
is doing.


I rather thought XACML could be used to express information in
SAML, and that SAML attribute assertions would likely continue
to be useful.


When dealing with modern specs that have myriad dependencies and profiles
and often rather mysterious areas of usage, it's important to be as
precise as possible. So indeed, SAML attribute assertions continue to be
useful and actively worked on in the SSTC. Some of the SAML 2.0 work adds
some needed structure to their use. It's the authz-decision stuff that
has been frozen.

- RL "Bob"






--
Gabriel López Millán
Dept. Ingeniería de la Información y las Comunicaciones
Facultad de Informática
Universidad de Murcia
Apartado 4021
30001 Murcia
Telf: +34-968-367645
fax: +34-968-364151
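The "XACML authz reqs/resps carried in SAML protocol" exchange discussed in the thread, as an added example that is not part of this mail or of the draft profile linked above: a PEP wraps an xacml-context:Request in a XACMLAuthzDecisionQuery and later reads the PDP's decision back out of a SAML Response carrying a XACMLAuthzDecisionStatement, falling back to Deny unless the response answers its own query and both status layers succeed. The namespace and element names are those of the later, final XACML 2.0 SAML profile (an assumption; the 2004 working draft may differ), the sample response is constructed, and verification of the XML signature on the assertion is left out.

```python
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 and the later final XACML 2.0 SAML profile (assumed; the 2004 draft may differ).
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSAMLP = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol"
XSAML = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"

def build_authz_query(query_id, subject_id, resource_id, action_id):
    """PEP side: wrap an xacml-context:Request in a SAML XACMLAuthzDecisionQuery."""
    q = ET.Element(f"{{{XSAMLP}}}XACMLAuthzDecisionQuery", ID=query_id, Version="2.0",
                   IssueInstant="2004-05-24T16:14:26Z", ReturnContext="false")
    req = ET.SubElement(q, f"{{{CTX}}}Request")
    for section, attr_id, value in (
            ("Subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject_id),
            ("Resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource_id),
            ("Action", "urn:oasis:names:tc:xacml:1.0:action:action-id", action_id)):
        attr = ET.SubElement(ET.SubElement(req, f"{{{CTX}}}{section}"), f"{{{CTX}}}Attribute",
                             AttributeId=attr_id, DataType="http://www.w3.org/2001/XMLSchema#string")
        ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value
    ET.SubElement(req, f"{{{CTX}}}Environment")  # mandatory in XACML 2.0, may be empty
    return ET.tostring(q, encoding="unicode")

def decision_from_response(saml_response_xml, expected_query_id):
    """PEP side: "Permit" only if the response answers our query, both the SAML and the
    XACML status report success and exactly one Result says Permit; anything else is Deny."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP}}}Response" or root.get("InResponseTo") != expected_query_id:
        return "Deny"
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return "Deny"
    results = root.findall(f".//{{{XSAML}}}XACMLAuthzDecisionStatement/"
                           f"{{{CTX}}}Response/{{{CTX}}}Result")
    if len(results) != 1:
        return "Deny"
    xcode = results[0].find(f"{{{CTX}}}Status/{{{CTX}}}StatusCode")
    if xcode is None or xcode.get("Value") != "urn:oasis:names:tc:xacml:1.0:status:ok":
        return "Deny"
    return "Permit" if results[0].findtext(f"{{{CTX}}}Decision") == "Permit" else "Deny"

# Constructed sample PDP response to query "q-1" (not a real capture).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:xsaml="{XSAML}"
 xmlns:xctx="{CTX}" ID="r-1" InResponseTo="q-1" Version="2.0" IssueInstant="2004-05-24T16:14:27Z">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="a-1" Version="2.0" IssueInstant="2004-05-24T16:14:27Z"><saml:Issuer>pdp.example.org</saml:Issuer>
<xsaml:XACMLAuthzDecisionStatement><xctx:Response><xctx:Result><xctx:Decision>Permit</xctx:Decision>
<xctx:Status><xctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></xctx:Status>
</xctx:Result></xctx:Response></xsaml:XACMLAuthzDecisionStatement></saml:Assertion></samlp:Response>"""
```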



