mace-opensaml-users - Re: [OpenSAML] JBossXACML v2.0.2.GA based on OpenSAML v2.0
Re: [OpenSAML] JBossXACML v2.0.2.GA based on OpenSAML v2.0

  • From: "Anil Saldhana" <>
  • To:
  • Subject: Re: [OpenSAML] JBossXACML v2.0.2.GA based on OpenSAML v2.0
  • Date: Fri, 18 Apr 2008 01:24:30 -0500

I wrote the saml-xacml integration stuff somewhere between 5-8 hours spread over a week, so I kind of picked up whatever worked at that time. The biggest help was from the XMLHelper class (which is quite smart in what it does).

References:
http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.2.GA/jboss-xacml-saml/src/main/java/org/jboss/security/xacml/saml/integration/opensaml/servlets/SOAPSAMLXACMLServlet.java
http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.2.GA/jboss-xacml-saml/src/main/java/org/jboss/security/xacml/saml/integration/

Some of the challenges faced:
a) Converting the xacml request types into DOM is still a challenge because I do not want every subelement of the xacml request to be of type xmlobject (as I will be creating an object model for opensaml). Now I will have to manually recreate the dom element for my xacml request such that XMLHelper can import the node cleanly. This is useful mainly for logging the entire payload.

b) I could not get to statements in an assertion. I had to cast it to AssertionImpl and get the statements.
Maybe I can use the unknownxmlobjects or such in Assertion?
========================
XACMLAuthzDecisionStatementType decision = (XACMLAuthzDecisionStatementType)
        OpenSAMLUtil.buildXMLObject(XACMLAuthzDecisionStatementType.DEFAULT_ELEMENT_NAME_XACML20);

// Some mismatch in the Statements for XACML
AssertionImpl assertionImpl = (AssertionImpl) assertion;
assertionImpl.getStatements().add(decision);

samlResponse.getAssertions().add(assertionImpl);
====================================

c) I hope for a better solution than the following - the unknown part:
envelope.getBody().getUnknownXMLObjects().add(samlResponse);

Basically, I did not use the xacml integration code from opensaml2 branch. I learned how to do things by picking nuggets of wisdom from the xacml layer of opensaml2. Hopefully once the xacml layer is properly integrated into a future version of opensaml2, I can work on better integrating my xacml library to the opensaml2xacml types. :)

On Fri, Apr 18, 2008 at 12:37 AM, Chad La Joie <> wrote:
Much like we're not putting IdP/SPs in OpenSAML we don't plan to put XACML processing engines within it either.  However, the hope is that when developers need to do something like this they can take the XACML engine of their choice and our toolkit and get to a working system much more quickly.

What would be interesting to hear, though, is whether you found anything missing within OpenSAML when you were trying to produce/consume the XML bits.  We've had a lot of experience, through Shibboleth, with SAML and so I feel pretty confident that we provide a lot of nice helper bits there, but we have very little experience with XACML and so the helper bits are probably lacking.


Anil Saldhana wrote:
I am a strong supporter of Open SAML since v1.0 and have waited patiently
for v2.0. :)

For the Oasis XACML Interoperability Event at the RSA Conference, I had to
process samlv2 payload that was embedded inside a soap11 envelope carrying
the xacml v2.0 decision queries. So I wrote a teeny integration layer (which
needs progressive cleanup) using opensamlv2 to do this - of course the xacml
processing is done by JBossXACML. I wonder if Hakon has looked at
integrating OSS xacml libraries such as sunxacml.

Anil
http://anil-identity.blogspot.com

On Thu, Apr 17, 2008 at 6:57 AM, Tom Scavo <> wrote:

FYI

----------------------------------------------------------------------

JBossXACML v2.0.2.GA Released
Anil Saldhana, Blog

"After a successful OASIS XACML Interoperability event at the RSA
Conference last week at San Francisco, I am pleased to inform you
about the release of JBossXACML v2.0.2.GA... the authorization space
is pretty complex unlike the authentication landscape. Access Control
requirements can become extremely complex and unmanageable. Enterprises
typically employ proprietary mechanisms such as ACLs to handle access
control use cases. OASIS XACML is the only standard that is making an
attempt at addressing the complex access control landscape... Expected
in 2.0.2.GA libraries: (1) OASIS XACML v2.0 core; (2) SOAP v1.1/SAML2.0
payload carrying XACML requests/response capabilities -- using OpenSAML
v2.0, as we will have packaged servlets for usage; (3) JAXB v2.0 Object
Model to deal with policies, requests etc -- if not interested in dealing
with XML. Additionally, as part of the Open Console or Embedded Console
of JBoss AS5, we should have a decent free XACML editor to create policy
sets... The OASIS XACML Interop simulated health care application with
real medical records' data that was driven by XACML based use cases.
There are HL7 Confidentiality Codes that can be associated with Patient
medical records. The VA developed an excellent application that had a
decent GUI and in the background, it interacted with its own PIP (Policy
Information Point) to derive the attributes needed to create the XACML
requests. Once the XACML requests were generated (based on the application
interaction), then they were passed to the PDP (Policy Decision Point)
of the vendors. Examples: [A] Your neighbor is a doctor and is snoopy
in nature. You certainly do not want him to have access to your medical
records. Would you? As a patient, you can associate the UBA
confidentiality code with a list of doctors that you do not want to
have access to your records (dissent list). [B] A patient arrives at
a facility in an emergency. The providers do not have access to the
patient records that is housed at another facility. They can trigger
an "emergency override" to get access to the records. Shouldn't they
in an emergency? [C] A patient can decide to mask a portion of his
medical records (e.g., radiology tests ' results) from a list of
providers..."

http://www.jboss.org/feeds/post/jbossxacml_v2_0_2_ga_released0
See also the RSA Conference 2008 OASIS XACML Interoperability Event:
http://anil-identity.blogspot.com/2008/04/summary-review-oasis-xacml.html

----------------------------------------------------------------------



--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
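The layering Anil describes in points (b) and (c) of his reply at the top (XACML decision inside an XACMLAuthzDecisionStatement, inside a SAML 2 Assertion and Response, dropped into a SOAP 1.1 Body via getUnknownXMLObjects()), written out as an added example; this is not code from the post or from JBossXACML. It assumes an OpenSAML 2.x build where XACMLAuthzDecisionStatementType implements Statement (so no AssertionImpl cast is needed) and where DefaultBootstrap registers the XACML object providers; the class name and the build() helper are mine.

```java
import javax.xml.namespace.QName;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.ws.soap.soap11.Body;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.xacml.ctx.DecisionType;
import org.opensaml.xacml.ctx.ResponseType;
import org.opensaml.xacml.ctx.ResultType;
import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionStatementType;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.util.XMLHelper;

public class XacmlSamlSoapExample {
    // Builder shortcut: assumes DefaultBootstrap registered a builder for every element name used below.
    @SuppressWarnings("unchecked")
    static <T extends XMLObject> T build(QName name) {
        return (T) Configuration.getBuilderFactory().getBuilder(name).buildObject(name);
    }

    // PDP verdict -> xacml-context Response -> XACMLAuthzDecisionStatement -> Assertion -> SAML Response -> SOAP Body
    static Envelope wrapDecision(DecisionType.DECISION verdict) {
        DecisionType decision = build(DecisionType.DEFAULT_ELEMENT_NAME);
        decision.setDecision(verdict);
        ResultType result = build(ResultType.DEFAULT_ELEMENT_NAME);
        result.setDecision(decision);
        ResponseType xacmlResponse = build(ResponseType.DEFAULT_ELEMENT_NAME);
        xacmlResponse.setResult(result);
        XACMLAuthzDecisionStatementType stmt = build(XACMLAuthzDecisionStatementType.DEFAULT_ELEMENT_NAME_XACML20);
        stmt.setResponse(xacmlResponse);
        Assertion assertion = build(Assertion.DEFAULT_ELEMENT_NAME);
        assertion.getStatements().add(stmt); // direct add; the AssertionImpl cast in the post above is not needed here
        Response samlResponse = build(Response.DEFAULT_ELEMENT_NAME);
        samlResponse.getAssertions().add(assertion);
        Body body = build(Body.DEFAULT_ELEMENT_NAME);
        body.getUnknownXMLObjects().add(samlResponse); // soap11 Body has no typed child slot, hence "unknown"
        Envelope envelope = build(Envelope.DEFAULT_ELEMENT_NAME);
        envelope.setBody(body);
        return envelope;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap(); // loads the SAML2, SOAP 1.1 and (assumed) XACML object-provider configs
        Envelope env = wrapDecision(DecisionType.DECISION.Deny);
        // Marshal to DOM and log the whole payload, the use Anil describes for XMLHelper
        System.out.println(XMLHelper.nodeToString(Configuration.getMarshallerFactory().getMarshaller(env).marshall(env)));
    }
}
```

On the consuming side, select children by element name with Body.getUnknownXMLObjects(QName) and Assertion.getStatements(QName) rather than casting the first child blindly, so a body that does not carry the expected layering is rejected instead of throwing a ClassCastException.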
