shibboleth-dev - Access Policy strawman

Subject: Shibboleth Developers

List archive

Access Policy strawman


  • From: Noah Levitt <>
  • To: ,
  • Cc:
  • Subject: Access Policy strawman
  • Date: Thu, 3 Jun 2004 18:07:59 -0400
  • Secret-nsa-message-id: 3b026257dfe9ed894171dbbb76f5b2ba

Hello,

I've started thinking about defining the agreement between
an identity provider and a service provider, which is needed
for the arp gui.

One thing we need to decide initially is whether the target
will use this same document to make authorization decisions.
If not, much of the information will have to be duplicated,
and the information available to the arp gui will be
unnecessarily limited, so I suggest that we do use it.

Below are some samples of an xml syntax that seems to me to
cover the basic requirements. Each <AccessPolicy> would be
associated with an application and one or more identity
providers in shibboleth.xml.

If none of the requirements for any of the service levels
are met, access is denied.

We might want to use a subset of XACML for this instead of
an ad hoc thing.

Noah

<AccessPolicy id="template-policy-foo">
	<Description>Sample policy 1.</Description>

	<ServiceLevel name="Basic">
		<Description>Basic access with minimal functionality.</Description>
		<Resource location="https://localhost/foo" satisfy="any"> <!-- implies /foo/* -->
			<!-- If "value" is unspecified, any value is accepted. -->
			<!-- If "scope" is unspecified on a scoped attribute, accepts any scope. (AAP stuff
			should check that identity provider is qualified to present it?) -->
			<Attribute id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" value="member" />
		</Resource>
	</ServiceLevel>

	<ServiceLevel name="Bronze" extends="Basic">
		<Description>Basic access with the additional ability to save user preferences.</Description>
		<Resource location="https://localhost/foo" satisfy="all"> <!-- implies /foo/* -->
			<!-- Any value will give user this service level since "value" is unspecified. -->
			<Attribute id="urn:mace:dir:attribute-def:eduPersonTargetedId" />
		</Resource>
	</ServiceLevel>
</AccessPolicy>
<AccessPolicy id="template-policy-bar">
	<Description>Sample policy 2.</Description>
	<ServiceLevel name="Basic">
		<Description>Basic access.</Description>
		<Resource location="https://localhost/bar" satisfy="all">
			<Attribute id="https://localhost/shibboleth/has-access-to-bar" value="true" />
		</Resource>
	</ServiceLevel>
</AccessPolicy>

<AccessPolicy id="template-policy-cero">
	<Description>Sample policy 3.</Description>
	<ServiceLevel name="Basic">
		<Description>Access to each e-seminar.</Description>
		<!-- Perhaps have an alternative element here that points to a directory 
		from which to load *.xml, each of which is a <Resource>...</Resource>. -->
		<Resource location="https://cero.columbia.edu/0201" satisfy="any">
			<Attribute id="http://columbia.edu/shibboleth/federation/attributes/resource" value="DKV.CI.0201" />
			<Attribute id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" value="member" scope="columbia.edu" />
		</Resource>
		<Resource location="https://cero.columbia.edu/0202" satisfy="any">
			<Attribute id="http://columbia.edu/shibboleth/federation/attributes/resource" value="DKV.CI.0202" />
			<Attribute id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" value="member" scope="columbia.edu" />
		</Resource>
		<Resource location="https://cero.columbia.edu/0203" satisfy="any">
			<Attribute id="http://columbia.edu/shibboleth/federation/attributes/resource" value="DKV.CI.0203" />
			<Attribute id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" value="member" scope="columbia.edu" />
		</Resource>
		<!-- &c. -->
	</ServiceLevel>
</AccessPolicy>
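The following is an added worked example, not part of Noah's mail or of the Shibboleth code base: a small Python evaluator for the strawman syntax above, so the semantics the comments describe can be checked against a policy and a set of released attributes. It implements the rules stated in the mail (unspecified "value" accepts any value, unspecified "scope" accepts any scope, satisfy="any"/"all", a location covers itself and everything under it, and no satisfied service level means access is denied). Where the mail is silent, the code makes labelled assumptions: `extends` means the child level is granted only if the parent's requirements are also met, `satisfy` defaults to "all", a `<Resource>` with no `<Attribute>` requirements grants nothing, and the location prefix is matched on a path boundary so `/foo` does not cover `/foobar`. The sample policy is constructed from pieces of the three samples in the mail.

```python
"""Evaluator for the AccessPolicy strawman syntax (added example, not project code)."""
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional, Sequence, Tuple


class Attr(NamedTuple):
    """One attribute released by the identity provider; scope is None when unscoped."""
    id: str
    value: str
    scope: Optional[str]


# Constructed sample policy in the strawman syntax, merging parts of the
# three sample policies from the mail. Not a real deployment's policy.
POLICY_XML = """<AccessPolicy id="template-policy-example">
  <Description>Constructed sample.</Description>
  <ServiceLevel name="Basic">
    <Resource location="https://localhost/foo" satisfy="any">
      <Attribute id="http://columbia.edu/shibboleth/federation/attributes/resource" value="DKV.CI.0201" />
      <Attribute id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" value="member" scope="columbia.edu" />
    </Resource>
  </ServiceLevel>
  <ServiceLevel name="Bronze" extends="Basic">
    <Resource location="https://localhost/foo" satisfy="all">
      <Attribute id="urn:mace:dir:attribute-def:eduPersonTargetedId" />
    </Resource>
  </ServiceLevel>
</AccessPolicy>"""


def _attr_matches(req: ET.Element, presented: Sequence[Attr]) -> bool:
    """True if some presented attribute satisfies one <Attribute> requirement.
    Per the mail: no "value" accepts any value; no "scope" accepts any scope."""
    want_value = req.get("value")
    want_scope = req.get("scope")
    for a in presented:
        if a.id != req.get("id"):
            continue
        if want_value is not None and a.value != want_value:
            continue
        if want_scope is not None and a.scope != want_scope:
            continue
        return True
    return False


def _resource_covers(res: ET.Element, url: str) -> bool:
    """location="https://host/foo" covers /foo and /foo/* (the mail's comment).
    Assumption: the prefix ends on a path boundary, so /foobar is not covered."""
    loc = res.get("location", "").rstrip("/")
    return url == loc or url.startswith(loc + "/")


def _resource_satisfied(res: ET.Element, presented: Sequence[Attr]) -> bool:
    checks = [_attr_matches(a, presented) for a in res.findall("Attribute")]
    if not checks:
        return False  # assumption: a <Resource> with no requirements grants nothing
    # assumption: satisfy defaults to "all" when omitted
    return any(checks) if res.get("satisfy", "all") == "any" else all(checks)


def _level_satisfied(root: ET.Element, level: ET.Element, url: str,
                     presented: Sequence[Attr], chain: Tuple[str, ...] = ()) -> bool:
    name = level.get("name", "")
    if name in chain:
        raise ValueError(f"cyclic extends chain: {chain + (name,)}")
    # assumption: extends="X" means X's requirements must also be met
    parent_name = level.get("extends")
    if parent_name is not None:
        parent = next((lv for lv in root.findall("ServiceLevel")
                       if lv.get("name") == parent_name), None)
        if parent is None:
            raise ValueError(f"unknown parent service level {parent_name!r}")
        if not _level_satisfied(root, parent, url, presented, chain + (name,)):
            return False
    matching = [r for r in level.findall("Resource") if _resource_covers(r, url)]
    return any(_resource_satisfied(r, presented) for r in matching)


def evaluate(policy_xml: str, url: str, presented: Sequence[Attr]) -> List[str]:
    """Names of the service levels granted for `url`, in document order.
    An empty list means access is denied, per the mail's rule."""
    root = ET.fromstring(policy_xml)
    return [lv.get("name", "") for lv in root.findall("ServiceLevel")
            if _level_satisfied(root, lv, url, presented)]


if __name__ == "__main__":
    AFF = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
    TID = "urn:mace:dir:attribute-def:eduPersonTargetedId"
    print(evaluate(POLICY_XML, "https://localhost/foo/page",
                   [Attr(AFF, "member", "columbia.edu"), Attr(TID, "opaque-id", None)]))
    print(evaluate(POLICY_XML, "https://localhost/foo",
                   [Attr(AFF, "member", "example.org"), Attr(TID, "opaque-id", None)]))
```

The second call in the usage block shows the point of the `extends` assumption: the user presents a targeted id, so Bronze's own requirement is met, but the affiliation is scoped to the wrong domain, Basic fails, and the result is an empty list (denied) rather than a Bronze grant without Basic.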




Archive powered by MHonArc 2.6.16.
