OASIS eXtensible Access Control Markup Language (XACML) TC


Re: Timing of the XACML/SAML profile(s) of SAML/XACML. Forwarded message from Anne Anderson.


    Posted 05-13-2004 14:12



    Subject: Re: Timing of the XACML/SAML profile(s) of SAML/XACML. Forwarded message from Anne Anderson.


    This is the message I sent to Eve in response to her query about
    SAML profiles and XACML.
    
    Anne
    
    --- Begin Message ---
    On 12 May, Eve L. Maler writes: Timing of the XACML/SAML profile(s) of SAML/XACML
     > Hi Anne-- I took an action in yesterday's SSTC meeting to ask you about 
     > the ongoing work on the (I think) SAML profile of XACML.  Hal made it 
     > sound like there were two things being developed, but I couldn't tell 
     > which would be for what purpose.  Here's my guess:
    
    You are pretty close.  I've elaborated below.  Your names "A
    profile of B" are sort of the opposite of what we have been
    using, but that is OK so long as we know what each profile will
    include, where it will be progressed, and who is the audience for
    it.
    
     > 
     > - SAML profile of XACML?
    
    Profile for how to use SAML in XACML systems
    
     >    A profile of XACML, owned by the XACML TC, that explains how
     >    to use a subset of XACML attribute features that map well to
     >    SAML attributes?
    
    For XACML developers and users, describes how to use SAML to
    provide functionality needed by XACML systems:
    
     o Retrieval of Attributes
     o Retrieval of policies
     o Assertion formats that can be signed for
        - Attributes
        - XACML Requests, Responses
        - XACML policies
    
    A draft of this document exists and is linked from the XACML TC
    web page in the "XACML TC Working Drafts" section.
    
      # XACML Profile for SAML:
        http://www.oasis-open.org/committees/download.php/5854/wd-xacml-saml-profile-02.pdf
    
    This is currently blocked on SAML's progress:
    
     o We already have draft schema extensions for policy
       query/response and for XACML versions of authz decision
       query/response, but can't finalize them until we know how SAML
       2.0 can best be extended with our additions.
    
     o For Attribute retrieval and assertion formats, we are waiting
       for SAML 2.0 definitions of its formats, the meta-data stuff,
       etc.  We are not planning extensions here, just a link to the
       second profile (below) with a description of the process for
       mapping SAML Attributes to XACML Attributes.
    
     > - XACML profile of SAML?
     >    A profile of SAML, to be drafted by the XACML TC and submitted
     >    to the SSTC for consideration to be included in the SAML spec
     >    suite, that provides the XACML-compatible portion of our
     >    planned Baseline Attributes work?
    
    Profile for the generation of SAML Attributes that are usable by
    XACML systems
    
    We don't have a draft of this yet, but here is a description.
    
    For developers of systems that will be generating Attributes in
    SAML formats that need to work with XACML.  This document will
    apply only to SAML Attributes.  It will be very short:
    
      o Describe a DataType field/XML attribute for Attribute
        meta-data or <Attribute> itself.  This is "anyURI", and we
        will link to the XACML 1.0, 1.1, and 2.0 specifications for
        the definition of the values that may be used and their
        associated semantics.
    
      o Specify that any aggregation attributes used (Source, etc.)
        must be profiled specifically for XACML so an XACML system
        will know how to map the combination of the aggregation
        attributes and the Attribute identity attributes to a single
        XACML Attribute Identifier.
    
      o This document will be referenced from the previous profile.
    
     > The specific question I was supposed to ask you had to do with the 
     > timing of the one that's intended to be submitted to the SSTC.  Since 
     > our V2.0 design work is rapidly coming to a close, any submission might 
     > not get into the V2.0 release if it doesn't come really soon, but if it's 
     > a "profile of SAML", it can be published separately in a variety of 
     > different ways.
    
    I don't see why either of these has to come out along with SAML
    2.0, although the second one could profitably be submitted as
    part of the SAML 2.0 "package" to OASIS for "standard" approval.
    
    I volunteered to do this, and will, and it will be quick to do
    once I start, but it is about 3 items down on my to-do list, and
    probably will not be started until week after next.
    
     > But as you can see, I have a lot of other questions before I can 
     > understand any answer to this one!
     > 
     > Thanks,
     > 
     > 	Eve
     > -- 
     > Eve Maler                                        +1 781 442 3190
     > Sun Microsystems                            cell +1 781 354 9441
     > Web Products, Technologies, and Standards    eve.maler @ sun.com
    
    Anne
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    
    
    --- End Message ---
    
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    

