OASIS eXtensible Access Control Markup Language (XACML) TC


[xacml] Groups - Asserting attribute predicates in SAML and XACML(XACML_TC_Conditions_in_SAML-XACML[1].ppt) uploaded

  • 1.  [xacml] Groups - Asserting attribute predicates in SAML and XACML(XACML_TC_Conditions_in_SAML-XACML[1].ppt) uploaded

    Posted 11-04-2010 02:51
    (Resending this message as non-std chars in Subject line may have
      caused illegibility.)
    Primelife Project:
    Greg Neven of IBM Research, Zurich presented an overview of the Primelife
    Project with proposals of how XACML and SAML may be able to address various
    requirements associated with this work. A paper from the W3C-sponsored
    Workshop on Access Control that Greg presented may be found here for
    background reference:
    Notes from the TC meeting discussion may be found here:
      -- Rich Levinson
    The document named Asserting attribute predicates in SAML and XACML
    (XACML_TC_Conditions_in_SAML-XACML[1].ppt) has been submitted by Rich
    Levinson to the OASIS eXtensible Access Control Markup Language (XACML) TC
    document repository.
    -OASIS Open Administration

  • 2.  RE: [xacml] Groups - Asserting attribute predicates in SAML and XACML(XACML_TC_Conditions_in_SAML-XACML[1].ppt) uploaded

    Posted 11-04-2010 16:00
    On further reflection, I have concerns about the proposal to include XACML Conditions in a SAML Assertion.
    My question is, what exactly do you propose to do with the condition expression? I can think of at least four possible operations which might be performed:
    1. Compute the expression value using the input attributes,
    2. Find the attributes needed to compute the expression value,
    3. Find attributes which produce a particular expression value, e.g. TRUE, and
    4. Compare two different expressions (e.g. in the SAML Assertion and in the XACML Policy) to determine if they will give the same result.
    XACML only really says how to do #1. We generally can manage to do #2 for conventional attributes, but I am not sure how it would work for the advanced, privacy-preserving credentials you described on the last call.
    I believe that #4 is NP-complete in the general case. 
    Can you outline exactly what steps would be performed in making use of a condition in a SAML (attribute) assertion?
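
Added example, not part of the thread or of any XACML implementation: operations 1, 2 and 4 from the list above, run on a simplified tuple form of a condition expression. The operator names, attribute names, sample expressions and value domains are constructed for illustration, and the comparison holds only over the finite domains supplied.

```python
from itertools import product

# Simplified stand-in for an XACML <Condition>: nested tuples instead of XML.
# ("attr", name) plays the role of an AttributeDesignator, ("const", v) of an
# AttributeValue, and (op, arg, ...) of an <Apply>. All names are constructed.
OPS = {
    "and": lambda *a: all(a),
    "or": lambda *a: any(a),
    "not": lambda a: not a,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}

def evaluate(expr, attrs):
    """Operation 1: compute the expression value from supplied attributes."""
    kind = expr[0]
    if kind == "attr":
        return attrs[expr[1]]  # KeyError signals a missing attribute
    if kind == "const":
        return expr[1]
    return OPS[kind](*(evaluate(e, attrs) for e in expr[1:]))

def required_attributes(expr):
    """Operation 2: find the attributes the expression refers to."""
    if expr[0] == "attr":
        return {expr[1]}
    if expr[0] == "const":
        return set()
    return set().union(*(required_attributes(e) for e in expr[1:]))

def equivalent(a, b, domains):
    """Operation 4 by brute force: compare a and b on every combination of
    candidate values. The number of combinations is the product of the domain
    sizes, so it grows exponentially with the number of attributes."""
    names = sorted(required_attributes(a) | required_attributes(b))
    checked = 0
    for values in product(*(domains[n] for n in names)):
        checked += 1
        env = dict(zip(names, values))
        if evaluate(a, env) != evaluate(b, env):
            return False, env, checked  # env is a distinguishing input
    return True, None, checked

# Constructed sample: a predicate carried in an assertion vs. one in a policy.
ASSERTED = ("and", ("ge", ("attr", "age"), ("const", 18)),
                   ("eq", ("attr", "country"), ("const", "CH")))
POLICY = ("not", ("or", ("not", ("ge", ("attr", "age"), ("const", 18))),
                        ("not", ("eq", ("attr", "country"), ("const", "CH")))))
DOMAINS = {"age": [17, 18, 19], "country": ["CH", "DE"]}
```

`equivalent(ASSERTED, POLICY, DOMAINS)` has to try all six value combinations before it can report a match, while a mismatch can stop at the first distinguishing input.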