OASIS eXtensible Access Control Markup Language (XACML) TC

Re: Telling the PIP where to pull from

    Posted 10-21-2010 10:06
    Here is some more background information on this topic.
    
    1. Our first attempt at this was done in the Open Grid Forum Authz 
    working group several years ago and the result is documented in a couple 
    of draft OGF profiles. In this case, the PEP knows the user's 
    distinguished name from his X.509 PKC, and this is passed to the context 
    handler/PDP as a subject attribute in the request context. It is assumed 
    that the user's attributes are assigned to this DN at all the different 
    attribute authorities. In order to request that the PIP pull attributes 
    from a given set of AAs/IDPs, the PEP places an IDPList element into the 
    request context as an environmental attribute with
    ID= http://schemas.ogf.org/ogsa-authz/2008/09/attribute/IDPList.
    
    IDPList is defined below