[OGSA-AUTHZ] Draft XACML/SAML Protocol Profile

Valerio Venturi valerio.venturi at cnaf.infn.it
Mon Dec 3 09:44:54 CST 2007


Hi Chad,
your work aims at satisfying the same need as one of the current WG drafts, 
Use of XACML Request Context to Obtain an Authorization Decision,
last version at 
https://forge.gridforum.org/sf/docman/do/downloadDocument/projects.ogsa-authz/docman.root.authz_service/doc14907
One difference is that this one states only that the SAML V2.0 Profile
for XACML V2.0 is used for carrying the message, while yours goes deeper
into details and mandates using the SAML SOAP Binding. I think this
suits the WG specification as well, and this is exactly what the SAML
Profile for XACML was meant for: to leverage the protocols and bindings that
SAML has, which XACML doesn't.
The other requirements seem sound to me as well. Please keep us
informed of your efforts, so that we can exchange experiences and find a
convergence. 
David, as the main author of the XACML spec, do you think Chad's doc
requirements can be received in your doc? I really hope so, since I'm
implementing those too:). Actually, when we speak of web services, most
of the time it is assumed you'll be using SOAP over HTTP, but I think it's
worth being clear in a spec.
Another thing, what about a WSDL? We are publishing one, though non-
normative, in the Attribute Exchange Profile. In general, I think a WSDL
helps adoption a lot, so it may be a good idea to have one in. What do
you think? 
 
Chad, needless to say, your comments on the WG doc are also very much
appreciated.

Valerio

On Mon, 2007-12-03 at 06:54 -0800, Chad La Joie wrote:
> For part of some EGEE work that I'm involved in I came up with a 
> profile, in draft form currently, for the XACML over SAML protocol 
> defined within the OASIS XACML working group.  Valerio suggested that I 
> make it available to this working group for possible adoption in your 
> efforts.
> 
> The draft can be found here:
> http://switch.ch/grid/support/documents/xacmlsaml.pdf
> 
> The basic goal of the document is to restrict possible options into a 
> baseline subset such that discrete implementations might inter-operate. 
> I think Valerio's summary of the document, as follows, is good:
> - requirement for using the SAML SOAP binding as in SAMLBind
> - requirement for having mutual authentication between the requester and
> the responder
> - some requirements on the elements usage
> - requirements on authN, integrity and confidentiality
> 
> Note this document is only about interoperability at the protocol level, 
> it does not speak to the other necessary item here which is a profile 
> for the information (attributes) within the XACML request/response 
> context.  I know that individuals here have already been working on such 
> a document.
> 
> Comments are welcome to the document.  We will be going forward with an 
> immediate implementation of this draft for the EGEE work, but that 
> should only be taken as a reflection of a constrained timeline for a 
> short-term project, not as an indication that the profile is already as 
> good as possible.
> 