[OGSA-AUTHZ] VO SAML Attribute Profile
Krzysztof Benedyczak
golbi at mat.uni.torun.pl
Mon Feb 11 06:03:52 CST 2008
Hello,
After a bit of investigation of URI encoding I've run into some issues
that, I think, need more discussion.
Some of them occurred after evaluating a simple use-case, which is:
let's consider a XACML policy which grants access for all entities who
possess a 'role' attribute with a value 'Admin' in a scope of vo/group:
'SomeVO/Staff'.
I believe that such a simple use case should be also simple to express,
implement etc.
1) I assume that an attribute 'X' with value 'V' in scope of 'S1/S2/S3'
should be expressed like this:
<saml:Attribute
xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#anyURI"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="X"
FriendlyName="friendly X">
<saml:AttributeValue xsi:type="xsd:anyURI"
>group://voservice/S1/S2/S3#V</saml:AttributeValue>
</saml:Attribute>
I wrote it because it isn't exactly as in Tom's proposal (so is it ok?).
And also another issue: XACML DataType. As I understand the topic about
the legacy/trivial/dummy software the problem is with values not being a
simple string. Will it be OK for this software when it will see xsd:anyURI?
2) URI equivalence test in XACML is simple codepoint-by-codepoint (or
UnicodeChar-by-UnicodeChar). Provided that, we come into a nightmare of
infinite number of representations of the *same* scope+value pair:
-) The VO service URI as part of SAML attribute value will complicate
things a lot. Examples:
*) group://serivice.org/services/foo - is it VO 'foo' of VOservice
service.org/services OR group 'foo' of VO 'services' of VOservice
'service.org'?
*) when XACML policy requires 'group:///vo/group#Admin' and PDP
receives 'group://VOservice.org/vo/group#Admin' then comparison will fail.
-) shall we enforce an URI normalization for the 'group:' URIs? For
possible examples of it see http://tools.ietf.org/html/rfc3986#section-6.2
I think that we can take two approaches. Either resign from putting
voservice's URI as part of 'group:' URI at all - then it won't be
globally unique but most of the problems will disappear. Or enforce
voservice's URI to be put in 'group:' URI and define a canonical form.
It will add uniques but at cost of complicated profile and implementation.
In favor of the first solution there is one more point - global
uniqueness wasn't considered in our previous proposal (so at least we
can live without it).
3) Having 'group:' URIs what about earlier 'VO' and 'group' SAML
attributes (defined in the initial version of draft)? I think we should
merge them into one attribute proposed by Tom: 'isMemberOf', with group
URI syntax as a value. It will be enough to express both VO and group.
'isMemberOf' attribute's namespace would be VO profile-specific.
Best regards,
Krzysztof
More information about the ogsa-authz-wg
mailing list