Orchard-Maler Assertion Proposal
SAML F2F #3
David Orchard, Eve Maler
Outline
Principles
Principle: Top-typing
Principle: Namespaces and Schema
Principle: Vocabulary re-use
Queries
Responses
Assertion Packages
Subject Assertion
Attribute Assertion
Authorization Assertion
Claim vs Assertion
Principles
“Constrain Early and Often”
– Top-typing
Fully leverage Namespaces and Schema for extensibility and re-use
– Extension mechanisms
– Attribute values
– Subject Assertions
Re-use existing vocabularies
– i.e., XQuery if complex queries
Usage of Attributes
Optimize for the simple cases
Principle: Top-Typing
OM defines cardinalities for all assertions
– i.e., a SubjectAssertion MUST have 1 subject
Assertions are not re-used for queries
If Assertions are re-used, there should be additional type(s)
Cardinalities of 0..* for all elements have dubious type safety.
Principle: Namespaces & Schema
Wherever possible, use namespaces for mixing content and schema for extensibility
All Assertions are types
– Place for adding new Assertions
– Subject Assertions have a required subject
• Reduces need for 3+ subject references
• And allows SubjectAssertionsPackage
Attributes are vocabulary specific
– Mixed in using Schema wildcard, <any>
– Attributes are in attribute language, not SAML language
Principle: Vocabulary re-use
Never re-invent the wheel, unless our wheel is much simpler than others
IFF we have complex queries, then re-use XQuery
Allow vocabularies to define their own attributes
Request
Contains a query
– Currently XQuery
– Allows complex queries
– Clients loosely coupled to server
• Clients can change queries without changing the specification
– High performance
– Allows queries against XML-defined attributes
Also contains optional SubjectAssertionPackage
– For passing in subject info, like authentication, attribute assertions
Response
Contains AssertionsPackage
Little controversy here
AssertionsPackage
Container for Assertions
Little controversy here
SubjectAssertions & SAPackage
Assertions that contain a subject
Example of Top-typing in action
Attribute, Authentication, and Authorization Assertions do not need to declare a subject
SubjectAssertionsPackage can make use of this, so it is more strongly typed than AssertionsPackage
AuthorizationAssertion
Binds resources, permissions to subjects
Used for query operations
– How does one ask “Can alice Read Y” without one of these?
Optimized for simple case
– 1 subject has 1 permission for 1 resource
Possible for multiple resources by having multiple Resources and/or Permissions
– Or multiple AuthorizationAssertions
AttributeAssertion
Contains attributes for a subject
The use of XML Schema wildcard allows arbitrary elements
We expect these are defined in external vocabularies
Optimized for the simple case, which is 1 XML vocabulary that expresses open-ended attributes.
Claim vs Assertion
OM defines an Assertion as facts relating to 1 subject
– Attributes, Authentication, Authorization
Further allows arbitrary # of attribute facts, yet only 1 authorization fact per assertion
This difference in style is due to the source of the facts.
– Attributes are defined externally, so there is no way for SAML to control how many
– Authorizations are defined by SAML, so SAML can control an assertion to exactly 1.
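The typing rules from the SubjectAssertions, AuthorizationAssertion, AttributeAssertion and Claim vs Assertion slides (exactly one Subject per SubjectAssertion, one authorization fact per AuthorizationAssertion, attribute content drawn from an external vocabulary through the schema wildcard) as a small package validator. This is an added example, not code from the proposal or from SAML; the namespace URIs, the element names, the 1..* reading of Resource/Permission and the sample package are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URI for the proposal's own elements (constructed; the slides give none)
SAML_NS = "urn:example:saml-om"

def q(local):
    return f"{{{SAML_NS}}}{local}"  # Clark-notation tag, as ElementTree reports it
# Constructed sample: an AuthorizationAssertion plus an AttributeAssertion carrying an external 'hr' attribute
SAMPLE = """<SubjectAssertionsPackage xmlns="urn:example:saml-om" xmlns:hr="urn:example:hr">
  <AuthorizationAssertion>
    <Subject>alice</Subject>
    <Resource>Y</Resource>
    <Permission>Read</Permission>
  </AuthorizationAssertion>
  <AttributeAssertion>
    <Subject>alice</Subject>
    <hr:department>Engineering</hr:department>
  </AttributeAssertion>
</SubjectAssertionsPackage>"""

def check_subject(elem):
    # Top-typing rule: a SubjectAssertion carries exactly one Subject, never 0..*
    return [] if len(elem.findall(q("Subject"))) == 1 else [f"{elem.tag}: exactly one Subject required"]

def check_authorization(elem):
    # One authorization fact per assertion; Resource/Permission taken as 1..* here
    # (assumption drawn from the 'multiple Resources and/or Permissions' slide).
    errors = check_subject(elem)
    for name in ("Resource", "Permission"):
        if not elem.findall(q(name)):
            errors.append(f"AuthorizationAssertion: at least one {name} required")
    return errors

def check_attribute(elem):
    # Wildcard children must come from an external vocabulary, not the SAML namespace
    errors = check_subject(elem)
    for child in elem:
        ns = child.tag[1:].split("}")[0] if child.tag.startswith("{") else ""
        if child.tag != q("Subject") and ns in (SAML_NS, ""):
            errors.append(f"AttributeAssertion: {child.tag} is not from an external vocabulary")
    return errors

CHECKS = {q("AuthorizationAssertion"): check_authorization, q("AttributeAssertion"): check_attribute}
def validate_package(xml_text):
    # Returns the list of rule violations; an empty list means the package conforms
    errors = []
    for assertion in ET.fromstring(xml_text):
        check = CHECKS.get(assertion.tag)
        errors.extend(check(assertion) if check else [f"unknown assertion type {assertion.tag}"])
    return errors
```

A schema with 0..* on every element would accept all four variants the test below distinguishes, which is the "dubious type safety" the Top-Typing slide warns about.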