Orchard-Maler Assertion Proposal - PowerPoint PPT Presentation

About This Presentation
Title: Orchard-Maler Assertion Proposal
Slides: 14
Provided by: dor144

Transcript and Presenter's Notes

Title: Orchard-Maler Assertion Proposal

1
Orchard-Maler Assertion Proposal
  • SAML F2F 3
  • David Orchard,
  • Eve Maler

2
Outline
  • Principles
  • Principle: Top-typing
  • Principle: Namespaces and Schema
  • Principle: Vocabulary re-use
  • Queries
  • Responses
  • Assertion Packages
  • Subject Assertion
  • Attribute Assertion
  • Authorization Assertion
  • Claim vs Assertion

3
Principles
  • Constrain Early and Often
  • Top-typing
  • Fully leverage Namespaces and Schema for
    extensibility and re-use
  • Extension mechanisms
  • Attribute Values
  • Subject Assertions
  • Re-use Existing vocabularies
  • I.e. XQuery if complex queries
  • Usage of Attributes
  • Optimize for the Simple cases

4
Principle: Top-Typing
  • OM (Orchard-Maler) defines cardinalities for all
    assertions
  • I.e. a SubjectAssertion MUST have exactly 1 subject
  • Assertions are not re-used for queries
  • If assertions are re-used, it should be as
    additional type(s)
  • Cardinalities of 0..* for all elements have
    dubious type safety.

5
Principle: Namespaces & Schema
  • Wherever possible, use namespaces for mixing
    content and schema for extensibility
  • All Assertions are types
  • Place for adding new Assertions
  • Subject Assertions have a required subject
  • Removes the need for 3 separate subject references
    (one each in Attribute, Authentication and
    Authorization assertions)
  • And allows SubjectAssertionsPackage
  • Attributes are vocabulary specific
  • Mixed in using the Schema wildcard, <any>
  • Attributes are in the attribute language, not the
    SAML language

6
Principle: Vocabulary re-use
  • Never re-invent the wheel, unless our wheel is
    much simpler than others
  • IFF we have complex queries, then re-use XQuery
  • Allow vocabularies to define their own attributes

7
Request
  • Contains a query
  • Currently XQuery
  • Allows complex queries
  • Clients loosely coupled to the server
  • Clients can change queries without changing the
    specification
  • High performance
  • Allows queries against XML-defined attributes
  • Also contains an optional SubjectAssertionsPackage
  • For passing in subject info, like authentication
    and attribute assertions

8
Response
  • Contains an AssertionsPackage
  • Little controversy here

9
AssertionsPackage
  • Container for Assertions
  • Little controversy here

10
SubjectAssertionsPackage (SAPackage)
  • Assertions that contain a subject
  • Example of top-typing in action
  • Attribute, Authentication and Authorization
    Assertions do not need to declare a subject of
    their own; the subject is declared once on the
    SubjectAssertion type
  • SubjectAssertionsPackage can make use of this, so
    it is more strongly typed than AssertionsPackage
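The typing rules from slides 4, 5 and 10 (a subject assertion carries exactly one subject, attribute elements enter through a namespace wildcard from their own vocabulary, and SubjectAssertionsPackage admits only assertions that carry a subject) can be checked programmatically. The Python below is an added example written for this page, not code from the proposal or from any SAML implementation; the element names, the urn:example namespaces and the sample packages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:example:saml-proposal"   # assumed namespace for the proposal's own elements
SUBJECT_ASSERTIONS = {"AttributeAssertion", "AuthenticationAssertion", "AuthorizationAssertion"}
ALL_ASSERTIONS = SUBJECT_ASSERTIONS | {"Assertion"}   # a bare Assertion has no required subject


def _split(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def _q(local):
    return "{%s}%s" % (SAML, local)


def validate_assertion(elem):
    """Return a list of type-safety violations for one assertion element."""
    errors = []
    ns, kind = _split(elem.tag)
    if ns != SAML or kind not in ALL_ASSERTIONS:
        return ["unknown assertion element %s" % elem.tag]
    if kind in SUBJECT_ASSERTIONS:
        # Top-typing: the SubjectAssertion type requires exactly one Subject.
        n = len(elem.findall(_q("Subject")))
        if n != 1:
            errors.append("%s: expected exactly 1 Subject, found %d" % (kind, n))
    if kind == "AttributeAssertion":
        # Attributes enter through <any namespace="##other">: every non-Subject
        # child must belong to the attribute vocabulary, never to SAML's namespace.
        for child in elem:
            cns, clocal = _split(child.tag)
            if cns == SAML and clocal == "Subject":
                continue
            if cns in ("", SAML):
                errors.append("AttributeAssertion: attribute element %s must be in a non-SAML namespace" % child.tag)
    if kind == "AuthorizationAssertion":
        # Binds permissions and resources to the subject; slide 11 allows more than one of each.
        for part in ("Permission", "Resource"):
            if not elem.findall(_q(part)):
                errors.append("AuthorizationAssertion: at least one %s required" % part)
    return errors


def validate_package(xml_text):
    """Validate an AssertionsPackage or SubjectAssertionsPackage; [] means well-typed."""
    root = ET.fromstring(xml_text)
    ns, kind = _split(root.tag)
    if ns != SAML or kind not in ("AssertionsPackage", "SubjectAssertionsPackage"):
        return ["unknown package element %s" % root.tag]
    errors = []
    for child in root:
        _, clocal = _split(child.tag)
        if kind == "SubjectAssertionsPackage" and clocal not in SUBJECT_ASSERTIONS:
            # The stronger-typed package admits only assertions that carry a subject.
            errors.append("SubjectAssertionsPackage: %s is not a subject assertion" % child.tag)
            continue
        errors.extend(validate_assertion(child))
    return errors


# Constructed sample packages (not taken from the proposal).
GOOD = """<saml:SubjectAssertionsPackage xmlns:saml="urn:example:saml-proposal"
                               xmlns:hr="urn:example:hr-vocabulary">
  <saml:AttributeAssertion>
    <saml:Subject>alice</saml:Subject>
    <hr:Department>Security</hr:Department>
    <hr:Clearance>secret</hr:Clearance>
  </saml:AttributeAssertion>
  <saml:AuthorizationAssertion>
    <saml:Subject>alice</saml:Subject>
    <saml:Permission>Read</saml:Permission>
    <saml:Resource>urn:example:doc/Y</saml:Resource>
  </saml:AuthorizationAssertion>
</saml:SubjectAssertionsPackage>"""

# Three things a 0..* schema would silently admit: two subjects on one
# authorization, an attribute smuggled into SAML's own namespace, and a
# subject-less Assertion inside the subject-only package.
BAD = """<saml:SubjectAssertionsPackage xmlns:saml="urn:example:saml-proposal">
  <saml:AuthorizationAssertion>
    <saml:Subject>alice</saml:Subject>
    <saml:Subject>bob</saml:Subject>
    <saml:Permission>Read</saml:Permission>
    <saml:Resource>urn:example:doc/Y</saml:Resource>
  </saml:AuthorizationAssertion>
  <saml:AttributeAssertion>
    <saml:Subject>alice</saml:Subject>
    <saml:Role>admin</saml:Role>
  </saml:AttributeAssertion>
  <saml:Assertion/>
</saml:SubjectAssertionsPackage>"""

# The same subject-less Assertion is fine in the weaker-typed AssertionsPackage.
LOOSE = """<saml:AssertionsPackage xmlns:saml="urn:example:saml-proposal">
  <saml:Assertion/>
</saml:AssertionsPackage>"""

if __name__ == "__main__":
    for name, pkg in (("GOOD", GOOD), ("BAD", BAD), ("LOOSE", LOOSE)):
        print(name, validate_package(pkg) or "ok")
```

In a real deployment these rules belong in the XML Schema itself (minOccurs="1" maxOccurs="1" on Subject, an <any namespace="##other"> wildcard for attribute content), so a validating parser rejects such packages before application code sees them; the checks above make visible what the 0..* alternative on slide 4 would let through.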

11
AuthorizationAssertion
  • Binds resources and permissions to subjects
  • Used for query operations
  • How does one ask "Can Alice read Y?" without one
    of these?
  • Optimized for the simple case
  • 1 subject has 1 permission for 1 resource
  • Possible for multiple resources by having
    multiple Resources and/or Permissions
  • Or multiple AuthorizationAssertions

12
AttributeAssertion
  • Contains attributes for a subject
  • The use of the XML Schema wildcard allows arbitrary
    elements
  • We expect these to be defined in external
    vocabularies
  • Optimized for the simple case, which is 1 XML
    vocabulary that expresses open-ended attributes.

13
Claim vs Assertion
  • OM defines an Assertion as facts relating to 1
    subject
  • Attributes, Authentication, Authorization
  • Further allows an arbitrary number of attribute
    facts, yet only 1 authorization fact per assertion
  • This difference in style is due to the source of
    the facts.
  • Attributes are defined externally, so there is no
    way for SAML to control how many
  • Authorizations are defined by SAML, so SAML can
    constrain an assertion to exactly 1.
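The question on slide 11, "Can Alice read Y?", is answered by normalizing every AuthorizationAssertion in a package into (subject, permission, resource) triples: the simple 1/1/1 case gives one triple, and the multi-Resource and/or multi-Permission form of the same slide gives the cross product. The Python below is an added example written for this page, not code from the proposal or from SAML; the urn:example namespace, the element names and the sample package are assumptions constructed for illustration, and plain strings stand in for real subject and resource identifiers.

```python
import xml.etree.ElementTree as ET
from itertools import product

SAML = "urn:example:saml-proposal"   # assumed namespace for the proposal's elements


def _texts(elem, local):
    """Text content of every direct <saml:local> child of elem."""
    return [(e.text or "").strip() for e in elem.findall("{%s}%s" % (SAML, local))]


def grants(package_xml):
    """Normalize every AuthorizationAssertion in a package into simple
    (subject, permission, resource) triples, the 1/1/1 case the proposal is
    optimized for.  One assertion listing several Resources and/or Permissions
    denotes their cross product, so it expands to several triples.  An
    assertion that does not bind exactly one subject violates top-typing."""
    root = ET.fromstring(package_xml)
    triples = set()
    for a in root.iter("{%s}AuthorizationAssertion" % SAML):
        subjects = _texts(a, "Subject")
        if len(subjects) != 1:
            raise ValueError("AuthorizationAssertion must bind exactly one Subject, found %d" % len(subjects))
        for permission, resource in product(_texts(a, "Permission"), _texts(a, "Resource")):
            triples.add((subjects[0], permission, resource))
    return triples


def can(package_xml, subject, permission, resource):
    """Answer 'Can <subject> <permission> <resource>?' from the package alone."""
    return (subject, permission, resource) in grants(package_xml)


def permissions_of(package_xml, subject, resource):
    """Every permission the package asserts for one subject on one resource."""
    return {p for (s, p, r) in grants(package_xml) if s == subject and r == resource}


# Constructed sample package (not from the proposal): one assertion in the
# simple 1/1/1 form, one using several Permissions and Resources at once.
PACKAGE = """<saml:SubjectAssertionsPackage xmlns:saml="urn:example:saml-proposal">
  <saml:AuthorizationAssertion>
    <saml:Subject>alice</saml:Subject>
    <saml:Permission>Read</saml:Permission>
    <saml:Resource>Y</saml:Resource>
  </saml:AuthorizationAssertion>
  <saml:AuthorizationAssertion>
    <saml:Subject>bob</saml:Subject>
    <saml:Permission>Read</saml:Permission>
    <saml:Permission>Write</saml:Permission>
    <saml:Resource>Y</saml:Resource>
    <saml:Resource>Z</saml:Resource>
  </saml:AuthorizationAssertion>
</saml:SubjectAssertionsPackage>"""

if __name__ == "__main__":
    print(sorted(grants(PACKAGE)))
    print("alice Read Y:", can(PACKAGE, "alice", "Read", "Y"))
    print("alice Write Y:", can(PACKAGE, "alice", "Write", "Y"))
    print("bob on Y:", permissions_of(PACKAGE, "bob", "Y"))
```

The decision never consults anything but the triples, which is the point of slide 13: because SAML itself defines the authorization vocabulary, it can pin each assertion to one subject and make the question a direct lookup, whereas attribute facts come from external vocabularies and have to be left open-ended.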