Orchard-Maler Assertion Proposal SAML F2F #3 David Orchard, Eve Maler

Upload: toby-payne

Post on 14-Dec-2015


TRANSCRIPT

Page 1: Orchard-Maler Assertion Proposal SAML F2F #3 David Orchard, Eve Maler This presentation will probably involve audience discussion, which will create action

Orchard-Maler Assertion Proposal

SAML F2F #3

David Orchard, Eve Maler

Page 2

Outline

Principles

Principle: Top-typing

Principle: Namespaces and Schema

Principle: Vocabulary re-use

Queries

Responses

Assertion Packages

Subject Assertion

Attribute Assertion

Authorization Assertion

Claim vs Assertion

Page 3

Principles

“Constrain Early and Often”
– Top-typing

Fully leverage Namespaces and Schema for extensibility and re-use
– Extension mechanisms
– Attribute Values
– Subject Assertions

Re-use existing vocabularies
– I.e. XQuery if complex queries

Usage of Attributes

Optimize for the simple cases

Page 4

Principle: Top-Typing

OM defines cardinalities for all assertions
– I.e. SubjectAssertion MUST have 1 subject

Assertions are not re-used for queries

If Assertions are re-used, there should be additional type(s)

Cardinalities of 0..* for all elements have dubious type safety.

Page 5

Principle: Namespaces & Schema

Wherever possible, use namespaces for mixing content and schema for extensibility

All Assertions are types
– Place for adding new Assertions
– Subject Assertions have a required subject
  • Reduces need for 3+ subject references
  • And allows SubjectAssertionsPackage

Attributes are vocabulary specific
– Mixed in using Schema wildcard, <any>
– Attributes are in attribute language, not SAML language
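The type hierarchy that the top-typing slide (page 4) and this slide describe, written out as an XML Schema sketch. This is an added example, not schema text from the Orchard-Maler proposal: the target namespace urn:example:om-saml, the element names (Issuer, NameIdentifier, Resource, Permission, the Authentication* elements) and the package element names are assumptions. It shows the three points the slides make: a SubjectAssertion type that requires exactly one Subject, attribute content admitted only from other namespaces through an <any> wildcard, and a SubjectAssertionsPackage that is typed more tightly than AssertionsPackage because it only accepts subject-bearing assertions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example schema; namespace and element names are assumptions,
     not the proposal's own schema text. -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:om="urn:example:om-saml"
           targetNamespace="urn:example:om-saml"
           elementFormDefault="qualified">

  <!-- Base assertion: issuer plus an id. Abstract, so it is never used directly. -->
  <xs:complexType name="AssertionType" abstract="true">
    <xs:sequence>
      <xs:element name="Issuer" type="xs:anyURI"/>
    </xs:sequence>
    <xs:attribute name="id" type="xs:ID" use="required"/>
  </xs:complexType>

  <xs:complexType name="SubjectType">
    <xs:sequence>
      <xs:element name="NameIdentifier" type="xs:string"/>
    </xs:sequence>
  </xs:complexType>

  <!-- Top-typing: a SubjectAssertion MUST carry exactly one Subject
       (minOccurs and maxOccurs both default to 1). Subtypes inherit it
       and never have to declare a subject themselves. -->
  <xs:complexType name="SubjectAssertionType" abstract="true">
    <xs:complexContent>
      <xs:extension base="om:AssertionType">
        <xs:sequence>
          <xs:element name="Subject" type="om:SubjectType"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <xs:complexType name="AuthenticationAssertionType">
    <xs:complexContent>
      <xs:extension base="om:SubjectAssertionType">
        <xs:sequence>
          <xs:element name="AuthenticationMethod" type="xs:anyURI"/>
          <xs:element name="AuthenticationInstant" type="xs:dateTime"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- AttributeAssertion: any number of attribute facts, each from an external
       vocabulary. "##other" admits only elements outside this namespace, so the
       attributes stay in the attribute language, not the SAML language. -->
  <xs:complexType name="AttributeAssertionType">
    <xs:complexContent>
      <xs:extension base="om:SubjectAssertionType">
        <xs:sequence>
          <xs:any namespace="##other" processContents="lax"
                  minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- AuthorizationAssertion: one subject, one resource, one permission. -->
  <xs:complexType name="AuthorizationAssertionType">
    <xs:complexContent>
      <xs:extension base="om:SubjectAssertionType">
        <xs:sequence>
          <xs:element name="Resource" type="xs:anyURI"/>
          <xs:element name="Permission" type="xs:string"/>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- Substitution groups give the packages their typing: anything may stand
       in for Assertion, but only subject-bearing assertions for SubjectAssertion. -->
  <xs:element name="Assertion" type="om:AssertionType" abstract="true"/>
  <xs:element name="SubjectAssertion" type="om:SubjectAssertionType"
              abstract="true" substitutionGroup="om:Assertion"/>
  <xs:element name="AuthenticationAssertion" type="om:AuthenticationAssertionType"
              substitutionGroup="om:SubjectAssertion"/>
  <xs:element name="AttributeAssertion" type="om:AttributeAssertionType"
              substitutionGroup="om:SubjectAssertion"/>
  <xs:element name="AuthorizationAssertion" type="om:AuthorizationAssertionType"
              substitutionGroup="om:SubjectAssertion"/>

  <xs:complexType name="AssertionsPackageType">
    <xs:sequence>
      <xs:element ref="om:Assertion" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="SubjectAssertionsPackageType">
    <xs:sequence>
      <xs:element ref="om:SubjectAssertion" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="AssertionsPackage" type="om:AssertionsPackageType"/>
  <xs:element name="SubjectAssertionsPackage" type="om:SubjectAssertionsPackageType"/>
</xs:schema>
```

Two design notes. The wildcard uses namespace="##other" rather than "##any" so that an external attribute vocabulary cannot contribute elements that look like this schema's own (a second Subject, say); a consumer then never has to guess which Subject is authoritative. And the cardinality guarantees the slides argue for only hold on the consuming side if the receiver actually validates incoming packages against the schema; a parser that merely extracts the first Subject it finds gets none of the "exactly 1" protection. Page 11 also allows several Resource or Permission elements inside one assertion; that variant would set maxOccurs="unbounded" on those two elements.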

Page 6

Principle: Vocabulary re-use

Never re-invent the wheel, unless our wheel is much simpler than others

IFF we have complex queries, then re-use XQuery

Allow vocabularies to define their own attributes

Page 7

Request

Contains a query
– Currently XQuery
– Allows complex queries
– Clients loosely coupled to server
  • Clients can change queries without changing the specification
– High performance
– Allows queries against XML-defined attributes

Also contains optional SubjectAssertionPackage
– For passing in subject info, like authentication, attribute assertions
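A request of the shape this slide describes, as an added example (not a message from the proposal itself): an XQuery asking the "Can alice Read Y" question from page 11, together with an optional SubjectAssertionsPackage carrying an authentication assertion about the requester. The namespace urn:example:om-saml, the Request and Query element names, the language attribute and all values are assumptions or constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example request; element names, namespace and values are assumptions. -->
<om:Request xmlns:om="urn:example:om-saml" requestId="req-1">

  <!-- Optional subject information passed in with the request: here an
       authentication assertion stating how and when alice authenticated. -->
  <om:SubjectAssertionsPackage>
    <om:AuthenticationAssertion id="a1">
      <om:Issuer>urn:example:idp</om:Issuer>
      <om:Subject>
        <om:NameIdentifier>alice</om:NameIdentifier>
      </om:Subject>
      <om:AuthenticationMethod>urn:example:method:password</om:AuthenticationMethod>
      <om:AuthenticationInstant>2001-08-28T09:15:00Z</om:AuthenticationInstant>
    </om:AuthenticationAssertion>
  </om:SubjectAssertionsPackage>

  <!-- The query: the client asks the server's assertion store whether an
       authorization assertion grants alice Read on resource Y. The client can
       change this query without any change to the message specification. -->
  <om:Query language="http://www.w3.org/TR/xquery">
    declare namespace om = "urn:example:om-saml";
    for $a in //om:AuthorizationAssertion
    where $a/om:Subject/om:NameIdentifier = "alice"
      and $a/om:Resource = "urn:example:resource:Y"
      and $a/om:Permission = "Read"
    return $a
  </om:Query>
</om:Request>
```

The loose coupling the slide values cuts both ways for the server: because the query text is client-supplied, the server has to evaluate it only against the assertions the requester is entitled to see, and to bound the work a query can cause, since nothing in the specification limits what the XQuery may ask.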

Page 8

Response

Contains AssertionsPackage

Little controversy here

Page 9

AssertionsPackage

Container for Assertions

Little controversy here

Page 10

SubjectAssertions & SAPackage

Assertions that contain a subject

Example of top-typing in action

Attribute, Authentication, Authorization Assertions do not need to declare a subject

SubjectAssertionsPackage can make use of this, so it is more strongly typed than AssertionsPackage

Page 11

AuthorizationAssertion

Binds resources, permissions to subjects

Used for query operations
– How does one ask “Can alice Read Y” without one of these?

Optimized for simple case
– 1 subject has 1 permission for 1 resource

Possible for multiple resources by having multiple Resources and/or Permissions
– Or multiple AuthorizationAssertions

Page 12

AttributeAssertion

Contains attributes for a subject

The use of XML Schema wildcard allows arbitrary elements

We expect these are defined in external vocabularies

Optimized for the simple case, which is 1 XML vocabulary that expresses open-ended attributes.

Page 13

Claim vs Assertion

OM defines an Assertion as facts relating to 1 subject
– Attributes, Authentication, Authorization

Further allows arbitrary # of attribute facts, yet only 1 authorization fact per assertion

This difference in style is due to the source of the facts.
– Attributes are defined externally, so there is no way for SAML to control how many
– Authorizations are defined by SAML, so SAML can control an assertion to exactly 1.
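A response instance that puts the AuthorizationAssertion (page 11), AttributeAssertion (page 12) and Claim vs Assertion (this slide) points side by side, as an added example rather than a message from the proposal: one attribute assertion carrying several facts from an external vocabulary, and one authorization assertion per resource, each binding exactly one subject to one permission on one resource. The namespaces urn:example:om-saml and urn:example:vocab:hr, the Response element and every value are assumptions or constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example response; namespaces, element names and values are assumptions. -->
<om:Response xmlns:om="urn:example:om-saml"
             xmlns:hr="urn:example:vocab:hr"
             inResponseTo="req-1">
  <om:AssertionsPackage>

    <!-- Attribute facts: arbitrarily many, and all in the external hr vocabulary.
         Because the schema admits them through a wildcard, SAML cannot bound
         their number; only the hr vocabulary's own schema could. -->
    <om:AttributeAssertion id="a2">
      <om:Issuer>urn:example:attribute-authority</om:Issuer>
      <om:Subject>
        <om:NameIdentifier>alice</om:NameIdentifier>
      </om:Subject>
      <hr:department>engineering</hr:department>
      <hr:role>developer</hr:role>
      <hr:role>release-manager</hr:role>
      <hr:clearance>internal</hr:clearance>
    </om:AttributeAssertion>

    <!-- Authorization fact: exactly one subject, one resource, one permission.
         This is the assertion the request's "Can alice Read Y" query matches. -->
    <om:AuthorizationAssertion id="a3">
      <om:Issuer>urn:example:pdp</om:Issuer>
      <om:Subject>
        <om:NameIdentifier>alice</om:NameIdentifier>
      </om:Subject>
      <om:Resource>urn:example:resource:Y</om:Resource>
      <om:Permission>Read</om:Permission>
    </om:AuthorizationAssertion>

    <!-- A grant on a second resource is a second assertion (page 11 also allows
         repeating Resource within one assertion; either way the subject is stated once). -->
    <om:AuthorizationAssertion id="a4">
      <om:Issuer>urn:example:pdp</om:Issuer>
      <om:Subject>
        <om:NameIdentifier>alice</om:NameIdentifier>
      </om:Subject>
      <om:Resource>urn:example:resource:Z</om:Resource>
      <om:Permission>Write</om:Permission>
    </om:AuthorizationAssertion>

  </om:AssertionsPackage>
</om:Response>
```

The practical consequence of the "exactly 1" rule for a relying party is that an authorization decision never depends on pairing up the n-th Resource with the n-th Permission, or on deciding which of several subjects a grant applies to: each assertion is one unambiguous triple, so a consumer that validates the package can accept or reject it per assertion. The attribute side has no such guarantee, which is why a consumer should treat the hr:* facts as data from that vocabulary's issuer and apply its own limits on how many it is willing to process.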