XACML and Federated Identity Hal Lockhart BEA Systems.

1 XACML and Federated Identity Hal Lockhart BEA Systems

2 Hal Lockhart  Principal Technologist, BEA Systems  Co-chair XACML TC  SAML Issues List Editor  Editor WS Security TC Interop Specs  Also Member: Provisioning TC, Digital Signature Services TC, Rights Language TC, WS-I Basic Security Profile WG, Web Services Management TC, Project Liberty, DCML  OASIS Security Joint Committee  OASIS Liaison to W3C for WS Security

3 Information Security Definition Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary.  Suggested by Authorization  Applies to all security services  Protection against accidents is incidental  Suggests four areas of attention

4 Information Security Areas  Policy determination  Expression: code, permissions, ACLs, Language  Evaluation: semantics, architecture, performance  Policy enforcement  Maintain integrity of Trusted Computing Base (TCB)  Enforce variable policy

5 Infrastructural Service  Consistent enforcement of security policies  Minimize user inconvenience  Ensure seamless implementation  Coherent, interdependent services  Not just list of products  Avoid reimplementation  Simplify management and administration

6 Authorization Theory (diagram)  Actors: System Entity, Credentials Collector, Authentication Authority, Attribute Authority, Policy Decision Point, Policy Enforcement Point  Items exchanged: Application Request, Credentials, Credentials Assertion, Authentication Assertion, Attribute Assertion, Policy, Authorization Decision Assertion

7 Types of Authorization Info - 1  Attribute Assertion  Properties of a system entity (typically a person)  Relatively abstract – business context  Same attribute used in multiple resource decisions  Examples: X.509 Attribute Certificate, SAML Attribute Statement, XrML PossessProperty  Authorization Policy  Specifies all the conditions required for access  Specifies the detailed resources and actions (rights)  Can apply to multiple subjects, resources, times…  Examples: XACML Policy, XrML License, X.509 Policy Certificate

8 Types of Authorization Info - 2  AuthZ Decision  Expresses the result of a policy decision  Specifies a particular access that is allowed  Intended for immediate use  Example: SAML AuthZ Decision Statement, IETF COPS

9 Implications of this Model  Benefits  Improved scalability  Separation of concerns  Enables federation  Distinctions not absolute  Attributes can seem like rights  A policy may apply to one principal, resource  Systems with a single construct tend to evolve to treating principal or resource as abstraction

10 One Best Practice Approach  Centralized User Id issuance  Smartcard – Contains Public Keys – Photo ID – Building Access – (possibly biometrics)  Issued by Security Dept at start of employment  Distributed User Attribute Issuance  Federated repositories  Issued by “best source” boss, secretary, project lead, outsource vendor, external org  Policy managed as part of infrastructure  Aligned with application deployments, upgrades

11 OASIS Overview  Organization for the Advancement of Structured Information Standards (www.oasis-open.org)  Non-profit consortium – founded 1993  600 Members (350+ organizations) – 100 countries  Lightweight standardization process  Business process, Building, CGM, DocBook, ebXML, Government, Legal, Naming, RELAX NG, Security, Topic Maps, UBL, UDDI, Web Services Infrastructure  IPR Policy emphasizes full disclosure  All technical proceedings are completely public  Board of Directors includes: BEA, HP, IBM, Intel, Microsoft, Nokia, Oracle, Sun, UK Government

12 SAML History  Work started on 9 January 2001  From a base of S2ML and AuthXML  SAML 1.0 - OASIS Standard – 12 November 2002  Initial version  Used as starting point for Shibboleth and Project Liberty  SAML 1.1 – OASIS Standard – 2 September 2003  Corrections and backward compatible changes  SAML 2.0 – In progress – complete summer 2004  Submissions from Shibboleth and Project Liberty  Deferred features  Other field experience

13 XACML TC Charter  Define a core XML schema for representing authorization and entitlement policies  Target - any object - referenced using XML  Fine grained control, characteristics - access requestor, protocol, classes of activities, and content introspection  Consistent with and building upon SAML

14 XACML Objectives  Ability to locate policies in distributed environment  Ability to federate administration of policies about the same resource  Base decisions on wide range of inputs  Multiple subjects, resource properties  Decision expressions of unlimited complexity  Ability to do policy-based delegation  Usable in many different environments  Types of Resources, Subjects, Actions  Policy location and combination

15 XACML Data Flow Model (diagram)

16 General Characteristics  Defined using XML Schema  Strongly typed language  Extensible in multiple dimensions  Borrows from many other specifications  Features requiring XPath are optional  Obligation feature optional (IPR issue)  Language is very “wordy”  Many long URLs  Expect it to be generated by programs  Complex enough that there is more than one way to do most things

17 XACML Concepts  Policy & PolicySet – combining of applicable policies using CombiningAlgorithm  Target – Rapidly index to find applicable Policies or Rules  Conditions – Complex boolean expression with many operands, arithmetic & string functions  Effect – “Permit” or “Deny”  Obligations – Other required actions  Request and Response Contexts – Input and Output  Bag – unordered list which may contain duplicates

18 XACML Concepts (diagram)  PolicySet contains Policies and Obligations  Policy contains a Target, Rules and Obligations  Rule contains a Target, a Condition and an Effect

19 Request and Response Context (diagram)

20 Rules  Smallest unit of administration; cannot be evaluated alone, only as part of a Policy  Elements  Description – documentation  Target – selects the requests to which the rule applies  Condition – boolean decision function  Effect – either “Permit” or “Deny”  Results  If target matches and condition is true, return Effect value  If not, return NotApplicable  If error or missing data, return Indeterminate  Plus status code

21 Target  Designed to efficiently find the policies that apply to a request  Makes it feasible to have very complex Conditions  Attributes of Subjects, Resources and Actions  Matches against value, using match function  Regular expression  RFC822 (email) name  X.500 name  User defined  Attributes specified by Id or XPath expression  Normally use Subject or Resource, not both

22 Condition  Boolean function to decide if Effect applies  Inputs come from Request Context  Values can be primitive, complex or bags  Can be specified by id or XPath expression  Fourteen primitive types  Rich array of typed functions defined  Functions for dealing with bags  Order of evaluation unspecified  Allowed to quit when result is known  Side effects not permitted

23 Datatypes  From XML Schema  String, boolean  Integer, double  Time, date  dateTime  anyURI  hexBinary  base64Binary  From Xquery  dayTimeDuration  yearMonthDuration  Unique to XACML  rfc822Name  x500Name

24 Functions  Equality predicates  Arithmetic functions  String conversion functions  Numeric type conversion functions  Logical functions  Arithmetic comparison functions  Date and time arithmetic functions  Non-numeric comparison functions  Bag functions  Set functions  Higher-order bag functions  Special match functions  XPath-based functions  Extension functions and primitive types

25 Policies and Policy Sets  Policy  Smallest element PDP can evaluate  Contains: Description, Defaults, Target, Rules, Obligations, Rule Combining Algorithm  Policy Set  Allows Policies and Policy Sets to be combined  Use not required  Contains: Description, Defaults, Target, Policies, Policy Sets, Policy References, Policy Set References, Obligations, Policy Combining Algorithm  Combining Algorithms: Deny-overrides, Permit-overrides, First-applicable, Only-one-applicable (policy combining only)

26 Request and Response Context  Request Context  Attributes of:  Subjects – requester, intermediary, recipient, etc.  Resource – name, can be hierarchical  Resource Content – specific to resource type, e.g. XML document  Action – e.g. Read  Environment – other, e.g. time of request  Response Context  Resource ID  Decision  Status (error values)  Obligations
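Slides 20 through 26 describe the evaluation model in prose only. The following is an added example, not code from the presentation, from BEA or from any OASIS XACML implementation: a miniature PDP in Python that models Rule, Target, Condition, Effect, Policy, the request context (subject, resource, action, environment attributes held in bags) and the deny-overrides and permit-overrides rule-combining algorithms, then runs a constructed policy against constructed requests. Attribute and function names ("subject-id", "current-hour", equal, rfc822name_match) are shortened stand-ins for XACML's URN identifiers, an assumption made for readability; the record-access policy and the requests are invented for the example.

```python
"""Miniature XACML-style PDP: Rule, Target, Condition, Effect, Policy and the
overrides rule-combining algorithms. Added example, not code from the
presentation or from any XACML implementation; names are shortened stand-ins
for XACML URN identifiers (an assumption made for readability)."""
import re
from dataclasses import dataclass, field
from typing import Callable
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

class MissingAttribute(Exception):
    """A Condition needed a value the request context does not carry."""

def bag(req, category, attr_id):
    """Attribute values form a bag (unordered, duplicates allowed); absent -> empty bag."""
    return req.get(category, {}).get(attr_id, [])

def one_and_only(values):
    """XACML *-one-and-only: exactly one element, otherwise the expression errors."""
    if len(values) != 1:
        raise MissingAttribute(f"expected exactly one value, got {len(values)}")
    return values[0]

def rfc822name_match(pattern, value):
    """'user@host' one mailbox, 'host' any mailbox at host, '.host' any sub-domain of host."""
    local, _, domain = value.partition("@")
    if "@" in pattern:
        plocal, _, pdomain = pattern.partition("@")
        return plocal == local and pdomain.lower() == domain.lower()
    pattern, domain = pattern.lower(), domain.lower()
    return domain.endswith(pattern) if pattern.startswith(".") else domain == pattern

@dataclass
class Target:
    """Clauses (category, attribute id, match fn, literal); empty Target applies to all."""
    clauses: list = field(default_factory=list)
    def matches(self, req):   # a clause holds if any value in the attribute's bag matches
        return all(any(fn(lit, v) for v in bag(req, cat, aid)) for cat, aid, fn, lit in self.clauses)

@dataclass
class Rule:
    effect: str                                  # "Permit" or "Deny"
    target: Target = field(default_factory=Target)
    condition: Callable = lambda req: True       # boolean over the request context
    def evaluate(self, req):
        if not self.target.matches(req):
            return NOT_APPLICABLE
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE                  # error or missing data

def overrides(winner):
    """Build deny-overrides (winner=DENY) or permit-overrides (winner=PERMIT). They are
    not mirror images: an Indeterminate from a rule whose Effect is the winner is a
    'potential' winner, which deny-overrides resolves to Deny but permit-overrides
    only to Indeterminate, so an evaluation error never widens access."""
    loser = PERMIT if winner == DENY else DENY
    def combine(rules, req):
        potential = some_loser = some_error = False
        for rule in rules:
            d = rule.evaluate(req)
            if d == winner:
                return winner
            some_loser |= d == loser
            if d == INDETERMINATE:
                some_error, potential = True, potential or rule.effect == winner
        if potential:
            return DENY if winner == DENY else INDETERMINATE
        return loser if some_loser else INDETERMINATE if some_error else NOT_APPLICABLE
    return combine
deny_overrides, permit_overrides = overrides(DENY), overrides(PERMIT)

@dataclass
class Policy:
    target: Target
    rules: list
    def decide(self, req, combining=deny_overrides):
        """Policy Target is checked first; only then are the Rules combined."""
        return combining(self.rules, req) if self.target.matches(req) else NOT_APPLICABLE

# Constructed policy (not from the presentation) for records under /records/.
equal = lambda lit, v: lit == v
RECORDS = Policy(
    Target([("resource", "resource-id", lambda pat, v: re.search(pat, v) is not None, r"^/records/")]),
    [   # owners may do anything to their own record
        Rule(PERMIT, condition=lambda r: one_and_only(bag(r, "subject", "subject-id"))
             == one_and_only(bag(r, "resource", "owner"))),
        # writes outside 09:00-17:00 are denied; a request without current-hour makes it Indeterminate
        Rule(DENY, Target([("action", "action-id", equal, "write")]),
             lambda r: not 9 <= one_and_only(bag(r, "environment", "current-hour")) < 17),
        # any example.com mailbox may read
        Rule(PERMIT, Target([("subject", "email", rfc822name_match, "example.com"),
                             ("action", "action-id", equal, "read")]))])

def request(subject, email, resource, owner, action, hour=None):
    """Constructed request context; hour=None leaves the environment attribute out."""
    env = {} if hour is None else {"current-hour": [hour]}
    return {"subject": {"subject-id": [subject], "email": [email]}, "action": {"action-id": [action]},
            "resource": {"resource-id": [resource], "owner": [owner]}, "environment": env}
```

The interesting case is a write request that carries no current-hour attribute: the Deny rule cannot be evaluated, so it returns Indeterminate, and deny-overrides turns that into Deny while permit-overrides returns Indeterminate. Either way the PEP must treat anything other than Permit as a refusal; the PDP never converts missing data into access.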

27 XACML History  First Meeting – 21 May 2001  Requirements from: Healthcare, DRM, Registry, Financial, Online Web, XML Docs, Fed Gov, Workflow, Java, Policy Analysis, WebDAV  XACML 1.0 - OASIS Standard – 6 February 2003  XACML 1.1 – Committee Specification – 7 August 2003  XACML 2.0 – In progress – complete summer 2004

28 New in XACML 2.0  Profiles  Digital Signature, Hierarchical Resources, LDAP, Privacy, RBAC, SAML Integration  Condition & Rule References  Combining Algorithm Parameters  Environment in Target  Time in Range  Policy Versions  Negative Target Match  New Functions

29 Beyond Version 3.0  Administrative policies  Policy delegation  Configuration Metadata  Domain Specific Identifiers  Function Declarations  Missing Attributes

30 XACML Uptake  Three open source implementations available  See OASIS website  Product Statements  BEA, DataPower, OverXeer  Standards references  Open GIS Consortium  XRI Data Interchange – interest  UDDI – interest  Global Grid Forum – joint work  PRISM (Publication Metadata) – interest

31 Summary – XACML and Federated ID  XACML view: Identity is a collection of attributes  XACML can use identity information from any source as a basis for policy decisions  XACML policies can consider multiple parties involved in a request  Requester, Recipient, Intermediaries, Node Identity, Codebase  XACML policies also can consider non-identity information  Date/time, location, operation, resource attributes, resource content  Deployment of Id Federations will stimulate interest in XACML
