ESOE Attribute Authority Design

Enterprise Sign On Engine Technical Architecture
Written by Bradley Beddoes
September 2006

Architecture design by Bradley Beddoes
Incorporates SAML 2.0, and (L)XACML 2.0 OASIS standards

Contributions by:
Shaun Mangelsdorf
Andre Zitelli

Edited by:
Bradley Beddoes
Shaun Mangelsdorf
Andre Zitelli

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Attribute Authority Processor

Component Lead: Shaun Mangelsdorf
Package: com.qut.middleware.esoe.aa.impl.*
Type: AttributeAuthorityProcessorImpl
Implemented Interfaces: com.qut.middleware.esoe.aa.AttributeAuthorityProcessor
Exceptions: InvalidRequestException, InvalidPrincipalException

Verify the supplied value of [com.qut.middleware.esoe.aa.bean.AAProcessorData.requestDocument|#Verifying Requests]. Any invalid request MUST set com.qut.middleware.esoe.aa.bean.AAProcessorData.responseDocument to a base response with a <Status> of urn:oasis:names:tc:SAML:2.0:status:Requestor. No AttributeStatement is generated for this failure case and no further processing should be undertaken except to create and throw com.qut.middleware.esoe.aa.exception.InvalidRequestException.

The value of <Issuer> should be retrieved and stored at com.qut.middleware.esoe.aa.bean.AAProcessorData.descriptorID.

The value of <Subject> should be determined and stored against com.qut.middleware.esoe.aa.bean.AAProcessorData.subjectID.

The subjectID SHOULD be used with the [[com.qut.middleware.esoe.sessions.Query.querySAMLSession]|[#Query]] query component to retrieve a com.qut.middleware.esoe.sessions.Principal. If the query throws an exception it should be caught and MUST be treated as a failure: the AAP MUST set com.qut.middleware.esoe.aa.bean.AAProcessorData.responseDocument to a base response with a <Status> of urn:oasis:names:tc:SAML:2.0:status:Authn. No AttributeStatement is generated for this failure case and no further processing should be undertaken except to create and throw com.qut.middleware.esoe.aa.exception.InvalidRequestException.

Once the principal object is successfully retrieved the processor should evaluate com.qut.middleware.esoe.sessions.bean.IdentityData.attributes. At present the processing model here is fairly simple. In the future the Attribute Authority may be extended to support privacy for users and perhaps an extensible pipeline architecture for responding with attributes. Additionally, the attribute authority does not currently impose the SAML spec limitations correctly, especially those relating to returning only <AttributeValue> elements equal to the values specified in the request and only the <Attribute> elements that were requested. This functionality will also be added later; for now every SPEP receives all attribute details.

The attribute authority currently only supports the basic attribute profile.

For each key stored in com.qut.middleware.esoe.sessions.bean.IdentityData.attributes a check should be made to ensure the vector located in the associated com.qut.middleware.esoe.sessions.bean.IdentityAttribute.values has at least one element. If this is the case a <saml:Attribute> should be created. NameFormat SHOULD always be set to urn:oasis:names:tc:SAML:2.0:attrname-format:basic. Name SHOULD be set to the current key. A <saml:AttributeValue> should then be created for each value stored in the vector. The type for this element MUST be set to the XML type matching the corresponding value of com.qut.middleware.esoe.sessions.bean.IdentityAttribute.type (i.e. for 'string', type="xs:string").

Where no attributes exist an empty AttributeStatement should be returned.

An AttributeStatement MUST now be created.

Once complete, the value com.qut.middleware.esoe.aa.AttributeAuthorityProcessor.result.Successful MUST be returned.

Creating AttributeStatement

Once all the <saml:Attribute> elements have been created for the specified com.qut.middleware.esoe.sessions.Principal an <AttributeStatement> MUST be created, embedding all the generated <saml:Attribute> elements.
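The attribute-to-<saml:Attribute> mapping and the statement construction above, as an added example written in Python rather than the project's Java (it is not ESOE code). The input dict of name to (type, values) is a constructed stand-in for IdentityData.attributes and IdentityAttribute; the type table beyond 'string' is an assumption, as the spec only names the xs:string case.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Assumed IdentityAttribute.type -> XML Schema type table; only the
# 'string' -> xs:string entry is stated by the design document.
XS_TYPES = {"string": "xs:string", "integer": "xs:integer",
            "boolean": "xs:boolean", "dateTime": "xs:dateTime"}

ET.register_namespace("saml", SAML_NS)
ET.register_namespace("xsi", XSI_NS)


def build_attribute_statement(attributes):
    """attributes: {name: (type_name, [values])}, a stand-in for the
    IdentityData.attributes map. Keys whose value vector is empty produce
    no <saml:Attribute>; an empty map yields an empty AttributeStatement."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    # Declare xs: so the xsi:type values below resolve when serialized.
    stmt.set("xmlns:xs", XS_NS)
    for name, (type_name, values) in attributes.items():
        if not values:  # spec: at least one element required
            continue
        if type_name not in XS_TYPES:
            raise ValueError(f"no XML type for attribute type {type_name!r}")
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             {"Name": name, "NameFormat": BASIC_FORMAT})
        for value in values:
            av = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue",
                               {f"{{{XSI_NS}}}type": XS_TYPES[type_name]})
            av.text = str(value)
    return stmt


def to_xml(stmt):
    """Serialize the statement for embedding in the <Assertion>."""
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample principal data; 'mail' has an empty vector.
    sample = {"uid": ("string", ["jdoe"]), "mail": ("string", []),
              "loginCount": ("integer", [42, 43])}
    print(to_xml(build_attribute_statement(sample)))
```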

SAML Wrappers

An [[assertion]|[SAML Document Descriptors#Generating Assertions]] MUST be created and the <AttributeStatement>. embedded inside.

A base [[response]|[SAML Document Descriptors#Generating Responses]] MUST be created with <Status> information set as detailed by the request processing, it should contain the generated <Assertion>.

Once successfully created the response should be stored at com.qut.middleware.esoe.aa.bean.AAProcessorData.responseDocument.
