ESOE Authorization Design

Enterprise Sign On Engine Technical Architecture
Written by Bradley Beddoes
September 2006

Architecture design by Bradley Beddoes
Incorporates SAML 2.0, and (L)XACML 2.0 OASIS standards

Contributions by:
Shaun Mangelsdorf
Andre Zitelli

Edited by:
Bradley Beddoes
Shaun Mangelsdorf
Andre Zitelli

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in RFC 2119

PDP Processor (LXACML)

Component Lead Andre Zitelli
Package com.qut.middleware.esoe.pdp.\*

The current design of the PSP is based on a simplified XACML 2.0 standard which we have dubbed 'Lightweight eXtensible Access Control Markup Language (LXACML)', all requests and responses are wrapped up in the (L)XACML 2.0 profile for SAML 2.0 for all transports and to ensure properties such as message integrity. We decided to implement a streamlined version of XACML 2.0 to meet specific business requirements, there will also be fully XACML 2.0 compliant offering in the open source version.

(L)XACML authorization policies are XML documents that define three top-level policy elements: <Rule>, <Policy> and <PolicySet>.
The <Rule> element contains a Boolean expression that can be evaluated in isolation, but that is not intended to be accessed in isolation. So, it is not intended to form the basis of an authorization decision by itself. The <Policy> element contains a set of <Rule> elements and a specified procedure for combining the results of their evaluation. It is the basic unit of policy used and so it is intended to form the basis of an authorization decision. The <PolicySet> element contains a set of <Policy> or other <PolicySet> elements and a specified procedure for combining the results of their evaluation. It is the standard means for combining separate policies into a single combined policy.

For our initial purposes the PAP will be a simplified web form which will take an XML file already encoded in the schema outlined below, this will be validated and pushed up to the PDP which will live as a component inside the ESOE. Our PDP will initially only implement one rule combining algorithm Deny-overrides. If a single <Rule> or <Policy> element is encountered that evaluates to Deny, then, regardless of the evaluation result of the other <Rule> or <Policy> elements in the applicable policy, the combined result is Deny. The default state of the authorization engine is to Deny, this can be configured to a default state of Permit by administrators if required but changing the default state should be undertaken with care.

Reading Requirements

Authorization Terms

Access \- Performing an action
Access control \- Controlling access in accordance with a policy
Action \- An operation on a resource
Applicable policy \- The set of policies and policy sets that governs access for a specific decision request
Attribute \- Characteristic of a subject, resource, action or environment that may be referencedin a predicate or target
Authorization decision \- The result of evaluating applicable policy. A function that evaluates to "Permit" or "Deny"
Bag \- An unordered collection of values
Condition \- An expression of predicates. A function that evaluates to "True", "False" or "Indeterminate"
Conjunctive sequence \- a sequence of predicates combined using the logical 'AND' operation
Context \- The canonical representation of a decision request and an authorization decision
Context handler \- The system that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format
Decision \- The result of evaluating a rule, policy or policy set
Disjunctive sequence\* - a sequence of predicates combined using the logical 'OR' operation
Effect \- The intended consequence of a satisfied rule (either "Permit" or "Deny")
Policy \- A set of rules, an identifier for the rule-combining algorithm and (optionally) a set of obligations. May be a component of a policy set
\*Policy administration point (PAP) - The system that creates a policy or policy set
Policy-combining algorithm \- The procedure for combining the decision and obligations from multiple policies
Policy set \- A set of policies, other policy sets, a policy-combining algorithm and (optionally) a set of obligations. May be a component of another policy set
Predicate \- A statement about attributes whose truth can be evaluated
Resource \- Data, service or system component
Rule \- A target, an effect and a condition. A component of a policy
Rule-combining algorithm \- The procedure for combining decisions from multiple rules
Subject \- An actor whose attributes may be referenced by a predicate
Target \- The set of decision requests, identified by definitions for resource, subject and action, that a rule, policy or policy set is intended to evaluate

authzPolicy Cache Processor

Component Lead Andre Zitelli
Package com.qut.middleware.esoe.pdp.cache.impl.\*
Type PolicyCacheProcessorImpl
Implemented Interfaces com.qut.middleware.esoe.pdp.cache.PolicyCacheProcessor

The authzPolicy cache processor is perhaps one of the most critical elements in the entire system, it is responsible for continuously monitoring the database for changes to policy items and advising to all effected SPEP's that they should drop their caches immediently.

Binding for communicating with SPEP

The ESOE should implement the saml-bindings-2.0 SAML over SOAP over HTTP Binding as their method of communication with the SPEP.

The ESOE should only ever send authorization responses over backchannel communication.

The ESOE should not set any additional HTTP header information.

The SAML response should be appropriately wrapped in a SOAP envelope and delivered to the HTTP endpoint for the SPEP.

Generating initial cache state

The authZ Cache processor MUST execute as follows:
On startup the processor is to be created in its own thread, this thread MUST continuously stay active until the shutdown of the system. Should it fail in some way it MUST be automatically recovered by the system.

When the processor is executed it SHOULD using iBatis database stack connect to the ESOE authorative data store and a query should be issued agaist the database to determine the most highest value of SEQID from SERVICE_POLICIES_STATE this value should be stored as prevSequenceID

The processor now MUST obtain an exclusive lock on the PDP wide authzCache object. For each descriptorID located in the table SERVICE_POLICIES a vector of type java.util.Vector should be created. For each descriptorID its (L)XACML policies stored in the database MUST be parsed into language specific objects representing the <Policy> element. Each policy object should be stored in the vector. Once all elements are parsed the vector should be stored in the authzCache with a key of descriptorID. The exclusive lock SHOULD now be released.

Once the cache has been generated the processor MUST advise SPEPs that it has built a new cache.

For each descriptorID:
A request supplying the descriptorID should be sent to the [[SPEP processor]|[#Endpoint Resolver]] endpoint resolver for cache clear to retrieve a vector of endpoints to communicate with.

For each effected descriptorID/endpoint combination a ClearAuthzCacheRequest SHOULD be created by generating a base [[Request]|[SAML Document Descriptors#Generating Requests]] with the addition of the following:
Reason MUST be set to the string of "ESOE advises complete rebuild of central authzPolicy cache"
<Extenstions> MUST be present and its value MUST be set to be the set to the <GroupTarget> for this entity as follows:
The value of <GroupTargetID> SHOULD be set to the corresponding value of the entities <Policy> / <Target> from the authzCache. A new <AuthzTarget> element should be set to the corresponding value of each defined <Rule> / <Target>. Where <Rule> has been created with no <Target> value the value of <Policy> / <Target> should be substituted. This MUST only occur once, subsequent <Rules> that DO NOT define a <Target> can be ignored.

For each request generated the spring injected ESOEWS instance clear cache service should be called and the generated SAML message and currently processing endpoint supplied. A SAML response document MUST be returned. The SAML response contained should be validated and a status of urn:oasis:names:tc:SAML:2.0:status:Success assured. Where these conditions are not met or an exception is returned by ESOWES a bean implementing com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate must be created. The SAML request document must be stored at com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate.requestDocument, the current endpoint at com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate.endPoint. This bean should be supplied to the Spring IoC injected failed authz cache monitor.

Maintaining Cache State

Once the initial configuration has been setup the authzPolicy cache processor must poll the database using iBatis database stack at configured time intervals (default 60 seconds) for changes to the table SERVICE_POLICIES_STATUS. This is achieved by requesting the maximum value of SEQID and comparing it against prevSequenceID

If the values are in sync then no further action is to be taken and the processor is to sleep for another configured time interval.

If the returned value is greater the processor MUST select all policies and associated descriptorID's from SERVICE_POLICIES_STATE that have a SEQID value greater then prevSequenceID, the maximum value of SEQID from this request gets set as the new value of prevSequenceID.

For each modified descriptorID:

The value of POLACTION MUST be checked. For a value of 'U' (Update) the processor must parse the associated policy stored in the table SERVICE_POLICIES into LXACML language specific objects. The current cache should be checked to determine if a policy with the current policyID exists for the descriptorID, if it does then it must be ejected and this new version added. If it doesn't contain the DescriptorID, PolicyID combination the policy is considered to be new and entered into the cache.

For a value of 'D' (Deleted) the processor must find the associated object in its cache for the supplied DescriptorID PolicyID combination and eject it.

For each update the processor MUST operate on ALL changes to a descriptorID that have occured in the current update cycle. Once all changes to a specified descriptorID have been processed they should be inserted into the PDP wide AuthzCache. This should be done by exclusive lock and steps taken to minimise the time this lock is in effect.

A request supplying the descriptorID MUST be sent to the SPEP processor endpoint resolver for cache clear to retrieve a vector of endpoints to communicate with.

For each effected descriptorID/endpoint combination a ClearAuthzCacheRequest SHOULD be created by generating a base Request with the addition of the following:
Reason MUST be set to the string of "ESOE advises administrator initiated change to SPEP authzPolicy cache"
<Extenstions> MUST be present and its value MUST be set to be the set to the <GroupTarget> for this entity as follows:
The value of <GroupTargetID> SHOULD be set to the corresponding value of the entities <Policy> / <Target> from the authzCache. A new <AuthzTarget> element should be set to the corresponding value of each defined <Rule> / <Target>. Where <Rule> has been created with no <Target> value the value of <Policy> / <Target> should be substituted. This MUST only occur once, subsequent <Rules> that DO NO define a <Target> can be ignored.

For each request generated the spring injected ESOEWS instance clear cache service should be called and the generated SAML message and currently processing endpoint supplied. A SAML response document MUST be returned. The SAML response contained should be validated and a status of urn:oasis:names:tc:SAML:2.0:status:Success assured. Where these conditions are not met or an exception is returned by ESOWES a bean implementing com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate must be created. The SAML request document must be stored at com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate.requestDocument, the current endpoint at com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate.endPoint. This bean should be supplied to the Spring IoC injected failed authz cache monitor.

The processor MUST now sleep for another configured time interval.

Failed Authz Cache Monitor

The failed cache monitor consistently looks at a repository of com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate beans. Once it reaches the end of the repository it MUST immediently start at the beginning and work its way back through again attempting to deliver updates to SPEPs. On startup the monitor is to be created in its own thread, this thread MUST continuously stay active until the shutdown of the system. Should it fail in some way it MUST be automatically recovered by the system.

For each bean stored in the repository the spring injected ESOEWS instance clear cache service should be called with com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate.requestDocument and com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate.endPoint supplied. A SAML response document MUST be returned. The SAML response contained should be validated and a status of urn:oasis:names:tc:SAML:2.0:status:Success assured. If this is the case the bean is ejected from the local repository.

If this check fails the value of com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate.TimeStamp should be evaluated. If it is older then the time configured as a maximum (default of 24hrs) the bean is ejected from the local repository.

Where these conditions are not met or an exception is returned by ESOWES the bean should remain in the local repository.

External systems will supply additional failed requests to be added to the repository at random intervals. When they are supplied the repository MUST be locked for both read and write access while the new data is added. For each bean placed into the repository the value of com.qut.middleware.esoe.pdp.cache.bean.FailedAuthzCacheUpdate.TimeStamp must be set to the current system time.

Providing cache information to new or restarted SPEP

When an SPEP starts up it will interact with the ESOE through backchannel communication. The com.qut.middleware.esoe.spep.SPEPProcessor will make a call to the authzCacheProcessor to advise this new service has come online. It MUST supply the unique id of the descriptor along with the value of the authzCacheIndex to respond to.

The details stored in cache for the unique descriptorID should be retrieved, A ClearAuthzCacheRequest SHOULD be created by generating a base Request with the addition of the following:
Reason MUST be set to the string of "ESOE advises configured cache details for new SPEP execution instance"
<Extenstions> MUST be present and its value MUST be set to be the set to the <GroupTarget> for this entity as follows:
The value of <GroupTargetID> SHOULD be set to the corresponding value of the entities <Policy> / <Target> from the authzCache. A new <AuthzTarget> element should be set to the corresponding value of each defined <Rule> / <Target>. Where <Rule> has been created with no <Target> value the value of <Policy> / <Target> should be substituted. This MUST only occur once, subsequent <Rules> that DO NO define a <Target> can be ignored.

For each request generated the spring injected ESOEWS instance clear cache service should be called and the generated SAML message supplied along with the values descriptorID and the value of the endpoint. A SAML response document MUST be returned. The SAML response contained should be validated and a status of urn:oasis:names:tc:SAML:2.0:status:Success assured. Where these conditions are not met the value com.qut.middleware.esoe.pdp.cache.PolicyCacheProcessor.result.Failure should be returned, otherwise com.qut.middleware.esoe.pdp.cache.PolicyCacheProcessor.result.Successful should be returned.

Authorization Processor

Component Lead Andre Zitelli
Package com.qut.middleware.esoe.pdp.impl.\*
Type AuthorizationProcessorImpl
Implemented Interfaces com.qut.middleware.esoe.pdp.AuthorizationProcessor
Exceptions InvalidRequestException, InvalidPrincipalException

The authorization processor is the core policy decision processor. It is responsible for evaluating requests to resources at remote SPEP's and responding with allows or denies based on the policies which have been defined by the administrators of that site.

It MUST implement the interface com.qut.middleware.esoe.pdp.AuthorizationProcessor

Binding for communicating with SPEP

The ESOE should implement the saml-bindings-2.0 SAML over SOAP over HTTP Binding as their method of communication with the SPEP.

The ESOE should only ever send authorization responses over backchannel communication.

The ESOE should not set any additional HTTP header information.

The SAML response should be appropriately wrapped in a SOAP envelope and delivered to the HTTP endpoint for the SPEP.

Request processing rules

Verify the supplied value of [com.qut.middleware.esoe.pdp.bean.AuthorizationProcessorData.requestDocument|#Verifying Requests]. If it does not validate this is a failure. A response <StatusCode> of urn:oasis:names:tc:SAML:2.0:status:AuthnFailed must be returned. A Deny LXACMLAuthzDecisionStatement SHOULD be created with a <StatusMessage> of "Invalid request format". The exception com.qut.middleware.esoe.pdp.exception.InvalidRequestException should be created and thrown.

As soon as any failure state is encounted due to either internal processing factors or external environmental factors a Deny LXACMLAuthzDecisionStatement MUST be generated.

The value of <Issuer> should be retrieved and stored at com.qut.middleware.esoe.pdp.bean.AuthorizationProcessorData.descriptorID.

The value of <Subject> should be determined and stored against com.qut.middleware.esoe.pdp.bean.AuthorizationProcessorData.subjectID.

The subjectID SHOULD be used with the the com.qut.middleware.esoe.sessions.Query.querySAMLSession query component to retrieve a com.qut.middleware.esoe.sessions.Principal. If the request throws an exception this should be caught. It MUST be considered a failure, a response <StatusCode> of urn:oasis:names:tc:SAML:2.0:status:AuthnFailed must be returned. A Deny LXACMLAuthzDecisionStatement SHOULD be created with a <StatusMessage> of "Principal specified has not been previously identified". The exception com.qut.middleware.esoe.pdp.exception.InvalidPrincipalException SHOULD be created and thrown.

The vector stored in the authzCache for com.qut.middleware.esoe.pdp.bean.AuthorizationProcessorData.descriptorID should be retrieved. The <Resource> / <Attribute> / <AttributeValue> value in the presented <LXACMLAuthzDecisionQuery> must now be evaluated against all policies <Target> / <Resources> / <Resource> / <AttributeValue> values present in this vector. Values should attempt to be matched by:
\#. Exact string match on supplied <Resource> / <AttributeValue>.
\#. Regex string match on supplied <Resource> / <AttributeValue>.

If no match is established the PDP falls through to the default state of the policy (standard configuration sets this to Deny) and generates the appropriate LXACMLAuthzDecisionStatement, The response <StatusCode> should be set to urn:oasis:names:tc:SAML:2.0:status:Success. The LXACMLAuthzDecisionStatement should be created with a <StatusMessage> of "No matching policy located falling through to default state of $1", where $1 specifies the current default operation mode of the policy of "Permit" or "Deny". The value com.qut.middleware.esoe.pdp.AuthorizationProcessor.result.Successful should be returned.

ALL the matching policies MUST be evaluated until either a "Deny" effect is determined or until all matching policies are exhausted.

For each policy ALL the policy rules MUST be evaluated until either a "Deny" effect is determined or until all rules are exhausted.

In order to send the SPEP the correct response a record of every policy target and every rule target that evaluates to "Permit" must be recorded. If the final result is Permit this information will be sent to the SPEP as obligations in <LXACMLAuthzDecisionStatement>. For a Rule that does not implement a Target but which evaluates to Permit the target of the policy must be registered. This MUST be recorded only once even if multiple matching Rules in the policy do not specify a Target.

To evaluate each <Rule> it must be determined if the one of the <Rule> / <Target> / <Resources> / <Resource> / <AttributeValue> matches the <AttributeValue> of the <Resource> defined in the presented <LXACMLAuthzDecisionQuery>. If the <Rule> / <Target> does not exist it is considered to be an automatic match state. If it does exist it must be evaluated in the following order:
\#. Exact string match on supplied <Resource> / <AttributeValue>.
\#. Regex string match on supplied <Resource> / <AttributeValue>.

If a <Rule> is considered to be a match then the <Condition> element MUST be evaluated. If the condition does not exist the value of Effect is immediently applied. Should the value be "Permit" the value of RuleId should be added to the successfully negotiated rule set for this policy. Should the value be "Deny" the PDP MUST generate an appropriate [LXACMLAuthzDecisionStatement|#Creating LXACMLAuthzDecisionStatement]. The response <StatusCode> should be set to urn:oasis:names:tc:SAML:2.0:status:Success. The LXACMLAuthzDecisionStatement should be created with a <StatusMessage> of "Policy $1 located and rules evaluated, identified DENY state for principal on Rule $2. Rules evaluated $3. $4", $1 SHOULD be the current PolicyId, $2 should be the current RuleId, $3 should be all RuleId values that were successfully evaluated for the current policy before the Deny state was encountered, $4 should be all PolicyId values of policies which have already been successfully evaluated. A <GroupTarget> with <GroupTargetID> set to the matching resource target of the current policy and the value of <AuthzTarget> set to the value of the current rule should also be set. The value com.qut.middleware.esoe.pdp.AuthorizationProcessor.result.Successful should be returned.

If a <Condition> element does exist it should be treated as a boolean function. <Conditions> may include embeded <Conditions>, <Apply>, <AttributeValue> and <SubjectAttributeDesignator>. Child nodes should be evaluated as necessary to satisfy the input requirements of their parents.

The <Apply> element denotes application of a function to its arguments, thus encoding a function call. The following functions may be defined as appropriate for the FunctionId attribute of the <Apply> element

The <AttributeDesignatorType> is the type for elements that identify attributes by name. All attributes are considered to be of type string, should an attribute not be available the bag will be considered empty.

The <SubjectAttributeDesignator> indicates to the PDP it should use the set of values for the matching attribute which we have already retrieved earlier from the [Sessions Processor|ESOE Design#Sessions Processor].

The result of the <Condition> is the result of the top level <Apply> element. If the condition is evaluated as being TRUE then the value of Effect for the rule is applied. Should the value be "Permit" the value of RuleId should be added to the successfully negotiated rule set for this policy. Should the value be "Deny" the PDP MUST generate an appropriate [LXACMLAuthzDecisionStatement|#Creating LXACMLAuthzDecisionStatement]. The response <StatusCode> should be set to urn:oasis:names:tc:SAML:2.0:status:Success. The LXACMLAuthzDecisionStatement should be created with a <StatusMessage> of "Policy $1 located and rules evaluated, identified DENY state for principal on Rule $2. Rules evaluated $3. $4", $1 SHOULD be the current PolicyId, $2 should be the current RuleId, $3 should be all RuleId values that were successfully evaluated for the current policy before the Deny state was encountered, $4 should be all PolicyId values of policies which have already been successfully evaluated. A <GroupTarget> with <GroupTargetID> set to the matching resource target of the current policy and the value of <AuthzTarget> set to the value of the current rule should also be set. The value com.qut.middleware.esoe.pdp.AuthorizationProcessor.result.Successful should be returned.

If the condition is evaluated as being FALSE then the rule is discounted in this policy evaluation. At this stage any remaining rules for the policy must be evaluated.

Once all <Policy> objects are evaluated by the PDP if at least one "Permit" has been identified the PDP MUST generate an appropriate LXACMLAuthzDecisionStatement. The response <StatusCode> should be set to urn:oasis:names:tc:SAML:2.0:status:Success. The LXACMLAuthzDecisionStatement should be created with a <StatusMessage> of "Policies located and rules evaluated, identified PERMIT state for principal. $1", $1 SHOULD be all PolicyId values of policies which were successfully evaluated. For each policy that contained at least one <Rule> which evaluated to Permit a <GroupTarget> with <GroupTargetID> set to the matching resource target of the policy and the values of <AuthzTarget> set to the target of all the contained rules which evaluated to Permit. The value com.qut.middleware.esoe.pdp.AuthorizationProcessor.result.Successful should be returned.

If all <Policy> objects are exhausted without an explicit "Deny" or "Permit" Effect being encountered the PDP falls through to the default state of the policy (standard configuration sets this to Deny) and generates an appropriate LXACMLAuthzDecisionStatement, The response <StatusCode> should be set to urn:oasis:names:tc:SAML:2.0:status:Success. The LXACMLAuthzDecisionStatement should be created with a <StatusMessage> of "Policies located and rules evaluated but no explicit outcome detected falling through to default state of $2", $1 SHOULD specify the current default operation mode of the policy of "Permit" or "Deny". The value com.qut.middleware.esoe.pdp.AuthorizationProcessor.result.Successful should be returned.

Creating LXACMLAuthzDecisionStatement

The LXACMLAuthzDecisionStatement should be created to match the outcomes of the request processor.

Queries which are evaluated to Deny

Set the value of <Response> / <Result> / <Decision> to Deny
<AttributeValue> should be the original resource that was queried by the SPEP

Set the value of <Response> / <Result> / <Status> / <StatusMessage> to the value indicated by the request processor.

Set the value of <Response> / <Result> / <Obligations> to a new <Obligation> with values:
FullFillOn set to Deny
ObligationId set to lxacmlpdp:obligation:cachetargets

Queries which are evaluated to Permit

Set the value of <Response> / <Result> / <Decision> to Permit
<AttributeValue> should be the original resource that was queried by the SPEP

Set the value of <Response> / <Result> / <Status> / <StatusMessage> to the value indicated by the request processor.

Set the value of <Response> / <Result> / <Obligations> to a new <Obligation> with values:
FullFillOn set to Permit
ObligationId set to lxacmlpdp:obligation:cachetargets

<lxacml-context:Result
    xmlns:group="http://www.qut.com/middleware/lxacmlGroupTargetSchema"
    xmlns:lxacml="http://www.qut.com/middleware/lxacmlSchema"
    xmlns:lxacml-context="http://www.qut.com/middleware/lxacmlContextSchema">
    <lxacml-context:Decision>Permit</lxacml-context:Decision>
    <lxacml-context:Status>
        <lxacml-context:StatusMessage>
            Policies located and rules evaluated. Identified PERMIT
            state for principal.
            \{urn:qut:policy:complex:3,urn:qut:policy:complex:4\}
        </lxacml-context:StatusMessage>
    </lxacml-context:Status>
    <lxacml:Obligations>
        <lxacml:Obligation
            ObligationId="lxacmlpdp:obligation:cachetargets"
            FulfillOn="Permit">
            <lxacml:AttributeAssignment
                AttributeId="lxacmlpdp:obligation:cachetargets:updateusercache">
                <group:GroupTarget>
                    <group:GroupTargetID>
                        /default/\*
                    </group:GroupTargetID>
                    <group:AuthzTarget>
                        /default/public\*
                    </group:AuthzTarget>
                </group:GroupTarget>
            </lxacml:AttributeAssignment>
        </lxacml:Obligation>
    </lxacml:Obligations>
</lxacml-context:Result>

SAML Wrappers

An Assertion should be created and the <LXACMLAuthzDecisionStatement>. embedded inside.

A base Response should be created with <Status> information set as detailed by the request processing, it should contain the generated <Assertion>.

Once successfully created the response should be stored at com.qut.middleware.esoe.pdp.bean.AuthorizationProcessorData.responseDocument.

Sessions Processor

Component Lead Shaun Mangelsdorf
Package com.qut.middleware.esoe.sessions.impl.\*
Type SessionsProcessorImpl
Implemented Interfaces com.qut.middleware.esoe.sessions.SessionsProcessor
Exceptions ConfigurationValidationException