This is a first step toward an analytical framework that would allow us to meaningfully compare and contrast widely different solutions to given usage scenarios in the general space of web security. For a given problem, SAML-federation-based solutions might initially appear quite orthogonal to, for example, UMA-based solutions, even for the same usage scenario. Yet in ambitious ventures such as NSTIC, we need to be able to make meaningful comparisons between drastically different proposed solutions.
The initial goal here will be to define a spanning set of atomic functions that can be shown to be combinable in different ways to compose commonly discussed multi-capability service and application models. The services and applications are the typical units of analysis when a given model is being presented.
The following is offered as an introductory example. Imagine that a university offers students a tab in its portal to manage their white-pages entry in the online campus directory. Let's say that students should be allowed to control which elements of their white pages information should be viewable by anyone and which should be viewable only by faculty, staff and students at the same institution.
Atomic functionality required to implement such a management tool and the associated online white pages:
Name | Relevant actor or component in SAML federation model | Relevant actor or component in UMA model |
---|---|---|
Request Authentication | End User A | Resource Owner |
Authenticate | Authentication Service fronting SAML IdP | Authentication Service fronting Resource Server |
Request Authorization to edit White Page (WP) Information | End User A | Requesting Party |
Grant Authorization to edit WP Information | Portal Tab App behind SAML SP | Authorization Server |
Edit WP Information | End User A | Resource Owner |
Set Access Policy for WP Information | End User A | Resource Owner |
Persist Access Policy for WP Information | Not SAML Specified | Authorization Server |
Put WP Information Online | Portal Tab | Resource Server |
Find Person WP Information | End User B | |
Request Authorization for WP Information Access | ||
Grant Authorization for WP Information Access | ||
Show WP Information | ||