Multi-Request Response Correlation in AzAPI

What is the problem?
• XACML 3.0 multi-decision profile (and to a lesser extent XACML 2.0 multi-resource) permits multiple decisions in a single request
• AzAPI will also support multi-decision requests (currently only resource-action pairs)
• Different mechanisms are used to correlate requests and responses
• AzAPI glue layer needs to match them up

When does this matter?
• Case 1: Support for remote PDP
  – Glue layer needs to parse XML response, construct AzAPI Response Context
• Case 2: When mating AzAPI with local XACML 3.0 PDP that uses internal structure like the XML Response Context
• Not needed for PDP that can act directly on AzAPI Request and Response Context Objects

Assumptions
• Discussion ignores hierarchical multi-decision requests (XML or not) [2.1, 2.2]
• Also ignores use of multiple attributes of same category [2.3]
• PDP always returns multiple individual decisions; any aggregation is done in AzAPI glue layer

XACML 3.0 Multi-decision Request Context with References

    <Request … >
      <Attributes Id="S1" Category="… access-subject">
        <Attribute AttributeId="… subject-id" >
          <AttributeValue DataType="… #string">Jack</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Id="R1" Category="… resource">
        <Attribute AttributeId="… resource-id" >
          <AttributeValue DataType="… #string"> … Res1</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Id="R2" Category="… resource">
        <Attribute AttributeId="… resource-id" >
          <AttributeValue DataType="… #string"> … Res2</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Id="A1" Category="… action">
        <Attribute AttributeId="… action-id" >
          <AttributeValue DataType="… #string">read</AttributeValue>
        </Attribute>
      </Attributes>
      <MultiRequests>
        <RequestReference>
          <AttributesReference #S1 </AttributesReference>
          <AttributesReference #R1 </AttributesReference>
          <AttributesReference #A1 </AttributesReference>
        </RequestReference>
        <RequestReference>
          <AttributesReference #S1 </AttributesReference>
          <AttributesReference #R2 </AttributesReference>
          <AttributesReference #A1 </AttributesReference>
        </RequestReference>
      </MultiRequests>
    </Request>

XACML 3.0 Correlation
• Any <Attribute> can include the IncludeInResult="True" XML Attribute
• Attributes can be included which are not used for decision, but simply for correlation

AzAPI Multi-Request Support
• Currently Request Context can contain Resource-Action Associations
• Generalize these to Associations of any Category
• Response is linked to Association

Glue Layer Request Implementation
• Generate <Attributes> for every category instance with unique Id
• For each Association
  – Generate synthetic <Attribute> called something like "AZAPI-decision-id", assigned values 1, 2, 3, etc.
  – Generate <RequestReference> to Attributes in Association and common Attributes

Glue Layer Response Processing
• For each <Decision> in <Response> check value of decision-id
• Link Response to indicated Association
• Discard decision-id Attribute
• Perform any requested combining of decisions
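
The response-processing steps above, sketched in Python as an added example (not from the original slides or the AzAPI code base). The function names, the `urn:example:azapi:correlation` category, and the handling of unmatched, duplicate and unanswered decision-ids are assumptions of this example; the attribute name follows the slides' "something like" suggestion.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
DECISION_ID = "AZAPI-decision-id"  # synthetic attribute; name is the slides' suggestion

def sample_response(*results):
    """Constructed PDP response: one <Result> per (decision, decision-id) pair."""
    body = "".join(
        f"<Result><Decision>{decision}</Decision>"
        f'<Attributes Category="urn:example:azapi:correlation">'  # hypothetical category
        f'<Attribute AttributeId="{DECISION_ID}" IncludeInResult="true">'
        f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{did}'
        f"</AttributeValue></Attribute></Attributes></Result>"
        for decision, did in results)
    return f'<Response xmlns="{XACML}">{body}</Response>'

def correlate(response_xml, pending):
    """pending maps decision-id -> association; returns association -> decision."""
    path = f"x:Attributes/x:Attribute[@AttributeId='{DECISION_ID}']/x:AttributeValue"
    seen, linked = set(), {}
    for result in ET.fromstring(response_xml).findall("x:Result", NS):
        ids = [(v.text or "").strip() for v in result.findall(path, NS)]
        # Match on the echoed id only, never on position in the response.
        if len(ids) != 1 or ids[0] not in pending or ids[0] in seen:
            raise ValueError(f"uncorrelatable result, decision-id values: {ids}")
        seen.add(ids[0])
        # The decision-id is dropped here: callers only see the association.
        linked[pending[ids[0]]] = result.findtext("x:Decision", "", NS).strip()
    # Assumption of this example: an association the PDP did not answer is
    # reported as Indeterminate rather than left absent.
    for did, association in pending.items():
        if did not in seen:
            linked[association] = "Indeterminate"
    return linked

if __name__ == "__main__":
    pending = {"1": ("Jack", "Res1", "read"), "2": ("Jack", "Res2", "read")}
    # Results deliberately arrive in the opposite order to the request.
    print(correlate(sample_response(("Deny", "2"), ("Permit", "1")), pending))
```

Rejecting a result whose decision-id is missing, unknown or repeated keeps a decision for one resource from being attached to another when the response is reordered or malformed.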