Auth. Framework - AuthzDecisionStatement without ACPs

Please contribute your comments via the discussion tab above. Outcomes and resolution will be added at the bottom of this page.

=Auth framework: impact of AuthzDecisionStatement without ACPs?=

Issue: In the SAML header of some requests, the AuthzDecisionStatement element, an optional element, is present although no ACP references are being passed in it (at least one is required). The other problems in this example are:
 * The Issuer is not a real person, but a default
 * The Conditions are such that the assertion is never valid
 -- JoeLamy

Example (XML element tags lost in extraction; the DN is the default Issuer referred to above): Execute | CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US

Impact: interoperability risk. The risk to organizations sending this content is that other systems may reject the header as invalid or incomplete and deny access.

Workaround: work with partners to ensure that they accept this form and treat it equivalently to an omitted AuthzDecisionStatement.
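As an added example (not code from this page or from the CONNECT project), a Python check that flags the three defects described above and applies the workaround of treating a defective AuthzDecisionStatement like an omitted one. Assumptions not stated on the page: ACP references are carried as Evidence attributes named AccessConsentPolicy / InstanceAccessConsentPolicy, and the DN from the example is treated as a known placeholder issuer.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Assumptions not on the page: ACP references travel as Evidence attributes with these
# names, and the example DN is a known placeholder rather than a real person.
ACP_ATTRIBUTE_NAMES = {"AccessConsentPolicy", "InstanceAccessConsentPolicy"}
PLACEHOLDER_ISSUERS = {"CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US"}

# Constructed sample reproducing the three defects described on the page.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2010-10-01T12:00:00Z">
  <saml:Issuer>CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml:Issuer>
  <saml:AuthzDecisionStatement Decision="Permit" Resource="https://gateway.example.invalid/">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml:Action>
    <saml:Evidence>
      <saml:Assertion ID="_e1" Version="2.0" IssueInstant="2010-10-01T12:00:00Z">
        <saml:Issuer>CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml:Issuer>
        <saml:Conditions NotBefore="2010-10-01T12:00:00Z" NotOnOrAfter="2010-10-01T11:00:00Z"/>
        <saml:AttributeStatement/>
      </saml:Assertion>
    </saml:Evidence>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""
def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def check_authz_statement(xml_text):
    """List the defects in the AuthzDecisionStatement; [] when it is absent or clean."""
    stmt = ET.fromstring(xml_text).find(SAML + "AuthzDecisionStatement")
    if stmt is None:
        return []                                   # optional element omitted
    findings = []
    # Defect 1: at least one ACP reference is required, none is present.
    if not {a.get("Name") for a in stmt.iter(SAML + "Attribute")} & ACP_ATTRIBUTE_NAMES:
        findings.append("no ACP reference")
    # Defect 2: the Issuer is a default placeholder, not a real person.
    if any((i.text or "").strip() in PLACEHOLDER_ISSUERS for i in stmt.iter(SAML + "Issuer")):
        findings.append("placeholder issuer")
    # Defect 3: a Conditions window that closes before it opens can never be valid.
    for cond in stmt.iter(SAML + "Conditions"):
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and na and _ts(na) <= _ts(nb):
            findings.append("conditions never valid")
    return findings

def effective_statement(xml_text):
    """Page's workaround: treat a defective statement exactly like an omitted one."""
    if check_authz_statement(xml_text):
        return None
    return ET.fromstring(xml_text).find(SAML + "AuthzDecisionStatement")
```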

Tentative severity level: 2-High

Is the above impact analysis correct?

2010-10-01 discussion:

The analysis is correct. The SSA is not impacted by this. Others may be impacted. The risk is that responding systems may make an incorrect authorization decision.

Possible workaround: Implementers may be given guidance to ignore this type of statement.

Impact: probably low to moderate, since CONNECT is probably ignoring this statement; the Medicity impact is low. The impact to others using any other gateways needs to be determined as well.

Guidance to the ONC test team: We suggest that this be treated as a policy issue, not a technical issue. The statement is technically illegal. But the impact to others may be small or contained enough that the ONC may choose to allow the team to move forward in spite of this known flaw.
