3. Authorization Data Formats
This document includes the definition of two authorization data formats: X.509 Attribute Certificate (AC) [ATTRCERT] and Security Assertion Markup Language (SAML) [SAML1.1] [SAML2.0]. Other authorization data formats may be defined in separate documents.
3.1. AttributeCertificateURL Format
When the x509_attr_cert_url value is used, the AC is provided by a URI [HTTP].
3.2. SAML Assertion
The SAML Assertion structure provides two alternatives for the assertion: by value or by reference.
3.2.1. SAML Assertion Version
In TLS, the choice of authorization data format in the ClientAuthzFormatList and ServerAuthzFormatList does not distinguish between SAML version 1.1 and version 2.0.
3.2.2. SAML Assertion Encoding
When SAML assertions are directly represented, the UTF-8 encoding MUST be used for all SAML assertions that are carried in the TLS handshake protocol.
3.3. Using SAML Assertions for Authorization Decisions
The SAML Assertion is a very rich structure that was designed for use with many different authentication mechanisms in many different operating environments.
3.3.1. SAML Attribute Statement
A SAML attribute statement carries a list of attributes that are associated with the assertion subject.
3.3.2. SAML Authorization Decision Statement
A SAML authorization decision statement carries an authorization decision (Permit, Deny, or Indeterminate) for a particular resource.
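As an added example (not part of this document or of any SAML library), the following Python extracts the attribute statement and authorization decision statement from a SAML 2.0 assertion carried by value, rejecting input that is not UTF-8 and any Decision value outside Permit, Deny and Indeterminate; the assertion, issuer, subject, resource and attribute names are constructed sample values.

```python
import xml.etree.ElementTree as ET
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}
DECISIONS = {"Permit", "Deny", "Indeterminate"}  # SAML 2.0 core decision values

# Constructed sample assertion (unsigned, for illustration only), as it would
# be carried by value: UTF-8 bytes, per section 3.2.2.
SAMPLE_ASSERTION = """<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example" IssueInstant="2010-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>operator</saml:AttributeValue>
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://api.example.test/logs" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>""".encode("utf-8")

def parse_assertion(raw: bytes) -> dict:
    """Return subject, attribute statement and authorization decisions.

    Signature and Conditions validation are out of scope here; a relying
    party must perform them before acting on anything returned.
    """
    raw.decode("utf-8")  # reject bytes that are not valid UTF-8 up front
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAML2}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    decisions = []
    for d in root.findall("saml:AuthzDecisionStatement", NS):
        if d.get("Decision") not in DECISIONS:
            raise ValueError(f"unknown Decision value {d.get('Decision')!r}")
        decisions.append({"resource": d.get("Resource"), "decision": d.get("Decision"),
                          "actions": [a.text for a in d.findall("saml:Action", NS)]})
    return {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs, "decisions": decisions}

def is_permitted(parsed: dict, resource: str, action: str) -> bool:
    """Fail closed: only an explicit Permit for this exact resource and action counts."""
    return any(d["decision"] == "Permit" and d["resource"] == resource and action in d["actions"]
               for d in parsed["decisions"])
```

Note that an Indeterminate or Deny decision, or a Permit for a different resource or action, all yield a refusal from is_permitted; the assertion's signature must still be verified before any of this is trusted.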