Chiusano Joseph wrote:
> Regarding the future of XACML:
>
> In the past there has been quite a bit of observation (justified, IMO)
> regarding overlaps in functionality between SAML and XACML, with regard
> to authorization decisions. In the SAML 2.0 Core Specification (OASIS
> Committee Draft[1], released 17-Aug-2004), it states on p.29 regarding
> the SAML Authorization Decision Statement:
>
> "Note: The <AuthzDecisionStatement> feature has been frozen as of SAML
> V2.0, with no future enhancements planned. Users who require additional
> functionality may want to consider the eXtensible Access Control Markup
> Language [XACML], which offers enhanced authorization decision
> features."
>
> This is clearly a great step toward helping ensure that the 2 standards
> do not evolve in an overlapping manner for this functionality. One may
> interpret this as meaning a brighter future for XACML.

I think you're right on here. There has been considerable effort in the
XACML and SAML 2.0 processes to clearly define the relationship, and
make sure we're not duplicating effort. In addition to specific changes
to SAML 2.0, there is also an XACML Profile for SAML (which was just
voted today to committee draft) which defines some specific elements of
this relationship. I think this will make it even easier to use SAML and
XACML as complementary technologies.

As an aside, I've been involved in several prototype experiments to use
SAML and XACML together. With the 2.0 specifications coming down the
pipeline, I'm looking forward to finally seeing standard implementations
that will interoperate. If anyone is bored (heh) and looking for
something to try building, I'd be happy to provide some pointers about
how to get started on this...
seth