From: Martin Schneider <martincschneider@googlemail.com>
To: xacml-users@lists.oasis-open.org
Sent: Thu, November 12, 2009 12:32:06 PM
Subject: [xacml-users] XACML and Certificate Based Authentification with SAML
Hello list,

I'm new to SAML and XACML. After four days of reading specs, tutorials, etc. I am stuck, or I don't have the feeling that my understanding is growing any more ;-)
My overall goal is to do the following: I want to build a generic authentication and authorization mechanism based upon certificates. If I understand everything correctly (sstc-saml-tech-overview-2.0-draft-03, page 16), things work as follows: a client would ask for permission to access a service (1). The service has a PEP which asks a SAML authority for authentication (2). The PEP will receive a SAML assertion from the SAML authority that contains information about the client (cf. page 20 of the document):
- authentication statement, which contains info about the subject and info on how authentication was done
- attribute statements, additional info, e.g. something like a credit limit
- authorization decision, permit / deny
My first question is about the authorization decision. When the SAML authority says "permit", why would I ask an XACML PDP for its decision?

After the PEP is convinced that a valid user wants access to a service, the PEP asks the PDP for its decision (4). The PDP evaluates the request using its database/policy set (5) and sends the decision back to the PEP (6).

Is this understanding correct up to now?
---
The next questions target the implementation side. What available software products (open source) would you recommend to me? I have seen that there is an XACML PDP implementation available from Sun (http://sunxacml.sourceforge.net/). I browsed through the available documentation but couldn't find out if there is a SAML authority implementation in the package. If not, which implementation would be suitable to fit my needs?

If any of you have set up a system similar to the one I want to build, do you maybe have some kind of written guide?

It would be very kind of you if you could help me a little and provide some information.

Thanks a lot
Martin
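The PEP / PDP exchange the message describes, as an added example that is not part of the original post or of any product named in it. It models the two separate questions the flow answers: the SAML assertion tells the PEP who the subject is and how it authenticated (authentication and attribute statements), while the XACML PDP decides whether that subject may perform a given action on a given resource against the PDP's own policy set. The policy, subjects and attribute names are constructed for the example; the authentication context class URIs are the standard SAML 2.0 ones.

```python
"""Toy PEP / PDP exchange: SAML assertion in, XACML-style decision out.

Constructed example. The data structures mirror the XACML request context
(subject, resource, action) and a policy evaluated with deny-overrides;
nothing here is the sunxacml API.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Standard SAML 2.0 authentication context classes (real URIs).
AC_X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


@dataclass
class SamlAssertion:
    """What the PEP gets back from the SAML authority (step 2)."""
    subject: str                 # e.g. the client certificate's subject DN
    authn_method: str            # from the authentication statement
    attributes: Dict[str, object] = field(default_factory=dict)  # attribute statement
    valid: bool = True           # signature, audience and validity window already checked


@dataclass
class XacmlRequest:
    """Request context the PEP sends to the PDP (step 4)."""
    subject_id: str
    subject_attrs: Dict[str, object]
    resource_id: str
    action_id: str


@dataclass
class Rule:
    effect: str                               # "Permit" or "Deny"
    target: Callable[[XacmlRequest], bool]    # predicate: does this rule apply?


@dataclass
class Policy:
    """Policy set combined with deny-overrides."""
    rules: List[Rule]


def pdp_evaluate(policy: Policy, req: XacmlRequest) -> str:
    """Steps 5 and 6: evaluate the request and return Permit / Deny / NotApplicable."""
    decision = "NotApplicable"
    for rule in policy.rules:
        if rule.target(req):
            if rule.effect == "Deny":
                return "Deny"            # deny-overrides: a single Deny settles it
            decision = "Permit"
    return decision


def pep_build_request(assertion: SamlAssertion, resource_id: str, action_id: str) -> XacmlRequest:
    """The PEP copies subject, attributes and authentication method into the request."""
    attrs = dict(assertion.attributes)
    attrs["authn-method"] = assertion.authn_method
    return XacmlRequest(assertion.subject, attrs, resource_id, action_id)


def pep_decide(assertion: SamlAssertion, resource_id: str, action_id: str, policy: Policy) -> str:
    """Full PEP flow: only a validated assertion is turned into a PDP request."""
    if not assertion.valid:
        return "Deny"                    # unauthenticated requests never reach the PDP
    return pdp_evaluate(policy, pep_build_request(assertion, resource_id, action_id))


def pep_enforce(assertion: SamlAssertion, resource_id: str, action_id: str, policy: Policy) -> bool:
    """Deny-biased enforcement: access is granted only on an explicit Permit."""
    return pep_decide(assertion, resource_id, action_id, policy) == "Permit"


# Constructed policy set: orders may be read by subjects that authenticated with
# a client certificate and hold a credit limit of at least 1000; nobody may delete.
ORDERS_POLICY = Policy(rules=[
    Rule("Deny", lambda r: r.action_id == "delete"),
    Rule("Permit", lambda r: r.resource_id == "/service/orders"
                             and r.action_id == "read"
                             and r.subject_attrs.get("authn-method") == AC_X509
                             and r.subject_attrs.get("credit-limit", 0) >= 1000),
])

# Constructed assertions as the SAML authority might issue them.
CERT_USER = SamlAssertion("CN=alice,O=Example", AC_X509, {"credit-limit": 5000})
PASSWORD_USER = SamlAssertion("CN=bob,O=Example", AC_PASSWORD, {"credit-limit": 5000})
LOW_CREDIT_USER = SamlAssertion("CN=carol,O=Example", AC_X509, {"credit-limit": 200})
FORGED_USER = SamlAssertion("CN=eve,O=Example", AC_X509, {"credit-limit": 9999}, valid=False)

if __name__ == "__main__":
    for a in (CERT_USER, PASSWORD_USER, LOW_CREDIT_USER, FORGED_USER):
        print(f"{a.subject:24} read   -> {pep_decide(a, '/service/orders', 'read', ORDERS_POLICY)}")
    print(f"{CERT_USER.subject:24} delete -> {pep_decide(CERT_USER, '/service/orders', 'delete', ORDERS_POLICY)}")
```

The point the example makes concrete: a valid assertion for alice and a valid assertion for bob both prove identity, but only the PDP's policy, which looks at the authentication method and the credit-limit attribute carried in the assertion, decides access to the orders resource. The PEP treats anything other than an explicit Permit (including NotApplicable) as a refusal, which is the usual deny-biased enforcement choice.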