Possible clarification on XACML interop test

[Anne Anderson <Anne.Anderson@sun.com>]

I listened in to a Burton Group "telebriefing" this morning on Web 
Access Management, and the analyst, Mark Diodati, referred to the XACML 
interop event Burton is interested in sponsoring at the next Catalyst 
conference.

The analyst did not shed much light on what Burton (and its customers) 
really want, but the emphasis seemed to be on support for XACML's 
Request/Response formats rather than on support for XACML policies.

In order to test interoperability of products with XACML 
Request/Response formats, two things need to be tested.  First is 
whether the product supports XACML's Request/Response formats at all 
(Diodati did not distinguish between raw Request/Response versus 
encapsulation using the SAML profile).  The second is whether the XACML 
Request/Response format can convey the information required to evaluate 
existing WAM policies, whether those policies are XACML policies or some 
other existing format.   This seemed to be the analyst's primary concern.

Design an XACML policy interoperability test requires testing the 
various XACML policy capabilities.  Products that translate XACML 
policies into their native policy format may be able to translate some 
XACML policy functionality but not all.  Even products that use XACML as 
their native format may not support all features.  This type of test 
would need to be something like our Conformance tests, to see exactly 
which features various products can handle, either directly or by 
translation.  I think the problem of Attribute retrieval could be 
finessed by specifying that all Attributes required to evaluate the 
policies are supplied in the Request.

Regards,
Anne
-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA