

Subject: RE: [xacml] Standardization Status of Documents


We use both OAuth2 and XACML in a B2B setting. The OAuth2 token (JWT) carries the user’s role and some identity attributes, all of which are added to the XACML request. Authorization is done using XACML; we’re not using OAuth scopes. Authentication uses SAML to exchange identity attributes. The user’s role in the application comes from our home-grown multi-tenant subscription system.

 

 

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Martin Smith
Sent: Friday, 1 July 2016 16:06
To: Herrmann, Jan
Cc: hal.lockhart@oracle.com; xacml@lists.oasis-open.org
Subject: Re: [xacml] Standardization Status of Documents

 

Jan--

 

Thanks for the very helpful response. 

 

I agree that OAuth has gotten very popular, and that's especially so in the consumer-oriented (c-to-c and b-to-c) spaces that are the main focus of the ID Ecosystem (IDESG) initiative. I do not know the history of consideration of an OAuth Profile in the XACML TC, but others can provide . . . I'd like to have a "talking point" on that in case the question comes up in review of our XACML nomination to IDESG.

 

Thanks!

 

Martin

 

 

 

 

 

 

On Fri, Jul 1, 2016 at 3:44 AM, Herrmann, Jan <jan.herrmann@siemens.com> wrote:

Hi Martin, Hal,

 

based on the use cases I am dealing with, I would name the following profiles as being the most active/important… ones in descending order:

1. REST
2. JSON
3. RBAC
4. SAML

Followed with some gap by:

· Hierarchical Resource
· Multiple Decision

              

Another thought on XACML Profiles: Quite some time ago I read Hal's paper on the relation of OAuth2 and XACML. Do you know of people using XACML within an OAuth ecosystem? Did the TC ever discuss if an OAuth2 profile of XACML (or vice versa) makes sense? Here at Siemens, OAuth-based IAM solutions are rapidly spreading, and some guidance on how fine-grained authorization with XACML can be married with token-based authentication à la OAuth might help to solve use cases and also help XACML's popularity/usage in practice.

 

BR Jan

 


Siemens AG
Corporate Technology
CT RDA ITS SEA-DE
Otto-Hahn-Ring 6
81739 Muenchen, Germany
Tel.: +49 89 636-633675
Fax: +49 89 636-48000
Mobile: +49 173 3157961
mailto:jan.herrmann@siemens.com
www.siemens.com/ingenuityforlife
Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Siegfried Russwurm, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322

 

 

 

 

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Martin Smith
Sent: Thursday, 30 June 2016 23:15
To: Hal Lockhart
Cc: XACML TC
Subject: Re: [xacml] Standardization Status of Documents

 

Hal-- I think your message below is what you mentioned in last call's discussion of which profiles we might want to submit for the IDESG Standards Registry. 

 

I'll put together a draft IDESG Nomination form bundling these together (but separately from the core v3 spec draft nomination I posted.) 

 

Recall that (at least according to Jamie, who is very familiar with the IDESG processes) OASIS Committee Specs should be eligible for the IDESG Standards Registry. But of course it can't hurt to have a Profile on track to OASIS Standard.  

 

And I do agree that it would be good to affirm implementations for JSON and REST (and SAML..?) One of the IDESG eval points is "interoperability" and being able to say XACML works with JSON and REST would be a talking point on that issue. 

 

So, are you thinking we should include all the Profiles below in the nomination form for IDESG? If not, can anyone suggest a "most relevant/important/active" subset?

 

MAP

IPC

EC-US

XSPA

SAML

Signature

DLP/NAC

Hierarchical Resource       

Multiple Decision          

REST                         

JSON                         

Additional Combining Algs.   

Privacy                    

RBAC                       

 

Also another request for help. Given the available space on the Nomination Form and the limited review bandwidth available to the IDESG SCC, it would be GREAT to have 1-line bullets expressing the relevance/importance/target-use-case of each of the Profiles we include. (I can try to extract this myself from the Profile introductions, but I expect the authors of each Profile could summarize theirs better.) 

 

Thanks,

 

Martin

 

 

 

 

On Thu, May 26, 2016 at 10:41 AM, Hal Lockhart <hal.lockhart@oracle.com> wrote:

The following documents have reached OASIS Standard.

 

XACML Core

MAP

IPC

EC-US

XSPA

 

The TC does not plan to progress the following document past Committee Specification at the current time.

 

Administration & Delegation

 

The following documents have reached CS, but not yet received any Statements of Use.

 

SAML

Signature

DLP/NAC

 

I found SoU's against the following documents.

 

Hierarchical Resource         Axiomatics
Multiple Decision             Axiomatics
REST                          Axiomatics, EMC
JSON                          Axiomatics
Additional Combining Algs.    Axiomatics, EMC
Privacy                       ViewDS
RBAC                          ViewDS

 

Does anyone have any corrections or additions to the above?

 

Can we get some more SOU’s for REST & JSON? I believe these are the ones that people want to use. (Or are using.)

 

Hal

 



 

--

Martin F Smith, Principal

BFC Consulting, LLC

McLean, Va 22102

703 389-3224 mobile



 

--

Martin F Smith, Principal

BFC Consulting, LLC

McLean, Va 22102

703 506-0159

703 389-3224 mobile
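
The setup described in the most recent message of this thread (role and identity attributes from a JWT copied into the XACML request) is sketched below as an added example; it is not code from any list member or product. It verifies the token before any claim reaches the PDP and copies only allow-listed claims into a request in the style of the JSON Profile. The HS256 signing, the claim names `role` and `tenant`, the `urn:example:` attribute id and all sample values are assumptions made so that the block runs with the standard library only.

```python
import base64, hashlib, hmac, json, time

# Standard XACML attribute identifiers.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Assumption: claim names and the tenant attribute id are hypothetical.
CLAIM_TO_ATTR = {"sub": SUBJECT_ID, "role": ROLE_ID,
                 "tenant": "urn:example:subject:tenant"}

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def mac(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_jwt(claims, key):
    """Constructed helper: mint an HS256 token to use as sample input."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(mac(head, body, key))}"

def verified_claims(token, key, now=None):
    """Return the claims only if alg is HS256, the MAC matches and exp is in the future."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(mac(head, body, key), b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def xacml_request(claims, action, resource):
    """Build the request; claims outside the allow-list never reach the PDP."""
    def attr(attr_id, value):
        return {"AttributeId": attr_id, "Value": value}
    subject = [attr(CLAIM_TO_ATTR[c], v) for c, v in claims.items()
               if c in CLAIM_TO_ATTR]
    return {"Request": {
        "AccessSubject": {"Attribute": subject},
        "Action": {"Attribute": [attr(ACTION_ID, action)]},
        "Resource": {"Attribute": [attr(RESOURCE_ID, resource)]}}}
```

Because the role attribute drives the XACML decision, `xacml_request` should only ever be called with the output of `verified_claims`, never with claims decoded from an unchecked token.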


