Subject: RE: [xacml] Standardization Status of Documents
We use both OAuth2 and XACML in a B2B setting. The OAuth2 token (JWT) carries the user's role and some identity attributes, all of which are added to the XACML request. Authorization is done using XACML; we're not using OAuth scopes. Authentication uses SAML to exchange identity attributes. The user's role in the application comes from our home-grown multi-tenant subscription system.

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Martin Smith
Jan--

Thanks for the very helpful response. I agree that OAuth has gotten very popular, and that's especially so in the consumer-oriented (c-to-c and b-to-c) spaces that are the main focus of the ID Ecosystem (IDESG) initiative. I do not know the history of consideration of an OAuth Profile in the XACML TC, but others can provide . . . I'd like to have a "talking point" on that in case the question comes up in review of our XACML nomination to IDESG.

Thanks!

Martin

On Fri, Jul 1, 2016 at 3:44 AM, Herrmann, Jan <jan.herrmann@siemens.com> wrote:

Hi Martin, Hal,

based on the use cases I am dealing with, I would name the following profiles as the most active/important ones, in descending order:

1. REST
2. JSON
3. RBAC
4. SAML

Followed, with some gap, by:

· Hierarchical Resource
· Multiple Decision

Another thought on XACML Profiles: Quite some time ago I read Hal's paper on the relation of OAuth2 and XACML. Do you know of people using XACML within an OAuth ecosystem? Did the TC ever discuss whether an OAuth2 profile of XACML (or vice versa) makes sense? Here at Siemens, OAuth-based IAM solutions are rapidly spreading, and some guidance on how fine-grained authorization with XACML can be married with token-based authentication à la OAuth might help to solve use cases and also help XACML's popularity/usage in practice.

BR
Jan
From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Martin Smith

Hal--

I think your message below is what you mentioned in last call's discussion of which profiles we might want to submit for the IDESG Standards Registry. I'll put together a draft IDESG Nomination form bundling these together (but separately from the core v3 spec draft nomination I posted.) Recall that (at least according to Jamie, who is very familiar with the IDESG processes) OASIS Committee Specs should be eligible for the IDESG Standards Registry. But of course it can't hurt to have a Profile on track to OASIS Standard. And I do agree that it would be good to affirm implementations for JSON and REST (and SAML..?) One of the IDESG eval points is "interoperability" and being able to say XACML works with JSON and REST would be a talking point on that issue.

So, are you thinking we should include all the Profiles below in the nomination form for IDESG? If not, can anyone suggest a "most relevant/important/active" subset?

MAP
IPC
EC-US
XSPA
SAML
Signature
DLP/NAC
Hierarchical Resource
Multiple Decision
REST
JSON
Additional Combining Algs.
Privacy
RBAC

Also another request for help. Given the available space on the Nomination Form and the limited review bandwidth available to the IDESG SCC, it would be GREAT to have 1-line bullets expressing the relevance/importance/target-use-case of each of the Profiles we include. (I can try to extract this myself from the Profile introductions, but I expect the authors of each Profile could summarize theirs better.)

Thanks,

Martin

On Thu, May 26, 2016 at 10:41 AM, Hal Lockhart <hal.lockhart@oracle.com> wrote:

The following documents have reached OASIS Standard.

XACML Core
MAP
IPC
EC-US
XSPA

The TC does not plan to progress the following document past Committee Specification at the current time.

Administration & Delegation

The following documents have reached CS, but not yet received any Statements of Use.

SAML
Signature
DLP/NAC

I found SoU's against the following documents.

Hierarchical Resource: Axiomatics
Multiple Decision: Axiomatics
REST: Axiomatics, EMC
JSON: Axiomatics
Additional Combining Algs.: Axiomatics, EMC
Privacy: ViewDS
RBAC: ViewDS

Does anyone have any corrections or additions to the above? Can we get some more SoU's for REST & JSON? I believe these are the ones that people want to use. (Or are using.)

Hal
--
Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 506-0159
703 389-3224 mobile
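The arrangement described in the top reply of this thread (an OAuth2 JWT whose role and identity claims are copied into the XACML request, with the decision made by XACML policy rather than by OAuth scopes), as an added example that is not code from any poster or from the XACML TC. It shows the order of operations a practitioner would insist on: the token is verified (signature, pinned alg, exp, iss, aud) before any claim is trusted, the verified claims are mapped to XACML attribute identifiers, and the request is built in the JSON Profile's shorthand category form. The HS256 shared secret, the issuer and audience values, the claim names, the urn:example tenant attribute and the toy role table are assumptions made for the example; toy_pdp stands in for a real PDP and RBAC policy set.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this example only: the authorization server signs access
# tokens with HS256 using this constructed shared secret (an RS256 deployment
# would verify against the issuer's public key instead), and the B2B API is
# the audience named below.
EXAMPLE_SECRET = b"constructed-shared-secret-for-the-example"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "b2b-api"

# JWT claim -> XACML attribute identifier. subject-id and role are the
# identifiers from XACML core and the RBAC profile; the tenant attribute
# is a hypothetical, application-specific identifier.
CLAIM_TO_ATTRIBUTE = {
    "sub": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "role": "urn:oasis:names:tc:xacml:2.0:subject:role",
    "tenant": "urn:example:tenant-id",
}
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Toy role/permission table standing in for a PDP with an RBAC policy set
# (assumption; in the real setup the decision comes from XACML policy).
TOY_PERMISSIONS = {
    "buyer": {("orders", "read"), ("orders", "create")},
    "auditor": {("orders", "read")},
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_hs256_jwt(claims, secret=EXAMPLE_SECRET):
    """Constructed token standing in for the authorization server (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token, secret=EXAMPLE_SECRET, now=None):
    """Return the claims only once signature, alg, exp, iss and aud check out; else ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # only now is the payload worth parsing
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired or has no exp")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    return claims


def build_xacml_request(claims, resource_id, action_id):
    """Map verified claims into an XACML JSON Profile request (shorthand category names)."""
    subject_attrs = [
        {"AttributeId": attribute_id, "Value": claims[claim]}
        for claim, attribute_id in CLAIM_TO_ATTRIBUTE.items()
        if claim in claims  # a list-valued role claim becomes a multi-valued attribute
    ]
    return {"Request": {
        "AccessSubject": {"Attribute": subject_attrs},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource_id}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action_id}]},
    }}


def toy_pdp(request):
    """Return a JSON Profile style Response. Toy stand-in for a real XACML PDP."""
    req = request["Request"]
    roles = next((a["Value"] for a in req["AccessSubject"]["Attribute"]
                  if a["AttributeId"] == CLAIM_TO_ATTRIBUTE["role"]), [])
    roles = [roles] if isinstance(roles, str) else roles
    resource_type = req["Resource"]["Attribute"][0]["Value"].split("/")[0]
    action = req["Action"]["Attribute"][0]["Value"]
    permitted = any((resource_type, action) in TOY_PERMISSIONS.get(r, set()) for r in roles)
    return {"Response": [{"Decision": "Permit" if permitted else "Deny"}]}


def authorize(token, resource_id, action_id, now=None):
    """Full path: verify token -> build XACML request -> ask the PDP. Returns the Decision string."""
    claims = verify_hs256_jwt(token, now=now)
    return toy_pdp(build_xacml_request(claims, resource_id, action_id))["Response"][0]["Decision"]


def demo():
    """Constructed buyer token checked against two actions; returns both decisions."""
    now = time.time()
    token = mint_hs256_jwt({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                            "sub": "alice@buyer.example", "role": ["buyer"],
                            "tenant": "acme", "exp": int(now) + 300})
    return authorize(token, "orders/42", "read", now), authorize(token, "orders/42", "delete", now)


if __name__ == "__main__":
    print(demo())  # ('Permit', 'Deny')
```

The point of the ordering is that the role attribute the PDP reasons over is only as trustworthy as the token check in front of it: a token signed with the wrong key, an unexpected alg, or a stale exp never reaches build_xacml_request, so a forged role claim cannot turn into a Permit. Swapping the toy table for a real PDP endpoint (the REST profile) changes only toy_pdp; the request document stays the same.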