
saml-dev message


Subject: [saml-dev] SAML/XACML scenarios/samples

Hello Everyone, 

I am new to this forum and glad to see an active forum unlike the one on
Yahoo.  I read SAML/XACML specs and some related articles.  But I am
looking for some examples and opinions from experts which could make
things more clear and helpful.

I would appreciate it very much if anyone could point me to any
samples/examples available for SAML/XACML.  I tried to download JSAML
from Netegrity but they had taken out the free download option and
JSAML is now integrated into their other products.  And there seem to be
some vendors that offer SAML tools for evaluation - any recommendations?

Single sign on...
If two or more entities join an alliance and trust each other, should
each have its own sign on service for authentication or should they all
share a single sign on service?  In other words, should the sign on
credentials of all users of all entities be managed/authenticated by one
service or should each take care of its own?  Are there any cons in using
single sign on as long as the entities trust each other?

Sample scenario...
I have a scenario where users of two web services (each belonging to a
separate entity, but trusting each other) want to share information among
them.  In detail: when a user from entity A (user-A) makes a request to
WS-A, it should also pull related information from WS-B, combine it
with its own data and provide it to user-A.

It should work similarly for a user from entity B (user-B), such that
WS-B pulls data from WS-A and combines with its own data and provides to
the user-B.

Using SAML...
To implement SAML in this scenario, assuming I use single sign on
service (SSO-WS), I think of the following approach:

- user provides credentials to SSO-WS
- user authenticated and provided a reference#
- user forwarded to his/her entity's WS url
- user submits request along with reference id
- user entity's WS requests assertion from SSO-WS and
receives assertion info
- user entity's WS pulls data from its DB and also
sends request to WS-B along with user's reference#
- similarly WS-B also requests assertion from SSO-WS and receives
assertion info
- WS-B pulls data from its DB and sends resp to WS-A
- Now, WS-A provides data from both entities to its user

Using XACML...
And thinking of permissions, e.g., entity A giving full permissions
to its users to access its data while entity B gives limited
permissions to users of other entities - I wonder how XACML can provide
rules for permissions to different users on each entity.  Should SAML's
authorization query be used along with having XACML rules on each

I would really appreciate it if anyone could provide suggestions/comments
on my thinking of using single sign on, SAML and XACML...  Thanks in

- Raju.
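
The reference-based flow listed under "Using SAML..." above, as an added plain-Python simulation that is not part of the original message and uses no SAML library or XML. The class names, the sample user, the reference expiry and the trusted-requester check are assumptions made for illustration.

```python
import secrets
import time

class SsoService:
    """Stand-in for SSO-WS (hypothetical class, not a SAML library)."""
    def __init__(self, users, trusted, ttl=300):
        self.users = users            # username -> password (constructed sample data)
        self.trusted = set(trusted)   # services allowed to request assertions
        self.ttl = ttl                # assumption: references expire after ttl seconds
        self.issued = {}              # reference# -> assertion info

    def sign_on(self, username, password):
        stored = self.users.get(username)
        if stored is None or not secrets.compare_digest(stored, password):
            raise PermissionError("authentication failed")
        reference = secrets.token_urlsafe(20)   # unguessable reference#
        self.issued[reference] = {"subject": username,
                                  "expires": time.time() + self.ttl}
        return reference

    def resolve(self, requester, reference):
        if requester not in self.trusted:
            raise PermissionError("requester is not a trusted service")
        info = self.issued.get(reference)
        if info is None or time.time() >= info["expires"]:
            raise PermissionError("unknown or expired reference")
        return dict(info)

class WebService:
    """Stand-in for WS-A / WS-B; each one resolves the reference itself."""
    def __init__(self, name, sso, records):
        self.name, self.sso, self.records, self.partner = name, sso, records, None

    def local_data(self, reference):
        subject = self.sso.resolve(self.name, reference)["subject"]
        return {"source": self.name, "subject": subject, "records": self.records}

    def handle_request(self, reference):
        # own data first, then the partner's, which re-checks the same reference
        return [self.local_data(reference), self.partner.local_data(reference)]

def run_flow():
    sso = SsoService({"user-A": "pw-A"}, trusted=["WS-A", "WS-B"])
    ws_a = WebService("WS-A", sso, ["a1", "a2"])
    ws_b = WebService("WS-B", sso, ["b1"])
    ws_a.partner, ws_b.partner = ws_b, ws_a
    reference = sso.sign_on("user-A", "pw-A")
    return sso, ws_a, reference, ws_a.handle_request(reference)
```

Because WS-B resolves the reference against SSO-WS itself instead of trusting what WS-A forwards, a forged or expired reference is rejected at both services.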
