XACML and Certificate Based Authentification with SAML

[Martin Schneider <martincschneider@googlemail.com>]

Hello list,

I'm new to SAML and XACML. After reading four days in specs,
tutorials, etc I am stuck or I don't have the feeling that my
understanding grows any more ;-)

My overall goal is to do the following: I want to build an generic
authentication and authorization mechanism based upon certificates.

When I understand everything correctly
(sstc-saml-tech-overview-2.0-draft-03, page 16), things work as
follows: a client would ask for permission to access a service (1).
The service has a PEP which asks a SAML authority for authentification
(2). The PEP will receive a SAML assertion from the SAML authority
that contains information about the client (cf. page 20 of the
document):

- auth statement, which contains info about the subject and info how
authentification was done
- attribute statements, additional info, e.g. something like a credit limit
- authz decision, permit / deny

My first question is about the authz decision. When SAML authority
says "permit", why would I ask an XACML PDP for his decision?

After the PEP is convinced that a valid user want access to a service,
PEP asks the PDP for his decision (4). PDP evaluates the request using
his database/policy set (5) and sends the decision back to the PEP
(6).

Is this understanding correct up to now?

---

The next questions target the implementation side. What availiable
software products (open source) would you recommend to me? I have seen
that there is a XACML PDP implementation availiable from SUN
(http://sunxacml.sourceforge.net/). I browsed through the availiable
documentation but couldn't find out if there is a SAML authority
implementation in the package. If no, which implementation would be
suitable to fit my needs?

If anybody of you set up a similar system that I want to build, do you
maybe have some kind of a written guide?

It would be very kind of you if you could help me a little and provide
information.
Thanks a lot

Martin