xacml-users message


Subject: XACML and Certificate Based Authentification with SAML

Hello list,

I'm new to SAML and XACML. After four days of reading specs,
tutorials, etc. I am stuck, or I don't have the feeling that my
understanding is growing any more ;-)

My overall goal is to do the following: I want to build a generic
authentication and authorization mechanism based upon certificates.

If I understand everything correctly
(sstc-saml-tech-overview-2.0-draft-03, page 16), things work as
follows: a client asks for permission to access a service (1).
The service has a PEP which asks a SAML authority for authentication
(2). The PEP will receive a SAML assertion from the SAML authority
that contains information about the client (cf. page 20 of the

- auth statement, which contains info about the subject and info on how
authentication was done
- attribute statements, additional info, e.g. something like a credit limit
- authz decision, permit / deny

My first question is about the authz decision. When the SAML authority
says "permit", why would I ask an XACML PDP for its decision?

After the PEP is convinced that a valid user wants access to a service,
the PEP asks the PDP for its decision (4). The PDP evaluates the request using
its database/policy set (5) and sends the decision back to the PEP.

Is this understanding correct up to now?


The next questions target the implementation side. What available
software products (open source) would you recommend to me? I have seen
that there is an XACML PDP implementation available from SUN
(http://sunxacml.sourceforge.net/). I browsed through the available
documentation but couldn't find out if there is a SAML authority
implementation in the package. If not, which implementation would be
suitable to fit my needs?

If any of you have set up a similar system to the one I want to build, do you
maybe have some kind of written guide?

It would be very kind of you if you could help me a little and provide
Thanks a lot
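Added example, not part of the post above and not taken from sunxacml or any other product mentioned: a minimal model of steps (4) and (5) in Python. The PEP wraps the attributes it trusts from the SAML assertion (subject id plus a role from an attribute statement) into an XACML 2.0 request context; a toy PDP evaluates it against an in-memory rule list with deny-overrides and returns an XACML response. The namespace, attribute ids and status code are the standard XACML 2.0 identifiers; the role attribute id `urn:example:saml-attribute:role`, the policy rules and the sample users are constructed for this example. The point it shows is that the SAML step establishes who the subject is and what attributes it carries, while the XACML step decides what that subject may do, and that a PEP must treat anything other than Permit (including NotApplicable) as denied.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 request/response context namespace and standard identifiers.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
# Constructed attribute id standing in for a role taken from a SAML attribute statement.
ROLE_ID = "urn:example:saml-attribute:role"

ET.register_namespace("", CTX)  # serialise with xmlns="..." as the default namespace


def _tag(name):
    return "{%s}%s" % (CTX, name)


def _add_attribute(parent, attr_id, value):
    attr = ET.SubElement(parent, _tag("Attribute"), AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(attr, _tag("AttributeValue")).text = value


def build_request(subject_attrs, resource_id, action_id):
    """PEP side (step 4): turn the authenticated subject's attributes plus the
    requested resource and action into an XACML 2.0 request context."""
    req = ET.Element(_tag("Request"))
    subject = ET.SubElement(req, _tag("Subject"))
    for attr_id, value in subject_attrs.items():
        _add_attribute(subject, attr_id, value)
    _add_attribute(ET.SubElement(req, _tag("Resource")), RESOURCE_ID, resource_id)
    _add_attribute(ET.SubElement(req, _tag("Action")), ACTION_ID, action_id)
    ET.SubElement(req, _tag("Environment"))  # required by the 2.0 schema, may be empty
    return ET.tostring(req, encoding="unicode")


def parse_request(request_xml):
    """PDP side: flatten every Attribute in the request into {AttributeId: value}."""
    root = ET.fromstring(request_xml)
    attrs = {}
    for attr in root.iter(_tag("Attribute")):
        value = attr.find(_tag("AttributeValue"))
        attrs[attr.get("AttributeId")] = value.text if value is not None else None
    return attrs


# Simplified in-memory policy (constructed; not an XACML policy document).
# Each rule is (Effect, target); the target matches when every listed attribute
# in the request equals the given value.
POLICY = [
    ("Deny",   {ROLE_ID: "contractor", ACTION_ID: "write"}),
    ("Permit", {ROLE_ID: "employee",   RESOURCE_ID: "/reports", ACTION_ID: "read"}),
    ("Permit", {ROLE_ID: "contractor", RESOURCE_ID: "/reports", ACTION_ID: "read"}),
]


def evaluate(policy, attrs):
    """Step 5, deny-overrides: one matching Deny wins; no matching rule at all
    gives NotApplicable rather than Permit."""
    effects = [effect for effect, target in policy
               if all(attrs.get(k) == v for k, v in target.items())]
    if not effects:
        return "NotApplicable"
    return "Deny" if "Deny" in effects else "Permit"


def build_response(decision):
    resp = ET.Element(_tag("Response"))
    result = ET.SubElement(resp, _tag("Result"))
    ET.SubElement(result, _tag("Decision")).text = decision
    status = ET.SubElement(result, _tag("Status"))
    ET.SubElement(status, _tag("StatusCode"), Value=STATUS_OK)
    return ET.tostring(resp, encoding="unicode")


def pdp(policy, request_xml):
    """The whole PDP round trip: request XML in, response XML out."""
    return build_response(evaluate(policy, parse_request(request_xml)))


def decision_of(response_xml):
    return ET.fromstring(response_xml).find(_tag("Result") + "/" + _tag("Decision")).text


def pep_allows(response_xml):
    """PEP side: only an explicit Permit grants access; Deny, NotApplicable and
    Indeterminate are all treated as a refusal."""
    return decision_of(response_xml) == "Permit"


if __name__ == "__main__":
    # Constructed subject: identity and role as the PEP would read them from the SAML assertion.
    alice = {SUBJECT_ID: "alice", ROLE_ID: "employee"}
    for resource, action in (("/reports", "read"), ("/reports", "write")):
        request = build_request(alice, resource, action)
        response = pdp(POLICY, request)
        print(request)
        print("->", decision_of(response), "allowed:", pep_allows(response))
```

The deny-overrides choice mirrors the safest default for a PEP: the SAML authority's assertion only says the client is who it claims to be and which attributes it has, and the access decision still comes from the policy, so a request no rule covers must not fall through to access.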

