Subject: XACML and Certificate Based Authentification with SAML
Hello list,

I'm new to SAML and XACML. After reading specs, tutorials, etc. for four days I am stuck, or I don't have the feeling that my understanding grows any more ;-)

My overall goal is to do the following: I want to build a generic authentication and authorization mechanism based upon certificates. If I understand everything correctly (sstc-saml-tech-overview-2.0-draft-03, page 16), things work as follows: a client would ask for permission to access a service (1). The service has a PEP which asks a SAML authority for authentication (2). The PEP will receive a SAML assertion from the SAML authority that contains information about the client (cf. page 20 of the document):

- auth statement, which contains info about the subject and info on how authentication was done
- attribute statements, additional info, e.g. something like a credit limit
- authz decision, permit / deny

My first question is about the authz decision. When the SAML authority says "permit", why would I ask an XACML PDP for its decision?

After the PEP is convinced that a valid user wants access to a service, the PEP asks the PDP for its decision (4). The PDP evaluates the request using its database/policy set (5) and sends the decision back to the PEP (6). Is this understanding correct up to now?

---

The next questions target the implementation side. What available software products (open source) would you recommend to me? I have seen that there is an XACML PDP implementation available from SUN (http://sunxacml.sourceforge.net/). I browsed through the available documentation but couldn't find out if there is a SAML authority implementation in the package. If not, which implementation would be suitable to fit my needs?

If anybody of you has set up a similar system to the one I want to build, do you maybe have some kind of a written guide?

It would be very kind of you if you could help me a little and provide information.

Thanks a lot
Martin
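As an added illustration of the PEP / SAML authority / PDP flow the post sketches (example code written for this page; it is not from the post, from the SAML technical overview, or from sunxacml): a toy Python PEP pulls the subject and attribute statements out of a constructed SAML 2.0 assertion, encodes them as an XACML 2.0 request context, and hands that to a minimal first-applicable PDP. The assertion, the policy rules, the resource and action names, and the attribute names `role` and `credit-limit` are all constructed for the example. It also shows why the PEP still consults the PDP after a successful authentication: the assertion says who the subject is and how they authenticated, while the PDP's policy says what that subject may do with a given resource and action.

```python
"""Toy PEP -> XACML PDP flow over a SAML assertion (example code, not from any product).
Names, attributes, policy rules and the sample assertion are all constructed."""
import xml.etree.ElementTree as ET
from typing import Any, Dict

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
X509_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"

# Constructed sample: the kind of assertion a SAML authority returns at step (3).
# The subject was authenticated with an X.509 certificate (AuthnContextClassRef).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_example1" Version="2.0">
  <saml:Subject><saml:NameID>CN=martin,O=example</saml:NameID></saml:Subject>
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>{X509_CLASS}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>trader</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="credit-limit"><saml:AttributeValue>5000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def subject_from_assertion(assertion_xml: str) -> Dict[str, Any]:
    """PEP side: read identity, authentication method and attributes from the assertion.
    Signature and validity-period checks are out of scope here; a real PEP verifies
    the assertion before trusting any of these values."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML}
    subject: Dict[str, Any] = {
        "subject-id": root.findtext("saml:Subject/saml:NameID", namespaces=ns),
        "authn-class": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=ns),
    }
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        subject[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=ns)
    return subject


def build_xacml_request(subject: Dict[str, Any], resource_id: str, action_id: str) -> str:
    """Encode the question 'may this subject do action on resource?' as an
    XACML 2.0 request context (step 4)."""
    req = ET.Element("Request", xmlns=XACML_CTX)
    subj = ET.SubElement(req, "Subject")
    for name, value in subject.items():
        attr_id = SUBJECT_ID if name == "subject-id" else name  # other attribute ids are constructed
        a = ET.SubElement(subj, "Attribute", AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(a, "AttributeValue").text = str(value)
    for section, attr_id, value in (("Resource", RESOURCE_ID, resource_id),
                                    ("Action", ACTION_ID, action_id)):
        a = ET.SubElement(ET.SubElement(req, section), "Attribute",
                          AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(a, "AttributeValue").text = value
    ET.SubElement(req, "Environment")
    return ET.tostring(req, encoding="unicode")


def parse_request(request_xml: str) -> Dict[str, str]:
    """PDP side: flatten the request context into attribute-id -> value."""
    root = ET.fromstring(request_xml)
    ns = {"c": XACML_CTX}
    ctx: Dict[str, str] = {}
    for section in ("Subject", "Resource", "Action"):
        for a in root.findall(f"c:{section}/c:Attribute", ns):
            ctx[a.get("AttributeId")] = a.findtext("c:AttributeValue", namespaces=ns)
    return ctx


# Constructed toy policy, first-applicable combining: (target predicates, effect).
# A key ending in ">=" is a numeric lower bound on that attribute.
POLICY = [
    ({ACTION_ID: "transfer", RESOURCE_ID: "/accounts", "role": "trader",
      "authn-class": X509_CLASS, "credit-limit>=": 10000}, "Permit"),
    ({ACTION_ID: "transfer", RESOURCE_ID: "/accounts"}, "Deny"),
    ({ACTION_ID: "view", RESOURCE_ID: "/accounts", "authn-class": X509_CLASS}, "Permit"),
]


def rule_applies(target: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    for key, want in target.items():
        if key.endswith(">="):
            have = ctx.get(key[:-2])
            if have is None or int(have) < want:
                return False
        elif ctx.get(key) != want:
            return False
    return True


def pdp_evaluate(request_xml: str) -> str:
    """Steps (5) and (6): evaluate the policy set, return Permit / Deny / NotApplicable."""
    ctx = parse_request(request_xml)
    for target, effect in POLICY:
        if rule_applies(target, ctx):
            return effect
    return "NotApplicable"  # no rule matched; a PEP should treat this like Deny


def pep_decide(assertion_xml: str, resource_id: str, action_id: str) -> str:
    """The PEP's job: trust nothing but 'Permit' from the PDP."""
    subject = subject_from_assertion(assertion_xml)
    return pdp_evaluate(build_xacml_request(subject, resource_id, action_id))


if __name__ == "__main__":
    for action in ("view", "transfer"):
        print(action, "/accounts ->", pep_decide(SAMPLE_ASSERTION, "/accounts", action))
```

The same authenticated subject gets `Permit` for `view` but `Deny` for `transfer`, because the policy's credit-limit bound is not met; that gap between "who are you" and "what may you do" is the reason the PEP still asks the PDP after the SAML authority has vouched for the subject.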