xacml-users message
Subject: [xacml-users] XACML and Certificate Based Authentication with SAML


>> ...browsed through the available documentation but couldn't find out if there is a SAML authority
>> implementation in the package. If not, which implementation would be suitable to fit my needs?

You can try STS (Secure Token Service). See the WSIT tutorial.

From: Martin Schneider <martincschneider@googlemail.com>
To: xacml-users@lists.oasis-open.org
Sent: Thu, November 12, 2009 12:32:06 PM
Subject: [xacml-users] XACML and Certificate Based Authentication with SAML

Hello list,

I'm new to SAML and XACML. After four days of reading specs,
tutorials, etc. I am stuck, or I don't have the feeling that my
understanding grows any more ;-)

My overall goal is to do the following: I want to build a generic
authentication and authorization mechanism based upon certificates.

If I understand everything correctly
(sstc-saml-tech-overview-2.0-draft-03, page 16), things work as
follows: a client asks for permission to access a service (1).
The service has a PEP which asks a SAML authority for authentication
(2). The PEP receives a SAML assertion from the SAML authority
that contains information about the client (cf. page 20 of the
document):

- authn statement, which contains info about the subject and info on how
authentication was done
- attribute statements: additional info, e.g. something like a credit limit
- authz decision: permit / deny

My first question is about the authz decision. When the SAML authority
says "permit", why would I ask an XACML PDP for its decision?

After the PEP is convinced that a valid user wants access to a service,
the PEP asks the PDP for its decision (4). The PDP evaluates the request using
its database/policy set (5) and sends the decision back to the PEP
(6).

Is this understanding correct up to now?

---

The next questions target the implementation side. What available
software products (open source) would you recommend to me? I have seen
that there is an XACML PDP implementation available from SUN
(http://sunxacml.sourceforge.net/). I browsed through the available
documentation but couldn't find out if there is a SAML authority
implementation in the package. If not, which implementation would be
suitable to fit my needs?

If any of you has set up a system similar to the one I want to build, do you
maybe have some kind of written guide?

It would be very kind of you if you could help me a little and provide
some information.
Thanks a lot

Martin

---------------------------------------------------------------------
To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-users-help@lists.oasis-open.org
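The flow Martin sketches, steps (1) to (6), as an added example that is not part of the thread and not code from sunxacml or WSIT. It shows the split the question is really about: the SAML authority vouches for who the subject is and what attributes it has, while the XACML PDP decides whether that subject may do this action on this resource under the service's own policy (the SAML 2.0 core spec itself freezes the AuthzDecisionStatement and points to XACML for authorization). The toy PEP below first validates the assertion (issuer, validity window, audience) before trusting any attribute in it, then maps the subject and attribute statements into an XACML 2.0 request context and hands that to a small deny-overrides PDP. The assertion, the policy rules, the urn:example: attribute ids and the URLs are all constructed for the example; XML-DSig verification of the assertion is assumed to have happened before validate_assertion() is called and is not implemented here.

```python
"""Added example (not from the thread, sunxacml or WSIT): toy PEP that validates a
SAML 2.0 assertion, builds an XACML 2.0 request context from it, and asks a toy PDP.
Sample assertion, policy rules, urn:example: attribute ids and URLs are assumptions."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS = {"saml": SAML, "xacml": XACML}
STRING = "http://www.w3.org/2001/XMLSchema#string"
TRUSTED_ISSUER = "https://idp.example.org"       # assumed SAML authority
MY_AUDIENCE = "https://service.example.org"      # assumed identity of this PEP's service

# Constructed sample: what a SAML authority might issue after a TLS client-certificate
# logon. A real assertion also carries a <ds:Signature>; verifying it is assumed done.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" IssueInstant="2009-11-12T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Martin,O=Example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-11-12T11:55:00Z" NotOnOrAfter="2009-11-12T12:10:00Z">
    <saml:AudienceRestriction><saml:Audience>https://service.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2009-11-12T11:59:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>customer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="credit-limit"><saml:AttributeValue>5000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, my_audience, now):
    """Steps (2)-(3): the PEP trusts the authority's statements only if the assertion
    comes from the expected issuer, is inside its validity window, and names this
    service as audience. Returns (subject, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        raise ValueError("assertion not issued for this service (audience mismatch)")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return subject, attrs


def build_xacml_request(subject, subject_attrs, resource_attrs, action):
    """Step (4): map the authenticated subject and its SAML attributes into an XACML 2.0
    request context. Attribute ids under urn:example: are assumptions."""
    def add(parent, attr_id, value):
        a = ET.SubElement(parent, f"{{{XACML}}}Attribute", AttributeId=attr_id, DataType=STRING)
        ET.SubElement(a, f"{{{XACML}}}AttributeValue").text = value
    req = ET.Element(f"{{{XACML}}}Request")
    subj = ET.SubElement(req, f"{{{XACML}}}Subject")
    add(subj, "urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject)
    for name, values in subject_attrs.items():
        for v in values:
            add(subj, f"urn:example:{name}", v)
    res = ET.SubElement(req, f"{{{XACML}}}Resource")
    for attr_id, v in resource_attrs.items():
        add(res, attr_id, v)
    act = ET.SubElement(req, f"{{{XACML}}}Action")
    add(act, "urn:oasis:names:tc:xacml:1.0:action:action-id", action)
    return req


def request_attrs(req, category):
    """Read {AttributeId: [values]} back out of one category of the request context."""
    out = {}
    for a in req.findall(f"xacml:{category}/xacml:Attribute", NS):
        out.setdefault(a.get("AttributeId"), []).extend(v.text for v in a.findall("xacml:AttributeValue", NS))
    return out


def toy_pdp(req):
    """Steps (5)-(6): deny-overrides evaluation of two constructed rules. A real
    deployment hands the request to sunxacml or another PDP instead."""
    s, r, a = request_attrs(req, "Subject"), request_attrs(req, "Resource"), request_attrs(req, "Action")
    role = s.get("urn:example:role", [])
    limit = int(s.get("urn:example:credit-limit", ["0"])[0])
    amount = int(r.get("urn:example:amount", ["0"])[0])
    action = a.get("urn:oasis:names:tc:xacml:1.0:action:action-id", [""])[0]
    rules = [
        ("Deny", "customer" not in role),                      # non-customers never purchase
        ("Permit", action == "purchase" and amount <= limit),  # purchases within credit limit
    ]
    effects = [effect for effect, applies in rules if applies]
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"


def pep_decide(assertion_xml, resource_attrs, action, now):
    """Whole PEP flow. Returns (decision, reason); anything but Permit is enforced as deny."""
    try:
        subject, attrs = validate_assertion(assertion_xml, TRUSTED_ISSUER, MY_AUDIENCE, now)
    except ValueError as err:
        return "Deny", f"assertion rejected: {err}"
    return toy_pdp(build_xacml_request(subject, attrs, resource_attrs, action)), "PDP decision"


if __name__ == "__main__":
    order = {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": "order", "urn:example:amount": "4200"}
    print(pep_decide(SAMPLE_ASSERTION, order, "purchase", parse_utc("2009-11-12T12:01:00Z")))
```

Note that authentication succeeding (a valid assertion) and authorization being granted (a Permit from the PDP) are two separate outcomes: the same valid assertion yields NotApplicable for a purchase above the credit limit, and an expired or mis-addressed assertion never reaches the PDP at all.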