OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-users] XACML and Certificate Based Authentificationwith SAML

On Thu, 2009-11-12 at 12:32 +0100, Martin Schneider wrote:
> Hello list,
> - authz decision, permit / deny
> My first question is about the authz decision. When SAML authority
> says "permit", why would I ask an XACML PDP for his decision?

This is probably some leftover from the time where SAML and XACML had
some overlap concerning authorization.

According to my understanding the use of the authz statement in SAML has
been discontinued/deprecated in favor of the XACML request/response
format. So you should use XACML for authz decisions and SAML for auth
and attribute statements.

See the saml-core-2.0 spec page 31 section 2.7.4 for the official
statement on this.

Hope it helps,

Ludwig Seitz

Ludwig Seitz, PhD             |   Axiomatics AB
Training & Development        |   Electrum 223
Phone: +46 (0)760 44 22 91    |   S-164 40 Kista, Sweden
Mail: ludwig@axiomatics.com   |

This is a digitally signed message part

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]