Subject: RE: [xacml] Standardization Status of Documents
We use both OAuth2 and XACML in a B2B setting. The OAuth2 token (JWT) carries the user’s role and some identity attributes, all of which are added to the XACML request. Authorization is done using XACML; we’re not using OAuth scopes. Authentication uses SAML to exchange identity attributes. The user’s role in the application comes from our home-grown multi-tenant subscription system.
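The JWT-to-XACML mapping described above, as an added example (not code from any of the thread's participants): verified token claims become XACML subject attributes in a JSON-profile request, while the OAuth scope claim is deliberately ignored. The tenant attribute id is a hypothetical one; signature/issuer/audience validation is assumed to have happened before this function is called.

```python
import json
import time

# Constructed sample: claims from a JWT whose signature, issuer, audience
# and expiry were already validated by the resource server (not shown).
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test",
    "sub": "alice@partner.example",
    "aud": "orders-api",
    "exp": 4102444800,          # far-future, constructed
    "role": "purchaser",        # from the multi-tenant subscription system
    "tenant": "acme-corp",
    "scope": "orders:write",    # present in the token but intentionally unused
}

XACML_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XACML_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
XACML_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
XACML_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Hypothetical attribute id for the tenant; not defined by any XACML profile.
TENANT_ATTR = "urn:example:attributes:tenant"

def claims_to_xacml_request(claims, resource_id, action_id, now=None):
    """Map verified JWT claims onto an XACML 3.0 JSON-profile request.
    Only identity and role claims become subject attributes; the scope
    claim is dropped because authorization is decided by XACML policy."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired token must not reach the PDP")
    for required in ("sub", "role", "tenant"):
        if required not in claims:
            raise ValueError(f"missing claim: {required}")
    subject = [
        {"AttributeId": XACML_SUBJECT_ID, "Value": claims["sub"]},
        {"AttributeId": XACML_ROLE, "Value": claims["role"]},
        {"AttributeId": TENANT_ATTR, "Value": claims["tenant"]},
    ]
    return {
        "Request": {
            "AccessSubject": {"Attribute": subject},
            "Resource": {"Attribute": [{"AttributeId": XACML_RESOURCE_ID, "Value": resource_id}]},
            "Action": {"Attribute": [{"AttributeId": XACML_ACTION_ID, "Value": action_id}]},
        }
    }

if __name__ == "__main__":
    print(json.dumps(claims_to_xacml_request(SAMPLE_CLAIMS, "/orders/42", "write"), indent=2))
```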
From: email@example.com [mailto:firstname.lastname@example.org]
On Behalf Of Martin Smith
Thanks for the very helpful response.
I agree that OAuth has gotten very popular, and that's especially so in the consumer-oriented (c-to-c and b-to-c) spaces that are the main focus of the ID Ecosystem (IDESG) initiative. I do not know the history of consideration of an OAuth Profile in the XACML TC, but others can provide . . . I'd like to have a "talking point" on that in case the question comes up in review of our XACML nomination to IDESG.
On Fri, Jul 1, 2016 at 3:44 AM, Herrmann, Jan <email@example.com> wrote:
Hi Martin, Hal,
Based on the use cases I am dealing with, I would name the following profiles as being the most active/important… ones, in descending order:
Followed with some gap by:
- Hierarchical Resource
- Multiple Decision
Another thought on XACML Profiles: Quite some time ago I read Hal's paper on the relation of OAuth2 and XACML. Do you know of people using XACML within an OAuth ecosystem? Did the TC ever discuss if an OAuth2 profile of XACML (or vice versa) makes sense? Here at Siemens OAuth-based IAM solutions are rapidly spreading, and some guidance on how fine-grained authorization with XACML can be married with token-based authentication à la OAuth might help to solve use cases and also help XACML’s popularity/usage in practice.
Hal-- I think your message below is what you mentioned in last call's discussion of which profiles we might want to submit for the IDESG Standards Registry.
I'll put together a draft IDESG Nomination form bundling these together (but separately from the core v3 spec draft nomination I posted.)
Recall that (at least according to Jamie, who is very familiar with the IDESG processes) OASIS Committee Specs should be eligible for the IDESG Standards Registry. But of course it can't hurt to have a Profile on track to OASIS Standard.
And I do agree that it would be good to affirm implementations for JSON and REST (and SAML..?) One of the IDESG eval points is "interoperability" and being able to say XACML works with JSON and REST would be a talking point on that issue.
So, are you thinking we should include all the Profiles below in the nomination form for IDESG? If not, can anyone suggest a "most relevant/important/active" subset?
Additional Combining Algs.
Also another request for help. Given the available space on the Nomination Form and the limited review bandwidth available to the IDESG SCC, it would be GREAT to have 1-line bullets expressing the relevance/importance/target-use-case of each of the Profiles we include. (I can try to extract this myself from the Profile introductions, but I expect the authors of each Profile could summarize theirs better.)
On Thu, May 26, 2016 at 10:41 AM, Hal Lockhart <firstname.lastname@example.org> wrote:
The following documents have reached OASIS Standard.
The TC does not plan to progress the following document past Committee Specification at the current time.
Administration & Delegation
The following documents have reached CS, but not yet received any Statements of Use.
I found SoU's against the following documents.
- Hierarchical Resource: Axiomatics
- Multiple Decision: Axiomatics
- REST: Axiomatics, EMC
- Additional Combining Algs.: Axiomatics, EMC
Does anyone have any corrections or additions to the above?
Can we get some more SoU's for REST & JSON? I believe these are the ones that people want to use. (Or are using.)
Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 389-3224 mobile