Tuesday, March 09, 2010

SAML vs. XACML for Authorization: VHS versus Betamax?

I’ve had my first customer discussion around implementation of a SAML-based authorization system. Yes, I said SAML – not XACML. There are lots of companies out there building XACML management products. Axiomatics and BitKoo come to mind but while customers have been discussing the potential use of XACML I have yet to run into a customer who is actually writing applications that use XACML. But I have run into my first customer who is already using SAML for the authentication side of an application and now wants to enable attribute-based authorization via SAML. Why SAML? Because they are already using it for authentication.

Is SAML the right “thing” for authorization? Hmmm, I guess if I were a purist I’d say “No” but since I’m a pragmatist I’d say “If it works for your application then use it”. In either case, this brings me to wonder about SAML and XACML from an authorization perspective. Will there be a Betamax versus VHS war in the authorization space? Hard to say. I know Microsoft will be supporting SAML tokens with the release of ADFS V2 later this quarter. They won’t be supporting XACML.

Who will win the war? I don’t know but there’s something to be said about the fact that progress is being made faster with SAML than XACML. Draw your own conclusions… As they say, time will tell.


Parker said...

I would be more interested in why you would say "no", pretending you are a purist, when authorization is defined in the SAML spec.

Ben Gerber said...

I think a better analogy may be a shovel vs. a spoon -- or perhaps the opening of doors vs. opening dresser drawers... you get the idea...
SAML is great for authentication, of course -- and it works well for coarse-grained authorizations.
So if you use SAML, when would you use XACML? For fine-grained authorizations.
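The split the post and this comment describe, SAML carrying subject attributes and the application (or an XACML-style policy engine) deciding on them, can be shown side by side. The block below is an added example, not code from the post, from the commenters or from any product named on this page. The SAML assertion, the audience URL and the policy rules are all constructed for illustration; XML signature verification is assumed to have been done by the SSO library before the assertion reaches this code, since without it none of the attributes can be trusted for an authorization decision.

```python
"""Coarse-grained (SAML attribute check) versus fine-grained (XACML-style
policy evaluation) authorization over the same SAML attributes.
All sample data here is constructed for illustration."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion. The signature is assumed to have been
# verified already; this code only reads Conditions and attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2010-03-09T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-03-09T12:00:00Z" NotOnOrAfter="2010-03-09T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>manager</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(s):
    """Parse the SAML UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_attributes(assertion_xml, audience, now):
    """Return {name: [values]} from the AttributeStatement, or None when the
    Conditions (validity window, audience restriction) reject the assertion.
    `now` is a timestamp string in the same format as the assertion."""
    root = ET.fromstring(assertion_xml)
    current = _ts(now)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and current < _ts(nb):
            return None
        if noa and current >= _ts(noa):
            return None
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and audience not in audiences:
            return None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def coarse_grained_allow(attrs, required_role):
    """SAML-only style: the application checks a single role attribute."""
    return attrs is not None and required_role in attrs.get("role", [])


# XACML-style policy: each rule is (effect, target) where the target names
# required attribute values per category (subject / resource / action).
FINE_GRAINED_POLICY = [
    ("Deny", {"action": {"id": "approve"}, "resource": {"owner-is-subject": "true"}}),
    ("Permit", {"subject": {"role": "manager", "department": "finance"},
                "resource": {"type": "invoice"}, "action": {"id": "approve"}}),
]


def _matches(target, request):
    """A target matches when every required value is present in the request."""
    for category, wanted in target.items():
        have = request.get(category, {})
        for name, value in wanted.items():
            vals = have.get(name)
            vals = vals if isinstance(vals, list) else [vals]
            if value not in vals:
                return False
    return True


def xacml_decide(policy, request):
    """Deny-overrides combining: a matching Deny wins, then any Permit,
    otherwise NotApplicable."""
    decision = "NotApplicable"
    for effect, target in policy:
        if _matches(target, request):
            if effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision


def decide_from_assertion(assertion_xml, audience, now, resource, action):
    """Feed SAML attributes into the fine-grained policy as the subject."""
    attrs = extract_attributes(assertion_xml, audience, now)
    if attrs is None:
        return "Deny"  # assertion outside its conditions: nothing to trust
    return xacml_decide(FINE_GRAINED_POLICY,
                        {"subject": attrs, "resource": resource, "action": action})


if __name__ == "__main__":
    now = "2010-03-09T12:01:00Z"
    attrs = extract_attributes(SAMPLE_ASSERTION, "https://app.example.test", now)
    print("coarse (role=manager):", coarse_grained_allow(attrs, "manager"))
    print("fine (approve own invoice):", decide_from_assertion(
        SAMPLE_ASSERTION, "https://app.example.test", now,
        {"type": "invoice", "owner-is-subject": "true"}, {"id": "approve"}))
```

The coarse check answers "is this user a manager?" and nothing more, which is what a SAML-only deployment typically gets. The policy evaluation consumes the same attributes but also sees the resource and the action, so a rule such as "nobody approves their own invoice" can be expressed centrally instead of being coded into each application; that is the difference between shovel and spoon that the comment describes.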

richlooker said...

I consider the question of vendor strategy more important. SAML may very well be usable for authorization. But there is no commercial product supporting it very well for this purpose. If you go for XACML, then IBM, Oracle, Axiomatics (and probably lots of others) will offer you:
* Lightweight Policy Decision Points for multiple platforms
* Out-of-the-box support for multiple user & attribute sources (LDAP, SQL)
* Flexible attribute caching
* Centralized policy store
* Centralized, hierarchically delegated policy administration
* Centralized audit logging of authorization requests/responses