I’ve had my first customer discussion around implementation of a SAML-based authorization system. Yes, I said SAML – not XACML. There are lots of companies out there building XACML management products. Axiomatics and BitKoo come to mind, but while customers have been discussing the potential use of XACML, I have yet to run into a customer who is actually writing applications that use XACML. But I have run into my first customer who is already using SAML for the authentication side of an application and now wants to enable attribute-based authorization via SAML. Why SAML? Because they are already using it for authentication.
Is SAML the right “thing” for authorization? Hmmm, I guess if I were a purist I’d say “No”, but since I’m a pragmatist I’d say “If it works for your application then use it”. In either case, this brings me to wonder about SAML and XACML from an authorization perspective. Will there be a Betamax versus VHS war in the authorization space? Hard to say. I know Microsoft will be supporting SAML tokens with the release of ADFS V2 later this quarter. They won’t be supporting XACML.
Who will win the war? I don’t know, but there’s something to be said about the fact that progress is being made faster with SAML than XACML. Draw your own conclusions… As they say, time will tell.