Is SAML the right “thing” for authorization? Hmmm, I guess if I were a purist I’d say “No”, but since I’m a pragmatist I’d say “If it works for your application, then use it”. In either case, this brings me to wonder about SAML and XACML from an authorization perspective. Will there be a Betamax versus VHS war in the authorization space? Hard to say. I know Microsoft will be supporting SAML tokens with the release of ADFS V2 later this quarter. They won’t be supporting XACML.
Who will win the war? I don’t know but there’s something to be said about the fact that progress is being made faster with SAML than XACML. Draw your own conclusions…As they say, time will tell.
3 comments:
I would be more interested in why you would say "no", pretending you are a purist, when authorization is defined in the SAML spec.
I think a better analogy may be a shovel vs. a spoon -- or perhaps the opening of doors vs. opening dresser drawers... you get the idea...
SAML is great for authentication, of course -- and it works well for coarse-grained authorizations.
So if you use SAML, when would you use XACML? For fine-grained authorizations.
I consider the question of vendor strategy more important. SAML may very well be usable for authorization. But there is no commercial product supporting it very well for this purpose. If you go for XACML, then IBM, Oracle, Axiomatics (and probably lots of others) will offer you:
* Lightweight Policy Decision Points for multiple platforms
* Out-of-the box support for multiple user & attribute sources (LDAP, SQL)
* Flexible attribute caching
* Centralized policy store
* Centralized, hierarchically delegated policy administration
* Centralized audit logging of authorization requests/responses
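To make the coarse-grained versus fine-grained distinction from the comments concrete, here is an added example (my own illustration, not code from the post or from any of the commenters or vendors named above). A policy enforcement point first gates the whole application on a role carried in a SAML 2.0 AttributeStatement, then hands subject, resource and action attributes to a small deny-overrides policy that stands in for an XACML PDP. The assertion and the XACML 3.0 request are constructed samples, signature omitted; the rules, the `department`/`classification`/`role` attribute names and the `authorize`/`decide` functions are assumptions made for the example, not part of either standard.

```python
"""SAML attributes for a coarse gate, XACML-style evaluation for the fine-grained decision.

Added example for illustration. The assertion and request below are constructed;
the policy is a toy stand-in for a real PDP, not any vendor's product.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XACML_NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CATEGORY_NAMES = {  # map the standard XACML category URIs to short bag names
    "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject": "subject",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:resource": "resource",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:action": "action",
}

# Constructed SAML 2.0 assertion fragment. In production the SP must verify the
# XML signature and the Conditions element before trusting any attribute here.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>analyst</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed XACML 3.0 request carrying the same subject plus resource and action.
XACML_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="role"><AttributeValue>analyst</AttributeValue></Attribute>
    <Attribute AttributeId="department"><AttributeValue>finance</AttributeValue></Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="department"><AttributeValue>finance</AttributeValue></Attribute>
    <Attribute AttributeId="classification"><AttributeValue>internal</AttributeValue></Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"><AttributeValue>read</AttributeValue></Attribute>
  </Attributes>
</Request>"""


def saml_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


def saml_coarse_decision(attrs, required_role):
    """Coarse-grained: gate the whole application on one role from the assertion.
    This says nothing about which individual record the user may touch."""
    return required_role in attrs.get("role", [])


def xacml_request_attributes(xml_text):
    """Parse an XACML 3.0 Request into {category: {AttributeId: [values]}}."""
    root = ET.fromstring(xml_text)
    request = {}
    for block in root.findall("x:Attributes", XACML_NS):
        bag = request.setdefault(CATEGORY_NAMES.get(block.get("Category"), block.get("Category")), {})
        for attr in block.findall("x:Attribute", XACML_NS):
            bag.setdefault(attr.get("AttributeId"), []).extend(
                v.text for v in attr.findall("x:AttributeValue", XACML_NS))
    return request


def decide(subject, resource, action):
    """Toy deny-overrides policy: fine-grained because it compares subject
    attributes against the attributes of the specific resource and action."""
    roles = subject.get("role", [])
    act = action.get(ACTION_ID, [None])[0]
    same_department = subject.get("department") == resource.get("department")
    rules = [
        ("Deny", "restricted" in resource.get("classification", []) and "auditor" not in roles),
        ("Permit", act == "read" and "analyst" in roles and same_department),
        ("Permit", act in ("read", "write") and "manager" in roles and same_department),
    ]
    effects = [effect for effect, matches in rules if matches]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"  # a PEP must treat this as Deny, never as Permit


def xacml_decide(request_xml):
    req = xacml_request_attributes(request_xml)
    return decide(req.get("subject", {}), req.get("resource", {}), req.get("action", {}))


def authorize(assertion_xml, resource, action_id):
    """PEP flow: coarse SAML gate first, then a fine-grained decision, deny by default."""
    attrs = saml_attributes(assertion_xml)
    if not saml_coarse_decision(attrs, "employee"):
        return "Deny"
    decision = decide(attrs, resource, {ACTION_ID: [action_id]})
    return "Permit" if decision == "Permit" else "Deny"


if __name__ == "__main__":
    print(authorize(SAML_ASSERTION, {"department": ["finance"], "classification": ["internal"]}, "read"))
```

The same assertion that passes the coarse check permits a read of a finance record but yields no Permit for a write, for another department's record, or for anything marked restricted; the point of the fine-grained layer is that those distinctions depend on resource attributes the SAML assertion never carried.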