Comments on Jackson's Identity Management & Active Directory Reality Tour Travelblog: SAML vs. XACML for Authorization: VHS versus Betamax?

richlooker (2012-12-07):

I consider the question of vendor strategy more important. SAML may very well be usable for authorization. But there is no commercial product supporting it very well for this purpose. If you go for XACML, then IBM, Oracle, Axiomatics (and probably lots of others) will offer you:
* Lightweight Policy Decision Points for multiple platforms
* Out-of-the-box support for multiple user & attribute sources (LDAP, SQL)
* Flexible attribute caching
* Centralized policy store
* Centralized, hierarchically delegated policy administration
* Centralized audit logging of authorization requests/responses

Ben Gerber (2010-03-12):

I think a better analogy may be a shovel vs. a spoon -- or perhaps the opening of doors vs. opening dresser drawers... you get the idea...
SAML is great for authentication, of course -- and it works well for coarse-grained authorizations.
So if you use SAML, when would you use XACML? For fine-grained authorizations.

Secret Chipmunk (2010-03-09):

I would be more interested in why you would say "no", pretending you are a purist, when authorization is defined in the SAML spec.