Wednesday, October 5, 2011

XACML, or, why SAML is not sufficient

For many, the title of this post may come as a surprise: after all, SAML is used in many applications as the basis for authorization decisions. But if you look a bit closer at what is really going on here, you will see that SAML won't give you authorization. At best it gives you the necessary elements so that you (or rather, your application) can make the decision yourself. All SAML hands over is a bunch of claims, which are not much more than attributes of a person passed to the application; after that, the application is still doing the heavy lifting all by itself.

I personally think that XACML fills that void very nicely. To quote Wikipedia: XACML "is a declarative access control policy language implemented in XML and a processing model, describing how to interpret the policies." Obviously, SAML won't give you this. If you compare the two, I think it is fair to say that relying on SAML alone amounts to hardwiring authorization into your application, which is exactly what you want to avoid when you want to decouple your application from authorization. I will agree that SAML is the perfect way to externalize authentication, not so much authorization.
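To make the distinction between the two paragraphs above concrete, here is an added example (not code from the post, from Axiomatics or from OASIS). It puts the "application does the heavy lifting" approach next to a tiny policy decision point: the same SAML claims are fed into a declarative policy evaluated by a small engine, so a new rule is a policy change rather than a code change. The policy XML uses a deliberately simplified, XACML-flavoured shape (Policy, Rule, Target, Condition, Effect and a rule-combining algorithm), not the OASIS schema, and all attribute names, identifiers and claim values are constructed for the example.

```python
"""Added example: SAML claims feed a policy decision instead of hardwired checks.

The XML below is a simplified, XACML-flavoured shape (Policy, Rule, Target,
Condition, Effect, rule-combining algorithm), not the OASIS schema; every
attribute name, identifier and value is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed: the claims a SAML assertion would hand to the application.
SAML_CLAIMS = {"role": ["clinician"], "department": ["cardiology"]}

# Constructed policy: clinicians may read records of their own department;
# nobody may export records. Deny wins when rules disagree.
POLICY_XML = """<Policy PolicyId="patient-records" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="read-own-department" Effect="Permit">
    <Target>
      <Match Category="action" AttributeId="action-id" Value="read"/>
      <Match Category="resource" AttributeId="resource-type" Value="patient-record"/>
      <Match Category="subject" AttributeId="role" Value="clinician"/>
    </Target>
    <Condition Function="attribute-equal"
               Left="subject:department" Right="resource:department"/>
  </Rule>
  <Rule RuleId="no-export" Effect="Deny">
    <Target>
      <Match Category="action" AttributeId="action-id" Value="export"/>
    </Target>
  </Rule>
</Policy>"""


def hardwired_authorize(claims, resource, action):
    """The SAML-only approach the post describes: the application itself
    encodes the access rule, so every policy change is a code change."""
    if action == "read" and resource["resource-type"] == "patient-record":
        return ("clinician" in claims.get("role", [])
                and resource["department"] in claims.get("department", []))
    return False


def build_request(claims, resource, action):
    """Assemble an XACML-style request: attribute values grouped by category."""
    return {
        "subject": claims,
        "resource": {k: [v] for k, v in resource.items()},
        "action": {"action-id": [action]},
    }


def _lookup(request, ref):
    """Resolve 'category:attribute' to the list of values in the request."""
    category, attr = ref.split(":", 1)
    return request.get(category, {}).get(attr, [])


def _target_matches(target, request):
    """A Target matches when every Match value is among the attribute's values."""
    if target is None:
        return True
    return all(m.get("Value") in _lookup(request, f"{m.get('Category')}:{m.get('AttributeId')}")
               for m in target.findall("Match"))


def _condition_holds(cond, request):
    """Only one function is implemented here: two attributes share a value."""
    if cond is None:
        return True
    if cond.get("Function") != "attribute-equal":
        raise ValueError(f"unsupported function {cond.get('Function')}")
    left, right = _lookup(request, cond.get("Left")), _lookup(request, cond.get("Right"))
    return bool(set(left) & set(right))


def evaluate_rule(rule, request):
    """Target and Condition must both hold for the rule's Effect to apply."""
    if not _target_matches(rule.find("Target"), request):
        return "NotApplicable"
    if not _condition_holds(rule.find("Condition"), request):
        return "NotApplicable"
    return rule.get("Effect")


def evaluate_policy(policy_xml, request):
    """Combine the per-rule decisions with the policy's rule-combining algorithm."""
    policy = ET.fromstring(policy_xml)
    decisions = [evaluate_rule(r, request) for r in policy.findall("Rule")]
    alg = policy.get("RuleCombiningAlgId")
    if alg == "deny-overrides":
        if "Deny" in decisions:
            return "Deny"
        return "Permit" if "Permit" in decisions else "NotApplicable"
    if alg == "permit-overrides":
        if "Permit" in decisions:
            return "Permit"
        return "Deny" if "Deny" in decisions else "NotApplicable"
    if alg == "first-applicable":
        return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")
    raise ValueError(f"unsupported combining algorithm {alg}")


def pep_allows(claims, resource, action):
    """Deny-biased enforcement point: only an explicit Permit grants access."""
    return evaluate_policy(POLICY_XML, build_request(claims, resource, action)) == "Permit"


if __name__ == "__main__":
    record = {"resource-type": "patient-record", "department": "cardiology"}
    print(hardwired_authorize(SAML_CLAIMS, record, "read"))  # True
    print(pep_allows(SAML_CLAIMS, record, "read"))           # True
    print(pep_allows(SAML_CLAIMS, record, "export"))         # False
```

Note the asymmetry: the "no-export" rule exists only in the policy, so the hardwired function has no idea about it and would need to be edited to enforce it, whereas the enforcement point picks it up by evaluating the policy. Also note that the enforcement point treats anything other than an explicit Permit (NotApplicable included) as a refusal, which is the safe default when a request falls outside every rule.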

If you want a high-level introduction to XACML, my friend Felix Gaethgens of Axiomatics is presenting on this very subject tomorrow at Kuppinger Cole (register here). For all the details on XACML, OASIS is the source.
