Tag Archives: XACML

Security Policy Provisioning

There is an idea that has been kicked around in IdM for years called Security Policy Provisioning. Basically the idea is that you have a system that takes centrally managed security policies and pushes them out to disparate system, the same way provisioning systems manage user accounts. We kicked around the idea of building a Security Policy Provisioning product back at OpenNetwork,  but never did. In all honesty I had expected some IdM vendor to have added this feature to their provisioning engine by now, but as far as I know none ever went farther than user role management.

Well Axiomatics has apparently rolled it out in the guise of pushing their XACML policies to Windows Server 2012 to leverage the new authorization features. This is a very neat idea.

Of course after you push out the policies, Windows Server 2012 becomes the PDP as well as the PEP. You could develop a similar solution without using XACML at all.


It’s all about the PEP

Jackson Shaw has this to say about authorization via SAML vs XACML. Jonathan Sander follows up with some very good comments about SAML vs XACML.

I really like XACML. Ideally, it should be much more widely used. But when push comes to shove it’s really all about the policy enforcement point (PEP).

SAML can be an easy (relatively) bridging technology that really doesn’t require significant changes to the back-end systems. All that is needed is to create a SAML end point that receives the authentication and creates an authn token appropriate for the services being authenticated. It may also need to provision identity information, but that’s another discussion. The point is the services can still leverage the same authentication token they used before SAML was added.

XACML, on the other hand, will require changes to services to make the appropriate XACML authz queries. In other words, the service needs to become a PEP.

An alternative approach is to pass SAML attribute assertions during the authentication that are converted to updates to a user attribute store (in a DB table or directory). Those attributes are then used for authorization decisions by the service. The same can be done with role information.

You could argue that ABAC and RBAC are not sufficient. But chances are the service you are trying to federate is already ABAC or RBAC based. That and the fact that SAML will be implemented first, makes  XACML a hard sell.

Physical and logical security convergence

Guy Huntington has had a lot of interesting things to say recently over at his AuthenticationWorld blog. I am not sure I completely agree with this, however:

Get all my PAC products to meet LDAP, SPML and XACML protocols.
This enables the products to easily interconnect with any of the logical identity and access management products. Most are now LDAP (Lightweight Directory Access Protocol) enabling communication between the enterprise directory and the PAC.

I’m not sure how compelling it is to SPML enable a product that is already LDAP enabled. As much as I like SPML, if the PAC identities are already externalized to LDAP, I’m not sure I see the value in provisioning via SPML.

Still, Guy makes some great points about the value of integrated PAC, Identity, and Security Management systems.


Where is Microsoft going on identity?

There has been some interesting news on Microsoft and Identity recently. Of course there is the recent acquisition o f U-prove. You can read Stefan Brands’ thoughts here and Kim Cameron’s here. I think that this is in theory a great move for Microsoft that could be very beneficial to the internet at large.

The real question is whether the theoretical benefits will ever realized by significant relying party adoption. As with SAML, OpenID, and Information Cards/Cardspace, it doesn’t matter how good the idea is or how many vendors back it, if popular relying parties don’t adopt it, it will remain an interesting topic of conversation and nothing more. I hope this catches on, I am just not betting on it.

There have been some interesting discussion going on at DEC (which I missed unfortunately). John Fontana has articles on it here, here, and here. There are three interesting thoughts here; Microsoft’s notion of an Identity Bus, opening the door to more standards adoption, and IdM as a service.

Of the three I think the notion of standards adoption is the most interesting to me personally since I have been involved in a lot of these standards activities. I would love to see Microsoft add support for the SAML protocol, XACML, and SPML.

Interesting times.