
mace-opensaml-users - Re: SAML and WS-Policy

Subject: OpenSAML user discussion

Re: SAML and WS-Policy


  • From: "RL 'Bob' Morgan" <>
  • To: Liang Fang <>
  • Cc:
  • Subject: Re: SAML and WS-Policy
  • Date: Mon, 26 Jan 2004 16:24:01 -0800 (PST)


> I'm confused by the relation between SAML/XACML and
> WS-Policy/WS-PolicyAttachment/WS-PolicyAssertion. Is SAML a more
> specific language implementation of WS-Policy, or are they actually
> doing the same thing? I mean in the aspect of specifying the
> authorization policies, excluding the SSO. I can see that SAML/XACML has
> real impls, while WS-Policy* don't.

It is a confusing situation.

You might think of the WS-* specifications, including those you mention
and also WS-Security (now approaching OASIS standard), WS-Trust,
WS-SecureConversation, WS-Federation, and many others, as being similar to
CORBA or DCE in defining an approximately complete distributed computing
system out of many component protocols. SAML and XACML have much less
ambitious goals. In the case of SAML it is defining some XML formats for
exchanging security objects among the sorts of services commonly seen in
vendor single-sign-on/authorization systems. In the case of XACML it is
defining an XML representation of access-control policies. Also, WS-* is
based on SOAP for all communications, whereas SAML and XACML are not
dependent on SOAP (even though one common way of carrying SAML protocol is
via SOAP).

To some extent these are complementary. You can use WS-Security to carry
a SAML assertion (and maybe an XACML policy) as a security token. An
XACML policy could probably be a component of a policy expressed by
WS-Policy. But whether these linkages will become common in the world is
still quite uncertain. It is fair to say that the WS-* development is
almost all happening in a closed community led by Microsoft and IBM, and
that this community doesn't have much overlap with the open standards
committees developing SAML and XACML. So there will also be areas of
conflict and overlap, I'm afraid.

- RL "Bob"



  • SAML and WS-Policy, Liang Fang, 01/26/2004
    • Re: SAML and WS-Policy, RL 'Bob' Morgan, 01/26/2004
