
mace-opensaml-users - RE: XACML Profile of OpenSAML 2.0 for the HERAS-AF project

Subject: OpenSAML user discussion


RE: XACML Profile of OpenSAML 2.0 for the HERAS-AF project


  • From: "Scott Cantor" <>
  • To: "'Wolfgang Giersche'" <>, <>
  • Cc: <>
  • Subject: RE: XACML Profile of OpenSAML 2.0 for the HERAS-AF project
  • Date: Thu, 12 Jan 2006 13:23:54 -0500
  • Organization: The Ohio State University

> I am working with Swiss University Rapperswil on an enterprise
> authorization framework called HERAS-AF that would eventually leverage
> the SAML 2.0 XACML profile for PEP-PDP communication.

I think you want to be a bit careful here. There is a SAML 2.0 XACML
Attribute profile. That talks about mapping attributes between the systems
more cleanly.

There is also (I think) an XACML 2.0 profile of SAML 2.0. I think that's the
thing you're talking about. It uses SAML protocol to do XACML
request/response work, and replaces the SAML AuthzDecisionStatement with an
XACML decision construct inside an assertion.

> For that I plan to integrate Sun's XACML implementation with your upcoming
> SAML 2.0 implementation.

Does Sun's library support XACML 2.0? I saw a few 2.0 features being added
to it, but it didn't look like they had a full 2.0 library yet. Maybe that's
changed.

> I was really happy to see that the roadmap envisages a
> final release for March 2006. I could imagine donating the resulting
> SAML-XACML glue code, if the project finds the results worthy.

I think it's the wrong place for it. Contributing it is fine, but it's not
going into OpenSAML proper because OpenSAML is a SAML library, not an XACML
library. XACML-defined SAML extensions belong outside OpenSAML, in my
opinion.

> Is the final milestone in March realistic?

I think working code is realistic. Ultimately OpenSAML 2.0 is probably not
going to be officially released until Shibboleth 2.0 ships. It might precede
it by a little, but I am *not* releasing ten pre-2.0 versions like I did
with 1.0 so people can fork off of buggy code and then complain about it
later. If somebody takes a cvs snapshot, at least then they know it's not a
real release.

-- Scott
