mace-opensaml-users - RE: XACML Profile of OpenSAML 2.0 for the HERAS-AF project
Subject: OpenSAML user discussion
- From: "Scott Cantor" <>
- To: "'Wolfgang Giersche'" <>, <>
- Cc: <>
- Subject: RE: XACML Profile of OpenSAML 2.0 for the HERAS-AF project
- Date: Thu, 12 Jan 2006 13:23:54 -0500
- Organization: The Ohio State University
> I am working with Swiss University Rapperswil on an enterprise
> authorization framework called HERAS-AF that would eventually leverage
> on the SAML 2.0 XACML profile for PEP-PDP communication.
I think you want to be a bit careful here. There is a SAML 2.0 XACML
Attribute profile. That talks about mapping attributes between the systems
more cleanly.
There is also (I think) an XACML 2.0 profile of SAML 2.0. I think that's the
thing you're talking about. It uses SAML protocol to do XACML
request/response work, and replaces the SAML AuthzDecisionStatement with an
XACML decision construct inside an assertion.
> For that I plan to integrate SUN's XACML implementation with your upcoming
> SAML2.0 implementation.
Does Sun's library support XACML 2.0? I saw a few 2.0 features being added
to it, but it didn't look like they had a full 2.0 library yet. Maybe that's
changed.
> I was really happy to see that the roadmap envisages a
> final release for March 2006. I could imagine to donate the resulting
> SAML-XACML glue code, if the project finds the results worthy.
I think it's the wrong place for it. Contributing it is fine, but it's not
going into OpenSAML proper because OpenSAML is a SAML library, not an XACML
library. XACML-defined SAML extensions belong outside OpenSAML, in my
opinion.
> Is the final milestone in March realistic?
I think working code is realistic. Ultimately OpenSAML 2.0 is probably not
going to be officially released until Shibboleth 2.0 ships. It might precede
it by a little, but I am *not* releasing ten pre-2.0 versions like I did
with 1.0 so people can fork off of buggy code and then complain about it
later. If somebody takes a cvs snapshot, at least then they know it's not a
real release.
-- Scott
- XACML Profile of OpenSAML 2.0 for the HERAS-AF project, Wolfgang Giersche, 01/11/2006
- RE: XACML Profile of OpenSAML 2.0 for the HERAS-AF project, Scott Cantor, 01/12/2006