
mace-opensaml-users - Re: [OpenSAML] JBossXACML v2.0.2.GA based on OpenSAML v2.0

Subject: OpenSAML user discussion

  • From: "Anil Saldhana" <>
  • To:
  • Subject: Re: [OpenSAML] JBossXACML v2.0.2.GA based on OpenSAML v2.0
  • Date: Fri, 18 Apr 2008 00:22:22 -0500

I am a strong supporter of Open SAML since v1.0 and have waited patiently for v2.0. :)

For the Oasis XACML Interoperability Event at the RSA Conference, I had to process samlv2 payload that was embedded inside a soap11 envelope carrying the xacml v2.0 decision queries. So I wrote a teeny integration layer (which needs progressive cleanup) using opensamlv2 to do this - of course the xacml processing is done by JBossXACML. I wonder if Hakon has looked at integrating OSS xacml libraries such as sunxacml.

Anil
http://anil-identity.blogspot.com

On Thu, Apr 17, 2008 at 6:57 AM, Tom Scavo <> wrote:
FYI

----------------------------------------------------------------------

JBossXACML v2.0.2.GA Released
Anil Saldhana, Blog

"After a successful OASIS XACML Interoperability event at the RSA
Conference last week at San Francisco, I am pleased to inform you
about the release of JBossXACML v2.0.2.GA... the authorization space
is pretty complex unlike the authentication landscape. Access Control
requirements can become extremely complex and unmanageable. Enterprises
typically employ proprietary mechanisms such as ACLs to handle access
control use cases. OASIS XACML is the only standard that is making an
attempt at addressing the complex access control landscape... Expected
in 2.0.2.GA libraries: (1) OASIS XACML v2.0 core; (2) SOAP v1.1/SAML2.0
payload carrying XACML requests/response capabilities -- using OpenSAML
v2.0, as we will have packaged servlets for usage; (3) JAXB v2.0 Object
Model to deal with policies, requests etc -- if not interested in dealing
with XML. Additionally, as part of the Open Console or Embedded Console
of JBoss AS5, we should have a decent free XACML editor to create policy
sets... The OASIS XACML Interop simulated health care application with
real medical records' data that was driven by XACML based use cases.
There are HL7 Confidentiality Codes that can be associated with Patient
medical records. The VA developed an excellent application that had a
decent GUI and in the background, it interacted with its own PIP (Policy
Information Point) to derive the attributes needed to create the XACML
requests. Once the XACML requests were generated (based on the application
interaction), then they were passed to the PDP (Policy Decision Point)
of the vendors. Examples: [A] Your neighbor is a doctor and is snoopy
in nature. You certainly do not want him to have access to your medical
records. Would you? As a patient, you can associate the UBA
confidentiality code with a list of doctors that you do not want to
have access to your records (dissent list). [B] A patient arrives at
a facility in an emergency. The providers do not have access to the
patient records that are housed at another facility. They can trigger
an "emergency override" to get access to the records. Shouldn't they
in an emergency? [C] A patient can decide to mask a portion of his
medical records (e.g., radiology tests' results) from a list of
providers..."

http://www.jboss.org/feeds/post/jbossxacml_v2_0_2_ga_released0
See also the RSA Conference 2008 OASIS XACML Interoperability Event:
http://anil-identity.blogspot.com/2008/04/summary-review-oasis-xacml.html

----------------------------------------------------------------------



