OASIS are XACML and SAML. XACML (eXtensible Access Control Markup Language) provides fine-grained control of authorized activities. SAML (Security Assertions Markup Language) is an XML framework for exchanging authentication and authorization information. The next section gives details of both XACML and SAML.
2.4 XACML and SAML
SAML provides a single point of authorization. It aims to solve the 'web single sign-on' problem: one identity provider in the group grants access on behalf of the others. It has public/private key foundations. Among those providing SAML in their products are Microsoft Passport, OpenID (VeriSign) and Global Login System (open source). As stated in the SAML specifications, its three main components are the following:
Assertions: SAML has three kinds of assertions. Authentication assertions state that the user has proven his identity. Attribute assertions contain specific information about the user, such as his spending limits. Authorization decision assertions identify what the user can do, for example, whether he can buy an item.
Protocol: This defines the way that SAML asks for and receives assertions, for example using SOAP over HTTP for now, although other methods may be used in the future.
Binding: This details exactly how SAML message exchanges are mapped into SOAP exchanges.
Outstanding issues for SAML include performance, federations and handling legacy applications. With respect to performance, there is no support for caching, and it has to be implemented over HTTP using SOAP. Furthermore, it does not specify encryption, and as a result the policies may be compromised. With respect to federations, SAML does not specify authentication protocols. Furthermore, multiple domains cannot be handled. Therefore, OASIS is examining federated identity management. SAML does not work with legacy applications, as it is expensive to retrofit.
XACML combines multiple rules into a single policy. It permits multiple users to have different roles. It provides separation between policy writing and the application environment. The goal is to standardize access control languages. Some elements of XACML are the following. Users interact with resources. Every resource is protected by an entity known as a Policy Enforcement Point (PEP). This is where the language is actually used, but the PEP does not itself determine access. The PEP sends its request to a Policy Decision Point (PDP). Policies may or may not be stored there, but the PDP has the final say on access. The decision is relayed to the PEP, which then grants or denies access.
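The PEP/PDP flow just described, as an added Python example that is not from the book and is not an XACML implementation: a PEP in front of a resource forms a subject/resource/action request and enforces whatever the PDP answers, while the PDP evaluates one policy that combines several role-based rules under a combining algorithm. The policy, rules, roles, resources and users are invented; the combining-algorithm names mirror the XACML ones (deny-overrides, permit-overrides) but the matching logic is simplified.

```python
"""A minimal XACML-style PEP/PDP flow (added example, not from the book).

The rule and policy structures are simplified stand-ins; real XACML policies
are XML and use combining-algorithm identifiers such as
urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides.
"""
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    """The subject/resource/action triple a PEP sends to the PDP."""
    subject: str
    roles: frozenset
    resource: str
    action: str


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                      # PERMIT or DENY
    resource_prefix: str             # target: resources under this path
    actions: frozenset               # target: actions the rule covers
    roles: frozenset = frozenset()   # target: any of these roles; empty = any role

    def evaluate(self, req):
        """Return the rule's effect if its target matches, else NotApplicable."""
        if not req.resource.startswith(self.resource_prefix):
            return NOT_APPLICABLE
        if req.action not in self.actions:
            return NOT_APPLICABLE
        if self.roles and not (self.roles & req.roles):
            return NOT_APPLICABLE
        return self.effect


@dataclass(frozen=True)
class Policy:
    """Several rules combined into one decision by a combining algorithm."""
    policy_id: str
    rules: tuple
    combining: str = "deny-overrides"

    def evaluate(self, req):
        if self.combining == "deny-overrides":
            order = (DENY, PERMIT)
        elif self.combining == "permit-overrides":
            order = (PERMIT, DENY)
        else:
            raise ValueError(f"unknown combining algorithm {self.combining}")
        results = {rule.evaluate(req) for rule in self.rules}
        for outcome in order:
            if outcome in results:
                return outcome
        return NOT_APPLICABLE


class PolicyDecisionPoint:
    """Holds the policy and has the final say; knows nothing about the app."""
    def __init__(self, policy):
        self.policy = policy

    def decide(self, req):
        return self.policy.evaluate(req)


class PolicyEnforcementPoint:
    """Sits in front of the resource, forms the request, enforces the answer.

    Deny-biased: anything other than an explicit Permit (NotApplicable
    included) is enforced as a denial, so gaps in the policy fail closed.
    """
    def __init__(self, pdp, directory):
        self.pdp = pdp
        self.directory = directory   # user -> roles, resolved by the PEP

    def allowed(self, user, resource, action):
        req = Request(user, frozenset(self.directory.get(user, ())), resource, action)
        return self.pdp.decide(req) == PERMIT


# Constructed policy: four rules combined with deny-overrides.
SHOP_POLICY = Policy("shop", (
    Rule("browse", PERMIT, "/shop/catalog", frozenset({"read"})),
    Rule("purchase", PERMIT, "/shop/orders", frozenset({"create"}), frozenset({"customer"})),
    Rule("refund", PERMIT, "/shop/orders", frozenset({"refund"}), frozenset({"manager"})),
    Rule("no-guest-write", DENY, "/shop/", frozenset({"create", "refund"}), frozenset({"guest"})),
))

# Constructed user directory (hypothetical users and roles).
DIRECTORY = {"alice": {"customer"}, "bob": {"guest"},
             "carol": {"customer", "guest"}, "dave": {"manager"}}

SHOP_PEP = PolicyEnforcementPoint(PolicyDecisionPoint(SHOP_POLICY), DIRECTORY)

if __name__ == "__main__":
    for user, resource, action in [("alice", "/shop/orders", "create"),
                                   ("carol", "/shop/orders", "create"),
                                   ("bob", "/shop/catalog/1", "read"),
                                   ("alice", "/admin", "read")]:
        print(user, action, resource, "->", SHOP_PEP.allowed(user, resource, action))
```

Two points the flow makes concrete: carol, who holds both the customer and guest roles, is denied under deny-overrides although the purchase rule would permit her, because the guest rule's Deny wins; and a request for a resource no rule targets yields NotApplicable, which the deny-biased PEP enforces as a denial rather than letting the request through.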
Outstanding issues of XACML include distributed responsibility and policy cross-referencing. With respect to distributed responsibility, what happens when the PEP is responsible for multiple objects? What happens when we