XACML

  • Question

  • It looks like Microsoft has decided to forgo the XACML standard. I have read about products that can take a SAML token and translate parts of it into a XACML request, but it seems like there would still be some limitations compared to the flexibility that XACML has. Thoughts on this topic, anyone?
    Wednesday, July 8, 2009 7:35 PM

Answers

  • It looks like Microsoft has decided to forgo the XACML standard.

    What makes you think that?

    Thoughts on this topic anyone?

    ATM, Geneva Server does nothing in the way of authz (e.g., central storage of authz-related rules, enforcement or hooks for it, etc.). The framework barely provides anything in this regard either; as of beta 2, it does include a few classes that allow you to create an interceptor layer that can hook into your RP to do access control (like a PDP would, correct?). For more about this, check out Chuck Reeves' Web cast on Channel 9, this forum thread, and this blog post.

    In the future, I think that Geneva Framework will provide building blocks for helping RP developers externalize authz from their apps like the current incantation does w/ authn.  These building blocks, I predict, will allow app developers to hook into Geneva Server which will run the security rules for that RP and tell it whether or not the request should be allowed.  I'm not the only one predicting this either; Matias Wolsoki said something along these lines last month.  Whether we're right that Geneva will eventually provide a way to externalize authz from our apps is probably a safe bet.  Betting on whether or not this will involve XACML though is a bit riskier.  I've heard negative things about the standard when talking to some of Microsoft's higher-ups and some positive views.  Time will certainly tell.

    Regards,

    Travis Spencer
    http://travisspencer.com
    • Marked as answer by mryerse Tuesday, July 14, 2009 8:20 PM
    Friday, July 10, 2009 3:04 PM

All replies

  • Thanks for replying. I think that what I would be more interested in than "XACML support in Geneva" is a set of Microsoft-supported .NET code libraries that enable .NET apps and services to make XACML requests for authz. The reason is that I would like to see a common, externalized authorization service that our organization could use for both .NET/AD-based systems, as well as our Java/WebSphere/etc. systems. We use a variety of systems at the moment and I think best practices could be better facilitated with a good security policy and with a common set of tools for developers to get there.

    Microsoft has committed to some extent to interop with Java with the WS-* stack. Additionally, with Geneva it appears they are now willing to interop with the SAML protocol to communicate authn, essentially enabling a Java app to use an MS authn server.

    For authz, XACML only seems appropriate considering that BEA, Sun (both now Oracle, apparently), and IBM use XACML in their products for authz (see IBM Tivoli Security Policy Manager). Are there other protocols besides XACML on the horizon with such promise? I have seen Microsoft refer customers to Securent for entitlement management for SharePoint and, I believe, SQL, which is based on XACML.

    Thanks for the insight, I'll check out those articles. In the meantime I'll continue to hope for a common, externalized access control infrastructure that a large, heterogeneous organization can use. I have spoken with Axiomatics, who apparently have their own .NET module which can be used either to translate Geneva claims to XACML attributes or to enable .NET apps to make XACML requests. However, it would be much easier to get the majority of our organization on board with a common access control system provided it was supported in the core .NET libraries and not third party.

    In the meantime my only option seems to be to use an intermediary PEP at the network layer which supports XACML or something similar.
    • Edited by mryerse Tuesday, July 14, 2009 8:22 PM
    Tuesday, July 14, 2009 8:07 PM
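The two pieces discussed in the thread above, a PEP that translates token claims into a XACML request and a PDP that evaluates it, as an added example written here (not code from the thread, from Geneva, or from Axiomatics). The claim types mapped, the resource names and the policy are constructed sample values; the XACML namespace and attribute ids are the standard ones.

```python
import xml.etree.ElementTree as ET
# XACML 2.0 context namespace and standard attribute ids (ROLE is from the RBAC profile).
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
# Constructed claim-type -> XACML attribute mapping; claims the policy vocabulary
# does not know are dropped rather than forwarded to the PDP.
CLAIM_TO_XACML = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": SUBJECT_ID,
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": ROLE,
}

def _attr(parent, attr_id, value):
    """Append one string-typed <Attribute> element under parent."""
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=STRING)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value

def build_request(claims, resource, action):
    """PEP side: turn (claim_type, value) pairs plus resource/action into a XACML Request."""
    req = ET.Element(f"{{{CTX}}}Request")
    subj = ET.SubElement(req, f"{{{CTX}}}Subject")
    for ctype, value in claims:
        if ctype in CLAIM_TO_XACML:
            _attr(subj, CLAIM_TO_XACML[ctype], value)
    _attr(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, resource)
    _attr(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, action)
    return ET.tostring(req, encoding="unicode")

# Constructed policy as (effect, attribute values that must all be present);
# the first matching rule wins, like a first-applicable combining algorithm.
POLICY = [
    ("Deny", {ROLE: "reader", ACTION_ID: "delete"}),
    ("Permit", {ROLE: "reader", RESOURCE_ID: "urn:example:reports"}),
]

def evaluate(request_xml):
    """Minimal in-process PDP: parse the Request and return Permit/Deny/NotApplicable."""
    attrs = {}
    for a in ET.fromstring(request_xml).iter(f"{{{CTX}}}Attribute"):
        attrs.setdefault(a.get("AttributeId"), set()).add(a.findtext(f"{{{CTX}}}AttributeValue"))
    for effect, conds in POLICY:
        if all(v in attrs.get(k, ()) for k, v in conds.items()):
            return effect
    return "NotApplicable"

def pep_allows(claims, resource, action):
    """RP-side interceptor: anything other than an explicit Permit is refused."""
    return evaluate(build_request(claims, resource, action)) == "Permit"
```

A real deployment would ship the Request to a network PDP over its own transport and handle Indeterminate responses; the interceptor here keeps the fail-closed behaviour by treating every non-Permit result the same way.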