
Tuesday, November 20, 2007

I was giving a presentation and demo today about Policy Based Management in a Web Services environment. The particular use case I was demonstrating was the ability to change, by policy, the type of authentication tokens accepted by a web service (from none, to hard-coded, to leveraging an existing identity store, to X.509 certificates, etc.) depending on the level of assurance needed, without modifying the web service code.

The mechanism I was using as the Policy Enforcement Point (PEP) in my demonstration was an XML Security Gateway. XML Security Gateways are useful devices for a variety of reasons, but they typically also have drawbacks. The major one is that if you have XML Security Gateways from multiple vendors, you typically cannot define policies in the Policy Administration Point (PAP) of one vendor and push them out to the Gateways (PEPs) of another vendor. This issue becomes even broader when you consider that other pieces of web services infrastructure, such as Web Service Management (WSM) products, ESBs, etc., also have their own unique consoles for administration.

When you question the vendors on this, the typical answer you get is that they are waiting for WS-Policy (and the associated domain-specific languages under WS-Policy) to be approved and adopted to alleviate this issue. In the meantime, of course, if you need that central administration, just standardize on our product :-) I'll buy that to a certain extent, but what about support for those standards that have been out there for a while and have traction in the community, for example SAML and XACML?

One of the reasons that the acquisition of Reactivity and Securent by Cisco interested me was that it brought together the possibility of an XML Security Gateway (acting as a PEP) backing onto an XACML-based fine-grained authorization service (the PDP). I was not aware of anyone who supported this use case out of the box, although I am aware of folks who have requested this functionality, and of vendors who have either custom-modified their products to enable it or have put it on their feature roadmap.

But I was recently made aware, by Mark O'Neill, CTO of Vordel, of at least one product that may support this capability out of the box. Mark pointed me to Vordel's XACML PEP support, as well as a case study and information on interoperating with various XACML PDPs. Very interesting!
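As an added illustration of the PEP/PDP split described above (this is not code from the post, from Vordel, or from Cisco), here a toy gateway-side PEP turns what it knows about a SOAP call into an XACML 2.0 Request context, and a minimal PDP evaluates that request against a first-applicable policy. The policy, the "role" subject attribute and the /orders resource are constructed for the example; only the XACML namespaces, function and attribute identifiers are the standard ones.

```python
import xml.etree.ElementTree as ET
NS = {"p": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
      "c": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Constructed policy: subjects with role "auditor" may "read" /orders; everything else is denied.
POLICY = f"""<Policy xmlns="{NS['p']}" PolicyId="orders" RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Rule RuleId="auditor-read" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}"><AttributeValue>auditor</AttributeValue>
      <SubjectAttributeDesignator AttributeId="role"/></SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}"><AttributeValue>/orders</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}"/></ResourceMatch></Resource></Resources>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}"><AttributeValue>read</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}"/></ActionMatch></Action></Actions></Target></Rule>
  <Rule RuleId="default-deny" Effect="Deny"/></Policy>"""

def build_request(subject, resource, action):
    """PEP side: map subject/resource/action {attribute-id: value} dicts onto an XACML 2.0 Request."""
    req = ET.Element(f"{{{NS['c']}}}Request")
    for cat, attrs in (("Subject", subject), ("Resource", resource), ("Action", action)):
        el = ET.SubElement(req, f"{{{NS['c']}}}{cat}")
        for aid, val in attrs.items():
            a = ET.SubElement(el, f"{{{NS['c']}}}Attribute", AttributeId=aid, DataType="http://www.w3.org/2001/XMLSchema#string")
            ET.SubElement(a, f"{{{NS['c']}}}AttributeValue").text = val
    return ET.tostring(req, encoding="unicode")

def _target_matches(target, req):
    if target is None: return True  # a Rule without a Target applies to every request
    for cat in ("Subject", "Resource", "Action"):  # every *Match in the Target must hold
        for m in target.iter(f"{{{NS['p']}}}{cat}Match"):
            if m.get("MatchId") != STRING_EQUAL:
                return False  # unsupported match function: fail closed, never Permit
            want = m.find("p:AttributeValue", NS).text
            aid = m.find(f"p:{cat}AttributeDesignator", NS).get("AttributeId")
            have = [v.text for v in req.findall(f"c:{cat}/c:Attribute[@AttributeId='{aid}']/c:AttributeValue", NS)]
            if want not in have:
                return False
    return True

def evaluate(policy_xml, request_xml):
    """PDP side: first-applicable rule combining; an unknown algorithm yields Indeterminate."""
    policy, req = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        return "Indeterminate"
    for rule in policy.findall("p:Rule", NS):
        if _target_matches(rule.find("p:Target", NS), req):
            return rule.get("Effect")
    return "NotApplicable"
```

A production PDP supports the other combining algorithms and match functions that this toy refuses; the point is that whatever it does not understand must resolve to Deny or Indeterminate at the gateway, never to Permit.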

11/20/2007 9:27 PM Eastern Standard Time