My blog has moved and can now be found at http://blog.aniljohn.com

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Saturday, March 8, 2008
« Attending IDtrust 2008 | Main | Abstraction, Remote Controls and Service... »

One of the things I have been doing a bit of work on has been Attribute Authorities in the SAML 2.0 sense i.e. a SAML entity that produces assertions in response to identity attribute queries from an entity acting as an attribute requester.  In particular, my interest lies in controlling the release of attributes based on policies that could be externalized.

My interest in finding a hopefully standardized way of doing this was sparked by the article "Using XACML for Privacy Control in SAML-Based Identity Federations" by Wolfgang Hommel, which I found on the XACML section of the OASIS Cover Pages. The article describes the use of XACML to control the release of attributes and an implementation of this using an earlier release of Shibboleth.

At the IDTrust 2008 Symposium, one of the sessions that I enjoyed was the panel session on "Federations Today and Tomorrow" hosted by Ken Klingenstein of Internet2 and Patrick Harding of Ping Identity.  When Ken spoke a bit about the release of Shibboleth 2.0, which supports SAML 2.0, this brought me back full circle.

In an earlier conversation I had had on this topic with some colleagues who are working with release candidate versions of Shibboleth 2.0, I was curious to find out if the "Attribute Filter" capability in Shibboleth had made it into the SAML 2.0 standard given that Shibboleth 2.0 is the convergence of Shibboleth, SAML 1.X and the Liberty IDFF. Unfortunately, I was informed that it had not. The implementation is specific to the Shibboleth functionality and does not seem to exist as part of the SAML 2.0 specification.

So what I asked the panel was that given that both SAML 2.0 and XACML 2.0 are based out of OASIS, is there any work in integrating the two standards to enable this type of functionality, as there is definitely a use case for this in a lot of the communities that I am familiar with. The answer I got back was that, while this is not outside the realm of possibility, it is not something that someone is working on. In a hallway conversation I had with some other folks after the session, someone mentioned that this type of functionality may be built into one of the Oracle products, but again the implementation was proprietary to that vendor.


Tags:: Security
3/8/2008 10:22 PM Eastern Standard Time  |  Comments [2]  |  Disclaimer  |  Permalink   
Thursday, March 13, 2008 10:56:39 PM (Eastern Standard Time, UTC-05:00)
AJ: So what I asked the panel was that given that both SAML 2.0 and XACML 2.0 are based out of OASIS, is there any work in integrating the two standards to enable this type of functionality, as there is definitely a use case for this in a lot of the communities that I am familiar with.

Are you talking about combining SAML 2 and XACML 2. I thought SAML deferred authorization to xacml, given that there is a XACML profile in SAML2.
Sunday, March 16, 2008 7:52:09 PM (Eastern Standard Time, UTC-05:00)
Not speaking of combining per se.. But would like to see something in the SAML 2.0 standard that is talks to attribute release conditions similar to what is in Shibboleth AND would like to see that capability implemented using XACML (Shibboleth has its own custom mechanism for enabling this capability).
Anil John
Comments are closed.