Does OpenSAML support profile of XACML 2.0?


Yang, Gang CTR (US)

Mar 5, 2012, 10:40:52 AM3/5/12
to Shib Dev
Hi,

This is an OpenSAML question. Does OpenSAML support the profile of XACML 2.0 with the assertion extension? A side question: does anyone have any recommendation for an XACML 2.0 implementation?

Thanks,
Gang
--
To unsubscribe from this list send an email to dev-uns...@shibboleth.net

Chad La Joie

Mar 5, 2012, 12:18:57 PM3/5/12
to Shib Dev
It has binding support for it, yes.

On Mon, Mar 5, 2012 at 10:40, Yang, Gang CTR (US)
<gang.y...@mail.mil> wrote:
> Does OpenSAML support the profile of XACML 2.0 with the assertion extension?


--
Chad La Joie
www.itumi.biz
trusted identities, delivered

Yang, Gang CTR (US)

Mar 5, 2012, 1:22:53 PM3/5/12
to Shib Dev
Thanks for the reply, Chad. But I'm not sure I understand what you mean by "binding support". Did you mean the SAML binding, as SOAP or HTTP POST binding? Doesn't supporting the profile of XACML 2.0 involve extending the assertion to include the extra statements and extending the protocol to support the extra queries?

Gang
________________________________________
From: dev-b...@shibboleth.net [dev-b...@shibboleth.net] on behalf of Chad La Joie [laj...@itumi.biz]
Sent: Monday, March 05, 2012 11:18 AM
To: Shib Dev
Subject: Re: Does OpenSAML support profile of XACML 2.0?

Chad La Joie

Mar 5, 2012, 1:31:34 PM3/5/12
to Shib Dev
Sorry, binding as in XML binding. You can use OpenSAML to generate,
or read, XACML messages. It does not, however, have any support for
evaluating policies.

On Mon, Mar 5, 2012 at 13:22, Yang, Gang CTR (US)
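Chad's answer above draws the line OpenSAML sits on: it marshals and unmarshals the profile's messages, and policy evaluation lives elsewhere. The following is an added example, not from the thread and not OpenSAML code, showing both halves of the SAML 2.0 profile of XACML v2.0 in stdlib Python: a PEP building an XACMLAuthzDecisionQuery around an xacml-context Request, and reading the Decision from the XACMLAuthzDecisionStatement in a returned assertion. The IDs, timestamps, issuer, resource and the sample assertion are constructed values; the namespace URIs and attribute identifiers are the standard ones from the OASIS specifications.

```python
import xml.etree.ElementTree as ET
# Namespaces from the OASIS SAML 2.0 profile of XACML v2.0 and the XACML 2.0 context schema.
NS = {"xacml-samlp": "urn:oasis:xacml:2.0:saml:protocol:schema:os",
      "xacml-saml": "urn:oasis:xacml:2.0:saml:assertion:schema:os",
      "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
CTX = "{%s}" % NS["xacml-context"]
STRING = "http://www.w3.org/2001/XMLSchema#string"
ATTR_IDS = {"Subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",   # standard XACML ids
            "Resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
            "Action": "urn:oasis:names:tc:xacml:1.0:action:action-id"}
VALID = {"Permit", "Deny", "Indeterminate", "NotApplicable"}

def build_authz_query(subject, resource, action, query_id="_q1"):
    """Serialise a PEP-side XACMLAuthzDecisionQuery (a samlp request extension)
    wrapping an xacml-context:Request; ID and IssueInstant are constructed values."""
    q = ET.Element("{%s}XACMLAuthzDecisionQuery" % NS["xacml-samlp"],
                   {"ID": query_id, "Version": "2.0", "IssueInstant": "2012-03-05T18:40:00Z",
                    "InputContextOnly": "true", "ReturnContext": "true"})
    req = ET.SubElement(q, CTX + "Request")
    for tag, value in (("Subject", subject), ("Resource", resource), ("Action", action)):
        attr = ET.SubElement(ET.SubElement(req, CTX + tag), CTX + "Attribute",
                             {"AttributeId": ATTR_IDS[tag], "DataType": STRING})
        ET.SubElement(attr, CTX + "AttributeValue").text = value
    ET.SubElement(req, CTX + "Environment")  # mandatory in the schema, may be empty
    return ET.tostring(q, encoding="unicode")

def read_decision(assertion_xml):
    """Return the Decision from an assertion's XACMLAuthzDecisionStatement.
    A missing statement or an unknown value is reported as Indeterminate (fail closed)."""
    stmt = ET.fromstring(assertion_xml).find("xacml-saml:XACMLAuthzDecisionStatement", NS)
    if stmt is None:
        return "Indeterminate"
    dec = stmt.find("xacml-context:Response/xacml-context:Result/xacml-context:Decision", NS)
    text = (dec.text or "").strip() if dec is not None else ""
    return text if text in VALID else "Indeterminate"

# Constructed sample of what a PDP returns inside a saml:Assertion (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:xacml-saml="urn:oasis:xacml:2.0:saml:assertion:schema:os"
 xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 ID="_a1" Version="2.0" IssueInstant="2012-03-05T18:40:01Z">
 <saml:Issuer>https://pdp.example.org</saml:Issuer>
 <xacml-saml:XACMLAuthzDecisionStatement><xacml-context:Response>
  <xacml-context:Result ResourceId="https://sp.example.org/doc/42">
   <xacml-context:Decision>Permit</xacml-context:Decision></xacml-context:Result>
 </xacml-context:Response></xacml-saml:XACMLAuthzDecisionStatement></saml:Assertion>"""
```

A PEP would only call read_decision after verifying the assertion's signature and issuer; the parsing here deliberately treats anything other than the four XACML decisions as Indeterminate.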

Yang, Gang CTR (US)

Mar 5, 2012, 1:40:47 PM3/5/12
to Shib Dev
Got it. Thanks! I wasn't expecting any PDP functions, but that is what I'm looking to do though, hopefully with the help of OpenSAML lib. Would appreciate if anyone knows and can recommend an existing open source implementation of XACML.

Gang
________________________________________
From: dev-b...@shibboleth.net [dev-b...@shibboleth.net] on behalf of Chad La Joie [laj...@itumi.biz]

Sent: Monday, March 05, 2012 12:31 PM

Chad La Joie

Mar 5, 2012, 1:49:43 PM3/5/12
to Shib Dev
The only implementation that I'm aware of is HERAS[1]. I used it in an
XACML project a few years back. I have no idea what state it's
currently in.

[1] http://www.herasaf.org/

On Mon, Mar 5, 2012 at 13:40, Yang, Gang CTR (US)

Peter Schober

Mar 5, 2012, 1:51:56 PM3/5/12
to d...@shibboleth.net
* Yang, Gang CTR (US) <gang.y...@mail.mil> [2012-03-05 19:41]:

> Got it. Thanks! I wasn't expecting any PDP functions, but that is
> what I'm looking to do though, hopefully with the help of OpenSAML
> lib. Would appreciate if anyone knows and can recommend an existing
> open source implementation of XACML.

Can't recommend it since I know nothing about it, but one such
implementation is http://www.herasaf.org/
-peter

Nick Duan

Mar 5, 2012, 2:08:51 PM3/5/12
to Shib Dev
Sun's XACML is the most popular one. It should be easy to google it out. It
is not based on OpenSAML APIs, though.

Nick

Chad La Joie

Mar 5, 2012, 3:56:11 PM3/5/12
to Shib Dev
It's also broken, not XACML compliant, and hasn't been maintained in many years.

Yang, Gang CTR (US)

Mar 5, 2012, 4:18:24 PM3/5/12
to Shib Dev
That's how I felt, too, when I went to Sun's website. Couple of others just in case someone else is also looking for this info:

JBossXACML (PicketBox XACML): https://community.jboss.org/wiki/PicketBoxXACMLJBossXACML
Enterprise Java XACML: http://code.google.com/p/enterprise-java-xacml/ - from Google?

Gang
________________________________________
From: dev-b...@shibboleth.net [dev-b...@shibboleth.net] on behalf of Chad La Joie [laj...@itumi.biz]

Sent: Monday, March 05, 2012 2:56 PM

David Chadwick

Mar 5, 2012, 6:42:34 PM3/5/12
to Shib Dev, sa...@synergetics.be
Gang,

In the EC TAS3 project (http://www.tas3.eu/) we used the SAML profile of
XACMLv2 to talk between our SP PEPs and PDPs. Open source code is
available for both the PEP (based on ZXID) and the PDP (based on
PERMIS). The latter supports plugging in Sun's XACML PDP to the PERMIS
authz server, which handles the SAML protocol and can then call multiple
subordinate PDPs via the XACML request/response context. You can
download the latter from here:

http://sec.cs.kent.ac.uk/permis/downloads/download.shtml

You will want package 18, the standalone PERMIS authz server.

To get the latest version of ZXID, talk to Sampo, the author.

regards

David

--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Ch...@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************

Brad Cox

Mar 6, 2012, 10:43:44 AM3/6/12
to Shib Dev
Sun wrote the XACML interpreter that everyone uses. It interprets a core tree that JAXB builds from the XACML2 schema.

I have an alternative approach based on compilation, not interpretation. The XACML 2.0 version started from JAXB but I eventually converted it to OpenSAML. The XACML 3.0 version is still based on JAXB since OpenSAML doesn't support XACML 3.0.

PDPs based on compiled XACML are available on forge.mil under the name GOSAC-N along with working compilers (not sure about XACML 3.0; possibly removed at the last minute). The compiler sources are NOT included; proprietary for now. Some early details are at http://bradjcox.blogspot.com.