In the field of access control policy, can anyone provide an explanation of the difference between SAML and XACML? In Attribute Based Access Control models, can both be applied simultaneously?
SAML is about identity - an XML format for exchanging authentication and authorization data. It is used most often for implementing single sign-on in web browsers.
XACML is also XML based but oriented toward access policy.
They can be used together because they are orthogonal in purpose. Both have their own provider and client architectures that are associated with each. I have seen SAML used but never did anything with it myself. There seems to be a fair number of production implementations of it. I have played with XACML and Attribute based Access Control for some internal Proof of Concept work and experimentation, but have rarely seen XACML in production (just once).
SAML is mainly for authenticating services - providing security assertions proving that an entity is authenticated. XACML is an authorisation language. It is designed to be able to play well with SAML to implement access control solutions (both are OASIS standards).
The main advantage of XACML is its extensibility. The best example of that is, in my opinion, the GeoXACML extension standardised by OGC, which allows for location-based authorisation where the access control policy can contain geographic primitives (points, lines, polygons, etc.) as well as operations on these (contains, within, distance, etc.) within the authorisation policy. This is quite a unique feature of XACML that I am not aware of any other authorisation policy language supporting.
Despite what some players want to indicate, XACML is not dead. It is being used by several big corporations, amongst them Boeing, insurance companies, banks, etc. Axiomatics and WSO2 are successful players in this marketplace.
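As an added example (not code from either answer), this shows the combination both answers describe: a relying party reads the attributes out of a SAML assertion received at single sign-on and packs them into a XACML 3.0 request that a policy decision point would evaluate. The assertion is a constructed sample with signature and conditions omitted, and reusing the SAML attribute Name directly as the XACML AttributeId is an assumed mapping (real deployments usually map names onto a URN scheme).

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample: the part of a SAML 2.0 assertion an IdP issues after
# single sign-on that carries user attributes (signature/conditions omitted).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_constructed">
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>claims-adjuster</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>claims</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect Name -> values for every <Attribute> in the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def build_xacml_request(subject_attrs: dict[str, list[str]],
                        resource_id: str, action_id: str) -> str:
    """Assemble a XACML 3.0 <Request> carrying the SAML attributes as access-subject attributes."""
    ET.register_namespace("xacml", XACML_NS)
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    sections: dict[str, ET.Element] = {}  # one <Attributes> element per category

    def add(category: str, attribute_id: str, value: str) -> None:
        if category not in sections:
            sections[category] = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", {"Category": category})
        attr = ET.SubElement(sections[category], f"{{{XACML_NS}}}Attribute",
                             {"AttributeId": attribute_id, "IncludeInResult": "false"})
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", {"DataType": XS_STRING}).text = value

    for name, values in subject_attrs.items():
        for value in values:
            add(SUBJECT_CAT, name, value)  # assumed mapping: SAML Name reused as XACML AttributeId
    add(RESOURCE_CAT, "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource_id)
    add(ACTION_CAT, "urn:oasis:names:tc:xacml:1.0:action:action-id", action_id)
    return ET.tostring(req, encoding="unicode")
```

The assertion should only be trusted after its signature, audience and validity window have been checked; the attribute extraction here assumes that verification already happened.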