There has been a lot of talk over the past week on the topic of “Federated Authorisation”. This was instigated by James McGovern but then received responses from a number of people including Pat, Conor, Paul and Paul.
I have been reading the comments with interest and think the idea of integrating SAML with XACML is a very interesting one. As Pat said, this hasn’t been built into any commercial products yet, but it could be something for the open-source community (with the likes of OpenSSO) to take on.
I must admit that I haven’t had a chance to read the entire thread of discussion, but I wanted to get my thoughts down before the topic moved on.
In particular I wanted to pick up on a comment that I first saw from Paul Squires (I think Conor made a similar comment as well). A number of issues have already been flagged up with getting an IdP to act, in effect, as an authorisation point (latency and response time being just some of them). Personally, I don’t see this approach working, or wanting to work. Would you really trust someone else to make authorisation decisions for resources that are under your control? The SAML model already gives you the facility (in my eyes) to cope with this anyway. As Paul quite rightly points out, Roles provide a good mechanism: the IdP assigns “permissions” to users by asserting a Role, while the SP retains actual control over its resources by stipulating what a particular Role is capable of doing. This is completely different from getting the IdP to say exactly which resources on an SP a user should get.
I can see more of an argument where the IdP is not the Policy Decision Point (PDP) and the decision is delegated to some third party that may specialise in holding extra information about a user. However, we have to be careful that we aren’t just talking about attribute querying rather than federated authorisation. If, for example, I wanted to ask the DVLA IdP (the DVLA issues driving licences in the UK) whether UserA holds a driving licence, I am more likely to ask that question directly using the existing attribute query mechanism that SAML already supports (the AttributeQuery) than to ask “UserA is trying to get to the car hire section of my website, should they be allowed?”.
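To make the distinction in the two paragraphs above concrete, here is an added example (my own illustration, not code from the original post or from any product mentioned in it) of an SP that keeps the authorisation decision local. The IdP only asserts attributes about the subject (a Role and a driving-licence flag); the SP maps those onto its own resources with a policy it owns. The assertion, the entity IDs, the attribute names and the policy tables are all constructed for the example. The SP checks the audience and validity window before trusting the attributes; a real SP would also verify the XML signature first, which is left out here.

```python
"""Added example (not from the original post): SP-side authorisation driven by
SAML attributes. The IdP asserts a Role and a licence flag; the SP decides what
those mean for its resources. All names, URLs and the policy are constructed."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, as an IdP might issue it. It names a Role and
# a licence attribute; it never names a resource on the SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2008-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>userA</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-01-01T00:00:00Z" NotOnOrAfter="2008-01-01T01:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>customer</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:hasDrivingLicence">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Fixed clock values for the example (inside and after the validity window).
SAMPLE_NOW = dt.datetime(2008, 1, 1, 0, 30, tzinfo=dt.timezone.utc)
SAMPLE_LATER = dt.datetime(2008, 1, 1, 2, 0, tzinfo=dt.timezone.utc)

# SP-side policy (hypothetical): what each Role may reach on this SP, and any
# extra attribute a resource demands. Owned by the SP, never sent by the IdP.
SP_ENTITY_ID = "https://sp.example.com"
ROLE_PERMISSIONS = {
    "customer": {"/catalogue", "/car-hire"},
    "guest": {"/catalogue"},
}
RESOURCE_REQUIREMENTS = {
    "/car-hire": {"urn:example:hasDrivingLicence": "true"},
}


def _parse_instant(value):
    # SAML timestamps are UTC with a trailing Z; make them timezone-aware.
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_attributes(assertion_xml, audience, now):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.
    Raises ValueError if the Conditions do not fit this SP at time `now`."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = _parse_instant(cond.get("NotBefore"))
    not_on_or_after = _parse_instant(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def authorise(assertion_xml, resource, now=None, audience=SP_ENTITY_ID):
    """Local PDP: may the subject of this assertion reach `resource` on this SP?
    The IdP supplied attributes; the decision is made entirely from SP policy."""
    now = now or dt.datetime.now(dt.timezone.utc)
    try:
        attrs = extract_attributes(assertion_xml, audience, now)
    except ValueError:
        return False  # fail closed on any condition we cannot accept
    allowed = set()
    for role in attrs.get("Role", []):
        allowed |= ROLE_PERMISSIONS.get(role, set())
    if resource not in allowed:
        return False
    # Resource-specific attribute requirement, e.g. the licence check the
    # DVLA example answers with an attribute rather than a decision.
    for name, required in RESOURCE_REQUIREMENTS.get(resource, {}).items():
        if required not in attrs.get(name, []):
            return False
    return True


if __name__ == "__main__":
    for res in ("/catalogue", "/car-hire", "/admin"):
        print(res, authorise(SAMPLE_ASSERTION, res, now=SAMPLE_NOW))
```

Note that the only thing the IdP contributes is the attribute values; swapping the Role to `guest`, dropping the licence flag, presenting the assertion after its window or to the wrong audience all change the outcome without the IdP ever having expressed an opinion about `/car-hire`.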
I will try to finish reading the entire thread, and then I’m sure I will have more thoughts.