Of course Jackson’s post on SAML vs. XACML for authorization caught my eye and I wanted to add some thoughts…
First, I don’t think it’s a Betamax vs. VHS zero sum game. Exchanging attributes (claims) via SAML tokens is a reasonable place to start for relatively simple application authorization. I will resist the urge to respond as a purist and won’t point out all the extra benefits you get from going to the XACML model. What’s important is finding a practical approach that is suitable for the requirements at hand and complementary to existing IdM infrastructure.
At Axiomatics, we do talk to organizations that want to get deep into sophisticated authorization services – and we think XACML is the right model for such scenarios. However, we acknowledge it is not a one-size-fits-all solution.
Where Microsoft goes with authorization will be interesting to watch. They have already sent a very positive signal to the industry with their claims-based approach to building identity-aware applications. In the meantime, XACML-based authorization services are very compatible with claims applications.
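To make the compatibility point concrete, here is an added example (not Axiomatics code, and not from the post being replied to) showing the two approaches side by side over the same SAML attributes. A constructed, unsigned SAML 2.0 assertion carries `role` and `department` claims; the first function is the "claims in a token" style, with the rule hardcoded in the application, and the second is a small XACML-style policy decision point that evaluates the same claims as subject attributes against externalized rules with a deny-overrides combining algorithm. The policy, the resource and action attributes, and the 100000 amount threshold are all made up for illustration; a real relying party would validate the assertion's signature and issuer before trusting any attribute in it.

```python
"""Claims-based authorization vs. an XACML-style PDP over the same SAML claims.
Constructed example: the assertion, policy and thresholds are synthetic."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion fragment (unsigned; attributes only).
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>manager</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement.
    In production this runs only after signature and issuer validation."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values
    return claims


def claims_authorize_approve_invoice(claims):
    """Simple claims-based approach: the authorization rule lives in the app."""
    return ("manager" in claims.get("role", [])
            and "finance" in claims.get("department", []))


# XACML-style approach: rules are data, evaluated by a separate PDP function.
# Each rule has a target (which requests it applies to), a condition over
# subject and resource attributes, and an effect. Hypothetical policy.
POLICY = {
    "combining": "deny-overrides",
    "rules": [
        {"effect": "Permit",
         "target": {"action": "approve", "resource_type": "invoice"},
         # Managers may approve invoices belonging to their own department.
         "condition": lambda s, r: ("manager" in s.get("role", [])
                                    and r.get("department") in s.get("department", []))},
        {"effect": "Deny",
         "target": {"action": "approve", "resource_type": "invoice"},
         # Constructed threshold: large invoices are never approved this way.
         "condition": lambda s, r: r.get("amount", 0) > 100000},
    ],
}


def pdp_evaluate(policy, subject, resource, action):
    """Evaluate one request; return 'Permit', 'Deny' or 'NotApplicable'.
    Only deny-overrides is implemented: any matching Deny wins."""
    decisions = []
    for rule in policy["rules"]:
        tgt = rule["target"]
        if tgt["action"] != action["id"] or tgt["resource_type"] != resource["type"]:
            continue  # target does not match this request
        if rule["condition"](subject, resource):
            decisions.append(rule["effect"])
    if not decisions:
        return "NotApplicable"
    if "Deny" in decisions:
        return "Deny"
    return "Permit"


def authorize_with_pdp(assertion_xml, resource, action):
    """Feed the SAML claims into the PDP as subject attributes, unchanged."""
    return pdp_evaluate(POLICY, extract_claims(assertion_xml), resource, action)


if __name__ == "__main__":
    claims = extract_claims(SAML_ASSERTION)
    print("claims-based:", claims_authorize_approve_invoice(claims))
    for amount in (5000, 250000):
        res = {"type": "invoice", "department": "finance", "amount": amount}
        print("PDP, amount", amount, "->", authorize_with_pdp(SAML_ASSERTION, res, {"id": "approve"}))
```

The same `extract_claims` output drives both paths, which is the practical point: starting with claims in SAML tokens does not lock an application out of moving the decision logic into a policy service later. The difference is where the rule lives and how changes such as the amount limit are made without touching application code.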