If the shoe fits…

Of course Jackson’s post on SAML vs. XACML for authorization caught my eye and I wanted to add some thoughts…

First, I don’t think it’s a Betamax vs. VHS zero-sum game. Exchanging attributes (claims) via SAML tokens is a reasonable place to start for relatively simple application authorization. I will resist the urge to respond as a purist and won’t point out all the extra benefits you get from going to the XACML model :-). What’s important is finding a practical approach that is suitable for the requirements at hand and complementary to existing IdM infrastructure.

At Axiomatics, we do talk to organizations that want to get deep into sophisticated authorization services – and we think XACML is the right model for such scenarios. However, we acknowledge it is not a one-size-fits-all solution.

Where Microsoft goes with authorization will be interesting to watch. They have already sent a very positive signal to the industry with their claims-based approach to building identity-aware applications. In the meantime, XACML-based authorization services are very compatible with claims applications.
