[OGSA-AUTHZ] Draft XACML/SAML Protocol Profile

Chad La Joie chad.lajoie at switch.ch
Mon Dec 3 08:54:40 CST 2007

For part of some EGEE work that I'm involved in I came up with a 
profile, in draft form currently, for the XACML over SAML protocol 
defined within the OASIS XACML working group.  Valerio suggested that I 
make it available to this working group for possible adoption in your 

The draft can be found here:

The basic goal of the document is to restrict possible options into a 
baseline subset such that discrete implementations might inter-operate. 
I think Valerio's summary of the document, as follows, is good:
- requirement for using the SAML SOAP binding as in SAMLBind
- requirement for having mutual authentication between the requester and 
the responder
- some requirements on the elements usage
- requirements on authN, integrity and confidentiality

Note this document is only about interoperability at the protocol level, 
it does not speak to the other necessary item here which is a profile 
for the information (attributes) within the XACML request/response 
context.  I know that individuals here have already been working on such 
a document.

Comments are welcome to the document.  We will be going forward with an 
immediate implementation of this draft for the EGEE work, but that 
should only be taken as a reflection of a constrained timeline for a 
short-term project, not as an indication that the profile is already as 
good as possible.

Serving Swiss Universities
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie at switch.ch, http://www.switch.ch
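As an added illustration of the baseline the message describes (not code from the draft, from EGEE, or from the author), the following Python script builds an XACML authorization decision query carried in a SAML request over the SAML SOAP binding, checks an incoming query against the profile's structural requirements, and extracts the decision from a response. The element and namespace names are those of the OASIS SAML 2.0 profile of XACML 2.0 and of SOAP 1.1 as the author of this example understands them; the entity names, the sample response and the `ProfileError` class are constructed for the example. Mutual authentication is assumed to happen at the transport layer; the only trace of it here is the check that the SAML Issuer matches the peer identity the transport established.

```python
"""XACML-over-SAML messages on the SAML SOAP binding: build, check, decode."""
import uuid
import xml.etree.ElementTree as ET  # fine for constructed input; parse untrusted peers with defusedxml
from datetime import datetime, timezone

# Namespaces of SOAP 1.1, SAML 2.0 and the OASIS SAML 2.0 profile of XACML 2.0 (assumed, see lead-in).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xacml-samlp": "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol",
    "xacml-saml": "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion",
    "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def tag(prefix, local):
    """Clark-notation tag name, e.g. {urn:...:protocol}Response."""
    return "{%s}%s" % (NS[prefix], local)


class ProfileError(Exception):
    """Message does not meet the baseline profile (hypothetical error type)."""


def build_authz_query(issuer, subject_id, resource_id, action_id):
    """SOAP 1.1 envelope whose Body holds exactly one XACMLAuthzDecisionQuery."""
    env = ET.Element(tag("soap", "Envelope"))
    body = ET.SubElement(env, tag("soap", "Body"))
    query = ET.SubElement(body, tag("xacml-samlp", "XACMLAuthzDecisionQuery"), {
        "ID": "_" + uuid.uuid4().hex,       # SAML requires a unique ID per request
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, tag("saml", "Issuer")).text = issuer
    request = ET.SubElement(query, tag("xacml-context", "Request"))
    for section, attr_id, value in (
        ("Subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject_id),
        ("Resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource_id),
        ("Action", "urn:oasis:names:tc:xacml:1.0:action:action-id", action_id),
    ):
        sec = ET.SubElement(request, tag("xacml-context", section))
        attr = ET.SubElement(sec, tag("xacml-context", "Attribute"),
                             {"AttributeId": attr_id, "DataType": XS_STRING})
        ET.SubElement(attr, tag("xacml-context", "AttributeValue")).text = value
    ET.SubElement(request, tag("xacml-context", "Environment"))  # mandatory in XACML 2.0, may be empty
    return ET.tostring(env, encoding="utf-8")


def _single_body_child(xml_bytes):
    """SAML SOAP binding: one Envelope, one Body, one SAML protocol message inside it."""
    root = ET.fromstring(xml_bytes)
    if root.tag != tag("soap", "Envelope"):
        raise ProfileError("not a SOAP 1.1 envelope")
    bodies = root.findall(tag("soap", "Body"))
    if len(bodies) != 1 or len(list(bodies[0])) != 1:
        raise ProfileError("expected exactly one SAML message in exactly one SOAP Body")
    return bodies[0][0]


def check_authz_query(xml_bytes, authenticated_peer):
    """Responder-side check of a received query; returns its ID for use as InResponseTo."""
    query = _single_body_child(xml_bytes)
    if query.tag != tag("xacml-samlp", "XACMLAuthzDecisionQuery"):
        raise ProfileError("Body element is not an XACMLAuthzDecisionQuery")
    for name in ("ID", "Version", "IssueInstant"):
        if not query.get(name):
            raise ProfileError("query lacks required attribute " + name)
    if query.get("Version") != "2.0":
        raise ProfileError("unsupported SAML version " + query.get("Version"))
    # Mutual authentication happened on the transport; bind the SAML Issuer to that identity.
    if query.findtext(tag("saml", "Issuer")) != authenticated_peer:
        raise ProfileError("saml:Issuer does not match the authenticated requester")
    if len(query.findall(tag("xacml-context", "Request"))) != 1:
        raise ProfileError("exactly one xacml-context:Request is required")
    return query.get("ID")


def parse_decision(xml_bytes, in_response_to):
    """Requester-side decode of a response; returns the XACML Decision string."""
    resp = _single_body_child(xml_bytes)
    if resp.tag != tag("samlp", "Response"):
        raise ProfileError("Body element is not a samlp:Response")
    if resp.get("InResponseTo") != in_response_to:
        raise ProfileError("InResponseTo does not match the outstanding query")
    code = resp.find(tag("samlp", "Status") + "/" + tag("samlp", "StatusCode"))
    if code is None or code.get("Value") != SAML_SUCCESS:
        raise ProfileError("SAML status is not Success")
    results = resp.findall("/".join([tag("saml", "Assertion"),
                                     tag("xacml-saml", "XACMLAuthzDecisionStatement"),
                                     tag("xacml-context", "Response"),
                                     tag("xacml-context", "Result")]))
    if len(results) != 1:
        raise ProfileError("expected exactly one xacml-context:Result")
    decision = results[0].findtext(tag("xacml-context", "Decision"))
    if decision not in ("Permit", "Deny", "Indeterminate", "NotApplicable"):
        raise ProfileError("unknown decision %r" % decision)
    return decision


# Constructed sample response, as a PDP would return it for a query with ID "_q1".
SAMPLE_RESPONSE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_r1" Version="2.0" IssueInstant="2007-12-03T14:54:40Z" InResponseTo="_q1">
 <saml:Issuer>https://pdp.example.org</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-12-03T14:54:40Z">
  <saml:Issuer>https://pdp.example.org</saml:Issuer>
  <xacml-saml:XACMLAuthzDecisionStatement xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion">
   <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
    <xacml-context:Result><xacml-context:Decision>Permit</xacml-context:Decision></xacml-context:Result>
   </xacml-context:Response>
  </xacml-saml:XACMLAuthzDecisionStatement>
 </saml:Assertion>
</samlp:Response></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    q = build_authz_query("https://pep.example.org", "CN=alice", "https://se.example.org/data", "read")
    print(check_authz_query(q, "https://pep.example.org"), parse_decision(SAMPLE_RESPONSE, "_q1"))
```

The checks deliberately stop at the protocol level, matching the scope of the draft: nothing here looks at which attributes the XACML request carries, and signature and confidentiality are left to the transport (TLS with client certificates under the mutual-authentication requirement), which is why the Issuer-to-peer comparison is the one place the two layers are tied together.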
