Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME 2013 Tuesday Session 4: Authorization in SAML federations

We talked about how to handle authorization across services in a SAML federation.
Attribute based access control (ABAC) is a sensible first step. Send user rights for an application using an entitlement. Use of XACML is seen as too complicated for IdPs and SPs for now.
Administering entitlements on the IdP side can be a problem for the IdP operator when the operator is not the person in charge of managing the rights for the application.
An SP can get additional attributes (e.g. provided by a virtual organization (VO)) by sending a SAML attribute query to an attribute authority (AA).

Entitlements can contain encoded data. Use URNs because there is already a mechanism in place for resolving them. They can (even) be used to express e.g. maximum amounts in an entitlement:

urn:<registered namespace>:<application>:<role>(:attr=value)
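
To make that shape concrete, here is an added example (not from the session or from any project named on this page) of how an SP could parse such entitlement URNs and make an ABAC decision that honours a maximum amount carried in an attribute; the namespace, application and role names are constructed.

```python
import re
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional
# Entitlement shape from the session notes:
#   urn:<registered namespace>:<application>:<role>(:attr=value)*
_ENTITLEMENT_RE = re.compile(
    r"^urn:(?P<ns>[^:]+):(?P<app>[^:]+):(?P<role>[^:=]+)(?P<attrs>(?::[^:=]+=[^:]*)*)$")

@dataclass(frozen=True)
class Entitlement:
    namespace: str
    application: str
    role: str
    attrs: Dict[str, str]

def parse_entitlement(value: str) -> Optional[Entitlement]:
    """Parse one entitlement URN; return None for anything malformed."""
    m = _ENTITLEMENT_RE.match(value.strip())
    if not m:
        return None
    attrs = dict(pair.split("=", 1) for pair in m.group("attrs").split(":")[1:])
    return Entitlement(m.group("ns"), m.group("app"), m.group("role"), attrs)

def authorize(values: List[str], namespace: str, application: str, role: str,
              amount=None) -> bool:
    """SP-side ABAC decision: grant if an entitlement in our registered namespace
    names this application and role; a 'max' attribute caps the amount, and a
    capped role with no amount supplied (or an unparsable cap) is denied."""
    for raw in values:
        ent = parse_entitlement(raw)
        if ent is None or (ent.namespace, ent.application, ent.role) != (namespace, application, role):
            continue  # malformed, foreign namespace, or a different app/role
        cap = ent.attrs.get("max")
        if cap is None:
            return True  # role granted without a limit
        try:
            if amount is not None and Decimal(str(amount)) <= Decimal(cap):
                return True
        except InvalidOperation:
            continue  # unparsable cap: never widen access by guessing
    return False

# Constructed sample: a multi-valued entitlement attribute as received in a SAML assertion (names made up).
SAMPLE_ENTITLEMENTS = [
    "urn:example-federation:expenses:approver:max=5000:currency=EUR",
    "urn:example-federation:expenses:viewer",
    "urn:other-federation:expenses:approver",  # foreign namespace, ignored
    "not-an-entitlement",                       # malformed, ignored
]
```

Only values in the SP's own registered namespace count, so an entitlement minted under another namespace cannot grant a role here even if the rest of the URN looks right.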

It makes sense to work on a standard for expressing entitlements. Proposal to work on a standard for expressing entitlements and passing them to services (TM-EMC2) (Pieter, Roland).