When: July 27, 2010 12:30-2:30pm, Room Aqua 304, Hilton Bayfront Hotel
Where: Burton Catalyst San Diego
Title: Authorization Standards Workshop
Abstract: As authorization generally follows authentication in a given online transaction, standardization of authorization has generally followed that of web authentication standards like SAML, WS-Federation, and OpenID. This workshop will explore developments and trends in authorization standards, including OAuth (a community initiative now being standardized within the IETF), User-Managed Access (evolving within the Kantara Initiative) and XACML (an OASIS standard). We’ll also look at some authorization use cases that may imply new requirements for these protocols. Through a combination of presentations, panels and demonstrations, we’ll explore how these existing and emerging authorization standards fit into the enterprise and social web infrastructure.
Welcome, Intro & Overview, Paul Madsen – 5 mins
Preso 1 – XACML 3.0 Update
It’s been more than 5 years since eXtensible Access Control Markup Language (XACML) version 2 was standardized at OASIS. In the meantime XACML has grown in popularity as a standard and the number of production XACML implementations continues to grow steadily. XACML 3.0, currently in the final stages of ratification, contains significant enhancements that will enable it to keep pace with growing enterprise demands. In this session, Gerry Gebel will describe the enhancements to version 3.0, including the SAML 2.0, Delegation and Multiple Decision Request profiles. Gerry will also provide use case samples of how new features of XACML 3.0 can be implemented.
Gerry Gebel, Axiomatics – 20 mins
Preso 2/use case – OAuth
As today’s businesses increasingly shift their processes into the cloud, a simplified set of design patterns and standards is required to harmonize the speed and compelling economics of the cloud with companies’ existing identity management systems and processes. Topics will include the evolution of OAuth 2.0 and its applicability to enterprise use cases for cloud authorization and API federation.
Chuck Mortimer, Product Management Director, Identity & Security, Salesforce.com – 20 mins
Break 5 mins
Preso 3/use case – IASWG overview and review of authorization use cases
An overview of the IASWG’s purpose and goals, a review of the authorization use cases the IASWG has received so far, and a review of the Concordia AuthZ survey results.
John Tolbert, Boeing & Gavin Illingworth, BMO – 20 mins
Preso 4/use case – OpenAz: Building and Deploying XACML PEPs for Attribute-Based Access Control
There is an increasing consensus that access control decisions should be externalized from applications or services to a policy engine implementing a Policy Decision Point (PDP). To take full advantage of this model, one needs to embed Policy Enforcement Points (PEPs) in applications, middleware and services in a performant and flexible way. OpenAz (http://openliberty.org/wiki/index.php/Main_Page#OpenAz) is an open source project aimed at creating language bindings for the XACML PEP request-response protocol. A sample implementation of the Java AzApi, which implements the XACML PEP protocol, is available from the OpenAz website.
Prateek Mishra, Oracle – 20 mins
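The PEP/PDP split described in this session, and the multiple-decision request mentioned in the XACML 3.0 session above, as an added example. This is not OpenAz, AzApi or any XACML product’s code: it implements a deliberately small subset of the XACML 3.0 model (rules with attribute-match targets, Permit/Deny effects, a simplified deny-overrides combining algorithm, one obligation, and a simplified multiple-decision request that carries several resources and returns one decision each). The category and attribute URIs beginning `urn:oasis` are the standard XACML ones; the `urn:example` attribute ids, the policy, and the sample subjects and records are constructed for this example.

```python
# Added example: a minimal PEP -> PDP exchange for attribute-based access
# control. Not OpenAz/AzApi code; it covers a small subset of the XACML 3.0
# model (attribute-match targets, Permit/Deny rules, simplified deny-overrides,
# one obligation, a simplified multiple-decision request).
from dataclasses import dataclass, field

# Standard XACML category/attribute identifiers.
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Application attribute ids, assumed for this example.
ROLE, RECORD_TYPE, SEALED = "urn:example:role", "urn:example:record-type", "urn:example:sealed"


@dataclass
class Rule:
    rule_id: str
    effect: str      # "Permit" or "Deny"
    target: dict     # {(category, attribute_id): required value}


@dataclass
class Policy:
    policy_id: str
    rules: list
    obligation_on_permit: str = None


@dataclass
class Decision:
    decision: str    # Permit | Deny | NotApplicable | Indeterminate
    obligations: list = field(default_factory=list)


def evaluate_rule(rule, request):
    """Match a rule's target against the request's attribute categories."""
    for (category, attr_id), required in rule.target.items():
        attrs = request.get(category, {})
        if attr_id not in attrs:
            return "Indeterminate"   # missing attribute is an error, not a silent non-match
        if attrs[attr_id] != required:
            return "NotApplicable"
    return rule.effect


def deny_overrides(results):
    """Simplified deny-overrides: Deny > Indeterminate > Permit > NotApplicable."""
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in results:
            return outcome
    return "NotApplicable"


class PDP:
    def __init__(self, policy):
        self.policy = policy

    def decide(self, request):
        outcome = deny_overrides([evaluate_rule(r, request) for r in self.policy.rules])
        obligations = [self.policy.obligation_on_permit] if (
            outcome == "Permit" and self.policy.obligation_on_permit) else []
        return Decision(outcome, obligations)

    def decide_multiple(self, base_request, resources):
        """One request carrying several resources -> one decision per resource."""
        return {r[RESOURCE_ID]: self.decide({**base_request, RESOURCE: r}) for r in resources}


class PEP:
    """Lives in the application: builds the request, enforces the answer."""
    def __init__(self, pdp):
        self.pdp, self.audit = pdp, []

    def is_permitted(self, subject, action, resource):
        result = self.pdp.decide({SUBJECT: subject, ACTION: {ACTION_ID: action}, RESOURCE: resource})
        for ob in result.obligations:       # obligations must be honoured, else treat as Deny
            self.audit.append((ob, resource.get(RESOURCE_ID)))
        return result.decision == "Permit"  # fail closed on Deny, NotApplicable, Indeterminate


# Constructed sample policy: doctors may read medical records unless sealed.
POLICY = Policy("urn:example:policy:records", [
    Rule("permit-doctor-read", "Permit", {(SUBJECT, ROLE): "doctor",
         (ACTION, ACTION_ID): "read", (RESOURCE, RECORD_TYPE): "medical-record"}),
    Rule("deny-sealed", "Deny", {(RESOURCE, SEALED): "true"}),
], obligation_on_permit="audit-log")

DOCTOR, NURSE = {ROLE: "doctor"}, {ROLE: "nurse"}
RECORD_OPEN = {RESOURCE_ID: "rec-1", RECORD_TYPE: "medical-record", SEALED: "false"}
RECORD_SEALED = {RESOURCE_ID: "rec-2", RECORD_TYPE: "medical-record", SEALED: "true"}
RECORD_NO_FLAG = {RESOURCE_ID: "rec-3", RECORD_TYPE: "medical-record"}   # SEALED missing


def run_demo():
    """Returns {case: allowed?} from the PEP plus the audit obligations it recorded."""
    pep = PEP(PDP(POLICY))
    outcomes = {
        "doctor/open": pep.is_permitted(DOCTOR, "read", RECORD_OPEN),        # True
        "doctor/sealed": pep.is_permitted(DOCTOR, "read", RECORD_SEALED),    # False
        "nurse/open": pep.is_permitted(NURSE, "read", RECORD_OPEN),          # False
        "doctor/no-flag": pep.is_permitted(DOCTOR, "read", RECORD_NO_FLAG),  # False (Indeterminate)
    }
    return outcomes, pep.audit


if __name__ == "__main__":
    print(run_demo())
```

The point a practitioner should take from the last case is the failure mode: when the resource arrives without the attribute a Deny rule depends on, the PDP answers Indeterminate rather than Permit, and a PEP that only opens the door on an explicit Permit stays closed. A PEP that tested `decision != "Deny"` would let that request through, which is the classic externalized-authorization bug.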
Preso 5/use case – Federation Authorization and the Cloud – Why A Pragmatic Approach is Important
Pam Dingle will discuss what organizations are doing today in the context of federation and authorization. She will then examine the next pragmatic steps organizations should consider so that they can successfully implement a federated authorization model for cloud computing.
Pam Dingle, PingID – 20 mins
Closing comments 10 mins