An answer to your common XACML dilemmas Asela Pathberiya Senior Software Engineer

Post on 19-Jan-2016

222 views

Category:

Documents


0 download

TRANSCRIPT


Founded in 2005 by acknowledged leaders in XML, Web Services Technologies & Standards and Open Source

Producing an entire middleware platform, 100% open source under the Apache license

Business model is to sell comprehensive support & maintenance for our products

Venture funded by Intel Capital and Quest Software. Global corporation with offices in the USA, UK & Sri Lanka; 150+ employees and growing

WSO2

What are we going to cover

What is XACML?

Why is XACML important for your organization?

What are the disadvantages of XACML?

How can WSO2 Identity Server help you to overcome those disadvantages?

ETag Group

ETag Group is a trading company established in 2001.

Application System

ETag Group deployed their first Application System in 2005.

Authentication

The Application System included an authentication mechanism.

Authentication

Some functions and data in the Application System must not be accessible to all employees in the company.

Therefore authentication alone is not enough!

Authorization

ETag Group wanted to build authorization logic for their Application System.

Role Based Access Control (RBAC)

A set of people who share the same privileges is put into a role, and permissions are assigned to that role.

Role Based Access Control (RBAC)

Effect of company growth: the number of Application Systems increased.

For each application system, authorization logic had to be implemented.

Authorization logic became more complex.

Authorization logic had to be updated frequently.

Maintaining the authorization logic became a tricky task.

Growth of ETag Group

Meeting

Decided to implement a new authorization system

ETag Common Authorization System (ECAS)

Denis was asked to lead “ECAS” project

The “ECAS” project must fulfill the following six requirements, as decided in the board meeting.

Externalized

The authorization system is not bound to an application. Each application must be able to query a single authorization system for all authorization queries.

Policy based

Authorization logic can be modified frequently without any source code changes.

Standardized

Even business managers and external people must be aware of the technology used to design it.

Attribute Based

“X resource can be accessed by the users who are from the etag.com domain and whose age is not less than 18 years”

Fine-grained

Need to achieve fine granularity without defining a large number of static combinations in the source code or database.

Real Time

“Can user Bob transfer X amount from current account Y between 9.00am and 4.00pm?”

Externalized Policy based Standardized Attribute based Fine-grained Dynamic

Authorization Solution

XACML

XACML stands for eXtensible Access Control Markup Language.

A standard ratified by the OASIS standards organization.

The first meeting: 21st March 2001

XACML 1.0 – OASIS Standard – 6 February 2003

XACML 1.1 – Committee Specification – 7 August 2003

XACML 2.0 – OASIS Standard – 1 February 2005

XACML 3.0 – OASIS Standard – 10 August 2010

Policy language implemented in XML

Externalization is provided by the XACML reference architecture.

Attribute Based Access Control (ABAC)

Fine-grained authorization

Fine-grained authorization with a higher level of abstraction by means of policy sets, policies and rules.

Real time evaluation
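To make the Attribute Based requirement above concrete in XACML terms, here is an added example (not from the slides and not WSO2 Identity Server code): the etag.com / age-18 rule written as an XACML 3.0 policy and evaluated by a tiny Python PDP that supports only the standard functions that policy uses. The policy XML, the attribute ids `domain` and `age` and the sample request bags are constructed for this illustration.

```python
# Added example (not from the original slides): a minimal PDP for just the subset of
# XACML 3.0 needed by the ETag rule "etag.com users aged 18 or more may access resource X".
import xml.etree.ElementTree as ET
XACML = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
def one_and_only(bag):   # XACML *-one-and-only: Indeterminate unless exactly one value
    if len(bag) != 1:
        raise ValueError("bag must hold exactly one value")
    return bag[0]
FUNCTIONS = {FN + "and": lambda *args: all(args),
             FN + "string-equal": lambda a, b: a == b,
             FN + "integer-greater-than-or-equal": lambda a, b: a >= b,
             FN + "string-one-and-only": one_and_only,
             FN + "integer-one-and-only": one_and_only}
# Constructed policy: a Permit rule carrying the condition, then a catch-all Deny.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="etag-resource-x" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/><Rule RuleId="permit-adult-etag-users" Effect="Permit"><Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"><AttributeDesignator AttributeId="domain" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="true"/></Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">etag.com</AttributeValue>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"><AttributeDesignator AttributeId="age" DataType="http://www.w3.org/2001/XMLSchema#integer" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" MustBePresent="true"/></Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">18</AttributeValue>
      </Apply>
    </Apply></Condition></Rule>
  <Rule RuleId="deny-everyone-else" Effect="Deny"/>
</Policy>"""

def evaluate(node, attrs):
    """Evaluate a Condition subtree; attrs maps AttributeId -> bag (list) of values."""
    tag = node.tag[len(XACML):]
    if tag == "AttributeValue":
        return int(node.text) if node.get("DataType").endswith("#integer") else node.text
    if tag == "AttributeDesignator":   # absent attribute -> empty bag, which fails one-and-only
        return attrs.get(node.get("AttributeId"), [])
    return FUNCTIONS[node.get("FunctionId")](*(evaluate(c, attrs) for c in node))

def decide(policy_xml, attrs):
    """first-applicable combining: the first rule whose condition holds decides."""
    for rule in ET.fromstring(policy_xml).iter(XACML + "Rule"):
        cond = rule.find(XACML + "Condition")
        try:
            if cond is None or evaluate(cond[0], attrs):
                return rule.get("Effect")
        except (ValueError, KeyError):   # missing/multi-valued attribute or unknown function
            return "Indeterminate"
    return "NotApplicable"
```

A request that lacks the age attribute yields Indeterminate rather than Deny, which is the XACML behaviour a PEP must handle explicitly (WSO2 Identity Server's PDP does the same).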

XACML Implementation for ECAS

Denis was really happy, as he had found the solution for all the requirements.

Denis thought of starting to implement an XACML-based authorization system for the ECAS project.

Meeting

“Denis, it is hard to implement an XACML solution from scratch.”

“It is better to find an existing implementation and plug it into the ECAS project.”

Meeting

“We need a closer look at XACML... Let's have a review of it.”

Disadvantages

Performance of an XACML-based authorization system would be lower than that of the existing system.

Complexity of defining and managing XACML policies.

How to integrate the current authorization logic into the new system as XACML policies.

How to provide a standard interface to communicate with the PDP.

Would the PDP be able to handle a large number (10000 - 100000) of policies?

How to achieve reliability and high availability.

Can XACML solutions support "What are the resources that Bob can access?"

XACML Implementations

An Open source XACML Implementation

"Open source XACML solution, WSO2 Identity Server. Just download and run the PDP without any configuration. How fast is that? I do not want to write mail asking for evaluation copies."

"I can just write a simple XACML policy and try this out... Nice web-based UI."

WSO2 Identity Server

Performance bottleneck

There would be lower performance than with traditional authorization systems.

It is a trade-off for the advantages offered. But the WSO2 Identity Server team has identified this performance bottleneck and has provided a solution to overcome it to a great extent:

Caching technologies

Thrift protocol for PDP – PEP communication

Caching

Load Test Figures Environment

Intel(R) Xeon(R) CPU X3440 @ 2.53GHz processor, 4 GB RAM, OS Debian 6.0 (64-bit), with a single instance of Identity Server

JVM options: -Xms1024m -Xmx2024m -XX:MaxPermSize=1024m

Policy Complexity

L1: 10 rules per policy, each rule dealing with 1 attribute

L2: 100 rules per policy, each rule dealing with more than 10 attributes

Requests

One million XACML requests.

XACML requests are randomly retrieved from a pool of 10 000 different requests.

Resources

http://people.wso2.com/~asela/xacml_load_test/

Load Test Result - Caching

Load Test Result - Thrift

Complexity of defining and managing XACML policies

Web based UI as PAP for defining and managing XACML policies.

XACML Policy Editors

Two policy editors: Basic and Advanced.

Integrating current authorization logics

Standard interface for PDP and PAP

All PDP and PAP functionality has been exposed as Web services.

Handling large number of policies

Policy distribution

On-demand policy loading

Reliability and High Availability

PDP clustering

Listing entitled resources for user

What we discussed Today

Identified XACML as a standard way of implementing authorization

How XACML answers the authorization requirements of your organization

What the negative points of XACML are

How WSO2 Identity Server has provided an answer for them

References

www.oasis-open.org/committees/xacml

http://xacmlinfo.com/

http://blog.facilelogin.com

Q and A

Customers

WSO2 Engagement Model

QuickStart

Development Support

Development Services

Production Support

Turnkey Solutions

WSO2 Mobile Services Solution

WSO2 FIX Gateway Solution

WSO2 SAP Gateway Solution

Thank You...!!!

Contact Us…

[email protected]