![Page 1: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/1.jpg)
Is XACML a Classic?
Gerry Gebel
@ggebel
![Page 2: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/2.jpg)
XACML 3.0 is approved
10 vendors
5 end-user orgs
Open source options
Who’s the XACML Technical Committee?
![Page 3: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/3.jpg)
RSA 2013 Interop
When will Catalyst host the next interop?
![Page 4: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/4.jpg)
XACML is a Standardized Authorization language
![Page 5: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/5.jpg)
XACML enables Centralized Authorization
![Page 6: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/6.jpg)
XACML implements Attribute-based Access Control
Check out the NIST Special Publication 800-162 on ABAC
![Page 7: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/7.jpg)
XACML is a Policy-based Access Control language
![Page 8: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/8.jpg)
The XACML language & architecture is eXtensible
![Page 9: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/9.jpg)
XACML allows for Fine-grained Authorization scenarios
![Page 10: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/10.jpg)
Does this XML make me look fat?
<xml/>
![Page 11: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/11.jpg)
XACML JSON Profile
84% smaller
[Bar chart: character count (axis 0 to 1400), XML vs. JSON]
![Page 12: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/12.jpg)
REST Profile of XACML
Three implementations already
JSON
XML
![Page 13: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/13.jpg)
XACML lets you Protect In-depth
SPF 5 to 50
![Page 14: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/14.jpg)
Implement Segregation of Duty easily with XACML rules & attributes
Managers can approve a transaction
if and only if they did not initiate it
if and only if user.id != creator id
![Page 15: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/15.jpg)
XACML lets you Inherit Multiple Rules and combine them into a single set
Managers can approve a transaction
if and only if they did not initiate it
And if it’s between 9am and 5pm
And the amount is under the user’s limit
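The approval rules from the two slides above, as an added sketch that is not part of the original deck: plain Python rather than XACML policy syntax, showing the four conditions AND-combined into one decision, with a missing attribute yielding Indeterminate instead of a silent Permit. The attribute names, the sample request and the reading of "9am to 5pm" as 09:00 inclusive to 17:00 exclusive are assumptions.

```python
from datetime import time

PERMIT, DENY, INDETERMINATE = "Permit", "Deny", "Indeterminate"

# One predicate per slide condition. Attribute names are hypothetical.
def is_manager(a):
    return a["subject.role"] == "manager"

def not_initiator(a):
    # Segregation of duty: user.id != creator id
    return a["subject.id"] != a["resource.creator_id"]

def in_business_hours(a):
    # Assumed window: 09:00 <= t < 17:00
    return time(9, 0) <= a["env.time"] < time(17, 0)

def under_limit(a):
    return a["resource.amount"] < a["subject.approval_limit"]

APPROVE_RULES = [is_manager, not_initiator, in_business_hours, under_limit]

def decide_approval(attrs):
    """PDP side: return (decision, failing_rule). Permit only if every rule holds."""
    for rule in APPROVE_RULES:
        try:
            ok = rule(attrs)
        except (KeyError, TypeError):
            # Attribute missing or of the wrong type: cannot evaluate the rule.
            return INDETERMINATE, rule.__name__
        if not ok:
            return DENY, rule.__name__
    return PERMIT, None

def enforce(attrs):
    """PEP side, deny-biased: anything other than Permit blocks the action."""
    return decide_approval(attrs)[0] == PERMIT

# Constructed sample request: alice approves a transaction created by bob.
SAMPLE = {
    "subject.id": "alice",
    "subject.role": "manager",
    "subject.approval_limit": 10000,
    "resource.creator_id": "bob",
    "resource.amount": 2500,
    "env.time": time(10, 30),
}

if __name__ == "__main__":
    print(decide_approval(SAMPLE))
    print(decide_approval({**SAMPLE, "resource.creator_id": "alice"}))
```

Returning the name of the failing rule alongside the decision gives the enforcement point something to log when an approval is blocked.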
![Page 16: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/16.jpg)
XACML enables Device-aware authorization for BYOD
![Page 17: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/17.jpg)
Kill the comma (the semi-colon too)
Ian Glazer once claimed: “Kill IAM to save it”
![Page 18: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/18.jpg)
XACML helps you build a happy relationship that lasts generations
![Page 19: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/19.jpg)
XACML & OAuth
OAuth 2.0
XACML
![Page 20: XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity protocols fight for your love"](https://reader035.vdocuments.us/reader035/viewer/2022081602/54b6bf8c4a7959ec1b8b4598/html5/thumbnails/20.jpg)
XACML & SCIM
XACML & SAML