Combining capability-based access control with SAML

Asked Mar 10 '12 at 14:22

Active Apr 29 '14 at 21:46

Viewed 1,175 times

I have been looking into various research on identity, PKI and access control trying to boil it down to a simplified methodology for IAM (Identity & Access Management).

One thing which pops up in lots of places is capability-based access control, as in: your current permissions are encoded in a ticket or certificate following the request. Lots of contemporary research is pointing to this as something to look in to, as it means giving temporary authorization to perform a certain transaction. Authorizing the transaction is often more important than establishing identity.

It seems to me that SAML is flexible enough to be handle such use-cases, encoding capabilities as SAML-attributes. I also believe capabilities is a better match in a federated scenario than roles, as trying to synchronize role-definitions (or even identity) across organizations seems futile.

However, I have found very little research, products or even prototypes on combining SAML and capabilities.

I have started looking at XPOLA, but I am wondering:

is there any other research, papers, products or projects I should take a look at?
does any of the off-the-shelf IAM or federation-products provide any capability-based functionality?

edited Apr 29 '14 at 21:46

David Brossard

1,360
7
16

asked Mar 10 '12 at 14:22

Rolf Rander

Hi Rolf, welcome to [security.se] - and thanks for this question! I look forward to seeing answers to this. – AviD Mar 13 '12 at 11:04
2

Btw (and this is not really an answer), I have seen capabilities called by several different terms, so you might have better luck searching with one of the other terms. I would suggest including also entitlements, ABAC (attribute based AC), PBAC (policy based AC), and fine-grained authorization. No, these are not exactly the same thing, but often vendors (even of these products) and researchers are confused by these terms, and tend to blur the lines, especially in marketing materials. – AviD Mar 13 '12 at 11:05

2 Answers2

I'm not familiar with XPOLA, but here are some resources on using capability-based authorization on the web that you should read:

Alan Karp at HP Labs is doing work in exactly this area: capability-based security for web services, including using SAML and similar standards. Take a look at his work. See, e.g., the following papers of his:
- From ABAC to ZBAC: The Evolution of Access Control Models.
- Solving the Transitive Access Problem for the Services Oriented Architecture (discusses using SAML certificates for capability-based security)
- Authorization-Based Access Control for the Services Oriented Architecture (more discussion of use of SAML certificates)
Webkeys bring capability-based security to the web. It is a detailed, worked-out proposal for how a URL can serve as a capability, and how to build web services on this substrate.
The Waterken server is a capability-based approach to web security, which allows deploying non-trivial computation and coordination between entities using object capabilities as the security model. See, e.g., some of the talks from Tyler Close.
The cap-talk mailing list is the leading place where capability folks hang out and share information about the capability-based approach to security, including web security.
For more background on capability-based systems, read Wikipedia's entry on object capabilities, Jonathan Shapiro's essay on What is a capability, anyway?. See also Kragen Sitaker's rant on capabilities and the web, or Doug Crockford's more recent talk on capability-based security and the web (it focuses more on fine-grained sharing, including on the web side, rather than web services design, which I think you are more focused on).

edited Mar 13 '12 at 22:59

answered Mar 13 '12 at 22:54

D.W.

98,420
30
267
572

Any comments regarding the relation to "Trust Management" systems? They appear to be capability-systems where the granted permission is expressed in a generic grammar, making the system a bit more flexible/interoperable. – pepe Mar 13 '12 at 23:42
As far as I am aware, trust management does not use capabilities. (See Wikipedia for some defining attributes of a capability-based system.) However, as trust management schemes is intended to support expressing authorization policies, they seem to be in roughly the same space. – D.W. Mar 14 '12 at 00:58

There is one standard in this space that implements attribute-based access control (ABAC). That standard is XACML (eXtensible Access Control Markup Language). It's also part of OASIS exactly like SAML and has been designed in part to work with SAML in many IAM scenarios.

It's definitely not research anymore. There are lots of companies using XACML such as Boeing, Documentum, governments, Bank of America... There are several vendors in this space such as the one I work for - Axiomatics - or IBM, Oracle... Lastly, there is a pretty lively open source community (SunXACML in the old days - ForgeRock and OpenAM, and WSO2 today...)

Lastly, NIST have been working on attribute-based access control. Their work can be found here. It's a great place to start looking around.

answered Oct 18 '13 at 08:31

David Brossard

1,360
7
16