
I'm thinking of using SAML for sending authentication and authorization information to a system. I plan to send roles and other information as authentication attributes in the assertion.

Does this sound like a good idea, or do I have to look into using XACML?

Stefan Rasmusson

1 Answer

As Guido points out in his comment, it largely depends on the target system. If the target system has clearly defined APIs / interfaces you can protect, then XACML would make more sense (XACML has an architecture whereby a policy enforcement point intercepts a flow and sends off an authorization request to a policy decision point).

If, on the other hand, the target system doesn't have APIs (e.g. it's mainly a web UI / portal), and if the target system has a rich role-based / claims-based authorization model within it, then you should aim for attribute statements inside your SAML assertion which can be used as assertions / claims in the target system.

The benefit to SAML over XACML in this scenario is that it's probably less disruptive. The benefit of XACML over SAML is that it's more fine-grained and can take care of context (time of day, device...)

You can still use XACML on the IdP side when the SAML token gets issued to provision claims inside the SAML token.

So, what is it you want to protect? Do you control the target system?

David Brossard
  • We control both systems. We will not have any fine-grained access control for the communication between the systems. What we want is to give the authenticating system the user and its associated roles on signing in. The authenticating system will handle access management internally based on this. Sounds like SAML without XACML is a good fit – Stefan Rasmusson Apr 03 '14 at 10:48
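As an added example (not code from the question or the answer above), the following shows both halves of what the answer describes: the receiving system pulling roles out of a SAML `AttributeStatement`, and a minimal policy decision point in the XACML style that combines those roles with request context (here, time of day) so the two approaches can be compared side by side. The attribute name `Role`, the issuer, the resource and action names, the policy table and the sample assertion are all constructed for this example. It assumes the assertion's XML signature has already been validated; attributes from an unverified assertion must never be trusted, and a production parser should use `defusedxml` rather than the standard library parser.

```python
"""Added example: consume role attributes from a SAML assertion and feed them
to a tiny policy decision point (PDP). Assumptions (not from the page):
the "Role" attribute name, the issuer, the resources, the policy rules and
the sample assertion are all constructed for illustration. Signature
validation is assumed to have been done before extract_claims() is called.
"""
from datetime import time
import xml.etree.ElementTree as ET  # use defusedxml in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The IdP the service provider trusts (constructed value).
TRUSTED_ISSUER = "https://idp.example.com"

# Constructed, unsigned sample assertion carrying roles as attribute values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2014-04-03T10:48:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>editor</saml:AttributeValue>
      <saml:AttributeValue>reviewer</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml: str, expected_issuer: str = TRUSTED_ISSUER) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement.

    Rejects assertions from any issuer other than the configured IdP; this
    check complements, and does not replace, signature validation.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"untrusted issuer: {issuer!r}")
    claims: dict = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(name, []).extend(values)
    return claims


# Minimal PDP: each rule targets (resource, action), requires a role from the
# assertion, and may add a context condition (an allowed time window).
# Combining algorithm is deny-unless-permit, as in XACML 3.0: the first rule
# whose target, role and condition all match yields Permit, otherwise Deny.
POLICY = [
    # resource, action, required role, allowed window (start, end) or None
    ("ledger", "read", "reviewer", None),
    ("ledger", "write", "editor", (time(8, 0), time(18, 0))),
]


def decide(claims: dict, resource: str, action: str, now: time) -> str:
    """Policy decision for a request built from SAML claims plus context."""
    roles = set(claims.get("Role", []))
    for p_resource, p_action, role, window in POLICY:
        if (p_resource, p_action) != (resource, action) or role not in roles:
            continue
        if window is None or window[0] <= now <= window[1]:
            return "Permit"
    return "Deny"


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ASSERTION)
    print("claims:", claims)
    for req in [("ledger", "read", time(3, 0)),
                ("ledger", "write", time(12, 0)),
                ("ledger", "write", time(22, 0))]:
        print(req, "->", decide(claims, *req))
```

The SAML-only design from the comment above corresponds to `extract_claims()` plus whatever role checks the target system already does internally; the `decide()` function is the piece you would only need once a decision has to depend on context such as time of day or device, which is where a real XACML PEP/PDP split would replace this table.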