PicketBox XACML integration with SAML
Suppose you have the following needs:

a) XACMLv2 evaluation of access control requests.
b) No wish to implement either the XACML PDP (Policy Decision Point) or the PEP (Policy Enforcement Point) yourself.
c) A SAMLv2 payload to transport the XACMLv2 request and response.
d) SOAP 1.1 messages to carry the SAMLv2 payload (which in turn carries the XACMLv2 request/response messages).

As described in the SAMLv2/XACMLv2 integration article, a servlet is provided as part of the JBossIdentity stack (JBoss Identity was later renamed PicketLink). All you need to do is write the XACML policies, package them as part of a web application and configure the SOAPSAMLXACMLServlet in web.xml as defined in that wiki article. You get this functionality out of the box without writing a PDP or PEP: the servlet acts as the PEP/PDP combo. Note that the application calling the servlet still has to act on the decision it gets back; treat anything other than an explicit Permit (Deny, NotApplicable, Indeterminate, or a SOAP/SAML-level error) as a denial.

Additional information: Since the PicketLink project provides both SAMLv2 and XACMLv2 capabilities, it supports the SAML 2.0 profile of XACML v2.0.

What is provided? As part of PicketLink, you get a servlet that accepts SOAP 1.1 requests containing a SAML payload with an XACML authorization decision request (an XACMLAuthzDecisionQuery); in response, it returns the XACML authorization decision as a SAML statement (an XACMLAuthzDecisionStatement) inside a SOAP 1.1 response.
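The following is an added example and is not code from the PicketLink project or this wiki. It shows, from the calling side, the two messages described above: a SOAP 1.1 envelope whose body is a SAML 2.0 XACMLAuthzDecisionQuery wrapping an XACML 2.0 Request (subject, resource, action), and the SOAP 1.1 reply whose SAML Response carries an XACMLAuthzDecisionStatement. The namespaces and attribute identifiers are the ones defined in the SOAP 1.1, SAML 2.0 and XACML 2.0 specifications; the issuer, message IDs, timestamps and resource URI are made-up placeholders, and the reply is constructed by hand rather than captured from a running servlet. The parsing side treats anything other than an explicit Permit as a denial, which is the check a caller of the servlet should make.

```python
"""Build a SOAP 1.1 / SAML 2.0 / XACML 2.0 authorization decision query and
read the decision out of the SOAP 1.1 reply.  Added example, not PicketLink
code; IDs, issuer, timestamps and the sample reply are constructed."""
import xml.etree.ElementTree as ET

# Namespace URIs from SOAP 1.1, SAML 2.0 and the SAML 2.0 profile of XACML 2.0.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_SAMLP = "urn:oasis:xacml:2.0:saml:protocol:schema:os"
XACML_SAML = "urn:oasis:xacml:2.0:saml:assertion:schema:os"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
for _prefix, _uri in [("soap", SOAP), ("samlp", SAMLP), ("saml", SAML),
                      ("xacml-samlp", XACML_SAMLP), ("xacml-saml", XACML_SAML),
                      ("xacml-context", XACML_CTX)]:
    ET.register_namespace(_prefix, _uri)

# Standard XACML 1.0/2.0 attribute identifiers, datatypes and status values.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_ANYURI = "http://www.w3.org/2001/XMLSchema#anyURI"
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
XACML_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"


def _add_attribute(parent, attr_id, datatype, value):
    attr = ET.SubElement(parent, "{%s}Attribute" % XACML_CTX,
                         AttributeId=attr_id, DataType=datatype)
    ET.SubElement(attr, "{%s}AttributeValue" % XACML_CTX).text = value


def build_authz_query(subject, resource, action, issuer, query_id, issue_instant):
    """SOAP 1.1 envelope whose body is an XACMLAuthzDecisionQuery wrapping an
    xacml-context Request with one Subject, one Resource and one Action."""
    env = ET.Element("{%s}Envelope" % SOAP)
    body = ET.SubElement(env, "{%s}Body" % SOAP)
    query = ET.SubElement(body, "{%s}XACMLAuthzDecisionQuery" % XACML_SAMLP,
                          ID=query_id, Version="2.0", IssueInstant=issue_instant,
                          InputContextOnly="true", ReturnContext="false")
    ET.SubElement(query, "{%s}Issuer" % SAML).text = issuer  # first child per SAML RequestAbstractType
    req = ET.SubElement(query, "{%s}Request" % XACML_CTX)
    _add_attribute(ET.SubElement(req, "{%s}Subject" % XACML_CTX), SUBJECT_ID, XS_STRING, subject)
    _add_attribute(ET.SubElement(req, "{%s}Resource" % XACML_CTX), RESOURCE_ID, XS_ANYURI, resource)
    _add_attribute(ET.SubElement(req, "{%s}Action" % XACML_CTX), ACTION_ID, XS_STRING, action)
    ET.SubElement(req, "{%s}Environment" % XACML_CTX)  # required by the schema, may be empty
    return ET.tostring(env, encoding="unicode")


def parse_decision(soap_response):
    """Decision from the XACMLAuthzDecisionStatement: Permit, Deny, NotApplicable
    or Indeterminate.  A failed SAML/XACML status or a missing element collapses
    to Indeterminate so a malformed reply can never be read as Permit."""
    root = ET.fromstring(soap_response)
    saml_status = root.find(".//{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    if saml_status is None or saml_status.get("Value") != SAML_SUCCESS:
        return "Indeterminate"
    stmt = root.find(".//{%s}Assertion/{%s}XACMLAuthzDecisionStatement" % (SAML, XACML_SAML))
    result = None if stmt is None else stmt.find("{%s}Response/{%s}Result" % (XACML_CTX, XACML_CTX))
    if result is None:
        return "Indeterminate"
    xacml_status = result.find("{%s}Status/{%s}StatusCode" % (XACML_CTX, XACML_CTX))
    if xacml_status is not None and xacml_status.get("Value") != XACML_OK:
        return "Indeterminate"
    decision = result.findtext("{%s}Decision" % XACML_CTX)
    return decision if decision in ("Permit", "Deny", "NotApplicable") else "Indeterminate"


def is_permitted(soap_response):
    """The enforcement check on the caller's side: only an explicit Permit grants access."""
    return parse_decision(soap_response) == "Permit"


def sample_response(decision, in_response_to="ID_q1"):
    """Constructed (not captured) SOAP 1.1 reply of the shape the servlet returns."""
    return """<soap:Envelope xmlns:soap="%s"><soap:Body>
<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="ID_r1" Version="2.0"
    IssueInstant="2009-05-13T10:00:01Z" InResponseTo="%s">
  <samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>
  <saml:Assertion ID="ID_a1" Version="2.0" IssueInstant="2009-05-13T10:00:01Z">
    <saml:Issuer>urn:example:pdp</saml:Issuer>
    <xacml-saml:XACMLAuthzDecisionStatement xmlns:xacml-saml="%s">
      <xacml-context:Response xmlns:xacml-context="%s">
        <xacml-context:Result ResourceId="http://example.org/payroll">
          <xacml-context:Decision>%s</xacml-context:Decision>
          <xacml-context:Status><xacml-context:StatusCode Value="%s"/></xacml-context:Status>
        </xacml-context:Result>
      </xacml-context:Response>
    </xacml-saml:XACMLAuthzDecisionStatement>
  </saml:Assertion>
</samlp:Response>
</soap:Body></soap:Envelope>""" % (SOAP, SAMLP, SAML, in_response_to, SAML_SUCCESS,
                                   XACML_SAML, XACML_CTX, decision, XACML_OK)


if __name__ == "__main__":
    print(build_authz_query("alice", "http://example.org/payroll", "read",
                            "urn:example:pep", "ID_q1", "2009-05-13T10:00:00Z"))
    for d in ("Permit", "Deny", "NotApplicable"):
        print(d, "->", is_permitted(sample_response(d)))
```

To use it against a real deployment, POST the string from build_authz_query to the URL the servlet is mapped to in web.xml with Content-Type text/xml and an empty SOAPAction header, and hand the response body to is_permitted. The query asks for InputContextOnly and no returned context, so the PDP evaluates exactly the attributes shown and the reply stays small; if the servlet is configured to sign its assertions, verify that signature before trusting the decision.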