Page 1

Ready to roll at the Cloud Identity Summit 2013, Napa #CISNapa

It’s already day 2 of the Cloud Identity Summit. Day 1 focused on workshops and so will day 2 along with bootcamps and interops including workshops on Microsoft Identity & the Cloud. Standards will be hailed like never before: OAuth 2.0, OpenID Connect, and SCIM will be represented in a standards-focused workshop while SAML, the star of the conference, will be highlighted in a hands-on demo of PingFederate by John Da Silva.
In the afternoon, I will have the privilege of completing the standards quintet as I take on my developer hat to talk about XACML, and the latest efforts around REST and JSON APIs / encoding for XACML 3.0. I will be uploading my slides later for those of you who want to check them out.
Happy CIS 2013!


How to send a XACML request using Perl

In a previous post, I mention how I used cURL to send a XACML request to an Axiomatics XACML Policy Decision Point (PDP). My goal, however, wasn’t to use cURL but rather whip up a sample in Perl.
Perl is perhaps my third love in terms of programming languages. As a kid, I learned programming with Pascal. Later, as a teen, I went across to web programming and PHP. In my first uni. student placement I was tasked with writing Perl code which opened up a whole new world of scripting.
These days, most of what I do revolves around XACML, the eXtensible Access Control Markup Language. XACML defines an architecture to apply fine-grained, externalized authorization to any type of application. Typically, the customers I deal with at Axiomatics want to apply XACML to Java or C#. This entails writing policy enforcement points (PEP) in Java or .NET. Occasionally though, we do get requests for Perl. And so, on a flight back from a customer visit, I googled around for the latest in Perl and hacked a very simple example together.
To get running, I used

It was actually very quick and easy to test out the Perl PEP. This is what it looks like:

#!/usr/bin/perl -w

use strict;

use LWP::UserAgent;
use HTTP::Request::Common;

my $userAgent = LWP::UserAgent->new(agent => 'perl post');
$userAgent->credentials("localhost:8280","Axiomatics PDP",'pdp-user','password');
my $soapStartElement = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>
<soap:Envelope xmlns:soap=\"\">
<irc:AccessQuery3 xmlns:irc=\"\">
my $soapCloseElement = "</irc:AccessQuery3>
my $xacmlRequest = "<xacml-ctx:Request ReturnPolicyIdList=\"true\" CombinedDecision=\"false\" xmlns:xacml-ctx=\"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17\">
   <xacml-ctx:Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:resource\" >
   <xacml-ctx:Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:action\" >
   <xacml-ctx:Attributes Category=\"urn:oasis:names:tc:xacml:3.0:attribute-category:environment\" >
   <xacml-ctx:Attributes Category=\"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject\" >
      <xacml-ctx:Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:subject:subject-id\" IncludeInResult=\"true\">
         <xacml-ctx:AttributeValue DataType=\"\">alice</xacml-ctx:AttributeValue>

my $response = $userAgent->request(POST 'http://localhost:8280/asm-pdp/pdp',
Content_Type => 'text/xml',
Content => ($soapStartElement.$xacmlRequest.$soapCloseElement));

print $response->error_as_HTML unless $response->is_success;

print $response->as_string;



Call out to a XACML Policy Decision Point (PDP) from PHP

Today, I have the pleasure to invite a fellow colleague, Patrick McDowell, to post on my blog. Today’s topic is around reaching out to other languages other than just Java and C# for XACML-based authorization. Today’s choice? PHP, naturellement as both Patrick and I are huge WordPress fans.

If you have been programming in PHP it is very likely that you have interacted with an external authentication service. For example Google and Facebook provide external authentication services that people can use to allow other providers to authenticate users for you using standard protocols such as SAML, OAuth, and OpenID.
Once a user has been authenticated, we then need to determine what that user is authorized to do inside of an application or service. This authorization logic can be externalized and defined using a standard language called XACML.
XACML stands for eXtensible Access Control Markup Language. The standard defines a declarative access control policy language implemented in XML and a processing model describing how to evaluate authorization requests according to the rules defined in policies.
Unlike the typical role-based security methodology used in many applications XACML authorization decisions are made in real time, and are made based on attributes about the user, the resource, and the context. For example a bank teller might have access to an account but should not be permitted to access his or her own account; the teller should not have access to accounts outside of his or her bank. XACML policies can be evaluated in real time to determine whether the teller should be permitted to access an account.
Additionally authorization decisions are made externally from the application, therefore security policy is not hardcoded into the application, which makes it easier for security policies to be changed. and Security administrators gain easier access to the authorization logic.
XACML requests include:

  • Subject
  • Action
  • Resource
  • Environment

And the XACML Policy Server (PDP, aka Policy Decision Point), will return:

  • Decision (Deny, Permit, Indeterminate, Not Applicable)
  • Status
  • Obligations or Advice

To keep this simple, we are simply going to ask the XACML Authorization server to confirm that:
Users with Teller Role (Subject), can View (Action), Bank Accounts (Resource)
This request in raw XACML looks like this:

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
      <xacml-ctx:Attribute AttributeId="" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="">teller</xacml-ctx:AttributeValue>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="">view</xacml-ctx:AttributeValue>
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
   <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
         <xacml-ctx:AttributeValue DataType="">bank account</xacml-ctx:AttributeValue>

The same request can be produced in PHP with SOAP like this:

$regReq = new stdClass();

$regReq->Version = "3.0";
$regReq->ID = "abcde1234";
$regReq->ReturnContext = true;
$regReq->Request = new stdClass();

$regReq->Request->Attributes = array();

$regReq->Request->Attributes[0]= new stdClass();
$regReq->Request->Attributes[0]->Attribute = new stdClass();
$regReq->Request->Attributes[0]->Attribute->AttributeId = "";
$regReq->Request->Attributes[0]->Attribute->AttributeValue = new stdClass();

$regReq->Request->Attributes[1]= new stdClass();
$regReq->Request->Attributes[1]->Attribute = new stdClass();
$regReq->Request->Attributes[1]->Attribute->AttributeId = "urn:oasis:names:tc:xacml:1.0:action:action-id";
$regReq->Request->Attributes[1]->Attribute->AttributeValue = new stdClass();

$regReq->Request->Attributes[2]= new stdClass();
$regReq->Request->Attributes[2]->Attribute = new stdClass();
$regReq->Request->Attributes[2]->Attribute->AttributeId = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
$regReq->Request->Attributes[2]->Attribute->AttributeValue = new stdClass();
$regReq->Request->Attributes[2]->Attribute->AttributeValue->any="bank account";
$regReq->Request->Attributes[3]= new stdClass();

The following PHP code creates the WS client and sends the request to the PDP.

ini_set('soap.wsdl_cache_enabled', 0); // Turn off the cache if you like
$client = new SoapClient("http://axiomatics:8080/asm-pdp/pdp?WSDL", Array("trace" => 1));
$result = $client->AccessQuery3($regReq);

The result returns a stdClass like this:

stdClass Object ( [Response] => stdClass Object ( [Result] => stdClass Object ( [Decision] => Permit [Status] => stdClass Object ( [StatusCode] => stdClass Object ( [Value] => urn:oasis:names:tc:xacml:1.0:status:ok ) ) ) ) )

The response to this request will return an object called Result with a field labeled Decision set to Permit, as well as other information about the request such as Obligations / Advice and information about the request.
To handle the response in PHP, all you need is the following code snippet:

if ( $result->Response->Result->Decision == "Permit") { 
 echo "Permit.. Tellers can view bank accounts";

The response does depend on the policy, and if the request did not find an appropriate target it is possible the response could be NotApplicable, which essentially means the Policy Decision Point (PDP), did not have enough information to make a decision.
The XACML Policy is also written in XML, and look like this in Raw XML:

<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="">bank account</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="" MustBePresent="false"/>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="">view</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="" MustBePresent="false"/>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="">teller</xacml3:AttributeValue>
          <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="" DataType="" MustBePresent="false"/>
  <xacml3:Rule RuleId="51179cb3-5319-4a35-a13e-ac1db27b5d93" Effect="Permit">
    <xacml3:Description>doctor can view medicalrecord</xacml3:Description>
  <xacml3:Rule RuleId="a2af1648-41c0-4843-ba4f-c1284d367957" Effect="Deny">

If you don’t like working with raw XML, Axiomatics offers an Eclipse Plug-in which uses a “Pseudocode” called ALFA (Axiomatics Language for Authorization) which makes writing these policies much simpler. It can be downloaded for free here.


A neat MS SQL treat: convert from count(*) to a bit (or boolean)

I was busy writing a sample application for a retail company where I wanted to express a XACML authorization policy that would state that a user can sell an item if it hasn’t already been sold.
I knew whether the item was sold by simply running a SQL PIP retrieving the count(*) of that item id in the sales contracts. But I wanted to have a boolean attribute in the XACML policy:
A user can sell if the item is not sold (i.e. sold==false). So I went looking around for a means to convert count(*) into a MS SQL bit (the boolean datatype).

And the answer is:

select cast(count(*) as bit) as sold from salecontracts where identifier='9700E2EA-8545-4F26-91A1-1F5E7953E3A4'


Axiomatics seeks serious contender – impressions of Gartner Catalyst 2011 (#CAT11) 30,000 ft up.

I had the opportunity to fly with Axiomatics CEO, Babak Sadighi, on our trip back from San Diego to Stockholm. During the 15-hour journey, Babak and I shared our experience and impressions of the conference.

Gearing up to Catalyst 2011

The week of the 23rd of July turned out to be a pretty busy one at Axiomatics. As solutions architect, I flew over to San Diego for the much anticipated Catalyst Conference. I was keen on getting the dial tone in the Identity and Access Management space. Catalyst was to be the perfect place to catch up with Gartner analysts as well as colleagues from partner companies.
As a vendor of XACML solutions and pioneers of the XACML technology, my colleagues and I were keen on getting the opinions of analysts and end users to take those back home and enhance our offering.
In the 12 months since #CAT10, we have seen a surge in sales activities: an increased number of new leads, new contracts, and repeated interactions with prospect customers. Along with the increased frequency came more breadth. 2009 / 2010 was more about a handful of verticals. Today, requirements come from twice as many verticals from health and finance to media and manufacturing. And it brings us pride to see wider-spread adoption. Traffic on our website spiked; traffic on Gerry’s blog and mine also increased phenomenally.
And it’s not only customers: the company struck new partnerships with leading IAM system integrators such as First Point Global in APAC or Mycroft in the USA. New technical partnerships were announced with best-in-class vendors such as Radiant Logic (virtual directories).
We saw this intense activity as a sign of market readiness. As such, we had very high expectations in San Diego. We were eager to learn about customer experiences – your experiences – as well as competitors’ experiences and lastly analysts’ views on the coming twelve months.

New use cases, new opportunities

In a sense, our expectations were exceeded: XACML was all over the conference (at least in the identity track). Bob Blakley and his team repeatedly mentioned the technology, its now proven maturity, the use cases, and the existing vendors such as ourselves but also promising open source alternatives such as WS02 or PicketBox.
One end-user organization, Fidelity, came to talk about their deployment using XACML and how they meet with regulatory compliance. (more details on the track here)
In a separate track, Ian Glazer talked about the importance of high-quality data for IAM (How IAM Depends On Hi-Fi Data… And Doesn’t Know It Yet). This is what we call making smart decisions with trustworthy attributes.
Axiomatics was also in the headlines as its CEO signed a new partnership agreement with IDMWorks to strengthen the brand’s presence in the cloud.
And speaking of cloud, Axiomatics partnered with Radiant Logic to implement a cloud-based demonstrator using the Axiomatics Policy Server combined with RadiantOne VDS Context Edition to deliver fine-grained access control on a sales application.
In another instance, Axiomatics partnered with Layer 7 Tech to deliver fast, secure, and context-aware SOA security for any type of applications again hosted inside an Amazon instance.
It really felt like we were on par and that 2011 was year 1 of widespread XACML adoption. There was even a lunch session entirely dedicated to XACML.
This leads me to conclude that to those skeptics, XACML is now a reality.

Where’s the competition?

In a thriving market, one would expect a wide range of competitors to react and strengthen their offering; to act responsibly and deliver better products. In that sense, we were a bit led down. It’s a well-known fact that the driving forces behind the XACML standard are IBM, Oracle, and Axiomatics. I would like to stress that Axiomatics in particular has fueled the efforts in the last 6 years with its CTO, Erik Rissanen, taking the editorial responsibility for XACML 3.0. But the larger organizations, as often, are now lagging behind a handful of smaller, faster players such as Axiomatics.
In fact there was a single other small vendor at Catalyst 2011 with a XACML offering but they have yet to take part in the innovation effort.
For instance, we would love to see more industry engagement in the XACML technical committee. It’s not just about engagement. It’s also about endorsement: the reason XACML 3.0 has not become a standard is because it has not been attested by 3 different vendors and/or end-users. Axiomatics has attested to the latest implementation of the standard and several other profiles. We are still waiting for other vendors to follow suit. It would do the standard good if more enterprise-ready implementations stood up to the challenge.

Axiomatics involvement in the XACML TC: CTO Erik Rissanen is the 2nd most prolific contributor.

Axiomatics involvement in the XACML TC: CTO Erik Rissanen is the 2nd most prolific contributor.

If you want to know more about contributions, the history of the XACML TC, and the current work, check out the TC mailing list and the XACML dev list.

Fact or fiction?

When I look at the offering in the security space, my head almost always ends up spinning. There are many different vendors to choose from (quite a few were at Catalyst) and they offer many different standards-based solutions. Some of my customers struggle to understand the difference between authentication and authorization. The messaging we give out is of critical importance and we should make sure we state verifiable facts.
In the XACML space, many vendors claim some level of implementation. How complete is their implementation? Others claim to be the fastest. Are they really? Have they compared? I wrote a post on this very topic pointing readers to areas that need serious investigation. Caution is the key word here.
This is where we would need a serious report from the analyst community – a health check if you like – on the state of fine-grained access control today. A magic quadrant perhaps?


We are pretty excited at Axiomatics about the future. New customers are knocking on our doors and our teams are expanding (sales; engineering; drop me a line if you are keen on joining us). Yet we want to make sure that the one standard we believe in, the reference for fine-grained access control doesn’t get tarnished by false marketing claims. We want the competition to rise to the challenge of XACML 3.0. We can only grow through a healthy debate between vendors that offer comparable products. And we want you, the customer, to reap the benefits.