You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by Phil Steitz <ph...@steitz.com> on 2003/12/04 06:41:55 UTC

[AAA] Was: Re: Introducing myself

Vincent Tence wrote:
>>Hi Vincent,
>>
>>Welcome aboard!  I am also interested in these things.  I lost
>>the earlier
>>sf thread on AAA and I would like to come up to speed on this framework.
>>Can you post some links describing both the technical structure and the
>>integration model / philosophy.
> 
> 
> This framework is based on the work done by the aaa4avalon projet at sf.
> The guys at aaa4avalon are all a bit busy and they can't find the time
> to work on the project anymore. So after talking wih them, we decided it
> would be better easier for me to start a new project and hopefully merge
> back at some point. I have attached a diagram from the original project
> that shows the general idea.
> 
> 
>>Is this framework compatible with XACML,
>>SAML and/or Liberty?
> 
> 
> Not XACML or SAML compatible at that point. The initial idea is to have a
> set
> of reusable components for AAA and then provide integration layers to
> existing
> standards. I'm not quite there yet ;-)

The architecture and separation of concerns looks similar to XACML.  Cf, 
for example, 
http://www.oasis-open.org/committees/download.php/2406/oasis-xacml-1.0.pdf 
(see the data flow diagram on p. 19) with the "container" playing the 
role of both the policy enforcement point and the policy decision point. 
  Having these things separated and defining a (ideally open) protocol 
to connect them provides deployment flexibility (PDPs can be remoted), 
container independence and scalability benefits (the PDPs can cache 
authorizations and provide HA services for multiple containers).   One 
thing to consider would be to at least use XACML policly language to 
represent authorization rules and policies.

Phil


> 
> <snip/>
> 
>>I think that it is important that
>>whatever we implement, we try to keep it standards-based and, as much as
>>possible, platform and language independent.  Could be we are talking
>>about different things here.  On the other hand, it could be that we can
>>find one solution that meets both needs (external, standards-based,
>>platform-independent identity/authentication/authorization service +
>>Avalon/J2EE container embedded provider).  Kind of like Eve is doing for
>>ldap ;-)
> 
> 
> That's the holy grail I'm looking for as well.
> 
> - Vincent
> 
> 
> ------------------------------------------------------------------------
>