IBM and XACML at the Burton Catalyst Conference

The dust has settled on the XACML interop event at the Burton Catalyst conference, and by all measures the event was a success. We achieved a full 8x8 success matrix on both use cases, meaning the participants could call each other's Policy Decision Servers, as well as import the XACML policy produced by the other products.

Interestingly enough, most of the challenges faced in the preparation for the event lay not with the XACML technology pieces themselves but with the supporting technologies: for example, ensuring that the right SOAP version is used for the SAML message exchanges, and things of that nature.

So what did IBM show at the event? What we demonstrated was an internal IBM authorization component that is used by some of our products. This Java-based component, which is designed to save products from re-implementing authorization functionality, contains a full-blown native XACML decision engine.

We were asked many times during the event about product plans for XACML. For example, "When is this going to be in a product?" The answer is that there are a few pieces of the puzzle that have to be filled in before we can reach that point. The primary piece is around the manageability of XACML policy - it's verbose, and quite honestly non-trivial to author, and the tooling just isn't there yet.

That's not to say that using XACML as a policy exchange mechanism isn't worth chasing, because it definitely is. But this is a chicken-and-egg problem - you can't have the policy editing tools without the evaluation engine. The evaluation engine demonstrated at the interop is an important step towards the wider adoption of this technology.

On a personal note, it was fantastic to meet some of the driving forces behind this standard. The spirit of collaboration was alive and well; there was a point when I was helping to debug a problem that Jericho Systems and Red Hat were having! This open approach, from all vendors, contributed greatly to the success of the event.
