When: July 27, 2010 12:30-2:30pm, Room Aqua 302, Hilton Bayfront Hotel

Where: Burton Catalyst San Diego

Title: Authorization Standards Workshop

Abstract: As authorization generally follows authentication in a given online transaction, standardization of authorization has generally followed that of web authentication standards like SAML, WS-Federation, and OpenID. This workshop will explore developments & trends in authorization standards, including OAuth (a community initiative now being standardized within the IETF), User-Managed Access (evolving within the Kantara Initiative) and XACML (an OASIS standard). We’ll also look at some authorization use cases that may imply new requirements of these protocols. Through a combination of presentations, panels and demonstrations, we’ll explore how these existing & emerging authorization standards fit into the enterprise & social web infrastructure.

Welcome, Intro & Overview
Paul Madsen – 5 mins

Preso 1 - XACML 3.0 Update
It’s been more than 5 years since eXtensible Access Control Markup Language (XACML) version 2 was standardized at OASIS. In the meantime XACML has grown in popularity as a standard and the number of production XACML implementations continues to grow steadily. XACML 3.0, currently in the final stages of ratification, contains significant enhancements that will enable it to keep pace with growing enterprise demands. In this session, Gerry Gebel will describe the enhancements to version 3.0, including the SAML 2.0, Delegation and Multiple Decision Request profiles. Gerry will also provide use case samples of how new features of XACML 3.0 can be implemented.
Gerry Gebel, Axiomatics – 25 mins

Preso 2/use case - OAuth
As today’s businesses increasingly shift their processes into the cloud, a simplified set of design patterns and standards is required to harmonize the speed and compelling economics of the cloud with companies’ existing identity management systems and processes. Topics will include the evolution of OAuth2 and its applicability to enterprise use cases for cloud authorization and API federation.
Chuck Mortimer, Product Management Director, Identity & Security, Salesforce.com – 25 mins

Break – 5 mins

Preso 3/use case - IASWG overview and review of authorization use cases
Description of IASWG purpose and goals, review authorization use cases received by IASWG thus far, review Concordia AuthZ Survey results.
John Tolbert, Boeing & Gavin Illingworth, BMO – 25 mins

Preso 4/use case - Federation Authorization and the Cloud – Why A Pragmatic Approach is Important
Harding will discuss what organizations are doing today in the context of federation and authorization. He will also examine the next pragmatic steps organizations should consider so that they can successfully implement a federated authorization model for cloud computing.
Patrick Harding, PingID – 25 mins

Closing comments – 10 mins

Please RSVP to Dervla O’Reilly, dervla[at]kantarainitiative[dot]org

Event details: http://www.catalyst.burtongroup.com/NA10/ConferenceElements.html

Burton Catalyst agenda: https://burtongroup.wingateweb.com/na2010/scheduler/weekAtGlance.do

Dervla O’Reilly
Program Manager
Kantara Initiative
+1 415 731 4487 business
+1 415 948 3650 mobile
+1 509 757 4487 fax