Who uses XACML?

Question

Has anyone written XACML Implementations other than the Sun XACML Implementation and XEngine?

Who uses them in their products?

Which vendors provide a PDP? I read something about a WebLogic XACML Provider. What other products support XACML?

Answer 1

This has been answered on the XACML TC list already: http://markmail.org/message/w7msffsbi6qzgfoj

XACML is used in a wide variety of industries today. Trying to summarize what's been said

There are 2 types of implementations today:

1. open-source implementations They are either backed by commercial organizations, foundations, or universities. These include:

   • (Sun-backed) SunXACML (http://sunxacml.sourceforge.net/) - very much dead on its own but used in other products such as WS02's offering (see below)
   • (R&D-backed) SICSACML (http://www.sics.se/node/2465) backed by SICS, the Swedish Institute for Computer Science, and now taken up by Axiomatics (www.axiomatics.com)
   • (University-backed) Heras AF (http://www.herasaf.org/heras-af-xacml.html): Orange is using their product. Orange is one of the leading telecommunications providers in Europe.
   • WS02 is a company that was born from the Apache Synapse project and expanded into different areas successfully including XACML by using the initial SunXACML implementation (http://wso2.org/library/identity-server/user-management/xacml). I am not sure they have customers using XACML today.
   • Enterprise XACML (http://code.google.com/p/enterprise-java-xacml/) but not updates in nearly a year
   • Brad Cox also a neat approach to implementing XACML as described in his blog and paper at http://bradjcox.blogspot.com/

2. Commercial products

   • Oracle OES provides a SunXACML-based XACML 2.0 implementation. It is hard to know whether OES customers are using XACML features.
   • IBM Tivoli Security Policy Manager
   • Axiomatics Policy Server took SICSACML and marketed it in 2006 - their product fully implements XACML 3.0. Their customers include "one of the world's largest bank", Paypal, Bell Helicopter, Swedish National Healthcare service, SOS Alarm, and DATEV eG as listed at www.axiomatics.com/customers.html

There are other vendors such as Jericho Systems and Nextlabs that offer XACML. Also Securent (later bought by CISCO) had a XACML offering.

Lastly I recommend you visit the XACML TC (http://www.oasis-open.org/committees/xacml/) where you can see its contributing members. Those include Oracle, Axiomatics, Boeing, Veterans Administration, EMC who are regular contributors.

Answer 2

I'm a member of the team at IBM that builds a security policy management solution, including XACML for authorization policy; and I used to be the team lead for the XACML runtime component itself. The product is called Tivoli Security Policy Manager, and is definitely under active development.

WebLogic used to be built by BEA, before they were acquired by Oracle. I'm not sure if Oracle still sells it or not.

Axiomatics also has a XACML solution, as does Jericho Systems.

Answer 3

WSO2 Identity Server (http://wso2.org/) is a open source entitlement engine which is based on the sunxacml. WSO2 Identity Server contains a nice XACML UI policy editor which can be easily used to create complex XACML policies. There is a PIP layer to plug any attribute finder module with it. Therefore you are able to find your attribute from any database, LDAP user store , web services and many more .... Also there are decision caching, policy caching and PIP level attribute caching to improve the performance. You can refer the implementation source code from here [1]

[1] https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/components/identity/org.wso2.carbon.identity.entitlement/

Answer 4

DATEV (a german IT service provider w 5800 employees) announced in 2010 that they will use XACML. Swedish software company Axiomatics will develop a Datev version of its identity management solution.

Answer 5

XACML implementations (Sun, XEngine, and EnterpriseXACML) are currently interpeters, which makes it hard to debug how a decision was reached since debuggers show the interpreter's internal code, not the policy itself.

I've written a compiler for DOD/DISA that transforms XACML directly to Java code. The goal was making policies easier to understand, not speed, but it is gratifying that compiled policies run in about a tenth the space and time as Sun's interpreter.

The compiler has now been verified by using the same Oasis compliance tests that Sun's interpreter uses. Out of ~400 tests, it passes all but 8. Current problem areas are cases the standard isn't clear on; Subject Categories and PolicySet IdReferences to name two.

I'm wiring it up as a SAML-P service this weekend. Release plans aren't final yet but we'll probably release it as open source on forge.mil as soon as the SOA version stabilizes.

Note added: There's a link to an AFCEA paper about it at http://bradjcox.blogspot.com/2011/03/compiling-xacml-to-java-source.html

Answer 6

I'm aware that this questions was posted a few years ago but it can be relevant right now to people looking for open source XACML implementations.

The project AuthZForce provide an opensource XACML 3.0 implementation with a multi tenant REST API along with a java based API. It also provide an XACML SDK.

AuthZForce is available on github, on the OW2 repository and a docker container as well as a debian package are available

• http://github.com/authzforce
• https://tuleap.ow2.org/projects/AuthzForce/

I'm one of the core developper of the project so feel free to reach me if you have any questions.

Answer 7

BiTKOO (http://bitkoo.com) has XACML 3.0 integrated into its Keystone family of authorization management products. I'm the architect of BiTKOO's XACML core technologies (PDP, PAP, PEP).

A wide variety of organizations are now using XACML based solutions for authorization management. Most are large organizations - government agencies (foreign, domestic, military, and state), universities, media companies, industrial companies, etc.

Answer 8

PicketBoxXACML, formerly JBossXacml also wraps SunXacml's implementation and provides an updated PDP. There's not alot of documentation out there on it, but it's open source.

Answer 9

This may not be helpful as it's not a COTS product, but it may be of interest to you or others.

There is an open-source XACML implementation at http://code.google.com/p/enterprise-java-xacml/ which I've used recently. It covers the entire specification and has pretty decent policy evaluation performance considering it's not optimised.

Answer 10

You can have a look at http://www.herasaf.org/ . It is a highly developed open source project (Although I don't know which license they are under) I looks really promising, but there is still a lot of work to do.

Answer 11

If you are looking for an alternative to Sun XACML you should really have a look at HERAS-AF (www.herasaf.org). It's a very active project and their support is very good and fast responding (e.g. forum.herasaf.org). Code is in good quality and it provides very much extension points. The API is clear and very easy to use. Have a look at the getting started guide. It is developed and published under Apache2 license.

Answer 12

OpenAM, an open source access management and web Single Sign On solution, previously known as OpenSSO, provides a PDP and has support for XACML 3.0 for importing and exporting policies. More information at openam.forgerock.org.

Answer 13

Hi you might also want to have a look at ViewDS identity Solutions (see http://www.viewds.com). ViewDS have two XACML solutions. Access Sentinel which provides for externalised authorisation services with a PDP/PIP and two PAPs (DortNet & Java) and a variety of PIPS. Their product also supports Delegation, Roles Management & obligations. ViewDS Identity Solutions also have an LDAP Directory with its own integrated searching and matching engine and have XACML enabled the Directory. That is they use XACML to provide the Policy based authorisation system for accessing Directory information over the Web.

Answer 14

Here's an interesting discussion at Forrester blog http://blogs.forrester.com/andras_cser/13-05-07-xacml_is_dead that actually updates the state of XACML as of 2013. Be sure to read the comments as well.