Would like a standard for defining the URN namespace.
Could send an encrypted, signed packet in an encrypted tunnel.
Andalucia is using URNs for students. The hub filters on the URN and students get added to the learning system at the receiving institution. A URN with defined fields.
The Austrian government is using parameter lists for roles; similar to scoped attributes, but providing a list of key-value pairs instead of a single value.
Role-based approach, e.g. user, administrator, power user, with or without permission sets. Historically used a huge permission set. Want to move to a role-based approach but wary that this isn't granular enough.
Permissions bring us into the realm of XACML.
STS is like PGP and issues a permission set to a customer, which gets forwarded by the IdP.
IdP defines the AuthZ policy.
Context gets more complicated within federations (and between them).
SAML2 request includes AuthZ, so it sends an XACML request that gets forwarded to the PDP.
Context involves the identity and what it is doing.
Much easier to ask whether a user is allowed to access something than to make decisions at the endpoint based on attributes.
The PDP needs attributes to make the decision.
XACML has a PIP to resolve attributes wherever they come from.
In trying to solve single log-out, a central point is helpful for authorization, but scalability is an issue.
Could be distributed with a load balancer...
PDP = policy decision point
PIP = policy information point
RBAC = role-based access control
PDP/PIP could be with the AP or the RP.
The further you store data from the source, the quicker it rots.
AuthZ in the context of applications will be role-based. Avoid context in federated infrastructure, stick to RBAC, use a central repository to manage the access tokens (long-term tokens).
Provide RBAC but won't discard permission sets, to reduce dependency.
Will use a PDP to be more flexible.
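Added example (not from the notes or from any of the projects mentioned): a toy XACML-style PDP/PIP split in Python illustrating the points above about the PDP needing attributes, the PIP resolving them, role-based rules with key-value parameters on roles, and the endpoint only asking "is this user allowed?" rather than evaluating raw attributes itself. All subjects, roles, resources and rules are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed attribute source standing in for the IdP/attribute provider.
# Roles carry key-value parameters (the "parameter list" style of role).
ATTRIBUTE_SOURCE = {
    "alice": {"roles": [{"name": "student", "faculty": "physics"}]},
    "bob": {"roles": [{"name": "administrator", "scope": "library"}]},
}

class PolicyInformationPoint:
    """PIP: resolves the attributes the PDP needs, wherever they are held."""
    def __init__(self, source):
        self.source = source

    def attributes(self, subject):
        return self.source.get(subject, {})

@dataclass
class Rule:
    role: str
    action: str
    resource: str
    required_params: dict = field(default_factory=dict)  # e.g. {"scope": "library"}

class PolicyDecisionPoint:
    """PDP: evaluates role-based rules; the endpoint only asks Permit/Deny."""
    def __init__(self, pip, rules):
        self.pip, self.rules = pip, rules

    def decide(self, subject, action, resource):
        attrs = self.pip.attributes(subject)  # pull attributes via the PIP
        for rule in self.rules:
            if (rule.action, rule.resource) != (action, resource):
                continue
            for role in attrs.get("roles", []):
                if role.get("name") == rule.role and all(
                    role.get(k) == v for k, v in rule.required_params.items()
                ):
                    return "Permit"
        return "Deny"  # deny by default: unknown subject or no matching rule

def build_demo_pdp():
    """Wire a PDP to the constructed PIP with a small role-based policy."""
    rules = [
        Rule("student", "read", "course-material"),
        Rule("administrator", "manage", "catalogue", {"scope": "library"}),
        Rule("administrator", "manage", "enrolments", {"scope": "registrar"}),
    ]
    return PolicyDecisionPoint(PolicyInformationPoint(ATTRIBUTE_SOURCE), rules)
```

The relying party calls `decide(subject, action, resource)` and never sees the attributes; swapping the attribute source or moving the PDP/PIP between the AP and RP changes nothing at the endpoint.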
Talking about SAML2 bearer tokens.