« What current trends tell us about the future of federated access management in education | Main | The DCMI Abstract Model in 2010 »

October 14, 2010

SAML attributes vs. entitlements - a quick rule of thumb

One specific issue that came up during discussions at the FAM10 conference (see my previous post) was about the use of 'attributes' vs 'entitlements' in the SAML messages passed from Identity Providers to Service Providers'. For the purposes of this discussion:

  • an attribute is some property of the individual - eye colour, age, sex and staff category being examples;
  • an entitlement is an indication of something that the person is allowed to do once they have been authenticated.

(Note: in practice, both attributes and entitlements (as used here) are carried as SAML attributes - the difference lies only in their semantics).

In most use-cases it is possible to use either attributes or entitlements to achieve a particular task. For example, individuals with a staff category of 'librarian' (an attribute) may be inferred by the Service Provider to be allowed to order new books within, say, a library management system - anyone with that attribute is allowed to do so. Alternatively, a 'bookOrdering' entitlement may be used - only people with that entitlement are allowed to order new books, irrespective of whether they are a librarian or not.

So, the question arose, when does one use an attribute and when does one use an entitlement?

In the discussion, I proposed a rule of thumb for making that decision, as follows:

Where you specifically want to control access to some resource or function, and particularly where such a requirement exists across multiple Service Providers, use an entitlement. Where you want to record a property of an individual, particularly where that property issued across multiple Identity Providers, and where different Service Providers may take different actions based on that property (e.g. one system may use the property to configure the user interface, another may use it to control access) use an attribute.

Simples!

Well, not really, but it's a start.

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8345203ba69e20134882fead7970c

Listed below are links to weblogs that reference SAML attributes vs. entitlements - a quick rule of thumb:

Comments

The comments to this entry are closed.

About

Search

Loading
eFoundations is powered by TypePad