XACML User Work-Flow

January 20, 2012 by
Filed under: Architecture, Security 

With some of the foundational components defined previously, we will examine the big picture of an XACML authentication system and then break out more workflows over time to show an application of this security framework.

[Diagram: XACML workflow]

As you can see in the above diagram, the request moves between the PEP, PDP and PIP. Here is a step-by-step breakdown.

1 – You attempt access to a secure system. You will essentially be calling a PEP (enforcement point), which will check your authentication to ensure you are who you say you are; if you are authentic, it will forward the request to the PDP.

2 – The PEP packs this information, along with roles and claims, and sends it to the PDP for a decision to be made about you.

3 – The PEP will check the cache and return a cached decision if one exists; if not available, it will then try to make a decision, most likely getting information from the PIP to decide on your authorization access.

4 – The PIP will query the identity system, usually Active Directory or some other identity system.

5 – The PIP will also query any other systems if needed, and send the results back to the PDP for a decision.

6 – The PDP caches the data from the PIP and makes a decision about authorization.

7 – The PDP sends the decision back to the PEP, which then allows or denies the request.

8 – The PEP allows or disallows the request based on the policies.
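To make the eight steps concrete, here is a toy PEP/PDP/PIP round trip written for this post (it is not code from the original article or from any XACML product). The directory contents, session tokens and the single ledger rule are constructed assumptions; the point is that an unauthenticated caller never reaches the PDP, the PDP only goes to the PIP on a cache miss, and the policy defaults to deny.

```python
from typing import Callable, Dict, Tuple

# Steps 4-5: a constructed identity store standing in for Active Directory.
DIRECTORY: Dict[str, dict] = {
    "alice": {"department": "finance", "clearance": 2},
    "bob": {"department": "sales", "clearance": 1},
}
# Step 1: authenticated sessions the PEP trusts (constructed sample tokens).
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}

class PIP:
    """Policy Information Point: resolves subject attributes on demand."""
    def __init__(self, directory: Dict[str, dict]) -> None:
        self.directory = directory
        self.lookups = 0  # counts directory round trips so caching is observable
    def attributes(self, subject: str) -> dict:
        self.lookups += 1
        return self.directory.get(subject, {})

class PDP:
    """Policy Decision Point: caches PIP data and evaluates the policy."""
    def __init__(self, pip: PIP, policy: Callable[[dict, str, str], str]) -> None:
        self.pip, self.policy = pip, policy
        self.cache: Dict[Tuple[str, str, str], str] = {}
    def decide(self, subject: str, resource: str, action: str) -> str:
        key = (subject, resource, action)
        if key not in self.cache:                      # step 3: cache miss
            attrs = self.pip.attributes(subject)       # steps 4-5: ask the PIP
            self.cache[key] = self.policy(attrs, resource, action)  # step 6
        return self.cache[key]                         # step 7: hand decision back

class PEP:
    """Policy Enforcement Point: authenticates, asks the PDP, enforces."""
    def __init__(self, pdp: PDP, sessions: Dict[str, str]) -> None:
        self.pdp, self.sessions = pdp, sessions
    def request(self, token: str, resource: str, action: str) -> str:
        subject = self.sessions.get(token)
        if subject is None:            # step 1: unauthenticated, never reaches the PDP
            return "Deny"
        return self.pdp.decide(subject, resource, action)  # steps 2 and 8

def ledger_policy(attrs: dict, resource: str, action: str) -> str:
    """Assumed rule: finance staff with clearance >= 2 may read the ledger."""
    if (resource == "ledger" and action == "read"
            and attrs.get("department") == "finance"
            and attrs.get("clearance", 0) >= 2):
        return "Permit"
    return "Deny"  # default deny also covers unknown subjects with no attributes

def build_pep() -> PEP:
    """Wire the three points together for a request such as build_pep().request(...)."""
    return PEP(PDP(PIP(DIRECTORY), ledger_policy), SESSIONS)
```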


We will examine the components and possible implementation solutions to these problems, and why they are very useful for externalizing security decisions from an application. An alternate flow is one in which the PEP controls the data flow as well, rather than performing just a security check, constraining the data returned based on the policies.

