
Who uses XACML?

Tags: security, xacml

Has anyone written XACML Implementations other than the Sun XACML Implementation and XEngine?

Who uses them in their products?

Which vendors provide a PDP? I read something about a WebLogic XACML Provider. What other products support XACML?

lajuette asked May 23 '10 20:05




4 Answers

This has been answered on the XACML TC list already: http://markmail.org/message/w7msffsbi6qzgfoj

XACML is used in a wide variety of industries today. Trying to summarize what's been said:

There are 2 types of implementations today:

  1. Open-source implementations. They are either backed by commercial organizations, foundations, or universities. These include:

    • (Sun-backed) SunXACML (http://sunxacml.sourceforge.net/) - very much dead on its own but used in other products such as WSO2's offering (see below)
    • (R&D-backed) SICSACML (http://www.sics.se/node/2465) backed by SICS, the Swedish Institute for Computer Science, and now taken up by Axiomatics (www.axiomatics.com)
    • (University-backed) Heras AF (http://www.herasaf.org/heras-af-xacml.html): Orange is using their product. Orange is one of the leading telecommunications providers in Europe.
    • WSO2 is a company that was born from the Apache Synapse project and expanded into different areas successfully, including XACML, by using the initial SunXACML implementation (http://wso2.org/library/identity-server/user-management/xacml). I am not sure they have customers using XACML today.
    • Enterprise XACML (http://code.google.com/p/enterprise-java-xacml/) but no updates in nearly a year
    • Brad Cox also has a neat approach to implementing XACML as described in his blog and paper at http://bradjcox.blogspot.com/
  2. Commercial products

    • Oracle OES provides a SunXACML-based XACML 2.0 implementation. It is hard to know whether OES customers are using XACML features.
    • IBM Tivoli Security Policy Manager
    • Axiomatics Policy Server took SICSACML and marketed it in 2006 - their product fully implements XACML 3.0. Their customers include "one of the world's largest bank", PayPal, Bell Helicopter, Swedish National Healthcare service, SOS Alarm, and DATEV eG as listed at www.axiomatics.com/customers.html

There are other vendors such as Jericho Systems and Nextlabs that offer XACML. Also Securent (later bought by Cisco) had a XACML offering.

Lastly I recommend you visit the XACML TC (http://www.oasis-open.org/committees/xacml/) where you can see its contributing members. Those include Oracle, Axiomatics, Boeing, Veterans Administration, EMC who are regular contributors.

David Brossard answered Oct 31 '22 13:10


I'm a member of the team at IBM that builds a security policy management solution, including XACML for authorization policy; and I used to be the team lead for the XACML runtime component itself. The product is called Tivoli Security Policy Manager, and is definitely under active development.

WebLogic used to be built by BEA, before they were acquired by Oracle. I'm not sure if Oracle still sells it or not.

Axiomatics also has a XACML solution, as does Jericho Systems.

craigforster answered Oct 31 '22 14:10


WSO2 Identity Server (http://wso2.org/) is an open source entitlement engine which is based on sunxacml. WSO2 Identity Server contains a nice XACML UI policy editor which can be easily used to create complex XACML policies. There is a PIP layer to plug any attribute finder module into it. Therefore you are able to find your attributes from any database, LDAP user store, web services and many more. Also there are decision caching, policy caching and PIP-level attribute caching to improve the performance. You can refer to the implementation source code here [1]

[1] https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/components/identity/org.wso2.carbon.identity.entitlement/

Asela answered Oct 31 '22 14:10


DATEV (a German IT service provider with 5800 employees) announced in 2010 that they will use XACML. Swedish software company Axiomatics will develop a Datev version of its identity management solution.

mjn answered Oct 31 '22 14:10