Question

I am using XACML 3.0. I just want to know what the best practice is for separating the PEP and PDP instances. I have three scenarios here; which one is best for a cloud-style implementation?

  1. I have one instance of PEP which will communicate with multiple PDP instances.
  2. I have multiple PEP and multiple PDP instances which will communicate with each other.
  3. I have multiple PEP instances which will communicate with one PDP instance.

Solution

The typical deployment I see is one or more enforcement points (PEP) talking to a load balancer that sits in front of multiple PDPs that are all equally configured.

That's true of any version of XACML.

PDPs rarely communicate with each other, though you could imagine having a PDP talk to another via a PIP connector.

EDIT: Here's an architecture diagram:

[Diagram: Load balancing the PDP]
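The deployment the answer describes (several PEPs sending requests to a load balancer that fronts a pool of identically configured PDPs) can be modelled in a few dozen lines. The following is an added illustration, not code from the question or the answer: the policy rules, attribute names, the digest check that the pool is "equally configured", the round-robin scheduling and the fail-closed behaviour of the PEP are all assumptions made for the example, and the XACML request is reduced to three attributes rather than a real request context.

```python
"""Toy model of PEPs -> load balancer -> pool of equally configured PDPs.
Added example; the policy, attribute names and balancing strategy are
constructed for illustration and are not part of the original answer."""
from dataclasses import dataclass
import hashlib
import itertools
import json


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for an XACML request context (constructed)."""
    subject_role: str
    action: str
    resource: str


# Constructed example policy: (subject role, action, resource, effect).
EXAMPLE_POLICY = [
    ("doctor", "read", "patient-record", "Permit"),
    ("nurse", "read", "patient-record", "Permit"),
    ("nurse", "write", "patient-record", "Deny"),
]


class PDP:
    """One Policy Decision Point. Every instance behind the balancer must
    hold the same policy; the digest lets the balancer verify that."""

    def __init__(self, name, policy):
        self.name = name
        self.policy = list(policy)
        self.healthy = True  # flipped to False to simulate an outage

    def policy_digest(self):
        canonical = json.dumps(self.policy, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()

    def evaluate(self, req):
        if not self.healthy:
            raise ConnectionError(f"{self.name} unreachable")
        for role, action, resource, effect in self.policy:
            if (role, action, resource) == (req.subject_role, req.action, req.resource):
                return effect
        return "NotApplicable"  # no rule matched this request


class LoadBalancer:
    """Round-robin across healthy PDPs; refuses a pool whose members differ."""

    def __init__(self, pdps):
        if len({p.policy_digest() for p in pdps}) != 1:
            raise ValueError("PDPs behind one balancer must be equally configured")
        self.pdps = list(pdps)
        self._next = itertools.cycle(range(len(self.pdps)))

    def evaluate(self, req):
        # Try each PDP at most once; skip the ones that are down.
        for _ in range(len(self.pdps)):
            pdp = self.pdps[next(self._next)]
            try:
                return pdp.name, pdp.evaluate(req)
            except ConnectionError:
                continue
        raise ConnectionError("no healthy PDP available")


class PEP:
    """Policy Enforcement Point: asks the balancer, never decides locally."""

    def __init__(self, name, balancer):
        self.name = name
        self.balancer = balancer

    def is_permitted(self, role, action, resource):
        try:
            _, decision = self.balancer.evaluate(Request(role, action, resource))
        except ConnectionError:
            return False  # fail closed when no PDP can answer
        return decision == "Permit"


def build_pool(size=3):
    """Create `size` identically configured PDPs behind one balancer."""
    pdps = [PDP(f"pdp-{i}", EXAMPLE_POLICY) for i in range(size)]
    return LoadBalancer(pdps), pdps


def run_demo():
    """Two PEPs share one pool; outages are simulated by marking PDPs unhealthy."""
    balancer, pdps = build_pool()
    api_pep = PEP("api-gateway", balancer)
    ui_pep = PEP("web-frontend", balancer)
    results = {
        "doctor_read": api_pep.is_permitted("doctor", "read", "patient-record"),
        "nurse_write": ui_pep.is_permitted("nurse", "write", "patient-record"),
    }
    pdps[0].healthy = False  # one PDP down: the balancer routes around it
    results["after_one_failure"] = api_pep.is_permitted("doctor", "read", "patient-record")
    for p in pdps:           # whole pool down: the PEP fails closed
        p.healthy = False
    results["after_total_failure"] = api_pep.is_permitted("doctor", "read", "patient-record")
    return results


if __name__ == "__main__":
    print(run_demo())
```

The digest check is the part worth carrying into a real deployment: a pool is only interchangeable if every PDP loads the same policy set, so publish policy to all members from one source and verify it (by version or hash) before a node takes traffic. The PEP returning False on a balancer error is the other safety property; a PEP that cannot reach any PDP should deny, not guess.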

Licensed under: CC-BY-SA with attribution