How to Manage Trust between PEP and PDP

StackOverflow https://stackoverflow.com/questions/21479622

  •  05-10-2022
  •  | 
  •  

Question

I am working with distributed scenario in which I have multiple instances of PEP and PDP , in such a scenario how PDP will validate that XACML request is coming from my trusted PEP.

Was it helpful?

Solution

There are can be different ways to trust the PEP. It is not clearly mentioned in the spec. But it is mentioned that you must use SSL and authentication mechanism (such as Basic/Digest authentication). Also there is a SAML-XACML profile that talks about PEP-PDP communication. But I guess, following two simple ways can be used.

  1. Basic authentication with SSL. Each PEP is given with user/password. When PEP sends a XACML request, User/Pass must be sent within Basic auth headers. PDPs can verify the user/pass by processing Basic Auth headers. All PDPs can be connected with same credential store.

  2. Mutual SSL. (two-way SSL). You can implement the PDP to support for mutual SSL. Then PEP must create a SSL session by exchanging certificates. PEP must have a its own certificate (private, public key pair). To trust PEP's certificated by the PDP, they must be in the PDP's trust store.(or less signed by a trusted CA) Then PDP can trust the certificate of the PEP.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top