I too am against reinventing the wheel, and that is one of the reasons we selected Picketbox/Picketlink as a
starting point for our research. When we started, we reviewed all of the existing open source SAML/XACML
solutions and found that Picketbox/Picketlink put us close to our goal with minimal modification.
As far as why I need to create a custom PDP, there are two reasons (if I missed something
that would allow these features in the existing implementation, a pointer would be great!):
1) We need to support attribute-based authorization. The current implementation appears to be
role-based authorization.
2) We need to support remote Attribute Authorities. From what I can determine, this would require
modification of the PDP to allow for configuration of a known/trusted attribute authority that
is not self-contained.
Another requirement that I have not started to investigate, but which I think should be supported in the existing
PDP, is the integration of a custom rule combining algorithm.
At the moment, the custom PolicyRegistration approach is the route I took. This has allowed me
to extend and modify the existing PDP to meet my requirements. It is possible that what I am doing
is very specific and not worth modification of the existing implementation.
Hope this helps somewhat in clarifying my intent.
Brian