For Authorization, the PEP could accept a Subject, Resource and Action. The Subject could
be an authenticated user or role, the Resource would be the entity being protected and
the Action what the user wants to do.
For example, for someone wanting to read data from a personnel database, the subject could
be a user role, resource would be the database and action would be a read.
This fits right into the XACML spec and could be adjusted to fit most policy-based
authorization needs.
Would the authentication PEP follow the SAML spec? They have some good features within an
Assertion. I have a Class Diagram of an Assertion and am using it with smooks to read and
write data to the SAML Assertion. I will post the UML diagram and some SAML assertions to
see if it captures it. I will also generate some SAML test cases similar to the
compliance tests for XACML.
View the original post: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4187921#...
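Added illustration of the Subject/Resource/Action triple described in the post (not code from the poster or from the JBoss project): the PEP serialises the personnel-database read as a XACML 2.0 Request, a toy PDP evaluates it against a constructed policy with deny-overrides, and the PEP treats anything other than an explicit Permit as refused. The role values, resource name and policy rules are made-up sample data.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 context namespace and the standard attribute identifiers used below
NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

def tag(name):
    return f"{{{NS}}}{name}"

def build_request(role, resource, action):
    """PEP side: serialise the (Subject, Resource, Action) triple as a XACML 2.0 Request."""
    req = ET.Element(tag("Request"))
    for section, attr_id, value in (("Subject", SUBJECT_ROLE, role),
                                    ("Resource", RESOURCE_ID, resource),
                                    ("Action", ACTION_ID, action)):
        attr = ET.SubElement(ET.SubElement(req, tag(section)), tag("Attribute"),
                             AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(attr, tag("AttributeValue")).text = value
    ET.SubElement(req, tag("Environment"))  # required by the schema, empty here
    return ET.tostring(req, encoding="unicode")

def parse_request(xml_text):
    """PDP side: pull the three attribute values back out of the Request document."""
    root = ET.fromstring(xml_text)
    found = {}
    for section in ("Subject", "Resource", "Action"):
        node = root.find(f"{tag(section)}/{tag('Attribute')}/{tag('AttributeValue')}")
        found[section] = node.text if node is not None else None
    return found["Subject"], found["Resource"], found["Action"]

# Constructed sample policy: (role, resource, action, effect), combined deny-overrides.
POLICY = [
    ("hr-clerk", "personnel-db", "read", "Permit"),
    ("hr-clerk", "personnel-db", "write", "Deny"),
    ("hr-admin", "personnel-db", "write", "Permit"),
]

def evaluate(xml_text):
    """Toy PDP: a matching Deny beats Permit; no matching rule yields NotApplicable."""
    role, resource, action = parse_request(xml_text)
    effects = {e for r, res, act, e in POLICY if (r, res, act) == (role, resource, action)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

def pep_allows(role, resource, action):
    """PEP decision: only an explicit Permit grants access; NotApplicable is refused too."""
    return evaluate(build_request(role, resource, action)) == "Permit"
```

Note that the PEP never grants on NotApplicable: a request for a resource no rule covers is refused, which is the fail-closed behaviour a PEP in front of the personnel database should have.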