Using SAML for credential delegation

The paper "Extending the Security Assertion Markup Language to Support Delegation for Web Services and Grid Services" by Jun Wang and my friend Marty Humphrey over at the CS department, University of Virginia, is a great read. It shows how user-rights delegation can be done with SAML, a common requirement in Internet-scale applications (aka Grid applications). They also provide an implementation built on Microsoft's WSE (Web Services Enhancements).

Here's a quote from the paper:

"The problem with the conventional approach in Grids - GSI X509 proxy certificates [5] - is that commercial tooling for Web Services does not necessarily recognize and properly process these certificates, typically the Distinguished Name (DN) in the certificate or in path validation. Even with the recent introduction of proxy certificates in the IETF, it is not clear when and if this commercial support will occur. An alternative approach that is pursued in this work is to leverage and extend existing Web Services standards, without breaking the existing tooling, so as to facilitate Grid practitioners more easily building and consuming services across the Grid without requiring Grid-specific protocols."

Excellent stuff.