Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Implementing XML web services authentication John Messing Law-on-Line, Inc. Prepared for Maricopa County ICJIS May 17, 2006.

Published byEthel Webster Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to Implementing XML web services authentication John Messing Law-on-Line, Inc. Prepared for Maricopa County ICJIS May 17, 2006."— Presentation transcript:

1 Introduction to Implementing XML web services authentication John Messing Law-on-Line, Inc. Prepared for Maricopa County ICJIS May 17, 2006

2 Legal: Proving up audit trails Regulatory contexts (Sarbanes-Oxley) Evidence in court - In re Vee Vinhnee, 336 BR 437 (BAP 9 th Cir. 2005). Digital data base records offered into evidence must be established first as unchanged since creation through foundational testimony from a qualified witness, preferably aided by cryptographic protections.

3 SAML and WSS: related OASIS standards Not yet interoperable But WSS includes a SAML profile

4 SAML Authentication for –Access control – Audit purposes Used with –Web browsers –SOAP messages

5 WSS Protections for SOAP messages on the wire –Defines bindings for W3C XML encryption and XML signatures to SOAP messages –Conveys security tokens in SOAP headers for credentialing, integrity and confidentiality WSS profiles –Kerberos tickets –X.509 certificates –Username/Password tokens –SAML Assertions –XRML Licenses

6 Limited protection For data in transit between the end user’s machine and the web service. No protection against malware on the user’s machine that hijacks a legitimate authentication. –Serious Internet banking problem –May need also to capture and data-mine usage –Not yet addressed by standards

7 Scope SAML –authentication for single sign-on purposes –includes web browsing in addition to SOAP WSS –Broader purposes such as digital rights protection, but includes only SOAP

8 Techniques WSS places SAML token inside the header to authenticate the SOAP body. In SAML itself, the assertion resides in the SOAP body, to authenticate the user. Since SAML 2.0, attributes can be encrypted, so features are otherwise comparable in many ways. NB – Signing, encryption, and Base64 encoding in addition XML parsing are processor-intensive operations that can limit the scalability of SOA implementations.

9 Usefulness Federated authentication can be indispensable across security domains. SAML generally is more mature than WSS MS opposes SAML except as part of WSS WS-I.org – implementation vetting efforts by vendors supporting WSS SAML and WSS each seem compatible with GJXML, NIEM and ECF 3.x

10 Security Token Service Brokered authentication to mediate non- interoperable security methods and update diverse security data stores. Relies on WS-Trust and WSS SAML profile Useful where DotNet implementations interact with non-MS web services in SOA Custom built or proprietary solutions

11 Document security SAML and WSS do not address document level security. Acrobat 5+ and OASIS DSS do. ECF 3.0 provides for document level security (5 signature profiles) and allows for optional messaging layer security using WS-I BP 1.0 (WSS derived)

12 Related presentations SAML update SAML animation WSS 1.1 STS

13 IPR Considerations Open standards usually provide for an agreement to license proprietary intellectual property of vendors to participants that is needed to implement a standard. The terms are generally not self-executing. Requesting and obtaining licenses can be time-consuming and frustrating. But it must be done. E.g. WebMethod and Epicentric patent claims to SOAP 1.2. Obtain licenses from all vendor participants who agree to the use of their IPR in the standards. Understand the license terms and implications, including royalty obligations, before investing heavily.

14 End John Messing Law-on-Line, Inc. 5151 E. Broadway Blvd., Suite 1600 Tucson, AZ 85711 (520) 512-5432 (office) (520) 512-5401 (fax) (520) 270-1953 (mobile) johnmessing@lawonline.biz

Download ppt "Introduction to Implementing XML web services authentication John Messing Law-on-Line, Inc. Prepared for Maricopa County ICJIS May 17, 2006."

Similar presentations

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.
XKI Atomic Signatures John H. Messing, Esq. Law-on-Line, Inc. © JHM 2007 This presentation is informational only and not intended as a contribution to.

XKI Atomic Signatures John H. Messing, Esq. Law-on-Line, Inc. © JHM 2007 This presentation is informational only and not intended as a contribution to.
LEGALLY ENFORCEABLE ELECTRONIC SIGNATURES: Old Myths and New Realities &/OR New Myths and Old Realities.

LEGALLY ENFORCEABLE ELECTRONIC SIGNATURES: Old Myths and New Realities &/OR New Myths and Old Realities.
Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Core Web Service Security Patterns

Core Web Service Security Patterns
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.

Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
Prashanth Kumar Muthoju

Prashanth Kumar Muthoju
GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Similar presentations

Ads by Google