January 19, 2005 Andrew Nash Chief Technology Officer, Reactivity xmlCoP Interoperable Trust Networks.


Slide 1: xmlCoP Interoperable Trust Networks. January 19, 2005. Andrew Nash, Chief Technology Officer, Reactivity.

Slide 2 (Reactivity Proprietary & Confidential): Web Service Aggregator Example (Browser Redirection)
Yahoo shopping portal searches for products and lowest prices across all storefronts
– Search results displayed at Yahoo
– Users redirected to backend web sites belonging to vendors
– Interactions with vendors use browser redirects
– Single Sign On achieved using SAML assertions
(Diagram label: HTTP Redirection)

Slide 3: Web Service Aggregator Example (Web Services)
Yahoo shopping portal searches for products and lowest prices across all storefronts
– Results aggregated at Yahoo instead of redirecting users to backend web sites
– Common shopping, payment, shipping and query interfaces provided through Yahoo portal
– Interactions with vendors use Web Service transactions
– Complementary to classic Liberty Federation using browser redirection; avoids changing look and feel
(Diagram labels: HTML, Web Services)

Slide 4: User and Transactional Security
(Diagram labels: Applications, Users, Web Servers, User Security, Transactional Security)
Transactional security:
– Business transaction model based on XML and Web Services
– Applications exchange transactions; users are not directly involved
– Sender may not originate transactions and does not know the final destination
– Security requirements are based on the content of the transaction, not the identity of the applications

Slide 5: Overlapping Web Security Standards
(Diagram labels: SAML; User Federation: Liberty ID FF, WS-Federation; Web Services: WSS, WS-Trust, WS-Secure Conversation; SOAP, HTTP)

Slide 6: Security Assertions Markup Language
Framework for exchanging security assertions
– Profiles will map assertion use to messaging frameworks
Use cases
– Single Sign-On: a Web user authenticates at a Web site, then accesses another Web site without re-authenticating
– Authorization Service: a user attempts to access a resource or service; the access controller for that resource (policy enforcement point) checks the user's rights with a policy decision point
– Attribute Service: a user moves from one web site to another; customer loyalty information or context is passed to simplify the user's experience as part of federated information services

Slide 7: SAML Domain Model
(Diagram labels: Authentication Assertion, Attribute Assertion, Authorization Decision Assertion; Authentication Authority, Attribute Authority, Policy Decision Point, Policy Enforcement Point; Credentials Collector, System Entity, Application Request, Policy)

Slide 8: SAML Assertion Request Protocol (diagram only)

Slide 9: Where Does Liberty Fit?
Liberty Alliance is focused on SSO and user information sharing using a federated identity model
Liberty is an application domain standard
Builds on standards defined elsewhere to solve the application domain problems
Liberty will use SAML V2 for infrastructure support
(Diagram labels: Liberty Alliance, SAML, WS Security, Other Federation Enabling Standards, SOAP; "Liberty move to WSS")

Slide 10: Liberty & SAML
(Diagram labels: Liberty Identity Provider, Liberty Service Provider; SAML Authentication Assertion, Attribute Assertion, Authorization Decision Assertion; Authentication Authority, Attribute Authority, Policy Decision Point, Policy Enforcement Point; SAML, SOAP Foundation)

Slide 11: Liberty Identity Federation
(Diagram: a "Circle of Trust" made up of MyCompany.com (ID Provider), BusUnit1.com and PartnerA.com; the same user appears as Name:Jack at BusUnit1.com, Name:John at PartnerA.com and Name:JFK at MyCompany.com)
Federated ID: SecurityDomain="BusUnit1.com" Name="Jack"; SecurityDomain="PartnerA.com" Name="John"
Federated ID with opaque identifiers: SecurityDomain="BusUnit1.com" Name="dTvIiRcMlpCqV6xX"; SecurityDomain="PartnerA.com" Name="pfk9uzUN9JcWmk4RF"

Slide 12: Liberty/SAML Web SSO Model
Parties: Service Provider and Identity Provider (Authentication Authority, Attribute Authority) within a "Circle of Trust"
1. Request Access
2. Redirect w/ AuthN Request
3. Authenticate
4. Redirect w/ SAML AuthN reference
5. Request SAML AuthN Assertion
6. Receive SAML AuthN Assertion
7. Grant Access
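Steps 6 and 7 of the SSO model are where the service provider has to decide whether the assertion it just received is one it should act on. The following Python is an added example, not code from the talk or from Reactivity: it assumes the SAML 1.1 assertion format (namespace urn:oasis:names:tc:SAML:1.0:assertion), and the issuer, audience, validity times and subject in the sample are constructed. Verifying the XML-Signature over the assertion is assumed to happen before these checks and is not shown.

```python
"""Service-provider side of steps 6 and 7 of the Web SSO model: validate the SAML
authentication assertion received from the Identity Provider before granting
access. Added example; the sample assertion below is constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: what an IdP might return at step 6 for user "jack".
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-assertion-1"
    Issuer="https://idp.example.com" IssueInstant="2005-01-19T10:00:00Z">
  <saml:Conditions NotBefore="2005-01-19T10:00:00Z" NotOnOrAfter="2005-01-19T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2005-01-19T09:59:50Z">
    <saml:Subject>
      <saml:NameIdentifier>jack</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(value: str) -> datetime:
    """Parse the UTC 'Z' timestamps used in the sample into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_audience, now):
    """Return (ok, reason, subject). Stops at the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 1.x assertion", None
    # Only assertions from IdPs inside our circle of trust count.
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element", None
    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_instant(not_before):
        return False, "not yet valid", None
    if not_on_or_after and now >= parse_instant(not_on_or_after):
        return False, "expired", None
    # An assertion issued for another service provider must not be accepted here.
    audiences = [a.text for a in cond.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and my_audience not in audiences:
        return False, "audience mismatch", None
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return False, "no AuthenticationStatement", None
    name = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if name is None or not (name.text or "").strip():
        return False, "no subject", None
    return True, "ok", name.text.strip()


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, {"https://idp.example.com"},
                             "https://sp.example.com",
                             parse_instant("2005-01-19T10:01:00Z")))
```

The order of checks matters in practice: issuer and validity window are cheap and reject most stale or misdirected assertions before anything is done with the subject, and the audience check is what stops an assertion minted for one service provider in the circle of trust from being replayed at another.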

Slide 13: IBM/Microsoft Web Services Architecture
(Diagram: SOAP Foundation; WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-Secure Conversation, WS-Federation, WS-Authorization. Legend: Standards Body, Published Specs, Unpublished Specs)

Slide 14: What's in a Name?
– WS-Security (aka WSS): SOAP Message Security only; does not cover other aspects of security for web services
– WS-Trust: issuance and exchange of security tokens, not establishment and validation of trust
– WS-Policy: policy definition framework; does not describe how policies are managed
– WS-SecurityPolicy: how security information is passed, not how security policy is distributed or enforced

Slide 15: WS-Security
Describes how to secure SOAP messages
Defines how to identify the creator of the message
– Carries multiple credential types including
Message Integrity
– Integrity of all or part of a message
– Builds on XML-Signature
– Supports multiple and overlapping signatures
Message Confidentiality
– Confidentiality of all or part of a message
– Builds on XML-Encrypt

Slide 16: Securing SOAP Messages
WSS information stored in SOAP security header
One or more security tokens carried in header to identify the transaction
XML Signature blocks may be carried to provide integrity and link the identity to the transaction
– Key information within the security token may be used
Privacy provided using XML encryption
(Diagram: SOAP Envelope containing a SOAP Header with the Security Header (wsse: security token, signature, key info) and a SOAP Body with the Message Body)

Slide 17: Security Tokens
Separate profiles define the format and usage rules of various token types
– Username/password
– Binary Security Tokens: an encoding type like Base-64 allows inclusion in XML
  X.509
  Kerberos
– XML Tokens
  SAML
  XRML
  Common Biometric Format
Great ... but where do we get these security tokens from?

Slide 18: WS-Trust
A Security Token Service (STS) issues tokens that can be used in WSS
Forms the basis for several other WS-* standards (coming up)
Token issuance, renewal and validation are handled by an STS
The services of an STS may be required by web services and their clients
Security tokens are a collection of claims about a resource
The claims presented in a security token are examined in the light of the policy controlling the web service

Slide 19: Web Services Trust Model
(Diagram: Requestor, Security Token Service and Web Service, each with its own Policy, Security Token and Claims)

Slide 20: WS-Policy
Framework for defining policy parameters or assertions that affect web services
– WS-PolicyAttachment describes how policies are associated with a resource
– WS-PolicyAssertions defines a common set of assertions
Establishes a mechanism for exchanging requirements between a web services provider and client
Provides machine readable policy statements that describe the operational parameters for interactions between a service and a client
Supports negotiation of the parameters defined within a policy

Slide 21: WS-Policy
Policy is defined as a series of assertions
Each has a usage (required, optional, rejected, etc.) and a preference (ranking of this assertion)
Operators (all, exactlyone, oneormore) define how to evaluate child assertions
WS-PolicyAssertions define common assertion types
– (TextEncoding, Language, SpecVersion)
WS-PolicyAttachment supports
– a standalone option that allows a standalone description of the web service that the policy is associated with
– or integration with WSDL, where a series of pointers reference a policy
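To make the usage/preference/operator model concrete, here is an added Python example (not code from the talk, and not an implementation of any WS-Policy toolkit) that evaluates a small policy tree against the set of features a client says it can use. The operator and usage semantics are a simplified reading of the slide (All, ExactlyOne, OneOrMore; Required, Optional, Rejected; an integer preference used to rank alternatives), and the policy and the client feature sets are constructed.

```python
"""Evaluate a WS-Policy style policy tree against the features a client offers.

Added example. Semantics (simplified from the slide):
  Required  -> the client must offer the feature
  Optional  -> never fails the policy
  Rejected  -> the client must NOT use the feature
  All / ExactlyOne / OneOrMore combine child results; preference ranks the
  satisfied alternatives of a choice operator.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Union


@dataclass
class Assertion:
    name: str                 # what is demanded, e.g. "SecurityToken:X509"
    usage: str = "Required"   # Required | Optional | Rejected
    preference: int = 0       # higher is preferred when ranking alternatives


@dataclass
class Operator:
    kind: str                 # All | ExactlyOne | OneOrMore
    children: List["Node"] = field(default_factory=list)


Node = Union[Assertion, Operator]


def satisfied(node: Node, offered: Set[str]) -> bool:
    """True when the client's offered features meet this policy node."""
    if isinstance(node, Assertion):
        if node.usage == "Required":
            return node.name in offered
        if node.usage == "Rejected":
            return node.name not in offered
        return True  # Optional
    results = [satisfied(child, offered) for child in node.children]
    if node.kind == "All":
        return all(results)
    if node.kind == "ExactlyOne":
        return results.count(True) == 1
    if node.kind == "OneOrMore":
        return any(results)
    raise ValueError(f"unknown operator {node.kind}")


def preference(node: Node) -> int:
    """Preference of a subtree: the assertion's own value, or the best below an operator."""
    if isinstance(node, Assertion):
        return node.preference
    return max((preference(child) for child in node.children), default=0)


def best_alternative(node: Operator, offered: Set[str]) -> Optional[Node]:
    """Highest-preference satisfied child of a choice operator (first wins ties)."""
    candidates = [child for child in node.children if satisfied(child, offered)]
    if not candidates:
        return None
    return max(candidates, key=preference)


# Constructed service policy: exactly one token type (X.509 preferred over
# username/password), a signed message, UTF-8 encoding if the client states it,
# and no plain-HTTP transport.
TOKEN_CHOICE = Operator("ExactlyOne", [
    Assertion("SecurityToken:X509", preference=10),
    Assertion("SecurityToken:UsernameToken", preference=1),
])
SERVICE_POLICY = Operator("All", [
    TOKEN_CHOICE,
    Assertion("Integrity:XMLSignature"),
    Assertion("TextEncoding:utf-8", usage="Optional"),
    Assertion("Transport:HTTP", usage="Rejected"),
])


def evaluate(offered: Set[str]):
    """Return (accepted, name of the token alternative chosen or None)."""
    accepted = satisfied(SERVICE_POLICY, offered)
    chosen = best_alternative(TOKEN_CHOICE, offered)
    if accepted and isinstance(chosen, Assertion):
        return True, chosen.name
    return accepted, None


if __name__ == "__main__":
    print(evaluate({"SecurityToken:X509", "Integrity:XMLSignature"}))
```

Note how ExactlyOne behaves as a real constraint rather than a menu: a client that presents both token types at once is turned away, which is the behaviour you want at an enforcement point that has to choose one credential to validate.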

Slide 22: WS-SecurityPolicy
Defines assertions that address security parameters
SecurityToken identifies
– Types of security tokens accepted
– Issuer of the token
– Optional details about particular token types (e.g. what set of user names are supported)
Integrity
– What parts of a message are signed
– XML signature algorithms used
– Parameters defining how the algorithm should be executed

Slide 23: WS-SecurityPolicy
Confidentiality
– What parts of a message are encrypted
– Algorithms and parameters used
Visibility
– What parts of a message must be visible to intermediary web services
SecurityHeader
– Constrains how the security header is processed
MessageAge
– Acceptable message lifetime based on the WSS timestamp
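The slides on securing SOAP messages (slide 16) and on WS-SecurityPolicy (slides 22 and 23) describe the same header from two sides: what goes into wsse:Security, and what a policy lets a receiver demand of it. The Python below is an added example, not code from the talk or from any WSS toolkit. It builds a SOAP 1.1 envelope whose security header carries a wsu:Timestamp and a UsernameToken with a password digest, then checks it against a policy made of the accepted token types and a MessageAge limit. The namespace URIs are the published WSS 1.0 ones; the user, password, nonce, timestamps and body are constructed.

```python
"""Build a WS-Security header (timestamp + UsernameToken with password digest)
and enforce SecurityToken / MessageAge style policy on it at the receiver.
Added example; all credential and timestamp values are constructed.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}


def parse_instant(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_message(user, password, nonce, created, expires, body_xml):
    """SOAP 1.1 envelope whose wsse:Security header carries a timestamp and a UsernameToken."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="ts-1">
        <wsu:Created>{created}</wsu:Created>
        <wsu:Expires>{expires}</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="ut-1">
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{PW_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>{body_xml}</soap:Body>
</soap:Envelope>"""


def check_message(xml_text, passwords, accepted_tokens, max_age_seconds, now, seen_nonces):
    """Return (ok, reason). Policy: timestamp required, MessageAge limit, token type, digest, no nonce reuse."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return False, "no wsse:Security header"
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        return False, "no timestamp"
    created_s = ts.findtext("wsu:Created", namespaces=NS)
    expires_s = ts.findtext("wsu:Expires", namespaces=NS)
    if not created_s or not expires_s:
        return False, "timestamp missing Created/Expires"
    created, expires = parse_instant(created_s), parse_instant(expires_s)
    if now >= expires:
        return False, "timestamp expired"
    if created > now:
        return False, "created in the future"
    if (now - created).total_seconds() > max_age_seconds:   # MessageAge
        return False, "message too old"
    ut = sec.find("wsse:UsernameToken", NS)
    if ut is None:
        return False, "no accepted token"
    if "UsernameToken" not in accepted_tokens:              # SecurityToken policy
        return False, "token type not accepted"
    pw = ut.find("wsse:Password", NS)
    if pw is None or pw.get("Type") != PW_DIGEST:
        return False, "password must be a digest"
    nonce = base64.b64decode(ut.findtext("wsse:Nonce", namespaces=NS) or "")
    if nonce in seen_nonces:
        return False, "replayed nonce"
    user = ut.findtext("wsse:Username", namespaces=NS)
    tok_created = ut.findtext("wsu:Created", namespaces=NS) or ""
    expected = password_digest(nonce, tok_created, passwords.get(user, ""))
    if user not in passwords or not hmac.compare_digest(expected, pw.text or ""):
        return False, "bad password digest"
    seen_nonces.add(nonce)
    return True, "ok"


# Constructed sample credentials and message.
PASSWORDS = {"jack": "s3cret"}
SAMPLE_MESSAGE = build_message("jack", "s3cret", b"constructed-nonce-1",
                               "2005-01-19T10:00:00Z", "2005-01-19T10:05:00Z", "<Ping/>")


def run_checks():
    """Run the policy against the sample under several conditions; returns reasons by scenario."""
    accepted = {"UsernameToken", "X509"}
    fresh = parse_instant("2005-01-19T10:00:30Z")
    cache = set()
    return {
        "valid": check_message(SAMPLE_MESSAGE, PASSWORDS, accepted, 60, fresh, cache),
        "replay": check_message(SAMPLE_MESSAGE, PASSWORDS, accepted, 60, fresh, cache),
        "stale": check_message(SAMPLE_MESSAGE, PASSWORDS, accepted, 60, parse_instant("2005-01-19T10:02:00Z"), set()),
        "expired": check_message(SAMPLE_MESSAGE, PASSWORDS, accepted, 600, parse_instant("2005-01-19T10:05:00Z"), set()),
        "bad_password": check_message(SAMPLE_MESSAGE, {"jack": "wrong"}, accepted, 60, fresh, set()),
        "token_rejected": check_message(SAMPLE_MESSAGE, PASSWORDS, {"X509"}, 60, fresh, set()),
    }
```

The MessageAge check is applied on top of the token's own Expires value: a sender can stamp a generous lifetime, but the receiver's policy decides how old a message it will still process, and the nonce cache is what turns that time window into an actual replay bound.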

Slide 24: WS-SecureConversation
Eliminates the overhead of carrying and validating authentication information in each message
Establishes a mutually authenticated security context
Multiple messages may be exchanged within this context
Creates an end-to-end secured channel at the application layer
Like SSL, it provides a session oriented, authenticated and encrypted data pipe
SSL is restricted to point-to-point sessions between intermediate nodes

Slide 25: WS-Federation
Describes how to share identities and attributes across multiple trust domains
Layered on WS-Trust
Tokens issued by one domain's STS are used to request a new security token from the STS of another domain

Slide 26: Federation Token Exchanges
(Diagram: Trust Domain 1 and Trust Domain 2, each with its own Security Token Service (Policy, Security Token); the Requestor (Policy, Security Token) sits in domain 1 and the Web Service (Policy, Security Token) in domain 2; a Trust Relationship links the two STSs; exchanges numbered 1 to 4)

Slide 27: WS-Federation Sequence
Parties: Requestor, Requestor STS, Web Service STS, Web Service
Messages, in order:
1. Request Security Token
2. Issue Security Token
3. Request Security Token with Token Reference
4. Issue Security Token from Service Domain
5. Invoke Service with Security Token
6. Validate Security Token
7. Approve Security Token
8. Return Service Response

Slide 28: Security and Privacy - Today
Today transactions are secured using WSS toolkits to implement the Web Service security standards
Usually support for X.509 Certificates or password credentials
(Diagram labels: HTML SWS + password / X.509 Cert)

Slide 29: Security and Privacy - "Tomorrow"
SAML Tokens for use in WSS security headers to support Federated Identities
User Authentication supplied by CT/FIM
Requests SAML assertions from SAML authority to build SAML tokens
Crossover from Browser/User security world to Web Services
(Diagram labels: HTML, WSS + SAML Token, WSS with SAML, SAML Authority, Login, SAML Assertions)

Slide 30: Security and Privacy - "Tomorrow"
Web services infrastructure moves toward WS-Trust credential servers for token issuance and support of WS-Federation
WS-Trust toolkits provide messaging and protocol support for development of clients and servers
(Diagram labels: WSS+Token, WS-Trust, WS-Trust Credential Server, Tokens, WS-Federation Ids, WS-Trust Server Tk)

Slide 31: Web Service security dilemma
(Diagram labels: Svc, Database, Integration, User Interface, Security Layer, Business Logic)
CIOs and IT Directors do not believe application programmers can verifiably implement enterprise security policies
Use of toolkits does not scale to even modest deployments
Tools do not exist to define, verify or modify security policy
Transactions must be monitored and audited
Security policy management must be federated

Slide 32: Perimeters?

Slide 33: Cherry Picking from Different Domains
(Diagram labels: Trust Domains, Service Oriented Application, Network Domains)

Slide 34: Controlling a Service Oriented Application

Slide 35: Reactivity in the enterprise

Slide 36: The Reactivity Gateway Message Pipeline

Slide 37: The Reactivity Gateway Message Pipeline

Slide 38: Multi-layer mediation of transactions
Data transformation
– ex. service virtualization
Security Credential Mapping
– ex. SSL external to SAML internal
Transport mapping
– ex. XML/MQ to SOAP/HTTPS
Cross-layer information sharing with advanced header manipulation

Slide 39: Reactivity's Policy Aware Core
Policy Aware Core ensures XML Web services security with speed, flexibility and visibility
Functions (Control / Agility):
– Delegate & Create Policy
– Collaborate & Compare Policy
– Deploy Policy and Mark Messages
– Report & Audit
Benefits:
– Optional sub-policies allow secure separation between projects, business units, geographies
– Visually identify policy conflicts
– Multi-stage approval for efficient workflow
– Policy version linked to message pair, ensuring consistency and auditability
– One-click deploy & rollback for efficiency
– Policy aware event and message logs enable rapid issue identification and accurate audits

Slide 40: Reactivity's Vision of XML Infrastructure
– Application Infrastructure: server/application based functions
– XML Infrastructure: XML message based functions; a new layer required for connecting distributed XML web services and enforcing message transport policies
– Network Infrastructure: packet based functions

