WS-Trust Joseph Calandrino Vincent Noël Department of Computer Science University of Virginia February 9, 2004.

Motivation

A SOAP message protected by WS-Security presents three possible issues with regard to security tokens:
– Security token format incompatibility
– Security token trust
– Namespace differences

Introduction

WS-Trust addresses these issues by:
– Defining a request/response protocol: the Client sends a RequestSecurityToken and receives a RequestSecurityTokenResponse
– Introducing a Security Token Service (STS)

WS-Trust Model

STS Functions

A Security Token Service allows:
– Token Exchange
– Token Issuance
– Token Validation

Request – Challenge Operation

Message flow between Client and STS:
– Client requests token from STS
– STS sends a challenge to Client
– Client sends an answer to STS
– STS sends token(s) to Client

WS-Trust Example

– Client understands X.509 certificates only
– Service understands SAML only
– No established trust between Client and Service
* Based on

WS-Trust Example – SAML Reminder

The Security Assertion Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.

WS-Trust Example – message 1

SOAP client sends initial request to SOAP service. The slide shows only the token contents, as a placeholder for the base64-encoded X.509 token:

sdfOIDFKLSoidefsdflk … akjsdflaksf

The identity of the Client is established through an XML signature, keyed through the X.509 certificate.

WS-Trust Example – message 2

The SOAP gateway recognizes that it must map to SAML, so it contacts the STS. The slide shows the request flattened to its element values (TokenType SAML, RequestType ReqExchange) followed by the original token:

SAML ReqExchange <ws:BinarySecurityToken id="originaltoken" ValueType="X.509">sdfOIDFKLSoidefsdflk …

The RequestSecurityToken object is the core of this request: it asks for a SAML token in exchange for the provided X.509 token.

WS-Trust Example – message 3

The STS sends back the token in the requested format. The SAML assertion is returned, and the new client identifier is used (the Issuer value and the date portions of the timestamps are missing from the transcript):

<saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer=" IssueInstant=" T16:58:33.173Z">
<saml:Conditions NotBefore=" T16:53:33.173Z" NotOnOrAfter=" T17:08:33.173Z"/>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant=" T16:57:30.000Z">
...converted client identifier...

WS-Trust Example – message 4

The gateway formats and sends the message for the service. The SAML assertion is inserted into the message, and the ConfirmationMethod is sender-vouches:

<saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer=" IssueInstant=" T16:58:33.173Z">
<saml:Conditions NotBefore=" T16:53:33.173Z" NotOnOrAfter=" T17:08:33.173Z"/>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant=" T16:57:30.000Z">
Client (the subject's NameIdentifier)
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches (the ConfirmationMethod)
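
The exchange in messages 2 to 4, as an added example that is not part of the original slides: a Python model of the STS side (mapping a trusted X.509 token to a time-bounded SAML assertion) and of the SAML-only service's acceptance check (signature from the trusted STS, validity window). The WS-Trust namespace URI, the STS key (an HMAC stands in for the XML Signature the STS would really apply), the certificate blob, the trust table and the clock are constructed assumptions; the SAML 1.0 namespace and the slide's ReqExchange and sender-vouches values are real.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"        # real SAML 1.0 assertion namespace
WST = "urn:example:ws-trust"                          # placeholder WS-Trust namespace (constructed)
ET.register_namespace("saml", SAML)
ET.register_namespace("wst", WST)
FMT = "%Y-%m-%dT%H:%M:%SZ"
STS_KEY = b"constructed-sts-signing-key"   # stands in for the STS's XML-Signature key (assumption)
KNOWN_CERTS = {"sdfOIDFKLSoidefsdflk...akjsdflaksf": "Client"}  # cert blob -> SAML name (constructed)
NOW = datetime(2004, 2, 9, 16, 58, 33, tzinfo=timezone.utc)   # constructed clock, matches the slides

def build_rst(cert_b64):
    """Message 2: the gateway asks the STS for a SAML token in exchange for its X.509 token."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = "SAML"
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = "ReqExchange"
    ET.SubElement(rst, "BinarySecurityToken", id="originaltoken", ValueType="X.509").text = cert_b64
    return ET.tostring(rst, encoding="unicode")

def sts_issue(rst_xml, now):
    """Message 3: the STS vouches only for tokens it trusts; returns (assertion_xml, signature)."""
    cert = ET.fromstring(rst_xml).findtext("BinarySecurityToken")
    if cert not in KNOWN_CERTS:              # no trust relationship: refuse rather than guess
        raise PermissionError("X.509 token not trusted by this STS")
    a = ET.Element(f"{{{SAML}}}Assertion", Issuer="sts.example", IssueInstant=now.strftime(FMT))
    ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=(now - timedelta(minutes=5)).strftime(FMT),
                  NotOnOrAfter=(now + timedelta(minutes=10)).strftime(FMT))
    st = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement",
                       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509")
    subj = ET.SubElement(st, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = KNOWN_CERTS[cert]
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(conf, f"{{{SAML}}}ConfirmationMethod").text = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
    xml = ET.tostring(a, encoding="unicode")
    return xml, hmac.new(STS_KEY, xml.encode(), hashlib.sha256).hexdigest()

def service_accept(assertion_xml, sig, now):
    """Message 4 consumer: accept the identifier only if the STS signed it and it is in window."""
    expect = hmac.new(STS_KEY, assertion_xml.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, sig):   # verify over the bytes actually received
        raise PermissionError("assertion not signed by the trusted STS")
    a = ET.fromstring(assertion_xml)
    cond = a.find(f"{{{SAML}}}Conditions")
    nb = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if not nb <= now < na:
        raise PermissionError("assertion outside its validity window")
    return a.findtext(f".//{{{SAML}}}NameIdentifier")
```

The service never sees the X.509 token: it trusts the identifier only because the STS it has a relationship with signed the assertion, which is the trust property the Conclusion describes.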

Conclusion

WS-Trust addresses the security token needs of SOAP messages secured using WS-Security:
– Format: An STS is used to exchange tokens into formats understandable by recipients.
– Trust: The STS issues signed tokens, forming the basis of trust for entities with which it has formed a trust relationship.
– Namespace: The STS will return tokens in the appropriate syntax for the recipient.

Credits

WS-Trust spec (Copyright (c) 2001, 2002 International Business Machines Corporation, Microsoft Corporation, RSA Security Inc., VeriSign Inc. All rights reserved.)
XML.com WS-Trust overview