WS-Trust Joseph Calandrino Vincent Noël Department of Computer Science University of Virginia February 9, 2004
Motivation
A SOAP message protected by WS-Security presents three possible issues with regards to security tokens:
– Security token format incompatibility
– Security token trust
– Namespace differences
Introduction
WS-Trust addresses these issues by:
– Defining a request/response protocol
  – Client sends RequestSecurityToken
  – Client receives RequestSecurityTokenResponse
– Introducing a Security Token Service (STS)
WS-Trust Model
STS Functions
A Security Token Service allows:
– Token Exchange
– Token Issuance
– Token Validation
Request – Challenge Operation (between Client and STS)
– Client requests token from STS
– STS sends a challenge to Client
– Client sends an answer to STS
– STS sends token(s) to Client
WS-Trust Example
– Client understands X.509 certificates only
– Service understands SAML only
– No established trust between Client and Service
* Based on
WS-Trust Example – SAML Reminder
The Security Assertion Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.
WS-Trust Example – message 1 SOAP client sends initial request to SOAP service:
sdfOIDFKLSoidefsdflk … akjsdflaksf
– Identity of Client established through XML signature, keyed through X.509 certificate
WS-Trust Example – message 2 SOAP gateway recognizes that it must map to SAML, so it contacts the STS
SAML ReqExchange
<ws:BinarySecurityToken id="originaltoken" ValueType="X.509">
  sdfOIDFKLSoidefsdflk …
– The RequestSecurityToken object is the core of this request, which is asking for a SAML token in exchange for the provided X.509 token.
WS-Trust Example – message 3 The STS sends back the token in the requested format
SAML
<saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer=" IssueInstant=" T16:58:33.173Z">
  <saml:Conditions NotBefore=" T16:53:33.173Z" NotOnOrAfter=" T17:08:33.173Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant=" T16:57:30.000Z">
    ...converted client identifier...
– The SAML assertion is returned
– The new client identifier is used
WS-Trust Example – message 4 The gateway formats and sends the message to the service
<saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer=" IssueInstant=" T16:58:33.173Z">
  <saml:Conditions NotBefore=" T16:53:33.173Z" NotOnOrAfter=" T17:08:33.173Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant=" T16:57:30.000Z">
    Client
    urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
– The SAML Assertion is inserted
– The ConfirmationMethod is sender-vouches
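The checks the receiving service should run on the assertion it gets in messages 3 and 4, as an added Python example that is not part of the original slides: the sample assertion is constructed from the deck's times, IDs and URIs, the issuer name and calendar dates are placeholders, and verification of the gateway's XML signature (which a sender-vouches assertion depends on) is assumed to be done by the caller.

```python
import datetime as dt
import xml.etree.ElementTree as ET
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
SAML_TIME = "%Y-%m-%dT%H:%M:%S.%fZ"
# Constructed sample of the assertion the STS returns in message 3. Issuer and
# calendar dates are placeholders; times, IDs and URIs mirror the deck's slide.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}"
    AssertionID="2se8e/vaskfsdif=" Issuer="sts.example.test"
    IssueInstant="2004-02-09T16:58:33.173Z">
  <saml:Conditions NotBefore="2004-02-09T16:53:33.173Z"
                   NotOnOrAfter="2004-02-09T17:08:33.173Z"/>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
      AuthenticationInstant="2004-02-09T16:57:30.000Z">
    <saml:Subject>
      <saml:NameIdentifier>Client</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""
def parse_saml_time(s):
    """SAML 1.x timestamps: UTC, fractional seconds, trailing Z."""
    return dt.datetime.strptime(s, SAML_TIME)

def check_assertion(xml_text, now, trusted_issuers, sender_verified, skew_s=60):
    """Service-side acceptance checks for the assertion in message 4; returns
    rejection reasons (empty = accept). sender_verified: the caller has already
    verified the gateway's XML signature, which sender-vouches relies on."""
    a = ET.fromstring(xml_text)
    problems = []
    if a.get("Issuer") not in trusted_issuers:
        problems.append("untrusted issuer")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        problems.append("missing Conditions")
    else:
        skew = dt.timedelta(seconds=skew_s)
        if (now < parse_saml_time(cond.get("NotBefore")) - skew
                or now >= parse_saml_time(cond.get("NotOnOrAfter")) + skew):
            problems.append("outside validity window")
    method = a.findtext(f".//{{{SAML}}}ConfirmationMethod")
    if method != SENDER_VOUCHES:
        problems.append(f"unexpected confirmation method: {method}")
    elif not sender_verified:
        problems.append("sender-vouches but sender signature not verified")
    return problems
```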
Conclusion
WS-Trust addresses the security token needs of SOAP messages secured using WS-Security.
– Format: An STS is used to exchange tokens into formats understandable by recipients
– Trust: The STS issues signed tokens forming the basis of trust for entities with which it has formed a trust relationship
– Namespace: The STS will return tokens in appropriate syntax for the recipient
Credits
– WS-Trust spec (Copyright (c) 2001, 2002 International Business Machines Corporation, Microsoft Corporation, RSA Security Inc., VeriSign Inc. All rights reserved.)
– XML.com WS-Trust overview