SlideShare a Scribd company logo

Identity, Security Credentials, and XML Web Services

Jorgen Thelin
Jorgen Thelin

The document discusses identity, security, and XML web services. It defines identity as who a person is and how they prove it. Identity provides permissions in computing systems as in real life. Standards like SAML and WS-Security encode identity credentials in XML for use in web services. Examples show username tokens, X.509 certificates, and SAML assertions transmitted in SOAP message headers to authenticate callers and pass identity attributes between systems.

Technology
1 of 12
Download to read offline
Identity, Security, and XML Web Services The Importance of Interoperable Security Credentials Jorgen Thelin <Jorgen.Thelin@capeclear.com> Abstract The use of security credentials and the concepts of single-sign-on and quot;identityquot; will play a big part in Web Service products as the technology matures and developers start writing true enter- prise-grade line-of-business applications. The emerging XML security standards such as SAML are reviewed, along with the various quot;identityquot; standards such as Passport and Liberty, to provide an overview of the evolution of Web Service platform products to support these. This paper examines just how quot;identity awarequot; Web Service implementations need to be, and the value a Web Services platform can add in masking developers from the complexity in this area. Lessons are drawn from the experience of using EJB security technology for real-world security scenarios. Table of Contents 1. Introduction ............................................................................................................................... 1 2. What is Identity? ........................................................................................................................ 2 2.1. Identity - Who are you? ..................................................................................................... 2 2.2. Identity - Proof of identity .................................................................................................. 2 2.3. Identity - Permissions ....................................................................................................... 3 3. Web Services and Identity ............................................................................................................ 3 3.1. Does this affect Web Services? ........................................................................................... 3 3.2. Security and Identity Considerations for Web Services Applications .......................................... 3 4. Interoperable XML Security and Identity ........................................................................................ 4 4.1. Requirements for Interoperable Security and Identity .............................................................. 4 4.2. Types of Security Tokens .................................................................................................. 4 4.3. Types of XML Security Interaction Dialogues ....................................................................... 5 5. SAML v1.0 ............................................................................................................................... 6 5.1. SAML Assertion Types ..................................................................................................... 7 6. Examples of Security Credentials in a SOAP Message ....................................................................... 7 6.1. A Username Token in a WS-Security SOAP Header ............................................................... 7 6.2. Binary X509 Certificate in a WS-Security SOAP Header ......................................................... 8 6.3. A SAML Assertion in a WS-Security SOAP Header ............................................................... 9 7. Single-sign-on Services ................................................................................................................ 9 7.1. Liberty Alliance ............................................................................................................. 10 7.2. Microsoft .NET Passport .................................................................................................. 10 7.3. WS-Trust ...................................................................................................................... 10 8. Identity-awareness in Web Services .............................................................................................. 10 9. Security in the Ultimate Web Services Platform .............................................................................. 11 10. Summary ............................................................................................................................... 11 Bibliography ............................................................................................................................... 11 Glossary ..................................................................................................................................... 12 1. Introduction This paper looks at the related concepts of identity and credentials, and how XML-based approaches are are now being used to provide increased interoperability among security systems. The various specifications and standards in this area are examined, and examples provided of how XML format security credentials are being used with SOAP and Web Services to allow end-to-end flow of identity and authentication information. Proceedings by deepX Ltd. 1 Rendered by www.RenderX.com
Identity, Security, and XML Web Services 2. What is Identity? A definition from Cambridge Dictionaries Online: Identity [ noun ] Who a person is, or the qualities of a person or group which make them different from others. Source: http://dictionary.cambridge.org/define.asp?key=identity*1+0 At its most basic then, the concept of quot;identityquot; is about: • Who you are • How you prove who you are • What that allows you to do We will now explore these aspects in turn, and see how they apply to XML Web Services, and demonstrate the importance of standardized and interoperable security credentials. 2.1. Identity - Who are you? An identity equates to a particular subject or principal For example: Joe Bloggs - who lives at the address: 123 My Street, Your Town A subject usually equates to a single person, but could also be a group, corporation, or even something like an automated software agent component. The main thing is that there must be some way to distinguish one subject from another - there must be some differ- ences otherwise we are actually dealing with just a single subject! 2.2. Identity - Proof of identity The next question is how do you prove who you are? What credentials can you present to prove your identity? In real life, this is usually through some official documents such as: • Driving License • Passport In computing terms, a user also has a set of security credentials. Some common examples include: • username + password The password acts as a quot;shared secretquot; that is only known to the receiver and that one user. Possession of that password proves the user is who they say they are. Unfortunately most users tend to use insecure or easily guessable passwords, or divulge their passwords through quot;social engineeringquot; attacks. • X509 certificates X509 certificates are part of the Internet standard public / private key crypto- graphy system. A certificate is digitally signed by an issuing authority and binds a public key to a particular subject. Possession of that subject's private key to match the public key in the certificate proves the identity asserted by the certific- ate. It is technically possible to create fake security credentials in computing systems just as much as in real life - and in both cases various steps (both technical and procedural) are taken to make it hard to do this, and make it easier to detect the fakes. Proceedings by deepX Ltd. 2 Rendered by www.RenderX.com
Identity, Security, and XML Web Services 2.3. Identity - Permissions The third question is what does this identity prove about us? What does this identity allow us to do? Some real life examples illustrate the concept here: • Passports • Holding a UK passport proves someone is a UK Citizen • Being a UK Citizen allows that person to live and work in the UK • Being a UK Citizen also allows that person to live and work in any other country in the European Union • Losing their passport does not stop someone being a UK Citizen; it just makes it harder to prove they are a citizen. • Driving Licenses • A standard driving license shows someone is allowed to drive a car • Someone is not allowed to drive a Heavy Goods Vehicle unless they hold a HGV Driving License The permissions and entitlements for an identity is ultimately determined by the set of credentials that were presented to assert that identity. Permissions and credentials are then used to make policy enforcement decisions, such as: • Is a person allowed to drive a Heavy Goods Vehicle? • Is a person allowed to work in the UK? 3. Web Services and Identity 3.1. Does this affect Web Services? Security and Identity is a fundamental requirement of any real-world deployment of a Web Services application Ultimately all security policy decisions are based on the caller's identity, so the concepts just discussed will become increasingly important to Web Services developers and users. The challenge is to how to represent and prove a caller's identity in an open and interoperable way. 3.2. Security and Identity Considerations for Web Services Applications There are several security and identity considerations that need to be borne in mind for any Web Services application: • Caller Authentication • Caller Authorization • Caller Attributes 3.2.1. Authentication Web Services authentication is about mechanisms to answer the following questions: • Who is the caller? Proceedings by deepX Ltd. 3 Rendered by www.RenderX.com
Identity, Security, and XML Web Services • How did they prove their identity? • Do we trust the source of these credentials? 3.2.2. Authorization Web Services authorization is about answering the following questions: • What is the caller allowed to do? 3.2.3. Attributes Caller identity attributes are concerned with answers to the following questions: • What other facts or unique attributes do we know about the caller? For example, e-mail address, display pref- erences, department, employee number • How do we use this attribute information in the application? For example, customizing the data returned to the caller based on their display preferences 4. Interoperable XML Security and Identity 4.1. Requirements for Interoperable Security and Identity To achieve interoperable security and identity, web services require standardized mechanisms of doing all of the following: • Representing security credential data in XML • There needs to be a standardized format for representing security credentials and tokens using XML, to allow the widest interoperability. • For example, this can be done through the Security Assertions Markup Language (SAML) specification [SAML], or using the encoding rules for binary security tokens defined in the WS_Security specification [WSSE]. • Obtaining credential data or security tickets • For true interoperability, there needs to be a standardized mechanism to obtain security credentials or tickets in the first place. This is usually done by using a WSDL and SOAP call to an interface on a security authority service such as a single-sign-on product. • For example, single-sign-on services such as Microsoft Passport [.NET Passport] Liberty Alliance [Liberty Alliance] specifications can issue session ticket tokens valid for the defined period. • Transport credential data in a SOAP message • There needs to be a way of packaging the credential data or security tokens into a SOAP message in an agreed manner, so that both client and server can find, decode and process the credentials in the necessary manner. • For example, SOAP header fields defined in the ws-security specification [WSSE] 4.2. Types of Security Tokens The WS-Security specification [WSSE] defines the following types of security tokens: Proceedings by deepX Ltd. 4 Rendered by www.RenderX.com
Identity, Security, and XML Web Services • Unsigned security tokens • Username • Signed security tokens • X.509 certificates (binary) • Kerberos tickets (binary) • XML security tokens • Any XML token, such as SAML • Usually self verifying / signed This leads to two main types of interaction when security credentials are being used with XML SOAP messages: • Using non self-validating credentials - See Section 4.3.1 • Using self-validating credentials - See Section 4.3.2 The main difference between these two is whether the receiver of the XML message can verify and validate the security credentials in the SOAP message without referring back to the authority service that issued the credentials. 4.3. Types of XML Security Interaction Dialogues 4.3.1. Typical XML Security Dialogue - Non Self-Validating Credentials The receiver of the credentials needs to query the security service to validate the credentials. Proceedings by deepX Ltd. 5 Rendered by www.RenderX.com
Identity, Security, and XML Web Services Figure 1. Typical XML Security Dialogue - Non Self-Validating Credentials 4.3.2. Typical XML Security Dialogue - Self-Validating Credentials The receiver of the credentials can validate those credentials themselves, and does not need to query the security service to check the credentials. Self-validating credentials are usually achieved by the authority service which issued the security token digitally signing the credentials using their private key, and the receiver of the credentials then verifying using the issuing authority's public key which it already trusts. Figure 2. Typical XML Security Dialogue - Self-Validating Credentials 5. SAML v1.0 SAML is an XML-based framework for exchanging security information. It provides a standardized format for encoding credentials using XML. It is a published standard specification defined by the Organization for the Advancement of Structured Information Standards (OASIS) organization. Proceedings by deepX Ltd. 6 Rendered by www.RenderX.com
Identity, Security, and XML Web Services The SAML specification defines: • How to represent security credentials (quot;Assertionsquot; in SAML parlance) using XML • An XML message exchange protocol for querying a SAML Authority service The SAML specification DOES NOT define: • How to obtail security credentials (quot;Assertionsquot;) in the first place 5.1. SAML Assertion Types There are three types of assertions defined in the SAML specification [SAML] • SAML Authentication Assertions • The results of an authentication action performed on a subject by a SAML authority Statements of the form: quot;An issuing authority asserts that subject S was authenticated by means M at time Tquot; • SAML Attribute Assertions • Attribute information about a subject • Statements of the form: quot;An issuing authority asserts that subject S is associated with attributes A, B and C with values 'a', 'b' and 'c'quot; • SAML Authorization Assertions • Authorization permissions that apply to a subject with respect to a specified resource • Statements of the form: quot;An issuing authority decides whether to grant the request by subject S for access type A to resource R given evidence Equot; 6. Examples of Security Credentials in a SOAP Message The following sections provide examples of the main type of security credentials carried in SOAP message: • Username token - Section 6.1 X509 binary certificate - Section 6.2 SAML authentication assertion - Section 6.3 6.1. A Username Token in a WS-Security SOAP Header <SOAP:Envelope xmlns:SOAP=quot;...quot;> <SOAP:Header> <wsse:Security xmlns:wsse=quot;http://schemas.xmlsoap.org/ws/2002/12/secextquot;> <wsse:UsernameToken> <wsse:Username>jthelin</wsse:Username> <wsse:Password Type=quot;wsse:PasswordDigestquot; >XYZabc123</wsse:Password> Proceedings by deepX Ltd. 7 Rendered by www.RenderX.com
Identity, Security, and XML Web Services </wsse:UsernameToken> ... </wsse:Security> </SOAP:Header> <SOAP:Body Id=quot;MsgBodyquot;> <!-- SOAP Body data --> </SOAP:Body> </SOAP:Envelope> This example shows a SOAP message with a WS-Security header containing a username / password token. The token is for the user 'jthelin' in this example, and the base64-encoded copy of the SHA1 digest hash value of the password is included in the header too. To confirm these credentials are valid, the receiver of this message must querying the security authority for this user to confirm whether the enclosed password digest is correct for this user. 6.2. Binary X509 Certificate in a WS-Security SOAP Header <SOAP:Envelope xmlns:SOAP=quot;...quot;> <SOAP:Header> <wsse:Security xmlns:wsse=quot;http://schemas.xmlsoap.org/ws/2002/12/secextquot;> <wsse:BinarySecurityToken Id=quot;X509Tokenquot; wsse=quot;http://schemas.xmlsoap.org/ws/2002/12/secextquot; ValueType=quot;wsse:X509v3quot; EncodingType=quot;wsse:Base64Binaryquot; > MIIEZzCCA9CgAwIBAgIQEmtJZc0... </wsse:BinarySecurityToken> <ds:Signature xmlns:ds=quot;http://www.w3.org/2000/09/xmldsig#quot;> <ds:SignedInfo> ... </ds:SignedInfo> <ds:SignatureValue> ... </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI=quot;#X509Tokenquot; /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> ... </wsse:Security> </SOAP:Header> <SOAP:Body Id=quot;MsgBodyquot;> <!-- SOAP Body data --> </SOAP:Body> </SOAP:Envelope> Proceedings by deepX Ltd. 8 Rendered by www.RenderX.com
Identity, Security, and XML Web Services This example shows an X.509 digital certificate being included in the WS-Security SOAP header as a binary token. The token has been signed in accordance with the XML Digital Signature specification [XML Signature], and using the key information from the X.509 certificate to calculate the signature hash. 6.3. A SAML Assertion in a WS-Security SOAP Header <SOAP:Envelope xmlns:SOAP=quot;...quot;> <SOAP:Header> <wsse:Security xmlns:wsse=quot;http://schemas.xmlsoap.org/ws/2002/12/secextquot;> <saml:Assertion xmlns:saml=quot;urn:oasis:names:tc:SAML:1.0:assertionquot; MajorVersion=quot;1quot; MinorVersion=quot;0quot; AssertionID=quot;SecurityToken-mc375268quot; Issuer=quot;mycompanyquot; IssueInstant=quot;2002-07-23T11:32:05.6228146-07:00quot; > ... </saml:Assertion> <ds:Signature xmlns:ds=quot;http://www.w3.org/2000/09/xmldsig#quot;> <ds:SignedInfo> ... </ds:SignedInfo> <ds:SignatureValue> ... </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <saml:AssertionIDReference> SecurityToken-mc375268 </saml:AssertionIDReference> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> ... </wsse:Security> </SOAP:Header> <SOAP:Body Id=quot;MsgBodyquot;> <!-- SOAP Body data --> </SOAP:Body> </SOAP:Envelope> This example shows a SAML assertion being included in the WS-Security SOAP header as an XML token. The SAML token has been signed in accordance with the XML Digital Signature specification [XML Signature], and using the key information from the SAML assertion to calculate the signature hash. 7. Single-sign-on Services Single-sign-on services provide a single point of logon and authentication. They also provide a standardized way to obtain suitable credentials to prove an authenticated identity. The main contenders currently seem to be: • Liberty Alliance [Liberty Alliance] Proceedings by deepX Ltd. 9 Rendered by www.RenderX.com
Identity, Security, and XML Web Services Microsoft Passport [.NET Passport] Proprietary security products such as Netegrity SiteMinder which are added direct SAML interfaces WS-Trust - A new specification to provide a standardized interface[WS-Trust] This still remains an area needing real standardization, and is an area that Web Services Interoperability Organiz- ation (WS-I)[WS-I] is now turning its attention to through it's Web Services Basic Security Profile. 7.1. Liberty Alliance The Liberty Alliance Project [Liberty Alliance] is a cross-industry group aiming to establish an open standard for federated network identity The Liberty specification v1.0 has two main facets: • Single sign-on • Identity federation 7.2. Microsoft .NET Passport Microsoft .NET Passport [.NET Passport] is a suite of Web-based services that makes using the Internet and pur- chasing online easier and faster for users. Microsoft has previously declared plans to upgrade the current Passport facilities to: • Provide an XML interface • Support federation • Use Kerberos v5 as the underlying mechanism for securely exchanging credentials 7.3. WS-Trust WS-Trust [WS-Trust] is a proposed specification in the WS-Security family to provide a standardized way to acquire security tokens from an authority service. WS-Trust is still very early in the standardization process, but is the most likely candidate for a common interface to security authorities for the future. 8. Identity-awareness in Web Services Question: Do web services themselves need to be identity-aware? Answer: Not really, in most cases. A mature web services platform product such as CapeClear 4 Server [CC4 Server] can handle almost all the quot;boilerplatequot; work of authentication and enforcement of access control lists. This is typically done through config- uring interceptors or plugins on a deployed web service to implement the required security policy. Most standard authentication and authorization functions are best done in a uniform manner by the platform, rather than being implemented on an application-by-application basis. Interceptor plugins allow this to be done as a deployment policy decision, rather than as an implementation decision. A Web Service application only needs to be Identity-aware if it needs to make use of user-specific attributes asserted for the caller. For example, reading the delivery address from the user's MS Passport record. Proceedings by deepX Ltd. 10 Rendered by www.RenderX.com
Identity, Security, and XML Web Services 9. Security in the Ultimate Web Services Platform The ultimate goal will be to have declarative security functions for web services just like we already have for Enterprise Java Beans (EJB) systems now. So, we want to get to the situation of being able to make declarative statement of a web service applications security requirements in the following areas: • Permitted authentication realms / single-sign-on services • Required transport security attributes (for example, quot;Callers must use encrypted / SSL connectionsquot;) • Required message security attributes (for example, quot;Messages must be digitally signedquot;) • Role-based access control lists applied at the granularity of the operation / method call. There are some moves afoot to add some of this declarative security information into WSDL files, but there are no real standards for this at the moment. Watch this space though. This places control of security with application administrators rather than developers, and allows a uniform way to apply a security policy to enterprise web services. 10. Summary quot;Identityquot; is one of the fundamental concepts underpinning all Web Service security mechanisms, and will become increasingly important as more enterprise web services get deployed. Having a standard XML-based serialized form of credentials is vital for true end-to-end interoperability. Standardization of specifications for credential exchange and single-sign-on using XML and SOAP are still incomplete, so widespread interoperability is not yet possible. However, this is such an important area that it is the next thing that WS-I are developing an interoperability profile for. It is best to use a mature Web Services runtime platform such as Cape Clear Server to handle most quot;boilerplatequot; security tasks such as enforcing authentication and authorization requirements. Bibliography [CC4 Server] Cape Clear 4 Server - Enterprise-grade Web Services Integration Platform from Cape Clear Software Inc. http://www.capeclear.com/products/server/ [Kerberos] J. Kohl and C. Neuman, quot;The Kerberos Network Authentication Service (V5),quot; RFC 1510, September 1993. http://www.ietf.org/rfc/rfc1510.txt [Liberty Alliance] Liberty Alliance Project http://www.projectliberty.org/ [.NET Passport] Microsoft .NET Passport http://www.passport.com/ [SAML] SAML - Security Assertions Markup Language v1.0, OASIS XML-Based Security Services Technical Committee, 05-Nov-2002 http://www.oasis-open.org/committees/security/#documents/ [SOAP] W3C Note, quot;SOAP: Simple Object Access Protocol 1.1quot;, 08-May-2000. http://www.w3.org/TR/2000/NOTE- SOAP-20000508 [WS-I] WS-I - The Web Services Interoperability Organization http://www.ws-i.org/ [WSSE] WS-Security specification v1.0, 05-Apr-2002 http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm Proceedings by deepX Ltd. 11 Rendered by www.RenderX.com
Identity, Security, and XML Web Services [WSSE-XML] WS-Security Profile for XML-based Tokens v1.0, 28-Aug-2002 http://msdn.microsoft.com/library/en- us/dnglobspec/html/ws-security-xml-tokens.asp [WS-Trust] WS-Trust specification v1.0, 18-Dec-2002 http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws- trust.asp [XML Signature] W3C Recommendation, quot;XML Signature Syntax and Processingquot;, 12 February 2002. http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/ [XML Encryption] W3C Recommendation, quot;XML Encryption Syntax and Processingquot; 10 December 2002. http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/ Glossary EJB Enterprise Java Beans OASIS Organization for the Advancement of Structured Information Standards SAML Security Assertions Markup Language WS-I Web Services Interoperability Organization Biography Jorgen Thelin Chief Scientist Cape Clear Software Inc. London United Kingdom Jorgen.Thelin@capeclear.com Jorgen Thelin is the Chief Scientist at Cape Clear Software Inc, where he focuses on Web Services technology and standards. Previously, he has worked on a number of major Java-based projects for blue-chip companies such as Reuters, J.P.Morgan, and BSkyB before moving to Orbware to design and build the Orcas EJB server. He holds a Computing Science degree from Stirling University, Scotland, and an MBA from Warwick Business School, England. He has been using the Java programming language since early 1996, and is a Sun Certified Java Programmer, Developer, and Architect. Proceedings by deepX Ltd. 12 Rendered by www.RenderX.com

Recommended

Blacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersBlacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersIAEME Publication
 
Blacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersBlacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersIAEME Publication
 
O Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bO Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bBruce O'Dell
 
3d passwords
3d passwords 3d passwords
3d passwords Sunanda Bansal
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web SecurityOliver Pfaff
 
Context Automation (with video demos)
Context Automation (with video demos)Context Automation (with video demos)
Context Automation (with video demos)Phil Windley
 
C0361419
C0361419C0361419
C0361419iosrjournals
 
76 s201923
76 s20192376 s201923
76 s201923IJRAT
 

Recommended

Blacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersBlacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersIAEME Publication
 
Blacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersBlacklisting and blocking anonymous credential users
Blacklisting and blocking anonymous credential usersIAEME Publication
 
O Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bO Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bBruce O'Dell
 
3d passwords
3d passwords 3d passwords
3d passwords Sunanda Bansal
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web SecurityOliver Pfaff
 
Context Automation (with video demos)
Context Automation (with video demos)Context Automation (with video demos)
Context Automation (with video demos)Phil Windley
 
C0361419
C0361419C0361419
C0361419iosrjournals
 
76 s201923
76 s20192376 s201923
76 s201923IJRAT
 
Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...E-Government Center Moldova
 
Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...
Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...
Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...IJERA Editor
 
Managing IT security and Business Ethics
Managing IT security and Business EthicsManaging IT security and Business Ethics
Managing IT security and Business EthicsRahul Sharma
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization ModelsCSCJournals
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingSmart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingOKsystem
 
Self-service Password Reset
Self-service Password ResetSelf-service Password Reset
Self-service Password ResetPortalGuard dba PistolStar, Inc.
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationOliver Pfaff
 
Claims based identity for windows
Claims based identity for windowsClaims based identity for windows
Claims based identity for windowsPradeep Krishnamurthy
 
The Domains of Identity & Self-Sovereign Identity MyData 2018
The Domains of Identity & Self-Sovereign Identity MyData 2018The Domains of Identity & Self-Sovereign Identity MyData 2018
The Domains of Identity & Self-Sovereign Identity MyData 2018Kaliya "Identity Woman" Young
 
Securing online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsSecuring online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsOlivier Potonniée
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card AuthenticationDan Usher
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlManaging PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlRamesh Nagappan
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossASRoger CARHUATOCTO
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET Journal
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolIJERD Editor
 
Shmat ccs12
Shmat ccs12Shmat ccs12
Shmat ccs12Rahul Sule
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Richard Bullington-McGuire
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformRamesh Nagappan
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web ServicesJorgen Thelin
 
Easing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEntrust Datacard
 
The Best Practice with Code Signing Certificates - CodeSignCert.com
The Best Practice with Code Signing Certificates - CodeSignCert.comThe Best Practice with Code Signing Certificates - CodeSignCert.com
The Best Practice with Code Signing Certificates - CodeSignCert.comKayra Obrain
 

More Related Content

What's hot

Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...E-Government Center Moldova
 
Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...
Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...
Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...IJERA Editor
 
Managing IT security and Business Ethics
Managing IT security and Business EthicsManaging IT security and Business Ethics
Managing IT security and Business EthicsRahul Sharma
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization ModelsCSCJournals
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingSmart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingOKsystem
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationOliver Pfaff
 
The Domains of Identity & Self-Sovereign Identity MyData 2018
The Domains of Identity & Self-Sovereign Identity MyData 2018The Domains of Identity & Self-Sovereign Identity MyData 2018
The Domains of Identity & Self-Sovereign Identity MyData 2018Kaliya "Identity Woman" Young
 
Securing online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsSecuring online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsOlivier Potonniée
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card AuthenticationDan Usher
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlManaging PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlRamesh Nagappan
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossASRoger CARHUATOCTO
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET Journal
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolIJERD Editor
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Richard Bullington-McGuire
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformRamesh Nagappan
 

What's hot (19)

Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...
 
Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...
Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...
Modern Method for Detecting Web Phishing Using Visual Cryp-tography (VC) and ...
 
Managing IT security and Business Ethics
Managing IT security and Business EthicsManaging IT security and Business Ethics
Managing IT security and Business Ethics
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization Models
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingSmart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
 
Self-service Password Reset
Self-service Password ResetSelf-service Password Reset
Self-service Password Reset
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services Federation
 
Claims based identity for windows
Claims based identity for windowsClaims based identity for windows
Claims based identity for windows
 
The Domains of Identity & Self-Sovereign Identity MyData 2018
The Domains of Identity & Self-Sovereign Identity MyData 2018The Domains of Identity & Self-Sovereign Identity MyData 2018
The Domains of Identity & Self-Sovereign Identity MyData 2018
 
Securing online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsSecuring online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applications
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card Authentication
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access ControlManaging PIV Card Lifecycle and Converging Physical & Logical Access Control
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
 
Shmat ccs12
Shmat ccs12Shmat ccs12
Shmat ccs12
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
 
Government Citizen ID using Java Card Platform
Government Citizen ID using Java Card PlatformGovernment Citizen ID using Java Card Platform
Government Citizen ID using Java Card Platform
 

Similar to Identity, Security Credentials, and XML Web Services

Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web ServicesJorgen Thelin
 
Easing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEntrust Datacard
 
The Best Practice with Code Signing Certificates - CodeSignCert.com
The Best Practice with Code Signing Certificates - CodeSignCert.comThe Best Practice with Code Signing Certificates - CodeSignCert.com
The Best Practice with Code Signing Certificates - CodeSignCert.comKayra Obrain
 
The Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonlineThe Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonlineRapidSSLOnline.com
 
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2dP2PSystem
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfJUSTSTYLISH3B2MOHALI
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identityWAFAA AL SALMAN
 
TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015sllongo3
 
With-All-Due-Diligence20150330
With-All-Due-Diligence20150330With-All-Due-Diligence20150330
With-All-Due-Diligence20150330Jim Kramer
 
Self-Sovereign Identity for the Decentralized Web Summit
Self-Sovereign Identity for the Decentralized Web SummitSelf-Sovereign Identity for the Decentralized Web Summit
Self-Sovereign Identity for the Decentralized Web SummitKaliya "Identity Woman" Young
 
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authenticationIaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authenticationIaetsd Iaetsd
 
White paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLWhite paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLGlobalSign
 
Salesforce DevOps Online Training Institute
Salesforce DevOps Online Training InstituteSalesforce DevOps Online Training Institute
Salesforce DevOps Online Training Instituteeshwarvisualpath
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityT.Rob Wyatt
 
DevDay: Extending CorDapps with Self-Sovereign Identity: Technology Deepdive ...
DevDay: Extending CorDapps with Self-Sovereign Identity: Technology Deepdive ...DevDay: Extending CorDapps with Self-Sovereign Identity: Technology Deepdive ...
DevDay: Extending CorDapps with Self-Sovereign Identity: Technology Deepdive ...R3
 
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + CordaCordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + CordaVasiliy Suvorov
 
The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates RapidSSLOnline.com
 
The Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL CertificatesThe Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL CertificatesCheapSSLsecurity
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication ModelsRaj Chanchal
 

Similar to Identity, Security Credentials, and XML Web Services (20)

Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web Services
 
Easing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate Management
 
The Best Practice with Code Signing Certificates - CodeSignCert.com
The Best Practice with Code Signing Certificates - CodeSignCert.comThe Best Practice with Code Signing Certificates - CodeSignCert.com
The Best Practice with Code Signing Certificates - CodeSignCert.com
 
The Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonlineThe Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonline
 
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
317c0cdb 81da-40f9-84f2-1c5fba2f4b2d
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
 
Jsse
JsseJsse
Jsse
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
 
TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015
 
With-All-Due-Diligence20150330
With-All-Due-Diligence20150330With-All-Due-Diligence20150330
With-All-Due-Diligence20150330
 
Self-Sovereign Identity for the Decentralized Web Summit
Self-Sovereign Identity for the Decentralized Web SummitSelf-Sovereign Identity for the Decentralized Web Summit
Self-Sovereign Identity for the Decentralized Web Summit
 
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authenticationIaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authentication
 
White paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLWhite paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSL
 
Salesforce DevOps Online Training Institute
Salesforce DevOps Online Training InstituteSalesforce DevOps Online Training Institute
Salesforce DevOps Online Training Institute
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of Mediocrity
 
DevDay: Extending CorDapps with Self-Sovereign Identity: Technology Deepdive ...
DevDay: Extending CorDapps with Self-Sovereign Identity: Technology Deepdive ...DevDay: Extending CorDapps with Self-Sovereign Identity: Technology Deepdive ...
DevDay: Extending CorDapps with Self-Sovereign Identity: Technology Deepdive ...
 
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + CordaCordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
 
The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates
 
The Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL CertificatesThe Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL Certificates
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
 

More from Jorgen Thelin

The Internet of Cars - Towards the Future of the Connected Car
The Internet of Cars - Towards the Future of the Connected CarThe Internet of Cars - Towards the Future of the Connected Car
The Internet of Cars - Towards the Future of the Connected CarJorgen Thelin
 
Orleans: Cloud Computing for Everyone - SOCC 2011
Orleans: Cloud Computing for Everyone - SOCC 2011Orleans: Cloud Computing for Everyone - SOCC 2011
Orleans: Cloud Computing for Everyone - SOCC 2011Jorgen Thelin
 
Identity Services Drilldown - TechEd NA 2009
Identity Services Drilldown - TechEd NA 2009Identity Services Drilldown - TechEd NA 2009
Identity Services Drilldown - TechEd NA 2009Jorgen Thelin
 
Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Jorgen Thelin
 
Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008Jorgen Thelin
 
The New Enterprise Alphabet - .Net, XML And XBRL
The New Enterprise Alphabet - .Net, XML And XBRLThe New Enterprise Alphabet - .Net, XML And XBRL
The New Enterprise Alphabet - .Net, XML And XBRLJorgen Thelin
 
WS-* Specifications Update 2007
WS-* Specifications Update 2007WS-* Specifications Update 2007
WS-* Specifications Update 2007Jorgen Thelin
 
WS-* Protocol Workshop Process Overview
WS-* Protocol Workshop Process OverviewWS-* Protocol Workshop Process Overview
WS-* Protocol Workshop Process OverviewJorgen Thelin
 
Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Jorgen Thelin
 
Web Services Discovery for Devices
Web Services Discovery for DevicesWeb Services Discovery for Devices
Web Services Discovery for DevicesJorgen Thelin
 
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)Jorgen Thelin
 
Making Sense Of Web Services
Making Sense Of Web ServicesMaking Sense Of Web Services
Making Sense Of Web ServicesJorgen Thelin
 
Interoperability and Windows Communication Foundation (WCF) Overview
Interoperability and Windows Communication Foundation (WCF) OverviewInteroperability and Windows Communication Foundation (WCF) Overview
Interoperability and Windows Communication Foundation (WCF) OverviewJorgen Thelin
 
Real World Business Interoperability
Real World Business InteroperabilityReal World Business Interoperability
Real World Business InteroperabilityJorgen Thelin
 
Achieving Interoperability Through Web Services
Achieving Interoperability Through Web ServicesAchieving Interoperability Through Web Services
Achieving Interoperability Through Web ServicesJorgen Thelin
 
Zero-Defects Plug and Play -- General Quality Frameworks and Processes for Ac...
Zero-Defects Plug and Play -- General Quality Frameworks and Processes for Ac...Zero-Defects Plug and Play -- General Quality Frameworks and Processes for Ac...
Zero-Defects Plug and Play -- General Quality Frameworks and Processes for Ac...Jorgen Thelin
 
Web Services Security Tutorial
Web Services Security TutorialWeb Services Security Tutorial
Web Services Security TutorialJorgen Thelin
 
Web Service Oriented Architecture
Web Service Oriented ArchitectureWeb Service Oriented Architecture
Web Service Oriented ArchitectureJorgen Thelin
 
Web Services Container
Web Services ContainerWeb Services Container
Web Services ContainerJorgen Thelin
 
Server Farms and XML Web Services
Server Farms and XML Web ServicesServer Farms and XML Web Services
Server Farms and XML Web ServicesJorgen Thelin
 

More from Jorgen Thelin (20)

The Internet of Cars - Towards the Future of the Connected Car
The Internet of Cars - Towards the Future of the Connected CarThe Internet of Cars - Towards the Future of the Connected Car
The Internet of Cars - Towards the Future of the Connected Car
 
Orleans: Cloud Computing for Everyone - SOCC 2011
Orleans: Cloud Computing for Everyone - SOCC 2011Orleans: Cloud Computing for Everyone - SOCC 2011
Orleans: Cloud Computing for Everyone - SOCC 2011
 
Identity Services Drilldown - TechEd NA 2009
Identity Services Drilldown - TechEd NA 2009Identity Services Drilldown - TechEd NA 2009
Identity Services Drilldown - TechEd NA 2009
 
Protecting Online Identities - MIX09
Protecting Online Identities - MIX09Protecting Online Identities - MIX09
Protecting Online Identities - MIX09
 
Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008
 
The New Enterprise Alphabet - .Net, XML And XBRL
The New Enterprise Alphabet - .Net, XML And XBRLThe New Enterprise Alphabet - .Net, XML And XBRL
The New Enterprise Alphabet - .Net, XML And XBRL
 
WS-* Specifications Update 2007
WS-* Specifications Update 2007WS-* Specifications Update 2007
WS-* Specifications Update 2007
 
WS-* Protocol Workshop Process Overview
WS-* Protocol Workshop Process OverviewWS-* Protocol Workshop Process Overview
WS-* Protocol Workshop Process Overview
 
Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)
 
Web Services Discovery for Devices
Web Services Discovery for DevicesWeb Services Discovery for Devices
Web Services Discovery for Devices
 
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)
 
Making Sense Of Web Services
Making Sense Of Web ServicesMaking Sense Of Web Services
Making Sense Of Web Services
 
Interoperability and Windows Communication Foundation (WCF) Overview
Interoperability and Windows Communication Foundation (WCF) OverviewInteroperability and Windows Communication Foundation (WCF) Overview
Interoperability and Windows Communication Foundation (WCF) Overview
 
Real World Business Interoperability
Real World Business InteroperabilityReal World Business Interoperability
Real World Business Interoperability
 
Achieving Interoperability Through Web Services
Achieving Interoperability Through Web ServicesAchieving Interoperability Through Web Services
Achieving Interoperability Through Web Services
 
Zero-Defects Plug and Play -- General Quality Frameworks and Processes for Ac...
Zero-Defects Plug and Play -- General Quality Frameworks and Processes for Ac...Zero-Defects Plug and Play -- General Quality Frameworks and Processes for Ac...
Zero-Defects Plug and Play -- General Quality Frameworks and Processes for Ac...
 
Web Services Security Tutorial
Web Services Security TutorialWeb Services Security Tutorial
Web Services Security Tutorial
 
Web Service Oriented Architecture
Web Service Oriented ArchitectureWeb Service Oriented Architecture
Web Service Oriented Architecture
 
Web Services Container
Web Services ContainerWeb Services Container
Web Services Container
 
Server Farms and XML Web Services
Server Farms and XML Web ServicesServer Farms and XML Web Services
Server Farms and XML Web Services
 

Recently uploaded

QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 

Recently uploaded (20)

QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 

Identity, Security Credentials, and XML Web Services

  • 1. Identity, Security, and XML Web Services The Importance of Interoperable Security Credentials Jorgen Thelin <Jorgen.Thelin@capeclear.com> Abstract The use of security credentials and the concepts of single-sign-on and quot;identityquot; will play a big part in Web Service products as the technology matures and developers start writing true enter- prise-grade line-of-business applications. The emerging XML security standards such as SAML are reviewed, along with the various quot;identityquot; standards such as Passport and Liberty, to provide an overview of the evolution of Web Service platform products to support these. This paper examines just how quot;identity awarequot; Web Service implementations need to be, and the value a Web Services platform can add in masking developers from the complexity in this area. Lessons are drawn from the experience of using EJB security technology for real-world security scenarios. Table of Contents 1. Introduction ............................................................................................................................... 1 2. What is Identity? ........................................................................................................................ 2 2.1. Identity - Who are you? ..................................................................................................... 2 2.2. Identity - Proof of identity .................................................................................................. 2 2.3. Identity - Permissions ....................................................................................................... 3 3. Web Services and Identity ............................................................................................................ 3 3.1. Does this affect Web Services? ........................................................................................... 3 3.2. Security and Identity Considerations for Web Services Applications .......................................... 3 4. Interoperable XML Security and Identity ........................................................................................ 4 4.1. Requirements for Interoperable Security and Identity .............................................................. 4 4.2. Types of Security Tokens .................................................................................................. 4 4.3. Types of XML Security Interaction Dialogues ....................................................................... 5 5. SAML v1.0 ............................................................................................................................... 6 5.1. SAML Assertion Types ..................................................................................................... 7 6. Examples of Security Credentials in a SOAP Message ....................................................................... 7 6.1. A Username Token in a WS-Security SOAP Header ............................................................... 7 6.2. Binary X509 Certificate in a WS-Security SOAP Header ......................................................... 8 6.3. A SAML Assertion in a WS-Security SOAP Header ............................................................... 9 7. Single-sign-on Services ................................................................................................................ 9 7.1. Liberty Alliance ............................................................................................................. 10 7.2. Microsoft .NET Passport .................................................................................................. 10 7.3. WS-Trust ...................................................................................................................... 10 8. Identity-awareness in Web Services .............................................................................................. 10 9. Security in the Ultimate Web Services Platform .............................................................................. 11 10. Summary ............................................................................................................................... 11 Bibliography ............................................................................................................................... 11 Glossary ..................................................................................................................................... 12 1. Introduction This paper looks at the related concepts of identity and credentials, and how XML-based approaches are are now being used to provide increased interoperability among security systems. The various specifications and standards in this area are examined, and examples provided of how XML format security credentials are being used with SOAP and Web Services to allow end-to-end flow of identity and authentication information. Proceedings by deepX Ltd. 1 Rendered by www.RenderX.com
  • 2. Identity, Security, and XML Web Services 2. What is Identity? A definition from Cambridge Dictionaries Online: Identity [ noun ] Who a person is, or the qualities of a person or group which make them different from others. Source: http://dictionary.cambridge.org/define.asp?key=identity*1+0 At its most basic then, the concept of quot;identityquot; is about: • Who you are • How you prove who you are • What that allows you to do We will now explore these aspects in turn, and see how they apply to XML Web Services, and demonstrate the importance of standardized and interoperable security credentials. 2.1. Identity - Who are you? An identity equates to a particular subject or principal For example: Joe Bloggs - who lives at the address: 123 My Street, Your Town A subject usually equates to a single person, but could also be a group, corporation, or even something like an automated software agent component. The main thing is that there must be some way to distinguish one subject from another - there must be some differ- ences otherwise we are actually dealing with just a single subject! 2.2. Identity - Proof of identity The next question is how do you prove who you are? What credentials can you present to prove your identity? In real life, this is usually through some official documents such as: • Driving License • Passport In computing terms, a user also has a set of security credentials. Some common examples include: • username + password The password acts as a quot;shared secretquot; that is only known to the receiver and that one user. Possession of that password proves the user is who they say they are. Unfortunately most users tend to use insecure or easily guessable passwords, or divulge their passwords through quot;social engineeringquot; attacks. • X509 certificates X509 certificates are part of the Internet standard public / private key crypto- graphy system. A certificate is digitally signed by an issuing authority and binds a public key to a particular subject. Possession of that subject's private key to match the public key in the certificate proves the identity asserted by the certific- ate. It is technically possible to create fake security credentials in computing systems just as much as in real life - and in both cases various steps (both technical and procedural) are taken to make it hard to do this, and make it easier to detect the fakes. Proceedings by deepX Ltd. 2 Rendered by www.RenderX.com
  • 3. Identity, Security, and XML Web Services 2.3. Identity - Permissions The third question is what does this identity prove about us? What does this identity allow us to do? Some real life examples illustrate the concept here: • Passports • Holding a UK passport proves someone is a UK Citizen • Being a UK Citizen allows that person to live and work in the UK • Being a UK Citizen also allows that person to live and work in any other country in the European Union • Losing their passport does not stop someone being a UK Citizen; it just makes it harder to prove they are a citizen. • Driving Licenses • A standard driving license shows someone is allowed to drive a car • Someone is not allowed to drive a Heavy Goods Vehicle unless they hold a HGV Driving License The permissions and entitlements for an identity is ultimately determined by the set of credentials that were presented to assert that identity. Permissions and credentials are then used to make policy enforcement decisions, such as: • Is a person allowed to drive a Heavy Goods Vehicle? • Is a person allowed to work in the UK? 3. Web Services and Identity 3.1. Does this affect Web Services? Security and Identity is a fundamental requirement of any real-world deployment of a Web Services application Ultimately all security policy decisions are based on the caller's identity, so the concepts just discussed will become increasingly important to Web Services developers and users. The challenge is to how to represent and prove a caller's identity in an open and interoperable way. 3.2. Security and Identity Considerations for Web Services Applications There are several security and identity considerations that need to be borne in mind for any Web Services application: • Caller Authentication • Caller Authorization • Caller Attributes 3.2.1. Authentication Web Services authentication is about mechanisms to answer the following questions: • Who is the caller? Proceedings by deepX Ltd. 3 Rendered by www.RenderX.com
  • 4. Identity, Security, and XML Web Services • How did they prove their identity? • Do we trust the source of these credentials? 3.2.2. Authorization Web Services authorization is about answering the following questions: • What is the caller allowed to do? 3.2.3. Attributes Caller identity attributes are concerned with answers to the following questions: • What other facts or unique attributes do we know about the caller? For example, e-mail address, display pref- erences, department, employee number • How do we use this attribute information in the application? For example, customizing the data returned to the caller based on their display preferences 4. Interoperable XML Security and Identity 4.1. Requirements for Interoperable Security and Identity To achieve interoperable security and identity, web services require standardized mechanisms of doing all of the following: • Representing security credential data in XML • There needs to be a standardized format for representing security credentials and tokens using XML, to allow the widest interoperability. • For example, this can be done through the Security Assertions Markup Language (SAML) specification [SAML], or using the encoding rules for binary security tokens defined in the WS_Security specification [WSSE]. • Obtaining credential data or security tickets • For true interoperability, there needs to be a standardized mechanism to obtain security credentials or tickets in the first place. This is usually done by using a WSDL and SOAP call to an interface on a security authority service such as a single-sign-on product. • For example, single-sign-on services such as Microsoft Passport [.NET Passport] Liberty Alliance [Liberty Alliance] specifications can issue session ticket tokens valid for the defined period. • Transport credential data in a SOAP message • There needs to be a way of packaging the credential data or security tokens into a SOAP message in an agreed manner, so that both client and server can find, decode and process the credentials in the necessary manner. • For example, SOAP header fields defined in the ws-security specification [WSSE] 4.2. Types of Security Tokens The WS-Security specification [WSSE] defines the following types of security tokens: Proceedings by deepX Ltd. 4 Rendered by www.RenderX.com
  • 5. Identity, Security, and XML Web Services • Unsigned security tokens • Username • Signed security tokens • X.509 certificates (binary) • Kerberos tickets (binary) • XML security tokens • Any XML token, such as SAML • Usually self verifying / signed This leads to two main types of interaction when security credentials are being used with XML SOAP messages: • Using non self-validating credentials - See Section 4.3.1 • Using self-validating credentials - See Section 4.3.2 The main difference between these two is whether the receiver of the XML message can verify and validate the security credentials in the SOAP message without referring back to the authority service that issued the credentials. 4.3. Types of XML Security Interaction Dialogues 4.3.1. Typical XML Security Dialogue - Non Self-Validating Credentials The receiver of the credentials needs to query the security service to validate the credentials. Proceedings by deepX Ltd. 5 Rendered by www.RenderX.com
  • 6. Identity, Security, and XML Web Services Figure 1. Typical XML Security Dialogue - Non Self-Validating Credentials 4.3.2. Typical XML Security Dialogue - Self-Validating Credentials The receiver of the credentials can validate those credentials themselves, and does not need to query the security service to check the credentials. Self-validating credentials are usually achieved by the authority service which issued the security token digitally signing the credentials using their private key, and the receiver of the credentials then verifying using the issuing authority's public key which it already trusts. Figure 2. Typical XML Security Dialogue - Self-Validating Credentials 5. SAML v1.0 SAML is an XML-based framework for exchanging security information. It provides a standardized format for encoding credentials using XML. It is a published standard specification defined by the Organization for the Advancement of Structured Information Standards (OASIS) organization. Proceedings by deepX Ltd. 6 Rendered by www.RenderX.com
  • 7. Identity, Security, and XML Web Services The SAML specification defines: • How to represent security credentials (quot;Assertionsquot; in SAML parlance) using XML • An XML message exchange protocol for querying a SAML Authority service The SAML specification DOES NOT define: • How to obtail security credentials (quot;Assertionsquot;) in the first place 5.1. SAML Assertion Types There are three types of assertions defined in the SAML specification [SAML] • SAML Authentication Assertions • The results of an authentication action performed on a subject by a SAML authority Statements of the form: quot;An issuing authority asserts that subject S was authenticated by means M at time Tquot; • SAML Attribute Assertions • Attribute information about a subject • Statements of the form: quot;An issuing authority asserts that subject S is associated with attributes A, B and C with values 'a', 'b' and 'c'quot; • SAML Authorization Assertions • Authorization permissions that apply to a subject with respect to a specified resource • Statements of the form: quot;An issuing authority decides whether to grant the request by subject S for access type A to resource R given evidence Equot; 6. Examples of Security Credentials in a SOAP Message The following sections provide examples of the main type of security credentials carried in SOAP message: • Username token - Section 6.1 X509 binary certificate - Section 6.2 SAML authentication assertion - Section 6.3 6.1. A Username Token in a WS-Security SOAP Header <SOAP:Envelope xmlns:SOAP=quot;...quot;> <SOAP:Header> <wsse:Security xmlns:wsse=quot;http://schemas.xmlsoap.org/ws/2002/12/secextquot;> <wsse:UsernameToken> <wsse:Username>jthelin</wsse:Username> <wsse:Password Type=quot;wsse:PasswordDigestquot; >XYZabc123</wsse:Password> Proceedings by deepX Ltd. 7 Rendered by www.RenderX.com
  • 8. Identity, Security, and XML Web Services </wsse:UsernameToken> ... </wsse:Security> </SOAP:Header> <SOAP:Body Id=quot;MsgBodyquot;> <!-- SOAP Body data --> </SOAP:Body> </SOAP:Envelope> This example shows a SOAP message with a WS-Security header containing a username / password token. The token is for the user 'jthelin' in this example, and the base64-encoded copy of the SHA1 digest hash value of the password is included in the header too. To confirm these credentials are valid, the receiver of this message must querying the security authority for this user to confirm whether the enclosed password digest is correct for this user. 6.2. Binary X509 Certificate in a WS-Security SOAP Header <SOAP:Envelope xmlns:SOAP=quot;...quot;> <SOAP:Header> <wsse:Security xmlns:wsse=quot;http://schemas.xmlsoap.org/ws/2002/12/secextquot;> <wsse:BinarySecurityToken Id=quot;X509Tokenquot; wsse=quot;http://schemas.xmlsoap.org/ws/2002/12/secextquot; ValueType=quot;wsse:X509v3quot; EncodingType=quot;wsse:Base64Binaryquot; > MIIEZzCCA9CgAwIBAgIQEmtJZc0... </wsse:BinarySecurityToken> <ds:Signature xmlns:ds=quot;http://www.w3.org/2000/09/xmldsig#quot;> <ds:SignedInfo> ... </ds:SignedInfo> <ds:SignatureValue> ... </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI=quot;#X509Tokenquot; /> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> ... </wsse:Security> </SOAP:Header> <SOAP:Body Id=quot;MsgBodyquot;> <!-- SOAP Body data --> </SOAP:Body> </SOAP:Envelope> Proceedings by deepX Ltd. 8 Rendered by www.RenderX.com
  • 9. Identity, Security, and XML Web Services This example shows an X.509 digital certificate being included in the WS-Security SOAP header as a binary token. The token has been signed in accordance with the XML Digital Signature specification [XML Signature], and using the key information from the X.509 certificate to calculate the signature hash. 6.3. A SAML Assertion in a WS-Security SOAP Header <SOAP:Envelope xmlns:SOAP=quot;...quot;> <SOAP:Header> <wsse:Security xmlns:wsse=quot;http://schemas.xmlsoap.org/ws/2002/12/secextquot;> <saml:Assertion xmlns:saml=quot;urn:oasis:names:tc:SAML:1.0:assertionquot; MajorVersion=quot;1quot; MinorVersion=quot;0quot; AssertionID=quot;SecurityToken-mc375268quot; Issuer=quot;mycompanyquot; IssueInstant=quot;2002-07-23T11:32:05.6228146-07:00quot; > ... </saml:Assertion> <ds:Signature xmlns:ds=quot;http://www.w3.org/2000/09/xmldsig#quot;> <ds:SignedInfo> ... </ds:SignedInfo> <ds:SignatureValue> ... </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <saml:AssertionIDReference> SecurityToken-mc375268 </saml:AssertionIDReference> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> ... </wsse:Security> </SOAP:Header> <SOAP:Body Id=quot;MsgBodyquot;> <!-- SOAP Body data --> </SOAP:Body> </SOAP:Envelope> This example shows a SAML assertion being included in the WS-Security SOAP header as an XML token. The SAML token has been signed in accordance with the XML Digital Signature specification [XML Signature], and using the key information from the SAML assertion to calculate the signature hash. 7. Single-sign-on Services Single-sign-on services provide a single point of logon and authentication. They also provide a standardized way to obtain suitable credentials to prove an authenticated identity. The main contenders currently seem to be: • Liberty Alliance [Liberty Alliance] Proceedings by deepX Ltd. 9 Rendered by www.RenderX.com
  • 10. Identity, Security, and XML Web Services Microsoft Passport [.NET Passport] Proprietary security products such as Netegrity SiteMinder which are added direct SAML interfaces WS-Trust - A new specification to provide a standardized interface[WS-Trust] This still remains an area needing real standardization, and is an area that Web Services Interoperability Organiz- ation (WS-I)[WS-I] is now turning its attention to through it's Web Services Basic Security Profile. 7.1. Liberty Alliance The Liberty Alliance Project [Liberty Alliance] is a cross-industry group aiming to establish an open standard for federated network identity The Liberty specification v1.0 has two main facets: • Single sign-on • Identity federation 7.2. Microsoft .NET Passport Microsoft .NET Passport [.NET Passport] is a suite of Web-based services that makes using the Internet and pur- chasing online easier and faster for users. Microsoft has previously declared plans to upgrade the current Passport facilities to: • Provide an XML interface • Support federation • Use Kerberos v5 as the underlying mechanism for securely exchanging credentials 7.3. WS-Trust WS-Trust [WS-Trust] is a proposed specification in the WS-Security family to provide a standardized way to acquire security tokens from an authority service. WS-Trust is still very early in the standardization process, but is the most likely candidate for a common interface to security authorities for the future. 8. Identity-awareness in Web Services Question: Do web services themselves need to be identity-aware? Answer: Not really, in most cases. A mature web services platform product such as CapeClear 4 Server [CC4 Server] can handle almost all the quot;boilerplatequot; work of authentication and enforcement of access control lists. This is typically done through config- uring interceptors or plugins on a deployed web service to implement the required security policy. Most standard authentication and authorization functions are best done in a uniform manner by the platform, rather than being implemented on an application-by-application basis. Interceptor plugins allow this to be done as a deployment policy decision, rather than as an implementation decision. A Web Service application only needs to be Identity-aware if it needs to make use of user-specific attributes asserted for the caller. For example, reading the delivery address from the user's MS Passport record. Proceedings by deepX Ltd. 10 Rendered by www.RenderX.com
  • 11. Identity, Security, and XML Web Services 9. Security in the Ultimate Web Services Platform The ultimate goal will be to have declarative security functions for web services just like we already have for Enterprise Java Beans (EJB) systems now. So, we want to get to the situation of being able to make declarative statement of a web service applications security requirements in the following areas: • Permitted authentication realms / single-sign-on services • Required transport security attributes (for example, quot;Callers must use encrypted / SSL connectionsquot;) • Required message security attributes (for example, quot;Messages must be digitally signedquot;) • Role-based access control lists applied at the granularity of the operation / method call. There are some moves afoot to add some of this declarative security information into WSDL files, but there are no real standards for this at the moment. Watch this space though. This places control of security with application administrators rather than developers, and allows a uniform way to apply a security policy to enterprise web services. 10. Summary quot;Identityquot; is one of the fundamental concepts underpinning all Web Service security mechanisms, and will become increasingly important as more enterprise web services get deployed. Having a standard XML-based serialized form of credentials is vital for true end-to-end interoperability. Standardization of specifications for credential exchange and single-sign-on using XML and SOAP are still incomplete, so widespread interoperability is not yet possible. However, this is such an important area that it is the next thing that WS-I are developing an interoperability profile for. It is best to use a mature Web Services runtime platform such as Cape Clear Server to handle most quot;boilerplatequot; security tasks such as enforcing authentication and authorization requirements. Bibliography [CC4 Server] Cape Clear 4 Server - Enterprise-grade Web Services Integration Platform from Cape Clear Software Inc. http://www.capeclear.com/products/server/ [Kerberos] J. Kohl and C. Neuman, quot;The Kerberos Network Authentication Service (V5),quot; RFC 1510, September 1993. http://www.ietf.org/rfc/rfc1510.txt [Liberty Alliance] Liberty Alliance Project http://www.projectliberty.org/ [.NET Passport] Microsoft .NET Passport http://www.passport.com/ [SAML] SAML - Security Assertions Markup Language v1.0, OASIS XML-Based Security Services Technical Committee, 05-Nov-2002 http://www.oasis-open.org/committees/security/#documents/ [SOAP] W3C Note, quot;SOAP: Simple Object Access Protocol 1.1quot;, 08-May-2000. http://www.w3.org/TR/2000/NOTE- SOAP-20000508 [WS-I] WS-I - The Web Services Interoperability Organization http://www.ws-i.org/ [WSSE] WS-Security specification v1.0, 05-Apr-2002 http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm Proceedings by deepX Ltd. 11 Rendered by www.RenderX.com
  • 12. Identity, Security, and XML Web Services [WSSE-XML] WS-Security Profile for XML-based Tokens v1.0, 28-Aug-2002 http://msdn.microsoft.com/library/en- us/dnglobspec/html/ws-security-xml-tokens.asp [WS-Trust] WS-Trust specification v1.0, 18-Dec-2002 http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws- trust.asp [XML Signature] W3C Recommendation, quot;XML Signature Syntax and Processingquot;, 12 February 2002. http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/ [XML Encryption] W3C Recommendation, quot;XML Encryption Syntax and Processingquot; 10 December 2002. http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/ Glossary EJB Enterprise Java Beans OASIS Organization for the Advancement of Structured Information Standards SAML Security Assertions Markup Language WS-I Web Services Interoperability Organization Biography Jorgen Thelin Chief Scientist Cape Clear Software Inc. London United Kingdom Jorgen.Thelin@capeclear.com Jorgen Thelin is the Chief Scientist at Cape Clear Software Inc, where he focuses on Web Services technology and standards. Previously, he has worked on a number of major Java-based projects for blue-chip companies such as Reuters, J.P.Morgan, and BSkyB before moving to Orbware to design and build the Orcas EJB server. He holds a Computing Science degree from Stirling University, Scotland, and an MBA from Warwick Business School, England. He has been using the Java programming language since early 1996, and is a Sun Certified Java Programmer, Developer, and Architect. Proceedings by deepX Ltd. 12 Rendered by www.RenderX.com