Secure Web Services
Jim Ducharme
Director of Development
Netegrity, Inc.
Session 1372
Overall Presentation Goal
Learning Objectives
Agenda
What Is Security?
• Access control
– Identity management—Who are your users?
– Authentication—verifying user identity
– Authorization—what a user can do
– Auditing—keep track of what a user does
• Secure communication
– Keeping the conversation between
two parties private
Identity Management
Authentication Schemes
Authentication Schemes (Cont.)
Authentication Schemes (Cont.)
XML Signatures
• Binds a user identity to an XML document
• Proves messages are unaltered since
they were signed
– What they signed is what you got…
• Document is signed using the sender’s
private key
• Signature is verified using the sender’s
public key
• Issue: How does the recipient get the
user’s public key?
Sharing User Information
Sharing User Information (Cont.)
SAML
• XML specification based on S2ML,
being finalized by an OASIS TC
• Provides ability to pass user profile
information, authentication tokens,
and authorization entitlements
• Based on the concept of assertions
– A trusted authenticating authority
can state facts it knows about a user
– Authentication assertions
– Authorization assertions
How SAML Works
[Diagram: Widgets, Inc. (Users, SAML Enabled Auth engine) sends an XML PO with SAML assertions by HTTP POST to Pens, Inc. (Partners, SAML Enabled Auth Engine, Web Service); numbered arrows (1) through (5) match the steps below]
1. Employee of Widgets, Inc. authenticates (credentials) with SAML Enabled access control product
2. Employee retrieves a set of SAML assertions and binds it to the XML purchase order (includes Authentication assertion and attribute assertions with spending limits)
3. PO w/ SAML assertions is sent to Pens Inc.
4. Assertion is extracted from PO, verified. Partner is authenticated and employee is authorized
5. If authorized, Web service request is passed on
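The following Go program is an added example, not code from the deck or from Netegrity's products, and it covers both the XML Signatures slide and the five-step SAML flow above. It models the assertion as a small struct rather than the SAML schema, uses Ed25519 in place of the RSA/XML-DSig machinery, uses deterministic xml.Marshal output in place of XML canonicalization, and answers the "how does the recipient get the public key?" question with a pre-configured trust store of issuer name to public key. Issuer and subject names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Assertion is a simplified stand-in for a SAML assertion (constructed for this
// example, not the SAML schema): an authentication statement about Subject,
// vouched for by Issuer, plus one attribute assertion (a spending limit).
type Assertion struct {
	XMLName       xml.Name `xml:"Assertion"`
	Issuer        string   `xml:"Issuer"`
	Subject       string   `xml:"Subject"`
	SpendingLimit int      `xml:"SpendingLimit"`
}

// PurchaseOrder is the XML document the employee sends to the partner, with the
// assertion bound to it and the issuer's signature over the assertion.
type PurchaseOrder struct {
	XMLName   xml.Name  `xml:"PurchaseOrder"`
	Amount    int       `xml:"Amount"`
	Assertion Assertion `xml:"Assertion"`
	Signature string    `xml:"Signature"` // base64 signature over canonical Assertion bytes
}

// TrustStore maps issuer names to the public keys the partner accepts; it is the
// out-of-band answer to "how does the recipient get the user's public key?".
type TrustStore map[string]ed25519.PublicKey

// canonical produces the exact bytes that are signed. xml.Marshal of a struct is
// deterministic, standing in for XML canonicalization (C14N) in XML Signature.
func canonical(a Assertion) ([]byte, error) { return xml.Marshal(a) }

// NewAuthority creates a signing key pair for an authenticating authority.
func NewAuthority() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignAssertion signs the canonical assertion with the authority's private key.
func SignAssertion(priv ed25519.PrivateKey, a Assertion) (string, error) {
	msg, err := canonical(a)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg)), nil
}

// VerifyAssertion rejects unknown issuers and any assertion whose bytes no longer
// match the signature, i.e. anything altered or forged after signing.
func VerifyAssertion(trusted TrustStore, a Assertion, sigB64 string) error {
	pub, ok := trusted[a.Issuer]
	if !ok {
		return fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	msg, err := canonical(a)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("assertion signature does not verify")
	}
	return nil
}

// Authorize is the partner side of steps 4 and 5: verify the assertion, then apply
// the spending-limit attribute to the order. A verification failure is an error;
// an over-limit order is simply not authorized.
func Authorize(trusted TrustStore, po PurchaseOrder) (bool, error) {
	if err := VerifyAssertion(trusted, po.Assertion, po.Signature); err != nil {
		return false, err
	}
	return po.Amount <= po.Assertion.SpendingLimit, nil
}

func main() {
	pub, priv, err := NewAuthority()
	if err != nil {
		panic(err)
	}
	// Steps 1-2: Widgets' auth engine issues a signed assertion (names constructed).
	a := Assertion{Issuer: "widgets-auth-engine", Subject: "employee-42", SpendingLimit: 1000}
	sig, _ := SignAssertion(priv, a)
	po := PurchaseOrder{Amount: 500, Assertion: a, Signature: sig}
	// Steps 3-5: Pens, Inc. trusts only the Widgets key it was given out of band.
	trusted := TrustStore{"widgets-auth-engine": pub}
	ok, err := Authorize(trusted, po)
	fmt.Println("in-limit order authorized:", ok, err)
	// Raising the limit after signing changes the signed bytes, so verification fails.
	po.Assertion.SpendingLimit = 100000
	_, err = Authorize(trusted, po)
	fmt.Println("tampered assertion rejected:", err)
}
```

The design point is that the partner never has to fetch a key per user: the issuer's key is configured once, and every assertion is accepted or rejected on the issuer's signature, so an employee who edits the spending limit, or a stranger who fabricates an assertion from an unknown issuer, is stopped before any authorization decision is made.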
Hosted Identity Services
Hosted Identity Services (Cont.)
Microsoft Passport
• Part of Microsoft’s .NET strategy
• Centralized user store and authentication
service
• Reduces identity management and
authentication burden of service providers
• Currently limited to browser-based apps
• Attractive to consumer based services
Hosted Identity Services (Cont.)
Liberty Alliance
• Formed in Sept ’01
– Sun, AOL, etc.
• Developing a solution to support “federated”
user identity
• Common framework to enable single sign-on
and identity sharing
• A lot of muscle behind the effort but no real
solutions available yet
Secure Communication
How Centralized Access Control Works
[Diagram: Users connect to a Web Service through Delegated Administration and Management; labelled functions: Discover, Auth/Az, Encryption, Transport, Non-repudiation, Digital Signing, Consume, SAML, Discovery, Web Service; product: TransactionMinder]
For More Information…