State-of-the-Art in Web Services Federation

European Identity Conference 2009
Dr. Oliver Pfaff

Copyright © Siemens AG 2009. All rights reserved.
What’s Next?
Dive deeper into identity federation for Web services
Key points for this discussion:
     Web services vs. traditional Web applications
     – what is the Web services magic?
     Asking for identity assertions vs. expressing them vs. supplying them
     – what makes the real difference?
Presentation overview:
     Setting the scene
     About Web services
     Good news
     But things complicate quickly
     Conclusions and outlook

Page 2         May 2009                                                  Siemens IT Solutions and Services
Setting the Scene
Reminder: A ‘Simple’ Trick Needs To Be Done

Figure: the resource provider requests identity assertions from the user; the user authenticates to the identity provider (which holds the user data) and supplies the identity assertions to the resource provider, whose authorization step controls access to the resource.

Setting the Scene
Main Aspect#1: Acquiring Identity Assertions
 Expressiveness requirements:
      Request identity assertions: articulate the need to present identity assertions and
      express expectations on their issuer, contained information and their security binding
      Supply identity assertions: embody identity assertions with protocol primitives of the
      given protocol stack
 Security requirements:
      Proof-of-possession (for identity assertions): verify that it is actually John Doe who
      presents an identity assertion such as: authentication authority says: this is ‘John
      Doe’, an employee of ‘acme.example’ with the role ‘manager’

Setting the Scene
Main Aspect#2: Asserting Identity
 Expressiveness requirements:
          IdM: imprint arbitrary subject identifiers (e.g. X.500 distinguished names, RFC 822
          names) and subject attributes (e.g. statically/dynamically assigned)
          Authentication (of users): support arbitrary authentication schemes and
          authentication process-related metadata e.g. level of assurance
          Authorization: enable the supply of subject-related authorization decisions/policies
 Security requirements:
          Authentication (of identity assertions): verify the authenticity of identity assertions

About Web Services
Defining Web Services
 A Web service is a software system identified by a URI, whose public interfaces
 and bindings are defined and described using XML. Its definition can be
 discovered by other software systems. These systems may then interact with the
 Web service in a manner prescribed by its definition, using XML based
 messages conveyed by Internet protocols
                                                                    Source: W3C

About Web Services
System Model

Figure: a WS consumer (application logic + WS stack) exchanges SOAP messages with a WS provider (WS stack + application logic); the provider's interface is published as a WSDL document.

WSDL: the manual for a Web service; defines its service contract and allows it to be
published as a document
WS-stack: the protocol engine for a Web service
   Provides SOAP message exchange, esp. SOAP header processing including the
   SOAP security headers
   Also provides utilities for the publication of business functionality as a Web service
   Well-known examples: Apache Axis, Microsoft WCF, Sun Metro


                                               Copyright © Siemens AG 2009. All rights reserved.
Page 7           May 2009                                               Siemens IT Solutions and Services
About Web Services
Web Service Contracts (WSDL)
 Provide declarative descriptions for the functionality of a Web service esp.:
          Business functionality:
              Messages: which vocabulary is spoken by the Web service?
              Operations: which operations does it offer?
              Bindings: how to integrate with the underlying protocol stack?
              Ports: where to reach an endpoint of a Web service?
          Security functionality:
              User authentication: which objects (aka identity assertions) to provide in order to
              establish user authentication – including which attributes and other information to
              present?
              Message authentication: how to compute cryptographic checksums over request /
              response messages or parts thereof – including identity assertions?
              Message encryption: how to encrypt request/response messages or parts thereof –
              including identity assertions?

About Web Services
Security Token Services (WS-Trust)

Figure: a WS consumer (application logic + WS stack) first runs an STS request/response against the STS (WS stack + STS logic, backed by an identity store) and then the WS request/response against the provider; the WSDL's sp:IssuedToken and sp:ProtectionToken elements drive both steps.

 STSs are Web services that specialize in supplying certain security services, esp.
 user authentication
 They provide a request/response framework for security token processing – issuance/
 validation/renewal/negotiation/cancellation
 WS-stacks natively support:
       Acquisition of security tokens from STSs – triggered by WSDL child elements
       sp:IssuedToken
       Cryptographic binding of security tokens to SOAP messages – triggered by
       sp:ProtectionToken child elements
 As Web services, STSs may require their own security tokens for authenticating
 and authorizing security token requests

About Web Services
WS-* Security Technologies Compass

Figure (relations between the WS-* security specifications):
 SOAP Message Security (OASIS standard, WSS TC) provides message authentication via
 XML Signature (W3C standard), message encryption via XML Encryption (W3C standard)
 and user authentication via security tokens
 Security token is an abstract notion; a SAML assertion (OASIS standard, SAML TC) is a
 kind of security token
 WS-Trust (OASIS standard, WS-SX TC) defines WSs for managing security tokens
 WS-Federation (OASIS committee specification) is an extension to WS-Trust
 WS-SecurityPolicy (OASIS standard, WS-SX TC) allows profiling of SOAP Message
 Security and defines security for STSs
 WS-Policy (W3C standard) allows publishing of WS-SecurityPolicy assertions

About Web Services
Requirements On Identity Federation Solutions
 Stay in the Web services model i.e.:
       Request the supply of identity assertions as well as their SOAP message binding
       as a part of the WSDL
           Rationale: declarative description of service interfaces incl. security
       Supply identity assertions with SOAP message, esp. their headers
           Rationale: decoupling of business and security functionality
       Perform proof-of-possession for identity assertions by binding them with SOAP
       message contents
           Rationale: security
       Deliver security functionality such as user authentication in the form factor of a Web
       service
           Rationale: decoupling, separation of concerns

Good News
Main Aspect#1: Web Services Do It Natively
 Expressiveness requirements:
       Request identity assertions: the Web service contract allows articulating
       requirements on identity assertions (WS-SecurityPolicy, WS-Trust):
           Whom to ask for the identity assertion?
           What to imprint into the identity assertion?
           How to secure it (proof-of-possession)?
       Supply identity assertions:
           WS-stacks natively acquire identity assertions (triggered by WS-SecurityPolicy
           sections in WSDLs; governed by WS-Trust)
           STSs provide native Web service abstractions dedicated to the issuance of identity
           assertions (defined by WS-Trust)
           WS-stacks natively transfer identity assertions within SOAP headers (triggered by
           WS-SecurityPolicy sections in WSDLs; governed by the SAML token profile of SOAP
           message security)
 Security requirements:
       Proof-of-possession (for identity assertions): WS-stacks natively support the
       cryptographic binding of identity assertions to SOAP messages (triggered by WS-
       SecurityPolicy sections in WSDLs; governed by the SAML token profile of SOAP
       message security)

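The proof-of-possession requirement set out in "Setting the Scene" and the cryptographic binding named above, as an added example that is not part of the original deck: a resource provider verifies a holder-of-key assertion against the SOAP body it arrives with and, for contrast, accepts a bearer assertion from whoever presents it. HMAC-SHA256 stands in for XML Signature, the proof key is imprinted in the clear, and the STS name, subject and SOAP bodies are constructed.

```python
"""Proof-of-possession for an identity assertion: holder-of-key vs. bearer
confirmation, reduced to the checks a resource provider performs.

Added example, not code from the deck. Simplifications: HMAC-SHA256 stands in for
XML Signature (the STS's signature over the assertion and the consumer's signature
over the SOAP body), the proof key is imprinted in the clear (a real assertion
carries it encrypted for the provider or as a public key, and WS-Trust delivers it
in the RSTR), and the assertion is a dict, not a saml:Assertion. Subject, STS name
and SOAP bodies are constructed."""
import hashlib
import hmac
import json
import secrets

HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def _canon(obj):
    """Deterministic serialisation, standing in for XML canonicalisation."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class STS:
    """Issues assertions; the provider trusts whatever verifies under
    signing_key (in practice it holds the STS's certificate)."""

    def __init__(self):
        self.signing_key = secrets.token_bytes(32)

    def issue(self, subject, method):
        """Return (assertion, proof_key). Holder-of-key imprints a fresh 256-bit
        key (cf. wst:KeyType SymmetricKey, wst:KeySize 256) and hands it to the
        requester; bearer imprints no key at all."""
        proof_key = secrets.token_bytes(32) if method == HOLDER_OF_KEY else None
        body = {"issuer": "sts.acme.example", "subject": subject, "confirmation": method,
                "proof_key": proof_key.hex() if proof_key else None}
        return {"body": body, "issuer_sig": _mac(self.signing_key, _canon(body))}, proof_key

def build_request(assertion, soap_body, proof_key):
    """WS consumer: assertion into the security header and, if it holds the
    proof key, a signature over the body with it (the holder-of-key binding)."""
    msg = {"security_header": assertion, "body": soap_body}
    if proof_key is not None:
        msg["body_sig"] = _mac(proof_key, soap_body.encode())
    return msg

def verify_request(msg, sts_verification_key):
    """Resource provider: (1) authenticate the assertion, (2) check that the
    sender can prove possession of the key the assertion names."""
    assertion = msg["security_header"]
    body = assertion["body"]
    if not hmac.compare_digest(_mac(sts_verification_key, _canon(body)), assertion["issuer_sig"]):
        return False, "assertion not issued (or altered) by the trusted STS"
    if body["confirmation"] == HOLDER_OF_KEY:
        if "body_sig" not in msg:
            return False, "holder-of-key assertion but SOAP body is unsigned"
        expected = _mac(bytes.fromhex(body["proof_key"]), msg["body"].encode())
        if not hmac.compare_digest(expected, msg["body_sig"]):
            return False, "body signature does not verify with the assertion's proof key"
        return True, body["subject"] + " proved possession of the key"
    if body["confirmation"] == BEARER:
        # Nothing ties the assertion to this message or this sender.
        return True, body["subject"] + " accepted on bearer basis (no proof-of-possession)"
    return False, "unknown confirmation method"

def scenario():
    """The cases behind the deck's proof-of-possession requirement."""
    sts = STS()
    hok, key = sts.issue("John Doe", HOLDER_OF_KEY)
    legit = verify_request(build_request(hok, "<getPayslip/>", key), sts.signing_key)
    # Same holder-of-key assertion presented by a party that lacks the proof key.
    foreign = verify_request(build_request(hok, "<getPayslip/>", secrets.token_bytes(32)),
                             sts.signing_key)
    # Holder-of-key assertion whose subject was edited after issuance.
    forged = {"body": dict(hok["body"], subject="Jane Roe"), "issuer_sig": hok["issuer_sig"]}
    altered = verify_request(build_request(forged, "<getPayslip/>", key), sts.signing_key)
    # A bearer assertion gives the provider no way to tell these parties apart.
    bearer, _ = sts.issue("John Doe", BEARER)
    replayed = verify_request(build_request(bearer, "<getPayslip/>", None), sts.signing_key)
    return {"holder_of_key": legit, "holder_of_key_wrong_key": foreign,
            "altered_assertion": altered, "bearer_replay": replayed}

if __name__ == "__main__":
    for case, (ok, why) in scenario().items():
        print(f"{case:24} {'ACCEPT' if ok else 'REJECT'}  {why}")
```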
Good News
Main Aspect#2: Has a Common-Sense Solution
 saml:Assertion objects present the common-sense solution for asserting
 identity in Web services environments.

Good News
Use Case Coverage
 The native Web services functionality covers the basic SSO use case in identity
 federation characterized by:
       Singular identity assertion per SOAP request
       Cleartext subject identifiers e.g. X.500 distinguished names, RFC 822 names (i.e.
       static information from persistence)
       User-centric subject attributes e.g. organizational affiliation or role assignments

But Things Complicate Quickly
More Sophisticated Use Cases
 But the native support does not cover more sophisticated SSO use cases and
 other identity federation use cases e.g.:
       Supply of multiple assertions per request e.g. WSs that ask for security tokens from
       multiple STSs
       Pseudonyms as privacy-preserving user identifiers
       Embodiment of subject-related authorization decisions or policies in identity
       assertions
 Commonly quoted options to choose identity federation protocols for more
 sophisticated use cases in Web services environments include:
       SAML 2.0
       WS-Federation - generation 1
       WS-Federation - generation 2
       Liberty Alliance ID-WSF
       Liberty Alliance ID-SIS
       XSPA

But Things Complicate Quickly
Brief Assessment
 Compared: SAML 2.0 | WS-Federation generation 1 | WS-Federation generation 2 | Liberty Alliance ID-WSF | Liberty Alliance ID-SIS | XSPA

 Deliverables
       SAML 2.0: Specifies identity assertions (for arbitrary environments). Defines protocols, bindings and profiles for identity federation (mainly for Web applications)
       WS-Federation generation 1: Specifies identity federation primitives – beyond SSO
       WS-Federation generation 2: Specifies identity federation primitives – beyond SSO
       Liberty Alliance ID-WSF: Defines a framework for building identity-based services
       Liberty Alliance ID-SIS: Defines particular identity-based services: employee profile, personal profile, geo-location, presence, contact book
       XSPA: Adds an access control model to the basic SSO use case. The considered authz model is health-care and RBAC specific
 Use cases
       SAML 2.0: SSO, SLO, name identifier mapping/management, attribute/authz service
       WS-Federation generation 1: SLO, attribute service, pseudonym service (note: SSO is natively covered)
       WS-Federation generation 2: SLO, attribute/authz service, pseudonym service (note: SSO is natively covered)
       Liberty Alliance ID-WSF: Authn, SSO, identity mapping, permission-based attribute sharing, identity service description and discovery
       Liberty Alliance ID-SIS: N.a. (no federation enabler)
       XSPA: Profiles standard abstractions according to the given objective
 Identity assertion form-factors
       SAML 2.0: saml:Assertion
       WS-Federation generation 1: Arbitrary security token including but not limited to saml:Assertion
       WS-Federation generation 2: Arbitrary security token including but not limited to saml:Assertion
       Liberty Alliance ID-WSF: saml:Assertion (produced by the ID-WSF SSO service)
       Liberty Alliance ID-SIS: N.a. (no federation enabler)
       XSPA: saml:Assertion
 Expressiveness
       SAML 2.0: AuthnRequest is NameID- and AuthnContext-centric: cannot express expectations re assigned attributes and authz information. AuthnRequest is also Web service security unaware: cannot express expectations re binding of identity assertions with SOAP messages.
       WS-Federation generation 1: Inherits WS-Trust RST/RSTR and extends it according to the given use cases
       WS-Federation generation 2: Inherits WS-Trust RST/RSTR and extends it according to the given use cases
       Liberty Alliance ID-WSF: Builds upon SAML AuthnRequest/Response, i.e. those parts of the SAML specification suite that are Web services unaware, and builds its own solutions around the shortcomings inherited from this design decision
       Liberty Alliance ID-SIS: N.a. (no federation enabler)
       XSPA: Profiles standard abstractions according to the given objective
 Extensibility
       SAML 2.0: SAML request and response messages define generic extension points
       WS-Federation generation 1: Inherits WS-Trust RST/RSTR and extends it according to the given use cases
       WS-Federation generation 2: Inherits WS-Trust RST/RSTR and extends it according to the given use cases
       Liberty Alliance ID-WSF: Does not provide relevant extension points in its self-defined vocabulary
       Liberty Alliance ID-SIS: N.a. (no federation enabler)
       XSPA: Profiles standard abstractions according to the given objective
 Web services integration
       SAML 2.0: SAML-defined SOAP bindings remain ‘naïve’: empty soap:Header, Web service security unaware, no WSDL
       WS-Federation generation 1: Native Web service specification
       WS-Federation generation 2: Native Web service specification
       Liberty Alliance ID-WSF: Native Web service specification
       Liberty Alliance ID-SIS: Native Web service specification
       XSPA: Native Web service specification
 Standard
       SAML 2.0: OASIS standard
       WS-Federation generation 1: Published vendor specification
       WS-Federation generation 2: Emerging OASIS standard
       Liberty Alliance ID-WSF: Liberty Alliance standard
       Liberty Alliance ID-SIS: Liberty Alliance standard
       XSPA: Emerging OASIS standard

But Things Complicate Quickly
Web Services Fitness of SAML 2.0
Figure: SAML 2.0 usage with traditional Web applications vs. usage with Web services. When used with Web services, SAML 2.0 inherits the Web service security unawareness of the SAML bindings, i.e. it remains Web service security unaware:
      • Request primitives do not help much (cf. below)
      • Query primitives present candidates

But Things Complicate Quickly
Limitations of samlp:AuthnRequest
 Means ‘perform authn and provide a report in the form of a saml:Assertion’
 Among the main subsections of saml:Assertion objects, it allows expressing
 expectations on saml:Subject and saml:AuthnStatement
 Does not allow expressing expectations on the saml:AttributeStatement
 subsection – this ability is key for claims-based approaches
       Web services use sp:RequestSecurityTokenTemplate, which allows shaping
       the saml:AttributeStatement section (via wst:Claims child elements)
 Does not cover proof-of-possession – this ability is key to advanced security
 models. Note that this requires two things:
       Triggering the imprinting of certain information in the assertion
           Web services use abstractions such as wst:Entropy, wst:KeyType,
           wst:KeySize
       Triggering the cryptographic binding with the SOAP request
           Web services use various binding mechanisms
 Does not allow requesting security tokens that are not SAML assertions – this ability
 is key for holistic modeling (e.g. initial authn steps based on x509:Certificate
 objects and subsequent authn steps based on saml:Assertion objects)

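An added example (not from the deck or from any WS-stack) that serves both the three questions of the "Good News" slide (whom to ask, what to imprint, how to secure it) and the contrast drawn on this slide: it reads issuer, token type, claims and key requirements out of a constructed sp:IssuedToken with its sp:RequestSecurityTokenTemplate, then puts the same questions to a constructed samlp:AuthnRequest. The namespace, TokenType, KeyType and claim URIs are the real WS-SecurityPolicy 1.2, WS-Trust 1.3, WSS SAML token profile 1.1, identity-claim-dialect and SAML 2.0 values; the STS address, key size and request ID are assumptions.

```python
"""Read the identity-assertion requirements from a WSDL's WS-SecurityPolicy
sp:IssuedToken, as a consumer-side WS-stack does before contacting the STS,
and put the same questions to a samlp:AuthnRequest.

Added example. The XML fragments are constructed; the namespace, TokenType,
KeyType and claim URIs are the real ones from WS-SecurityPolicy 1.2, WS-Trust 1.3,
the WSS SAML token profile 1.1, the 2005/05 identity claim dialect and SAML 2.0;
the STS address, key size and request ID are assumptions."""
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
WST = NS["wst"]
# wst:KeyType values of WS-Trust 1.3 -> (label, does the presenter get a key to prove?)
KEY_TYPES = {WST + "/SymmetricKey": ("symmetric", True),
             WST + "/PublicKey": ("public", True),
             WST + "/Bearer": ("bearer", False)}

# Constructed policy: "ask sts.acme.example for a SAML 2.0 assertion with an
# e-mail claim, bound to a 256-bit symmetric proof key".
ISSUED_TOKEN_POLICY = f"""
<wsp:Policy xmlns:wsp="{NS['wsp']}" xmlns:sp="{NS['sp']}" xmlns:wst="{NS['wst']}"
            xmlns:wsa="{NS['wsa']}" xmlns:ic="{NS['ic']}">
  <sp:IssuedToken sp:IncludeToken="{NS['sp']}/IncludeToken/AlwaysToRecipient">
    <sp:Issuer><wsa:Address>https://sts.acme.example/trust</wsa:Address></sp:Issuer>
    <sp:RequestSecurityTokenTemplate>
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:KeyType>{WST}/SymmetricKey</wst:KeyType>
      <wst:KeySize>256</wst:KeySize>
      <wst:Claims Dialect="{NS['ic']}">
        <ic:ClaimType Uri="{NS['ic']}/claims/emailaddress"/>
        <ic:ClaimType Uri="{NS['ic']}/claims/givenname" Optional="true"/>
      </wst:Claims>
    </sp:RequestSecurityTokenTemplate>
    <wsp:Policy><sp:RequireInternalReference/></wsp:Policy>
  </sp:IssuedToken>
</wsp:Policy>"""

# Constructed samlp:AuthnRequest asking for the same kind of subject identifier.
AUTHN_REQUEST = f"""
<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
                    ID="_req-0001" Version="2.0" IssueInstant="2009-05-05T10:00:00Z">
  <saml:Issuer>https://ws.acme.example/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def _text(parent, path):
    el = parent.find(path, NS)
    return el.text.strip() if el is not None and el.text else None

def issued_token_requirements(policy_xml):
    """Whom to ask, what to imprint, how to secure: the three questions the
    deck says a Web service contract can answer."""
    tok = ET.fromstring(policy_xml).find(".//sp:IssuedToken", NS)
    if tok is None:
        raise ValueError("policy contains no sp:IssuedToken")
    tmpl = tok.find("sp:RequestSecurityTokenTemplate", NS)
    if tmpl is None:
        raise ValueError("sp:IssuedToken without sp:RequestSecurityTokenTemplate")
    key_type, pop = KEY_TYPES.get(_text(tmpl, "wst:KeyType"), ("unknown", False))
    key_size = _text(tmpl, "wst:KeySize")
    claims = [(c.get("Uri"), c.get("Optional", "false") == "true")
              for c in tmpl.findall("wst:Claims/ic:ClaimType", NS)]
    return {
        "issuer": _text(tok, "sp:Issuer/wsa:Address"),  # whom to ask
        "token_type": _text(tmpl, "wst:TokenType"),     # what to imprint (and below)
        "required_claims": [u for u, opt in claims if not opt],
        "optional_claims": [u for u, opt in claims if opt],
        "key_type": key_type,                           # how to secure it
        "key_size": int(key_size) if key_size else None,
        "proof_of_possession": pop,  # bearer: whoever holds the token may present it
    }

def authn_request_requirements(request_xml):
    """The same questions put to a samlp:AuthnRequest: it can shape saml:Subject
    (NameIDPolicy) and saml:AuthnStatement (RequestedAuthnContext) but has no
    place for claims or a proof key."""
    req = ET.fromstring(request_xml)
    nip = req.find("samlp:NameIDPolicy", NS)
    return {
        "issuer": _text(req, "saml:Issuer"),
        "name_id_format": nip.get("Format") if nip is not None else None,
        "authn_context": [c.text for c in req.findall(
            "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)],
        "required_claims": None,      # no way to state saml:AttributeStatement expectations
        "proof_of_possession": None,  # no counterpart to wst:KeyType / wst:KeySize
    }
```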
But Things Complicate Quickly
Also Expect Difficulties Beyond The Specifications
 The following aspects stress the features of currently available WS-stacks:
       Supply of multiple security tokens or identity assertions per WS request, i.e.
       transfer and handling of SAML assertion chains
       Supply of user-specific arguments in security token requests
       Handling of SAML assertions that embody subject-related authorization decisions
       or policies, e.g. XACML policies
 Recommendation: the more sophisticated an identity federation architecture gets,
 the more carefully WS-stacks need to be selected.

Conclusions
Web Services Vs. Traditional Web Applications
 Dedicated, client-understood abstractions to request identity assertions:
       Web services use WS-SecurityPolicy sections in WSDLs
       Web applications do not have similar means and depend on workarounds for this
       limitation (SAML profiles, Shibboleth, Liberty Alliance ID-FF) or implicitly invoke
       WS clients (CardSpace)
 Dedicated service abstractions for issuing identity assertions:
       Web services build upon STSs (WS-Trust)
       Web applications build upon specific abstractions that are defined by and confined
       to specific federation protocol technologies (e.g. SAML profiles, Shibboleth, Liberty
       Alliance ID-FF)
 Dedicated protocol layer for securely supplying identity assertions:
       Web services have the SOAP message header layer and its security headers
       (SOAP message security, SAML token profile) and can esp. take care of proof-of-
       possession
       Web applications do not have that and use the HTML layer as a replacement. They
       cannot take care of proof-of-possession because browsers are unaware of the
       identity assertion abstraction

Conclusions
Technology Options
 Web services natively support the basic SSO use case in identity federation:
       If your requirements match the basic SSO use case, there is no need to worry about
       complementary specifications such as WS-Federation, ID-WSF, ID-SIS, XSPA…
           Beware of false friends: WS-Federation is no prerequisite for Web services federation
       If your requirements go beyond basic SSO, there is not yet a silver bullet:
           Whether WS-Federation, ID-WSF, ID-SIS or XSPA help needs to be determined
           according to the specific case
               Technology should follow use case: don’t choose by (presumed) technology
               preference; choose by the needs of your use case
               Check whether suggested solutions stay in the Web services model
 SAML vs. WS-* discussions are frequently encountered but are actually voodoo:
 there is a continental divide - you either have a Web application or a Web service:
       If you have a Web application, the SAML 2.0 specification suite will be a top
       candidate for an identity federation solution
       If you have a Web service, the SAML 2.0 specification suite will contribute the
       saml:Assertion abstraction but hardly much more

Outlook
The discussed approach ‘First authenticate, then transfer authenticated subject
information’ presents a new paradigm for IdM in distributed systems. This is
breaking with the traditional tight coupling between producers (e.g. authentication)
and consumers (e.g. authorization) of authenticated subject information.
Expect this paradigm shift to happen – maybe slowly, but steadily:
      Web services re-prioritize the paradigms for IdM in distributed systems:
          The emerging paradigm ‘First authenticate, then transfer authenticated subject
          information’ becomes the default approach.
          The traditional paradigm ‘First transfer unauthenticated user data, then authenticate’
          becomes an exception.
      Other market participants sing the same song (cf. Microsoft Geneva, IdM and SOA
      whitepapers of various vendors) - just in other words

Abbreviations
ID-FF – Identity Federation Framework
ID-SIS – Identity Service Interface Specifications
ID-WSF – Identity Web Services Framework
IdM – Identity Management
RST – Request Security Token
RSTR – Request Security Token Response
SAML – Security Assertion Markup Language
SLO – Single Log Out
SOAP – Simple Object Access Protocol
SSO – Single Sign On
STS – Security Token Service
W3C – World Wide Web Consortium
WS – Web Service
WSDL – Web Services Description Language
XSPA – Cross-Enterprise Security and Privacy Authorization

Namespace Prefixes
saml – SAML (assertion syntax)
samlp – SAML (protocol syntax)
sp – WS-SecurityPolicy
wsp – WS-Policy
wst – WS-Trust

Author
Dr. Oliver Pfaff
Siemens IT Solutions and Services
E-Mail: oliver.pfaff@siemens.com

 
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingSmart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
 
Juniper Enterprise Guest Access
Juniper Enterprise Guest AccessJuniper Enterprise Guest Access
Juniper Enterprise Guest Access
 
Secure Architecture Evaluation for Agent Based Web Service Discovery
Secure Architecture Evaluation for Agent Based Web Service DiscoverySecure Architecture Evaluation for Agent Based Web Service Discovery
Secure Architecture Evaluation for Agent Based Web Service Discovery
 
The Intricacies Of Enterprise Integration Soa Vs Esb
The Intricacies Of Enterprise Integration   Soa Vs EsbThe Intricacies Of Enterprise Integration   Soa Vs Esb
The Intricacies Of Enterprise Integration Soa Vs Esb
 

Similar to State-of-the-Art in Web Services Federation

Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
On technical security issues in cloud computing
On technical security issues in cloud computingOn technical security issues in cloud computing
On technical security issues in cloud computingsashi799
 
Making Sense Of Web Services
Making Sense Of Web ServicesMaking Sense Of Web Services
Making Sense Of Web ServicesJorgen Thelin
 
Bridging the Enterprise and the Cloud from Layer 7
Bridging the Enterprise and the Cloud from Layer 7Bridging the Enterprise and the Cloud from Layer 7
Bridging the Enterprise and the Cloud from Layer 7CA API Management
 
Unified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPUnified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPOliver Pfaff
 
Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Jorgen Thelin
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web ServicesJorgen Thelin
 
Monetizing The Enterprise: Borderless Networks
Monetizing The Enterprise: Borderless NetworksMonetizing The Enterprise: Borderless Networks
Monetizing The Enterprise: Borderless NetworksCisco Service Provider
 
Cisco Sona
Cisco SonaCisco Sona
Cisco Sonajayconde
 
Smartronix - Building Secure Applications on the AWS Cloud
Smartronix - Building Secure Applications on the AWS CloudSmartronix - Building Secure Applications on the AWS Cloud
Smartronix - Building Secure Applications on the AWS CloudAmazon Web Services
 
SmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketSmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketOKsystem
 
Over the Air 2011 Security Workshop
Over the Air 2011 Security Workshop Over the Air 2011 Security Workshop
Over the Air 2011 Security Workshop Ericsson Labs
 
O Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bO Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bBruce O'Dell
 
AWS IoT Deep Dive - AWS IoT Web Day
AWS IoT Deep Dive - AWS IoT Web DayAWS IoT Deep Dive - AWS IoT Web Day
AWS IoT Deep Dive - AWS IoT Web DayAWS Germany
 

Similar to State-of-the-Art in Web Services Federation (20)

Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
On technical security issues in cloud computing
On technical security issues in cloud computingOn technical security issues in cloud computing
On technical security issues in cloud computing
 
Making Sense Of Web Services
Making Sense Of Web ServicesMaking Sense Of Web Services
Making Sense Of Web Services
 
Bridging the Enterprise and the Cloud from Layer 7
Bridging the Enterprise and the Cloud from Layer 7Bridging the Enterprise and the Cloud from Layer 7
Bridging the Enterprise and the Cloud from Layer 7
 
Pattern For Ws Security
Pattern For Ws SecurityPattern For Ws Security
Pattern For Ws Security
 
Unified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPUnified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAP
 
Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)Web Services and Devices Profile for Web Services (DPWS)
Web Services and Devices Profile for Web Services (DPWS)
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web Services
 
Monetizing The Enterprise: Borderless Networks
Monetizing The Enterprise: Borderless NetworksMonetizing The Enterprise: Borderless Networks
Monetizing The Enterprise: Borderless Networks
 
Net Services
Net ServicesNet Services
Net Services
 
Cisco Sona
Cisco SonaCisco Sona
Cisco Sona
 
Day6
Day6Day6
Day6
 
Smartronix - Building Secure Applications on the AWS Cloud
Smartronix - Building Secure Applications on the AWS CloudSmartronix - Building Secure Applications on the AWS Cloud
Smartronix - Building Secure Applications on the AWS Cloud
 
SmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketSmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication market
 
Over the Air 2011 Security Workshop
Over the Air 2011 Security Workshop Over the Air 2011 Security Workshop
Over the Air 2011 Security Workshop
 
O Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10bO Dell Secure360 Presentation5 12 10b
O Dell Secure360 Presentation5 12 10b
 
AWS IoT Deep Dive - AWS IoT Web Day
AWS IoT Deep Dive - AWS IoT Web DayAWS IoT Deep Dive - AWS IoT Web Day
AWS IoT Deep Dive - AWS IoT Web Day
 
Lotusphere 2011 SHOW104
Lotusphere 2011 SHOW104Lotusphere 2011 SHOW104
Lotusphere 2011 SHOW104
 
Federated and fabulous identity
Federated and fabulous identityFederated and fabulous identity
Federated and fabulous identity
 
OpenSSO Tech Overview Aquarium
OpenSSO Tech Overview AquariumOpenSSO Tech Overview Aquarium
OpenSSO Tech Overview Aquarium
 

More from Oliver Pfaff

Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT SecurityOliver Pfaff
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services SecurityOliver Pfaff
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
IT-Security@Contemporary Life
IT-Security@Contemporary LifeIT-Security@Contemporary Life
IT-Security@Contemporary LifeOliver Pfaff
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web SecurityOliver Pfaff
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Oliver Pfaff
 
Trust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityTrust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityOliver Pfaff
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessOliver Pfaff
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceOliver Pfaff
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Oliver Pfaff
 
Identity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareIdentity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareOliver Pfaff
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?Oliver Pfaff
 

More from Oliver Pfaff (16)

Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT Security
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services Security
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'
 
IT-Security@Contemporary Life
IT-Security@Contemporary LifeIT-Security@Contemporary Life
IT-Security@Contemporary Life
 
OAuth Base Camp
OAuth Base CampOAuth Base Camp
OAuth Base Camp
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web Security
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Does REST Change the Game for IAM?
Does REST Change the Game for IAM?Does REST Change the Game for IAM?
Does REST Change the Game for IAM?
 
Analyzing OAuth
Analyzing OAuthAnalyzing OAuth
Analyzing OAuth
 
Trust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityTrust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-Security
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusiness
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpace
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
 
Identity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareIdentity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health Care
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?
 

Recently uploaded

A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 

Recently uploaded (20)

A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 

State-of-the-Art in Web Services Federation

  • 1. State-of-the-Art in Web Services Federation
       European Identity Conference 2009
       Dr. Oliver Pfaff
       Copyright © Siemens AG 2009. All rights reserved.
  • 2. What’s Next?
       Dive deeper into identity federation for Web services
       Key points for this discussion:
         Web services vs. traditional Web applications – what is the Web services magic?
         Asking for identity assertions vs. expressing them vs. supplying them – what makes the real difference?
       Presentation overview:
         Setting the scene
         About Web services
         Good news
         But things complicate quickly
         Conclusions and outlook
       Copyright © Siemens AG 2009. All rights reserved. Page 2 May 2009 Siemens IT Solutions and Services
  • 3. Setting the Scene
       Reminder: A ‘Simple’ Trick Needs To Be Done
       (Diagram: the resource provider requests identity assertions from the user and the user supplies them; the resource provider's authorization step guards the resource; the user authenticates to the identity provider, which holds the user data)
  • 4. Setting the Scene
       Main Aspect#1: Acquiring Identity Assertions
       Expressiveness requirements:
         Request identity assertions: articulate the need to present identity assertions and express expectations on their issuer, contained information and their security binding
         Supply identity assertions: embody identity assertions with protocol primitives of the given protocol stack
       Security requirements:
         Proof-of-possession (for identity assertions): verify that it is actually John Doe who presents an identity assertion such as: authentication authority says: this is ‘John Doe’, an employee of ‘acme.example’ with the role ‘manager’
  • 5. Setting the Scene
       Main Aspect#2: Asserting Identity
       Expressiveness requirements:
         IdM: imprint arbitrary subject identifiers (e.g. X.500 distinguished names, RFC 822 names) and subject attributes (e.g. statically/dynamically assigned)
         Authentication (of users): support arbitrary authentication schemes and authentication process-related metadata e.g. level of assurance
         Authorization: enable the supply of subject-related authorization decisions/policies
       Security requirements:
         Authentication (of identity assertions): verify the authenticity of identity assertions
  • 6. About Web Services
       Defining Web Services
       A Web service is a software system identified by a URI, whose public interfaces and bindings are defined and described using XML. Its definition can be discovered by other software systems. These systems may then interact with the Web service in a manner prescribed by its definition, using XML based messages conveyed by Internet protocols
       Source: W3C
  • 7. About Web Services
       System Model
       (Diagram: WS consumer [application logic, WS-stack] and WS provider [WS-stack, application logic] exchange SOAP messages; a WSDL document describes the provider's service)
       WSDL: the manual for a Web service; defines its service contract and allows to publish it in a document
       WS-stack: the protocol engine for a Web service
         Provide SOAP message exchange esp. SOAP header processing including the SOAP security headers
         Also provide utilities for the publication of business functionality as Web service
         Well-known examples: Apache Axis, Microsoft WCF, Sun Metro
  • 8. About Web Services
       Web Service Contracts (WSDL)
       Provide declarative descriptions for the functionality of a Web service esp.:
       Business functionality:
         Messages: which vocabulary is spoken by the Web service?
         Operations: which operations does it offer?
         Bindings: how to integrate with the underlying protocol stack?
         Ports: where to reach an endpoint of a Web service?
       Security functionality:
         User authentication: which objects (aka identity assertions) to provide in order to establish user authentication – including which attributes and other information to present?
         Message authentication: how to compute cryptographic checksums over request/response messages or parts thereof – including identity assertions?
         Message encryption: how to encrypt request/response messages or parts thereof – including identity assertions?
  • 9. About Web Services
       Security Token Services (WS-Trust)
       (Diagram: the WS consumer's WS-stack exchanges WS requests/responses with the WS provider and STS requests/responses with an STS backed by an identity store; sp:IssuedToken and sp:ProtectionToken elements in the provider's policy drive both exchanges)
       Are Web services that specialize on supplying certain security services esp. user authentication
       Provide a request/response framework for security token processing – issuance/validation/renewal/negotiation/cancellation
       WS-stacks natively support:
         Acquisition of security tokens from STSs - triggered by sp:IssuedToken child elements
         Cryptographic binding of security tokens to SOAP messages - triggered by sp:ProtectionToken child elements
       As Web services, STSs may require their own security tokens for authenticating and authorizing security token requests
  • 10. About Web Services
        WS-* Security Technologies Compass
        (Diagram of the WS-* security specifications and their relations; recoverable nodes and edges:)
          XML Signature (W3C standard): provides msg authentication
          XML Encryption (W3C standard): provides msg encryption
          SOAP Message Security (OASIS standard, WSS TC)
          WS-Policy (W3C standard): allows publishing of WS-SecurityPolicy
          WS-SecurityPolicy (OASIS standard, WS-SX TC): defines security for SOAP Message Security; allows profiling of WS-Trust for STSs
          WS-Trust (OASIS standard, WS-SX TC): defines WSs for managing security tokens
          Security token <Abstract>: provides user authentication
          SAML assertion (OASIS standard, SAML TC): is a kind of security token
          WSFED (OASIS committee specification): is an extension to WS-Trust
  • 11. About Web Services
        Requirements On Identity Federation Solutions
        Stay in the Web services model i.e.:
          Request the supply of identity assertions as well as their SOAP message binding as a part of the WSDL
            Rationale: declarative description of service interfaces incl. security
          Supply identity assertions with SOAP message, esp. their headers
            Rationale: decoupling of business and security functionality
          Perform proof-of-possession for identity assertions by binding them with SOAP message contents
            Rationale: security
          Deliver security functionality such as user authentication in the form factor of a Web service
            Rationale: decoupling, separation of concerns
  • 12. Good News
        Main Aspect#1: Web Services Do It Natively
        Expressiveness requirements:
          Request identity assertions: the Web service contract allows to articulate requirements on identity assertions (WS-SecurityPolicy, WS-Trust):
            Whom to ask for the identity assertion?
            What to imprint into the identity assertion?
            How to secure it (proof-of-possession)?
          Supply identity assertions:
            WS-stacks natively acquire identity assertions (triggered by WS-SecurityPolicy sections in WSDLs; governed by WS-Trust)
            STSs provide native Web service abstractions dedicated to the issuance of identity assertions (defined by WS-Trust)
            WS-stacks natively transfer identity assertions within SOAP headers (triggered by WS-SecurityPolicy sections in WSDLs; governed by the SAML token profile of SOAP message security)
        Security requirements:
          Proof-of-possession (for identity assertions): WS-stacks natively support the cryptographic binding of identity assertions to SOAP messages (triggered by WS-SecurityPolicy sections in WSDLs; governed by the SAML token profile of SOAP message security)
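The three questions on this slide (whom to ask, what to imprint, how to secure) together with the proof-of-possession and authenticity requirements of slides 4 and 5, as an added example that is not part of the original slides: a Python script that reads a constructed sp:IssuedToken policy, builds the corresponding wst:RequestSecurityToken, and checks an STS's saml:Assertion against the expectations derived from the policy. Namespace URIs are the published ones; the STS address, the claim URI and the assertion contents are constructed, the mapping of wst:Claims URIs onto saml:Attribute names is an assumption, and XML Signature verification plus the holder-of-key proof are left to the WS-stack.

```python
# Added example, not code from the original slides: derive a WS consumer's
# expectations from a constructed sp:IssuedToken policy, build the matching
# WS-Trust request, and check an STS's saml:Assertion against those expectations.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {  # published namespace URIs of the specifications named on the slides
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
WST = NS["wst"]
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# "How to secure it": the wst:KeyType requested in the template decides which
# SAML subject confirmation method the issued assertion has to carry.
CONFIRMATION_FOR_KEYTYPE = {WST + "/PublicKey": HOLDER_OF_KEY,
                            WST + "/SymmetricKey": HOLDER_OF_KEY,
                            WST + "/Bearer": BEARER}
NOW = datetime(2009, 5, 5, 10, 30, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed WS-SecurityPolicy fragment as it would sit in a WSDL; the STS
# address (sts.acme.example) and the role claim URI are sample values.
POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
  <sp:IssuedToken>
    <sp:Issuer><wsa:Address>https://sts.acme.example/trust</wsa:Address></sp:Issuer>
    <sp:RequestSecurityTokenTemplate>
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
      <wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
        <ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/>
      </wst:Claims>
    </sp:RequestSecurityTokenTemplate>
  </sp:IssuedToken>
</wsp:Policy>"""

def parse_issued_token_policy(policy_xml):
    """Whom to ask, what to imprint, how to secure: read all three off sp:IssuedToken."""
    tok = ET.fromstring(policy_xml).find(".//sp:IssuedToken", NS)
    tmpl = tok.find("sp:RequestSecurityTokenTemplate", NS)
    return {
        "issuer": tok.findtext("sp:Issuer/wsa:Address", namespaces=NS).strip(),
        "token_type": tmpl.findtext("wst:TokenType", namespaces=NS).strip(),
        "key_type": tmpl.findtext("wst:KeyType", namespaces=NS).strip(),
        "claims": [c.get("Uri") for c in tmpl.findall("wst:Claims/ic:ClaimType", NS)],
    }

def build_rst(exp):
    """The wst:RequestSecurityToken a WS-stack sends to the STS for this policy."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = exp["token_type"]
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = exp["key_type"]
    claims = ET.SubElement(rst, f"{{{WST}}}Claims", Dialect=NS["ic"])
    for uri in exp["claims"]:
        ET.SubElement(claims, f"{{{NS['ic']}}}ClaimType", Uri=uri)
    return ET.tostring(rst, encoding="unicode")

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(assertion_xml, exp, now=NOW):
    """Does the STS's saml:Assertion meet the contract? Returns problem codes ([] = ok).
    XML Signature verification and the holder-of-key proof stay with the WS-stack."""
    a = ET.fromstring(assertion_xml)
    problems = []
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != exp["issuer"]:
        problems.append("issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        problems.append("validity")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != CONFIRMATION_FOR_KEYTYPE.get(exp["key_type"]):
        problems.append("confirmation")
    # Assumption: an issued claim shows up as a saml:Attribute whose Name is the claim URI.
    present = {att.get("Name") for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += ["claim:" + uri for uri in exp["claims"] if uri not in present]
    return problems

def sample_assertion(issuer, method, not_on_or_after, attr_names):
    """Constructed, unsigned saml:Assertion (no KeyInfo) for exercising check_assertion."""
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>manager'
                    '</saml:AttributeValue></saml:Attribute>' for n in attr_names)
    stmt = f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>" if attrs else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_c1" Version="2.0" '
            'IssueInstant="2009-05-05T10:00:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer><saml:Subject><saml:NameID>John Doe'
            f'</saml:NameID><saml:SubjectConfirmation Method="{method}"/></saml:Subject>'
            f'<saml:Conditions NotBefore="2009-05-05T10:00:00Z" NotOnOrAfter="{not_on_or_after}"/>'
            f'{stmt}</saml:Assertion>')

EXPECT = parse_issued_token_policy(POLICY)
# Slide 4's assertion: the authority says "this is John Doe, role manager", bound to
# the requester's key (holder-of-key) and issued by the STS named in the WSDL.
GOOD_ASSERTION = sample_assertion(EXPECT["issuer"], HOLDER_OF_KEY,
                                  "2009-05-05T11:00:00Z", EXPECT["claims"])
# Wrong issuer, already expired at NOW, plain bearer, no role: every check fires.
BAD_ASSERTION = sample_assertion("https://other.example/sts", BEARER,
                                 "2009-05-05T10:15:00Z", [])
```

A WS-stack performs the same comparison before it accepts the token from the STS; the problem codes show which of the contract's expectations the issued assertion misses.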
  • 13. Good News
    Main Aspect#2: Has a Common-Sense Solution
    saml:Assertion objects present the common-sense solution for asserting identity in Web services environments.
  • 14. Good News
    Use Case Coverage
    The native Web services functionality covers the basic SSO use case in identity federation, characterized by:
      Singular identity assertion per SOAP request
      Cleartext subject identifiers, e.g. X.500 distinguished names, RFC 822 names (i.e. static information from persistence)
      User-centric subject attributes, e.g. organizational affiliation or role assignments
  • 15. But Things Complicate Quickly
    More Sophisticated Use Cases
    But the native support does not cover more sophisticated SSO use cases and other identity federation use cases, e.g.:
      Supply of multiple assertions per request, e.g. WSs that ask for security tokens from multiple STSs
      Pseudonyms as privacy-preserving user identifiers
      Embodiment of subject-related authorization decisions or policies in identity assertions
    Commonly quoted options to choose identity federation protocols for more sophisticated use cases in Web services environments include:
      SAML 2.0
      WS-Federation - generation 1
      WS-Federation - generation 2
      Liberty Alliance ID-WSF
      Liberty Alliance ID-SIS
      XSPA
  • 16. But Things Complicate Quickly
    Brief Assessment
    (Comparison table; one block per criterion, with one entry per option: SAML 2.0, WS-Federation generation 1, WS-Federation generation 2, Liberty Alliance ID-WSF, Liberty Alliance ID-SIS, XSPA.)
    Deliverables:
      SAML 2.0: Specifies identity assertions (for arbitrary environments). Defines protocols, bindings and profiles for identity federation (mainly for Web applications)
      WS-Federation generation 1: Specifies identity federation primitives beyond SSO
      WS-Federation generation 2: Specifies identity federation primitives beyond SSO
      Liberty Alliance ID-WSF: Defines a framework for building identity-based services
      Liberty Alliance ID-SIS: Defines particular identity-based services: employee profile, personal profile, geo-location, presence, contact book
      XSPA: Adds an access control model to the basic SSO use case. The considered authz model is health-care and RBAC specific
    Use cases:
      SAML 2.0: SSO, SLO, name identifier mapping/management, attribute/authz service
      WS-Federation generation 1: SLO, attribute service, pseudonym service (note: SSO is natively covered)
      WS-Federation generation 2: SLO, attribute/authz service, pseudonym service (note: SSO is natively covered)
      Liberty Alliance ID-WSF: Authn, SSO, identity mapping, permission-based attribute sharing, identity service description and discovery
      Liberty Alliance ID-SIS: N.a. (no federation-enabler)
      XSPA: Profiles standard abstractions according to the given objective
    Identity assertion form-factors:
      SAML 2.0: saml:Assertion
      WS-Federation generation 1: Arbitrary security token including but not limited to saml:Assertion
      WS-Federation generation 2: Arbitrary security token including but not limited to saml:Assertion
      Liberty Alliance ID-WSF: saml:Assertion (produced by the ID-WSF SSO service)
      Liberty Alliance ID-SIS: N.a. (no federation-enabler)
      XSPA: saml:Assertion
    Expressiveness:
      SAML 2.0: AuthnRequest is NameID and AuthnContext-centric: can not express expectations re assigned attributes and authz information. AuthnRequest is also Web service security unaware: can not express expectations re the binding of identity assertions with SOAP messages
      WS-Federation generation 1: Inherits WS-Trust RST/RSTR and extends it according to the given use cases
      WS-Federation generation 2: Inherits WS-Trust RST/RSTR and extends it according to the given use cases
      Liberty Alliance ID-WSF: Builds upon SAML AuthnRequest/Response, i.e. those parts of the SAML specification suite that are Web services unaware, and builds own solutions around the shortcomings inherited from this design decision
      Liberty Alliance ID-SIS: N.a. (no federation-enabler)
      XSPA: Profiles standard abstractions according to the given objective
    Extensibility:
      SAML 2.0: SAML request and response messages define generic extension points
      WS-Federation generation 1: Inherits WS-Trust RST/RSTR and extends it according to the given use cases
      WS-Federation generation 2: Inherits WS-Trust RST/RSTR and extends it according to the given use cases
      Liberty Alliance ID-WSF: Does not provide relevant extension points in self-defined vocabulary
      Liberty Alliance ID-SIS: N.a. (no federation-enabler)
      XSPA: Profiles standard abstractions according to the given objective
    Web services integration:
      SAML 2.0: SAML-defined SOAP bindings remain ‘naïve’: empty soap:Header, Web service security unaware, no WSDL
      WS-Federation generation 1: Native Web service specification
      WS-Federation generation 2: Native Web service specification
      Liberty Alliance ID-WSF: Native Web service specification
      Liberty Alliance ID-SIS: Native Web service specification
      XSPA: Native Web service specification
    Standard:
      SAML 2.0: OASIS standard
      WS-Federation generation 1: Published vendor specification
      WS-Federation generation 2: Emerging OASIS standard
      Liberty Alliance ID-WSF: Liberty Alliance standard
      Liberty Alliance ID-SIS: Liberty Alliance standard
      XSPA: Emerging OASIS standard
  • 17. But Things Complicate Quickly
    Web Services Fitness of SAML 2.0
    (Table comparing usage with traditional Web applications and usage with Web services; only the Web services column is recoverable from the slide text.)
    Usage with Web services:
      Inherit Web service security unawareness of the SAML bindings
      Web service security unaware:
        • Request primitives do not help much (cf. below)
        • Query primitives present candidates
  • 18. But Things Complicate Quickly
    Limitations of samlp:AuthnRequest
    Does mean "perform authn and provide a report in the form of a saml:Assertion"
    Among the main subsections in saml:Assertion objects it allows to express expectations on saml:Subject and saml:AuthnStatement
    Does not allow to express expectations on the saml:AttributeStatement subsection – this ability is key for claims-based approaches
      Web services use sp:RequestSecurityTokenTemplate, which allows to shape the saml:AttributeStatement section (via wst:Claims child elements)
    Does not cover the proof-of-possession – this ability is key to advanced security models. Note that this requires:
      To trigger the imprinting of certain information in the assertion: Web services use abstractions such as wst:Entropy, wst:KeyType, wst:KeySize
      To trigger the cryptographic binding with the SOAP request: Web services use various binding mechanisms
    Does not allow to request security tokens that are no SAML assertions – this ability is key for a holistic modeling (e.g. initial authn steps based on x509:Certificate objects and subsequent authn steps based on saml:Assertion objects)
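The request side that slide 12 describes (WS-stacks acquire assertions triggered by WS-SecurityPolicy, governed by WS-Trust) and the abstractions this slide contrasts with samlp:AuthnRequest (wst:Claims, wst:KeyType, wst:KeySize, wst:Entropy), as one added Python example that is not code from the presentation or from any WS-stack: it derives the wst:RequestSecurityToken a WS client would send to the STS from a constructed sp:IssuedToken policy assertion. The STS and service addresses, the "role" claim URI and the choice of the identity-claims dialect (ic:ClaimType) for wst:Claims are assumptions; the namespace and RequestType/KeyType URIs are the standard WS-Trust 1.3 / WS-SecurityPolicy 1.2 ones.

```python
"""Derive a WS-Trust RST from the sp:IssuedToken assertion of a WSDL policy.

Added example, not code from the presentation or from any WS-stack; the policy
fragment, endpoint URLs and the role claim URI are constructed. The client copies
the sp:RequestSecurityTokenTemplate (TokenType, KeyType, KeySize, wst:Claims) into
the wst:RequestSecurityToken for the STS named by sp:Issuer and contributes
wst:Entropy when a symmetric proof key is requested. wst:Claims is read with the
identity-claims dialect (ic:ClaimType); other dialects are copied unchanged.
"""
import base64
import copy
import os
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

ISSUE = NS["wst"] + "/Issue"                  # wst:RequestType for token issuance
SYMMETRIC_KEY = NS["wst"] + "/SymmetricKey"   # wst:KeyType asking for a symmetric proof key
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

# Constructed sp:IssuedToken assertion as a WSDL's policy section would carry it.
ISSUED_TOKEN_POLICY = """<sp:IssuedToken xmlns:sp="{sp}" xmlns:wsa="{wsa}" xmlns:wst="{wst}" xmlns:ic="{ic}"
    sp:IncludeToken="{sp}/IncludeToken/AlwaysToRecipient">
  <sp:Issuer><wsa:Address>https://sts.example.test/trust</wsa:Address></sp:Issuer>
  <sp:RequestSecurityTokenTemplate>
    <wst:TokenType>{token}</wst:TokenType>
    <wst:KeyType>{wst}/SymmetricKey</wst:KeyType>
    <wst:KeySize>256</wst:KeySize>
    <wst:Claims Dialect="{ic}">
      <ic:ClaimType Uri="{ic}/claims/emailaddress"/>
      <ic:ClaimType Uri="http://example.test/claims/role" Optional="true"/>
    </wst:Claims>
  </sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>""".format(token=SAML2_TOKEN, **NS)


def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def build_rst(issued_token_xml, applies_to, entropy=None):
    """Return (sts_address, rst_xml) for the given sp:IssuedToken policy assertion.

    applies_to is the address of the Web service the token is requested for;
    entropy is the requestor's share of a symmetric proof key (random if omitted).
    """
    policy = ET.fromstring(issued_token_xml)
    sts_address = policy.findtext("sp:Issuer/wsa:Address", namespaces=NS)
    template = policy.find("sp:RequestSecurityTokenTemplate", NS)
    if sts_address is None or template is None:
        raise ValueError("sp:IssuedToken needs sp:Issuer/wsa:Address and a template")

    rst = ET.Element(_q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, _q("wst", "RequestType")).text = ISSUE
    epr = ET.SubElement(ET.SubElement(rst, _q("wsp", "AppliesTo")), _q("wsa", "EndpointReference"))
    ET.SubElement(epr, _q("wsa", "Address")).text = applies_to
    # The template is copied verbatim: this is how the WSDL shapes the token type,
    # the proof key and the attribute statement (via wst:Claims) to be issued.
    for element in template:
        rst.append(copy.deepcopy(element))
    if template.findtext("wst:KeyType", namespaces=NS) == SYMMETRIC_KEY:
        secret = ET.SubElement(ET.SubElement(rst, _q("wst", "Entropy")), _q("wst", "BinarySecret"))
        secret.set("Type", NS["wst"] + "/Nonce")
        secret.text = base64.b64encode(entropy or os.urandom(32)).decode("ascii")
    return sts_address, ET.tostring(rst, encoding="unicode")


def summarize_rst(rst_xml):
    """Parse an RST back into a dict, the way an STS would read it."""
    rst = ET.fromstring(rst_xml)
    return {
        "request_type": rst.findtext("wst:RequestType", namespaces=NS),
        "applies_to": rst.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS),
        "token_type": rst.findtext("wst:TokenType", namespaces=NS),
        "key_type": rst.findtext("wst:KeyType", namespaces=NS),
        "key_size": rst.findtext("wst:KeySize", namespaces=NS),
        "claims": [(c.get("Uri"), c.get("Optional") == "true")
                   for c in rst.findall("wst:Claims/ic:ClaimType", NS)],
        "has_entropy": rst.find("wst:Entropy/wst:BinarySecret", NS) is not None,
    }


if __name__ == "__main__":
    sts, rst_xml = build_rst(ISSUED_TOKEN_POLICY, "https://service.example.test/account")
    print("send to STS:", sts)
    print(summarize_rst(rst_xml))
```

Everything the STS needs in order to shape the assertion (which claims to put into saml:AttributeStatement, whether a symmetric or asymmetric proof key is wanted, and the requestor's entropy share) travels inside the RST, and all of it originates from the service's WSDL. A samlp:AuthnRequest has no slot for any of these, which is the limitation this slide states.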
  • 19. But Things Complicate Quickly
    Also Expect Difficulties Beyond The Specifications
    The following aspects do stress the features of currently available WS-stacks:
      Supply of multiple security tokens resp. identity assertions per WS request, resp. transfer and handling of SAML assertion chains
      Supply of user-specific arguments in security token requests
      Handling of SAML assertions that embody subject-related authorization decisions or policies, e.g. XACML policies
    Recommendation: select WS-stacks with care, the more sophisticated an identity federation architecture gets.
  • 20. Conclusions
    Web Services Vs. Traditional Web Applications
    Dedicated, client-understood abstractions to request identity assertions:
      Web services use WS-SecurityPolicy sections in WSDLs
      Web applications do not have similar means and depend on workarounds for this limitation (SAML profiles, Shibboleth, Liberty Alliance ID-FF) or do implicitly invoke WS clients (CardSpace)
    Dedicated service abstractions for issuing identity assertions:
      Web services build upon STSs (WS-Trust)
      Web applications build upon specific abstractions that are defined by and confined to specific federation protocol technologies (e.g. SAML profiles, Shibboleth, Liberty Alliance ID-FF)
    Dedicated protocol layer for securely supplying identity assertions:
      Web services have the SOAP message header layer and its security headers (SOAP message security, SAML token profile) and can esp. care about proof-of-possession
      Web applications do not have that and use the HTML layer as a replacement. They can not care about proof-of-possession because browsers are unaware of the identity assertion abstraction
  • 21. Conclusions
    Technology Options
    Web services natively support the basic SSO use case in identity federation:
      If your requirements match the basic SSO use case, there is no need to worry about complementary specifications such as WS-Federation, ID-WSF, ID-SIS, XSPA…
      Beware of false friends: WS-Federation is no prerequisite for Web services federation
    If your requirements go beyond basic SSO, there is not yet a silver bullet:
      Whether WS-Federation, ID-WSF, ID-SIS or XSPA do help needs to be determined according to the specific case
      Technology should follow use case: don't choose by (presumed) technology preference; choose by the needs of your use case
      Check whether suggested solutions stay in the Web services model
    SAML vs. WS-* discussions are frequently encountered but are actually voodoo: there is a continental divide - you either have a Web application or a Web service:
      If you have a Web application, the SAML 2.0 specification suite will be a top candidate for an identity federation solution
      If you have a Web service, the SAML 2.0 specification suite will contribute the saml:Assertion abstraction but hardly much more
  • 22. Outlook
    The discussed approach ‘First authenticate, then transfer authenticated subject information’ presents a new paradigm for IdM in distributed systems. This is breaking with the traditional tight coupling between producers (e.g. authentication) and consumers (e.g. authorization) of authenticated subject information.
    Expect this paradigm shift to happen – maybe slowly, but steadily:
      Web services re-prioritize the paradigms for IdM in distributed systems:
        The emerging paradigm ‘First authenticate, then transfer authenticated subject information’ becomes the default approach.
        The traditional paradigm ‘First transfer unauthenticated user data, then authenticate’ becomes an exception.
      Other market participants sing the same song (cf. Microsoft Geneva, IdM and SOA whitepapers of various vendors) - just in other words
  • 23. Abbreviations
    ID-FF – Identity Federation Framework
    ID-SIS – Identity Service Interface Specifications
    ID-WSF – Identity Web Services Framework
    IdM – Identity Management
    RST – Request Security Token
    RSTR – Request Security Token Response
    SAML – Security Assertion Markup Language
    SLO – Single Log Out
    SOAP – Simple Object Access Protocol
    SSO – Single Sign On
    STS – Security Token Service
    W3C – World Wide Web Consortium
    WS – Web Service
    WSDL – Web Services Description Language
    XSPA – Cross-Enterprise Security and Privacy Authorization
  • 24. Namespace Prefixes
    saml – SAML (assertion syntax)
    samlp – SAML (protocol syntax)
    sp – WS-SecurityPolicy
    wsp – WS-Policy
    wst – WS-Trust
  • 25. Author
    Dr. Oliver Pfaff
    Siemens IT Solutions and Services
    E-Mail: oliver.pfaff@siemens.com

Editor's Notes

  1. The wishlist comprises:
     Do address the following use cases: single-sign-on (considered here), name identifier management, …, single-sign-out
     Do this trick for: Web applications, Web services (considered here)
  2. Informally: a special brand of Web applications with an XML-based service contract (WSDL) and an XML-based protocol stack (IP-TCP-(SSL/TLS)-HTTP-SOAP-DIY). Note: WSDL and SOAP are W3C recommendations (aka standards)
  3. Simple data types (string, integer, date…) are defined by XML Schema Compound data types are defined by e.g. OASIS for specific domains (e.g. provisioning, authorization, federation) Further complex data types can be defined (e.g. CardSpace, eFA, custom…)
  4. Security token = identity assertion
  5. SAML assertions provide a standard format to securely marshal authenticated subject information for WSs and traditional Web applications:
     WSs support holder-of-key subject confirmation models; Web applications are limited to bearer models
     WSs have a native understanding about their handling (Web applications do not):
       Request SAML assertions: through WS-SecurityPolicy sections in WSDLs
       Issue SAML assertions: through WS-Trust STS WSs (sp:IssuedToken) or arbitrary WSs (sp:SamlToken)
       Transfer SAML assertions: as child elements of wsse:Security SOAP headers
     (Almost) all is off-the-shelf: WS-stacks natively support request, transfer and parsing of SAML assertions; issuance requires WS-Trust STSs or STS-style WSs; the supply and consumption of SAML assertion contents (usually) is solution-specific
  6. Expect WS-Trust STSs to deliver the basic enablement services for identity federation; additional requirements should be covered by making use of extension points in WS-Trust.