Security and Identity Issues in Cross-Agency SOA


Page 1: Security and Identity Issues in Cross-Agency SOA

May 2006

Philip Walston, Senior Product Manager

[email protected]

Page 2: Security and Identity Issues in Cross-Agency SOA

Agenda and Theme

• Security and identity in SOA
• The challenges of security and identity
• What is federation about?
• Why federation of Web services is hard
• Breaking the problem down
• Tactical, standards-based solutions

Theme: A pragmatic approach to cross-agency SOA

Security and federation for SOA is a complex problem, and the standards are still evolving. However, if we take a realistic look at what most services are actually being used for, we can build standards-compliant solutions today.

Page 3: Security and Identity Issues in Cross-Agency SOA

Security in Cross-Domain Computing

[Diagram: a Requestor (Client), used by Alex, Sue and Francis, reaches across the Internet or Intranet and through a Firewall into a Secure Zone that holds the Resource (Server) and a Directory Server of Identities.]

Security Technologies
• WS-Security
• WS-SC
• WS-Trust
• XKMS
• etc…

Security Mechanisms
• Encryption
• Signing
• Transport Layer
• Certificates/PKI
• Biometrics
• Fobs
• etc…

Also shown on the diagram:
• XML Encryption
• XML Signing
• X.509
• SSL/TLS

Page 4: Security and Identity Issues in Cross-Agency SOA

The Security Challenge of Cross-Agency SOA

[Diagram: the same Requestor (Client) / Internet or Intranet / Firewall / Secure Zone picture, with Alex and Sue as users. Program X now spans both sides under a Mutual Security Policy; Policy Application Point(s) and a Policy Enforcement Point are marked on the path to the Resource (Server) and its Directory Server of Identities.]

Issues
• Coordinating common security policy
• Granular (operation-level) security
• Applying (coding) and testing security
• Dealing with changes

Page 5: Security and Identity Issues in Cross-Agency SOA

Tactical Strategy

[Diagram: as on the previous slide, with an XML Gateway acting as the Policy Enforcement Point in front of the Resource (Server); Policy Application Point(s), Security Mechanisms, Program X and the Mutual Security Policy are also marked.]

• Security PEP intermediary (server proxy)
• Spec-compliant toolkits
• Plethora of WS-* and other specs
• WS-Policy (soon)

Page 6: Security and Identity Issues in Cross-Agency SOA

Identity in Cross-Domain Computing

[Diagram: a Requestor (Client), used by Alex, Sue and Francis, reaches across the Internet or Intranet and through a Firewall into a Secure Zone that holds the Resource (Server) and a Directory Server of Identities.]

Authentication and Authorization Technologies
• IBM Tivoli Access Mgr.
• Netegrity SiteMinder
• RSA ClearTrust
• etc…

Identity Validation Mechanisms
• Username/password
• Digest
• Certificates/PKI
• Biometrics
• Fobs
• etc…

Also shown on the diagram:
• LDAP
• Active Directory
• Radius
• RACF
• ACLs

Page 7: Security and Identity Issues in Cross-Agency SOA

What’s Single Sign On (SSO) Really About?

[Diagram: Sue’s Requestor (Client), an ID Server and the Resource (Server), connected over the Internet or Intranet.]

1. Provide credentials to the ID Server, which generates a token (Token Id=12345…)
2.-n. Provide the token to the Resource (Server), which validates the token

Page 8: Security and Identity Issues in Cross-Agency SOA

Why Does SSO Work for Browsers?

1. HTTP Redirects

[Diagram: a Web Browser-Based Client, a Web Server and a Security Token Service on a time axis.]

1. Post (client to Web Server)
2. Redirect (Web Server to client)
3. Post Creds (client to Security Token Service)
4. Receive token (Security Token Service to client)
5. Post + Token (client to Web Server)

This is a greatly simplified version of the actual request/response flow.

Page 9: Security and Identity Issues in Cross-Agency SOA

Why Does SSO Work for Browsers?

2. A Client-side Persistence Model

[Diagram: a Security Token Service issues a token that the browser then persists.]

Persist token:
• In pages
• As URL artifact
• As cookie

Page 10: Security and Identity Issues in Cross-Agency SOA

Why Does SSO Work for Browsers?

3. SSL Protection of Tokens

[Diagram: a Malicious Third Party on the path between client and service is blocked (X) by SSL.]

Page 11: Security and Identity Issues in Cross-Agency SOA

The Identity Challenge of Cross-Agency SOA

[Diagram: Agency Green (Green’s Client, Green’s Directory Server, users Frank and Sue) and Agency Blue (Blue’s Server, Blue’s Directory Server, users Alex, Scott and Francis) are separated by a Firewall and linked by Program X.]

Islands of Identity

Need to share not only authentication and authorization information, but also identity attribute information.

Big privacy and confidentiality issues…

Page 12: Security and Identity Issues in Cross-Agency SOA

What Hasn’t Worked in the Past

[Diagram: Agency Green (Frank, Sue, Green’s Directory Server) and Agency Blue (Blue’s Directory Server) behind a Firewall, linked by Program X, showing two past approaches: Remote Directory Access and Directory Synchronization.]

Issues
• Online access through firewall mazes
• Latency in replication
• People leave, are fired, etc.

Page 13: Security and Identity Issues in Cross-Agency SOA

What We Really Need is Effective Separation of Concerns

[Diagram: Agency Green (Frank, Sue, Green’s Directory Server) and Agency Blue (Blue’s Directory Server) linked by Program X, with Authentication, Authorization and Trust shown as separate concerns.]

Core Requirements
• Build dynamic trust relationships
• Transport the security context so that authentication and authorization can be distributed
• Enforce privacy issues
• Time out sessions/global logout

Page 14: Security and Identity Issues in Cross-Agency SOA

The Mechanism

[Diagram: Green’s Identity Server (Frank, Sue) and Blue’s Directory Server, linked by Program X, with a Trust relationship between the two domains.]

1. Acquire Token with statement of authentication (and possibly authorization, attributes) in this security domain
2. Validate token here according to trust model
3. Mutually secure the transaction between parties

Page 15: Security and Identity Issues in Cross-Agency SOA

Validation / Authorization Blurs the Concept of Identity

Ephemeral identity
• Time of day
• Origin IP
• Attributes
• Remote authorization statements
• Different trust paths
• etc…

+ Conventional Identity (e.g. DN=CN=Phil Walston)

Page 16: Security and Identity Issues in Cross-Agency SOA

Issue – Identity Mapping

• Fan in
  • E.g. to service account
• Map to local existing account
  • E.g. phil.walston -> pwalston
• Map to role
  • E.g. TrustedAdministrator
• Etc…

Page 17: Security and Identity Issues in Cross-Agency SOA

Why is Federation/SSO of Web Services So Hard?

[Diagram, two columns. Web Browser Domain: a Browser Client talks to a Web Server and to an Identity Provider / Security Token Service over SSL; the token is protected from hijack, replay, etc. by SSL. Web Services Domain: a Web Services Client talks to a Web Services Server using WSS, sending a SOAP message with a bound security token; the token is protected from hijack, replay, etc. by XML Signatures. Application Identity, User Identity and Certificate and key pair are marked on the web-services side.]

Web Browser Domain
• SSL
• HTTP redirects
• Simple signing
• Cookies
• URL query parameters

Web Services Domain
• WSS
• Embedded, signed security tokens
• Considerable orchestration at client
• Manual token caching

Page 18: Security and Identity Issues in Cross-Agency SOA

Tactical Strategy

[Diagram: Agency Green (Frank, Sue, Green’s Directory Server) and Agency Blue (Blue’s Directory Server) linked by Program X under a Trust relationship. Components marked: a Federation ID Provider & Security Token Service carrying the Authentication Responsibility and Authorization Responsibility, a Token Orchestration & Caching Layer at the client, a Federation Policy Enforcement Point at the server, and Message Level Security between them.]

The dominant pattern is RPC-ish client/server.

Ask Yourself: What do you really need?

1. Security Token Issuer for Green
2. Token Validator for Blue
3. Orchestration code in client application
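The token issuer / token validator split from the mechanism, identity-mapping and tactical-strategy slides, as an added example (not code from the slides or from Layer 7): Agency Green’s identity server issues a signed statement of authentication, and Agency Blue’s enforcement point accepts it only under its trust model (known issuer key, intended audience, not expired, with a small clock-skew allowance) before mapping the federated subject to a local account, a role, or a fan-in service account. The key, issuer, audience and mapping-table values are constructed, and an HMAC stands in for the XML Signature a real WSS/SAML token would carry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the slides): Green's signing
# key, the issuers Blue trusts, and Blue's identity-mapping tables.
GREEN_KEY = b"agency-green-issuer-key"
TRUST_MODEL = {"AgencyGreen": GREEN_KEY}      # issuer -> key Blue verifies with
ACCOUNT_MAP = {"phil.walston": "pwalston"}     # map to local existing account
ROLE_MAP = {"admin": "TrustedAdministrator"}   # map to role
SERVICE_ACCOUNT = "svc_green"                  # fan-in for everyone else

def _sign(key, payload):
    # HMAC-SHA256 stands in for the XML Signature a WSS/SAML token carries.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue_token(key, issuer, subject, audience, attrs, ttl=300, now=None):
    """Green's token service: a signed statement of authentication."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "sub": subject, "aud": audience,
            "exp": now + ttl, "attrs": attrs}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    return payload.decode() + "." + _sign(key, payload)

def validate_token(token, my_audience, now=None, skew=30):
    """Blue's enforcement point: trust model, audience, expiry, then identity
    mapping. Returns None whenever the token must be rejected."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    try:
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None                                   # not a well-formed token
    if not isinstance(body, dict) or body.get("iss") not in TRUST_MODEL:
        return None                                   # issuer outside trust model
    if not hmac.compare_digest(_sign(TRUST_MODEL[body["iss"]], payload.encode()), sig):
        return None                                   # tampered or wrong key
    if body.get("aud") != my_audience or "sub" not in body:
        return None                                   # meant for another service
    if body.get("exp", 0) + skew < now:
        return None                                   # expired: session time-out
    sub = body["sub"]
    return {"subject": sub,
            "local_user": ACCOUNT_MAP.get(sub, SERVICE_ACCOUNT),
            "role": ROLE_MAP.get(body.get("attrs", {}).get("role"))}
```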

Page 19: Security and Identity Issues in Cross-Agency SOA

The Standards and Specifications Landscape

Security
• Existing / emerging W3C and OASIS: SSL/TLS, XML Crypto/Sig, WSS, WS-SecureConversation, WS-SecurityPolicy …

Identity
• WS-Federation (focus on technology): IBM, Microsoft, BEA, RSA, Verisign; SAML, SSL/TLS, WSS, WS-Trust, WS-Policy, WS-MetadataExchange
• Liberty Alliance (focus on business problem): consortium of over 150 companies; SAML, SSL/TLS, WSS
• Government E-Authentication

Page 20: Security and Identity Issues in Cross-Agency SOA

Conclusions

Federation is simply SSO between different security domains.

The new issue for secure cross-agency (federated) SOA is resolving security and trust models for remote entities.

Security and federation for Web services have roots in the distributed computing model, but are much more complicated:
• Variable security model
• No automatic orchestration of the client (redirects)
• No formal client-side persistence model

This all leads to much more independent clients and servers, different security mechanisms, and much more complex logistics.

Implementing secure federated Web services is extremely complex, and current support in application servers is very limited.

Third-party infrastructure, however, does exist to provide drop-in security and federation for Web services.

Page 21: Security and Identity Issues in Cross-Agency SOA

For further information:

Philip Walston
Layer 7 Technologies
1501 – 700 West Georgia St.
Vancouver, BC
Canada
(800) 681-9377
[email protected]
http://www.layer7tech.com