
WS-Trust

"From each, according to his ability; to each, according to his need."

Karl Marx

Ahmet Emre Naza, Selçuk Durna (2001100379, 2001101675)

Definitions

Claim – A claim is a statement made about a client, service or other resource.

Security Token – A security token represents a collection of claims.

Security Token Service – A security token service (STS) is a Web service that issues security tokens.

Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions about a set of subjects and/or scopes.

Interoperable – Able to exchange and use information.

Introduction

Interoperable security problem: WS-Security will standardize how information is added to SOAP messages. One important class of information is security tokens (X.509, Kerberos, SAML, XACML, etc.). Two scenarios:

WS-SecurityPolicy specifies how web services actors can assert to potential transaction partners their policies with respect to WS-Security mechanisms, including their capabilities and preferences with respect to security tokens.

WS-Trust is a proposal that enables security token interoperability by defining a request/response protocol by which SOAP actors can request of some trusted authority that a particular security token be exchanged for another.

WS-Trust Overview

A SOAP message protected by WS-Security presents three possible issues with regard to security tokens:

Security token format incompatibility

Security token trust

Namespace differences

WS-Trust addresses these issues by:

Defining a request/response protocol: the client sends a RequestSecurityToken and receives a RequestSecurityTokenResponse

Introducing a Security Token Service (STS)

STS Functions

A Security Token Service allows:

Token Exchange

Token Issuance

Token Validation

WS-Trust Model

Request – Challenge Operation

(Diagram: messages exchanged between the Client and the STS)

Client requests a token from the STS

STS sends a challenge to the Client

Client sends an answer to the STS

STS sends token(s) to the Client

WS-Trust Example

The client understands X.509 certificates only.

The service understands SAML only.

The service does not directly trust the client.

The client is not required to anticipate the preference that the service has for SAML assertions.

SAML and X.509 – Reminder

The Security Assertion Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.

X.509 is a digital certificate standard specifying certificate structure. Its main fields are the ID, the subject field, validity dates, the public key, and the CA signature.

WS-Trust Example – message 1

The SOAP client sends the initial request to the SOAP service:

    <soap:Envelope>
      <soap:Header>
        <ws:Security>
          <ws:BinarySecurityToken id="X509token" ValueType="X.509">
            sdfOIDFKLSoidefsdflk …
          </ws:BinarySecurityToken>
          <ds:Signature>
            <ds:Reference>
              <ds:Ref URI="#PO"/>
            </ds:Reference>
            <ds:SignatureValue>akjsdflaksf</ds:SignatureValue>
            <ds:KeyInfo>
              <ws:BinarySecurityTokenReference URI="#X509token"/>
            </ds:KeyInfo>
          </ds:Signature>
        </ws:Security>
      </soap:Header>
      <soap:Body>
        <po:PurchaseOrder ID="PO"/>
      </soap:Body>
    </soap:Envelope>

The identity of the client is established through the XML signature, which is keyed through the X.509 certificate.

WS-Trust Example – message 2

The SOAP gateway recognizes that it must map to SAML, so it contacts the STS:

    <soap:Envelope>
      <soap:Header>
        <ws:Security>
        </ws:Security>
      </soap:Header>
      <soap:Body>
        <wstrust:RequestSecurityToken>
          <wstrust:TokenType>SAML</wstrust:TokenType>
          <wstrust:RequestType>ReqExchange</wstrust:RequestType>
          <wstrust:OnBehalfOf>
            <ws:BinarySecurityToken id="originaltoken" ValueType="X.509">
              sdfOIDFKLSoidefsdflk …
            </ws:BinarySecurityToken>
          </wstrust:OnBehalfOf>
        </wstrust:RequestSecurityToken>
      </soap:Body>
    </soap:Envelope>

The RequestSecurityToken element is the core of this request: it asks for a SAML token in exchange for the provided X.509 token.

WS-Trust Example – message 3

The STS sends back the token in the requested format:

    <soap:Body>
      <wstrust:RequestSecurityTokenResponse>
        <wstrust:TokenType>SAML</wstrust:TokenType>
        <wstrust:RequestedSecurityToken>
          <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com"
                          IssueInstant="2002-06-19T16:58:33.173Z">
            <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z"
                             NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
            <saml:AuthenticationStatement
                AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
                AuthenticationInstant="2002-06-19T16:57:30.000Z">
              <saml:Subject>
                ...converted client identifier...
              </saml:Subject>
            </saml:AuthenticationStatement>
            <ds:Signature><!-- calculated by STS --></ds:Signature>
          </saml:Assertion>
        </wstrust:RequestedSecurityToken>
      </wstrust:RequestSecurityTokenResponse>
    </soap:Body>

The SAML assertion is returned, and the new client identifier is used.

WS-Trust Example – message 4

The gateway formats and sends the message for the service:

    <ws:Security>
      <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com"
                      IssueInstant="2002-06-19T16:58:33.173Z">
        <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z"
                         NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
        <saml:AuthenticationStatement
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
            AuthenticationInstant="2002-06-19T16:57:30.000Z">
          <saml:Subject>
            <saml:NameIdentifier>Client</saml:NameIdentifier>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
          </saml:Subject>
        </saml:AuthenticationStatement>
        <ds:Signature><!-- calculated by STS --></ds:Signature>
      </saml:Assertion>
    </ws:Security>

The SAML assertion is inserted into the ws:Security header. The ConfirmationMethod is sender-vouches.
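The following Python script is an added example, not code from the slides or from any WS-Trust implementation. It drives messages 2, 3 and 4 of the example end to end: the gateway builds the RequestSecurityToken with the client's X.509 token in OnBehalfOf, a toy STS checks the request and the presented certificate before issuing a SAML assertion, the gateway moves that assertion into a ws:Security header, and the SAML-only service validates issuer, signature, validity window and ConfirmationMethod before accepting the subject. Assumptions: the slides omit xmlns declarations, so the prefixes are bound here to the OASIS/W3C namespace URIs; the TokenType and RequestType values are the slides' short forms (SAML, ReqExchange); the certificate bytes and keys are constructed for the demo; and an HMAC over the assertion's key fields stands in for the STS's XML-DSig signature, which the slides show only as a placeholder comment.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# The slides omit xmlns declarations; binding their prefixes to the OASIS/W3C URIs is an assumption.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wstrust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "ws": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

def q(prefix, local):  # Clark-notation tag, e.g. {uri}RequestSecurityToken
    return "{%s}%s" % (NS[prefix], local)

# Constructed trust material (not real keys or certificates).
CLIENT_CERT_DER = b"constructed X.509 DER bytes for the demo client"
STS_TRUSTED_CERTS = {hashlib.sha256(CLIENT_CERT_DER).hexdigest(): "Client"}  # fingerprint -> subject
STS_ISSUER = "www.sts.com"                 # Issuer value from the slides
STS_KEY = b"constructed STS signing key"   # HMAC stands in for the STS's XML-DSig signature
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
X509_AM = "urn:oasis:names:tc:SAML:1.0:am:X.509"
DEMO_NOW = datetime(2002, 6, 19, 16, 58, 33, tzinfo=timezone.utc)  # IssueInstant from the slides
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_rst(x509_der):
    """Message 2: the gateway asks the STS to exchange the client's X.509 token for SAML."""
    env = ET.Element(q("soap", "Envelope"))
    ET.SubElement(ET.SubElement(env, q("soap", "Header")), q("ws", "Security"))
    rst = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("wstrust", "RequestSecurityToken"))
    ET.SubElement(rst, q("wstrust", "TokenType")).text = "SAML"           # slide's short value
    ET.SubElement(rst, q("wstrust", "RequestType")).text = "ReqExchange"  # slide's short value
    tok = ET.SubElement(ET.SubElement(rst, q("wstrust", "OnBehalfOf")), q("ws", "BinarySecurityToken"),
                        id="originaltoken", ValueType="X.509")
    tok.text = base64.b64encode(x509_der).decode()
    return ET.tostring(env)

def _signing_input(a):
    """Fields covered by the toy signature; a real STS signs the canonicalised assertion."""
    c = a.find("saml:Conditions", NS)
    return "|".join([a.get("AssertionID"), a.get("Issuer"), c.get("NotBefore"), c.get("NotOnOrAfter"),
                     a.findtext(".//saml:NameIdentifier", namespaces=NS),
                     a.findtext(".//saml:ConfirmationMethod", namespaces=NS)]).encode()

def sts_issue(rst_xml, now):
    """Message 3: the STS checks the exchange request and returns a signed SAML assertion."""
    rst = ET.fromstring(rst_xml).find("soap:Body/wstrust:RequestSecurityToken", NS)
    if rst is None or rst.findtext("wstrust:RequestType", namespaces=NS) != "ReqExchange":
        raise ValueError("unsupported RequestType")
    if rst.findtext("wstrust:TokenType", namespaces=NS) != "SAML":
        raise ValueError("unsupported TokenType")
    tok = rst.find("wstrust:OnBehalfOf/ws:BinarySecurityToken", NS)
    if tok is None or tok.get("ValueType") != "X.509":
        raise ValueError("OnBehalfOf must carry an X.509 token")
    subject = STS_TRUSTED_CERTS.get(hashlib.sha256(base64.b64decode(tok.text)).hexdigest())
    if subject is None:
        raise ValueError("presented certificate is not trusted by the STS")
    body = ET.Element(q("soap", "Body"))
    rstr = ET.SubElement(body, q("wstrust", "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, q("wstrust", "TokenType")).text = "SAML"
    a = ET.SubElement(ET.SubElement(rstr, q("wstrust", "RequestedSecurityToken")), q("saml", "Assertion"),
                      AssertionID="constructed-" + hashlib.sha256(rst_xml).hexdigest()[:16],
                      Issuer=STS_ISSUER, IssueInstant=now.strftime(TS))
    ET.SubElement(a, q("saml", "Conditions"), NotBefore=(now - timedelta(minutes=5)).strftime(TS),
                  NotOnOrAfter=(now + timedelta(minutes=10)).strftime(TS))  # same window as the slides
    st = ET.SubElement(a, q("saml", "AuthenticationStatement"), AuthenticationMethod=X509_AM,
                       AuthenticationInstant=now.strftime(TS))
    subj = ET.SubElement(st, q("saml", "Subject"))
    ET.SubElement(subj, q("saml", "NameIdentifier")).text = subject
    ET.SubElement(ET.SubElement(subj, q("saml", "SubjectConfirmation")),
                  q("saml", "ConfirmationMethod")).text = SENDER_VOUCHES
    sig = ET.SubElement(ET.SubElement(a, q("ds", "Signature")), q("ds", "SignatureValue"))
    sig.text = hmac.new(STS_KEY, _signing_input(a), hashlib.sha256).hexdigest()
    return ET.tostring(body)

def wrap_for_service(rstr_xml):
    """Message 4: the gateway moves the issued assertion into a ws:Security header."""
    env = ET.Element(q("soap", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("soap", "Header")), q("ws", "Security"))
    sec.append(ET.fromstring(rstr_xml).find(".//saml:Assertion", NS))
    ET.SubElement(env, q("soap", "Body"))
    return ET.tostring(env)

def service_validate(msg4_xml, now):
    """The SAML-only service accepts the assertion only if every check passes."""
    a = ET.fromstring(msg4_xml).find("soap:Header/ws:Security/saml:Assertion", NS)
    if a is None:
        raise ValueError("no SAML assertion in the security header")
    if a.get("Issuer") != STS_ISSUER:
        raise ValueError("assertion not issued by a trusted STS")
    expected = hmac.new(STS_KEY, _signing_input(a), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(a.findtext("ds:Signature/ds:SignatureValue", "", NS), expected):
        raise ValueError("STS signature does not verify")
    c = a.find("saml:Conditions", NS)
    nb = datetime.strptime(c.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    na = datetime.strptime(c.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not nb <= now < na:
        raise ValueError("assertion is outside its validity window")
    if a.findtext(".//saml:ConfirmationMethod", namespaces=NS) != SENDER_VOUCHES:
        raise ValueError("unexpected ConfirmationMethod")
    return a.findtext(".//saml:NameIdentifier", namespaces=NS)

def run_exchange(now=DEMO_NOW, validate_minutes_later=0, tamper=False):
    """Drive messages 2-4; returns the subject the service accepts, or raises ValueError."""
    msg4 = wrap_for_service(sts_issue(build_rst(CLIENT_CERT_DER), now))
    if tamper:  # subject rewritten after issuance: the signature check must catch it
        msg4 = msg4.replace(b">Client<", b">Admin<")
    return service_validate(msg4, now + timedelta(minutes=validate_minutes_later))

def rejected(**kwargs):
    """True if the service refuses the exchange run with these parameters."""
    try:
        run_exchange(**kwargs)
    except ValueError:
        return True
    return False
```

Running run_exchange() with the constructed material yields the subject "Client"; validating the same message ten minutes after issuance, or after the NameIdentifier has been altered in transit, is rejected. The point for a relying party is the order of the checks in service_validate: the service never trusts the client directly, so issuer and signature are verified before the Conditions window and the sender-vouches confirmation are even looked at.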

Conclusion

WS-Trust addresses the security token needs of SOAP messages secured using WS-Security.

Format: An STS is used to exchange tokens into formats understandable by recipients.

Trust: The STS issues signed tokens, forming the basis of trust for entities with which it has formed a trust relationship.

Namespace: The STS will return tokens in the appropriate syntax for the recipient.

Credits

WS-Trust spec: http://www-106.ibm.com/developerworks/library/ws-trust/

XML.com WS-Trust overview: http://webservices.xml.com/lpt/a/ws/2003/06/24/ws-trust.html