
WS-Trust

Joseph Calandrino, Vincent Noël

Department of Computer Science, University of Virginia

February 9, 2004

Motivation

A SOAP message protected by WS-Security presents three possible issues with regard to security tokens:

• Security token format incompatibility

• Security token trust

• Namespace differences

Introduction

WS-Trust addresses these issues by:

• Defining a request/response protocol
  – Client sends RequestSecurityToken
  – Client receives RequestSecurityTokenResponse

• Introducing a Security Token Service (STS)

WS-Trust Model

STS Functions

A Security Token Service allows:

• Token Exchange

• Token Issuance

• Token Validation

Request – Challenge Operation

1. Client → STS: Client requests token from STS
2. STS → Client: STS sends a challenge to Client
3. Client → STS: Client sends an answer to STS
4. STS → Client: STS sends token(s) to Client
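The four steps above as an added example in Python; this is not code from the slides or from the WS-Trust specification. The STS hands out a fresh nonce as its challenge and issues a token only to a requester that proves possession of the key registered for it, and each nonce is single-use and time-limited so that a captured answer cannot be replayed. The message shapes, the per-client key registry, the HMAC proof and the time limit are assumptions; a real STS would carry the challenge in WS-Trust's own elements and verify an XML signature over it.

```python
"""Added example (not from the slides): the request/challenge round-trip as a nonce challenge.
The message shapes, the per-client key registry and the HMAC proof are assumptions."""
import hashlib, hmac, secrets, time


class ChallengingSTS:
    """STS side.  A fresh nonce is the challenge; a token is issued only to a requester that proves
    possession of its registered key over that nonce, once, and within a short time limit."""

    def __init__(self, client_keys, ttl=60.0, clock=time.monotonic):
        self.client_keys, self.ttl, self.clock = client_keys, ttl, clock
        self.pending = {}  # nonce -> (client_id, time issued)

    def request_token(self, client_id):
        """Steps 1 and 2: Client requests a token, STS answers with a challenge."""
        if client_id not in self.client_keys:
            raise PermissionError("unknown requester")
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (client_id, self.clock())
        return {"Challenge": nonce}

    def answer_challenge(self, client_id, nonce, proof):
        """Steps 3 and 4: Client answers, STS issues the token or returns None."""
        # pop() makes each nonce single-use, so a captured answer cannot be replayed.
        issued_to, issued_at = self.pending.pop(nonce, (None, None))
        if issued_to != client_id or self.clock() - issued_at > self.ttl:
            return None
        expected = hmac.new(self.client_keys[client_id], nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), proof.encode()):
            return None
        return {"TokenType": "SAML", "Subject": client_id, "IssuedAt": self.clock()}  # stand-in token


def client_answer(key, challenge):
    """Client side: prove possession of the key by keying the challenge nonce."""
    return hmac.new(key, challenge["Challenge"].encode(), hashlib.sha256).hexdigest()
```

The clock is injected so that expiry can be tested without waiting; the order of checks in `answer_challenge` (nonce known and bound to this requester, then not expired, then proof correct) means an attacker who never obtained a challenge learns nothing from the response.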

Example

WS-Trust Example

• Client understands X.509 certificates only

• Service understands SAML only

• No established trust between Client and Service

* Based on http://webservices.xml.com/lpt/a/ws/2003/06/24/ws-trust.html

SAML - Reminder

• The Security Assertion Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.

WS-Trust Example – message 1

• SOAP client sends initial request to SOAP service:

<soap:Envelope>
  <soap:Header>
    <ws:Security>
      <ws:BinarySecurityToken id="X509token" ValueType="X.509">
        sdfOIDFKLSoidefsdflk …
      </ws:BinarySecurityToken>
      <ds:Signature>
        <ds:Reference><ds:Ref URI="#PO"/></ds:Reference>
        <ds:SignatureValue>akjsdflaksf</ds:SignatureValue>
        <ds:KeyInfo>
          <ws:BinarySecurityTokenReference URI="#X509token"/>
        </ds:KeyInfo>
      </ds:Signature>
    </ws:Security>
  </soap:Header>
  <soap:Body>
    <po:PurchaseOrder ID="PO"/>
  </soap:Body>
</soap:Envelope>

Identity of Client established through the XML signature over the PurchaseOrder, keyed through the X.509 certificate carried in the BinarySecurityToken.

WS-Trust Example – message 2

• SOAP gateway recognizes that it must map to SAML, so it contacts the STS:

<soap:Envelope>
  <soap:Header>
    <ws:Security>
    </ws:Security>
  </soap:Header>
  <soap:Body>
    <wstrust:RequestSecurityToken>
      <wstrust:TokenType>SAML</wstrust:TokenType>
      <wstrust:RequestType>ReqExchange</wstrust:RequestType>
      <wstrust:OnBehalfOf>
        <ws:BinarySecurityToken id="originaltoken" ValueType="X.509">
          sdfOIDFKLSoidefsdflk …
        </ws:BinarySecurityToken>
      </wstrust:OnBehalfOf>
    </wstrust:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>

The RequestSecurityToken element is the core of this request: it asks for a SAML token (TokenType) in exchange (RequestType ReqExchange) for the client's X.509 token, which is carried in OnBehalfOf.

WS-Trust Example – message 3

• The STS sends back the token in the requested format:

<soap:Body>
  <wstrust:RequestSecurityTokenResponse>
    <wstrust:TokenType>SAML</wstrust:TokenType>
    <wstrust:RequestedSecurityToken>
      <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com"
                      IssueInstant="2002-06-19T16:58:33.173Z">
        <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z"
                         NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
        <saml:AuthenticationStatement
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
            AuthenticationInstant="2002-06-19T16:57:30.000Z">
          <saml:Subject>
            ...converted client identifier...
          </saml:Subject>
        </saml:AuthenticationStatement>
        <ds:Signature><!-- calculated by STS --></ds:Signature>
      </saml:Assertion>
    </wstrust:RequestedSecurityToken>
  </wstrust:RequestSecurityTokenResponse>
</soap:Body>

The SAML assertion is returned inside RequestedSecurityToken, signed by the STS and valid only between NotBefore and NotOnOrAfter. Its Subject carries the new client identifier that the service will use.

WS-Trust Example – message 4

• The gateway formats and sends the message for the service:

<ws:Security>
  <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com"
                  IssueInstant="2002-06-19T16:58:33.173Z">
    <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z"
                     NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
        AuthenticationInstant="2002-06-19T16:57:30.000Z">
      <saml:Subject>
        <saml:NameIdentifier>Client</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>
            urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
          </saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
    <ds:Signature><!-- calculated by STS --></ds:Signature>
  </saml:Assertion>
</ws:Security>

The SAML assertion is inserted into the WS-Security header. The ConfirmationMethod is sender-vouches: the service relies on the sending gateway to vouch for the subject, rather than on a key held by the client.
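The exchange in messages 2 to 4, together with the checks the service should run before it uses the Subject, as an added example in Python that is not part of the slides or of the XML.com article they follow. The wst/wsse namespace URIs, the HMAC "signature" that stands in for the STS's XML signature, the certificate-to-subject table and the ten-minute lifetime are assumptions. It shows two points the slides leave implicit: the STS refuses to issue for an X.509 token it does not already trust, and the service accepts the assertion only if the Issuer is trusted, the signature verifies over every field the service relies on, the Conditions window contains the current time, and the ConfirmationMethod is one it is prepared to honour (for sender-vouches that also means verifying the gateway's own signature on the message, which the example only notes).

```python
"""Added example (not from the slides): messages 2-4 as a toy STS plus the checks a relying
service runs on the returned SAML assertion.  The wst/wsse namespace URIs and the HMAC
'signature' standing in for XML-DSig are assumptions.  Timestamps are naive UTC datetimes."""
import base64, hashlib, hmac, secrets, xml.etree.ElementTree as ET
from datetime import datetime, timedelta

WST = "http://schemas.xmlsoap.org/ws/2004/04/trust"  # assumed: the 2004 WS-Trust draft URI
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML, DS = "urn:oasis:names:tc:SAML:1.0:assertion", "http://www.w3.org/2000/09/xmldsig#"
AM_X509 = "urn:oasis:names:tc:SAML:1.0:am:X.509"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # xsd:dateTime in UTC, as in the slides' assertions
LIFETIME, SKEW = timedelta(minutes=10), timedelta(minutes=5)  # NotOnOrAfter / NotBefore offsets
for _p, _n in (("wst", WST), ("wsse", WSSE), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_p, _n)

def saml(*names):  # ElementTree path for saml:-qualified names
    return "/".join(f"{{{SAML}}}{n}" for n in names)

def build_rst(x509_b64):
    """Message 2: the gateway asks for a SAML token in exchange for the client's X.509 token."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = "SAML"
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = "ReqExchange"
    obo = ET.SubElement(rst, f"{{{WST}}}OnBehalfOf")
    ET.SubElement(obo, f"{{{WSSE}}}BinarySecurityToken", ValueType="X.509").text = x509_b64
    return ET.tostring(rst, encoding="unicode")

def _sign(key, a):
    """HMAC over every field the STS vouches for; a stand-in for XML-DSig (assumption)."""
    cond, stmt = a.find(saml("Conditions")), a.find(saml("AuthenticationStatement"))
    parts = [a.get("AssertionID"), a.get("Issuer"), a.get("IssueInstant"), cond.get("NotBefore"),
             cond.get("NotOnOrAfter"), stmt.get("AuthenticationMethod"),
             stmt.findtext(saml("Subject", "NameIdentifier")),
             stmt.findtext(saml("Subject", "SubjectConfirmation", "ConfirmationMethod"))]
    if any(p is None for p in parts):
        raise ValueError("assertion is missing a required field")
    return base64.b64encode(hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()).decode()

def sts_issue(rst_xml, now, issuer, key, known_certs):
    """Message 3: the STS answers with a RequestSecurityTokenResponse, or raises if it refuses."""
    rst = ET.fromstring(rst_xml)
    if rst.findtext(f"{{{WST}}}TokenType") != "SAML" or rst.findtext(f"{{{WST}}}RequestType") != "ReqExchange":
        raise ValueError("unsupported request")
    bst = rst.find(f"{{{WST}}}OnBehalfOf/{{{WSSE}}}BinarySecurityToken")
    # Token trust: only a certificate the STS already knows maps to a SAML subject.  The gateway is
    # assumed to have verified the client's signature over message 1 before asking for the exchange.
    subject = known_certs.get((bst.text or "").strip()) if bst is not None else None
    if subject is None:
        raise PermissionError("untrusted X.509 token in OnBehalfOf")
    a = ET.Element(saml("Assertion"), AssertionID="_" + secrets.token_hex(16),
                   Issuer=issuer, IssueInstant=now.strftime(TS))
    ET.SubElement(a, saml("Conditions"), NotBefore=(now - SKEW).strftime(TS),
                  NotOnOrAfter=(now + LIFETIME).strftime(TS))
    stmt = ET.SubElement(a, saml("AuthenticationStatement"), AuthenticationMethod=AM_X509,
                         AuthenticationInstant=now.strftime(TS))
    subj = ET.SubElement(stmt, saml("Subject"))
    ET.SubElement(subj, saml("NameIdentifier")).text = subject
    conf = ET.SubElement(subj, saml("SubjectConfirmation"))
    ET.SubElement(conf, saml("ConfirmationMethod")).text = CM_SENDER_VOUCHES
    ET.SubElement(a, f"{{{DS}}}Signature").text = _sign(key, a)
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = "SAML"
    ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken").append(a)
    return ET.tostring(rstr, encoding="unicode")

def gateway_security_header(rstr_xml):
    """Message 4: the gateway moves the assertion from the RSTR into the wsse:Security header."""
    a = ET.fromstring(rstr_xml).find(f"{{{WST}}}RequestedSecurityToken/" + saml("Assertion"))
    if a is None:
        raise ValueError("RSTR carries no SAML assertion")
    sec = ET.Element(f"{{{WSSE}}}Security")
    sec.append(a)
    return ET.tostring(sec, encoding="unicode")

def validate_assertion(security_xml, now, trusted_issuers, allowed_methods=(CM_SENDER_VOUCHES,)):
    """Relying-service checks: (subject, None) or (None, reason).  Issuer and signature come first."""
    a = ET.fromstring(security_xml).find(saml("Assertion"))
    if a is None:
        return None, "no SAML assertion"
    key = trusted_issuers.get(a.get("Issuer"))
    if key is None:
        return None, "untrusted Issuer"
    try:
        ok = hmac.compare_digest((a.findtext(f"{{{DS}}}Signature") or "").encode(), _sign(key, a).encode())
    except (ValueError, AttributeError):  # missing elements or fields
        return None, "malformed assertion"
    if not ok:
        return None, "bad signature"
    cond = a.find(saml("Conditions"))
    if not datetime.strptime(cond.get("NotBefore"), TS) <= now < datetime.strptime(cond.get("NotOnOrAfter"), TS):
        return None, "outside validity window"
    stmt = a.find(saml("AuthenticationStatement"))
    # sender-vouches does not bind the assertion to the caller's key: the service must additionally
    # verify the gateway's own signature on the message that carried it (not modelled here).
    if stmt.findtext(saml("Subject", "SubjectConfirmation", "ConfirmationMethod")) not in allowed_methods:
        return None, "unacceptable ConfirmationMethod"
    return stmt.findtext(saml("Subject", "NameIdentifier")), None
```

The order of checks in `validate_assertion` matters: the Issuer lookup and signature check come before anything else is read, so a forged or altered assertion never influences the time-window or confirmation decisions. The HMAC keyed per issuer is only a placeholder for verifying the STS's XML signature against its published certificate, but the set of checks is the same.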

Conclusion

• WS-Trust addresses the security token needs of SOAP messages secured using WS-Security.
  – Format: An STS is used to exchange tokens into formats understandable by recipients.
  – Trust: The STS issues signed tokens forming the basis of trust for entities with which it has formed a trust relationship.
  – Namespace: The STS will return tokens in appropriate syntax for the recipient.

Credits

• WS-Trust spec: http://www-106.ibm.com/developerworks/library/ws-trust/ (Copyright (c) 2001, 2002 International Business Machines Corporation, Microsoft Corporation, RSA Security Inc., VeriSign Inc. All rights reserved.)

• XML.com WS-Trust overview: http://webservices.xml.com/lpt/a/ws/2003/06/24/ws-trust.html