Transcript of April 28, 2009
SOA and Browsers - Is A Common Infrastructure Emerging?
Norman F. Brickman, [email protected] Westman, [email protected]
April 28, 2009
MITRE Public Release Statement Case Number 09-017
© 2009 The MITRE Corporation. All rights Reserved.
Agenda
■ Purpose of presentation
■ Transactions – SOA versus Web browser
  – Both can be based on SOAP + WS-Star
■ Federation Needs – SOA versus Web browser
  – Both can be based on SOAP + WS-Trust + WS-Policy
■ Information Cards
  – Browser strategic technology based on SOAP + WS-Star
  – Introduction & Live Demo
■ SOA Service Chaining
  – Introduction & Live Demo
■ Summary
Purpose of Presentation
■ Discuss an emerging common protocol -- for both SOA & Web browser
  – SOAP, WS-Trust, WS-Policy, WS-Security, WS-MEX, others
■ Review the common environments
  – SOA / SOAP
  – Browser – Information Cards
■ Demonstrate both
  – Information Cards
  – SOA SOAP Service Chaining with WS-Trust / STS
■ Potential impact & benefits
Introduction – SOA Transactions
■ Machine to machine communications.
  – SOA consumer to SOA service producer
■ Two primary modes
  – REST
    ■ Simple to use, easier to learn.
    ■ Smaller learning curve
    ■ Capitalizes on the Web HTTP infrastructure
  – SOAP + WS-Trust + WS-Policy + other WS-Star
    ■ Designed to handle distributed computing environments
    ■ Built-in error handling (faults)
    ■ Has established underlying standards (WS-Star) for security, policy, reliable messaging, security tokens, etc.
    ■ Has integrated standards combining policy extraction and security token handling with the actual transaction
SOA Sequence of Operations
Introduction – Browser Transactions
■ Well established, HTTP foundation
■ Information Cards
  – New, standards-based, integrates several protocols
  – HTML + SOAP + WS-Trust + WS-Policy + other WS-Star
  ■ Integrated 4-step transaction protocol
  ■ Higgins Project and Cardspace and others
  ■ Emerging technology. Not yet universally accepted.
  ■ Promising security paradigms
  ■ Targeted for secure integration of identity and attribute information
  ■ Strategic approach for Cloud Computing
Transaction Protocol Pattern – Browser with Information Cards
(Chart: STS Usage - Web Browser - Information Cards - Operation with RP-STS. Original chart obtained from Steve Woodward, Microsoft, and modified.)
Parties: Identity Provider (IP-STS), Relying Party (RP), Client (User's Laptop), User. Blue = Human actions in the original chart.
1 Client attempts to access a resource
2 Retrieves access policy information
3 Identity Selector pops up (choose an Identity Provider which satisfies requirements)
4 User selects an IdP
5 Request security token (WS-Trust)
6 Return security token based on RP-STS's requirements
7 User approves release of token
8 Form + Token released to RP
Federation
■ Increasingly required
  – No need to pre-register your system users
■ Based on passing of security tokens
■ SOA SOAP standards-based approach
  – WS-Trust -- Security Token Service (STS) for security tokens
■ Browser
  – Information Cards
    ■ Same federation approach as SOA SOAP
  – Several other protocols to choose from!
Federation Technologies -- Web Browser
Live Demonstration -- Information Cards
■ Information Card presence in Windows XP
  – CardSpace
■ Obtain a managed Information Card
  – Uses attributes from the MITRE employee Active Directory
  – Authentication based on Login/Password
    ■ Configurable to CAC card, software cert, security token, etc
■ Access Control
  – Use the Information Card for authentication and authorization
  – Use ABAC to control access to targets
Live Demonstration – SOA Service Chaining
■ MITRE Service Chaining Investigation
  – Collaboration / joint sponsorship of several agencies
  – Initial investigation topics: identity handling, security tokens, WS-Security, SAML, SOAP, STS interoperability, encryption and digital signature, best practices, general issues
  – Demonstration shows transaction communications for:
    ■ SOAP, WS-Trust, SAML security token, User access to portal
Live Demonstration – SOA Service Chaining
■ Demonstration of one step in a chain
  – User access to portal
  – Portal obtains security token(s) from STS
  – SOAP-based transaction to target service
Commercial Marketplace Summary
■ SOA and SOAP and WS-Security
  – Participation by all major vendors
■ WS-Trust
  – Issuance of security tokens
  – IBM, Oracle, Microsoft, Ping Identity, Layer 7, etc
■ WS-SecurityPolicy
  – Established standard
  – Integrated with Information Card operations
■ SOA usage is now getting established
■ SAML for security token assertions
  – All vendors participate
  – Interoperability is "fairly well" established
Potential Payoff
■ Promising Security
  – Three levels
    ■ Network, message, security token
  – True end-to-end security
  – WS-Security framework for security tokens
  – SAML compatible
  – Better ABAC (Attribute Based Access Control)
    ■ Access requirements are integrated with the protocol
■ One common infrastructure
  – Administration
  – Cost advantages
■ Authentication and authorization characteristics compatible with Cloud Computing requirements
Summary
■ SOA and Web Browser (with Information Cards)
  – Very similar protocols
■ Potential security, costs, administration, and other improvements
■ New, standards-based, integrated operational protocol
  – 1) Metadata retrieval
  – 2) Security token retrieval
  – 3) Submit transaction
■ Information Cards
  – Off-the-shelf today
  – Business case is not yet market proven
  – Strategic capabilities for Cloud Computing
■ STS
  – Here today
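As an added illustration (not from the MITRE deck or its demonstrations), a minimal Python simulation of the three-step protocol summarized above (metadata retrieval, security token retrieval, transaction submission), with the relying-party checks that the Information Card pattern and SOA service chaining both rest on: trusted issuer, signature, audience, expiry, required claims, then an ABAC rule over the released attributes. The STS, RP, issuer URIs, directory entries and HMAC signing are constructed stand-ins for a real IP-STS, WS-Policy exchange and signed SAML assertion.

```python
import hashlib, hmac, json, time

def sign(key, body):
    raw = json.dumps(body, sort_keys=True).encode()   # canonical form, as an XML signature would require
    return hmac.new(key, raw, hashlib.sha256).hexdigest()

class STS:
    """Identity-provider STS: issues a signed token carrying only the claims the RP policy asks for."""
    def __init__(self, issuer, key, directory):
        self.issuer, self.key, self.directory = issuer, key, directory  # directory stands in for AD
    def issue(self, user, policy, lifetime=300):
        claims = {c: self.directory[user][c] for c in policy["required_claims"]}  # minimal disclosure
        body = {"iss": self.issuer, "aud": policy["audience"], "sub": user,
                "exp": time.time() + lifetime, "claims": claims}
        return {"body": body, "sig": sign(self.key, body)}

class RelyingParty:
    """RP, portal or chained target service: publishes policy, validates tokens, enforces ABAC."""
    def __init__(self, audience, trusted_issuers, required_claims, abac_rule):
        self.policy = {"audience": audience, "required_claims": required_claims}
        self.trusted, self.rule = trusted_issuers, abac_rule  # issuer URI -> verification key
    def metadata(self):                 # step 1: policy retrieval (stand-in for WS-MEX / WS-Policy)
        return self.policy
    def accept(self, token, now=None):  # step 3: validate the token, then authorize on attributes
        body, now = token["body"], (time.time() if now is None else now)
        key = self.trusted.get(body["iss"])
        if key is None:
            return "untrusted issuer"
        if not hmac.compare_digest(sign(key, body), token["sig"]):
            return "bad signature"      # any edit to the claims after issuance lands here
        if body["aud"] != self.policy["audience"]:
            return "wrong audience"     # token was issued for another service in the chain
        if body["exp"] < now:
            return "expired"
        if any(c not in body["claims"] for c in self.policy["required_claims"]):
            return "missing claims"
        return "allowed" if self.rule(body["claims"]) else "denied by ABAC"

def transaction(user, sts, rp):
    policy = rp.metadata()            # 1) metadata retrieval
    token = sts.issue(user, policy)   # 2) security token retrieval (RST -> RSTR)
    return rp.accept(token)           # 3) submit the transaction with the token attached

# Constructed sample data: two directory users, one IP-STS, one RP that requires a high clearance.
DIRECTORY = {"alice": {"department": "security", "clearance": "high", "phone": "x1234"},
             "bob": {"department": "finance", "clearance": "low", "phone": "x5678"}}
STS_KEY = b"demo-shared-key"
sts = STS("urn:example:ip-sts", STS_KEY, DIRECTORY)
rp = RelyingParty("urn:example:rp", {"urn:example:ip-sts": STS_KEY},
                  ["department", "clearance"], lambda c: c["clearance"] == "high")
```

`transaction("alice", sts, rp)` returns "allowed" while "bob" is "denied by ABAC"; a token issued for `rp` is rejected by a second RelyingParty with a different audience, which is the check a chained target service needs so that a portal's token cannot simply be forwarded.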