SOA and Browsers - - - Is A Common Infrastructure Emerging?

Norman F. Brickman, [email protected]
Roger Westman, [email protected]

April 28, 2009
MITRE Public Release Statement Case Number 09-017
© 2009 The MITRE Corporation. All rights reserved.

PowerPoint presentation, 16 slides.

Transcript

Page 1 and Page 2: Title slide

SOA and Browsers - - - Is A Common Infrastructure Emerging?

Norman F. Brickman, [email protected]
Roger Westman, [email protected]

April 28, 2009
MITRE Public Release Statement Case Number 09-017
© 2009 The MITRE Corporation. All rights reserved.

Page 3: Agenda

■ Purpose of presentation
■ Transactions – SOA versus Web browser
  – Both can be based on SOAP + WS-Star
■ Federation Needs – SOA versus Web browser
  – Both can be based on SOAP + WS-Trust + WS-Policy
■ Information Cards
  – Browser strategic technology based on SOAP + WS-Star
  – Introduction & Live Demo
■ SOA Service Chaining
  – Introduction & Live Demo
■ Summary

Page 4: Purpose of Presentation

■ Discuss an emerging common protocol -- for both SOA & Web browser
  – SOAP, WS-Trust, WS-Policy, WS-Security, WS-MEX, others
■ Review the common environments
  – SOA / SOAP
  – Browser – Information Cards
■ Demonstrate both
  – Information Cards
  – SOA SOAP Service Chaining with WS-Trust / STS
■ Potential impact & benefits

Page 5: Introduction – SOA Transactions

■ Machine to machine communications
  – SOA consumer to SOA service producer
■ Two primary modes
  – REST
    ■ Simple to use, easier to learn
    ■ Smaller learning curve
    ■ Capitalizes on the Web HTTP infrastructure
  – SOAP + WS-Trust + WS-Policy + other WS-Star
    ■ Designed to handle distributed computing environments
    ■ Built-in error handling (faults)
    ■ Has established underlying standards (WS-Star) for security, policy, reliable messaging, security tokens, etc.
    ■ Has integrated standards combining policy extraction and security token handling with the actual transaction

Page 6: SOA Sequence of Operations

(Diagram slide; no slide text beyond the title was transcribed.)

Page 7: Introduction – Browser Transactions

■ Well established, HTTP foundation
■ Information Cards
  – New, standards-based, integrates several protocols
  – HTML + SOAP + WS-Trust + WS-Policy + other WS-Star
  ■ Integrated 4-step transaction protocol
  ■ Higgins Project and Cardspace and others
  ■ Emerging technology. Not yet universally accepted.
  ■ Promising security paradigms
  ■ Targeted for secure integration of identity and attribute information
■ Strategic approach for Cloud Computing

Page 8: Transaction Protocol Pattern – Browser with Information Cards

STS Usage - Web Browser - Information Cards - Operation with RP-STS

Parties: User; Client (User’s Laptop) running the Identity Selector; Relying Party (RP) with its RP-STS; Identity Provider (IP-STS).

1. Client attempts to access a resource
2. Retrieves access policy information
3. Identity Selector pops up (choose an Identity Provider which satisfies requirements)
4. User selects an IdP
5. Request security token (WS-Trust)
6. Return security token based on RP-STS’s requirements
7. User approves release of token
8. Form + Token released to RP

Blue = Human actions

Original chart obtained from Steve Woodward, Microsoft, and modified
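The eight-step exchange on this slide, modelled end to end as an added Python example. It is not MITRE's demonstration code and not CardSpace or Higgins code: the RP policy, the two cards, the issuer URLs, the directory entry and the password are all constructed, and an HMAC-SHA256 over the token fields stands in for the XML Signature a real STS would apply. The point it adds to the chart is what each party must check: the selector offers only cards whose issuer the RP trusts and that can supply every required claim (step 3), the STS releases only the requested claims and scopes the token to the RP with a short lifetime (step 6), and the RP verifies issuer, signature, audience, lifetime and claims before any ABAC decision is made (step 8).

```python
"""Model of the eight-step Information Card flow (added example, not MITRE's code).

HMAC-SHA256 over the token fields stands in for the XML Signature a real
IP-STS would apply; all names, URLs, attributes and credentials are constructed.
"""
import hashlib
import hmac
import json
import time

# Step 2: the RP's access policy (WS-SecurityPolicy, simplified): which claim
# types it needs and which issuers it trusts. Constructed values.
RP_POLICY = {
    "audience": "https://rp.example.test/portal",
    "required_claims": {"employee_id", "role"},
    "trusted_issuers": {"https://idp.example.test/sts"},
}

# Constructed IP-STS: issuer name, signing key and its user attribute store.
STS_ISSUER = "https://idp.example.test/sts"
STS_KEY = b"constructed-idp-signing-key"
DIRECTORY = {"alice": {"employee_id": "E1001", "role": "analyst"}}

# Constructed managed Information Cards on the user's laptop. A managed card
# names its issuer and the claim types the issuer can supply, not the values.
CARDS = [
    {"name": "Shopping card", "issuer": "https://shop.example.test/sts",
     "claims": {"email"}},
    {"name": "Employee card", "issuer": STS_ISSUER,
     "claims": {"employee_id", "role", "email"}},
]


def select_card(cards, policy):
    """Step 3: the identity selector lists only cards whose issuer the RP
    trusts and which can supply every required claim type."""
    return [c for c in cards
            if c["issuer"] in policy["trusted_issuers"]
            and policy["required_claims"] <= c["claims"]]


def sign(payload, key):
    """Stand-in for the STS's XML Signature: HMAC over a canonical encoding."""
    canonical = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def sts_issue(username, password, claims, audience, now=None):
    """Steps 5-6: RST in (WS-Trust), RSTR out. The STS authenticates the user,
    releases only the requested claims, and scopes a short-lived token to the RP."""
    now = now if now is not None else time.time()
    if password != "correct horse":  # constructed login/password check
        raise PermissionError("authentication failed")
    attrs = DIRECTORY[username]
    token = {
        "issuer": STS_ISSUER, "subject": username, "audience": audience,
        "claims": {k: attrs[k] for k in claims},
        "issued": int(now), "expires": int(now) + 300,
    }
    return {"token": token, "signature": sign(token, STS_KEY)}


def rp_validate(rstr, policy, trusted_keys, now=None):
    """Step 8: the RP accepts a token only if it comes from a trusted issuer,
    verifies under that issuer's key, was issued for this RP, is within its
    lifetime and carries every required claim. Returns the claims or raises."""
    now = now if now is not None else time.time()
    tok = rstr["token"]
    key = trusted_keys.get(tok["issuer"])
    if key is None or tok["issuer"] not in policy["trusted_issuers"]:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(sign(tok, key), rstr["signature"]):
        raise ValueError("bad signature")
    if tok["audience"] != policy["audience"]:
        raise ValueError("token not issued for this RP")
    if not tok["issued"] <= now < tok["expires"]:
        raise ValueError("token expired or not yet valid")
    if not policy["required_claims"] <= set(tok["claims"]):
        raise ValueError("missing required claims")
    return tok["claims"]


def abac_decision(claims, resource):
    """ABAC on the released claims; a single constructed rule for illustration."""
    return resource == "reports" and claims.get("role") == "analyst"


def run_flow(username="alice", password="correct horse", now=None):
    """Steps 1-8 in order; returns (card used, validated claims, ABAC result)."""
    card = select_card(CARDS, RP_POLICY)[0]          # steps 3-4
    rstr = sts_issue(username, password, RP_POLICY["required_claims"],
                     RP_POLICY["audience"], now)      # steps 5-7
    claims = rp_validate(rstr, RP_POLICY, {STS_ISSUER: STS_KEY}, now)  # step 8
    return card["name"], claims, abac_decision(claims, "reports")


if __name__ == "__main__":
    print(run_flow())
```

Run as a script to see the happy path; the checks in rp_validate are the ones that matter for a defender, since a token that is unsigned, re-targeted at a different RP, expired, or padded with extra claims must fail there before any authorization logic runs.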

Page 9: Federation

■ Increasingly required
  – No need to pre-register your system users
■ Based on passing of security tokens
■ SOA SOAP standards-based approach
  – WS-Trust -- Security Token Service (STS) for security tokens
■ Browser
  – Information Cards
    ■ Same federation approach as SOA SOAP
  – Several other protocols to choose from!

Page 10: Federation Technologies -- Web Browser

(Diagram slide; no slide text beyond the title was transcribed.)

Page 11: Live Demonstration -- Information Cards

■ Information Card presence in Windows XP
  – CardSpace
■ Obtain a managed Information Card
  – Uses attributes from the MITRE employee Active Directory
  – Authentication based on Login/Password
    ■ Configurable to CAC card, software cert, security token, etc.
■ Access Control
  – Use the Information Card for authentication and authorization
  – Use ABAC to control access to targets

Page 12: Live Demonstration – SOA Service Chaining

■ MITRE Service Chaining Investigation
  – Collaboration / joint sponsorship of several agencies
  – Initial investigation topics: identity handling, security tokens, WS-Security, SAML, SOAP, STS interoperability, encryption and digital signature, best practices, general issues
  – Demonstration shows transaction communications for:
    ■ SOAP, WS-Trust, SAML security token, User access to portal

Page 13: Live Demonstration – SOA Service Chaining

■ Demonstration of one step in a chain
  – User access to portal
  – Portal obtains security token(s) from STS
  – SOAP-based transaction to target service
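The third item, the SOAP-based transaction from portal to target service, as an added Python example that is not MITRE's demonstration code. The portal places the STS-issued token in a WS-Security header of a SOAP 1.2 envelope; the target service refuses to touch the body until the header is present and the token passes validation, and reports every refusal as a SOAP Fault (the "built-in error handling" of slide 5) so the caller can tell a rejection from a result by structure. The token is an opaque string and its validation is delegated to a caller-supplied function (a real service would verify the SAML assertion's XML Signature); the service namespace and the operation names are constructed.

```python
"""One step of the service chain: SOAP 1.2 request with a WS-Security header
(added example, not MITRE's code). Token validation is delegated; the service
namespace "urn:example:target-service" and the operation names are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SVC = "urn:example:target-service"  # constructed namespace of the target service
NS = {"s": SOAP, "wsse": WSSE, "svc": SVC}
for _prefix, _uri in NS.items():   # fixed prefixes so "s:Sender" in a Fault is bound
    ET.register_namespace(_prefix, _uri)


def build_request(token: Optional[str], query: str) -> bytes:
    """Portal side: envelope whose mustUnderstand Security header carries the token."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    if token is not None:
        sec = ET.SubElement(header, f"{{{WSSE}}}Security",
                            {f"{{{SOAP}}}mustUnderstand": "true"})
        # Stand-in for the SAML assertion element a real client would embed.
        ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken").text = token
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, f"{{{SVC}}}LookupRequest").text = query
    return ET.tostring(env)


def fault(code: str, reason: str) -> bytes:
    """SOAP 1.2 Fault envelope. Code 'Sender' means the caller's message was
    unacceptable; 'Receiver' would mean the service itself failed."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    flt = ET.SubElement(body, f"{{{SOAP}}}Fault")
    code_el = ET.SubElement(flt, f"{{{SOAP}}}Code")
    ET.SubElement(code_el, f"{{{SOAP}}}Value").text = f"s:{code}"
    reason_el = ET.SubElement(flt, f"{{{SOAP}}}Reason")
    ET.SubElement(reason_el, f"{{{SOAP}}}Text").text = reason
    return ET.tostring(env)


def handle_request(raw: bytes, token_is_valid: Callable[[str], bool]) -> bytes:
    """Target service: parse, require and validate the security token, and only
    then dispatch the operation in the body. Every refusal is a Fault."""
    try:
        env = ET.fromstring(raw)
    except ET.ParseError:
        return fault("Sender", "malformed envelope")
    tok = env.find("s:Header/wsse:Security/wsse:BinarySecurityToken", NS)
    if tok is None or not tok.text:
        return fault("Sender", "missing security token")
    if not token_is_valid(tok.text):
        return fault("Sender", "security token rejected")
    req = env.find("s:Body/svc:LookupRequest", NS)
    if req is None:
        return fault("Sender", "unknown operation")
    resp = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(resp, f"{{{SOAP}}}Body")
    ET.SubElement(body, f"{{{SVC}}}LookupResponse").text = f"result for {req.text}"
    return ET.tostring(resp)


def classify(raw: bytes) -> Tuple[str, Optional[str]]:
    """Portal side: tell a result from a Fault by the envelope's structure."""
    env = ET.fromstring(raw)
    flt = env.find("s:Body/s:Fault", NS)
    if flt is not None:
        return ("fault", flt.findtext("s:Reason/s:Text", namespaces=NS))
    return ("ok", env.findtext("s:Body/svc:LookupResponse", namespaces=NS))


if __name__ == "__main__":
    request = build_request("constructed-token", "E1001")
    print(classify(handle_request(request, lambda t: t == "constructed-token")))
    print(classify(handle_request(build_request(None, "E1001"), lambda t: True)))
```

The ordering in handle_request is the design point: the token check runs before the body is even looked at, so an unauthenticated caller learns nothing about which operations exist, and the portal's classify function keys on the Fault element rather than on free text, which is what lets a chain step propagate a downstream refusal reliably.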

Page 14: Commercial Marketplace Summary

■ SOA and SOAP and WS-Security
  – Participation by all major vendors
■ WS-Trust
  – Issuance of security tokens
  – IBM, Oracle, Microsoft, Ping Identity, Layer 7, etc.
■ WS-SecurityPolicy
  – Established standard
  – Integrated with Information Card operations
■ SOA usage is now getting established
■ SAML for security token assertions
  – All vendors participate
  – Interoperability is “fairly well” established

Page 15: Potential Payoff

■ Promising Security
  – Three levels
    ■ Network, message, security token
  – True end-to-end security
  – WS-Security framework for security tokens
  – SAML compatible
  – Better ABAC (Attribute Based Access Control)
■ Access requirements are integrated with the protocol
■ One common infrastructure
  – Administration
  – Cost advantages
■ Authentication and authorization characteristics compatible with Cloud Computing requirements

Page 16: Summary

■ SOA and Web Browser (with Information Cards)
  – Very similar protocols
■ Potential security, costs, administration, and other improvements
■ New, standards-based, integrated operational protocol
  – 1) Metadata retrieval
  – 2) Security token retrieval
  – 3) Submit transaction
■ Information Cards
  – Off-the-shelf today
  – Business case is not yet market proven
  – Strategic capabilities for Cloud Computing
■ STS
  – Here today