1 / 14

Introduction to Implementing XML web services authentication

Introduction to Implementing XML web services authentication. John Messing Law-on-Line, Inc. Prepared for Maricopa County ICJIS May 17, 2006. Legal: Proving up audit trails. Regulatory contexts (Sarbanes-Oxley) Evidence in court - In re Vee Vinhnee, 336 BR 437 (BAP 9 th Cir. 2005).

keon
Télécharger la présentation

Introduction to Implementing XML web services authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Implementing XML web services authentication John Messing Law-on-Line, Inc. Prepared for Maricopa County ICJIS May 17, 2006

  2. Legal: Proving up audit trails • Regulatory contexts (Sarbanes-Oxley) • Evidence in court - In re Vee Vinhnee, 336 BR 437 (BAP 9th Cir. 2005). • Digital data base records offered into evidence must be established first as unchanged since creation through foundational testimony from a qualified witness, preferably aided by cryptographic protections.

  3. SAML and WSS: related OASIS standards • Not yet interoperable • But WSS includes a SAML profile

  4. SAML • Authentication for • Access control • Audit purposes • Used with • Web browsers • SOAP messages

  5. WSS • Protections for SOAP messages on the wire • Defines bindings for W3C XML encryption and XML signatures to SOAP messages • Conveys security tokens in SOAP headers for credentialing, integrity and confidentiality • WSS profiles • Kerberos tickets • X.509 certificates • Username/Password tokens • SAML Assertions • XRML Licenses

  6. Limited protection • For data in transit between the end user’s machine and the web service. • No protection against malware on the user’s machine that hijacks a legitimate authentication. • Serious Internet banking problem • May need also to capture and data-mine usage • Not yet addressed by standards

  7. Scope • SAML • authentication for single sign-on purposes • includes web browsing in addition to SOAP • WSS • Broader purposes such as digital rights protection, but includes only SOAP

  8. Techniques • WSS places SAML token inside the header to authenticate the SOAP body. • In SAML itself, the assertion resides in the SOAP body, to authenticate the user. • Since SAML 2.0, attributes can be encrypted, so features are otherwise comparable in many ways. • NB – Signing, encryption, and Base64 encoding in addition XML parsing are processor-intensive operations that can limit the scalability of SOA implementations.

  9. Usefulness • Federated authentication can be indispensable across security domains. • SAML generally is more mature than WSS • MS opposes SAML except as part of WSS • WS-I.org – implementation vetting efforts by vendors supporting WSS • SAML and WSS each seem compatible with GJXML, NIEM and ECF 3.x

  10. Security Token Service • Brokered authentication to mediate non-interoperable security methods and update diverse security data stores. • Relies on WS-Trust and WSS SAML profile • Useful where DotNet implementations interact with non-MS web services in SOA • Custom built or proprietary solutions

  11. Document security • SAML and WSS do not address document level security. • Acrobat 5+ and OASIS DSS do. • ECF 3.0 provides for document level security (5 signature profiles) and allows for optional messaging layer security using WS-I BP 1.0 (WSS derived)

  12. Related presentations • SAML update • SAML animation • WSS 1.1 • STS

  13. IPR Considerations • Open standards usually provide for an agreement to license proprietary intellectual property of vendors to participants that is needed to implement a standard. • The terms are generally not self-executing. • Requesting and obtaining licenses can be time-consuming and frustrating. But it must be done. • E.g. WebMethod and Epicentric patent claims to SOAP 1.2. • Obtain licenses from all vendor participants who agree to the use of their IPR in the standards. • Understand the license terms and implications, including royalty obligations, before investing heavily.

  14. End • John Messing • Law-on-Line, Inc. • 5151 E. Broadway Blvd., Suite 1600 • Tucson, AZ 85711 • (520) 512-5432 (office) • (520) 512-5401 (fax) • (520) 270-1953 (mobile) • johnmessing@lawonline.biz

More Related