Académique Documents
Professionnel Documents
Culture Documents
Layer 7 Technologies
White Paper
Identity Federation in Web Services
Contents
Introduction ................................................................
................................................................................................
.................................................. 3
The Identity Problem ................................
................................................................................................................................
.................................... 3
Integration and Isolation................................
................................................................................................
........................................................... 3
Identity Silos................................
................................................................................................................................
.............................................. 3
Cross-Departmental
Departmental Application Integration ............................................................................................
............................ 4
Legacy System Access ................................
...............................................................................................................................
............................... 5
Corporate Mergers and Acquisitions ................................................................................................
........................................ 5
External Trading Partners ................................
................................................................................................
......................................................... 5
Approaches to Bridging Identity Silos ................................................................................................
........................................... 5
Custom Hard-Coding ................................
................................................................................................................................
................................. 5
Identity Consolidation ................................
...............................................................................................................................
............................... 6
Directory Synchronization................................
................................................................................................
......................................................... 6
Single Sign-On Approaches ................................
................................................................................................
....................................................... 6
The Role of Standards ................................
................................................................................................................................
................................... 7
Addressing Identity Isolation ................................
................................................................................................
........................................................ 8
Simple and Effective................................
................................................................................................................................
.................................. 8
Flexible ................................................................
................................................................................................
...................................................... 8
Standards-Based ................................
................................................................................................................................
....................................... 9
Turnkey Solution ................................
................................................................................................................................
....................................... 9
Local Control ................................
................................................................................................................................
............................................. 9
Secure ................................................................
................................................................................................
....................................................... 9
Conclusion ................................................................
................................................................................................
..................................................... 9
About Layer 7 Technologies ................................
................................................................................................
........................................................ 10
Contact Layer 7 Technologies ................................
................................................................................................
..................................................... 10
Legal Information ................................
................................................................................................................................
........................................ 10
Introduction
XML-based
based Web services are a powerful vehicle for reusing shared application logic across diverse business
processes. These processes often need to traverse multiple departments, business units, and partners residing in
separate security domains with independent preferences, capabilities, and requirements. As a consequence,
serious communication, propagation and processing problems arise as each independent security domain
do
attempts to share Web services and applications. This problem, known as a “federation” problem, complicates and
restricts the wide-spread
spread implementation of Web services.
Identity Silos
Before applications can interact with h other applications or end
end-users,
users, some form of access control is usually
applied. At a minimum, access control consists of both authentication and authorization. Authentication involves
the presentation and validation of credentials, and authorization involves
olves granting access, rights, or entitlements
based on the interpretation of the authentication results. In short, applications take the presented credentials,
initiate a validation of the credentials by contacting an appropriate identity store or provide
provider,r, and receive back a
success or failure result, as well as other related information. This information is then subjected to some form of
access control policy or business logic, and the identity is granted or denied rights accordingly. When integrating
applications via Web services, identical mechanisms for authentication and authorization are used.
Copyright © 2010 Layer 7 Technologies
ogies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights
yrights are the property of their respective owners. 3
Identity Federation in Web Services
For consistent management, identities are typically stored in the same security domain as the application. An
identity may represent another application, a hu
human user, or a group of users, and consist of elements such as
common name, fully qualified name, group, role, certificate, and security clearance. During the authentication and
authorization process, the exact elements in an identity are matched to the fu
functional
nctional requirements of the
applications or Web services served by the identity provider.
If a legitimate user, application, or Web service authenticates against a corresponding identity provider in one
identity silo, their identity (or any evidence of the authentication) may have no relevance when requesting access
to another application or Web eb service in another identity silo. In this case, the integration is broken,
broken and the
authorization in one silo will fail even though the authentication succeeded in another silo. For Web services, this
problem is compounded by the fact that most interacti
interactions
ons happen between applications, meaning that no
practical user intervention is possible.
As the following examples illustrate, identity silos are the root cause of integration issues in many
ma common
integration scenarios:
who often need access to two or more se separate applications and corresponding databases to provide a positive
service experience to clients. Further complicating matters is the fact that, while protecting the customer’s
personal data, financial institutions must also provide an audit trail to he
help support non-repudiation
repudiation procedures
and ensure regulatory compliance.
Other examples undoubtedly exist, but the these four scenarios illustrate some of the real impact associated with
application identity silos. Despite being a common problem for a number of years, little has been done to directly
address the issue. Most proposed solutions have had limited success, and as Web services usage expands, the
problem becomes more acute as the human options for bri bridging identity silos disappears.
Occasionally used, this is an inefficient and inflexible approach that deals with a pervasive p
problem
roblem one instance at
a time. Little or no re-use
use is likely, as each integration requires the development of a new bridging application with
the potential for subsequent implementation errors and security compromises
compromises.
Identity Consolidation
Identity consolidation
lidation maps identities associated with one authentication source to a single consolidated identity
for authorization purposes. For example, staff members that have access rights to a retail banking application
might be identified as the single identity ““EMP_RETL”
EMP_RETL” when accessing the foreign exchange and treasury
applications. This provides a bridging mechanism between distinct identity silos, but obscures potentially
important differences between members of the consolidated identity, thus eliminating the aability
bility to make fine-
fine
grained authorization decisions. This simple bridging approach also produces some fundamental management
issues.
Updating the authentication and authorization processes when an individual identity account is inevitably removed
from the group is both critical and tedious. Hours or even days might elapse before changes are propagated. The
end result is often deactivation of the original consolidated account, followed by reassignment of “survivor”
identities to a new account. This administrative nightmare can be difficult to automate, and any associated
problems can break the integration or worse, create lapses in security.
Directory Synchronization
Directory synchronization addresses some of the shortcomings of consolidation by replicating some or all remote
identities into a separate store. This replicated store is effectively an exact copy of the identity store used by
remote entities residing in another security domain. The challenges associated with maintaining granularity are
effectively overcome since all accessing entities retain a distinct identity, facilitati
facilitating
ng local authentication and fine-
fine
grained identity-based
based authorization while ensuring a detailed audit trail. Despite these improvements, directory
synchronization also introduces some significant administrative challenges.
Once the replicated store of identities has been created on the provider
provider-side, an ongoing mechanism must be
established to keep the two copies synchronized. In addition to ensuring connectivity, synchronization tools need
to update the replicated copy either on a periodic basis, or in real
real-time
time as changes occur to the original store.
s In
some cases, this can lead to race conditions as updates occur asynchronously with additions and/or changes. The
latency associated with updates can result in inadvertent access for revoked identities and/or denied access for
new identities.
Single Sign-On
On Approaches
Single Sign-On
On (SSO) systems are an effective mechanism for providing single login access to a variety of back-end
back
systems through Web portals and other gateway applications. A given entity signs on once and is granted the
correct accesss and entitlements on multiple systems through some form of opaque cookie or token. Scaling SSO
systems to encompass a broader spectrum of integration scenari
scenarios,
os, however, can be challenging.
challenging
The SSO model does not eliminate the proliferation of disparate user IDs and passwords, but instead, simply masks
this issue for some pre-defined
defined processes. Local applications are still responsible for authorizing users and
determining what to do with the authentication token. This requires pre pre-negotiation
negotiation of roles and
an entitlements, as
well as considerable amounts of custom code to process or map the incoming identities.
In the Web environment, most SSO products use cookies as evidence of authentication. This works well for human
users signing into a Web browser page, but does not translate well between applications, or in Web services
integrations where there is no equivalent to a browser application. In both of these situations, the deployment of
custom code or platform-specific agents is required to properly interpr
interpret
et and verify the cookies.
SAML-enabled SSO To address this, several SSO products also support Security Assertion Markup Language
products provide the (SAML) tokens that offer more flexibility than proprietary cookies. SAML is standards-
standards
based, has no dependency on a Web browser, and has growing cross-vendor
cross
best promise for interoperability (see The Role of Standards below for more information). Typically, the
cross-boundary originating identity and some form of evidence of that identity’s successful
exchange of identity authentication are contained in a SAML assertion. Systems can pass these SAML tokens
and authentication both behind and across firewalls to a corresponding SAML “receiver” to receive,
receive
by securely process, and verify the token. This approach is sometimes referred to as “Federated
SSO” or “Federated Identity
Identity,” and requires that the implementation team define exact
transferring security protocols for the token. If not protected in some manner, the same token can
credentials between be used for subsequent replay attacks
attacks.
systems
An important part of the solution, SSO systems still require considerable pre-
pre
negotiation of identity context between silos, as well as the code to support proper authorization within this
context. The introduction of SAML does provide a potentially powerful mechanism for exchanging both identity
and evidence of authentication, butut it still requires significant infrastructure to securely exchange tokens, validate
their authenticity, and correctly authorize users. This can lead to an expensive and time-consuming
consuming Web services
implementation process even if an SSO system is already in place for an existing Web portal application.
One of the first standards to become available from multiple vendors was SAML, created by the Organization for
the Advancement of Structured Information Standards (OASIS). Designed to deliver much-needed
needed interoperability
between compliant Web access management and security products, the SAML specification itself does not define
any new authentication technologies or approaches, nor does it address how to create privacy or security policies.
Rather, SAML makes it possible to transf
transfer security credentials between systems with one-time
time authentication.
SAML forms the basis for many Web-based
based SSO systems, and has proven interoperability between major vendors.
Other standards activities are focused on strategically extending applications and Web services beyond security
domain firewalls to facilitate Web services
services-based integration.
The Liberty Alliance is composed of a diverse group of companies spearheaded by Sun Microsystems. The
collaboration claims that it is the only open body worki
working
ng on federated identity, but a group spearheaded by
Microsoft, IBM, BEA, and others has presented the WSWS-Federation standard to accomplish similar tasks. From the
beginning, IBM and Microsoft have been major forces behind the advancement of Web services, and both have
helped develop a series of standards in addition to the WS
WS-Federation standard.
Standards work continues, sometimes yielding results that overlap with OASIS and the Liberty Alliance. To
complicate matters further, the recent Liberty Alliance specification attempts to subsume the current SAML
standard, while the next version of SAML attempts to do the same with the Liberty Alliance standard.
The multitude of standards and standards bodies merely provides alternate methods for solving a similar problem
set. The eventual convergence of these efforts, possibly after the introduction of the WS-Federation
Federation standard,
does little to solve today’s pressing identity bridging problems.
Flexible
Identities and related management policies are constantly in flux due to both ordinary and extraordinary changes
in operational, business, and regulatory needs. Any solution must be able to adapt to these changes in near real
time without
thout uncontrollable delays or escalating costs. To achieve this, the solution should be capable of
leveraging existing
ing infrastructure investments
investments.
Standards-Based
Identity- and integration-related
related standards are evolving rapidly in various standards bodies.. Any solution must take
advantage of existing work, as well as be able to adapt to new standards as they become ubiquitous in order to
ensure maximum flexibility when interoperating with other systems.
Turnkey Solution
A solution adds little value if it requires
equires the development of new code, or a significant integration effort to become
operational. To ensure consistency, reliability, and rapid deployment without placing unnecessary dependencies
on third-party
party systems, all required attributes and technologi
technologies should be present in a tightly integrated, turnkey
solution.
Local Control
In order to allow local administrators to manage the policies relevant to their respective security domains, the
solution must permit independent control over the authentication and
The problem remains one authorization processes. Authentication should occurur close to the requestor to
ensure maximum reliability in the identity assertion. Authorization of the
of cost-effectively
requestor should occur close to the provider to maintain strict localized access
managing cross- control.
boundary authentication
and authorization in the Secure
face of changing industry Identity information often provides access to sensitive data and must be
standards, business protected during an exchange. Security tokens should be shielded from
expropriation and not reused through placement in a new message or replay in
policies and government
the same message. To provide a thorough twotwo-sided
sided audit trail, all actions
regulations performed by a rrequestor
equestor should be securely logged by the requestor’s
authentication provider, as well as the authorizing provider
provider.
Conclusion
Securely exchanging identity is critical to the successful integration of applications across identity silos. As
information technology
nology rationalization and productivity pressures move more companies towards Web services,
more applications will be delivered as XML
XML-based Web services to enable their reuse across diverse business
processes. Since business processes often impact systems across multiple departments, business units, or partners,
these Web services will require identity federation to ensure that authentication and authorization occur in the
appropriate security domains. Although various disparate technologies have attempted to address these
requirements, they fail to deliver a practical, flexible, and cost
cost-effective solution for Web services.
The Layer 7 SecureSpan™ XML Firewall is the first turnkey solution to bridge identities in federated Web services
environments while ensuring the confidentiality, flexibility, and consistent security required in an enterprise-class
enterprise
solution. For more information, please visit the Layer 7 web site: www.layer7tech.com
www.layer7tech.com.
Email:
info@layer7tech.com
Web Site:
www.layer7tech.com
Phone:
604-681-9377
1-800-681-9377 (toll free)
Fax:
604-681-9387
Address:
US Office
1200 G Street, NW, Suite 800
Washington, DC 20005
Canada Office
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada
Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.
SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or
trademarks are the property of their respective owners.