Extending Identity and Access Management to Web Services - A Case Study
PowerPoint presentation, February 2005. Transcript and presenter's notes follow.
1
Extending Identity and Access Management to Web
Services - A Case Study
  • K. Scott Morrison
  • Director, Architecture

2
Bio: K. Scott Morrison
  • Director, Architecture at Layer 7 Technologies
  • http://www.layer7tech.com
  • Layer 7 is based in Vancouver BC, Canada
  • Co-author of Sams' Java Web Services Unleashed and
    Wrox's Professional JMS
  • Over 40 other publications in academic journals
    and trade magazines
  • Co-editor WS-I Basic Security Profile
  • Frequent speaker on Web services, XML,
    mobile/wireless computing systems, distributed
    systems architecture, and Java design issues

3
Agenda and Theme
  • Identity in distributed computing
  • The complexity of identity in Web services
  • Extending Identity and Access Mgmt. to Web
    services with SecureSpan
  • Federation challenges
  • SecureSpan Identity Bridging

Theme: SecureSpan extends identity and access
management to Web services.
4
The Centralized Identity Store
Diagram: requests from a remote network (Internet or intranet) pass through the firewall to resources (various servers) on the internal network; every resource validates identity against one centralized directory server.
Identity validation mechanisms:
  • Username/password
  • Digest
  • Certificates/PKI
  • Biometrics
  • Fobs
  • etc.
Authentication and authorization technologies:
  • LDAP
  • Active Directory
  • RADIUS
  • RACF
  • ACLs
  • etc.

5
Identity and Access Management (IAM) Provides Critical Added Functionality
Diagram: an identity management layer is inserted behind the firewall, between the remote networks (Internet or intranet) and the resources on the internal network.
Critical added functionality:
  • Management of identities
  • Association between identities and resources
    (authorization)
  • Audit
  • Integrated PKI
  • etc.
6
How Do We Validate Remote Users?
Diagram: identities on the Internet or intranet (Alex, Scott, Program XYZ) must be validated by the Identity Management (IAM) system, which sits on the internal network behind the firewall.
7
This is the Classic Distributed Computing Problem
Diagram: a requestor (client) on the Internet or intranet (Alex, Scott, Program XYZ) calls a resource (server) on the internal network through the firewall; the resource validates the requestor against the IAM server.
Identity validation mechanisms (requestor side):
  • Username/password
  • Digest
  • Certificates/PKI
  • Biometrics
  • Fobs
  • etc.
Authentication and authorization technologies (IAM side):
  • LDAP
  • Active Directory
  • RADIUS
  • RACF
  • ACLs
  • etc.
8
Asserting Identity in Web Services is Complicated
  • There weren't many options on the web:
    • HTTP Authorization header (Basic, i.e. plaintext;
      Digest; NTLM; etc.)
    • Forms
    • SSL client-side certificates
  • In Web services these apply too, but in addition
    there are various profiles for security tokens:
    • X.509v3
    • Username token
    • Kerberos
    • SAML
    • REL
    • plus many more to come
  • So we need specialized infrastructure to handle
    this

9
Web Services Best Practice is a Dedicated Appliance
Diagram: a SecureSpan Gateway appliance sits between the Internet or intranet and the internal network, in front of the Web services server, and is administered by a SecureSpan Manager; it validates the identities of Web services clients (Alex, Scott, Program XYZ) against the existing IAM server.
Gateway appliance responsible for:
  • Consistent application of security policy
  • Validation of schemas
  • Transform
  • Monitoring
  • PKI
  • Policy publication
Appliances offer consistency and performance
Protects investment in IAM by extending its reach
to Web services
10
The Issue with XML/Web Services Gateways
Diagram: the Web services server publishes a WSDL; the gateway's security changes alter that WSDL, and the Web services client is left asking which API to program to.
  • Shift of burden to client
  • Administrative changes to policy change the API
  • Security implemented in code is difficult to
    change
  • Very programmer intensive
11
Solution: The SecureSpan Bridge
This is the solution implemented at Guardian Life
Diagram: the Layer 7 SecureSpan Bridge on the client side obtains the WS-Policy document published by the gateway in the DMZ and sends secure SOAP messages (WS-Security) through to the internal network.
Bridge/Gateway combination allows:
  • Complete, end-to-end control over Web services
    security
  • Dynamic, run-time application of policy
  • Security model can be tuned anytime against
    observed performance
  • All without any code changes!
12
The Federation Challenge
Diagram (islands of identity): Organization Green's client (Michelle, Dimitri, Program XYZ) calls Organization Blue's application server across the firewall, but Green's IAM server and Blue's IAM server are separate islands.
Need to share not only authentication and
authorization information, but also identity
attribute information
Big privacy and confidentiality issues
13
What Hasn't Worked in the Past
Diagram: two approaches between Green's directory server and Blue's directory server across the firewall: remote directory access, and directory synchronization.
Issues:
  • Online access through firewall mazes
  • Latency in replication
  • People leave, are fired, etc.
14
What We Really Need is Effective Separation of
Concerns
Diagram: authentication, authorization and trust are separated between Blue's IAM server and Green's IAM server, so that Green's identities (Michelle, Dimitri, Program XYZ) can be validated by Organization Blue.
Core requirements:
  • Build dynamic trust relationships
  • Transport the security context so that
    authentication and authorization can be
    distributed
  • Enforce privacy constraints
  • Time out sessions/global logout
15
The Standards Landscape
  • Liberty Alliance
    • Consortium of over 150 companies
    • Focus on the business problem
    • Core technologies: SAML, SSL/TLS, WSS
  • WS-Federation
    • IBM, Microsoft, BEA, RSA, Verisign
    • Focus on technology
    • Core technologies: SAML, SSL/TLS, WSS, WS-Trust,
      WS-Policy, WS-MetadataExchange

16
Federation/SSO of Web Services is Much Harder
Than Web Browsers
Web browser domain (browser client, identity provider, Web server, all over SSL):
  • SSL
  • HTTP redirects
  • Simple signing
  • Cookies
  • URL query parameters
  Token protected from hijack, replay, etc. by SSL
  The identity is a user identity
Web services domain (Web services client, identity provider / security token service, Web services server, messages protected by WSS):
  • WSS
  • Embedded, signed security tokens
  • Considerable orchestration at client
  • Manual token caching
  The client sends a SOAP message with a bound security token
  Token protected from hijack, replay, etc. by XML
  Signatures
  The identity is an application identity: a certificate and key pair
17
Diagram: a SOAP message carrying a bound SAML token

<SOAP-ENV:Envelope>
  <SOAP-ENV:Header>
    <saml:Assertion>
      Statement 1
      ...
      Statement n
      <SubjectConfirmation>
        <KeyInfo>          (Subject's public key)
      </SubjectConfirmation>
      <ds:Signature>       (Issuing Authority)
    </saml:Assertion>
    <ds:Signature>         (Subject)
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Issuing Authority signature covers the assertion and
binds its statements to the Subject's public key.
The Subject signs its message: the key used in the
Subject's signature across the message body is the
analogue of the one bound into the assertion.
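The binding this slide and the previous one describe, written out as a worked example. This is added illustration, not code from the presentation or from Layer 7's SecureSpan products: Go standard library only, with ECDSA signatures over SHA-256 digests standing in for XML Signature, and plain structs standing in for the SAML assertion and the SOAP envelope. The type and function names (Assertion, Message, IssueAssertion, SignMessage, Verify, GenKey), the five-minute replay window and the sample bodies are assumptions of this example. The issuer signs the subject's public key into the assertion; the subject signs the body with the matching private key; the gateway accepts the message only if both signatures check out against each other.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// Assertion stands in for a SAML holder-of-key assertion issued and signed by the security token service.
type Assertion struct {
	Subject      string
	SubjectKey   []byte // DER SubjectPublicKeyInfo: the <KeyInfo> analogue
	NotOnOrAfter time.Time
	IssuerSig    []byte // issuer's ECDSA signature over the three fields above
}

type Message struct {
	Assertion Assertion
	Created   time.Time // WS-Security Timestamp analogue, used to bound replay
	Body      string
	BodySig   []byte // subject's ECDSA signature over assertion, Created and Body
}

func assertionDigest(a Assertion) []byte {
	h := sha256.New()
	h.Write([]byte(a.Subject))
	h.Write([]byte{0}) // field separator
	h.Write(a.SubjectKey)
	h.Write([]byte(a.NotOnOrAfter.UTC().Format(time.RFC3339)))
	return h.Sum(nil)
}

// bodyDigest covers the assertion too, so a signed body cannot be moved under another assertion.
func bodyDigest(m Message) []byte {
	h := sha256.New()
	h.Write(assertionDigest(m.Assertion))
	h.Write([]byte(m.Created.UTC().Format(time.RFC3339)))
	h.Write([]byte(m.Body))
	return h.Sum(nil)
}

// IssueAssertion is the token service step: bind subject to its public key for ttl and sign the binding.
func IssueAssertion(issuer *ecdsa.PrivateKey, subject string, subjectPub *ecdsa.PublicKey, ttl time.Duration, now time.Time) (Assertion, error) {
	der, err := x509.MarshalPKIXPublicKey(subjectPub)
	if err != nil {
		return Assertion{}, err
	}
	a := Assertion{Subject: subject, SubjectKey: der, NotOnOrAfter: now.Add(ttl)}
	a.IssuerSig, err = ecdsa.SignASN1(rand.Reader, issuer, assertionDigest(a))
	return a, err
}

// SignMessage is the client step: attach the assertion and sign with the private half of the bound key.
func SignMessage(subject *ecdsa.PrivateKey, a Assertion, body string, now time.Time) (Message, error) {
	m := Message{Assertion: a, Created: now, Body: body}
	sig, err := ecdsa.SignASN1(rand.Reader, subject, bodyDigest(m))
	m.BodySig = sig
	return m, err
}

// Verify is the gateway step; it returns the authenticated subject name or the first failed check.
func Verify(issuerPub *ecdsa.PublicKey, m Message, now time.Time, window time.Duration) (string, error) {
	if !ecdsa.VerifyASN1(issuerPub, assertionDigest(m.Assertion), m.Assertion.IssuerSig) {
		return "", errors.New("assertion not signed by a trusted issuer")
	}
	pub, err := x509.ParsePKIXPublicKey(m.Assertion.SubjectKey)
	subjectPub, ok := pub.(*ecdsa.PublicKey) // ok is false when pub is nil
	if err != nil || !ok || !ecdsa.VerifyASN1(subjectPub, bodyDigest(m), m.BodySig) {
		return "", errors.New("body not signed by the key bound in the assertion")
	}
	if age := now.Sub(m.Created); !now.Before(m.Assertion.NotOnOrAfter) || age < -window || age > window {
		return "", errors.New("assertion expired or timestamp outside the replay window")
	}
	return m.Assertion.Subject, nil
}

// GenKey makes a P-256 key pair; the subject's pair is its application identity.
func GenKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	issuer, alex, mallory, now := GenKey(), GenKey(), GenKey(), time.Now()
	a, _ := IssueAssertion(issuer, "Alex", &alex.PublicKey, time.Hour, now)
	good, _ := SignMessage(alex, a, `<getQuote symbol="L7"/>`, now) // constructed sample body
	fmt.Println(Verify(&issuer.PublicKey, good, now, 5*time.Minute))
	// Hijack attempt: Mallory captured Alex's assertion but lacks Alex's private key.
	bad, _ := SignMessage(mallory, a, `<transfer amount="1000000"/>`, now)
	fmt.Println(Verify(&issuer.PublicKey, bad, now, 5*time.Minute))
}
```

The point the example makes is the one on the slide: an assertion lifted from a captured message is useless to a hijacker, because the gateway checks the body signature against the key the issuer bound into the assertion, and the hijacker cannot produce that signature. Folding the assertion digest into the body digest also stops a valid body signature from being re-homed under a different assertion, and the Created timestamp plus window bounds replay of an unaltered message. A real WS-Security gateway does the same checks over XML Signature, with canonicalization and reference validation in place of the fixed digest layout used here.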
18
The SecureSpan Solution From Layer 7 Technologies
Diagram: a SecureSpan Agent in Organization Green (Michelle, Dimitri, Program X) obtains WS-Policy documents from the SecureSpan Gateways via WS-MetadataExchange, makes WS-Trust token requests, and sends WSS-secured SOAP messages with bound SAML tokens to Organization Blue's SecureSpan Gateway; a SecureSpan Manager administers the gateways.
Features and benefits:
  1. Turnkey solution for federating Web services;
     includes integral PKI
  2. Fully standards-based
  3. Automatic trust orchestration in agent
  4. True declarative security
19
Conclusions
  • Organizations need to extend their IAM systems
    to Web services, but preserve their investment in
    these existing systems
  • All Web services standards are a moving target
  • Implementing federated Web services is extremely
    complex, and current toolkits are not up to this
    challenge
  • Layer 7's SecureSpan solution can provide
    standards-based IAM and federation today for Web
    services, with no code modifications
  • Complete insulation from standards churn and
    proprietary mechanisms

20
For further information
K. Scott Morrison
Layer 7 Technologies
Suite 501, 858 Beatty St.
Vancouver, BC V6B 1C1, Canada
(800) 681-9377
smorrison@layer7tech.com
http://www.layer7tech.com