
SOA and Browsers - - - Is A Common Infrastructure Emerging?
Norman F. Brickman, nfb@mitre.org; Roger Westman, rwestman@mitre.org
April 28, 2009. MITRE Public Release Statement Case Number 09-017.





Presentation Transcript


  1. SOA and Browsers - - - Is A Common Infrastructure Emerging?
     Norman F. Brickman, nfb@mitre.org; Roger Westman, rwestman@mitre.org
     April 28, 2009. MITRE Public Release Statement Case Number 09-017

  3. Agenda
     • Purpose of presentation
     • Transactions – SOA versus Web browser
       • Both can be based on SOAP + WS-Star
     • Federation needs – SOA versus Web browser
       • Both can be based on SOAP + WS-Trust + WS-Policy
     • Information Cards
       • Browser strategic technology based on SOAP + WS-Star
       • Introduction & live demo
     • SOA service chaining
       • Introduction & live demo
     • Summary

  4. Purpose of Presentation
     • Discuss an emerging common protocol for both SOA and the Web browser
       • SOAP, WS-Trust, WS-Policy, WS-Security, WS-MEX, others
     • Review the common environments
       • SOA / SOAP
       • Browser – Information Cards
     • Demonstrate both
       • Information Cards
       • SOA SOAP service chaining with WS-Trust / STS
     • Potential impact and benefits

  5. Introduction – SOA Transactions
     • Machine-to-machine communications: SOA consumer to SOA service producer
     • Two primary modes
       • REST
         • Simple to use, easier to learn; smaller learning curve
         • Capitalizes on the Web HTTP infrastructure
       • SOAP + WS-Trust + WS-Policy + other WS-Star
         • Designed to handle distributed computing environments
         • Built-in error handling (faults)
         • Has established underlying standards (WS-Star) for security, policy, reliable messaging, security tokens, etc.
         • Has integrated standards combining policy extraction and security token handling with the actual transaction

  6. SOA Sequence of Operations

  7. Introduction – Browser Transactions
     • Well established, HTTP foundation
     • Information Cards
       • New, standards-based, integrates several protocols: HTML + SOAP + WS-Trust + WS-Policy + other WS-Star
       • Integrated 4-step transaction protocol
       • Higgins Project, CardSpace and others
       • Emerging technology; not yet universally accepted
       • Promising security paradigms
       • Targeted at secure integration of identity and attribute information
       • Strategic approach for Cloud Computing

  8. Transaction Protocol Pattern – Browser with Information Cards
     STS usage: Web browser, Information Cards, operation with an RP-STS.
     [Sequence chart. Participants: User; Client (user's laptop); Relying Party (RP) with RP-STS; Identity Provider (IP-STS). Steps as numbered in the chart:]
     1. Client attempts to access a resource
     2. Client retrieves the RP's access policy information
     3. Identity Selector pops up (choose an Identity Provider which satisfies the requirements)
     4. User selects an IdP
     5. Request security token (WS-Trust) from the IP-STS
     6. IP-STS returns a security token based on the RP-STS's requirements
     7. User approves release of the token
     8. Form + token released to the RP
     Human actions (user selects an IdP, user approves release of the token) were shown in blue. Original chart obtained from Steve Woodward, Microsoft, and modified.
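Steps 2 through 5 of this chart (fetch the relying party's policy, let the identity selector pick a card that satisfies it, then ask the STS for a token) are the part of the pattern that distinguishes it from a plain HTTP login, so here is a worked version of them. This is an added example, not code from the MITRE demo or from CardSpace/Higgins; it uses only the Python standard library. The policy document, the card list, the usernames and every example.org/example URL are constructed sample data; the namespace URIs, claim URIs and WS-Trust action/request-type identifiers are the published ones the slides' stack uses.

```python
"""Metadata retrieval (step 2 on slide 8) and token request (step 5).
Added example, not from the presentation; standard library only.  The policy
document, card list, credentials and endpoint URLs are constructed sample data."""
import xml.etree.ElementTree as ET

NS = {  # published namespace URIs of the WS-* stack the slides name
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

ISSUE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
RST_ISSUE_ACTION = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
SELF_ISSUED = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL, SURNAME, GIVENNAME = CLAIMS + "emailaddress", CLAIMS + "surname", CLAIMS + "givenname"

# Constructed sample: the sp:IssuedToken assertion a relying party publishes
# (normally fetched with WS-MetadataExchange; embedded here so it runs offline).
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:wsa="http://www.w3.org/2005/08/addressing"
 xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
 xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
 <sp:IssuedToken>
  <sp:Issuer><wsa:Address>https://sts.example.org/trust</wsa:Address></sp:Issuer>
  <sp:RequestSecurityTokenTemplate>
   <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
   <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
   <wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
    <ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
    <ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true"/>
   </wst:Claims>
  </sp:RequestSecurityTokenTemplate>
 </sp:IssuedToken>
</wsp:Policy>"""

# Constructed sample: the cards held by the user's identity selector.
SAMPLE_CARDS = [
    {"name": "Employee card", "issuer": "https://sts.example.org/trust", "claims": [EMAIL, SURNAME, GIVENNAME]},
    {"name": "Partner card", "issuer": "https://sts.partner.example/trust", "claims": [EMAIL, SURNAME]},
    {"name": "Personal card", "issuer": SELF_ISSUED, "claims": [EMAIL, SURNAME]},
]

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def parse_issued_token_policy(policy_xml):
    """STS address, token/key type and claim requirements from sp:IssuedToken."""
    it = ET.fromstring(policy_xml).find(".//sp:IssuedToken", NS)
    if it is None:
        raise ValueError("policy has no IssuedToken assertion")
    tpl = it.find("sp:RequestSecurityTokenTemplate", NS)
    claims = tpl.findall("wst:Claims/ic:ClaimType", NS)
    optional = lambda c: c.get("Optional", "false").lower() == "true"
    return {
        "issuer": it.find("sp:Issuer/wsa:Address", NS).text.strip(),
        "token_type": tpl.find("wst:TokenType", NS).text.strip(),
        "key_type": tpl.find("wst:KeyType", NS).text.strip(),
        "required_claims": [c.get("Uri") for c in claims if not optional(c)],
        "optional_claims": [c.get("Uri") for c in claims if optional(c)],
        "template": tpl,
    }

def select_cards(cards, policy):
    """Identity-selector filter (step 3): a card qualifies only if it comes from
    the issuer the RP names AND can supply every required claim, so a self-issued
    card carrying the right claims is still rejected on issuer."""
    return [c["name"] for c in cards
            if c["issuer"] == policy["issuer"]
            and set(policy["required_claims"]) <= set(c["claims"])]

def build_rst(policy, relying_party, username, password):
    """RequestSecurityToken to the chosen STS (step 5).  WS-Trust has the requester
    copy the RP's template verbatim, so the STS issues exactly what the RP asked for."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("wsa", "Action")).text = RST_ISSUE_ACTION
    ET.SubElement(hdr, q("wsa", "To")).text = policy["issuer"]
    # Login/password to the STS as in the demo; slide 11 notes that a CAC,
    # software certificate or another token can be configured instead.
    ut = ET.SubElement(ET.SubElement(hdr, q("wsse", "Security")), q("wsse", "UsernameToken"))
    ET.SubElement(ut, q("wsse", "Username")).text = username
    ET.SubElement(ut, q("wsse", "Password"), Type=PASSWORD_TEXT).text = password
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = ISSUE
    rst.extend(list(policy["template"]))  # TokenType, KeyType, Claims copied from the RP
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = relying_party
    return ET.tostring(env, encoding="unicode")

if __name__ == "__main__":
    pol = parse_issued_token_policy(SAMPLE_POLICY)
    print("cards satisfying the RP policy:", select_cards(SAMPLE_CARDS, pol))
    print(build_rst(pol, "https://portal.example.org/", "user1", "pw"))
```

The issuer check in `select_cards` is the part worth noticing: the partner and self-issued cards can both supply the required e-mail claim, yet neither is offered, because the relying party's policy names one STS and the selector must not let the user substitute another. The `AppliesTo` in the request is equally important on the STS side; it is what lets the STS scope the token's audience to that one relying party.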

  9. Federation
     • Increasingly required
     • No need to pre-register your system users
     • Based on passing of security tokens
     • SOA SOAP standards-based approach
       • WS-Trust: Security Token Service (STS) for security tokens
     • Browser
       • Information Cards: same federation approach as SOA SOAP
       • Several other protocols to choose from!

  10. Federation Technologies -- Web Browser

  11. Live Demonstration – Information Cards
     • Information Card presence in Windows XP: CardSpace
     • Obtain a managed Information Card
       • Uses attributes from the MITRE employee Active Directory
       • Authentication based on login/password
       • Configurable to CAC card, software cert, security token, etc.
     • Access control
       • Use the Information Card for authentication and authorization
       • Use ABAC to control access to targets

  12. Live Demonstration – SOA Service Chaining
     • MITRE Service Chaining Investigation
       • Collaboration / joint sponsorship of several agencies
       • Initial investigation topics: identity handling, security tokens, WS-Security, SAML, SOAP, STS interoperability, encryption and digital signature, best practices, general issues
     • Demonstration shows transaction communications for SOAP, WS-Trust, SAML security token, and user access to a portal

  13. Live Demonstration – SOA Service Chaining
     • Demonstration of one step in a chain
       • User accesses the portal
       • Portal obtains security token(s) from the STS
       • SOAP-based transaction to the target service
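The step in the chain described above, and the "security token retrieval, then submit transaction" steps of the integrated protocol that the summary slide lists, turn on what the portal does with the STS's response before it forwards the token. The following is an added example, not the MITRE demo's code; it uses only the Python standard library. The RequestSecurityTokenResponse, the attribute names, the audience and STS URLs are constructed sample data. It deliberately leaves out XML-signature verification of the assertion, which a real relying party must do before any of these checks; the point here is the checks that remain even after the signature is good: trusted issuer, validity window, audience, and the ABAC decision on the token's attributes.

```python
"""Token retrieval and transaction (slide 13 / summary steps 2 and 3).
Added example, standard library only.  The RSTR below is constructed sample
data and carries no ds:Signature; signature verification is out of scope."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {  # published namespace URIs
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

# Constructed sample: what the STS returns (WS-Trust 1.3 wraps it in a Collection).
SAMPLE_RSTR = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
 <s:Body>
  <wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <wst:RequestSecurityTokenResponse>
    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
    <wst:RequestedSecurityToken>
     <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee01" Version="2.0" IssueInstant="2009-04-28T12:00:00Z">
      <saml:Issuer>https://sts.example.org/trust</saml:Issuer>
      <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2009-04-28T12:00:00Z" NotOnOrAfter="2009-04-28T12:05:00Z">
       <saml:AudienceRestriction><saml:Audience>https://portal.example.org/</saml:Audience></saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AttributeStatement>
       <saml:Attribute Name="role"><saml:AttributeValue>analyst</saml:AttributeValue></saml:Attribute>
       <saml:Attribute Name="project"><saml:AttributeValue>chaining</saml:AttributeValue></saml:Attribute>
      </saml:AttributeStatement>
     </saml:Assertion>
    </wst:RequestedSecurityToken>
   </wst:RequestSecurityTokenResponse>
  </wst:RequestSecurityTokenResponseCollection>
 </s:Body>
</s:Envelope>"""

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def parse_ts(s):
    """SAML timestamps are UTC 'Z' strings; a missing attribute gives None."""
    return None if s is None else datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_assertion(rstr_xml):
    a = ET.fromstring(rstr_xml).find(".//wst:RequestedSecurityToken/saml:Assertion", NS)
    if a is None:
        raise ValueError("RSTR carries no SAML 2.0 assertion")
    return a

def validate_assertion(assertion, my_audience, trusted_issuers, now):
    """Relying-party checks: the issuer is one we federate with, the token is
    inside its validity window, and it was issued for us (AudienceRestriction),
    so a token minted for another service cannot be replayed here."""
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        return False, "untrusted issuer " + issuer
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions"
    nb, na = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if nb is not None and now < nb:
        return False, "not yet valid"
    if na is None or now >= na:
        return False, "expired or unbounded lifetime"
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        return False, "audience mismatch: " + ",".join(audiences)
    return True, "ok"

def attributes(assertion):
    """Flatten the AttributeStatement into {name: [values]} for ABAC."""
    out = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        out.setdefault(a.get("Name"), []).extend(v.text.strip() for v in a.findall("saml:AttributeValue", NS))
    return out

def abac_allow(attrs, rule):
    """rule = {attribute: acceptable values}; every listed attribute must match."""
    return all(set(attrs.get(name, [])) & set(ok) for name, ok in rule.items())

def build_service_request(assertion, action, body_xml):
    """Step 3: the SOAP call to the target service, token in wsse:Security
    (SAML Token Profile), the transaction itself in the Body."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("wsa", "Action")).text = action
    ET.SubElement(hdr, q("wsse", "Security")).append(assertion)
    ET.SubElement(env, q("s", "Body")).append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

if __name__ == "__main__":
    tok = extract_assertion(SAMPLE_RSTR)
    now = parse_ts("2009-04-28T12:02:00Z")
    print(validate_assertion(tok, "https://portal.example.org/", {"https://sts.example.org/trust"}, now))
    attrs = attributes(tok)
    print(attrs, abac_allow(attrs, {"role": {"analyst", "lead"}}))
    print(build_service_request(tok, "urn:example:Query", "<q xmlns='urn:example'>1</q>"))
```

Two of the checks are the ones most often skipped in practice. A token with no `NotOnOrAfter` is rejected rather than treated as valid forever, and an audience mismatch is a hard failure even when the issuer and lifetime are fine: in a service chain the portal's token says `portal.example.org`, so if the target service is to accept it the STS must issue a token scoped to the target (which is exactly why the chained step goes back to the STS rather than forwarding the user's token as-is).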

  14. Commercial Marketplace Summary
     • SOA, SOAP and WS-Security
       • Participation by all major vendors
     • WS-Trust
       • Issuance of security tokens
       • IBM, Oracle, Microsoft, Ping Identity, Layer 7, etc.
     • WS-SecurityPolicy
       • Established standard
       • Integrated with Information Card operations
       • SOA usage is now getting established
     • SAML for security token assertions
       • All vendors participate
       • Interoperability is “fairly well” established

  15. Potential Payoff
     • Promising security
       • Three levels: network, message, security token
       • True end-to-end security
       • WS-Security framework for security tokens, SAML compatible
     • Better ABAC (Attribute Based Access Control)
       • Access requirements are integrated with the protocol
     • One common infrastructure
       • Administration
       • Cost advantages
     • Authentication and authorization characteristics compatible with Cloud Computing requirements

  16. Summary
     • SOA and Web browser (with Information Cards)
       • Very similar protocols
       • Potential security, cost, administration and other improvements
     • New, standards-based, integrated operational protocol
       • 1) Metadata retrieval
       • 2) Security token retrieval
       • 3) Submit transaction
     • Information Cards
       • Off-the-shelf today
       • Business case is not yet market proven
       • Strategic capabilities for Cloud Computing
     • STS
       • Here today
