Web Services and Identity Management Mark Diodati, CPA, CISA, CISSP, MCSE Technical Architecture Principal
Agenda • Web Services • Market Sizing • Definition and Usage • Components • Protocols • Identity Management • Business Values • Components • Protocols • Models • E2E SSO Example
Web Services Market • By 2005, the worldwide market for IT professional services relating to Web services based on application integration and middleware products will reach $17 billion (70% probability). • By 2005, the market for Web services solutions will reach $28 billion (70% probability). Source: “Web Services Solutions: A Potential $28 Billion Market”Gartner Group, Feb 28th, 2002
Web Services Definition • Web Services are loosely coupled software components delivered over Internet standard technologies • Web Services perform functions that are • Programming language neutral • Hardware and software platform independent • Distributed across the network • Self-describing, and modular • Published, located, and invoked across the Web
Web Services Usage • Original usage • Any service offered via the Web • User accessing information via a browser • Current emphasis • Application to application interactions • Remote procedure calls over HTTP (SOAP) • Invocation of dynamically located modules • Self describing interfaces defined in XML
Web Services Components • Web Servers and Browsers • Directory Servers • Store information and policies, and (potentially) provide user authentication • Examples: iPlanet Directory Server, and Microsoft Active Directory • Portal Servers • Enable companies and users to personalize content • Example: Plumtree • Content Management Systems • Enable customers to manage the content lifecycle across many web servers • Example: Vignette • Web Access Management Systems • Provide authentication and authorization services spanning organizations and platforms • Example: RSA ClearTrust
Web Services Components • Content Management Systems • Enable customers to manage the content lifecycle across many web servers. • Example: Vignette • Certificate Authorities • Issue server and user X.509 certificates to enable session encryption and user authentication. • Example: RSA Keon Certificate Authority. • Application Servers • Application servers run J2EE applications and do the back end grunt work • Examples: BEA WebLogic, IBM WebSphere • Typically require a web server to serve content (either their own or an independent server).
Web Services Protocols • Extensible Markup Language (XML) • The data format description language for web services • Self-describing, portable document • Simple Object Access Protocol (SOAP) • Protocol for delivering XML messages • Can bind over HTTP/S, MIME, FTP • Can hide the complexity of XML • Universal Description, Discovery and Integration (UDDI) • The “where” (DNS) of web services (registry) • Registration in UDDI is the hallmark of a “well-behaved” web service • Web Services Description Language (WSDL) • The “how” and “what” of web services • Describes how to interact with the web service
“Well-Behaved” Web Services (diagram): the UDDI Registry points to the WSDL description and to the Web Service; WSDL describes the service; the Service Consumer finds the service in the registry and communicates with the Web Service over SOAP, exchanging XML messages.
Identity Management Business Values • User Productivity and Empowerment • Timely access to data and applications • Personalization of content and delivery of services through self-service processes • IT Management efficiency and Help Desk Cost Avoidance • Streamlines the efforts required to keep the data consistent and up to date • Simplifies user sign-on, which, combined with self-service features, reduces calls to the help desk associated with forgotten passwords and other basic issues Source: “Justifying the 2003 IT Budget: Identity Management Brings Quantifiable ROI to Security”, Giga Information Group, October 22, 2002
Identity Management Business Values • Application Development Agility • Accelerates application development cycles through reusable integration and security components • Improves business competitiveness by helping organizations build new services and expose existing applications more quickly • Security Auditing and Compliance • Assists organizations in evaluating compliance with access-control policies, as well as in consistently enforcing such policies throughout the enterprise. Web services are not possible without identity management. Source: “Justifying the 2003 IT Budget: Identity Management Brings Quantifiable ROI to Security”, Giga Information Group, October 22, 2002
Identity Management Components • Provisioning Management • Add, delete, or modify user accounts • Provides self-service capabilities, such as password reset • Access Management • Authenticate Users • Authorize Users • Single Sign-On (SSO) • Enterprise to Enterprise Single Sign-On (E2E SSO) • Directory Management • Central data repository, where user profiles and rights are stored and maintained
Security Assertion Markup Language (SAML) • Primary use is to facilitate SSO and E2E SSO • Three types of assertions • Authentication • Authorization • Attribute • Requires SOAP over HTTP (for now) • It is assumed that the requester and responder have a trust relationship • Browser-driven interaction • Push. The assertion is embedded in an HTML form and pushed to the destination site. • Pull. An “artifact” is embedded in the URL. The destination site dereferences the artifact and pulls the SAML assertion from the authority.
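As an added example (not from the deck) of the “pull” interaction above: the source site mints a SAML 1.x artifact (2-byte TypeCode, 20-byte SourceID, 20-byte random AssertionHandle), puts only that opaque artifact in the redirect URL, and the destination site dereferences it over the back channel. The SamlAuthority class, the issuer string and the dict-shaped assertion are constructed for illustration; the resolve step is where single use and expiry are enforced, which is what makes the artifact safe to expose in a URL.

```python
import base64
import hashlib
import os
import time
from urllib.parse import parse_qs, urlencode, urlparse

TYPE_CODE = b"\x00\x01"  # SAML 1.x type-0x0001 artifact = TypeCode(2) || SourceID(20) || AssertionHandle(20)

class SamlAuthority:
    """Constructed stand-in for the source site that authenticated the user and issues artifacts."""
    def __init__(self, issuer: str, ttl_seconds: int = 60):
        self.source_id = hashlib.sha1(issuer.encode()).digest()  # 20-byte SourceID
        self.ttl = ttl_seconds
        self._pending = {}  # AssertionHandle -> (assertion, expiry); the assertion never travels via the browser

    def redirect_url(self, destination: str, assertion: dict, target: str = "/app", now: float = None) -> str:
        """Browser leg of the 'pull' profile: only the opaque artifact rides in the redirect URL."""
        handle = os.urandom(20)
        self._pending[handle] = (assertion, (now or time.time()) + self.ttl)
        artifact = base64.b64encode(TYPE_CODE + self.source_id + handle).decode()
        return destination + "?" + urlencode({"TARGET": target, "SAMLart": artifact})

    def resolve(self, artifact: str, now: float = None):
        """Back-channel (SOAP) leg: dereference the artifact exactly once, within its lifetime."""
        try:
            raw = base64.b64decode(artifact, validate=True)
        except ValueError:
            return None
        if len(raw) != 42 or raw[:2] != TYPE_CODE or raw[2:22] != self.source_id:
            return None  # malformed, or minted for a different authority
        entry = self._pending.pop(raw[22:], None)  # pop() makes the artifact single-use
        if entry is None:
            return None  # unknown or already redeemed (replay)
        assertion, expiry = entry
        return assertion if (now or time.time()) <= expiry else None

def destination_pull(url: str, authority: SamlAuthority, now: float = None):
    """Destination site: extract SAMLart from the redirect and pull the assertion from the authority."""
    artifacts = parse_qs(urlparse(url).query).get("SAMLart", [])
    return authority.resolve(artifacts[0], now) if len(artifacts) == 1 else None
```

In a real deployment the destination would map the SourceID to the authority's SOAP responder URL via a registry; here one object plays the authority on both legs.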
SAML Use Cases • Single Sign-on • Web user authenticates at a Web site. Web user then accesses another Web site without re-authenticating • Organization SSO • E2E SSO • Authorization Service • User attempts to access a resource or service. The access controller for that resource (policy enforcement point) checks the user's rights with a policy decision point • Attribute Service • User moves from one Web site to another – customer loyalty information or context is passed to simplify the user's experience as part of federated information services
XML Key Management Specification (XKMS) • Support for PKI integration with XML • Lots of assumed underlying PKI support throughout SAML, SOAP, XML Dig Sig, XML Enc • Goal is to simplify PKI operations and functions for XML-based clients • Transfers the processing associated with many PKI operational functions from the client to a back-end server • Smarter services allowing simpler clients • Acts as a wrapper for traditional PKI, and is based on underlying PKIX-defined infrastructures • Requires SOAP and UDDI
WS-Security • OASIS Standard • IBM, VeriSign, Microsoft, Sun • Generic specification to protect SOAP message contents, including SAML • Security extensions in SOAP headers to provide • Integrity • Encryption • Authentication • Leverages existing XML standards (encryption, digital signature) • Security tokens: supports username/password (UN/PW), X.509, and Kerberos tickets
Identity Management Models • Centralized Identity Management • User actually has a single identity across multiple applications • Simpler to manage for single or limited applications • Has privacy issues. User information is stored on centralized servers • Example: Microsoft Passport • Federated Identity Management • Can leverage existing identities, won’t force a replacement • Greater choice for users • Better protection of user privacy • User “opts in” • User data is not stored in one repository • Example: Liberty Alliance
Liberty Alliance • Wide industry support • Based upon SAML • Goals • Enable consumers to maintain personal information • Provide an open standard for single sign-on with decentralized authentication and open authorization from multiple providers
Questions? No! Dammit!