
WS-Trust




  1. WS-Trust
  “From each, according to his ability; to each, according to his need.” Karl Marx
  Ahmet Emre Naza, Selçuk Durna
  2001100379, 2001101675

  2. Definitions
  • Claim – A claim is a statement made about a client, service or other resource.
  • Security Token – A security token represents a collection of claims.
  • Security Token Service – A security token service (STS) is a Web service that issues security tokens.
  • Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions about a set of subjects and/or scopes.
  • Interoperable – able to exchange and use information.

  3. Introduction
  • Interoperable security problem
  • WS-Security will standardize how information is added to SOAP messages
  • One important class of information is security tokens (X.509, Kerberos, SAML, XACML, etc.)
  • Two scenarios:
    • WS-SecurityPolicy specifies how web services actors can assert to potential transaction partners their policies with respect to WS-Security mechanisms, including their capabilities and preferences with respect to security tokens
    • WS-Trust is a proposal that enables security token interoperability by defining a request/response protocol by which SOAP actors can request of some trusted authority that a particular security token be exchanged for another.

  4. WS-Trust Overview
  A SOAP message protected by WS-Security presents three possible issues with regard to security tokens:
  • Security token format incompatibility
  • Security token trust
  • Namespace differences

  5. WS-Trust Overview
  WS-Trust addresses these issues by:
  • Defining a request/response protocol
    • Client sends RequestSecurityToken
    • Client receives RequestSecurityTokenResponse
  • Introducing a Security Token Service (STS)

  6. STS Functions
  A Security Token Service allows:
  • Token Exchange
  • Token Issuance
  • Token Validation

  7. WS-Trust Model

  8. Request – Challenge Operation Example (Client ↔ STS)
  • Client requests token from STS
  • STS sends a challenge to Client
  • Client sends an answer to STS
  • STS sends token(s) to Client

  9. WS-Trust Example
  • Client understands X.509 certificates only
  • Service understands SAML only
  • The service does not directly trust the client
  • The client is not required to anticipate the preference that the service has for SAML Assertions

  10. WS-Trust Example – SAML and X.509 Reminder
  • The Security Assertions Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.
  • X.509 is a digital certificate standard, specifying certificate structure. Main fields are ID, subject field, validity dates, public key, and CA signature.

  11. WS-Trust Example – message 1 • SOAP client sends initial request to SOAP service:

  12. <soap:Envelope>
        <soap:Header>
          <ws:Security>
            <ws:BinarySecurityToken id="X509token" ValueType="X.509">
              sdfOIDFKLSoidefsdflk …
            </ws:BinarySecurityToken>
            <ds:Signature>
              <ds:Reference>
                <ds:Ref URI="#PO"/>
              </ds:Reference>
              <ds:SignatureValue> akjsdflaksf </ds:SignatureValue>
              <ds:KeyInfo>
                <ws:BinarySecurityTokenReference URI="#X509token"/>
              </ds:KeyInfo>
            </ds:Signature>
          </ws:Security>
        </soap:Header>
        <soap:Body>
          <po:PurchaseOrder ID="PO"/>
        </soap:Body>
      </soap:Envelope>

  13. Identity of Client established through XML signature (same message as slide 12).

  14. Identity of Client established through XML signature … keyed through the X.509 certificate (same message as slide 12).

  15. WS-Trust Example – message 2 • SOAP gateway recognizes that it must map to SAML, so it contacts the STS

  16. <soap:Envelope>
        <soap:Header>
          <ws:Security>
          </ws:Security>
        </soap:Header>
        <soap:Body>
          <wstrust:RequestSecurityToken>
            <wstrust:TokenType>SAML</wstrust:TokenType>
            <wstrust:RequestType>ReqExchange</wstrust:RequestType>
            <wstrust:OnBehalfOf>
              <ws:BinarySecurityToken id="originaltoken" ValueType="X.509">
                sdfOIDFKLSoidefsdflk …
              </ws:BinarySecurityToken>
            </wstrust:OnBehalfOf>
          </wstrust:RequestSecurityToken>
        </soap:Body>
      </soap:Envelope>

  17. The RequestSecurityToken object is the core of this request … (same message as slide 16)

  18. … which is asking for a SAML token … (same message as slide 16)

  19. … which is asking for a SAML token in exchange for the provided X.509 token. (same message as slide 16)
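The STS side of messages 2 and 3, as an added example that is not part of the slides: handle_rst() parses the RequestSecurityToken, accepts only the ReqExchange/SAML request the slides show, takes the X.509 token from OnBehalfOf, and answers with a RequestSecurityTokenResponse whose SAML assertion carries a Conditions window bracketing the issue instant (5 minutes before, 10 minutes after, as in message 3). Assumptions: the urn:example:* namespace URIs are placeholders for the real WS-* and SAML namespaces, TRUSTED_X509_TOKENS stands in for validating the certificate against the CAs the STS trusts, and the "signature" is an HMAC over the assertion's fields, a stand-in for the XML Signature a real STS computes.

```python
# Added example (not from the slides): minimal STS handling of an RST for
# X.509 -> SAML token exchange, producing the RSTR of message 3.
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Placeholder namespace URIs (assumption); the slides use bare prefixes.
NS = {"soap": "urn:example:soap", "ws": "urn:example:wss",
      "wstrust": "urn:example:wstrust", "saml": "urn:example:saml",
      "ds": "urn:example:xmldsig"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(prefix, local):
    """Qualified tag name in ElementTree's {uri}local form."""
    return f"{{{NS[prefix]}}}{local}"

STS_ISSUER = "www.sts.com"
STS_KEY = b"constructed-sts-signing-key"      # stand-in for the STS private key
# Constructed stand-in for X.509 validation: token bytes -> subject the STS
# is willing to assert for that certificate holder.
TRUSTED_X509_TOKENS = {"sdfOIDFKLSoidefsdflk": "Client"}
DEMO_NOW = datetime(2002, 6, 19, 16, 58, 33, 173000, tzinfo=timezone.utc)

def iso_ms(dt):
    """UTC timestamp with millisecond precision, as used on the slides."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def stand_in_signature(fields):
    """HMAC over the fields a relying party checks (stand-in for XMLDSig)."""
    return hmac.new(STS_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()

def build_rstr(subject, now):
    """Serialize an RSTR carrying a signed SAML assertion for `subject`."""
    assertion_id = secrets.token_urlsafe(12)
    not_before = iso_ms(now - timedelta(minutes=5))
    not_after = iso_ms(now + timedelta(minutes=10))
    rstr = ET.Element(q("wstrust", "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, q("wstrust", "TokenType")).text = "SAML"
    requested = ET.SubElement(rstr, q("wstrust", "RequestedSecurityToken"))
    a = ET.SubElement(requested, q("saml", "Assertion"), AssertionID=assertion_id,
                      Issuer=STS_ISSUER, IssueInstant=iso_ms(now))
    ET.SubElement(a, q("saml", "Conditions"), NotBefore=not_before, NotOnOrAfter=not_after)
    stmt = ET.SubElement(a, q("saml", "AuthenticationStatement"),
                         AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509",
                         AuthenticationInstant=iso_ms(now))
    subj = ET.SubElement(stmt, q("saml", "Subject"))
    ET.SubElement(subj, q("saml", "NameIdentifier")).text = subject
    conf = ET.SubElement(subj, q("saml", "SubjectConfirmation"))
    ET.SubElement(conf, q("saml", "ConfirmationMethod")).text = \
        "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
    # Stand-in signature binds issuer, subject and validity window together.
    ET.SubElement(a, q("ds", "Signature")).text = stand_in_signature(
        [assertion_id, STS_ISSUER, iso_ms(now), not_before, not_after, subject])
    return ET.tostring(rstr, encoding="unicode")

def handle_rst(rst_xml, now):
    """Validate an RST for X.509 -> SAML exchange and return the RSTR XML."""
    rst = ET.fromstring(rst_xml).find(".//wstrust:RequestSecurityToken", NS)
    if rst is None:
        raise ValueError("no RequestSecurityToken in SOAP body")
    if rst.findtext("wstrust:RequestType", namespaces=NS) != "ReqExchange":
        raise ValueError("this STS only offers token exchange")
    if rst.findtext("wstrust:TokenType", namespaces=NS) != "SAML":
        raise ValueError("this STS only issues SAML tokens")
    bst = rst.find("wstrust:OnBehalfOf/ws:BinarySecurityToken", NS)
    if bst is None or bst.get("ValueType") != "X.509":
        raise ValueError("OnBehalfOf must carry an X.509 token")
    subject = TRUSTED_X509_TOKENS.get((bst.text or "").strip())
    if subject is None:
        raise ValueError("X.509 token does not chain to a CA this STS trusts")
    return build_rstr(subject, now)

def verify_stand_in_signature(rstr_xml):
    """Recompute the stand-in signature over the assertion's fields."""
    a = ET.fromstring(rstr_xml).find(".//saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    name = a.findtext(".//saml:NameIdentifier", namespaces=NS)
    expected = stand_in_signature([a.get("AssertionID"), a.get("Issuer"),
                                   a.get("IssueInstant"), cond.get("NotBefore"),
                                   cond.get("NotOnOrAfter"), name])
    return hmac.compare_digest(expected, a.findtext("ds:Signature", namespaces=NS) or "")

# Constructed RST modelled on message 2 (slide 16).
SAMPLE_RST = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:ws="{NS['ws']}" xmlns:wstrust="{NS['wstrust']}">
  <soap:Header><ws:Security/></soap:Header>
  <soap:Body>
    <wstrust:RequestSecurityToken>
      <wstrust:TokenType>SAML</wstrust:TokenType>
      <wstrust:RequestType>ReqExchange</wstrust:RequestType>
      <wstrust:OnBehalfOf>
        <ws:BinarySecurityToken id="originaltoken" ValueType="X.509">sdfOIDFKLSoidefsdflk</ws:BinarySecurityToken>
      </wstrust:OnBehalfOf>
    </wstrust:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    issued = handle_rst(SAMPLE_RST, DEMO_NOW)
    print(issued)
    print("signature ok:", verify_stand_in_signature(issued))
```

Every rejection path raises before anything is issued: an STS that exchanges tokens on behalf of a client must refuse request types it does not offer and X.509 tokens it cannot chain to a trusted CA, otherwise the "trust" the conclusion slide attributes to STS-signed tokens has no basis.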

  20. WS-Trust Example – message 3 • The STS sends back the token in the requested format

  21. <soap:Body>
        <wstrust:RequestSecurityTokenResponse>
          <wstrust:TokenType>SAML</wstrust:TokenType>
          <wstrust:RequestedSecurityToken>
            <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com"
                            IssueInstant="2002-06-19T16:58:33.173Z">
              <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z"
                               NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
              <saml:AuthenticationStatement
                  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
                  AuthenticationInstant="2002-06-19T16:57:30.000Z">
                <saml:Subject> ...converted client identifier... </saml:Subject>
              </saml:AuthenticationStatement>
              <ds:Signature><!-- calculated by STS --></ds:Signature>
            </saml:Assertion>
          </wstrust:RequestedSecurityToken>
        </wstrust:RequestSecurityTokenResponse>
      </soap:Body>

  22. The SAML assertion is returned (same message as slide 21).

  23. The new client identifier is used (same message as slide 21).

  24. WS-Trust Example – message 4
  • The gateway formats and sends the message for the service

  25. <ws:Security>
        <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com"
                        IssueInstant="2002-06-19T16:58:33.173Z">
          <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z"
                           NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
          <saml:AuthenticationStatement
              AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
              AuthenticationInstant="2002-06-19T16:57:30.000Z">
            <saml:Subject>
              <saml:NameIdentifier>Client</saml:NameIdentifier>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>
                  urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
                </saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
          </saml:AuthenticationStatement>
          <ds:Signature><!-- calculated by STS --></ds:Signature>
        </saml:Assertion>
      </ws:Security>

  26. The SAML Assertion is inserted (same header as slide 25).

  27. The ConfirmationMethod is sender-vouches (same header as slide 25).
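What the target service should check before acting on the assertion in message 4, as an added example that is not part of the slides. The sample ws:Security header is constructed from slide 25; the urn:example:* namespace URIs are placeholders. Cryptographic verification of the STS's ds:Signature and of the gateway's message signature is left to an XMLDSig library, so the sts_signature_ok and sender_signature_ok flags are assumed to come from that step; the point shown here is the policy around them: trusted issuer, validity window, and the fact that sender-vouches binds nothing to the client, so the service is really trusting the gateway that attached the assertion.

```python
# Added example (not from the slides): relying-party checks on a SAML
# assertion delivered with the sender-vouches confirmation method.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Placeholder namespace URIs (assumption); the slides use bare prefixes.
NS = {"ws": "urn:example:wss", "saml": "urn:example:saml", "ds": "urn:example:xmldsig"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

TRUSTED_ISSUERS = {"www.sts.com"}         # STSs whose assertions we accept
TRUSTED_SENDERS = {"gateway.example"}     # constructed gateway identity allowed to vouch
DEMO_NOW = datetime(2002, 6, 19, 17, 0, 0, tzinfo=timezone.utc)     # inside the window
DEMO_LATER = datetime(2002, 6, 19, 17, 20, 0, tzinfo=timezone.utc)  # after NotOnOrAfter

def parse_instant(text):
    """Parse the millisecond UTC timestamps used on the slides."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_assertion(security_xml, now, trusted_issuers, sender, trusted_senders,
                    sts_signature_ok, sender_signature_ok, skew=timedelta(seconds=30)):
    """Return the reasons to reject the assertion; an empty list means accept."""
    problems = []
    a = ET.fromstring(security_xml).find("saml:Assertion", NS)
    if a is None:
        return ["no SAML assertion in ws:Security header"]
    if a.get("Issuer") not in trusted_issuers:
        problems.append(f"issuer {a.get('Issuer')!r} is not a trusted STS")
    if a.find("ds:Signature", NS) is None or not sts_signature_ok:
        problems.append("assertion is not signed by the STS (or signature failed)")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion carries no Conditions, so it would never expire")
    else:
        if now + skew < parse_instant(cond.get("NotBefore")):
            problems.append("assertion is not yet valid")
        if now - skew >= parse_instant(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired")
    method = (a.findtext(".//saml:ConfirmationMethod", namespaces=NS) or "").strip()
    if method == SENDER_VOUCHES:
        # sender-vouches proves nothing about the client itself; the service
        # relies on the party that attached the assertion, so that party must
        # be on the allow-list and must have signed the message it sent.
        if sender not in trusted_senders:
            problems.append(f"sender {sender!r} may not vouch for subjects")
        if not sender_signature_ok:
            problems.append("message carrying a sender-vouches assertion is not signed by the sender")
    else:
        problems.append(f"unsupported confirmation method {method!r}")
    return problems

# Constructed ws:Security header modelled on message 4 (slide 25).
SAMPLE_SECURITY = f"""<ws:Security xmlns:ws="{NS['ws']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com" IssueInstant="2002-06-19T16:58:33.173Z">
    <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
                                  AuthenticationInstant="2002-06-19T16:57:30.000Z">
      <saml:Subject>
        <saml:NameIdentifier>Client</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
    <ds:Signature>constructed-placeholder-for-the-STS-signature</ds:Signature>
  </saml:Assertion>
</ws:Security>"""

if __name__ == "__main__":
    for label, now, sender in [("in window, trusted gateway", DEMO_NOW, "gateway.example"),
                               ("expired", DEMO_LATER, "gateway.example"),
                               ("unknown sender", DEMO_NOW, "rogue.example")]:
        print(label, "->", check_assertion(SAMPLE_SECURITY, now, TRUSTED_ISSUERS, sender,
                                            TRUSTED_SENDERS, sts_signature_ok=True,
                                            sender_signature_ok=True) or "accept")
```

The skew allowance covers clock drift between the STS and the service; the slides' 15-minute window is already short, so a few seconds either way is enough. An assertion with no Conditions element is rejected outright rather than treated as "valid forever".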

  28. Conclusion
  • WS-Trust addresses the security token needs of SOAP messages secured using WS-Security.
  • Format: An STS is used to exchange tokens into formats understandable by recipients.
  • Trust: The STS issues signed tokens forming the basis of trust for entities with which it has formed a trust relationship.
  • Namespace: The STS will return tokens in the appropriate syntax for the recipient.

  29. Credits
  • WS-Trust spec: http://www-106.ibm.com/developerworks/library/ws-trust/
  • XML.com WS-Trust overview: http://webservices.xml.com/lpt/a/ws/2003/06/24/ws-trust.html
