WS-Trust
“From each, according to his ability; to each, according to his need.” Karl Marx
Ahmet Emre Naza, Selçuk Durna
2001100379, 2001101675
Definitions
• Claim – A claim is a statement made about a client, service or other resource.
• Security Token – A security token represents a collection of claims.
• Security Token Service – A security token service (STS) is a Web service that issues security tokens.
• Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions about a set of subjects and/or scopes.
• Interoperable – Able to exchange and use information.
Introduction
• Interoperable security problem
• WS-Security will standardize how information is added to SOAP messages
• One important class of information is security tokens (X.509, Kerberos, SAML, XACML, etc.)
• Two scenarios:
• WS-Security Policy specifies how web services actors can assert to potential transaction partners their policies with respect to WS-Security mechanisms, including their capabilities and preferences with respect to security tokens
• WS-Trust is a proposal that enables security token interoperability by defining a request/response protocol by which SOAP actors can request of some trusted authority that a particular security token be exchanged for another
WS-Trust Overview
A SOAP message protected by WS-Security presents three possible issues with regard to security tokens:
• Security token format incompatibility
• Security token trust
• Namespace differences
WS-Trust Overview
WS-Trust addresses these issues by:
• Defining a request/response protocol
• Client sends RequestSecurityToken
• Client receives RequestSecurityTokenResponse
• Introducing a Security Token Service (STS)
STS Functions
A Security Token Service allows:
• Token Exchange
• Token Issuance
• Token Validation
Request – Challenge Operation Example (Client ↔ STS)
• Client requests token from STS
• STS sends a challenge to Client
• Client sends an answer to STS
• STS sends token(s) to Client
WS-Trust Example
• Client understands X.509 certificates only
• Service understands SAML only
• The service does not directly trust the client
• The client is not required to anticipate the preference that the service has for SAML Assertions
WS-Trust Example – SAML and X.509 Reminder
• The Security Assertions Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.
• X.509 is a digital certificate standard, specifying certificate structure. Main fields are ID, subject field, validity dates, public key, and CA signature.
WS-Trust Example – message 1
• SOAP client sends initial request to SOAP service:
<soap:Envelope>
  <soap:Header>
    <ws:Security>
      <ws:BinarySecurityToken id="X509token" ValueType="X.509">
        sdfOIDFKLSoidefsdflk …
      </ws:BinarySecurityToken>
      <ds:Signature>
        <ds:Reference>
          <ds:Ref URI="#PO"/>
        </ds:Reference>
        <ds:SignatureValue>akjsdflaksf</ds:SignatureValue>
        <ds:KeyInfo>
          <ws:BinarySecurityTokenReference URI="#X509token"/>
        </ds:KeyInfo>
      </ds:Signature>
    </ws:Security>
  </soap:Header>
  <soap:Body>
    <po:PurchaseOrder ID="PO"/>
  </soap:Body>
</soap:Envelope>
• Identity of Client established through XML signature, keyed through the X.509 certificate
WS-Trust Example – message 2
• SOAP gateway recognizes that it must map to SAML, so it contacts the STS:
<soap:Envelope>
  <soap:Header>
    <ws:Security>
    </ws:Security>
  </soap:Header>
  <soap:Body>
    <wstrust:RequestSecurityToken>
      <wstrust:TokenType>SAML</wstrust:TokenType>
      <wstrust:RequestType>ReqExchange</wstrust:RequestType>
      <wstrust:OnBehalfOf>
        <ws:BinarySecurityToken id="originaltoken" ValueType="X.509">
          sdfOIDFKLSoidefsdflk …
        </ws:BinarySecurityToken>
      </wstrust:OnBehalfOf>
    </wstrust:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>
• The RequestSecurityToken object is the core of this request, which is asking for a SAML token in exchange for the provided X.509 token.
WS-Trust Example – message 3
• The STS sends back the token in the requested format:
<soap:Body>
  <wstrust:RequestSecurityTokenResponse>
    <wstrust:TokenType>SAML</wstrust:TokenType>
    <wstrust:RequestedSecurityToken>
      <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com"
                      IssueInstant="2002-06-19T16:58:33.173Z">
        <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z"
                         NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
        <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
                                      AuthenticationInstant="2002-06-19T16:57:30.000Z">
          <saml:Subject>
            ...converted client identifier...
          </saml:Subject>
        </saml:AuthenticationStatement>
        <ds:Signature><!-- calculated by STS --></ds:Signature>
      </saml:Assertion>
    </wstrust:RequestedSecurityToken>
  </wstrust:RequestSecurityTokenResponse>
</soap:Body>
• The SAML assertion is returned; the new client identifier is used.
WS-Trust Example – message 4
• The gateway formats and sends the message for the service:
<ws:Security>
  <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com"
                  IssueInstant="2002-06-19T16:58:33.173Z">
    <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z"
                     NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
                                  AuthenticationInstant="2002-06-19T16:57:30.000Z">
      <saml:Subject>
        <saml:NameIdentifier>Client</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>
            urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
          </saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
    <ds:Signature><!-- calculated by STS --></ds:Signature>
  </saml:Assertion>
</ws:Security>
• The SAML Assertion is inserted
• The ConfirmationMethod is sender-vouches
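As an added example (not part of the slides), the checks a relying party should run on the message-3 response before accepting the exchanged token: the TokenType matches what was requested, the Issuer is an STS it trusts, a signature is present, and the Conditions window is honoured with a small clock-skew allowance. The namespace URIs are assumptions for this example (the slides show prefixes only), and signature verification is represented by a flag rather than a real XML-DSig check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace URIs are an assumption for this example; the slides show prefixes only.
NS = {"wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRUSTED_ISSUERS = {"www.sts.com"}  # STSs this service has a trust relationship with
CLOCK_SKEW = timedelta(minutes=5)  # tolerance for clock drift between STS and service

# Constructed sample, modelled on message 3 of the slides (signature value is a placeholder).
RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="{wst}" xmlns:saml="{saml}" xmlns:ds="{ds}">
  <wst:TokenType>SAML</wst:TokenType>
  <wst:RequestedSecurityToken>
    <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com"
                    IssueInstant="2002-06-19T16:58:33.173Z">
      <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509"
                                    AuthenticationInstant="2002-06-19T16:57:30.000Z">
        <saml:Subject><saml:NameIdentifier>Client</saml:NameIdentifier></saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature>placeholder-signature-value</ds:Signature>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>""".format(**NS)

def _ts(s):
    # Parse the UTC timestamps used in the assertion, e.g. 2002-06-19T16:53:33.173Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def check_rstr(xml_text, requested_type, now, signature_ok):
    """Return (accepted, detail); signature_ok stands in for XML-DSig verification against the STS key."""
    root = ET.fromstring(xml_text)
    if root.findtext("wst:TokenType", namespaces=NS) != requested_type:
        return False, "token type mismatch"
    assertion = root.find("wst:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    if assertion.get("Issuer") not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if assertion.find("ds:Signature", NS) is None or not signature_ok:
        return False, "signature missing or invalid"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no validity window"
    if _ts(now) < _ts(cond.get("NotBefore")) - CLOCK_SKEW:
        return False, "not yet valid"
    if _ts(now) >= _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "expired"
    return True, assertion.findtext(".//saml:NameIdentifier", namespaces=NS)
```

With the sender-vouches confirmation used in message 4, the assertion carries no key binding to the client, so the service additionally relies on the gateway's own signature over the message to trust the assertion.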
Conclusion
• WS-Trust addresses the security token needs of SOAP messages secured using WS-Security.
• Format: An STS is used to exchange tokens into formats understandable by recipients.
• Trust: The STS issues signed tokens forming the basis of trust for entities with which it has formed a trust relationship.
• Namespace: The STS will return tokens in appropriate syntax for the recipient.
Credits
• WS-Trust spec: http://www-106.ibm.com/developerworks/library/ws-trust/
• XML.com WS-Trust overview: http://webservices.xml.com/lpt/a/ws/2003/06/24/ws-trust.html