SOA and Browsers - Semanticommunity.info

Dec 14, 2013
© 2009 The MITRE Corporation. All rights Reserved.

SOA and Browsers -- Is A Common Infrastructure Emerging?

Norman F. Brickman, nfb@mitre.org
Roger Westman, rwestman@mitre.org

April 28, 2009

MITRE Public Release Statement, Case Number 09-0171

Agenda

- Purpose of presentation
- Transactions
  - SOA versus Web browser
  - Both can be based on SOAP + WS-Star
- Federation Needs
  - SOA versus Web browser
  - Both can be based on SOAP + WS-Trust + WS-Policy
- Information Cards
  - Browser strategic technology based on SOAP + WS-Star
  - Introduction & Live Demo
- SOA Service Chaining
  - Introduction & Live Demo
- Summary

Purpose of Presentation

- Discuss an emerging common protocol -- for both SOA & Web browser
  - SOAP, WS-Trust, WS-Policy, WS-Security, WS-MEX, others
- Review the common environments
  - SOA / SOAP
  - Browser
  - Information Cards
- Demonstrate both
  - Information Cards
  - SOA SOAP Service Chaining with WS-Trust / STS
- Potential impact & benefits

Introduction: SOA Transactions

- Machine to machine communications
- SOA consumer to SOA service producer
- Two primary modes
  - REST
    - Simple to use, easier to learn
    - Smaller learning curve
    - Capitalizes on the Web HTTP infrastructure
  - SOAP + WS-Trust + WS-Policy + other WS-Star
    - Designed to handle distributed computing environments
    - Built-in error handling (faults)
    - Has established underlying standards (WS-Star) for security, policy, reliable messaging, security tokens, etc.
    - Has integrated standards combining policy extraction and security token handling with the actual transaction

SOA Sequence of Operations

(Diagram slide; the sequence chart itself is not preserved in this text.)

Introduction: Browser Transactions

- Well established, HTTP foundation
- Information Cards
  - New, standards-based, integrates several protocols
    - HTML + SOAP + WS-Trust + WS-Policy + other WS-Star
  - Integrated 4-step transaction protocol
  - Higgins Project and CardSpace and others
  - Emerging technology. Not yet universally accepted.
  - Promising security paradigms
  - Targeted for secure integration of identity and attribute information
  - Strategic approach for Cloud Computing

Transaction Protocol Pattern: Browser with Information Cards

STS Usage -- Web Browser -- Information Cards -- Operation with RP-STS

Actors: Client (User's Laptop) running the Identity Selector; User; Relying Party (RP) with its RP-STS; Identity Provider (IP-STS).

1. Client attempts to access a resource at the RP.
2. Client retrieves access policy information from the RP.
3. Identity Selector pops up (choose an Identity Provider which satisfies the RP's requirements).
4. User selects an IdP.
5. Client requests a security token from the IP-STS (WS-Trust).
6. IP-STS returns a security token based on the RP-STS's requirements.
7. User approves release of the token.
8. Form + Token released to the RP.

Chart legend: Blue = Human actions.

Original chart obtained from Steve Woodward, Microsoft, and modified.

Federation

- Increasingly required
- No need to pre-register your system users
- Based on passing of security tokens
- SOA SOAP standards-based approach
  - WS-Trust -- Security Token Service (STS) for security tokens
- Browser
  - Information Cards
    - Same federation approach as SOA SOAP
  - Several other protocols to choose from!
Federation Technologies -- Web Browser

(Diagram slide; the chart of browser federation technologies is not preserved in this text.)

Live Demonstration -- Information Cards

- Information Card presence in Windows XP
  - CardSpace
- Obtain a managed Information Card
  - Uses attributes from the MITRE employee Active Directory
  - Authentication based on Login/Password
    - Configurable to CAC card, software cert, security token, etc.
- Access Control
  - Use the Information Card for authentication and authorization
  - Use ABAC to control access to targets

Live Demonstration -- SOA Service Chaining

- MITRE Service Chaining Investigation
  - Collaboration / joint sponsorship of several agencies
  - Initial investigation topics: identity handling, security tokens, WS-Security, SAML, SOAP, STS interoperability, encryption and digital signature, best practices, general issues
- Demonstration shows transaction communications for:
  - SOAP, WS-Trust, SAML security token, User access to portal

Live Demonstration -- SOA Service Chaining (continued)

- Demonstration of one step in a chain
  - User access to portal
  - Portal obtains security token(s) from STS
  - SOAP-based transaction to target service
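The token exchange common to the Information Card pattern (steps 2, 5, 6 and 8: policy retrieval, WS-Trust token request, issuance, release to the RP) and to the chaining step above where a portal obtains a token from an STS, as an added Python mock that is not code from the MITRE deck. Assumptions: an HMAC shared by the IdP-STS and RP stands in for XML-DSig, a JSON body stands in for a SAML assertion, and the RP policy values, directory attributes and all names are made up.

```python
# Added mock of the WS-Trust RST/RSTR exchange behind steps 2, 5, 6 and 8 of
# the Information Card pattern (not code from the MITRE deck). Simplifications,
# all assumed: an HMAC shared by IdP-STS and RP stands in for XML-DSig, the
# token body is JSON rather than a SAML assertion, and all names are made up.
import hmac, hashlib, json, time
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
STS_KEY = b"constructed-shared-secret"  # demo only; a real STS signs with X.509

# Step 2: the RP's policy names the claims it needs and who the token is for.
RP_POLICY = {"audience": "https://rp.example/portal",
             "required_claims": ["email", "employee_id"]}

# Step 5: the client's Identity Selector turns the RP policy into an RST.
def build_rst(policy):
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, "AppliesTo").text = policy["audience"]
    for claim in policy["required_claims"]:
        ET.SubElement(rst, f"{{{WST}}}Claims").text = claim
    return ET.tostring(rst)

# Step 6: the IdP-STS issues a token scoped to the RP and carrying only the
# requested claims out of the directory record (minimal disclosure).
def sts_issue(rst_xml, directory_attrs, now=None):
    rst = ET.fromstring(rst_xml)
    wanted = [c.text for c in rst.findall(f"{{{WST}}}Claims")]
    body = json.dumps({"aud": rst.findtext("AppliesTo"),
                       "claims": {k: directory_attrs[k] for k in wanted},
                       "exp": (now or int(time.time())) + 300}, sort_keys=True)
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken").text = body + "." + sig
    return ET.tostring(rstr)

# Step 8: the RP verifies signature, audience and expiry before using claims;
# returns the claims on success and None if any check fails.
def rp_accept(rstr_xml, now=None):
    tok = ET.fromstring(rstr_xml).findtext(f"{{{WST}}}RequestedSecurityToken")
    body, sig = tok.rsplit(".", 1)
    expect = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expect):
        return None  # tampered, or issued by an STS the RP does not trust
    t = json.loads(body)
    if t["aud"] != RP_POLICY["audience"] or t["exp"] <= (now or int(time.time())):
        return None  # token meant for another RP, or expired
    return t["claims"]
```

The directory record in the test carries an extra attribute that the RP never asked for; the issued token omits it, which is the minimal-disclosure property the Information Card flow relies on.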

Commercial Marketplace Summary

- SOA and SOAP and WS-Security
  - Participation by all major vendors
- WS-Trust
  - Issuance of security tokens
  - IBM, Oracle, Microsoft, Ping Identity, Layer 7, etc.
- WS-SecurityPolicy
  - Established standard
  - Integrated with Information Card operations
  - SOA usage is now getting established
- SAML for security token assertions
  - All vendors participate
  - Interoperability is "fairly well" established

Potential Payoff

- Promising Security
  - Three levels: network, message, security token
  - True end-to-end security
  - WS-Security framework for security tokens
    - SAML compatible
  - Better ABAC (Attribute Based Access Control)
    - Access requirements are integrated with the protocol
- One common infrastructure
  - Administration
  - Cost advantages
- Authentication and authorization characteristics compatible with Cloud Computing requirements

Summary

- SOA and Web Browser (with Information Cards)
  - Very similar protocols
  - Potential security, costs, administration, and other improvements
- New, standards-based, integrated operational protocol
  1) Metadata retrieval
  2) Security token retrieval
  3) Submit transaction
- Information Cards
  - Off-the-shelf today
  - Business case is not yet market proven
  - Strategic capabilities for Cloud Computing
- STS
  - Here today