WS-Federation - PowerPoint PPT Presentation (44 slides, provided by zw4j)

Transcript and Presenter's Notes

Title: WS-Federation

1
WS-Federation
  • Jim Van Dyke, Zhengping Wu

Partially adapted from workshop slides by Tony Nadalin (IBM) and Chris Kaler (Microsoft)
2
Agenda
  • Introduction
  • Trust Topologies
  • Single Sign-out
  • Attribute Services
  • Pseudonym Services
  • Active/Passive Profiles
  • Summary and Conclusions
  • Demo
  • References

3
What is Federation?
  • Federation:
  • A collection of realms/domains that have
    established trust
  • The technology and business arrangements
    necessary to interconnect users, applications,
    and systems
  • Federated systems can interoperate across
    organizational and technical boundaries (e.g.,
    different operating systems or security platforms)

4
Federated ATM Network
[Diagram: the customer presents an account number and PIN at the Visiting Bank Network; a network of trust links it to the Home Bank Network, and funds are dispensed.]
5
WS-Federation
  • Primary goal: single sign-on access across
    trust domains, using identities from the different
    domains
  • WS-Federation defines a model for this by
    building on the WS-* security specifications
    (WS-Security, WS-Trust, WS-Policy)
  • Brokering trust
  • Sign-out messages
  • Attribute service
  • Pseudonym service

6
WS-Federation Terms
  • Authorities:
  • Security Token Service (STS): a Web service that
    issues security tokens; it makes assertions, based on
    evidence that it trusts, to whoever trusts it
  • Identity Provider (IP): an entity that acts as an
    authentication service to end requestors (an
    extension of a basic STS)
  • Principals:
  • Requestor
  • Resource
  • Other services

7
One Protocol, Multiple Bindings
  • Common protocol (WS-Trust)
  • Two profiles of the model are defined:
  • Smart/active clients (SOAP)
  • Passive clients (browser, HTTP/S)
  • Supporting services (attribute, pseudonym, ...)

[Diagram: one Security Token Service fronted by an HTTP receiver (HTTP messages, passive clients) and a SOAP receiver (SOAP messages, active clients).]
8
Trust Topologies
  • A federation approach must address different trust
    topologies:
  • Model existing business practices
  • Leverage existing infrastructure
  • Sample topologies:
  • Direct trust
  • Exchange
  • Validation
  • Indirect trust
  • Delegation

9
Direct Trust: Token Exchange
[Diagram: the Requestor's IP/STS and the Resource's IP/STS share a trust relationship. 1: the Requestor gets an identity token from its own IP/STS; 2: exchanges it at the Resource's IP/STS for an access token; 3: presents the access token to the Resource.]
10
Direct Trust Flow
[Sequence diagram with lanes: Requestor Service, Requestor IP/STS, WS Service, Service IP/STS.]
11
Direct Trust: Token Validation
[Diagram: the two IP/STSs share a trust relationship. 1: the Requestor gets an identity token from its IP/STS; 2: presents it to the Resource; 3: the Resource asks its own IP/STS for access verification of that token.]
12
Indirect Trust
[Diagram: IP/STS A, IP/STS B and IP/STS C, a Requestor and a Resource; steps 1 to 3.]
C trusts B, which vouches for A, who vouches for the client
13
Delegation
[Diagram: a Requestor, three IP/STSs joined by two trust relationships, and two Resources; steps 1 to 5, the first Resource calling the second on the Requestor's behalf.]
14
Single Sign-Out
[Diagram: the Requestor sends a sign-out (1) to its IP/STS; sign-out messages (2) fan out to the other IP/STS and to the Resource.]
15
Sign-Out Message
  <S:Envelope>
    <S:Header>
      ...
      <wsu:Timestamp wsu:Id="ts">
        ...
      </wsu:Timestamp>
      <wsse:Security>
        <!-- Signature referencing IDs "ts" and "so" -->
        ...
      </wsse:Security>
    </S:Header>

16
Sign-Out Message (cont.)
    <S:Body>
      <wsse:SignOut wsu:Id="so">
        <wsse:SignOutBasis>
          <wsse:UsernameToken>
            <wsse:Username>NNK</wsse:Username>
          </wsse:UsernameToken>
        </wsse:SignOutBasis>
      </wsse:SignOut>
    </S:Body>
  </S:Envelope>

17
Requesting Sign-Out Message
  <wsse:RequestSSOMessages>
    <wsa:EndpointReference>
      <wsa:Reference>http://business456.com/SSO</wsa:Reference>
    </wsa:EndpointReference>
    <wsse:UsernameToken>
      <wsse:Username>Nicholas</wsse:Username>
    </wsse:UsernameToken>
  </wsse:RequestSSOMessages>

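What a receiver should verify on such a sign-out message, as an added example (my code, not the deck's or the specification's): it parses a constructed sign-out envelope shaped like slides 15 and 16 and checks that the timestamp is current and that the signature's ds:Reference list covers both wsu:Id values, "ts" and "so". A signature over the body alone would let a captured sign-out be replayed under a fresh timestamp, and a signed timestamp alone could be paired with a forged body. The namespace URIs, the sample timestamps and the placeholder SignatureValue are assumptions; verifying the signature bytes themselves is the job of an XML-DSig library and is not shown.

```python
import datetime as dt
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sign-out message in the shape of slides 15-16. The namespace URIs
# are assumptions for this example (the deck does not show them); the checks
# below match on local element names so they do not depend on the exact URIs.
SIGNED_SIGNOUT = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext"
  xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <S:Header>
    <wsu:Timestamp wsu:Id="ts">
      <wsu:Created>2004-03-10T12:00:00Z</wsu:Created>
      <wsu:Expires>2004-03-10T12:05:00Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#ts"/>
          <ds:Reference URI="#so"/>
        </ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <wsse:SignOut wsu:Id="so">
      <wsse:SignOutBasis>
        <wsse:UsernameToken>
          <wsse:Username>NNK</wsse:Username>
        </wsse:UsernameToken>
      </wsse:SignOutBasis>
    </wsse:SignOut>
  </S:Body>
</S:Envelope>"""

# Same message, but the signature covers only the body: a captured copy could be
# replayed later with a fresh, unsigned timestamp.
BODY_ONLY_SIGNOUT = SIGNED_SIGNOUT.replace('<ds:Reference URI="#ts"/>\n', "")

# Constructed clock values for the demonstration.
SAMPLE_NOW = dt.datetime(2004, 3, 10, 12, 2, 0, tzinfo=dt.timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + dt.timedelta(minutes=10)


@dataclass
class SignOutCheck:
    username: str
    timestamp_fresh: bool         # now lies within [Created, Expires)
    signature_covers_both: bool   # ds:Reference URIs include the timestamp and the SignOut body


def _local(tag):
    """'{uri}Name' -> 'Name'; lets the checks ignore the namespace URI."""
    return tag.rsplit("}", 1)[-1]


def _first(elem, name):
    for e in elem.iter():
        if _local(e.tag) == name:
            return e
    raise ValueError(f"missing element {name}")


def _wsu_id(elem):
    for key, value in elem.attrib.items():
        if _local(key) == "Id":
            return value
    raise ValueError("element carries no wsu:Id")


def _utc(text):
    return dt.datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def signout_checks(xml_text, now):
    """Extract the sign-out basis and evaluate the two checks a receiver needs."""
    root = ET.fromstring(xml_text)
    ts = _first(root, "Timestamp")
    so = _first(root, "SignOut")
    fresh = _utc(_first(ts, "Created").text) <= now < _utc(_first(ts, "Expires").text)
    signed_uris = {ref.get("URI") for ref in _first(root, "SignedInfo").iter()
                   if _local(ref.tag) == "Reference"}
    covered = {"#" + _wsu_id(ts), "#" + _wsu_id(so)} <= signed_uris
    username = _first(so, "Username").text.strip()
    return SignOutCheck(username, fresh, covered)


def accept_signout(xml_text, now):
    """True only when both checks pass; run this after XML-DSig verification of the signature value."""
    c = signout_checks(xml_text, now)
    return c.timestamp_fresh and c.signature_covers_both


if __name__ == "__main__":
    print(signout_checks(SIGNED_SIGNOUT, SAMPLE_NOW))
    print(signout_checks(BODY_ONLY_SIGNOUT, SAMPLE_NOW))
```

The checks match on local element names, so they work whichever draft namespaces a toolkit emits; accept_signout only tells you that the signed parts are the right parts and that the message is current, and should run after the signature itself has been verified.
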
18
Attribute Service
  • Scenario: you ask a weather service for the
    current weather (or visit a weather site); it
    provides a personalized response because it knows
    your zip code
  • Why it worked:
  • Policy indicated an attribute service
  • Identity information was used to find the zip code
  • The weather service was authorized to access the zip code
    (opt-in)
  • The specification defines the concept of an attribute
    service but not a specific interface

19
Attribute Service Example
  • Attributes may have associated scopes
  • Each attribute may have its own access control
    and privacy policy

20
Attribute Scoping
[Diagram: Fred's attributes spread over three scopes, fabrikam123.com, business456.com and example.com: Zip 12309, FN Fred, ID 3442, Nick Freddo, ID FJ454, Nick Fredster, ID 3-55-34; the same name (ID, Nick) holds a different value in each scope.]
Model allows for attributes to be scoped
21
Attribute Discovery
  • Open design model
  • Any attribute store can be used
  • Integration with legacy systems
  • Discovery via policy
  • Requestor's policy → attribute service
  • Attribute service has its own policy
  • Communication is governed by this policy
  • UDDI is an example store

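A minimal attribute service, as an added example (my code, not the deck's): every attribute carries a scope and its own opt-in list, so the same name can resolve differently per realm, a lookup that does not name a scope is refused when it would be ambiguous, and a consumer the subject has not opted in gets a denial rather than the value. The store contents loosely follow slide 20; the consumer realms are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    scope: str              # realm in which this value is meaningful
    name: str
    value: str
    consumers: frozenset    # realms the subject has opted in to release this attribute to


# Constructed store, loosely following slide 20: one subject (Fred), three scopes,
# the same attribute name holding different values per scope, and a per-attribute
# opt-in policy. The consumer realms are invented for the example.
FRED_ATTRIBUTES = [
    Attribute("fabrikam123.com", "Zip", "12309", frozenset({"weather.example.com"})),
    Attribute("fabrikam123.com", "FN", "Fred", frozenset({"weather.example.com", "business456.com"})),
    Attribute("fabrikam123.com", "ID", "3442", frozenset()),
    Attribute("fabrikam123.com", "Nick", "Freddo", frozenset({"business456.com"})),
    Attribute("business456.com", "ID", "FJ454", frozenset({"business456.com"})),
    Attribute("business456.com", "Nick", "Fredster", frozenset({"business456.com"})),
    Attribute("example.com", "ID", "3-55-34", frozenset()),
]


class AttributeService:
    def __init__(self, attributes):
        self._attributes = list(attributes)

    def lookup(self, requester, name, scope=None):
        """Return (status, value); status is 'ok', 'unknown', 'denied' or 'ambiguous'.

        Access control is applied before ambiguity is reported, so a requester that
        is not opted in learns nothing about which scopes hold the attribute.
        """
        matches = [a for a in self._attributes
                   if a.name == name and (scope is None or a.scope == scope)]
        if not matches:
            return ("unknown", None)
        allowed = [a for a in matches if requester in a.consumers]
        if not allowed:
            return ("denied", None)      # per-attribute opt-in not granted to this requester
        if len({a.scope for a in allowed}) > 1:
            return ("ambiguous", None)   # same name in several scopes: caller must name one
        return ("ok", allowed[0].value)


if __name__ == "__main__":
    svc = AttributeService(FRED_ATTRIBUTES)
    print(svc.lookup("weather.example.com", "Zip"))
    print(svc.lookup("business456.com", "Nick"))
    print(svc.lookup("business456.com", "Nick", scope="business456.com"))
```
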
22
Attribute Discovery
[Diagram: Requestor, Resource and Attribute Service; steps 1 to 4, step 3 being the Resource's "Get FN" request to the Attribute Service.]
23
Attribute Example
[Diagram: Requestor, Resource, two IP/STSs and an Attribute Service joined by trust relationships; attributes Zip 12309 and FN Fred; steps 1 to 4.]
24
Protecting Identity
  • Single sign-on also needs to
  • Prevent identity tracking
  • Provide anonymity
  • Other forms of identity tracking still exist
  • Address
  • Phone number
  • Credit card
  • Social security number

25
Identity Approaches
  • One federation model
  • Multiple identity approaches
  • Static identifier, possibly obfuscated
  • Static per-target identifier
  • One-time identifier

26
Static Identifier Example
[Diagram: the IP/STS maps Fred → Fred@STS (1); the Requestor presents Fred@STS to the Resource (2).]
27
Static Per-Target Example
[Diagram: the IP/STS maps Fred → A123 and Fred → B456; the Requestor presents A123 to one Resource (1, 2) and B456 to another (3, 4).]
28
Pseudonym Service
  • This service provides a mechanism for associating
    alternate identities
  • Pseudonyms represent alternate identities
  • Depends on scope of request
  • Subject to authorization control
  • Can be integrated with IP/STS

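The three identity approaches of slide 25 as a pseudonym service, added here as an example (my code, not the deck's or any WS-Federation implementation): static and per-target identifiers are derived with an HMAC under a key only the service holds, one-time identifiers are random, and a reverse map lets the service resolve any of them back to the principal for token issuance or sign-out. The domain, key and target names are constructed.

```python
import base64
import hashlib
import hmac
import secrets


class PseudonymService:
    """Constructed pseudonym service for one domain (e.g. B456.com on slides 30-33).

    Implements the three identity approaches of slide 25 and keeps the reverse map
    that lets the IP/STS resolve a pseudonym back to the real principal.
    """

    def __init__(self, domain, key):
        self.domain = domain
        self._key = key              # secret: only this service can derive pseudonyms
        self._reverse = {}           # pseudonym -> real identity

    def _qualify(self, handle, user):
        pseudonym = f"{handle}@{self.domain}"
        self._reverse[pseudonym] = user
        return pseudonym

    def _derive(self, *parts):
        # Keyed derivation: deterministic for this service, unpredictable to anyone
        # without the key, so a resource cannot compute another user's handle.
        mac = hmac.new(self._key, "\0".join(parts).encode(), hashlib.sha256).digest()
        return base64.b32encode(mac[:10]).decode()

    def static_identifier(self, user):
        """Static identifier, obfuscated: the same handle at every target, so targets can link it."""
        return self._qualify(self._derive("static", user), user)

    def per_target_identifier(self, user, target):
        """Static per-target identifier: stable for one target, unlinkable across targets."""
        return self._qualify(self._derive("target", user, target), user)

    def one_time_identifier(self, user):
        """One-time identifier: a fresh random handle; only the reverse map ties it back."""
        return self._qualify(base64.b32encode(secrets.token_bytes(10)).decode(), user)

    def resolve(self, pseudonym):
        """IP/STS-side lookup: which principal does this pseudonym stand for?"""
        return self._reverse.get(pseudonym)


def linkable(id_at_a, id_at_b):
    """What two colluding resources learn by comparing the identifiers they were given."""
    return id_at_a == id_at_b


if __name__ == "__main__":
    svc = PseudonymService("B456.com", b"constructed-example-key")
    a = svc.per_target_identifier("Fred", "https://a.example/")
    b = svc.per_target_identifier("Fred", "https://b.example/")
    print(a, b, linkable(a, b), svc.resolve(a))
```

Two resources that compare the identifiers they hold can link the static form but not the per-target or one-time forms, which is the tracking problem slide 24 raises; the price of unlinkability is that only the service's reverse map can join the identities again.
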
29
Pseudonym Discovery
[Diagram: Requestor, Resource and Pseudonym Service; steps 1 to 4, the same shape as attribute discovery.]
30
Pseudonym Example 1
[Diagram: B456.com Pseudonym Service and B456.com IP, with trust between them; mappings Fred → A123@B456.com and A123@B456.com → Freddo@F123.com; the Requestor presents A123@B456.com to the Resource; steps 1 to 3.]
  • Service sets pseudonym for its domain

31
Pseudonym Example 2
[Diagram: B456.com Pseudonym Service and B456.com IP, with trust between them; mappings Fred → B456@B456.com and B456@B456.com → Freddo@F123.com; the Requestor presents B456@B456.com to the Resource; steps 1 to 4.]
  • Service fetches pseudonym for its domain

32
Pseudonym/STS Integration
[Diagram: a token request flowing through the pseudonym service and the STS.]
  • Pseudonym service and STS can work together:
  • Single physical service
  • Separate but tightly coupled services

33
Pseudonym Example 3
[Diagram: B456.com Pseudonym Service and B456.com IP, with trust between them, both holding the mapping Fred → Freddo@F123.com; the Requestor presents Freddo@F123.com to the Resource; steps 1 to 3.]
  • Use pseudonyms to obtain the initial token

34
Active (Smart Client) Profile
  • Describes options for SOAP-enabled clients
  • Varied models based on policy
  • Business needs
  • Inter-organization relationships
  • Regulations
  • Strong authentication of all requests

35
Example Flow (SOAP)
[Sequence diagram with lanes: Requesting Service, Requestor's IP/STS, Target Service, Target's IP/STS; first message: acquire policy.]
36
Passive Profile
  • Describes options for browser clients:
  • URL-only
  • GET, POST body
  • Cookies (a custom caching mechanism)
  • Uses HTTP redirection to carry the messages
  • Should conform as closely as possible to the WS-Trust
    protocols

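The passive profile's redirect and POST carriers, as an added example (my code, not the deck's): the resource builds the sign-in redirect with the profile's wa, wtrealm, wreply and wctx query parameters; the IP/STS validates it, in particular refusing a wreply outside the reply URL registered for the realm, since otherwise the token-carrying POST can be steered to an attacker's site; and the IP/STS returns the token in a wresult field of an auto-submitting form that the resource checks against the wctx it issued. The registry, endpoints and realm names are constructed.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry of relying parties: wtrealm -> reply URL prefix registered for it.
REGISTERED_REALMS = {
    "https://business456.com/": "https://business456.com/",
}


def build_signin_request(sts_endpoint, wtrealm, wreply, wctx):
    """Resource side: the redirect that sends the browser to the IP/STS (URL-only / GET variant)."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": wtrealm, "wreply": wreply, "wctx": wctx})
    return f"{sts_endpoint}?{query}"


def _under_registered(candidate, allowed):
    c, a = urlsplit(candidate), urlsplit(allowed)
    # Exact scheme and host comparison defeats "https://business456.com.evil.test/" and
    # "https://business456.com@evil.test/"; the path prefix keeps the reply inside the app.
    return (c.scheme == "https" and c.scheme == a.scheme
            and c.netloc.lower() == a.netloc.lower()
            and c.path.startswith(a.path))


def validate_signin_request(url, registry=REGISTERED_REALMS):
    """IP/STS side. Returns (accepted, reply_url_or_reason)."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if query.get("wa") != "wsignin1.0":
        return (False, "unsupported or missing wa")
    realm = query.get("wtrealm")
    if realm not in registry:
        return (False, "unregistered wtrealm")
    reply = query.get("wreply", registry[realm])   # no wreply: fall back to the registered URL
    if not _under_registered(reply, registry[realm]):
        return (False, "wreply outside the registered reply URL")
    return (True, reply)


def signin_response_form(reply, wresult, wctx):
    """IP/STS side, POST-body variant: the token rides in wresult inside an auto-submitting form."""
    fields = {"wa": "wsignin1.0", "wresult": wresult, "wctx": wctx}
    inputs = "".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}"/>'
        for name, value in fields.items())
    return (f'<form method="POST" action="{html.escape(reply, quote=True)}">'
            f'{inputs}</form><script>document.forms[0].submit()</script>')


def read_signin_response(posted, expected_wctx):
    """Resource side: accept the POST only if wa and wctx are what this resource issued."""
    if posted.get("wa") != "wsignin1.0" or posted.get("wctx") != expected_wctx:
        return None
    return posted.get("wresult")


if __name__ == "__main__":
    url = build_signin_request("https://sts.fabrikam123.com/sts", "https://business456.com/",
                               "https://business456.com/app/", "ctx-1")
    print(url)
    print(validate_signin_request(url))
```

The wreply check is the one that matters most here: the profile lets the resource name where the response should go, so the IP/STS must confine it to what was registered for that realm, or the wresult containing the token is posted wherever the link in a phishing mail says.
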
37
Example Flow (Browser)
[Sequence diagram with lanes: Requesting Browser, Requestor's IP/STS, Target Resource, Target's IP/STS; first message: get resource.]
38
WS-Federation Features
  • Cross-domain trust federation
  • Generic token acquisition
  • Enables different trust topologies
  • Single Sign-On / Sign-Off
  • Identity protection and privacy
  • Attributes and pseudonyms
  • End-to-end security
  • No HTTPS required: WS-Security signs and encrypts at the
    message level (in practice the passive profile, which moves
    tokens through browser redirects and POSTs, still relies on HTTPS)

39
WS-Federation Summary
  • Integrates with existing infrastructures
  • Business model
  • Token formats
  • Attribute stores
  • Directory services
  • Together with the other WS- specifications,
    provides a rich fabric for building secure,
    reliable, transacted systems across federation
    boundaries

40
Basic Trust Federation Demo
  • 3 participants: Client, Service, STS
  • No trust relationship between Client (requestor)
    and Service (resource)
  • Client and Service both trust the STS
  • Uses WSE 2.0, which supports WS-Security, WS-Policy,
    WS-SecurityPolicy, WS-Trust,
    WS-SecureConversation, and WS-Addressing

41
Optional Extensions of Demo
  • Token validation
  • Mapping with WS-Addressing
42
Primary References
  • WS-Federation Feedback Workshop
  • These workshop slides provide an overview of
    WS-Federation.
  • http://www-106.ibm.com/developerworks/offers/WS-Specworkshops/ws-fed200311.html
  • Federation of Identities in a Web Services World
  • This whitepaper discusses using WS-Federation to
    federate identities across trust domains.
  • http://msdn.microsoft.com/ws-federation/

43
Secondary References
  • Web Services Federation Language (WS-Federation)
  • This is the complete WS-Federation specification.
  • http://msdn.microsoft.com/ws/2003/07/ws-federation/
  • WS-Federation Active Requestor Profile
  • This is the specification for active profiles in
    WS-Federation.
  • http://msdn.microsoft.com/ws/2003/07/ws-active-profile/
  • WS-Federation Passive Requestor Profile
  • This is the specification for passive profiles in
    WS-Federation.
  • http://msdn.microsoft.com/ws/2003/07/ws-passive-profile/