The world of Assertions in XML

1
The world of Assertions in XML Web Services

• Krishna Sankar
• ksankar_at_cisco.com

2
Agenda

• Introduction
• SAML
• Scenario

3
Assertions (SAML)
AuthC
AuthZ
Authorizations (XACML)
AccessC
Policies
SPML
XrML
DRM
WS-Security
Web Svcs
4
(No Transcript)
5
WS-XXX Processing ModelPutting it on the wire is
not enough
Trust Model
Web Service End Point Policy
WS-Policy
WS-Trust
WS-Privacy
Secure Conversation Federation Authorization
Privacy Model
6
19th Annual Tech Ex Awards November 19, 2002
Protocols Winners SAML WS-Security Securing
Web services is no easy task. The same virtues
that make Web services so promising for
e-businessthey're platform-independent,
text-based, and self-describingcreate major
security concerns, giving pause to businesses
considering a move to the hot new
interoperability technology. Two standards are
emerging to secure Web services Security
Assertion Markup Language (SAML) and WS-Security,
both proposals submitted to OASIS.
7
(No Transcript)
8
Definition Description Discovery
Blocks Processing rules Extensibility Security
Grid ?
9
Context
10
What is SAML ?

• XML based Framework
• A set of XML vocabularies for
• Authentication Assertion
• Attribute Assertion
• AuthZ decision Assertion
• Session Assertion (Future)
• Credential Assertion (Future)
• So that data traveling on the wire is standardized

11
What is SAML ?

• A standard message exchange protocol
• Clarity in orchestrating how you ask for and get
  the information you need
• Rules for how the messages ride on and in
  transport protocols
• For better interoperability

12
In Short SAML is

• A standard way of exchanging security related
  data across heterogeneous, distributed systems
  crossing domain (geographical, namespace,
  temporal, spatial, organizational,) boundaries

13
Policies Models
Authentication Authority
Attribute Authority
Session Authority
Policy Decision Point
Credentials Collector
Session Assertion
Credential Assertion
AuthZ Decision AssrN
Attribute Assertion
Authentication Assertion
Credentials
System/ Entity/ Principal
Policy Enforcement Point
14
SAML assertions

• Assertions are declarations of fact, according to
  someone
• SAML assertions are compounds of one or more of
  three kinds of statement about subject (human
  or program)
• Authentication
• Attribute
• Authorization decision
• You can extend SAML to make your own kinds of
  assertions and statements
• Assertions can be digitally signed

15
All statements in an assertion share common
information

• Issuer ID and issuance timestamp
• Assertion ID
• Subject
• Name plus the security domain
• Optional subject confirmation, e.g. public key
• Conditions under which assertion is valid
• SAML clients must reject assertions containing
  unsupported conditions
• Special kind of condition assertion validity
  period
• Additional advice
• E.g., to explain how the assertion was made

16
Assertion structure
17
(No Transcript)
18
JSR 155 Web Services Security Assertions

• Distributed Assertion Framework
• Elements
• Assertions (SAML) SPI
• Req/Response (SAML)
• Authorities (Model, SPI)
• Protocol (SOAP, JAX-RPC)
• Web Services Security
• Use cases (Distributed Security)

19
Scenario
20
Widely Distributed AuthC AuthZ

• Collaboration across multiple, independent and
  geographically dispersed stakeholders
• Stakeholders able to enforce policies even when
  controlled by different administrative domains
• Traditional ACLs
• Cannot scale. Cause too many errors
• Multiple layers of management would impose
  restrictions

Courtsey DOE report LBNL-42928
Certificate-based Access Control for widely
distributed resources
21
Effective permission
22
SAML
XACML
Courtsey DOE report LBNL-41349
Authorization Attribute Certificates for Widely
Distributed Access Control
23
Hot From the Press

• Web-Services Security Quality of Protection
• How actors are to be authenticated, using what
  mechanisms and with what parameter value ranges,
• Which XML elements are to be encrypted, for what
  individual recipients, recipient roles or keys,
  using what algorithms and key sizes,
• Which XML elements are to be integrity protected,
  using what mechanisms, with which algorithms and
  key sizes, and
• What additional qualifications the service
  consumer must demonstrate in order to
  successfully access the API".

24
Web-Services Security Quality of Protection

• This is a relatively restrictive use of the term
  "security policy". A more comprehensive
  definition addresses such requirements as
• Privacy (retention period, intended usage,
  further disclosure),
• Trust (initial parameters of the signature
  validation procedure, including those keys or
  authorities that are trusted directly, policy
  identifiers, maximum trust path length), and
• Non-repudiation (requirements for notarization
  and time-stamping).

25
Extensible Name Service (XNS) Technical Committee

• The purpose of this committee is to continue work
  on the XNS digital identity protocol
• The goal of XNS is to provide an open,
  extensible, federated Web services infrastructure
  for digital identity and relationship management
  including naming, addressing, describing,
  asserting, and linking of digital identities and
  their attributes. XNS can be used to represent
  all participants in Web services, including
  people, organizations, applications, devices,
  documents, schemas, and other digital objects.
• The XNS specifications are based on the IETF
  URI/URN specifications, the W3C XML and Web
  services specifications, and the OASIS Security
  Services TC

26
Introduction

• Krishna Sankar is currently with Cisco Systems as
  a Distinguished Engineer in their Customer
  Advocacy Organization. He has about 20 years of
  experiences ranging from software architecture
  development to industrial engineering to author,
  speaker, entrepreneur and technology evangelist.
  He has worked with many organizations incl US Air
  Force, Navy, HP, Qantas, Air Canada and Ford.
• His security experiences include work in
  information infrastructure security, role based
  access control systems, distributed services
  framework and the CISSP security certification.
  He has been speaking in conferences on XML
  Security as well as contributing to security (and
  XML) standards.
• He is an elected member of OASIS Technical
  Advisory Board, elected member of Java Executive
  Committee, Editor of Grid Authorization working
  group, Editor of the Digital Signature Services
  technical committee
• He is also involved in European Union Network and
  Information Security Infrastructure initiatives.
• His technology interests include Adaptive
  Networking, Grid computing, XML web services
  standards, distributed security, Linux kernel
  security, web service/web process networks
  e-commerce - dynamic configurable multi-partner
  trading networks. Krishna lives in Silicon Valley
  with his wife Usha and son Kaushik.

27
Questions ?