Slide 1: SOA and Browsers - - - Is A Common Infrastructure Emerging?
Norman F. Brickman, nfb@mitre.org
Roger Westman, rwestman@mitre.org
April 28, 2009
MITRE Public Release Statement Case Number 09-017
© 2009 The MITRE Corporation. All rights Reserved.
Slide 3: Agenda
■ Purpose of presentation
■ Transactions – SOA versus Web browser
  – Both can be based on SOAP + WS-Star
■ Federation Needs – SOA versus Web browser
  – Both can be based on SOAP + WS-Trust + WS-Policy
■ Information Cards
  – Browser strategic technology based on SOAP + WS-Star
  – Introduction & Live Demo
■ SOA Service Chaining
  – Introduction & Live Demo
■ Summary
Slide 4: Purpose of Presentation
■ Discuss an emerging common protocol for both SOA & Web browser
  – SOAP, WS-Trust, WS-Policy, WS-Security, WS-MEX, others
■ Review the common environments
  – SOA / SOAP
  – Browser – Information Cards
■ Demonstrate both
  – Information Cards
  – SOA SOAP Service Chaining with WS-Trust / STS
■ Potential impact & benefits
Slide 5: Introduction – SOA Transactions
■ Machine to machine communications
  – SOA consumer to SOA service producer
■ Two primary modes
  – REST
    ■ Simple to use, easier to learn
    ■ Smaller learning curve
    ■ Capitalizes on the Web HTTP infrastructure
  – SOAP + WS-Trust + WS-Policy + other WS-Star
    ■ Designed to handle distributed computing environments
    ■ Built-in error handling (faults)
    ■ Has established underlying standards (WS-Star) for security, policy, reliable messaging, security tokens, etc.
    ■ Has integrated standards combining policy extraction and security token handling with the actual transaction
Slide 6: SOA Sequence of Operations (diagram slide; no text recovered)
Slide 7: Introduction – Browser Transactions
■ Well established, HTTP foundation
■ Information Cards
  – New, standards-based, integrates several protocols
  – HTML + SOAP + WS-Trust + WS-Policy + other WS-Star
■ Integrated 4-step transaction protocol
■ Higgins Project and CardSpace and others
■ Emerging technology. Not yet universally accepted.
■ Promising security paradigms
■ Targeted for secure integration of identity and attribute information
■ Strategic approach for Cloud Computing
Slide 8: Transaction Protocol Pattern – Browser with Information Cards
STS Usage - Web Browser - Information Cards - Operation with RP-STS
Actors: Client (User's Laptop), Relying Party (RP), Identity Provider (IP-STS)
1. Client attempts to access a resource
2. Retrieves access policy information
3. Identity Selector pops up (choose an Identity Provider which satisfies requirements)
4. User selects an IdP
5. Request security token (WS-Trust)
6. Return security token based on RP-STS's requirements
7. User approves release of token
8. Form + Token released to RP
Legend: Blue = Human actions. Original chart obtained from Steve Woodward, Microsoft, and modified.
Slide 9: Federation
■ Increasingly required
  – No need to pre-register your system users
■ Based on passing of security tokens
■ SOA SOAP standards-based approach
  – WS-Trust -- Security Token Service (STS) for security tokens
■ Browser
  – Information Cards
    ■ Same federation approach as SOA SOAP
  – Several other protocols to choose from!
Slide 10: Federation Technologies -- Web Browser (diagram slide; no text recovered)
Slide 11: Live Demonstration -- Information Cards
■ Information Card presence in Windows XP
  – CardSpace
■ Obtain a managed Information Card
  – Uses attributes from the MITRE employee Active Directory
  – Authentication based on Login/Password
    ■ Configurable to CAC card, software cert, security token, etc.
■ Access Control
  – Use the Information Card for authentication and authorization
  – Use ABAC to control access to targets
Slide 12: Live Demonstration – SOA Service Chaining
■ MITRE Service Chaining Investigation
  – Collaboration / joint sponsorship of several agencies
  – Initial investigation topics: identity handling, security tokens, WS-Security, SAML, SOAP, STS interoperability, encryption and digital signature, best practices, general issues
  – Demonstration shows transaction communications for:
    ■ SOAP, WS-Trust, SAML security token, User access to portal
Slide 13: Live Demonstration – SOA Service Chaining
■ Demonstration of one step in a chain
  – User access to portal
  – Portal obtains security token(s) from STS
  – SOAP-based transaction to target service
Slide 14: Commercial Marketplace Summary
■ SOA and SOAP and WS-Security
  – Participation by all major vendors
■ WS-Trust
  – Issuance of security tokens
  – IBM, Oracle, Microsoft, Ping Identity, Layer 7, etc.
■ WS-SecurityPolicy
  – Established standard
  – Integrated with Information Card operations
■ SOA usage is now getting established
■ SAML for security token assertions
  – All vendors participate
  – Interoperability is "fairly well" established
Slide 15: Potential Payoff
■ Promising Security
  – Three levels
    ■ Network, message, security token
  – True end-to-end security
  – WS-Security framework for security tokens
  – SAML compatible
  – Better ABAC (Attribute Based Access Control)
    ■ Access requirements are integrated with the protocol
■ One common infrastructure
  – Administration
  – Cost advantages
■ Authentication and authorization characteristics compatible with Cloud Computing requirements
Slide 16: Summary
■ SOA and Web Browser (with Information Cards)
  – Very similar protocols
■ Potential security, costs, administration, and other improvements
■ New, standards-based, integrated operational protocol
  – 1) Metadata retrieval
  – 2) Security token retrieval
  – 3) Submit transaction
■ Information Cards
  – Off-the-shelf today
  – Business case is not yet market proven
  – Strategic capabilities for Cloud Computing
■ STS
  – Here today
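The three-step protocol in the summary (metadata retrieval, security token retrieval, submit transaction) and the Information Card pattern on the "Transaction Protocol Pattern" slide, modelled as an added Python example that is not from the MITRE deck or any product it names. All issuer URNs, claim names, the key, the cards and the directory are constructed; JSON stands in for a SAML assertion and an HMAC shared by STS and RP stands in for the X.509 signature a real WS-Security token would carry.

```python
import base64, hashlib, hmac, json
# Constructed key, cards and directory (AD stand-in); a real STS signs with X.509, HMAC stands in.
ISSUER_KEYS = {"urn:example:mitre-ad-sts": b"constructed-secret"}
CARDS = [{"issuer": "urn:example:other-idp", "claims": ["email"]},
         {"issuer": "urn:example:mitre-ad-sts", "claims": ["employee_id", "clearance", "email"]}]
DIRECTORY = {"alice": {"employee_id": "E1234", "clearance": "S", "email": "a@example.test"}}

def rp_policy():
    """Step 1 (metadata retrieval): the access policy the RP publishes via WS-MEX / WS-Policy."""
    return {"audience": "urn:example:portal",
            "required_claims": ["employee_id", "clearance"],
            "trusted_issuers": ["urn:example:mitre-ad-sts"]}

def select_identity(cards, policy):
    """Identity selector: keep only cards whose issuer and claims satisfy the RP policy."""
    return [c for c in cards if c["issuer"] in policy["trusted_issuers"]
            and set(policy["required_claims"]) <= set(c["claims"])]

def sts_issue(rst, directory, now):
    """Step 2 (token retrieval): STS answers an RST with a signed token (JSON stands in for SAML)."""
    body = {"issuer": rst["issuer"], "audience": rst["applies_to"], "subject": rst["subject"],
            "iat": now, "exp": now + 300,  # short lifetime bounds replay
            "claims": {k: directory[rst["subject"]][k] for k in rst["claims"]}}  # requested claims only
    token = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEYS[rst["issuer"]], token, hashlib.sha256).hexdigest()
    return {"token": token.decode(), "sig": sig}  # the RSTR

def rp_validate(rstr, policy, now):
    """Step 3 (submit transaction): RP checks issuer, signature, audience, lifetime and claims."""
    body = json.loads(base64.urlsafe_b64decode(rstr["token"]))
    if body["issuer"] not in policy["trusted_issuers"]:  # untrusted IdP
        return None
    key = ISSUER_KEYS[body["issuer"]]
    expected = hmac.new(key, rstr["token"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, rstr["sig"]):  # tampered or forged token
        return None
    if body["audience"] != policy["audience"] or not body["iat"] <= now < body["exp"]:
        return None  # issued for another RP, or outside its lifetime
    if not set(policy["required_claims"]) <= set(body["claims"]):
        return None  # STS did not supply what the policy demands
    return body["claims"]

def run_flow(cards, directory, subject="alice", now=1_700_000_000):
    policy = rp_policy()                       # step 1: retrieve RP metadata
    eligible = select_identity(cards, policy)
    if not eligible:                           # no card satisfies the policy
        return None
    rst = {"issuer": eligible[0]["issuer"], "applies_to": policy["audience"],
           "subject": subject, "claims": policy["required_claims"]}
    return rp_validate(sts_issue(rst, directory, now), policy, now)  # steps 2 and 3
```

The RP-side checks are the defender's part of the pattern: a token from an untrusted issuer, a tampered token, one minted for a different audience, or one outside its lifetime is rejected before the transaction proceeds.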