WS-Trust
Joseph Calandrino, Vincent Noël
Department of Computer Science, University of Virginia
February 9, 2004
Motivation
A SOAP message protected by WS-Security presents three possible issues with regard to security tokens:
– Security token format incompatibility
– Security token trust
– Namespace differences
Introduction
WS-Trust addresses these issues by:
– Defining a request/response protocol
  – Client sends a RequestSecurityToken (RST)
  – Client receives a RequestSecurityTokenResponse (RSTR)
– Introducing a Security Token Service (STS)
WS-Trust Model (diagram slide; no text survived extraction)
STS Functions
A Security Token Service provides:
– Token exchange
– Token issuance
– Token validation
Request – Challenge Operation
– Client requests a token from the STS
– STS sends a challenge to the Client
– Client sends its answer to the STS
– STS sends the token(s) to the Client
The challenge step lets the STS confirm that the requestor can actually use the key it claims (for example by signing a nonce the STS supplies) before any token is issued.
WS-Trust Example*
– Client understands X.509 certificates only
– Service understands SAML only
– No established trust between Client and Service
* Based on http://webservices.xml.com/lpt/a/ws/2003/06/24/ws-trust.html
WS-Trust Example – SAML reminder
The Security Assertion Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.
WS-Trust Example – message 1
The SOAP client sends its initial request to the SOAP service:
Message 1 as captured (the WS-Security markup was lost in extraction; only the token and signature values survive):
sdfOIDFKLSoidefsdflk … akjsdflaksf
– Identity of Client established through XML signature
– Keyed through X.509 certificate
WS-Trust Example – message 2
The SOAP gateway recognizes that it must map the client's X.509 token to SAML, so it contacts the STS:
Message 2 as captured (the enclosing RequestSecurityToken markup was lost in extraction):
SAML ReqExchange
<ws:BinarySecurityToken id="originaltoken" ValueType="X.509"> sdfOIDFKLSoidefsdflk …
– The RequestSecurityToken object is the core of this request
– It asks for a SAML token in exchange for the provided X.509 token
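The message 2 / message 3 round trip between the gateway and the STS, with both sides' messages, as an added example that is not part of the original slides or of the XML.com article they quote. The gateway builds a RequestSecurityToken carrying the client's X.509 token and asking for a SAML token; the STS checks the request type and token type, maps the certificate to a subject and answers with a RequestSecurityTokenResponse whose RequestedSecurityToken holds the assertion. Assumptions: WS-Trust 1.3 and WSS 1.0 namespace URIs (the 2002 draft the slides use had different URIs and the request type ReqExchange), an unsigned RSTR, the constructed ENROLLED table standing in for real certificate chain and revocation checks, and the hypothetical names CLIENT_CERT_DER, build_rst, sts_issue and run_exchange.

```python
"""Added example (not from the original slides): gateway-to-STS RST/RSTR exchange."""
import base64
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

# Assumed namespaces: WS-Trust 1.3 and WSS 1.0 (the slides quote a 2002 draft).
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
B64 = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
X509V3 = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-x509-token-profile-1.0#X509v3")
SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ISSUE = WST + "/Issue"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed data: bytes standing in for the client's DER certificate, and the
# STS's table of enrolled certificates. A real STS validates the chain instead.
CLIENT_CERT_DER = b"constructed-der-bytes-for-the-client-certificate"
ENROLLED = {CLIENT_CERT_DER: "Client"}
STS_ISSUER = "www.sts.com"                      # issuer name shown on the slides
SLIDE_INSTANT = dt.datetime(2002, 6, 19, 16, 58, 33, tzinfo=dt.timezone.utc)


def fmt(t: dt.datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_rst(cert_der: bytes) -> bytes:
    """Gateway side (message 2): RST asking for a SAML 1.1 token for cert_der."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML11
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    bst = ET.SubElement(rst, f"{{{WSSE}}}BinarySecurityToken",
                        {"ValueType": X509V3, "EncodingType": B64})
    bst.text = base64.b64encode(cert_der).decode("ascii")
    return ET.tostring(rst)


def sts_issue(rst_xml: bytes, now: dt.datetime) -> bytes:
    """STS side (message 3): validate the RST and answer with an RSTR."""
    rst = ET.fromstring(rst_xml)
    if rst.tag != f"{{{WST}}}RequestSecurityToken":
        raise ValueError("not a RequestSecurityToken")
    if rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
        raise ValueError("unsupported RequestType")
    if rst.findtext(f"{{{WST}}}TokenType") != SAML11:
        raise ValueError("unsupported TokenType")
    bst = rst.find(f"{{{WSSE}}}BinarySecurityToken")
    if bst is None or bst.get("ValueType") != X509V3:
        raise ValueError("request carries no X.509 token")
    subject = ENROLLED.get(base64.b64decode(bst.text or ""))
    if subject is None:
        raise PermissionError("certificate not enrolled")

    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = SAML11
    holder = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
    assertion = ET.SubElement(holder, f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_" + secrets.token_hex(16),   # fresh, unpredictable ID
        "Issuer": STS_ISSUER, "IssueInstant": fmt(now)})
    # Same window as the slides: five minutes back for clock skew, ten ahead.
    ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": fmt(now - dt.timedelta(minutes=5)),
        "NotOnOrAfter": fmt(now + dt.timedelta(minutes=10))})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:X509-PKI",
        "AuthenticationInstant": fmt(now)})
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(conf, f"{{{SAML}}}ConfirmationMethod").text = SENDER_VOUCHES
    return ET.tostring(rstr)


def run_exchange(cert_der: bytes = CLIENT_CERT_DER,
                 now: dt.datetime = SLIDE_INSTANT):
    """One round trip; returns (issuer, subject, NotOnOrAfter), or None if refused."""
    try:
        rstr = ET.fromstring(sts_issue(build_rst(cert_der), now))
    except PermissionError:
        return None
    a = rstr.find(f"{{{WST}}}RequestedSecurityToken/{{{SAML}}}Assertion")
    return (a.get("Issuer"), a.findtext(f".//{{{SAML}}}NameIdentifier"),
            a.find(f"{{{SAML}}}Conditions").get("NotOnOrAfter"))


if __name__ == "__main__":
    print(run_exchange())                 # the slides' scenario
    print(run_exchange(b"not-enrolled"))  # an unknown certificate is refused
```

The STS refuses before it issues anything when the request type, token type or certificate is not one it recognises; in a deployment the RSTR would additionally be signed by the STS, which is what lets the service trust it in message 4.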
WS-Trust Example – message 3
The STS sends back the token in the requested format:
Message 3 as captured (the surrounding RequestSecurityTokenResponse markup was lost in extraction):
SAML
<saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com" IssueInstant="2002-06-19T16:58:33.173Z">
  <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant="2002-06-19T16:57:30.000Z">
    ...converted client identifier...
– The SAML assertion is returned, issued by the STS (www.sts.com)
– The new client identifier is used in place of the X.509 identity
– Conditions bound the assertion to a fifteen-minute window around IssueInstant: NotBefore is five minutes before issue (clock-skew allowance), NotOnOrAfter ten minutes after
WS-Trust Example – message 4
The gateway formats and sends the message for the service:
Message 4 as captured (the WS-Security header markup was lost in extraction):
<saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com" IssueInstant="2002-06-19T16:58:33.173Z">
  <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant="2002-06-19T16:57:30.000Z">
    Client
    urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
– The SAML assertion is inserted into the message sent to the service
– The subject identifier is "Client"; the ConfirmationMethod is sender-vouches
– With sender-vouches the client proves nothing to the service itself: the gateway vouches for the subject, so the service must authenticate the gateway (for example by verifying the gateway's signature on the message) and decide whether that gateway is allowed to vouch, in addition to checking the STS's signature on the assertion
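The checks the SAML-only service should run on the assertion it receives in message 4 before acting on the subject it names, as an added example that is not part of the original slides or the article they follow. It verifies the issuer against a trust list, enforces the Conditions window with a skew allowance, and accepts sender-vouches only when the party that sent the SOAP message is itself authenticated and allowed to vouch. The assertion text is constructed from the values on the slides (AssertionID, Issuer www.sts.com, the Conditions window, the sender-vouches ConfirmationMethod) with the missing closing tags added; the trust lists, the two-minute skew, the hypothetical sender name gateway.example and the signature_ok flag (standing in for XML-Signature verification of the STS's signature) are assumptions.

```python
"""Added example (not from the original slides): relying-party checks on the
sender-vouches SAML assertion that the gateway forwards to the service."""
import datetime as dt
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed from the slide fragment; closing tags and the Subject wrapper added.
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="0"
    AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com"
    IssueInstant="2002-06-19T16:58:33.173Z">
  <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z"
                   NotOnOrAfter="2002-06-19T17:08:33.173Z"/>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
      AuthenticationInstant="2002-06-19T16:57:30.000Z">
    <saml:Subject>
      <saml:NameIdentifier>Client</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"www.sts.com"}      # assumed: STSs whose assertions we accept
TRUSTED_SENDERS = {"gateway.example"}  # assumed: parties allowed to vouch for a subject
SKEW = dt.timedelta(minutes=2)         # assumed clock-skew tolerance


def parse_instant(text: str) -> dt.datetime:
    """SAML 1.x instants are UTC, with or without fractional seconds."""
    for pattern in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return dt.datetime.strptime(text, pattern).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad instant {text!r}")


def validate_assertion(xml_text: str, now_text: str, sender: Optional[str],
                       signature_ok: bool) -> Tuple[bool, str]:
    """Decide whether to accept the assertion. `sender` is the identity the
    service established for whoever sent the SOAP message (e.g. from the
    gateway's own signature), or None if the message was unauthenticated.
    `signature_ok` is the result of verifying the STS's signature over the
    assertion, performed elsewhere."""
    assertion = ET.fromstring(xml_text)
    if assertion.tag != f"{{{SAML}}}Assertion":
        return False, "not a SAML assertion"
    if not signature_ok:
        return False, "STS signature did not verify"
    issuer = assertion.get("Issuer")
    if issuer not in TRUSTED_ISSUERS:
        return False, f"untrusted issuer {issuer!r}"
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "Conditions lacks validity bounds"
    now = parse_instant(now_text)
    if now + SKEW < parse_instant(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - SKEW >= parse_instant(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    methods = {m.text or "" for m in assertion.iter(f"{{{SAML}}}ConfirmationMethod")}
    if methods != {SENDER_VOUCHES}:
        return False, f"unsupported confirmation method(s) {sorted(methods)}"
    # sender-vouches: the subject proved nothing to this service; the sender did.
    # Accept only if that sender is authenticated and permitted to vouch.
    if sender not in TRUSTED_SENDERS:
        return False, f"sender-vouches from untrusted sender {sender!r}"
    subject = assertion.findtext(f".//{{{SAML}}}NameIdentifier")
    return True, f"accepted subject {subject!r}"


if __name__ == "__main__":
    print(validate_assertion(ASSERTION_XML, "2002-06-19T17:00:00Z", "gateway.example", True))
    print(validate_assertion(ASSERTION_XML, "2002-06-19T17:00:00Z", None, True))
    print(validate_assertion(ASSERTION_XML, "2002-06-19T17:20:00Z", "gateway.example", True))
```

The order matters: the issuer check is only meaningful once the STS's signature has been verified, and the sender check is what keeps an unauthenticated party from replaying a valid assertion and vouching for a subject it has no right to.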
Conclusion
WS-Trust addresses the security token needs of SOAP messages secured using WS-Security:
– Format: an STS is used to exchange tokens into formats understandable by recipients
– Trust: the STS issues signed tokens, which form the basis of trust for entities with which it has a trust relationship
– Namespace: the STS returns tokens in the appropriate syntax for the recipient
Credits
WS-Trust specification: http://www-106.ibm.com/developerworks/library/ws-trust/ (Copyright © 2001, 2002 International Business Machines Corporation, Microsoft Corporation, RSA Security Inc., VeriSign Inc. All rights reserved.)
XML.com WS-Trust overview: http://webservices.xml.com/lpt/a/ws/2003/06/24/ws-trust.html