Presentation is loading. Please wait.

Presentation is loading. Please wait.

WS-Trust “From each,according to his ability;to each, according to his need. “ Karl marx Ahmet Emre Naza Selçuk Durna 2001100379 2001101675.

Published byVincent McKinney Modified over 9 years ago

Similar presentations

Presentation on theme: "WS-Trust “From each,according to his ability;to each, according to his need. “ Karl marx Ahmet Emre Naza Selçuk Durna 2001100379 2001101675."— Presentation transcript:

1 WS-Trust “From each,according to his ability;to each, according to his need. “ Karl marx Ahmet Emre Naza Selçuk Durna 2001100379 2001101675

2 Definitions  Claim – A claim is a statement made about a client, service or other resource  Security Token – A security token represents a collection of claims.  Security Token Service – A security token service (STS) is a Web service that issues security tokens  Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make set of assertions about a set of subjects and/or scopes.  Interoperable - able to exchange and use information.

3 Introduction  Interoperable security problem  WS-Security will standardize how information is added to SOAP messages  One important class of information is security tokens(X.509,Kerberos,SAML,XACML,etc)  Two scenarios: WS-Security policy specifies how web services actors can assert to potential transaction partners their policies with respect to WS-Security mechanisms, including their capabilitities and preferences with respect to security tokens WS-Trust is a proposal that enables security token interoperability by defining a request/response protocol by which SOAP actors can request of some trusted authority that a particular security token be exchanged for another.

4 WS-Trust Overview A SOAP message protected by WS- Security presents three possible issues with regards to security tokens:  Security token format incompatibility  Security token trust  Namespace differences

5 WS-Trust Overview WS-Trust addresses these issues by:  Defining a request/response protocol Client sends RequestSecurityToken Client receives RequestSecurityTokenResponse  Introducing a Security Token Service (STS)

6 STS Functions A Security Token Service allows:  Token Exchange  Token Issuance  Token Validation

7 WS-Trust Model

8 Request – Challenge Operation ClientSTS Client requests token from STS STS sends a challenge to Client Client sends an answer to STS STS sends token(s) to Client Example

9 WS-Trust Example  Client understands X.509 certificates only  Service understands SAML only  The service does not directly trust the client  The client is not required to anticipate the preference that the service has for SAML Assertions

10 WS-Trust Example  The Security Assertions Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.  X.509 is a digital certificate standard, specifying certificate structure. Main fields are ID, subject field, validity dates, public key, and CA signature SAML and X.509 - Reminder

11 WS-Trust Example – message 1  SOAP client sends initial request to SOAP service:

12 sdfOIDFKLSoidefsdflk … akjsdflaksf

13 sdfOIDFKLSoidefsdflk … akjsdflaksf Identity of Client established through XML signature

14 sdfOIDFKLSoidefsdflk … akjsdflaksf Identity of Client established through XML signature…. Keyed through X.509 certificate

15 WS-Trust Example – message 2  SOAP gateway recognizes that it must map to SAML, so it contacts the STS

16 SAML ReqExchange <ws:BinarySecurityToken id="originaltoken" ValueType="X.509> sdfOIDFKLSoidefsdflk …

17 SAML ReqExchange <ws:BinarySecurityToken id="originaltoken" ValueType="X.509> sdfOIDFKLSoidefsdflk … The RequestSecurityToken object is the core of this request…

18 SAML ReqExchange <ws:BinarySecurityToken id="originaltoken" ValueType="X.509> sdfOIDFKLSoidefsdflk …... Which is asking for a SAML token…

19 SAML ReqExchange <ws:BinarySecurityToken id="originaltoken" ValueType="X.509> sdfOIDFKLSoidefsdflk …... Which is asking for a SAML token in exchange for the provided X.509 token.

20 WS-Trust Example – message 3  The STS sends back the token in the requested format

21 SAML <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com" IssueInstant="2002-06-19T16:58:33.173Z"> <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/> <saml:AuthenticationStatement AuthenticationMethod= "urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant="2002-06-19T16:57:30.000Z">...converted client identifier...

22 SAML <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com" IssueInstant="2002-06-19T16:58:33.173Z"> <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/> <saml:AuthenticationStatement AuthenticationMethod= "urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant="2002-06-19T16:57:30.000Z">...converted client identifier... The SAML assertion is returned

23 SAML <saml:Assertion AssertionID="2se8e/vaskfsdif=" Issuer="www.sts.com" IssueInstant="2002-06-19T16:58:33.173Z"> <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/> <saml:AuthenticationStatement AuthenticationMethod= "urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant="2002-06-19T16:57:30.000Z">...converted client identifier... The new client identifier is used

24 WS-Trust Example – message 4  The gateway formats and send the message for the service

25 <saml:Assertion AssertionID="2se8e/vaskfsdif=“ Issuer="www.sts.com" IssueInstant="2002-06-19T16:58:33.173Z"> <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/> <saml:AuthenticationStatement AuthenticationMethod= "urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant="2002-06-19T16:57:30.000Z"> Client urn:oasis:names:tc:SAML:1.0:cm:sender-vouches

26 <saml:Assertion AssertionID="2se8e/vaskfsdif=“ Issuer="www.sts.com" IssueInstant="2002-06-19T16:58:33.173Z"> <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/> <saml:AuthenticationStatement AuthenticationMethod= "urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant="2002-06-19T16:57:30.000Z"> Client urn:oasis:names:tc:SAML:1.0:cm:sender-vouches The SAML Assertion is inserted

27 <saml:Assertion AssertionID="2se8e/vaskfsdif=“ Issuer="www.sts.com" IssueInstant="2002-06-19T16:58:33.173Z"> <saml:Conditions NotBefore="2002-06-19T16:53:33.173Z" NotOnOrAfter="2002-06-19T17:08:33.173Z"/> <saml:AuthenticationStatement AuthenticationMethod= "urn:oasis:names:tc:SAML:1.0:am:X.509" AuthenticationInstant="2002-06-19T16:57:30.000Z"> Client urn:oasis:names:tc:SAML:1.0:cm:sender-vouches The ConfirmationMethod is sender-vouches

28 Conclusion  WS-trust address the security token needs of SOAP messages secured using WS-security. Format: A STS is used to exchange tokens into formats understandable by recipients Trust: The STS issues signed tokens forming the basis of trust for entities with which it has formed a trust relationship. Namespace: The STS will return tokens in appropriate syntax for the recipient.

29 Credits  WS-trust spec: http://www-106.ibm.com/developerworks/library/ws- trust/http://www-106.ibm.com/developerworks/library/ws- trust/  XML.com WS-trust overview http://webservices.xml.com/lpt/a/ws/2003/06/24/ws- trust.html

Download ppt "WS-Trust “From each,according to his ability;to each, according to his need. “ Karl marx Ahmet Emre Naza Selçuk Durna 2001100379 2001101675."

Similar presentations

Service Bus Service Bus Access Control.

Service Bus Service Bus Access Control.
UDDI v3.0 (Universal Description, Discovery and Integration)

UDDI v3.0 (Universal Description, Discovery and Integration)
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
Portable Identity & WS - Trust Prabath Siriwardena Director, Security Architecture.

Portable Identity & WS - Trust Prabath Siriwardena Director, Security Architecture.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.

SOA and Web Services. SOA Architecture Explaination Transport protocols - communicate between a service and a requester. Messaging layer - enables the.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
SAML Overview Woosik Lee 2011. 1. 3 Ubiquitous Network System Laboratory Kyonggi University 신묘년 새해 복 많이 받으세요 ^^

SAML Overview Woosik Lee Ubiquitous Network System Laboratory Kyonggi University 신묘년 새해 복 많이 받으세요 ^^
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.

Web Service Security CSCI5931 Web Security Instructor: Dr. T. Andrew Yang Student: Jue Wang.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
X.509 Certificate management in.Net By, Vishnu Kamisetty

X.509 Certificate management in.Net By, Vishnu Kamisetty
IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.

IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.
Security COMP6017 Topics on Web Services Dr Nicholas Gibbins – 2012-2013.

Security COMP6017 Topics on Web Services Dr Nicholas Gibbins –

Similar presentations

Ads by Google