Identity and Authorization as the Foundation for Secure Web Services. Dr. Hannes P. Lubich, IT Security Strategist


The Web Services Temptation
- For every $1 spent on software, $3 to $5 are spent on integration
- 70% of IT budgets are spent on integration
- Web services replace expensive top-down integration with a bottom-up, grass-roots effort
2006 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.

Service-Oriented Architecture: Weak Spots
[Diagram: a UDDI Registry with which Service 1 and Service 2 register and revoke entries and through which they discover each other; the two services then use and communicate with each other over SOAP/WSDL.]

Traditional Web Services Security Model
- Security layers built on top of each other
- Composite processes exposed as services
[Diagram of the layers: Web Services (Human resources, Sales automation, Resource planning); Business Processes (Sales order management, Payment and billing, Returns management); Applications; Infrastructure (Web servers, Application servers, Databases, Storage, Networks, Voice).]

Intermediary Web Services Security Model
- Additional end-to-end web services security
[Diagram: the same layers (Web Services, Business Processes, Applications, Infrastructure) for Partner A and Partner B, with web services acting as the intermediary between the two partners.]

Managing and Securing Web Services
- Identity and Access Management: federated identity and access management
- Management of Distributed Web Services: federated management

Security Requirements for Web Services
- CIAO: Confidentiality, Integrity, Availability, Obligation
- Strong identification, authentication and authorization chain
  - Between users and applications, as well as between applications
- Monitoring, event management/correlation, and auditability
- Transparent and acceptable cost/risk versus benefit ratio
- Clearly defined change / configuration management
- Scalability, also in federated environments
- Usage of standards and best practices

Web Services Security Standards
- XML Signature ensures the integrity of XML information inside a SOAP message.
- XML Encryption ensures the confidentiality of XML information transfers.
- WS-Security defines a carrier of identity and other security-related information in interactions with a Web service (IBM, Microsoft).
- Security Assertion Markup Language (SAML) helps to assert statements and conditions against a security authority and the policies that it manages. SAML can be used in interactions between security authorities.
- XML Key Management (XKMS) describes how to obtain keys, certificates, tokens, and other material from a security authority and from Web services themselves.
- eXtensible Access Control Markup Language (XACML) expresses and exchanges policy definitions in XML. It can be used to reconcile policies in a federation scenario.
- Service Provisioning Markup Language (SPML) helps to interface a security agent or a platform itself to allow control and configuration of security.
Further information: http://www.oasis-open.org/committees/ and http://www.projectliberty.org/

Key Standards & Specifications: SAML (Security Assertion Markup Language)
- An open framework for sharing security information on the Internet through XML documents
- Designed to address the following:
  - Limitations of web browser cookies: SAML provides a standard way to transfer cookies across multiple Internet domains
  - Proprietary web single sign-on (SSO): SAML provides a standard way to implement SSO within a single domain or across multiple domains
- Standard managed by OASIS
  - SAML 1.0, 1.1 & 2.0
  - CA a key long-time contributor
- Protocol & ticket together enable federation
  - Cross-domain/cross-company SSO
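The two slides above describe WS-Security as the carrier of identity information and SAML as the "ticket" that is asserted against conditions. The following added example (not from the presentation or from CA) shows the receiving service's side of that chain: it pulls the SAML 2.0 assertion out of a WS-Security SOAP header and refuses it unless its Conditions (validity window and AudienceRestriction) hold. The SOAP message, the audience name urn:example:orders-service and the identity provider are constructed for the example; verifying the assertion's XML Signature is a separate, mandatory step that this snippet does not perform.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a SOAP request whose WS-Security header carries a SAML 2.0 assertion.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2006-05-01T10:00:00Z" NotOnOrAfter="2006-05-01T10:05:00Z">
     <saml:AudienceRestriction><saml:Audience>urn:example:orders-service</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
   </saml:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""

def _ts(value):  # SAML timestamps are UTC in the form YYYY-MM-DDThh:mm:ssZ
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def subject_from_soap(xml_text, expected_audience, now_iso, skew_seconds=30):
    """Return the asserted subject, or raise ValueError if the assertion must not be trusted."""
    now, skew = _ts(now_iso), timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)  # ElementTree does not resolve external entities
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in WS-Security header")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions; refusing an open-ended assertion")
    # Validity window, with bounded tolerance for clock skew between issuer and service.
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _ts(not_before):
        raise ValueError("assertion not yet valid")
    if not not_on_or_after or now - skew >= _ts(not_on_or_after):
        raise ValueError("assertion expired or has no expiry")
    # Audience check: a ticket issued for another relying party must not be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this service")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no subject")
    return name_id.text
```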

Key Standards & Specifications: The Liberty Alliance Project
Liberty includes three phases:
- Phase 1: Identity Federation Framework (ID-FF)
  - Federated network identity services including single sign-on/out, opt-in account linking, privacy
- Phase 2: Identity Web Services Federation (ID-WSF)
  - Framework for interoperable federated network identity services including identity data service definition, identity service discovery and invocation, attribute sharing, interaction, security profiles
- Phase 3: Identity Services Interface Specification (ID-SIS)
  - Interoperable identity services providing implementation of ID-WSF definitions in specific web services, e.g., personal profile, employee profile, etc.

Key Standards & Specifications: WS-* Key Specifications (Microsoft & IBM)
WS-Trust
- Defines the protocol used for security token acquisition or challenges to a requestor to ensure the validity of a security token
WS-SecureConversation
- Extends WS-Security by:
  - Defining the creation and sharing of security contexts between communicating parties using security context tokens (SCT)
  - Specifying how derived keys (used for signing and encrypting messages associated with the security context) are computed and passed
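The WS-SecureConversation bullet above says derived keys are computed and passed; the added example below (not from the presentation or from CA) shows the computation both parties perform once they share a security context token secret: P_SHA1(secret, label + nonce), sliced at the offset and length that a DerivedKeyToken announces, so each message is signed with a fresh key and the context secret itself never signs anything. Assumed defaults are the label "WS-SecureConversation", offset 0 and a 32-byte length; a plain HMAC over the body bytes stands in for the XML Signature a real WS-Security message would carry, and the secret and nonce are constructed.

```python
import hashlib
import hmac

LABEL = b"WS-SecureConversation"  # assumed default label of the derived-key algorithm

def p_sha1(secret, seed, length):
    """TLS-style PRF: A(i) = HMAC-SHA1(secret, A(i-1)); output blocks are HMAC-SHA1(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def derive_key(sct_secret, nonce, offset=0, length=32, label=LABEL):
    """Key bytes that a DerivedKeyToken names by (Nonce, Offset, Length)."""
    stream = p_sha1(sct_secret, label + nonce, offset + length)
    return stream[offset:offset + length]

def sign_message(sct_secret, body, nonce):
    """Sender: sign with a per-message derived key; only the public derivation
    parameters travel in the header, never the security context secret."""
    key = derive_key(sct_secret, nonce)
    return {"nonce": nonce.hex(), "offset": 0, "length": 32,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_message(sct_secret, body, token):
    """Receiver: re-derive the key from its own copy of the context secret and the
    token's parameters, then compare MACs in constant time."""
    key = derive_key(sct_secret, bytes.fromhex(token["nonce"]), token["offset"], token["length"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])

if __name__ == "__main__":
    secret = b"constructed-sct-secret-0123456789abcdef"  # constructed; in practice set up via WS-Trust
    token = sign_message(secret, b"<Body>order 42</Body>", b"\x01\x02\x03\x04")
    print(verify_message(secret, b"<Body>order 42</Body>", token))  # True
```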

Key Standards & Specifications: WS-* Key Specifications (Microsoft & IBM)
WS-Policy
- Expresses the capabilities and requirements of entities used in web services environments
- A policy is expressed as policy assertions
- A policy assertion represents a capability or a requirement (policy assertions are defined in the WS-PolicyAssertions specification)
- WS-Policy expressions are associated with various web services components using the Web Services Policy Attachment specification (WS-PolicyAttachment)
WS-Federation
- Relies on the models defined in WS-Security, WS-Trust, and WS-Policy
- Enables brokering of trust and security token exchange, support for privacy by hiding identity and attribute information, and federated sign-out
- Competes with Liberty's ID-WSF

Web Services Security: Directory Backbone
[Diagram: a directory serving as the web services backbone holds users & identity, crypto material, policy, security tokens and yellow-pages lookup data (identities, certificates, policies, identity & attributes, WS data) and is accessed over SPML, XKMS, XACML, SAML and UDDI. Product GUIs are built from common components. A Policy Decision Point and SAML-speaking Client, Gateway and Server Enforcement Points mediate the user's SOAP messages.]

Security Building Blocks and Interfaces
[Diagram of an IAM toolkit and its interfaces. Populations: Employees, Partners, Consultants and Temp. staff on the Intranet; Clients, Partners and Suppliers on the Internet. Building blocks: Identity Federation; HR, Help Desk and Provisioning (Policy, Role & group, Automation, Account, Workflow, Password, Delegation); Single Sign-On (Flexible Authentication, RBAC; Legacy, Web, Desktop); Server Access Management (Role based access control, Administration - Separation of Duties, Server hardening); Extranet Access Management (Web authentication, Role based access control, Web single sign-on, User self-service); Directory Services (Employees, Contractors, Partners, Customers); Enterprise Infrastructure and Integration Services; Auditing (Event logging, Event filtering, Notification, Storage, Searching, Reporting); Physical (Badges, Building access, Zone access, Desk, Telephone, Mobile phone, PDA); IS Platforms & Applications (Windows Domain, Email, Mainframe, DBMS, Portal, CRM, ERP); Specific Web Services Security.]

Summary
Communication End User - Web Application
- ONE centralized user administration and provisioning environment for MANY Web applications
- Reduction of administrative user-handling overhead by automation
- Closing the gap to existing PKI or SSO environments (who am I?)
- Secure-enough primary identification and authentication process (what am I allowed to do?)
- Standardized application and middleware interfaces
Communication Web Application - Web Application
- Centralized access control for transactions between applications in federated environments
- Confidentiality of information through strong encryption mechanisms
- Integrity of data being transferred and processed through digital signatures
- End-to-end availability of applications through service levels and monitoring
- Obligation of transactions through stringent record keeping and auditing