IBM Software Group
The Reality of Implementing SSO on an SOA Bus.
Martin Lansche, Consulting I/T, [email protected]
Software Services for WebSphere, http://www.ibm.com/WebSphere/developer/services
last update: May 23, 2011
WebSphere Security Presentation Series
This presentation is part of the WebSphere Security Presentation Series led by Keys Botzum with help from so many others
Available internally at http://pokgsa.ibm.com/~keys/documents/securitySeries
Related presentations
We assume you’ve seen or are familiar with:
• Core Concepts
• WAS Security Introduction
You may be interested in:
• Advanced Authentication
• SSO Conceptual Overview
• Version 6.1 and 7 Security: Infrastructure Hardening
• Securing Web Services Using WS-Security Policy Sets
• Using WS-Security SAML with WebSphere Application Server and DataPower
Change is the Only Constant
This presentation reflects my current opinions regarding WAS security.
The product itself continues to evolve (even in PTFs).
Presentation is based on 7.0.
This will be revised as we learn more. Your thoughts and ideas are welcome.
Disclaimer: Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Agenda
Setting the Stage
Authentication Options through the Bus
  System Identity to Provider
    Transport Based
    WS-Security Based
  End-User Identity to Provider to WebSphere
    Transport Based
    WS-Security Based
  End-User Identity to Provider to Non-WebSphere
    WS-Security SAML Profile
Fine Grain Authorization options on the Bus
Take home messages
The intent of this presentation is not to criticize ESBs. There are many good reasons to use an ESB, and to use an ESB as a form of security gateway.
We just want to raise some security issues that you should consider regarding your ESB implementation.
We frequently see that these issues are overlooked.
Common mistakes and how to avoid them.
“Security is hard. Think hard about it.”™
SOA Security is harder.
(Transport-based solutions refer to SOAP/HTTP(S) transport, synchronous messaging.)
Using an ESB as your Security Gateway?
One of the reference architectures for SOA looks like this:
What are your security requirements for your ESB? Are you just abstracting provider endpoints?
Or do you want to enforce access through your ESB?
What is wrong with this Gateway?
Sample SOA Message flow
1 – Authenticate and authorize external requests
2 – Invoke business process
3–20 – Orchestration calls
[Diagram, labels as extracted: Company Desktops, Other Company Systems and Outsourced Provider Desktops sit outside a firewall. Inside are the DataPower XI50 Application Gateway (step 1, backed by a Security Service for AuthZ) and the DataPower XI50 ESB. Behind a second firewall, the ESB invokes Process Server Orchestration (step 2), which makes calls 3–20 to other services in WPS, WebSphere Message Broker (WMB) services and Mainframe services.]
Services can be called from anywhere
What stops any process on any IP-connected system from calling the Orchestration services? WMB services? Mainframe services?
In a poorly implemented solution, once through the Gateway, any service can be called.
“We trust every application on every system in our enterprise.”
• Yet hosted by a 3rd party: they implicitly trust every application on 10,000s of 3rd party systems.
“We assume that all requests flow through DataPower ESB.” This is “security by wishful thinking”™.
Internal “Chained” Services
Assume that Provider requires credentials. In other words, “able to connect” is not an option.
Consider an internal “chained” service that directly sends credentials to provider:
• J2EE – local EJB method
• DataPower – any service on the device is callable by any thread on the device (via 127.0.0.1); this is a common pattern on DataPower
If the chained service does not do AAA, then any “local service” can invoke the provider through the chained service:
• In DataPower – all services on any domain; essentially the entire device is your application.
• In J2EE – all applications in the same JVM as the local EJB.
The secure approach is that chained services require AAA. The calling service must then present credentials.
Fundamental ESB Security
ESB must authenticate and authorize all requests from Clients (Consumers).
Provider authorization options:
1. Accept any request that can reach provider.
2. Based on request coming from ESB.
3. Based on end-user identity (supports ESB bypass).
4. Request came from ESB AND end-user identity.
How? How to propagate end-user identity? How to do it quickly?
Scenarios 1 & 2
[Diagram of scenarios 1 and 2; only the firewall labels survived extraction.]
Scenario #3: Flowing End User Identity – Bypass of ESB possible
[Diagram, labels as extracted: end user alice authenticates at the DataPower Gateway; her identity (alice) is carried through the Application ESB (ESB-ID) to the Backend Systems and checked against LDAP. Other Company Systems can bypass the ESB and call the Backend Systems directly as alice (step 3).]
Flowing End user identity – only through ESB
[Diagram of end-user identity flowing only through the ESB; only the firewall labels survived extraction.]
Identity Propagation – in the abstract
Questions r.e. System Identity vs. End-User Identity
System Identity vs. End-User Identity: what is required by the business?
• Only proof that the request went through the ESB?
• Or the original end-user identity?
• Or both?
Does the identity need to exist in the Provider registry? Real vs. ephemeral userid.
Is end-user identity enough? Do we need to assert group membership? (e.g. for ephemeral userids)
Do we need to assert business data?
Depending on the token type used, or the ESB product, some of these variants may or may not be possible… To be explained….
Ephemeral Userids / a.k.a. Transient Userids
Assert ephemeral “Carol” as a member of Temp-Contractors-Tier1:
RealmUniqueSecurityName = forest.ibm.net:389/CN=Carol,CN=Temp-Users,dc=ibm,dc=net
Groups found: Group ID: group:forest.ibm.net:389/CN=Temp-Contractors-Tier1,CN=groups,DC=ibm,DC=net
Notes:
• Carol does not exist as a user in LDAP
• Group “Temp-Contractors-Tier1” exists but with no members
WAS V7.0.0.x potential alternative – “All Authenticated In Trusted Realm” – more later…
SOA Authorization Considerations (at Provider)
Transport Authentication
All endpoints under the same URI share a common JEE security constraint.
If finer-grain authorization is needed:
• Provider URI bound to AllAuthenticatedUsers
  − Programmatic or EJB Session Authz.
Message Authentication
WS-Sec does not address Authorization!!!
• Programmatic or EJB Session Authz.
Use Cases – System Identity to Provider
HTTP Transport
• BasicAuth Authorization header (configuration)
• SSL Client Auth (configuration, must manage client certificates)
• System-specific Cookie
  − LtpaToken2 Cookie (small amount of application code, ESB must share Ltpa key and realm) – see Programming Hints and Tips.
• SPNEGO Authorization header (complex set-up, non-trivial application code, client must contact KDC for every request, restrictions) – see SPNEGO presentation.
Message (WAS configuration – Policy Set – JAX-WS | DataPower configuration)
• UNT with password
• X509 BST (must manage client certificates)
• LtpaToken BST (ESB must share Ltpa key and realm)
• Kerberos BST (complex set-up, client must contact KDC for every request)
• SAML BST (complex set-up, may contact STS on every call) – overkill for a system account
Prefer the options shown in black on the original slide. LTPA is IBM only. SAML & Kerberos raise interop issues.
System Identity – Speed Comparisons
Note: Not based on empirical testing!!! (Numbers give the expected rank, 1 = fastest.)
HTTP Transport – called before dispatching to the WS runtime:
(1) LtpaToken2 Cookie
(2) BasicAuth – WAS Security runtime can cache password checks
(3) SSL Mutual auth
(8) SPNEGO – client must contact KDC on every request
Message level:
(4) UNT
(5) LTPA BST
(6) X509 BST
(7) Self-Issued SAML BST
(9) Kerberos BST
(10) STS-Issued SAML BST
Web Services Performance with Security
Many forms of security are available for protecting web services messages.
Transport level security (HTTPS) can be used for protecting messages in high volume production environments for integrity (signing) and confidentiality (encrypting).
HTTP authentication mechanisms have less overhead than WS-Security authentication tokens.
The overhead of authentication mechanisms is reduced as the message sizes get larger.
The overhead of security in these charts is a worst case since the SUT is running at 100% CPU utilization and the service implementation does not contain any business logic. This will exaggerate the cost of security.
Note: HTTPS Security does not include authentication.
[Charts of Client and SUT (AppServer) throughput; not recoverable from the extraction.] This does not include the high cost of WS-Security Message Protection.
LTPA Cookie Generation
For WAS, see Programming Hints and Tips.
DataPower Config – AAA Post Processing:
• Generate an LTPA Token
• Select correct LTPA Token Version
• Expiry/Key File
• Wrap Token in a WS-Security Security Header = off
Unlike other AAA options:
• Only one WS-Sec token or Cookie can be generated in one AAA action.
• No DP API for generation via XSL.
HTTP Transport example – Basic

POST /cpid-authenticate HTTP/1.1
Authorization: Basic YWxpY2U6cGFzc3dvcmQ=
User-Agent: curl/7.15.0 (i586-pc-mingw32msvc) libcurl/7.15.0 OpenSSL/0.9.7e zlib/1.2.2
Host: wasserver.ibm.net
Accept: */*
Content-Length: 357
Content-Type: application/x-www-form-urlencoded

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:aut="http://tempconverter.ca/schema/authenticate">
  <soapenv:Header/>
  <soapenv:Body>
    … removed
  </soapenv:Body>
</soapenv:Envelope>

Overhead < 50 bytes. Any Base64 decoder (Google it!!) can decode that string.
Therefore must encrypt to ensure confidentiality – one-way (server) SSL.
WebSphere Configuration for BasicAuth Over HTTPS
Copy WSHTTPS default – as BasicAuth-over-HTTPS; remove the WS-Addressing policy.
Copy Client Sample Binding as BasicAuth-Over-HTTPS-Client; remove JMS Transport and WS-* policies.
In HTTP Transport binding – set User name and Password.
In SSL Transport binding – choose the SSL Configuration that contains the Signer certificate of the SSL Server peer.
Ignore the Props file. Custom Property com.ibm.websphere.transport.ssl.loadFromPolicyBinding = true may be needed on copied bindings.
DataPower Config for HTTP Header
Service – XML Manager
• User Agent
  − Basic-Auth Policy
XSLT (name and value of dp:set-http-request-header are XPath expressions, so the header name is a quoted literal):
<xsl:variable name="userAndPass" select="concat($user, ':', $pass)"/>
<xsl:variable name="base64UP" select="dp:encode($userAndPass, 'base-64')"/>
<dp:set-http-request-header name="'Authorization'" value="concat('Basic ', $base64UP)"/>
No native AAA Post-Processing support.
HTTP SSL Client Authentication
After decryption, as above, but without the Authorization header.
Q: Where does identity come from? A: The Client certificate used in the SSL Handshake.
SSL Server must require a Client certificate.
SSL Client must present a certificate. SSL Client must renew certificates before they expire. Can be a management problem.
See Hardening presentation r.e. Mutual SSL vulnerability when using SSL terminating proxies.
See Core Security presentation r.e. “too-many-trusted-issuers” problem.
SSL Server must extract identity from the presented certificate. Remember: end-user credentials cannot be propagated downstream of the SSL Server – the server does not have access to the end-user private key!
Configuration
WebSphere SSL Client – SSL Config
• KeyStore
  − Personal Certificate (marked as client default certificate)
  − Self signed, Cell Root CA signed, or CA signed
• TrustStore
  − Signer of SSL Server cert
DataPower SSL Configuration
WS-Security Message Examples - 1
UNT without message encryption/signing – i.e. use one-way SSL: < 800 bytes
<soapenv:Header>
  <s:Security xmlns:s="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
              soapenv:mustUnderstand="1">
    <u:Timestamp>
      <u:Created>2011-01-12T16:31:27.312Z</u:Created>
    </u:Timestamp>
    <s:UsernameToken u:Id="unt_20">
      <s:Username>alice</s:Username>
      <s:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</s:Password>
      <u:Created>2011-01-12T16:31:27.421Z</u:Created>
      <s:Nonce>AYiP7s702hbKYh76kGKqLfWrTcwx7w9m+pJKdy0BPepmerh+MW4SJGfOzImR3A5MkUm43Ck6b+yl1Uw6P4D9BmNrcg8Y7LbyEJVHlV9+S+B8+ua757MDTGSVTb86GIi0uDAxFQMyZGsD3nvxuPi1bhuZgqh6HqEvAyO1skxH5fc=</s:Nonce>
    </s:UsernameToken>
  </s:Security>
</soapenv:Header>
UNT with message encryption/signing: > 8000 bytes – see next 3 charts
UNT – with message level encryption – 1 of 3
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wssecurity_signature_id_21">
      <wsu:Created>2011-01-12T16:19:02.265Z</wsu:Created>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="x509bst_22"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">[base64 certificate elided]</wsse:BinarySecurityToken>
    <enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></enc:EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference>
          <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
              ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">QdZLf+KjrUg=</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <enc:CipherData>
UNT – with message level encryption – 2 of 3
        <enc:CipherValue>t/T6cO2BSljYKj7NMmgqSCRPi0AAnFQRSXcGjbryKmS7OThBT/eRMmNPLp5dfVPR5F1R1e0Bxk4dVWGdWX/9fuyLNniAyaTK6ALSRNKnRIQW3ckcrYu6mGF1QHHDDMWIpTjJnCDqyy9AJA7AZzPmXlSXsm3Mw5QCMw+lw+GOul0=</enc:CipherValue>
      </enc:CipherData>
      <enc:ReferenceList>
        <enc:DataReference URI="#wssecurity_encryption_id_23"></enc:DataReference>
        <enc:DataReference URI="#wssecurity_encryption_id_24"></enc:DataReference>
      </enc:ReferenceList>
    </enc:EncryptedKey>
    <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#" Id="wssecurity_encryption_id_23" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
      <enc:CipherData>
        <enc:CipherValue>[base64 ciphertext elided]</enc:CipherValue>
      </enc:CipherData>
    </enc:EncryptedData>
    <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#" Id="wssecurity_encryption_id_24" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
      <enc:CipherData>
UNT – with message level encryption – 3 of 3
        <enc:CipherValue>wX0Nyew8PoFluxhA97u9WEDtgsBz1OELT/uYC+k0NsWLIWhuHfTKqhp6KipHuJSyM/X0mReC4n2FtDvwHtHVC0hHseornRH9l+[remainder of base64 ciphertext elided]</enc:CipherValue>
      </enc:CipherData>
    </enc:EncryptedData>
  </wsse:Security>
</soapenv:Header>
WS-Sec UNT Policy Set and Client Binding
Policy set
Client Binding (without Signing/Encryption!!)
General client policy set bindings > UNT-xxx-Client > WS-Security > Authentication and protection > gen_signunametoken > Callback handler
• Add User Name/Password
  − Cannot use the RunAs identity – the client does not know the RunAs password!
• Optional:
  − com.ibm.wsspi.wssecurity.token.username.addNonce
  − com.ibm.wsspi.wssecurity.token.username.addTimestamp
  − com.ibm.wsspi.wssecurity.consumer.timestampRequired=false when the provider expects a timestamp but the client does not send one.
• SSL Transport Binding – see earlier chart
WS-Sec UNT Provider Binding
Provider Binding
General provider policy set bindings > UNT-Provider > WS-Security > Authentication and protection > con_unametoken > Callback handler
• Optional – Verify Nonce/Timestamp settings
SSL Transport Binding – see earlier chart
RunAs identity is not set by default!
General provider policy set bindings > UNT-Provider > WS-Security > Callers
• New Caller
• Caller identity local part
  − http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
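What the provider's “Verify Nonce/Timestamp” option has to do is easy to lose behind the binding panels, so here is the consumer side of the UNT header shown a few charts back, written out in Python. This is an added example, not WebSphere or DataPower code: the sample header, the registry and the nonce are constructed (the nonce is not the one on the slide), and the clock skew window is an assumed value. It checks the password against the registry, rejects a Created time outside the skew window, and rejects a nonce it has already seen inside that window, which is the replay check.

```python
"""Provider-side UsernameToken consumption: the checks behind the WAS
'Verify Nonce/Timestamp' binding options, written out in plain Python.
Added example; not WebSphere or DataPower code. The sample header,
registry, nonce and skew window are constructed assumptions."""
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed sample, laid out like the UNT header on the slide (nonce is made up)
SAMPLE_HEADER = f"""<soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<s:Security xmlns:s="{WSSE}" xmlns:u="{WSU}" soapenv:mustUnderstand="1">
<u:Timestamp><u:Created>2011-01-12T16:31:27.312Z</u:Created></u:Timestamp>
<s:UsernameToken u:Id="unt_20">
<s:Username>alice</s:Username>
<s:Password Type="{PASSWORD_TEXT}">password</s:Password>
<u:Created>2011-01-12T16:31:27.421Z</u:Created>
<s:Nonce>c2FtcGxlLW5vbmNlLTE=</s:Nonce>
</s:UsernameToken></s:Security></soapenv:Header>"""


def parse_wsu_time(text):
    """wsu:Created is an xsd:dateTime in UTC; fractional seconds are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad wsu:Created value: {text!r}")


def parse_username_token(header_xml):
    """Pull the fields a consumer needs out of the first UsernameToken."""
    root = ET.fromstring(header_xml)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no wsse:UsernameToken in Security header")

    def text_of(ns, local):
        el = tok.find(f"{{{ns}}}{local}")
        return None if el is None else el.text

    pw = tok.find(f"{{{WSSE}}}Password")
    return {
        "username": text_of(WSSE, "Username"),
        "password": None if pw is None else pw.text,
        "password_type": None if pw is None else pw.get("Type"),
        "nonce": text_of(WSSE, "Nonce"),
        "created": text_of(WSU, "Created"),
    }


class UsernameTokenConsumer:
    """Checks a provider should run before it trusts a UNT with password:
    registry password check, Created freshness, and nonce uniqueness inside
    the freshness window (the replay check)."""

    def __init__(self, registry, max_skew=timedelta(minutes=5)):
        self.registry = registry          # constructed user -> password map
        self.max_skew = max_skew          # assumed clock-skew window
        self.seen_nonces = {}             # nonce -> time it may be forgotten

    def consume(self, header_xml, now):
        tok = parse_username_token(header_xml)
        if tok["password_type"] != PASSWORD_TEXT or tok["password"] is None:
            return False, "only PasswordText with a password is accepted here"
        expected = self.registry.get(tok["username"])
        if expected is None or not hmac.compare_digest(expected, tok["password"]):
            return False, "bad username or password"
        if tok["created"] is None or tok["nonce"] is None:
            return False, "nonce and Created are required for replay protection"
        created = parse_wsu_time(tok["created"])
        if abs(now - created) > self.max_skew:
            return False, "Created outside the allowed clock skew"
        # forget nonces whose window has passed, then reject a repeat
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        if tok["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[tok["nonce"]] = max(now, created) + self.max_skew
        return True, tok["username"]
```

The nonce cache only needs to remember a nonce for as long as its Created time is still inside the skew window; after that the timestamp check alone rejects the message, which is why the two checks are configured together in the binding. A real deployment also has to share or partition that cache across cluster members, otherwise a replay against a different member succeeds.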
WS-Security Message Examples – X509 BST
X509 without message encryption/signing – i.e. use one-way SSL: > 1800 characters
Useful when “passwords are not secure enough”.
Policy Set
• Disable Message Level Protection
• Add Protection Token
X509 BST Client Binding
Client
Provider – Remember the Caller
Keys and Certificates
• Delete Certificate Store
• Add a Trust Anchor – point to centrally managed keystore
Authentication and Protection
• Add X509 Token Consumer
  − Point to Trusted Anchor Store in callback handler
LTPA Binary Security Token
(WAS) Policy creation similar to Username Token: start with the LTPA WSSecurity Policy Set and Client/Provider bindings; optionally remove message protection (Signing & Encryption).
LTPA Token Type
LTPA Token
• Namespace: http://www.ibm.com/websphere/appserver/tokentype/5.0.2
• Local part/ValueType = LTPA
• Maps to DataPower’s AAA PP option of “WebSphere LTPA V2”
LTPA Propagation Token
• Namespace: http://www.ibm.com/websphere/appserver/tokentype
• Local part = /LTPA_PROPAGATION
• No corresponding DataPower AAA PP option
LTPA Token v2.0
• Namespace: http://www.ibm.com/websphere/appserver/tokentype
• Local Part/ValueType = LTPAv2
• Maps to DataPower AAA PP option of “WebSphere 7.0 Version 2”
LTPA BST created by DataPower
AAA Post Processing – similar to LTPA Cookie:
• Generate an LTPA Token
• Select correct LTPA Token Version
• Expiry/Key File
• Wrap Token in a WS-Security Security Header = on
Unlike other AAA options:
• Only one WS-Sec token or Cookie can be generated in one AAA action.
• No DP API for generation via XSL.
LTPA Tokens should contain uniqueID, not userid. Certain AAA token transformations require custom user mapping.
• E.g. Kerberos/SPNEGO in, LTPA out.
• Note: Any LDAP password authentication converts identity to uniqueID.
• See http://www-01.ibm.com/support/docview.wss?uid=swg21446677
LTPA BST created by DataPower - Timestamp
Prior to 7.0.0.13 (APAR PM16014) the LTPA BST did not need a Timestamp. DataPower does not add one by default.
WAS 7.0.0.13 now enforces the Timestamp for policies with these options. Providers will stop accepting tokens from DataPower.
See http://www-01.ibm.com/support/docview.wss?uid=swg21453755
Use Cases – End-user Identity to IBM/WAS
HTTP Transport
• SSL Client Auth of System connection (for trust) + HTTP User Header end-user identity (WAS 7.0.0.7 Provider)
  − Client – small amount of application code.
  − Provider requires JEE Security constraint.
  − Requires custom code/TAI to securely implement – ISSW has one.
  − (Can be used for REST applications.)
Mixed Mode Identity Assertion – LtpaToken2 cookie (for trust) (speculation)
• UNT without password
• LtpaToken BST (ESB must share Ltpa key and realm)
Message Level Identity Assertion – Two tokens (some variants are speculation)
• System Token for trust: UNT with Password, LTPA BST, X509 BST, Kerberos BST, SAML BST
• End-user token: UNT without Password, LTPA BST
Message Level Identity Assertion – One token
• Self-Issued SAML Assertion (BST) from ESB – X509 signature validates the SAML assertion.
Prefer the options shown in black on the original slide. LTPA is IBM only. SAML & Kerberos raise interop issues.
ISSW SecureIDPropagationTAI Example
DataPower (name and value are XPath expressions, so both literals are quoted):
<dp:set-http-request-header name="'ASSERT_USER'" value="'alice'"/>
WAS Config
• Requires JEE Security constraint
• Client SSL Authentication Required
Unless the direct SSL certificate properties match the expected values, the TAI ignores the asserted User header.
[Diagram, labels as extracted: DataPower XI50 (CN=ESB-DataPower,OU=.., SerialNum=776716551, Issuer=CN=Corp-Intermed-CA) sends “ASSERT_USER: alice” to the WAS 7 Consumer.]
TAI Props:
trustedDirectSubjectDN=CN=ESB-DataPower,...
trustedDirectSerial=776716551
trustedDirectIssuerDN=CN=Corp-Intermed-CA,...
userHeader=ASSERT_USER
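The decision the TAI makes is the whole point of this pattern, so here it is as an added Python example rather than the ISSW code itself: the asserted user header is honoured only when the directly connected TLS client certificate matches the configured subject DN, serial number and issuer DN. The property names follow the slide; the elided parts of the DNs, the certificate objects and the header values are constructed for illustration.

```python
"""Decision logic of a header-based identity-assertion TAI in the shape of
the ISSW SecureIDPropagationTAI described on the slide. Added example,
not the ISSW code; property names follow the slide, the DN tails and
certificate values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientCert:
    subject_dn: str
    serial: str
    issuer_dn: str


# TAI properties as on the slide; the "..." parts of the DNs are constructed here
TAI_PROPS = {
    "trustedDirectSubjectDN": "CN=ESB-DataPower,OU=ESB,O=Example",
    "trustedDirectSerial": "776716551",
    "trustedDirectIssuerDN": "CN=Corp-Intermed-CA,O=Example",
    "userHeader": "ASSERT_USER",
}

# Constructed: the ESB's certificate, and an older certificate with the same
# subject and issuer but a different serial (e.g. the one before a rotation)
ESB_CERT = ClientCert("CN=ESB-DataPower, OU=ESB, O=Example", "776716551",
                      "CN=Corp-Intermed-CA,O=Example")
OTHER_CERT = ClientCert("CN=ESB-DataPower,OU=ESB,O=Example", "123456789",
                        "CN=Corp-Intermed-CA,O=Example")


def dn_key(dn):
    """Compare DNs component-wise, ignoring whitespace around commas and the
    case of attribute types (a simplification of RFC 4514 matching)."""
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        parts.append((attr_type.strip().upper(), value.strip()))
    return tuple(parts)


def assert_user(props, direct_peer_cert, headers):
    """Return the user named in the assertion header if, and only if, the
    directly connected TLS peer presented the configured ESB certificate.
    Any failure returns None and the TAI falls through to normal
    authentication. The certificate must come from the *direct* SSL peer:
    behind an SSL-terminating proxy a forwarded certificate proves nothing."""
    if direct_peer_cert is None:
        return None                      # no mutual SSL: the header is worthless
    if dn_key(direct_peer_cert.subject_dn) != dn_key(props["trustedDirectSubjectDN"]):
        return None
    if direct_peer_cert.serial != props["trustedDirectSerial"]:
        return None
    if dn_key(direct_peer_cert.issuer_dn) != dn_key(props["trustedDirectIssuerDN"]):
        return None
    wanted = props["userHeader"].lower()
    for name, value in headers.items():  # HTTP header names are case-insensitive
        if name.lower() == wanted and value and value.strip():
            return value.strip()
    return None
```

Pinning the serial number is what makes the check tight: subject and issuer alone would still match a reissued certificate with the same name, including one the ESB no longer uses. The flip side is operational, since every certificate rotation on the ESB must be mirrored in trustedDirectSerial or assertions start being ignored.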
LTPA Cookie + LTPA BST
Two AAA actions:
• First sets LTPA BST containing end-user identity.
• Second sets LTPA Cookie with system identity.
Original AAA action – includes Post-Process step to flow end-user identity.
Timestamp.xsl – needed when the previous step’s Post-Process generates the LTPA Token Binary WS-Security header.
Generate LtpaToken2 HTTP Cookie with DataPower system identity.
Two UNT example
Policy set: Simple – Two UNTs
Example message:
<s:Security xmlns:s="http://..." xmlns:u="http://..." soapenv:mustUnderstand="1">
  <!-- Trust identity -->
  <s:UsernameToken u:Id="unt_21">
    <s:Username>ClientCellServerIdentity</s:Username>
    <s:Password Type="http://... 1.0#PasswordText">serverPass</s:Password>
  </s:UsernameToken>
  <!-- End user identity. Notes: (1) no password; (2) optional TrustedRealm format userid:realm:UniqueID -->
  <s:UsernameToken u:Id="unt_20">
    <s:Username>defaultWIMFileBasedRealm/alice:realm:defaultWIMFileBasedRealm/uid=alice,o=defaultWIMFileBasedRealm</s:Username>
  </s:UsernameToken>
</s:Security>
Two UNT Bindings - Client
Must use Application Specific Client bindings – not reusable across applications.
• Select the things you want to configure.
• Press Apply to get access to the Callback configuration.
Different binding info for each token – details in the Callback handler for the token:
trustedIdentity – a normal UNT with Basic Auth username and password
AssertedIdentity
• Identify it as an assertion token
• Identity to send:
  − Fixed identity value
  − Basic Auth username, but no password
  − Or current runAs identity
Two UNT Bindings Example - Client - 1
Application Specific Binding
WS-Security -> Authentication and Protection
Two UNT Bindings Example - Client - 2
Two UNT Bindings – Provider
Also needs an Application Specific provider binding. Configure Authentication and protection similar to the Client.
trustedIdentity
• Nothing special needed.
AssertedIdentity
• Set com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed=true
• Optional – trustedRealm – see later chart
Configure Caller Part: set both “Caller identity local part” and “Trusted identity local part”
• http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
Use identity Assertion
Callback Handler
• com.ibm.ws.wssecurity.impl.auth.callback.TrustedIdentityCallbackHandler
• trustedID_0 (etc.) – list of userids or DNs that are trusted.
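The provider-side rule behind the two-UNT pattern deserves to be seen end to end: the token with a password must authenticate and must name one of the configured trustedID_n values, and only then is the password-less token accepted as the caller. The following is an added Python example of that rule; it is not WebSphere's TrustedIdentityCallbackHandler. The property names follow the charts above, the Security header is constructed in the shape of the two-UNT example, and the registry and binding values are constructed.

```python
"""Provider-side handling of the two-UsernameToken identity-assertion pattern.
Added example, not WebSphere's TrustedIdentityCallbackHandler; property names
follow the slides, the header, registry and binding are constructed."""
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
ID_ASSERTION = "com.ibm.wsspi.wssecurity.token.IDAssertion.isUsed"

# Constructed two-UNT Security header in the shape shown on the slide
TWO_UNT_HEADER = f"""<s:Security xmlns:s="{WSSE}" xmlns:u="{WSU}">
<s:UsernameToken u:Id="unt_21">
<s:Username>ClientCellServerIdentity</s:Username>
<s:Password Type="{PASSWORD_TEXT}">serverPass</s:Password>
</s:UsernameToken>
<s:UsernameToken u:Id="unt_20">
<s:Username>alice</s:Username>
</s:UsernameToken>
</s:Security>"""

# Constructed provider binding: identity assertion on, one trusted identity
PROVIDER_BINDING = {ID_ASSERTION: True, "trustedID_0": "ClientCellServerIdentity"}
# Constructed provider registry (user -> password)
REGISTRY = {"ClientCellServerIdentity": "serverPass", "alice": "alice-secret"}


def username_tokens(header_xml):
    """List of (username, password-or-None) in document order."""
    root = ET.fromstring(header_xml)
    out = []
    for tok in root.iter(f"{{{WSSE}}}UsernameToken"):
        pw = tok.find(f"{{{WSSE}}}Password")
        out.append((tok.findtext(f"{{{WSSE}}}Username"), None if pw is None else pw.text))
    return out


def authenticate(registry, user, password):
    expected = registry.get(user)
    return (expected is not None and password is not None
            and hmac.compare_digest(expected, password))


def build_caller(header_xml, binding, registry):
    """Decide which identity the provider runs as. Returns a dict with 'ok'
    and either 'caller'/'asserted_by' or a 'reason' for refusal."""
    toks = username_tokens(header_xml)
    with_pw = [t for t in toks if t[1] is not None]
    without_pw = [t for t in toks if t[1] is None]
    if not binding.get(ID_ASSERTION):
        # Plain UNT binding: a password-less token is never accepted
        if without_pw or len(with_pw) != 1:
            return {"ok": False, "reason": "expected exactly one UNT with password"}
        user, pw = with_pw[0]
        if not authenticate(registry, user, pw):
            return {"ok": False, "reason": "authentication failed"}
        return {"ok": True, "caller": user, "asserted_by": None}
    if len(with_pw) != 1 or len(without_pw) != 1:
        return {"ok": False,
                "reason": "identity assertion needs one trusted token and one asserted token"}
    trusted_user, trusted_pw = with_pw[0]
    if not authenticate(registry, trusted_user, trusted_pw):
        return {"ok": False, "reason": "trusted identity failed authentication"}
    # Authenticating is not enough: the identity must also be one the binding trusts
    trusted = {v for k, v in binding.items() if k.startswith("trustedID_")}
    if trusted_user not in trusted:
        return {"ok": False,
                "reason": f"{trusted_user} authenticated but is not a configured trustedID"}
    asserted_user = without_pw[0][0]
    if not asserted_user or asserted_user not in registry:
        return {"ok": False, "reason": "asserted user not in provider registry"}
    return {"ok": True, "caller": asserted_user, "asserted_by": trusted_user}
```

The two refusals worth noticing are the last ones: a valid account that is not in the trustedID_n list must not be able to assert other users, and an asserted user who is not in the provider registry is rejected here because this binding is the non-trustedRealm case, where the Subject is built from the provider registry.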
Two UNT Bindings Example – Provider
TrustedRealm option
Interpret as “Realm Matters”.
Replaces the confusing 6.1 “sendRealm” option – which required a custom Login Module to process the token.
Client binding – how the token string is created.
Provider binding – how the Subject is built.
See “WebSphere Application Server V7 Security: New Features” – Security Domains r.e. the “All Authenticated In Trusted Realm” special security binding.

Client Binding trustedRealm | Token Contents <s:Username>?</s:Username>   | Provider Binding trustedRealm = true                                                          | Provider Binding trustedRealm = false
true                        | myRealm/alice:realm:myRealm/uid=alice,o=IBM  | Subject built using userid and uniqueID in token. No lookup in registry – no group membership. | Exception
false                       | alice                                        | Exception                                                                                     | Subject built based on provider Registry
Use Cases – End-user Identity to non-IBM/WAS
What can the Provider support? What does the Provider require?
Examples (depends on provider environment):
Possible Mixed Mode Identity Assertion – SPNEGO Authorization (for trust)
• UNT without password
• X509 BST
Possible Message Level Identity Assertion – Two tokens
• System Token for trust
  − UNT with Password, X509 BST, Kerberos BST, SAML BST
• End-user token
  − UNT without Password
Message Level Identity Assertion – One token
• Self-Issued SAML Assertion (BST) from ESB
• STS-Issued SAML Assertion (BST)
What else does SAML enable?
In addition to interop with external providers:
• Ephemeral userids.
• Fine-grain authorization models.
SAML Use Cases – End-user Identity plus Group Membership
WAS 7.0.0.7 or later builds the Subject from SAML attributes.
SAML does not specify a standard attribute for group membership. You can specify what attribute to use: “groupMName_<n>”
• Otherwise, WAS looks for "group", "groups", "memberof", "membership", "groupmembership", "members", "groupid", "role", or "roles".
Can allow assertion of ephemeral users. E.g. WAS needs SecurityName, UniqueID, and Group info.
How? STS could assert group info. WAS SAML Client application code.
Warning: tight linkage of SAML token creation and Provider authorization. Just because SAML asserts “role=foo”, it is only meaningful if group “foo” exists!
Sample SAML assertion of Groups + Business Data
Ephemeral user assertion of “alice”:
• A member of “Temp-Contractors-Tier2” (exists in WAS registry)
• Also a member of “Non-WAS-Group” (a non-WAS-registry group)
• Business info about “alice”: Phone, State, Transfer-Authorization Limit
<saml2:Subject>
  <saml2:NameID NameQualifier="forest.ibm.net:389">alice</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></saml2:SubjectConfirmation>
</saml2:Subject>
…
<saml2:AttributeStatement>
  <saml2:Attribute Name="Membership">
    <saml2:AttributeValue>CN=Temp-Contractors-Tier2, OU=Groups,dc=ibm,dc=net</saml2:AttributeValue>
    <saml2:AttributeValue>Non-WAS-Group</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:test:Phone">
    <saml2:AttributeValue>414-555-1212</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:test:State">
    <saml2:AttributeValue>NV</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:test:TA-Limit" NameFormat="http://www.w3.org/2001/XMLSchema#integer">
    <saml2:AttributeValue>100000</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
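To make the “role=foo is only meaningful if group foo exists” warning concrete, here is an added Python example (not WAS code) of how a provider turns the assertion above into a Subject for an ephemeral user: the group attribute is the configured name, or else the first of the default names WAS tries; asserted groups that do not exist in the provider registry are reported separately rather than silently granted; and the remaining attributes are kept as business data for authorization. The assertion fragment is constructed after the one on the slide and the registry contents are constructed.

```python
"""Building a Subject from SAML 2.0 attributes as the slides describe.
Added example, not WAS code; assertion fragment and registry are constructed."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute names WAS falls back to when no group attribute is configured
DEFAULT_GROUP_ATTRS = ("group", "groups", "memberof", "membership",
                       "groupmembership", "members", "groupid", "role", "roles")

# Constructed assertion fragment modelled on the slide
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
<saml2:Subject><saml2:NameID NameQualifier="forest.ibm.net:389">alice</saml2:NameID></saml2:Subject>
<saml2:AttributeStatement>
<saml2:Attribute Name="Membership">
<saml2:AttributeValue>CN=Temp-Contractors-Tier2, OU=Groups,dc=ibm,dc=net</saml2:AttributeValue>
<saml2:AttributeValue>Non-WAS-Group</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:test:Phone"><saml2:AttributeValue>414-555-1212</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="urn:test:State"><saml2:AttributeValue>NV</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="urn:test:TA-Limit"><saml2:AttributeValue>100000</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed provider registry: the only groups that really exist
REGISTRY_GROUPS = {"CN=Temp-Contractors-Tier2,OU=Groups,DC=ibm,DC=net"}


def dn_key(name):
    """Loose comparison key for a group name: drop whitespace around commas,
    ignore case (enough for this illustration, not full RFC 4514 matching)."""
    return ",".join(p.strip() for p in name.split(",")).lower()


def parse_attributes(assertion_xml):
    """Return (NameID, {attribute name: [values]}) from the assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(f".//{{{SAML2}}}NameID")
    attrs = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def pick_group_attribute(attrs, configured=None):
    """A configured attribute name wins; otherwise the first default name
    that is present (matched case-insensitively)."""
    candidates = [configured] if configured else list(DEFAULT_GROUP_ATTRS)
    lowered = {name.lower(): name for name in attrs}
    for cand in candidates:
        if cand.lower() in lowered:
            return lowered[cand.lower()]
    return None


def build_subject(assertion_xml, group_attr=None, registry_groups=REGISTRY_GROUPS):
    """Ephemeral user: principal and groups come from the token and the user
    is not looked up; a group is effective only if it exists in the registry."""
    name_id, attrs = parse_attributes(assertion_xml)
    if not name_id:
        raise ValueError("assertion has no NameID")
    chosen = pick_group_attribute(attrs, group_attr)
    asserted = attrs.get(chosen, []) if chosen else []
    known = {dn_key(g) for g in registry_groups}
    effective = [g for g in asserted if dn_key(g) in known]
    ignored = [g for g in asserted if dn_key(g) not in known]
    business = {k: v for k, v in attrs.items() if k != chosen}
    return {"principal": name_id, "groups": effective,
            "unmapped_groups": ignored, "attributes": business}
```

The unmapped_groups list is the thing to log: an STS asserting a group that the provider does not know about is either a configuration drift between token creation and provider authorization, or a deliberately useless claim, and either way nothing should be granted on it.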
Use Cases – End-user Identity plus Business Info
SAML + XACML allows fine-grained Authorization.
An XACML Policy Enforcement Point – invokes the PDP, abides by the decision.
Policy Decision Point – Permit/Deny response.
Options:
1. DataPower has an on-box PDP
2. DataPower and off-box TSPM RTSS (Tivoli Security Policy Manager Runtime Security Server)
3. WebSphere and on-box TSPM authorization engine
4. WebSphere and off-box TSPM RTSS
Agenda – Recap
Setting the Stage
Authentication Options through the Bus
  System Identity to Provider
    Transport Based
    WS-Security Based
  End-User Identity to Provider to WebSphere
    Transport Based
    WS-Security Based
  End-User Identity to Provider to Non-WebSphere
    WS-Security SAML Profile
Fine Grain Authorization options on the Bus
Futures
Nothing here is an IBM Commitment
References
TODO: Update with lots of other links.
Security material, including presentations, papers, and books:
• IBM internal – http://pokgsa.ibm.com/~keys/
• Public – http://www.keysbotzum.com
Materials may not be reproduced in whole or in part without the prior written permission of IBM
© Copyright IBM Corporation 2004-2011. All rights reserved.
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
Additional Charts
Background material
Thoughts on WS-Security SAML
SAML 1.1 Bearer: > 3700 bytes. Note that SAML Bearer tokens are signed by the WAS runtime.
<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsu:Created>2011-01-12T21:32:34.656Z</wsu:Created>
    </wsu:Timestamp>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
        AssertionID="_575214B7132267E9451294867956850" Issuer="Intra2" IssueInstant="2011-01-12T21:32:34.718Z">
      <saml:Conditions NotBefore="2011-01-12T21:32:34.718Z" NotOnOrAfter="2011-01-12T22:32:34.718Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>http://localhost:80/WSSampleSei/PingService</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier>alice</saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AttributeStatement>
IBM Software Group | WebSphere software
65
SAML 1.1 Bearer Token – 2 of 2<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_575214B7132267E9451294867956850">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>0JESX/C/lgc84MLbm1eYNWCephU=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>ZPE+NNlIXDPdPR8aDaIkje3hjOKraB20wLBSRKa7O+2cS+4B6wt3ZdnbKScJOzpdgzAXHr5k456s3YVYpB8LZm8f5YcR/vO58VqbcB8N8JqQoj8ORAITTzJL6MGHEJKf7AQXUE5q/g4MrDjgXqs8LAJkf5WnfJ4Xl++WqolZnOU=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo>
</ds:Signature></saml:Assertion>
</wsse:Security></soapenv:Header>
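The checks a relying party applies to a token like the one above, as an added Python example (not code from the presentation, WebSphere or DataPower). The SOAP message is a constructed sample modelled on the token shown, the verify_signature hook stands in for a real XML-DSig library, and the rsa-sha256 entry in the allowed-algorithm list is an assumption about where a deployment would move to:

```python
"""Consumer-side checks for a WS-Security SAML 1.1 bearer assertion.

Added example, not code from the presentation, WebSphere or DataPower. Using
the standard library only it applies the checks a relying party must make
before trusting the asserted identity. Verifying the XML signature itself
needs an XML-DSig library (exclusive C14N, RSA), so that step is delegated to
a caller-supplied hook verify_signature(assertion_element, issuer) -> bool.
SAMPLE_ENVELOPE is a constructed sample modelled on the token on the slide;
its SignatureValue is a placeholder and the certificate is omitted.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
# rsa-sha1 is what the slide's token uses and is accepted for that deployment
# only; rsa-sha256 is listed as the algorithm to migrate to (assumption).
ALLOWED_SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}
CLOCK_SKEW = timedelta(minutes=2)  # tolerance applied to NotBefore / NotOnOrAfter

SAMPLE_ENVELOPE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
 AssertionID="_575214B7132267E9451294867956850" Issuer="Intra2" IssueInstant="2011-01-12T21:32:34.718Z">
<saml:Conditions NotBefore="2011-01-12T21:32:34.718Z" NotOnOrAfter="2011-01-12T22:32:34.718Z">
<saml:AudienceRestrictionCondition><saml:Audience>http://localhost:80/WSSampleSei/PingService</saml:Audience></saml:AudienceRestrictionCondition>
</saml:Conditions><saml:AttributeStatement><saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject></saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_575214B7132267E9451294867956850"/></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</saml:Assertion></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""


def parse_xsd_datetime(text):
    """Parse the UTC xsd:dateTime forms WAS emits, with or without milliseconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unsupported xsd:dateTime: %r" % text)


def check_bearer_assertion(envelope_xml, now, expected_audience, trusted_issuers, verify_signature):
    """Return (subject_name, errors); subject_name is None unless every check passed."""
    errors = []
    sec = ET.fromstring(envelope_xml).find("soapenv:Header/wsse:Security", NS)
    assertion = sec.find("saml:Assertion", NS) if sec is not None else None
    if assertion is None:
        return None, ["no wsse:Security/saml:Assertion in the SOAP header"]

    # 1. Only assertions from an issuer we trust mean anything.
    issuer = assertion.get("Issuer")
    if issuer not in trusted_issuers:
        errors.append("untrusted Issuer %r" % issuer)

    # 2. The enveloped signature must cover this assertion (Reference URI == #AssertionID),
    #    use an allowed algorithm, and verify with the issuer's trusted key rather than
    #    with whatever certificate the sender placed in ds:KeyInfo.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        errors.append("assertion is not signed")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + (assertion.get("AssertionID") or ""):
            errors.append("ds:Reference does not cover the AssertionID")
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None or method.get("Algorithm") not in ALLOWED_SIG_ALGS:
            errors.append("signature algorithm not allowed")
        if issuer in trusted_issuers and not verify_signature(assertion, issuer):
            errors.append("signature does not verify with the issuer's trusted key")

    # 3. Validity window and audience from saml:Conditions.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no saml:Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_xsd_datetime(not_before) - CLOCK_SKEW:
            errors.append("assertion not yet valid")
        if not_on_or_after and now >= parse_xsd_datetime(not_on_or_after) + CLOCK_SKEW:
            errors.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if expected_audience not in audiences:  # require a restriction that names this service
            errors.append("audience restriction does not name %r" % expected_audience)

    # 4. Subject with bearer confirmation: possession of the token is the only proof, so the
    #    checks above are all that separates a replayed token from access.
    subject = assertion.find(".//saml:Subject", NS)
    name = subject.findtext("saml:NameIdentifier", namespaces=NS) if subject is not None else None
    methods = [] if subject is None else [
        m.text for m in subject.findall("saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
    if not name:
        errors.append("no NameIdentifier")
    if BEARER not in methods:
        errors.append("confirmation method is not bearer")
    return (name if not errors else None), errors
```

All checks are run and every failure is reported rather than stopping at the first one, which makes misconfigurations (wrong audience URL, untrusted issuer alias) visible in one pass. Pass the current time in explicitly so the same function can be unit-tested against a captured token; in production use datetime.now(timezone.utc).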
Simple PDP Example

The SAML assertion carries the following business data as an attribute:

<saml2:AttributeStatement>
  <saml2:Attribute Name="urn:test:MaximumStringLength" NameFormat="http://www.w3.org/2001/XMLSchema#integer">
    <saml2:AttributeValue>6</saml2:AttributeValue> <!-- This user can echo up to 6 characters -->
  </saml2:Attribute>
</saml2:AttributeStatement>

The XACML policy contains (Permit if MaximumStringLength > EchoLength, otherwise Deny):

<Rule RuleId="urn:rule:EchoLength" Effect="Permit">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
        <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#integer" AttributeId="urn:test:MaximumStringLength"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
        <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#integer" AttributeId="urn:test:EchoLength"/>
      </Apply>
    </Apply>
  </Condition>
</Rule>
<Rule RuleId="urn:rule:EchoTooLong" Effect="Deny"/>

Two caveats. integer-greater-than is strict, so with MaximumStringLength = 6 a 6-character input is denied; use integer-greater-than-or-equal if "up to 6" is the intent. The second rule has no Target or Condition, so it applies to every request; that gives the intended "deny unless permitted" behaviour only under the first-applicable rule-combining algorithm with the Permit rule listed first. Under deny-overrides the unconditional Deny would win every time.
XACML Request message

<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:test:MaximumStringLength" DataType="http://www.w3.org/2001/XMLSchema#integer">
      <AttributeValue>6</AttributeValue> <!-- from the assertion -->
    </Attribute>
    <Attribute AttributeId="urn:test:EchoLength" DataType="http://www.w3.org/2001/XMLSchema#integer">
      <AttributeValue>2</AttributeValue> <!-- calculated by the Xform (XSLT) from the payload -->
    </Attribute>
  </Subject>
  <Resource/>
  <Action/>
  <Environment/>
</Request>
createXACMLReq.xsl snippets

Based on store:///aaa-xacml-binding-sample.xsl.

Emit EchoLength (computed by the PEP from the request payload, so the PDP evaluates a value the bus derived rather than one the caller supplied):

<xsl:variable name="echoStringLength" select="string-length(/*[local-name()='Envelope']/*[local-name()='Body']/*[local-name()='echoStringInput']/*[local-name()='echoInput'])"/>
<xacml-context:Attribute AttributeId="urn:test:EchoLength" DataType="http://www.w3.org/2001/XMLSchema#integer">
  <xacml-context:AttributeValue><xsl:value-of select="$echoStringLength"/></xacml-context:AttributeValue>
</xacml-context:Attribute>

Emit subject-id (the credential produced by the AAA authentication step):

<xsl:when test="$au-method = 'saml'">
  <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <xacml-context:AttributeValue><xsl:value-of select="$au-credential"/></xacml-context:AttributeValue>
  </xacml-context:Attribute>
</xsl:when>

Emit SAML asserted values (every <Attribute> in the assertion becomes a Subject attribute; its NameFormat is copied into DataType, so the issuer must set NameFormat to the XACML datatype URI, as in the Simple PDP Example, rather than to one of the SAML 2.0 attribute name formats):

<xsl:for-each select="./assertion//*[local-name()='Attribute']">
  <xsl:variable name="name" select="@Name"/>
  <xsl:variable name="name-format" select="@NameFormat"/>
  <xsl:variable name="value" select="./*[local-name()='AttributeValue']"/>
  <xacml-context:Attribute>
    <xsl:attribute name="AttributeId"><xsl:value-of select="$name"/></xsl:attribute>
    <xsl:attribute name="DataType"><xsl:value-of select="$name-format"/></xsl:attribute>
    <xacml-context:AttributeValue><xsl:value-of select="$value"/></xacml-context:AttributeValue>
  </xacml-context:Attribute>
</xsl:for-each>

Because the asserted values flow into the authorization decision unchanged, this mapping is only safe once the assertion's signature and issuer have been verified in the authentication step that precedes it.
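The whole PEP-to-PDP round trip of the Simple PDP Example and the XSL snippets above, as an added Python example (not the presentation's XSLT, not DataPower's store:///aaa-xacml-binding-sample.xsl and not a real XACML engine). It rebuilds the XACML Request the way the XSL does (subject-id, SAML attributes with DataType taken from NameFormat, EchoLength computed from the payload) and then evaluates the two rules with first-applicable combining. The SOAP message, the urn:test:echo namespace and the SAML attribute values are constructed samples:

```python
"""PEP-to-PDP round trip for the Simple PDP Example.

Added example: not the presentation's XSLT, not DataPower's
store:///aaa-xacml-binding-sample.xsl and not a real XACML engine. The SOAP
message (urn:test:echo namespace) and the SAML attribute are constructed.
"""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_INT = "http://www.w3.org/2001/XMLSchema#integer"
XS_STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
MAX_LEN, ECHO_LEN = "urn:test:MaximumStringLength", "urn:test:EchoLength"

# Constructed echo request; element names follow the XSL's XPath, the namespace is assumed.
SOAP_TEMPLATE = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>'
                 '<ns:echoStringInput xmlns:ns="urn:test:echo"><ns:echoInput>%s</ns:echoInput>'
                 '</ns:echoStringInput></soapenv:Body></soapenv:Envelope>')


def _child(el, local):
    """First child whose local name matches, like the XSL's *[local-name()='...'] steps."""
    return None if el is None else next((c for c in el if c.tag.split("}")[-1] == local), None)


def echo_length(soap_xml):
    """string-length(/Envelope/Body/echoStringInput/echoInput); 0 when the path is absent."""
    root = ET.fromstring(soap_xml)
    if root.tag.split("}")[-1] != "Envelope":
        return 0
    echo = _child(_child(_child(root, "Body"), "echoStringInput"), "echoInput")
    return len(echo.text or "") if echo is not None else 0


def build_request(subject_id, asserted_attrs, soap_xml):
    """Build the XACML 2.0 Request the PEP sends. asserted_attrs are (Name, NameFormat, value)
    triples copied from the verified SAML assertion; EchoLength is derived by the PEP itself."""
    req = ET.Element("{%s}Request" % CTX)
    subj = ET.SubElement(req, "{%s}Subject" % CTX)

    def attr(attr_id, data_type, value):
        a = ET.SubElement(subj, "{%s}Attribute" % CTX, AttributeId=attr_id, DataType=data_type)
        ET.SubElement(a, "{%s}AttributeValue" % CTX).text = str(value)

    attr(SUBJECT_ID, XS_STR, subject_id)
    for name, name_format, value in asserted_attrs:   # NameFormat becomes DataType, as in the XSL
        attr(name, name_format, value)
    attr(ECHO_LEN, XS_INT, echo_length(soap_xml))
    for tag in ("Resource", "Action", "Environment"):
        ET.SubElement(req, "{%s}%s" % (CTX, tag))
    return ET.tostring(req, encoding="unicode")


def integer_one_and_only(request_root, attr_id):
    """XACML integer-one-and-only over the Subject bag for attr_id: exactly one value of
    DataType integer, otherwise Indeterminate (raised here as ValueError)."""
    subject = request_root.find("{%s}Subject" % CTX)
    bag = [v.text for a in subject.findall("{%s}Attribute" % CTX)
           if a.get("AttributeId") == attr_id and a.get("DataType") == XS_INT
           for v in a.findall("{%s}AttributeValue" % CTX)]
    if len(bag) != 1:
        raise ValueError("%s: bag has %d values" % (attr_id, len(bag)))
    return int(bag[0])


def evaluate(request_xml):
    """first-applicable over [urn:rule:EchoLength (Permit if Max > EchoLength),
    urn:rule:EchoTooLong (unconditional Deny)]. An Indeterminate first rule is returned
    as-is; the PEP must treat anything other than Permit as a denial."""
    root = ET.fromstring(request_xml)
    try:
        permitted = integer_one_and_only(root, MAX_LEN) > integer_one_and_only(root, ECHO_LEN)
    except ValueError:
        return "Indeterminate"
    return "Permit" if permitted else "Deny"


def decide(subject_id, asserted_attrs, echo_text):
    """Full round trip for one echo request: payload -> XACML Request -> decision."""
    return evaluate(build_request(subject_id, asserted_attrs, SOAP_TEMPLATE % echo_text))
```

Running decide("alice", [(MAX_LEN, XS_INT, "6")], "abcdef") returns Deny, which is the strict-comparison point made above; an assertion that omits MaximumStringLength, or carries it with a NameFormat other than the integer datatype URI, yields Indeterminate rather than Permit, which is the behaviour you want from a missing or mistyped entitlement.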