WS-Federation
Jim Van Dyke, Zhengping Wu
Partially adapted from workshop slides by Tony Nadalin (IBM) and Chris Kaler (Microsoft)
Agenda
Introduction
Trust Topologies
Single Sign-out
Attribute Services
Pseudonym Services
Active/Passive Profiles
Summary and Conclusions
Demo
References

What is Federation?
Federation: a collection of realms/domains that have established trust
The technology and business arrangements necessary to interconnect users, applications, and systems
Federated systems can interoperate across organizational and technical boundaries (i.e., various operating systems or security platforms)

Federated ATM Network
Diagram: Account Number and PIN presented at a Visiting Bank Network, which reaches the Home Bank Network over the Funds Network of Trust.

WS-Federation
Primary Goal: "Single Sign-On" access across trust domains using identities from the different domains
WS-Federation defines a model for this by building on the WS-* security specifications:
  Brokering trust
  Sign out messages
  Attribute service
  Pseudonym service

WS-Federation Terms
Authorities
  Security Token Service (STS) – Web service that issues security tokens; makes assertions based on evidence that it trusts to whoever trusts it
  Identity Provider (IP) – Entity that acts as an authentication service to end requestors (an extension of a basic STS)
Principals
  Requestor
  Resource
  Other Services

One Protocol, Multiple Bindings
Common protocol (WS-Trust)
Two "profiles" of the model are defined
  Smart/Active clients (SOAP)
  Passive clients (Browser – HTTP/S)
Supporting services (attribute/pseudonym/…)
Diagram: a Security Token Service fronted by an HTTP Receiver (HTTP messages) and a SOAP Receiver (SOAP messages).

Trust Topologies
Federation approach must address different trust topologies
  Model existing business practices
  Leverage existing infrastructure
Sample topologies
  Direct trust: Exchange, Validation
  Indirect trust
  Delegation

Direct Trust: Token Exchange
Diagram: Requestor, IP/STS (Trust relationship), Resource; three numbered steps, labelled "Get identity token" and "Get access token".

Direct Trust Flow
Sequence between Requestor, Requestor's IP/STS, Web Service, and Service's IP/STS:
  Acquire policy
  Return policy
  Request token
  Return token
  Request token
  Return token
  Send secured request
  Return result

Direct Trust: Token Validation
Diagram: Requestor, IP/STS (Trust relationship), Resource; three numbered steps, labelled "Get identity token" and "Get access verification".

Indirect Trust
C trusts B which vouches for A who vouches for client
Diagram: Requestor, three IP/STS (A, B, C) chained by Trust relationships, Resource; three numbered steps.

Delegation
Diagram: Requestor, three IP/STS linked by Trust relationships, Resource; five numbered steps.

Single Sign-Out
Diagram: Requestor, IP/STS, further IP/STS and Resources; step 1 from the Requestor followed by several step-2 messages fanning out (…).

Sign-Out Message
<S:Envelope>
  <S:Header>
    ...
    <wsu:Timestamp wsu:Id="ts"> ... </wsu:Timestamp>
    <wsse:Security>
      <!-- Signature referencing IDs "ts" & "so" -->
      ...
    </wsse:Security>
  </S:Header>
  <S:Body>
    <wsse:SignOut wsu:Id="so">
      <wsse:SignOutBasis>
        <wsse:UsernameToken>
          <wsse:Username>NNK</wsse:Username>
        </wsse:UsernameToken>
      </wsse:SignOutBasis>
    </wsse:SignOut>
  </S:Body>
</S:Envelope>

Requesting Sign-Out Messages
<wsse:RequestSSOMessages>
  <wsa:EndpointReference>
    <wsa:Reference>http://business456.com/SSO</wsa:Reference>
  </wsa:EndpointReference>
  <wsse:UsernameToken>
    <wsse:Username>Nicholas</wsse:Username>
  </wsse:UsernameToken>
</wsse:RequestSSOMessages>

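As an added illustration (not part of the workshop slides), the following Python checks that a received sign-out message is safe to act on: the signature must reference both wsu:Id values "ts" and "so" named in the slide's comment, and the timestamp must be fresh, before the username is taken from the SignOutBasis. The namespace URIs and the Created/Expires elements in the constructed sample are assumptions; the slide shows only prefixes and elides the header.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample in the shape of the slide's sign-out message. Namespace
# URIs are assumed (the slides show only prefixes); the signature is abbreviated.
SAMPLE = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <S:Header>
  <wsu:Timestamp wsu:Id="ts"><wsu:Created>2004-01-01T12:00:00Z</wsu:Created>
   <wsu:Expires>2004-01-01T12:05:00Z</wsu:Expires></wsu:Timestamp>
  <wsse:Security><ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#ts"/><ds:Reference URI="#so"/>
  </ds:SignedInfo></ds:Signature></wsse:Security>
 </S:Header>
 <S:Body><wsse:SignOut wsu:Id="so"><wsse:SignOutBasis><wsse:UsernameToken>
  <wsse:Username>NNK</wsse:Username></wsse:UsernameToken></wsse:SignOutBasis>
 </wsse:SignOut></S:Body></S:Envelope>"""

def _local(tag):
    """Strip the namespace so checks work whatever URI a peer declared."""
    return tag.rsplit("}", 1)[-1]

def _find(node, name):
    return [e for e in node.iter() if _local(e.tag) == name]

def _utc(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def check_signout(xml_text, now_iso, skew=timedelta(minutes=5)):
    """Return 'ok:<username>' if the sign-out may be acted on, else 'rejected:<why>'.
    Assumes the WS-Security layer already verified the signature value itself;
    this checks what the signature covers and whether the message is fresh."""
    root = ET.fromstring(xml_text)
    ts = _find(_find(root, "Header")[0], "Timestamp")[0]
    so = _find(_find(root, "Body")[0], "SignOut")[0]
    # Both the timestamp and the SignOut element must be under the signature,
    # otherwise a signed header could be paired with an unsigned, altered body.
    signed = {r.get("URI") for r in _find(_find(root, "SignedInfo")[0], "Reference")}
    for elem in (ts, so):
        ident = next((v for k, v in elem.attrib.items() if _local(k) == "Id"), "")
        if "#" + ident not in signed:
            return "rejected:signature does not cover " + _local(elem.tag)
    now = _utc(now_iso)
    if not (_utc(_find(ts, "Created")[0].text) - skew <= now
            <= _utc(_find(ts, "Expires")[0].text) + skew):
        return "rejected:timestamp outside acceptance window"
    return "ok:" + _find(_find(so, "SignOutBasis")[0], "Username")[0].text
```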
Attribute Service
Scenario: You ask a weather service for the current weather (or visit a weather site); it provides a personalized response because it knows your zip code
Why it worked:
  Policy indicated an attribute service
  Identity information was used to find zip code
  Weather service was authorized to access zip code (opt-in)
Specification defines the concept of an attribute service but not a specific interface

Attribute Service Example
Attributes may have associated scopes
Each attribute may have its own access control and privacy policy

Attribute Scoping
Model allows for attributes to be scoped
Diagram: attribute store holding Zip: 12309, FN: Fred, ID: 3442, Nick: Freddo, ID: FJ454, Nick: Fredster, ID: 3-55-34, …, grouped under the scopes (fabrikam123.com), (business456.com) and (example.com).

Attribute Discovery
Open design model
  Any attribute store can be used
  Integration with legacy systems
Discovery via policy
  Requestor's policy refers to the attribute service
  Attribute service has its own policy
  Communication is governed by this policy
  UDDI is an example store

Attribute Discovery
Diagram: Requestor, Resource and Attribute Service, each with its own Policy; four numbered steps, one labelled "Get FN".

Attribute Example
Diagram: Requestor, IP/STS (Trust relationships), Resource, and an Attribute Service holding Zip: 12309, FN: Fred, …; four numbered steps.

Protecting Identity
Single sign-on also needs to
  Prevent identity tracking
  Provide anonymity
Other forms of identity tracking still exist:
  Address
  Phone number
  Credit card
  Social security number

Identity Approaches
One federation model
Multiple identity approaches
  Static identifier, possibly obfuscated
  Static per-target identifier
  One-time identifier

Static Identifier Example
Diagram: Requestor "Fred" obtains a token from the IP/STS as "Fred@STS" (1) and presents "Fred@STS" to the Resource (2); Trust relationship between IP/STS and Resource.

Static Per-Target Example
Diagram: Requestor "Fred", IP/STS, Resources with Trust relationships; the IP/STS issues a different identifier per target ("A123" for one, "B456" for the other); four numbered steps.

Pseudonym Service
This service provides a mechanism for associating alternate identities
Pseudonyms represent alternate identities
  Depends on scope of request
  Subject to authorization control
  Can be integrated with IP/STS

Pseudonym Discovery
Diagram: Requestor, Resource and Pseudonym Service, each with its own Policy; four numbered steps.

Pseudonym Example 1
Service sets pseudonym for its domain
Diagram: Requestor "Fred", B456.com IP (Trust relationship), Resource, B456.com Pseudonym Service; identities shown: "A123@B456.com" and "Freddo@F123.com"; three numbered steps.

Pseudonym Example 2
Service fetches pseudonym for its domain
Diagram: Requestor "Fred", B456.com IP (Trust relationship), Resource, B456.com Pseudonym Service; identities shown: a pseudonym in the B456.com scope and "Freddo@F123.com"; four numbered steps.

Pseudonym/STS Integration
Pseudonym & STS can work together
  Single physical service
  Separate but tightly coupled services
Diagram: Token Request

Pseudonym Example 3
Use pseudonyms to obtain initial token
Diagram: Requestor "Fred" / "Freddo@F123.com", B456.com IP (Trust relationship), Resource, B456.com Pseudonym Service; three numbered steps.

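The following Python, added here and not the specification's interface or the slides' own code, models the pseudonym service behaviour of the preceding slides (scope-bound pseudonyms that only the owning domain may set or fetch, co-located with the IP/STS) together with the three identity approaches from the Identity Approaches slide. The HMAC derivation, the store layout and the secret are assumptions.

```python
import hmac
import hashlib
import secrets

class PseudonymService:
    """Constructed model of the pseudonym service on the slides: alternate
    identities scoped to a target domain, subject to authorization control,
    and integrated with the IP/STS (which holds the derivation secret)."""

    def __init__(self, ip_secret):
        self._secret = ip_secret    # secret held by the IP/STS, never released
        self._store = {}            # (principal, scope) -> pseudonym

    def _authorized(self, caller_domain, scope):
        # Authorization control: a service may touch only its own scope.
        return caller_domain == scope

    def set_pseudonym(self, caller_domain, principal, scope, pseudonym):
        """Example 1 on the slides: a service sets the pseudonym for its domain."""
        if not self._authorized(caller_domain, scope):
            return False
        self._store[(principal, scope)] = pseudonym
        return True

    def get_pseudonym(self, caller_domain, principal, scope):
        """Example 2: a service fetches the pseudonym for its own domain
        (None if none is set or the caller is outside that scope)."""
        if not self._authorized(caller_domain, scope):
            return None
        return self._store.get((principal, scope))

    # The three identity approaches from the "Identity Approaches" slide, each
    # returning what the IP/STS would place in the token instead of "Fred".
    def static_identifier(self, principal):
        """Static, obfuscated: stable across all targets, so targets can correlate."""
        return hmac.new(self._secret, principal.encode(), hashlib.sha256).hexdigest()[:12]

    def per_target_identifier(self, principal, scope):
        """Static per-target: stable within one domain, unlinkable across domains."""
        msg = principal.encode() + b"\x00" + scope.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:12] + "@" + scope

    def one_time_identifier(self, principal, scope):
        """One-time: fresh value per request; the IP keeps the only mapping back."""
        token = secrets.token_hex(8) + "@" + scope
        self._store[(token, scope)] = principal
        return token
```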
Active (Smart Client) Profile
Describes options for SOAP-enabled clients
Varied models based on policy
  Business needs
  Inter-organization relationships
  Regulations
Strong authentication of all requests

Example Flow (SOAP)
Sequence between Requesting Service, Requestor's IP/STS, Target Service, and Target's IP/STS:
  Acquire policy
  Request token
  Return token
  Request token
  Return token
  Send secured request
  Return secured response

Passive Profile
Describes options for browser clients
  URL-only
  GET, POST body
  Cookies (a custom caching mechanism)
Uses redirection to effect messages
Should conform as closely as possible to WS-Trust protocols

Example Flow (Browser)
Sequence between Requesting Browser, Requestor's IP/STS, Target Resource, and Target's IP/STS:
  Get resource
  Detect realm
  Redirect to resource's IP/STS
  Redirect to requestor's IP/STS
  Login
  Return identity token
  Return resource token
  Return secured response

WS-Federation Features
Cross-domain trust federation
Generic token acquisition
Enables different trust topologies
Single Sign-On / Sign-Off
Identity Protection and Privacy
Attributes and Pseudonyms
End-to-end security
No HTTPS required

WS-Federation Summary
Integrates with existing infrastructures
  Business model
  Token formats
  Attribute stores
  Directory services
Together with the other WS-* specifications, provides a rich fabric for building secure, reliable, transacted systems across federation boundaries

Basic Trust Federation Demo
3 Participants: Client, Service, STS
No trust relationship between Client (requestor) and Service (resource)
Client and Server trust the STS
Uses WSE 2.0: Supports WS-Security, WS-Policy, WS-SecurityPolicy, WS-Trust, WS-SecureConversation, and WS-Addressing.

Optional Extensions of Demo
Token Validation Mapping with WS-Addressing

Primary References
WS-Federation Feedback Workshop
  These workshop slides provide an overview of WS-Federation.
  http://www-106.ibm.com/developerworks/offers/WS-Specworkshops/ws-fed200311.html
Federation of Identities in a Web Services World
  This whitepaper discusses using WS-Federation to federate identities across trust domains.
  http://msdn.microsoft.com/ws-federation/

Secondary References
Web Services Federation Language (WS-Federation)
  This is the complete WS-Federation specification.
  http://msdn.microsoft.com/ws/2003/07/ws-federation/
WS-Federation: Active Requestor Profile
  This is the specification for active profiles in WS-Federation.
  http://msdn.microsoft.com/ws/2003/07/ws-active-profile/
WS-Federation: Passive Requestor Profile
  This is the specification for passive profiles in WS-Federation.
  http://msdn.microsoft.com/ws/2003/07/ws-passive-profile/