WS-Federation

Date post: 05-Jan-2016
Page 1: WS-Federation

WS-Federation

Jim Van Dyke, Zhengping Wu

Partially adapted from workshop slides by Tony Nadalin (IBM) and Chris Kaler (Microsoft)

Page 2: WS-Federation

Agenda
- Introduction
- Trust Topologies
- Single Sign-out
- Attribute Services
- Pseudonym Services
- Active/Passive Profiles
- Summary and Conclusions
- Demo
- References

Page 3: WS-Federation

What is Federation?
- Federation: a collection of realms/domains that have established trust; the technology and business arrangements necessary to interconnect users, applications, and systems
- Federated systems can interoperate across organizational and technical boundaries (i.e., various operating systems or security platforms)

Page 4: WS-Federation

Federated ATM Network
[Figure: Federated ATM Network. Labels: Account Number and PIN, Home Bank Network, Visiting Bank Network, Funds, Network of Trust.]

Page 5: WS-Federation

WS-Federation
- Primary Goal: “Single Sign-On” access across trust domains using identities from the different domains
- WS-Federation defines a model for this by building on the WS-* security specifications: brokering trust, sign-out messages, attribute service, pseudonym service

Page 6: WS-Federation

WS-Federation Terms
- Authorities
  - Security Token Service (STS) – Web service that issues security tokens; makes assertions based on evidence that it trusts, to whoever trusts it
  - Identity Provider (IP) – Entity that acts as an authentication service to end requestors (an extension of a basic STS)
- Principals: Requestor, Resource, Other Services

Page 7: WS-Federation

One Protocol, Multiple Bindings
- Common protocol (WS-Trust)
- Two “profiles” of the model are defined: Smart/Active clients (SOAP); Passive clients (Browser – HTTP/S)
- Supporting services (attribute/pseudonym/…)
[Figure: a Security Token Service fronted by an HTTP Receiver (HTTP messages) and a SOAP Receiver (SOAP messages).]

Page 8: WS-Federation

Trust Topologies
- Federation approach must address different trust topologies: model existing business practices; leverage existing infrastructure
- Sample topologies: Direct trust (Exchange, Validation); Indirect trust; Delegation

Page 9: WS-Federation

Direct Trust – Token Exchange
[Figure: Requestor, IP/STS and Resource; the IP/STS and the Resource share a Trust relationship. Steps 1–3; labels: Get identity token, Get access token.]

Page 10: WS-Federation

Direct Trust Flow
[Sequence diagram: Requestor Service, Requestor IP/STS, WS Service, Service IP/STS. Messages: Request token / Return token, Request token / Return token, Send secured request / Return result, Acquire policy / Return policy.]

Page 11: WS-Federation

Direct Trust – Token Validation
[Figure: Requestor, IP/STS and Resource; the IP/STS and the Resource share a Trust relationship. Steps 1–3; labels: Get identity token, Get access verification.]

Page 12: WS-Federation

Indirect Trust
C trusts B, which vouches for A, who vouches for the client
[Figure: three IP/STSs labelled A, B and C, linked by Trust relationships; Requestor and Resource; steps 1–3.]

Page 13: WS-Federation

Delegation
[Figure: three IP/STSs linked by Trust relationships, a Requestor and two Resources; steps 1–5.]
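The direct and indirect topologies on the preceding slides come down to one question at the resource: does the token in front of me trace back, link by link, to an STS I trust? The following is an added example, not code from the slides: each IP/STS signs what it issues with its own key (HMAC-SHA256 stands in for an XML signature), a party accepts a token only from an STS it trusts directly, and that STS in turn must have vouched for a token from an STS it trusts, back to the STS that authenticated the subject. The party names, keys, trust table and JSON token layout are constructed for the example.

```python
"""Added example: direct and indirect trust checked as a chain of issued tokens.
HMAC-SHA256 stands in for the XML signature an STS would really apply."""
import hashlib
import hmac
import json

KEYS = {"A": b"key-A", "B": b"key-B", "C": b"key-C", "D": b"key-D"}   # constructed STS secrets
TRUST = {"Resource": {"C"}, "C": {"B"}, "B": {"A"}, "A": set()}       # direct trust edges (constructed)

def _sign(issuer, payload):
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], data, hashlib.sha256).hexdigest()

def issue(issuer, subject, based_on=None):
    """`issuer` vouches for `subject`, either from its own authentication of the
    subject (based_on is None) or on the basis of a token issued by another STS."""
    payload = {"issuer": issuer, "subject": subject, "based_on": based_on}
    return {"payload": payload, "sig": _sign(issuer, payload)}

def verify_chain(token, verifier):
    """True only if every link runs along a direct trust edge, every signature
    checks, and every issuer in the chain vouches for the same subject."""
    subject = token["payload"]["subject"]
    party = verifier
    while token is not None:
        p = token["payload"]
        if p["issuer"] not in TRUST.get(party, set()):
            return False          # `party` has no trust relationship with this issuer
        if not hmac.compare_digest(_sign(p["issuer"], p), token["sig"]):
            return False          # not issued by the named STS, or altered since
        if p["subject"] != subject:
            return False          # an intermediary may not swap the subject
        party, token = p["issuer"], p["based_on"]
    return True

def scenarios():
    """Outcomes for the topologies on slides 9-12 plus two things a resource must reject."""
    a = issue("A", "fred")                      # A authenticated Fred: identity token
    b = issue("B", "fred", based_on=a)          # B vouches for A's token
    c = issue("C", "fred", based_on=b)          # C issues the token the Resource trusts
    return {
        "direct":         verify_chain(issue("C", "fred"), "Resource"),   # one STS, slides 9 and 11
        "indirect":       verify_chain(c, "Resource"),                    # C <- B <- A, slide 12
        "skip_broker":    verify_chain(a, "Resource"),                    # Resource does not trust A
        "untrusted_link": verify_chain(issue("C", "fred", based_on=issue("D", "fred")), "Resource"),
        "forged_sig":     verify_chain(dict(c, sig="00" * 32), "Resource"),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```

The point of `skip_broker` and `untrusted_link` is that trust is not transitive by accident: the resource never consults A's or D's key, because the only edge it knows is to C, and C's own edge list decides whether B or D may stand behind a token it issues.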

Page 14: WS-Federation

Single Sign-Out
[Figure: Requestor, its IP/STS, further IP/STSs (…) and Resources (…); step 1 from the Requestor to its IP/STS, then step 2 repeated to each of the other parties.]

Page 15: WS-Federation

Sign-Out Message

  <S:Envelope>
    <S:Header>
      ...
      <wsu:Timestamp wsu:Id="ts"> ... </wsu:Timestamp>
      <wsse:Security>
        <!-- Signature referencing IDs "ts" & "so" -->
        ...
      </wsse:Security>
    </S:Header>

Page 16: WS-Federation

Sign-Out Message (cont.)

    <S:Body>
      <wsse:SignOut wsu:Id="so">
        <wsse:SignOutBasis>
          <wsse:UsernameToken>
            <wsse:Username>NNK</wsse:Username>
          </wsse:UsernameToken>
        </wsse:SignOutBasis>
      </wsse:SignOut>
    </S:Body>
  </S:Envelope>
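The comment in the header is the security-relevant detail of this message: the signature must reference both the timestamp ("ts") and the SignOut element ("so"), so that neither the freshness nor the identity being signed out can be changed after signing. The block below is an added example, not code from the slides, that builds the envelope shown above and validates it on the receiving side. A real message carries an XML Signature; here an HMAC-SHA256 over the serialised elements that the ds:Reference entries point at stands in for it so the example runs offline. The namespace URIs (the slide shows prefixes only), the shared key and the five-minute freshness window are assumptions.

```python
"""Added example: build the SignOut envelope from the slide and check it on receipt.
HMAC-SHA256 over the referenced elements stands in for the real XML Signature."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {  # assumed URIs: SOAP 1.2, OASIS WSS 1.0 secext/utility, XML-DSig
    "S": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

WSU_ID = q("wsu", "Id")

def _element_by_id(env, ident):
    return next((el for el in env.iter() if el.get(WSU_ID) == ident), None)

def _mac(env, refs, key):
    """Stand-in signature value: HMAC over every referenced element, in a fixed order."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for ref in sorted(refs):
        el = _element_by_id(env, ref.lstrip("#"))
        if el is None:
            raise ValueError("dangling reference " + ref)
        h.update(ET.tostring(el))
    return h.hexdigest()

def build_signout(username, key, created, signed=("#ts", "#so")):
    """Sign-out message for `username`; `signed` lists what the signature covers."""
    env = ET.Element(q("S", "Envelope"))
    hdr = ET.SubElement(env, q("S", "Header"))
    ts = ET.SubElement(hdr, q("wsu", "Timestamp"), {WSU_ID: "ts"})
    ET.SubElement(ts, q("wsu", "Created")).text = created.isoformat()
    sec = ET.SubElement(hdr, q("wsse", "Security"))
    body = ET.SubElement(env, q("S", "Body"))
    so = ET.SubElement(body, q("wsse", "SignOut"), {WSU_ID: "so"})
    basis = ET.SubElement(so, q("wsse", "SignOutBasis"))
    ut = ET.SubElement(basis, q("wsse", "UsernameToken"))
    ET.SubElement(ut, q("wsse", "Username")).text = username
    sig = ET.SubElement(sec, q("ds", "Signature"))
    for ref in signed:
        ET.SubElement(sig, q("ds", "Reference"), {"URI": ref})
    ET.SubElement(sig, q("ds", "SignatureValue")).text = _mac(env, signed, key)
    return ET.tostring(env)

def check_signout(raw, key, now, max_age=timedelta(minutes=5)):
    """Return the username to sign out, or raise ValueError with the reason."""
    env = ET.fromstring(raw)
    sig = env.find("S:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        raise ValueError("no signature")
    refs = {r.get("URI") for r in sig.findall("ds:Reference", NS)}
    # Both the timestamp and the SignOut body must be bound by the signature;
    # otherwise either could be replaced after signing (replay, or signing out another user).
    if not {"#ts", "#so"} <= refs:
        raise ValueError("signature does not cover ts and so")
    if not hmac.compare_digest(_mac(env, refs, key),
                               sig.findtext("ds:SignatureValue", default="", namespaces=NS)):
        raise ValueError("bad signature")
    created = datetime.fromisoformat(env.findtext("S:Header/wsu:Timestamp/wsu:Created", namespaces=NS))
    if not (now - max_age <= created <= now + timedelta(minutes=1)):
        raise ValueError("stale or future timestamp")
    user = env.findtext("S:Body/wsse:SignOut/wsse:SignOutBasis/wsse:UsernameToken/wsse:Username",
                        namespaces=NS)
    if not user:
        raise ValueError("no SignOutBasis username")
    return user

def rejection_reason(raw, key, now):
    """None if the message is accepted, otherwise the reason it was rejected."""
    try:
        check_signout(raw, key, now)
        return None
    except ValueError as exc:
        return str(exc)

DEMO_KEY = b"constructed-shared-key"                          # constructed
DEMO_NOW = datetime(2016, 1, 5, 12, 0, tzinfo=timezone.utc)   # constructed

def demo():
    """Outcomes for the valid message and for four defective variants."""
    msg = build_signout("NNK", DEMO_KEY, DEMO_NOW)
    return {
        "valid": rejection_reason(msg, DEMO_KEY, DEMO_NOW),
        "user": check_signout(msg, DEMO_KEY, DEMO_NOW),
        "tampered_body": rejection_reason(msg.replace(b">NNK<", b">XYZ<"), DEMO_KEY, DEMO_NOW),
        "body_unsigned": rejection_reason(build_signout("NNK", DEMO_KEY, DEMO_NOW, signed=("#ts",)),
                                          DEMO_KEY, DEMO_NOW),
        "stale": rejection_reason(msg, DEMO_KEY, DEMO_NOW + timedelta(hours=1)),
        "wrong_key": rejection_reason(msg, b"other-key", DEMO_NOW),
    }

if __name__ == "__main__":
    print(build_signout("NNK", DEMO_KEY, DEMO_NOW).decode())
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

The order of the checks matters for a receiver: reference coverage is tested before the signature value, so a message whose signature is valid but covers only the timestamp is still refused, and the timestamp is only trusted once it is known to be under the signature. A forged or replayed sign-out is a denial of service against the named user, which is why the receiver treats it exactly as strictly as a sign-in.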

Page 17: WS-Federation

Requesting Sign-Out Message

  <wsse:RequestSSOMessages>
    <wsa:EndpointReference>
      <wsa:Reference>http://business456.com/SSO</wsa:Reference>
    </wsa:EndpointReference>
    <wsse:UsernameToken>
      <wsse:Username>Nicholas</wsse:Username>
    </wsse:UsernameToken>
  </wsse:RequestSSOMessages>

Page 18: WS-Federation

Attribute Service
- Scenario: You ask a weather service for the current weather (or visit a weather site); it provides a personalized response because it knows your zip code
- Why it worked: policy indicated an attribute service; identity information was used to find the zip code; the weather service was authorized to access the zip code (opt-in)
- Specification defines the concept of an attribute service but not a specific interface

Page 19: WS-Federation

Attribute Service Example
- Attributes may have associated scopes
- Each attribute may have its own access control and privacy policy

Page 20: WS-Federation

Attribute Scoping
- Model allows for attributes to be scoped
[Figure: one principal's attributes grouped by scope (fabrikam123.com, business456.com, example.com): Zip: 12309, FN: Fred, ID: 3442, Nick: Freddo, ID: FJ454, Nick: Fredster, ID: 3-55-34, ….]
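Two things on the last three slides decide whether the weather scenario is safe rather than a privacy leak: the attribute is keyed by scope, and release is governed by the attribute's own policy (the user opted the weather service in for the zip code and nothing else). The block below is an added example, not code from the slides, of an attribute store with exactly those two properties. The attribute values come from the scoping slide; their assignment to scopes, the requesting services and the consents are constructed, and because the specification defines no attribute-service interface, this API is an assumption.

```python
"""Added example: a scoped, opt-in attribute store in the spirit of the slides.
The API is an assumption; the specification defines no attribute-service interface."""
from dataclasses import dataclass, field

@dataclass
class Attribute:
    value: str
    allowed: set = field(default_factory=set)   # services the principal opted in for this attribute

class AttributeService:
    def __init__(self):
        self._store = {}    # principal -> {(scope, name): Attribute}

    def put(self, principal, scope, name, value):
        self._store.setdefault(principal, {})[(scope, name)] = Attribute(value)

    def opt_in(self, principal, scope, name, service):
        self._store[principal][(scope, name)].allowed.add(service)

    def opt_out(self, principal, scope, name, service):
        self._store[principal][(scope, name)].allowed.discard(service)

    def get(self, principal, scope, name, service):
        """Value of `name` for `principal` in `scope` if `service` was opted in, else None.
        A wrong scope and a missing consent look the same to the caller on purpose."""
        attr = self._store.get(principal, {}).get((scope, name))
        if attr is None or service not in attr.allowed:
            return None
        return attr.value

    def visible_to(self, principal, service):
        """Every (scope, name) the service may currently read for the principal."""
        return sorted(k for k, a in self._store.get(principal, {}).items() if service in a.allowed)

def weather_scenario():
    svc = AttributeService()
    # Fred's attributes per scope: values from the slide, scope assignment constructed
    svc.put("fred", "example.com", "Zip", "12309")
    svc.put("fred", "example.com", "FN", "Fred")
    svc.put("fred", "fabrikam123.com", "ID", "3442")
    svc.put("fred", "business456.com", "Nick", "Freddo")
    svc.put("fred", "business456.com", "ID", "FJ454")
    # Fred opts the (constructed) weather service in to his zip code only
    svc.opt_in("fred", "example.com", "Zip", "weather.example.com")
    svc.opt_in("fred", "business456.com", "Nick", "business456.com")
    result = {
        "weather_zip": svc.get("fred", "example.com", "Zip", "weather.example.com"),
        "weather_fn": svc.get("fred", "example.com", "FN", "weather.example.com"),
        "weather_zip_wrong_scope": svc.get("fred", "fabrikam123.com", "Zip", "weather.example.com"),
        "b456_nick": svc.get("fred", "business456.com", "Nick", "business456.com"),
        "b456_id_no_consent": svc.get("fred", "business456.com", "ID", "business456.com"),
        "weather_visible": svc.visible_to("fred", "weather.example.com"),
    }
    svc.opt_out("fred", "example.com", "Zip", "weather.example.com")
    result["weather_zip_after_opt_out"] = svc.get("fred", "example.com", "Zip", "weather.example.com")
    return result

if __name__ == "__main__":
    for name, value in weather_scenario().items():
        print(f"{name:26s} {value}")
```

`visible_to` is the call an audit or a consent dashboard would use: it answers "what can this service learn about me right now" from the same data that enforces the decision, so the two cannot drift apart.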

Page 21: WS-Federation

Attribute Discovery
- Open design model: any attribute store can be used; integration with legacy systems
- Discovery via policy: the requestor’s policy points to the attribute service; the attribute service has its own policy; communication is governed by this policy
- UDDI is an example store

Page 22: WS-Federation

Attribute Discovery
[Figure: Requestor, Resource and Attribute Service, each with its own Policy; steps 1–4; message “Get FN”.]

Page 23: WS-Federation

Attribute Example
[Figure: Requestor, IP/STS, Resource and Attribute Service with Trust relationships; steps 1–4; attributes returned: Zip: 12309, FN: Fred, ….]

Page 24: WS-Federation

Protecting Identity
- Single sign-on also needs to prevent identity tracking and provide anonymity
- Other forms of identity tracking still exist: address, phone number, credit card, social security number

Page 25: WS-Federation

Identity Approaches
- One federation model
- Multiple identity approaches: static identifier, possibly obfuscated; static per-target identifier; one-time identifier

Page 26: WS-Federation

Static Identifier Example
[Figure: Requestor “Fred” authenticates to the IP/STS, which presents “Fred@STS” to the Resource; steps 1–2; Trust between IP/STS and Resource.]

Page 27: WS-Federation

Static Per-Target Example
[Figure: “Fred” is presented to one Resource as “A123” and to a second Resource as “B456”; steps 1–4; Trust relationships between the IP/STS and each Resource.]

Page 28: WS-Federation

Pseudonym Service
- This service provides a mechanism for associating alternate identities
- Pseudonyms represent alternate identities: depends on scope of request; subject to authorization control; can be integrated with IP/STS

Page 29: WS-Federation

Pseudonym Discovery
[Figure: Requestor, Resource and Pseudonym Service, each with its own Policy; steps 1–4.]

Page 30: WS-Federation

Pseudonym Example 1
- Service sets pseudonym for its domain
[Figure: Requestor “Fred”, the B456.com IP, the Resource and the B456.com Pseudonym Service, with Trust between IP and Resource; pseudonyms shown: “A123@B456.com” and “Freddo@F123.com”; steps 1–3.]

Page 31: WS-Federation

Pseudonym Example 2
- Service fetches pseudonym for its domain
[Figure: same parties as Example 1; the Resource fetches Fred’s pseudonym in the B456.com scope (“…@B456.com”); “Freddo@F123.com” also shown; steps 1–4.]

Page 32: WS-Federation

Pseudonym/STS Integration
- Pseudonym and STS can work together: single physical service; separate but tightly coupled services
[Figure: Token Request]

Page 33: WS-Federation

Pseudonym Example 3
- Use pseudonyms to obtain initial token
[Figure: Requestor “Fred”, known as “Freddo@F123.com”, the B456.com IP, the Resource and the B456.com Pseudonym Service; steps 1–3.]
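Slides 25 to 33 describe two mechanisms that belong together: how an identifier is formed (static, static per target, one-time) and who may set, read or resolve a pseudonym in a given scope. The block below is an added example, not code from the slides, that implements both: the three identifier approaches, a pseudonym store in which a domain may set and fetch only pseudonyms in its own scope (Examples 1 and 2), and resolution of a presented pseudonym back to the principal before a token is issued (Example 3). Deriving the per-target identifier with a keyed hash, the IP key and the domain names used are constructed assumptions.

```python
"""Added example: the identifier approaches and a scoped pseudonym store.
Keyed-hash derivation of per-target identifiers is an assumption, not the spec's method."""
import hashlib
import hmac
import secrets

class PseudonymService:
    def __init__(self, key):
        self._key = key          # IP/STS secret; never leaves the service
        self._names = {}         # (scope, principal) -> pseudonym

    # --- identity approaches (slide 25) ---------------------------------------
    def static_identifier(self, principal, target):
        # the same value for every target, so targets can correlate the user
        return principal + "@STS"

    def per_target(self, principal, target):
        # stable for one target, unlinkable across targets without the key
        mac = hmac.new(self._key, (principal + "|" + target).encode(), hashlib.sha256)
        return mac.hexdigest()[:8].upper()

    def one_time(self):
        # fresh on every request; nothing to correlate, even within one target
        return secrets.token_hex(8)

    # --- scoped pseudonym store: a domain owns its own scope (slides 28-33) ----
    def set_pseudonym(self, caller, scope, principal, pseudonym):
        """Example 1: the service for `scope` records the pseudonym it uses."""
        if caller != scope:
            raise PermissionError(f"{caller} may not write pseudonyms for {scope}")
        self._names[(scope, principal)] = pseudonym

    def get_pseudonym(self, caller, scope, principal):
        """Example 2: the service for `scope` fetches the pseudonym for a principal."""
        if caller != scope:
            raise PermissionError(f"{caller} may not read pseudonyms for {scope}")
        return self._names.get((scope, principal))

    def resolve(self, scope, pseudonym):
        """Example 3: the IP maps a pseudonym presented in a token request back to the principal."""
        for (s, p), n in self._names.items():
            if s == scope and n == pseudonym:
                return p
        return None

def pseudonym_scenario():
    svc = PseudonymService(b"constructed-ip-key")
    a123 = svc.per_target("Fred", "B456.com")
    out = {
        "static_linkable": svc.static_identifier("Fred", "B456.com") == svc.static_identifier("Fred", "F123.com"),
        "per_target_stable": a123 == svc.per_target("Fred", "B456.com"),
        "per_target_unlinkable": a123 != svc.per_target("Fred", "F123.com"),
        "one_time_fresh": svc.one_time() != svc.one_time(),
    }
    svc.set_pseudonym("B456.com", "B456.com", "Fred", "A123@B456.com")     # Example 1
    svc.set_pseudonym("F123.com", "F123.com", "Fred", "Freddo@F123.com")
    out["fetched_by_owner"] = svc.get_pseudonym("B456.com", "B456.com", "Fred")   # Example 2
    try:
        svc.get_pseudonym("F123.com", "B456.com", "Fred")                    # another domain's scope
        out["cross_scope_read"] = "allowed"
    except PermissionError:
        out["cross_scope_read"] = "denied"
    out["resolved"] = svc.resolve("F123.com", "Freddo@F123.com")             # Example 3
    out["unknown_pseudonym"] = svc.resolve("B456.com", "Freddo@F123.com")
    return out

if __name__ == "__main__":
    for name, value in pseudonym_scenario().items():
        print(f"{name:22s} {value}")
```

The scope check in `get_pseudonym` is what keeps the per-target property from being undone by the store itself: if F123.com could read the B456.com mapping, the two resources could link their views of Fred through the pseudonym service even though the identifiers they were issued are unlinkable.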

Page 34: WS-Federation

Active (Smart Client) Profile
- Describes options for SOAP-enabled clients
- Varied models based on policy: business needs; inter-organization relationships; regulations
- Strong authentication of all requests

Page 35: WS-Federation

Example Flow (SOAP)
[Sequence diagram: Requesting Service, Requestor’s IP/STS, Target Service, Target’s IP/STS. Messages: Acquire policy, Request token, Return token, Request token, Return token, Send secured request, Return secured response.]

Page 36: WS-Federation

Passive Profile
- Describes options for browser clients: URL-only GET; POST body; cookies (a custom caching mechanism)
- Uses redirection to effect messages
- Should conform as closely as possible to WS-Trust protocols

Page 37: WS-Federation

Example Flow (Browser)
[Sequence diagram: Requesting Browser, Requestor’s IP/STS, Target Resource, Target’s IP/STS. Messages: Get resource, Detect realm, Redirect to resource’s IP/STS, Redirect to requestor’s IP/STS, Login, Return identity token, Return resource token, Return secured response.]

Page 38: WS-Federation

WS-Federation Features
- Cross-domain trust federation
- Generic token acquisition
- Enables different trust topologies
- Single Sign-On / Sign-Off
- Identity Protection and Privacy
- Attributes and Pseudonyms
- End-to-end security: no HTTPS required

Page 39: WS-Federation

WS-Federation Summary
- Integrates with existing infrastructures: business model; token formats; attribute stores; directory services
- Together with the other WS-* specifications, provides a rich fabric for building secure, reliable, transacted systems across federation boundaries

Page 40: WS-Federation

Basic Trust Federation Demo
- 3 Participants: Client, Service, STS
- No trust relationship between Client (requestor) and Service (resource)
- Client and Server trust the STS
- Uses WSE 2.0: supports WS-Security, WS-Policy, WS-SecurityPolicy, WS-Trust, WS-SecureConversation, and WS-Addressing

Page 41: WS-Federation

Optional Extensions of Demo
- Token Validation
- Mapping with WS-Addressing

Page 42: WS-Federation

Primary References
- WS-Federation Feedback Workshop: these workshop slides provide an overview of WS-Federation. http://www-106.ibm.com/developerworks/offers/WS-Specworkshops/ws-fed200311.html
- Federation of Identities in a Web Services World: this whitepaper discusses using WS-Federation to federate identities across trust domains. http://msdn.microsoft.com/ws-federation/

Page 43: WS-Federation

Secondary References
- Web Services Federation Language (WS-Federation): the complete WS-Federation specification. http://msdn.microsoft.com/ws/2003/07/ws-federation/
- WS-Federation: Active Requestor Profile: the specification for active profiles in WS-Federation. http://msdn.microsoft.com/ws/2003/07/ws-active-profile/
- WS-Federation: Passive Requestor Profile: the specification for passive profiles in WS-Federation. http://msdn.microsoft.com/ws/2003/07/ws-passive-profile/