Introduction to Implementing XML web services authentication

1
Introduction to Implementing XML web services
authentication

• John Messing
• Law-on-Line, Inc.
• Prepared for Maricopa County ICJIS
• May 17, 2006

2
Legal Proving up audit trails

• Regulatory contexts (Sarbanes-Oxley)
• Evidence in court - In re Vee Vinhnee, 336 BR 437
  (BAP 9th Cir. 2005).
• Digital data base records offered into evidence
  must be established first as unchanged since
  creation through foundational testimony from a
  qualified witness, preferably aided by
  cryptographic protections.

3
SAML and WSS related OASIS standards

• Not yet interoperable
• But WSS includes a SAML profile

4
SAML

• Authentication for
• Access control
• Audit purposes
• Used with
• Web browsers
• SOAP messages

5
WSS

• Protections for SOAP messages on the wire
• Defines bindings for W3C XML encryption and XML
  signatures to SOAP messages
• Conveys security tokens in SOAP headers for
  credentialing, integrity and confidentiality
• WSS profiles
• Kerberos tickets
• X.509 certificates
• Username/Password tokens
• SAML Assertions
• XRML Licenses

6
Limited protection

• For data in transit between the end users
  machine and the web service.
• No protection against malware on the users
  machine that hijacks a legitimate authentication.
  
• Serious Internet banking problem
• May need also to capture and data-mine usage
• Not yet addressed by standards

7
Scope

• SAML
• authentication for single sign-on purposes
• includes web browsing in addition to SOAP
• WSS
• Broader purposes such as digital rights
  protection, but includes only SOAP

8
Techniques

• WSS places SAML token inside the header to
  authenticate the SOAP body.
• In SAML itself, the assertion resides in the SOAP
  body, to authenticate the user.
• Since SAML 2.0, attributes can be encrypted, so
  features are otherwise comparable in many ways.
• NB Signing, encryption, and Base64 encoding in
  addition XML parsing are processor-intensive
  operations that can limit the scalability of SOA
  implementations.

9
Usefulness

• Federated authentication can be indispensable
  across security domains.
• SAML generally is more mature than WSS
• MS opposes SAML except as part of WSS
• WS-I.org implementation vetting efforts by
  vendors supporting WSS
• SAML and WSS each seem compatible with GJXML,
  NIEM and ECF 3.x

10
Security Token Service

• Brokered authentication to mediate
  non-interoperable security methods and update
  diverse security data stores.
• Relies on WS-Trust and WSS SAML profile
• Useful where DotNet implementations interact with
  non-MS web services in SOA
• Custom built or proprietary solutions

11
Document security

• SAML and WSS do not address document level
  security.
• Acrobat 5 and OASIS DSS do.
• ECF 3.0 provides for document level security (5
  signature profiles) and allows for optional
  messaging layer security using WS-I BP 1.0 (WSS
  derived)

12
Related presentations

• SAML update
• SAML animation
• WSS 1.1
• STS

13
IPR Considerations

• Open standards usually provide for an agreement
  to license proprietary intellectual property of
  vendors to participants that is needed to
  implement a standard.
• The terms are generally not self-executing.
• Requesting and obtaining licenses can be
  time-consuming and frustrating. But it must be
  done.
• E.g. WebMethod and Epicentric patent claims to
  SOAP 1.2.
• Obtain licenses from all vendor participants who
  agree to the use of their IPR in the standards.
• Understand the license terms and implications,
  including royalty obligations, before investing
  heavily.

14
End

• John Messing
• Law-on-Line, Inc.
• 5151 E. Broadway Blvd., Suite 1600
• Tucson, AZ 85711
• (520) 512-5432 (office)
• (520) 512-5401 (fax)
• (520) 270-1953 (mobile)
• johnmessing_at_lawonline.biz