Title: The world of Assertions in XML
1 The world of Assertions in XML Web Services
- Krishna Sankar
- ksankar_at_cisco.com
2 Agenda
- Introduction
- SAML
- Scenario
3 Assertions (SAML)
[Diagram: Assertions (SAML): AuthC, AuthZ; Authorizations (XACML): AccessC, Policies; SPML; XrML; DRM; WS-Security; Web Svcs]
5 WS-XXX Processing Model: Putting it on the wire is not enough
[Diagram: Trust Model; Web Service End Point Policy; WS-Policy, WS-Trust, WS-Privacy; Secure Conversation, Federation, Authorization; Privacy Model]
6 19th Annual Tech Ex Awards, November 19, 2002
Protocols Winners: SAML, WS-Security
Securing Web services is no easy task. The same virtues that make Web services so promising for e-business (they're platform-independent, text-based, and self-describing) create major security concerns, giving pause to businesses considering a move to the hot new interoperability technology. Two standards are emerging to secure Web services: Security Assertion Markup Language (SAML) and WS-Security, both proposals submitted to OASIS.
8 [Diagram: Definition, Description, Discovery; Blocks, Processing rules, Extensibility, Security; Grid ?]
9 Context
10 What is SAML?
- XML based framework
- A set of XML vocabularies for
  - Authentication Assertion
  - Attribute Assertion
  - AuthZ decision Assertion
  - Session Assertion (Future)
  - Credential Assertion (Future)
- So that data traveling on the wire is standardized
11 What is SAML?
- A standard message exchange protocol
- Clarity in orchestrating how you ask for and get the information you need
- Rules for how the messages ride on and in transport protocols
- For better interoperability
12 In Short, SAML is
- A standard way of exchanging security related data across heterogeneous, distributed systems crossing domain (geographical, namespace, temporal, spatial, organizational, ...) boundaries
13 Policies / Models
[Diagram: Authentication Authority, Attribute Authority, Session Authority, Policy Decision Point, Credentials Collector; Session Assertion, Credential Assertion, AuthZ Decision Assertion, Attribute Assertion, Authentication Assertion; Credentials; System / Entity / Principal; Policy Enforcement Point]
14 SAML assertions
- Assertions are declarations of fact, according to someone
- SAML assertions are compounds of one or more of three kinds of statement about a subject (human or program)
  - Authentication
  - Attribute
  - Authorization decision
- You can extend SAML to make your own kinds of assertions and statements
- Assertions can be digitally signed
15 All statements in an assertion share common information
- Issuer ID and issuance timestamp
- Assertion ID
- Subject
  - Name plus the security domain
  - Optional subject confirmation, e.g. public key
- Conditions under which the assertion is valid
  - SAML clients must reject assertions containing unsupported conditions
  - Special kind of condition: assertion validity period
- Additional advice
  - E.g., to explain how the assertion was made
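The two slides above (statement kinds in slide 14, and the shared assertion information and the rules for conditions in slide 15) describe what a consumer has to check before trusting an assertion. The following is an added example, not code from the presentation or from any SAML implementation: a small SAML 1.x assertion checker in Python that reads the shared header fields, enforces the validity period and audience restriction, rejects any condition it does not understand, and classifies the statements it finds. The assertion itself is constructed for the example (the issuer, audience, IDs and timestamps are made up), and the consumer deliberately knows only the audience restriction condition, so a SAML 1.1 `DoNotCacheCondition` injected into the same assertion is rejected as unsupported. Signature verification is out of scope for this example.

```python
"""Added example (not from the slides): a minimal SAML 1.x assertion checker.

It reads the information every assertion carries (issuer, issue instant,
assertion ID, subject, conditions), applies the slide's rule that a consumer
must reject an assertion whose <Conditions> contain an element it does not
understand, and classifies the statements the assertion contains.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Conditions this consumer knows how to evaluate. Anything else inside
# <Conditions> is "unsupported" and forces rejection of the whole assertion.
SUPPORTED_CONDITIONS = {f"{{{SAML_NS}}}AudienceRestrictionCondition"}

# The three statement kinds named on slide 14.
STATEMENT_KINDS = {
    f"{{{SAML_NS}}}AuthenticationStatement": "authentication",
    f"{{{SAML_NS}}}AttributeStatement": "attribute",
    f"{{{SAML_NS}}}AuthorizationDecisionStatement": "authorization-decision",
}

# Constructed sample assertion: issuer, audience, ID and times are made up.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    MajorVersion="1" MinorVersion="0"
    AssertionID="example-assertion-0001"
    Issuer="https://idp.example.test"
    IssueInstant="2002-11-19T10:00:00Z">
  <saml:Conditions NotBefore="2002-11-19T10:00:00Z"
                   NotOnOrAfter="2002-11-19T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2002-11-19T09:59:58Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.test">alice</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Same assertion with a condition this consumer does not implement
# (DoNotCacheCondition exists in SAML 1.1, but our checker is 1.0-only).
SAMPLE_WITH_UNKNOWN_CONDITION = SAMPLE_ASSERTION.replace(
    "</saml:Conditions>", "<saml:DoNotCacheCondition/></saml:Conditions>"
)


def parse_instant(value):
    """Parse the xsd:dateTime form 'YYYY-MM-DDThh:mm:ssZ' used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, audience, now, clock_skew=timedelta(seconds=0)):
    """Return (accepted, reason, summary) for one SAML 1.x assertion.

    Checks, in order: the shared header fields, the validity window,
    unsupported conditions, the audience restriction, and that at least
    one statement is present.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion", {}

    summary = {
        "issuer": root.get("Issuer"),
        "issue_instant": root.get("IssueInstant"),
        "assertion_id": root.get("AssertionID"),
        "subjects": [],
        "statements": [],
    }
    if not all((summary["issuer"], summary["issue_instant"], summary["assertion_id"])):
        return False, "missing issuer, issue instant or assertion ID", summary

    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + clock_skew < parse_instant(not_before):
            return False, "assertion not yet valid", summary
        if not_on_or_after and now - clock_skew >= parse_instant(not_on_or_after):
            return False, "assertion expired", summary
        # Slide 15: reject the assertion if any condition is unsupported.
        for child in cond:
            if child.tag not in SUPPORTED_CONDITIONS:
                return False, f"unsupported condition {child.tag}", summary
        audiences = [a.text for a in
                     cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if audiences and audience not in audiences:
            return False, "audience restriction not satisfied", summary

    # Classify statements and collect the subject (name plus security domain).
    for stmt in root:
        kind = STATEMENT_KINDS.get(stmt.tag)
        if kind is None:
            continue  # Conditions, Advice, Signature: not statements
        summary["statements"].append(kind)
        name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
        if name_id is not None:
            summary["subjects"].append((name_id.get("NameQualifier"), name_id.text))
    if not summary["statements"]:
        return False, "assertion carries no statement", summary
    return True, "ok", summary


if __name__ == "__main__":
    now = parse_instant("2002-11-19T10:02:00Z")
    for label, doc in (("valid", SAMPLE_ASSERTION), ("unknown-condition", SAMPLE_WITH_UNKNOWN_CONDITION)):
        print(label, validate_assertion(doc, "https://sp.example.test", now)[:2])
```

The checker deliberately fails closed: an assertion is accepted only when every condition is one the consumer implements and the validity window and audience both match, which is the behaviour slide 15 requires of SAML clients.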
16 Assertion structure
18 JSR 155: Web Services Security Assertions
- Distributed Assertion Framework
- Elements
  - Assertions (SAML) SPI
  - Req/Response (SAML)
  - Authorities (Model, SPI)
  - Protocol (SOAP, JAX-RPC)
  - Web Services Security
  - Use cases (Distributed Security)
19 Scenario
20 Widely Distributed AuthC / AuthZ
- Collaboration across multiple, independent and geographically dispersed stakeholders
- Stakeholders able to enforce policies even when controlled by different administrative domains
- Traditional ACLs
  - Cannot scale; cause too many errors
  - Multiple layers of management would impose restrictions
Courtesy of DOE report LBNL-42928, Certificate-based Access Control for widely distributed resources
21 Effective permission
22 [Diagram: SAML, XACML]
Courtesy of DOE report LBNL-41349, Authorization Attribute Certificates for Widely Distributed Access Control
23 Hot From the Press
- Web-Services Security Quality of Protection
  - How actors are to be authenticated, using what mechanisms and with what parameter value ranges,
  - Which XML elements are to be encrypted, for what individual recipients, recipient roles or keys, using what algorithms and key sizes,
  - Which XML elements are to be integrity protected, using what mechanisms, with which algorithms and key sizes, and
  - What additional qualifications the service consumer must demonstrate in order to successfully access the API".
24 Web-Services Security Quality of Protection
- This is a relatively restrictive use of the term "security policy". A more comprehensive definition addresses such requirements as
  - Privacy (retention period, intended usage, further disclosure),
  - Trust (initial parameters of the signature validation procedure, including those keys or authorities that are trusted directly, policy identifiers, maximum trust path length), and
  - Non-repudiation (requirements for notarization and time-stamping).
25 Extensible Name Service (XNS) Technical Committee
- The purpose of this committee is to continue work on the XNS digital identity protocol
- The goal of XNS is to provide an open, extensible, federated Web services infrastructure for digital identity and relationship management including naming, addressing, describing, asserting, and linking of digital identities and their attributes. XNS can be used to represent all participants in Web services, including people, organizations, applications, devices, documents, schemas, and other digital objects.
- The XNS specifications are based on the IETF URI/URN specifications, the W3C XML and Web services specifications, and the OASIS Security Services TC
26 Introduction
- Krishna Sankar is currently with Cisco Systems as a Distinguished Engineer in their Customer Advocacy Organization. He has about 20 years of experience ranging from software architecture development to industrial engineering to author, speaker, entrepreneur and technology evangelist. He has worked with many organizations including US Air Force, Navy, HP, Qantas, Air Canada and Ford.
- His security experience includes work in information infrastructure security, role based access control systems, distributed services framework and the CISSP security certification. He has been speaking at conferences on XML Security as well as contributing to security (and XML) standards.
- He is an elected member of the OASIS Technical Advisory Board, elected member of the Java Executive Committee, Editor of the Grid Authorization working group, and Editor of the Digital Signature Services technical committee
- He is also involved in European Union Network and Information Security Infrastructure initiatives.
- His technology interests include Adaptive Networking, Grid computing, XML web services standards, distributed security, Linux kernel security, and web service/web process networks for e-commerce (dynamic configurable multi-partner trading networks). Krishna lives in Silicon Valley with his wife Usha and son Kaushik.
27 Questions?