![Thesis ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (20)
Similar a FEDERATED IDENTITY AND WEB SERVICES
Similar a FEDERATED IDENTITY AND WEB SERVICES (20)
Más de webhostingguy
Más de webhostingguy (20)
FEDERATED IDENTITY AND WEB SERVICES
- 1. Web-services & Federated Identity ISSA- Motor City, March 18/04 Paul Madsen, Senior Security Consultant Entrust - Advanced Security Technologies
- 6. Multiple Identities to manage XML-DSIG SOAP SSL/TLS WAP XML SAML HTTP XML Enc WSDL WSS UDDI App 1 App 2 App 3 Domain 1 Domain 2 User Identity Invoker Identity Intermediary Identity Trusted 3 rd Party Identity
- 8. Basic Web Services Model client service execution SOAP
- 9. Basic Web Services Model client service service development client development development execution distribution WSDL UDDI SOAP
- 10. Security Components client service service development client development development security execution distribution WSDL UDDI Services Proxy Gateway Proxy
- 12. Today client service service development client development development security execution distribution Gateway Gateway
- 13. Future client service service development client development development security execution distribution Gateway Gateway WS-Policy +
- 17. Flow Sec-WSDL WSDL UDDI Query Sec-WSDL WSDL SOAP Sec-SOAP + policy Sec-SOAP SOAP SOAP SOAP Client Security Registry Security Service
- 19. What is Network Identity? A Network Identity is a user ’s overall global set of attributes constituting their various accounts
- 25. Dependencies MSFT/IBM OASIS Liberty WS-Fed (7/8/03) WS-Security 4/5/02) Phase 1 ID-FF 1.1 (1/15/03) Phase 1 ID-FF 1.0 (7/15/02) SAML 1.0 (11/5/02) SAML 1.1 (9/2/03) Phase 1 ID-FF 1.2 (11/12/03) Phase 2 ID-WSF 1.0 (11/12/03) WS-Trust (12/18/02) Phase 3 (08/04) WSS (2/04) 2003 2004 SAML 2.0 (6/04)
- 30. SAML & Liberty overlap
- 39. Request/Response <s:Body> <ep:Query> <ep:ResourceID> http://eip.acme.com/sdfjs78 </ep:ResourceID> <ep:QueryItem itemID="type"> <ep:Select>/ ep:EP/ep:EmployeeType </ep:Select> </ep:QueryItem> </ep:Query> </s:Body> <s:Body> <ep:QueryResponse> <ep:Status code="ep:OK"/> <ep:Data itemIDRef="type"> <ep:EmployeeType> JuniorPurchasingAgent </ep:EmployeeType> </ep:Data> </ep:QueryResponse> </s:Body> Request Response
Notas del editor
- This presentation is intended to facilitate discussion about Entrust’s role in securing the Web-services architecture.
- Basic Web-services model SOAP intermediaries may exist in the message path, including in the DMZ Security functions may be performed by a SOAP intermediary
- Basic Web-services model SOAP intermediaries may exist in the message path, including in the DMZ Security functions may be performed by a SOAP intermediary
- Basic Web-services model SOAP intermediaries may exist in the message path, including in the DMZ Security functions may be performed by a SOAP intermediary
- Disadvantages Sensitive information, such as private keys sitting in the DMZ Doesn’t protect applications and data and control access to services from within the perimeter A bottleneck: even messages for low-traffic internal services have to traverse go through this control point Advantages – Enforces a strong security policy for the internal network
- Today – policy administrators have to collaborate off-line to ensure compatible policies are implemented at client and service. If an end-point deals with many other end-points, then this collaboration could become burdensome.
- One possible solution, particularly likely for B2B applications, the policy administrator in the service domain dictates policy. The client domain simply accepts the policy dictated to it. Some aspects of policy are solely a local matter, e.g. audit policy.
- App server vendors may provide application firewalls for their own environments. These may have policy consoles, but they won’t be consistent with the SOAP gateway interfaces.
- What is Network Identity? Purpose: To give the audience an idea of what network identity is. Bottom Line Message: Our ‘identity’ involves a lot of personal information about us that is very important to us. We maintain our identity and personal information in many places on the Internet. This represents both a convenience and a challenge. This page provides a definition of what is meant by user identity. You can talk about things such as: Non-network identity - look at how many cards you have in our wallet or purse – each is a separate identity Driver’s license, credit cards, ATM cards, auto insurance cards, employee identification, health insurance cards, motor club cards, membership cards, long distance cards, frequent flyer or hotel cards, etc. Think of all the information about you that exists behind each of these identities Think of all the different places where you maintain identity that is not in your wallet or purse Employment file, health records at your doctors and hospitals, web site accounts, etc
- What is Network Identity? Purpose: To demonstrate the different types of identity and personal information that we establish on the Internet and the challenges that maintaining this information on different sites creates. Bottom Line Message: It is difficult, insecure, and an inconvenience to maintain all these identities, user names and passwords, and personal information on multiple sites on the Internet. This slide builds It starts with the title only and then the definition from the last page fades in, with the column to the right empty You need to ‘page down’ or click to have the column fill in with examples of different potential network identities that automatically phase in and are provided in three sections You need to ‘page down’ or click again to have those examples disappear and three bullet points appear one after the other with related points These bullets can be explained stating such things as: When users set up accounts on the Internet, they often tailor each site to meet their own preferences, including different user names and passwords Sometimes these are different and sometimes they are the same from site to site Users have a hard time remembering what they entered in each individual site, especially user names and passwords Users have to maintain the same personal information at multiple sites and when that information changes, they have to change it at each individual site or risk incorrect information existing with different accounts Keeping track of all of this is very difficult