Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE - FAU
Mar 31, 2015


Logan Laughton
Agenda

• Overview
• W3C definition
• Standards used
• Tools
• Architecture
• Security Assertion Coordinator Pattern


Definition

Software system identified by a URI (Uniform Resource Identifier) whose public interfaces and bindings are defined and described using XML. Its definition can be discovered by other software systems. These systems may then interact with the Web service in a manner prescribed by its definition, using XML based messages conveyed by Internet protocols. [W3C-1]


Example

Orbitarium Web Service: a web service for retrieving the astronomical positions of the Sun, Moon, and planets of the Solar System at the current time, or at any past, present or future date. The service is free to the public. [Orbit-1]

Note: The service is up and running and freely available to the public.


Standards

• UDDI: Universal Description, Discovery and Integration. Like yellow pages for Web Services. Service information. Can be public/global or private/local. [Uddi-1]

• WSDL: Web Services Description Language. XML based. Holds information such as the web service interfaces, access protocols and so on. Similar to IDL.

• SOAP: Simple Object Access Protocol. XML based. Uses HTTP as its means of transfer, making it easy to work with firewalls, since most firewalls allow HTTP.

• SAML: Security Assertion Markup Language. Uses assertions. Three types of assertion: authentication, attribute and authorization. Is used on top of SOAP.


Tools

Two types: Microsoft or Java based.

• MS .NET Studio
• Sun One Studio
• IBM WebSphere
• BEA WebLogic
• and many more…


Simple Architecture

[Figure: diagram with the components Client, UDDI Directory, WSDL, Service URI/URL, HTTP Server, Web Service and DB, an arrow labelled "SOAP Message", and the step "Find Service".]


Fig. Communication between SOAP client and server. [Prfct]


Role-based Security Assertion Coordinator Pattern

(by: Dr. Ed Fernandez, Mohammad Abushadi, Riaz Ahmed)

Intent: Seamless exchange of security data in a distributed environment while maintaining role-based access controls to resources in organizations.


Context: A distributed environment including heterogeneous systems and web services.

Problem:

• Current systems lack feasible solutions to the problem of providing precise access control to resources, often requiring custom-built approaches that may not be easy to upgrade or modify.

• The growth of the number of networked business partners and their processes requires a means to exchange security information in a standardized format that is flexible to change at the same time.

• Costs are involved in custom integration processes, where time becomes crucial in achieving a quicker time-to-market competitive advantage. Costs include developer cost and development time.


• The security of the shared data becomes another concern. Consistency of data exchange has to be assured.

• Interoperability of systems across various implementation platforms stands as a significant obstacle.

• Adding a new layer of security verification policies often proves tedious and costly in the current systems.


Problem:

• Distributed systems are in great need of integrating their inner processes that share commonly used data. Exchange of security-related data in particular poses an important problem when the issue of interoperability is of concern. Organizations must be able to easily add new security layers across the distributed environment with few changes.

• Distributed environments must not resort to expensive global custom code changes in order to reflect new changes in security policies or data structure.

• Organizations in the distributed environment must have the ability to quickly achieve higher, more refined levels of security data control for better adherence to the continuously changing nature of organizational business rules.

• Each online destination site often has its own custom-made authentication system.


Solution:

Exchange security information using a standard. In particular, manage security data in the form of XML-based SAML assertions using the SOAP protocol over HTTP.
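
A sketch of the receiving side of this exchange, added here as an illustration and not taken from the slides: a coordinator reads a SAML 1.x attribute assertion from the header of a SOAP 1.1 message and makes a role-based access decision. The issuer URL, role names, policy table and the placement of the assertion directly in the SOAP header are assumptions, and the assertion's XML signature is assumed to have been verified before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}       # SAML 1.x assertions

# Constructed sample: a SOAP request whose header carries a SAML attribute assertion.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
 <soap:Header>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1"
      Issuer="https://idp.partner.example" IssueInstant="2003-06-10T11:55:00Z">
   <saml:Conditions NotBefore="2003-06-10T11:55:00Z" NotOnOrAfter="2003-06-10T12:05:00Z"/>
   <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attributes">
     <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </soap:Header>
 <soap:Body><getLedger xmlns="urn:example:ledger"/></soap:Body>
</soap:Envelope>"""

# Hypothetical coordinator policy (assumed names, not from the slides).
TRUSTED_ISSUERS = {"https://idp.partner.example"}
ROLE_PERMISSIONS = {"auditor": {("ledger", "read")}, "clerk": {("ledger", "read"), ("ledger", "write")}}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def authorize(envelope_xml, resource, action, now):
    """Return (allowed, reason); signature verification is assumed done upstream."""
    assertion = ET.fromstring(envelope_xml).find("soap:Header/saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    if assertion.get("Issuer") not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or None in (cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        return False, "no validity window"
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return False, "outside validity window"
    roles = {(v.text or "").strip() for v in assertion.iterfind(
        "saml:AttributeStatement/saml:Attribute[@AttributeName='role']/saml:AttributeValue", NS)}
    for role in sorted(roles):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True, "granted via role " + role
    return False, "role not permitted"
```

Every failure path denies: a missing assertion, an unknown issuer, an absent or expired validity window, and a role with no matching permission all return False with the reason.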


Consequences:

• Benefits:
  • Centralized data exchange
  • Standardized approach
  • Role-based access
  • Extensibility

• Liabilities:
  • Complex to implement
  • Computationally expensive


Variants:

1. Single Sign On

2. Back Office Transactions


Credits

• [W3C-1] http://www.w3.org/TR/2003/WD-ws-gloss-20030514/
• [Orbit-1] http://www.orbitarium.com/
• [Uddi-1] http://www.uddi.org
• [Prfct] http://www.perfectxml.com/articles/xml/interop.asp