WS-Trust Joseph Calandrino Vincent Noël Department of Computer Science University of Virginia February 9, 2004.

WS-Trust

Joseph CalandrinoVincent Noël

Department of Computer ScienceUniversity of Virginia

February 9, 2004

Motivation

A SOAP message protected by WS-Security presents three possible issues with regards to security tokens:

• Security token format incompatibility

• Security token trust

• Namespace differences

Introduction

WS-Trust addresses these issues by:

• Defining a request/response protocol– Client sends RequestSecurityToken– Client receives RequestSecurityTokenResponse

• Introducing a Security Token Service (STS)

WS-Trust Model

STS Functions

A Security Token Service allows:

• Token Exchange

• Token Issuance

• Token Validation

Request – Challenge Operation

Client STS

Client requests token from STS

STS sends a challenge to Client

Client sends an answer to STS

STS sends token(s) to Client

Example

WS-Trust Example• Client understands

X.509 certificates only

• Service understands SAML only

• No established trust between Client and Service

* Based on http://webservices.xml.com/lpt/a/ws/2003/06/24/ws-trust.html

WS-Trust Example

• The Security Assertions Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.

SAML - Reminder

WS-Trust Example – message 1• SOAP client sends initial request to SOAP service:

<soap:Envelope> <soap:Header><ws:Security>

<ws:BinarySecurityToken id="X509token" ValueType="X.509"> sdfOIDFKLSoidefsdflk …

</ws:BinarySecurityToken> <ds:Signature> <ds:Reference><ds:Ref URI="#PO"/>

</ds:Reference> <ds:SignatureValue>akjsdflaksf

</ds:SignatureValue> <ds:KeyInfo> <ws:BinarySecurityTokenReference URI="#X509token"/>

</ds:KeyInfo> </ds:Signature>

</ws:Security></soap:Header><soap:Body>

<po:PurchaseOrder ID="PO"/></soap:Body></soap:Envelope>









Identity of Client established through XML signature









Identity of Client established through XML signature….

Keyed through X.509 certificate

WS-Trust Example – message 2• SOAP gateway recognizes that it must map to SAML, so it contacts the STS

<soap:Envelope><soap:Header>

<ws:Security>


<wstrust:RequestSecurityToken><wstrust:TokenType>SAML</TokenType><wstrust:RequestType>ReqExchange</RequestType><wstrust:OnBehalfOf><ws:BinarySecurityToken id="originaltoken"ValueType="X.509>

sdfOIDFKLSoidefsdflk …</ws:BinarySecurityToken>

</wstrust:OnBehalfOf></wstrust:RequestSecurityToken>

</soap:Body></soap:Envelope>


<ws:Security>






The RequestSecurityToken object is the core of this request…


<ws:Security>






... Which is asking for a SAML token…


<ws:Security>






... Which is asking for a SAML token in exchange for the provided X.509 token.

WS-Trust Example – message 3• The STS sends back the token in the requested format

<soap:Body><wstrust:RequestSecurityTokenResponse><wstrust:TokenType>SAML</TokenType><wstrust:RequestedSecurityToken><saml:Assertion AssertionID="2se8e/vaskfsdif="Issuer="www.sts.com"IssueInstant="2002-06-19T16:58:33.173Z"><saml:Conditions NotBefore="2002-06-19T16:53:33.173Z"NotOnOrAfter="2002-06-19T17:08:33.173Z"/>

<saml:AuthenticationStatement AuthenticationMethod= "urn:oasis:names:tc:SAML:1.0:am:X.509"AuthenticationInstant="2002-06-19T16:57:30.000Z"><saml:Subject>

...converted client identifier...</saml:Subject>

</saml:AuthenticationStatement><ds:Signature><-- calculated by STS --></ds:Signature>

</saml:Assertion></wstrust:RequestedSecurityToken>

</wstrust:RequestSecurityTokenResponse></soap:Body>







The SAML assertion is returned







The new client identifier is used

WS-Trust Example – message 4• The gateway formats and send the message for the service

<ws:Security><saml:AssertionAssertionID="2se8e/vaskfsdif=“ Issuer="www.sts.com"IssueInstant="2002-06-19T16:58:33.173Z"><saml:ConditionsNotBefore="2002-06-19T16:53:33.173Z"NotOnOrAfter="2002-06-19T17:08:33.173Z"/><saml:AuthenticationStatement AuthenticationMethod= "urn:oasis:names:tc:SAML:1.0:am:X.509"AuthenticationInstant="2002-06-19T16:57:30.000Z"><saml:Subject><saml:NameIdentifier>Client</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>

urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>

</saml:SubjectConfirmation></saml:Subject>


</saml:Assertion></ws:Security>






The SAML Assertion is inserted






The ConfirmationMethod is sender-vouches

Conclusion

• WS-trust address the security token needs of SOAP messages secured using WS-security.– Format: An STS is used to exchange tokens

into formats understandable by recipients– Trust: The STS issues signed tokens forming

the basis of trust for entities with which it has formed a trust relationship.

– Namespace: The STS will return tokens in appropriate syntax for the recipient.

Credits

• WS-trust spec:

http://www-106.ibm.com/developerworks/library/ws-trust/(Copyright© (c) 2001, 2002 International Business Machines Corporation, Microsoft Corporation, RSA Security Inc., VeriSign Inc. All rights reserved. )

• XML.com WS-trust overview

http://webservices.xml.com/lpt/a/ws/2003/06/24/ws-trust.html

http://www-106.ibm.com/developerworks/library/ws-trust/



WS-Trust Joseph Calandrino Vincent Noël Department of Computer Science University of Virginia February 9, 2004.

Documents

sts sts

basis of trust

trust relationship

security tokens

soap client

wstrust overviewhttp

usedwstrust example

sts issues