Identity Driven SOA
Policy-based enforcement of machine-to-machine authentication/authorization in a SOA
The Problem: Machine Identities in a SOA

In recent years, there has been a push among large organizations to centralize the administration of user identities and their associated access privileges to corporate resources. A key driver for identity and access centralization is security compliance. By regulating and tracking what resources a user accesses, Identity and Access Management products give corporations assurance that users are both authentic and restricted to those resources to which they are entitled.

However, the problem of centrally controlling and auditing an identity's access to an application resource is not limited to user-machine interactions. SOA is predicated on the ability of a machine-based client application to call a machine-based service. Identities therefore belong to machines, not people. This complicates how identities go about proving who they claim to be and what resources they can access. First, a client application must establish who it is using some kind of electronic credential and then pass this credential to a target service in a format it understands. Then every intermediary must be able to authenticate the requesting client before passing evidence that the client is who it claims to be down to the target service. Finally, the target service must be able to determine whether the requestor is who it claims to be, based on credentials or intermediary evidence, before deciding whether it is authorized to call a service or sub-operation. Current-generation Identity and Access Management solutions can't address these requirements alone.

Solution: Augmenting Machine Identities with Policy

Identity and Access Management products are available from several vendors including IBM, Oracle, CA, Sun, Microsoft, Novell, RSA and others. All can be extended to handle machine-based identities.
However, most don't natively support policies that accommodate access decisions based on service-specific parameters like URL address, SOAP Action, operation name or XML element. Moreover, none address the challenge of implementing an identity-based infrastructure in a SOA. This includes how digital certificates or tokens can be provisioned on a client application to prove identity; how credentials can be packed into a message based on a target service's expectations and capabilities; how intermediaries can consume credentials, make authentication decisions and pass evidence of that authentication downstream; and how a target service can quickly parse a service call to find credentials with which to make a policy decision. New technology is therefore necessary to help Identity and Access Management systems both define and enforce service-specific access policies.

Layer 7 Value: Policy-based Enforcement of Identity

The SecureSpan XML Firewall and VPN provide the most extensive identity-based SOA security on the market. The XML Firewall can be configured against diverse IAM and Single Sign-on products, so customers can leverage one or more existing policy decision points to make authentication and authorization decisions for their SOA. For scenarios requiring advanced credentialing, the SecureSpan Firewall can consume diverse credential types including Kerberos, SAML 1.1 / 2.0 and X.509 certificates to make authentication decisions. If new credentials need to be generated in turn for downstream access decisions, the SecureSpan Firewall can also either request a token from a Secure Token Service (STS) using WS-Trust or WS-Federation, or generate a SAML assertion through its internal SAML issuer. For deployments requiring federation of Web services, the SecureSpan XML VPN Client can be deployed alongside the SecureSpan XML Firewall. When installed in an external identity domain, the SecureSpan XML VPN Client can negotiate a security token with a local STS, bundle the token in a WS-* and WS-I compliant message and pass the message to the XML Firewall for processing and authentication.
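The flow described above (a client presents a credential, an intermediary authenticates it and forwards evidence of that authentication, and the access decision is made against a service-specific policy keyed on URL, SOAP Action and operation name) can be sketched as a small gateway-side policy enforcement point. The following is an added example written for this page, not code from Layer 7 or from the SecureSpan product. It assumes HMAC-signed client tokens as a stand-in for X.509 or SAML credentials, a made-up header namespace urn:example:gateway-security, constructed client keys and policy entries, and a gateway signing key used to mint downstream evidence in place of an STS-issued token.

```python
"""Added example: gateway policy enforcement for machine identities in a SOA."""
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Hypothetical namespace for the gateway's security header (not a WS-Security schema).
SEC_NS = "urn:example:gateway-security"

# Constructed client credentials: shared secrets stand in for certificates here.
CLIENT_KEYS = {"billing-client": b"billing-secret-key", "report-client": b"report-secret"}
# Constructed gateway key, used to sign evidence of authentication sent downstream.
GATEWAY_KEY = b"gateway-issuer-key"

# Service-specific policy: (URL path, SOAPAction, operation) -> identities allowed.
POLICY = {
    ("/services/Billing", "urn:billing:Charge", "ChargeAccount"): {"billing-client"},
    ("/services/Billing", "urn:billing:Query", "GetBalance"): {"billing-client", "report-client"},
}


def sign_token(client_id: str, issued_at: int, key: bytes) -> str:
    """Client side: produce 'id|issued_at|mac' proving possession of the client key."""
    mac = hmac.new(key, f"{client_id}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{client_id}|{issued_at}|{mac}"


def make_envelope(client_id: str, operation: str, issued_at: int, key: bytes = None) -> str:
    """Build a constructed SOAP 1.1 request carrying the client's token in the header."""
    key = CLIENT_KEYS[client_id] if key is None else key
    token = sign_token(client_id, issued_at, key)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:sec="{SEC_NS}">'
        f"<soap:Header><sec:Token>{token}</sec:Token></soap:Header>"
        f'<soap:Body><{operation} xmlns="urn:billing"/></soap:Body>'
        "</soap:Envelope>"
    )


def authenticate(token: str, max_age: int = 300, now=None):
    """Return the client id if the token is genuine and fresh, otherwise None."""
    try:
        client_id, issued_at, mac = token.split("|")
        issued_at = int(issued_at)
    except ValueError:
        return None
    key = CLIENT_KEYS.get(client_id)
    if key is None:
        return None
    expected = hmac.new(key, f"{client_id}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    if now - issued_at > max_age or issued_at > now + 30:  # stale or from the future
        return None
    return client_id


def issue_evidence(subject: str, operation: str, issued_at: int) -> str:
    """Gateway side: sign a compact assertion that the caller was authenticated."""
    claims = {"iss": "gateway", "sub": subject, "op": operation, "iat": issued_at}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(GATEWAY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_evidence(evidence: str):
    """Target service side: accept the gateway's evidence only if its MAC checks out."""
    payload, _, mac = evidence.rpartition(".")
    expected = hmac.new(GATEWAY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(payload)


def enforce(url_path: str, soap_action: str, envelope_xml: str, now=None) -> dict:
    """Authenticate the caller, authorize against the service-specific policy,
    and on success return downstream evidence for the target service."""
    now = int(time.time()) if now is None else now
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return {"decision": "deny", "reason": "malformed envelope"}
    token_el = root.find(f"{{{SOAP_NS}}}Header/{{{SEC_NS}}}Token")
    if token_el is None or not token_el.text:
        return {"decision": "deny", "reason": "no credential"}
    identity = authenticate(token_el.text.strip(), now=now)
    if identity is None:
        return {"decision": "deny", "reason": "authentication failed"}
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return {"decision": "deny", "reason": "missing operation", "identity": identity}
    operation = body[0].tag.rsplit("}", 1)[-1]  # local name of the first Body child
    allowed = POLICY.get((url_path, soap_action, operation), set())
    if identity not in allowed:
        return {"decision": "deny", "reason": "not authorized for operation",
                "identity": identity, "operation": operation}
    return {"decision": "allow", "identity": identity, "operation": operation,
            "evidence": issue_evidence(identity, operation, now)}
```

The policy key deliberately combines the URL path, the SOAPAction header and the operation element found in the Body, so a request whose SOAPAction does not match the operation it actually carries falls through to no policy entry and is denied; the evidence string is what the target service checks instead of re-authenticating the original credential.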
Resources
Download PDF | 196 KB
Solution Brief: Download PDF | 208 KB
Podcast: Play Podcast | 28 MB