SlideShare uma empresa Scribd logo

WS-Trust

Transferir como PPTX, PDF
Prabath Siriwardena
Prabath Siriwardena

WS-Trust

EducaçãoTecnologia
1 de 53
Portable Identity & WS - Trust Prabath Siriwardena Director, Security Architecture
Portable Identity • When a subject identity established and verified in one trust domain wants to assert its identity and rights in another trust domain, this is said to be portable. • An assertion is a claim that may be challenged and proven before being believed. • Authentication is an assertion that a subject is who he claims to be. • Authorization is an assertion that the subject identity is allowed to perform a specific action.
Portable Identity & SOAP • When two entities with different trust models want interact , SOAP has no standardized and interoperable way to communicate their security properties. • Because SOAP messages are sent from one trust domain to another, the identity of the requesting subject and its assertions must travel with the message.
SAML • SAML is the XML based standard created to enable portable identities and the assertions these identities want to make. • SAML not tied in to any transport. • Defines a standard message exchange protocol. • Specifies how it is transported.
SAML • SAML is fundamentally three XML-based mechanisms. – Assertions (An XML schema and definition security assertions). – Protocol (An XML schema for request/response protocol). – Bindings (Rules for using assertions with standards transport and messaging frameworks).
SAML Assertions • SAML defines three types of assertions. – Authentication – Authorization – Attributes
SAML Encrypted Assertions • The <EncryptedAssertion> element represents an assertion in encrypted fashion, as defined by the XML Encryption Syntax and Processing specification . The <EncryptedAssertion> element.
SAML • SAML is fundamentally three XML-based mechanisms. – Assertions (An XML schema and definition security assertions). – Protocol (An XML schema for request/response protocol). – Bindings (Rules for using assertions with standards transport and messaging frameworks).
SAML and WS-Security WS-Security has a security extension to SOAP, specifies SAML assertions as one of the types of security tokens it supports in the SOAP header.
SAML and WS-Security <S12:Envelope xmlns:S12="..."> <S12:Header> <wsse:Security xmlns:wsse="..."> <saml:Assertion xmlns:saml=”… AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc” IssueInstant="2003-04-17T00:46:02Z” Issuer=www.opensaml.org MajorVersion="1“ MinorVersion="1"> <saml:AuthenticationStatement> <saml:Subject> <saml:NameIdentifier NameQualifier="www.example.com" Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName”> uid=joe,ou=people,ou=saml-demo,o=baltimore.com </saml:NameIdentifier> <saml:SubjectConfirmation> <saml:ConfirmationMethod> urn:oasis:names:tc:SAML:1.0:cm:bearer </saml:ConfirmationMethod> </saml:SubjectConfirmation> </saml:Subject> </saml:AuthenticationStatement> </saml:Assertion> </wsse:Security> </S12:Header> <S12:Body> .. . </S12:Body> </S12:Envelope>
SAML and WS-Security <S12:Envelope xmlns:S12="..."> <S12:Header> <wsse:Security xmlns:wsse="..."> <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <xenc:EncryptedData> <xenc:EncryptedData> </EncryptedAssertion> </wsse:Security> </S12:Header> <S12:Body> .. . </S12:Body> </S12:Envelope>
SAML and WS-Security <S12:Envelope xmlns:S12="..."> <S12:Header> <wsse:Security xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..."> <saml:Assertion xmlns:saml="..." AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Issuer=”www.opensaml.org” MajorVersion="1" MinorVersion="1"> </saml:Assertion> <wsse:SecurityTokenReference wsu:Id=”STR1” wsse11:TokenType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1”> <wsse:KeyIdentifier wsu:Id=”...” ValueType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID”> _a75adf55-01d7-40cc-929f-dbd8372ebdfc </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security> </S12:Header> <S12:Body> .. . </S12:Body> </S12:Envelope>
SAML and WS-Security When a key identifier is used to reference a SAML assertion, it MUST contain as its element value the corresponding SAML assertion identifier. The key identifier MUST also contain a ValueType. The key identifier MUST NOT include an EncodingType4 attribute and the element content of the key identifier MUST be encoded as xs:string.
SAML and WS-Security <wsse:SecurityTokenReference xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..." wsu:Id=”STR1” wsse11:TokenType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1”> <saml:AuthorityBinding xmlns:saml="..." Binding=”urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding” Location=”http://www.opensaml.org/SAML-Authority” AuthorityKind= “samlp:AssertionIdReference”/> <wsse:KeyIdentifier wsu:Id=”...” ValueType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID”> _a75adf55-01d7-40cc-929f-dbd8372ebdfc </wsse:KeyIdentifier> </wsse:SecurityTokenReference>
SAML and WS-Security • A SAML V1.1 assertion that exists outside of a <wsse:Security> header may be referenced from the <wsse:Security> header element by including (in the <wsse:SecurityTokenReference>) a <saml:AuthorityBinding> element that defines the location, binding, and query that may be used to acquire the identified assertion at a SAML assertion authority or responder. • Remote references to V2.0 assertions are made by Direct reference URI.
SAML and WS-Security <wsse:SecurityTokenReference xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="...” wsu:Id=”...” wsse11:TokenType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile1.1#SAMLV2.0”> <wsse:Reference wsu:Id=”...” URI=”https://saml.example.edu/assertion-authority?ID=abcde”> </wsse:Reference> </wsse:SecurityTokenReference>
QUESTION 1 When do we want to reference a SAML token and when do we not to ?
Subject Confirmation Allows the subject to be confirmed. If more than one subject confirmation is provided, then satisfying any one of them is sufficient to confirm the subject for the purpose of applying the assertion. • Bearer (defined in SAML core specification) • Holder-of-Key (defined in SAML token profile for SOAP) • Sender-vouches (defined in SAML token profile for SOAP)
Bearer • Anyone who holds the SAML token can use it. • The sender need to prove the possession of the token. • If you know OAuth 2.0 – this is just like the OAuth 2.0 Bearer token. • This does not have a key. So – Bearer SAML tokens cannot be used to sign on encrypt messages. • No point if referring Bearer token from a <SecurityTokenReference>
Holder-of-Key • Sender (Subject) of the token should prove the possession of the token. • This has a key in it and it can be used to sign or encrypt messages. • Holder-of-Key SAML tokens can be referred from a <SecurityTokenReference>
Holder-of-Key <SubjectConfirmation> <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <xenc:EncryptedKey xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="EncKeyId3C611397F54EB4BEF913213415708916"> <xenc:EncryptionMethod algorithm=http://www.w3.org/2001/04/xmlenc#rsa-1_5 /> <ds:KeyInfo> <wsse:SecuritytokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuritysecext-1.0.xsd"> <wsse:KeyIdentifier encodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-messagesecurity-1.0#Base64Binary" valueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security1.1#ThumbprintSHA1">Ye9D13/K1GFRvJjgw1kSr5/rYxE=</wsse:keyidentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>a/kALeV0b0Y3oNcE7fdepUuF0sbQUGs012r87BMBUx/FL8 </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> </KeyInfo> </SubjectConfirmation>
Sender Vouches • • • The attesting entity, (presumed to be) different from the subject, vouches for the verification of the subject. The receiver MUST have an existing trust relationship with the attesting entity. The attesting entity MUST protect the assertion in combination with the message content against modification by another party.
Sender Vouches
WS-Trust • Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make set of assertions about a set of subjects and/or scopes. • Direct Trust – Direct trust is when a relying party accepts as true all (or some subset of) the claims in the token sent by the requestor. • Direct Brokered Trust – Direct Brokered Trust is when one party trusts a second party who, in turn, trusts or vouches for, a third party. • Indirect Brokered Trust – Indirect Brokered Trust is a variation on direct brokered trust where the second party negotiates with the third party, or additional parties, to assess the trust of the third party.
WS-Trust
WS-Trust • A protocol framework – Supports different exchange patterns • Builds on WS-Security • Defines mechanisms for brokering trust • Provides ways to establish and access the presence of trust relationship • Defines a mechanism for issuing and exchanging security tokens • Security Token Service – Anyone can be an STS
Common Patterns • Issuance • Defines mechanisms for requesting a new token • Renewal • Defines mechanisms for renewing previously issued tokens • Validation • Defines mechanisms for verifying validity of tokens • Cancellation • Defines mechanisms for cancelling a previously issued token
WS-Trust RST REQUESTER ISSUER RSTR
RequestSecurityToken <wst:RequestSecurityToken> <wst:TokenType> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile1.1#SAMLV1.1 </wst:TokenType> <wst:RequestType> http://schemas.xmlsoap.org/ws/2005/02/trust/Issue </wst:RequestType> </wst:RequestSecurityToken>
RequestSecurityTokenCollection <wst:RequestSecurityTokenCollection xmlns:wst="...”> <!-- identity token request --> <wst:RequestSecurityToken Context="http://www.example.com/1"> <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType> <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue</wst:RequestType> <wsp:AppliesTo xmlns:wsp="..." xmlns:wsa="..."> <wsa:EndpointReference> <wsa:Address>http://manufacturer.example.com/</wsa:Address> </wsa:EndpointReference> </wsp:AppliesTo> <wsp:PolicyReference xmlns:wsp="..." URI='http://manufacturer.example.com/IdentityPolicy' /> </wst:RequestSecurityToken> <!-- certification claim token request --> <wst:RequestSecurityToken Context="http://www.example.com/2"> <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType> <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512 /BatchIssue</wst:RequestType> <wst:Claims xmlns:wsp="..."> http://manufacturer.example.com/certification </wst:Claims> <wsp:PolicyReference URI='http://certificationbody.example.org/certificationPolicy’ /> </wst:RequestSecurityToken> </wst:RequestSecurityTokenCollection>
RequestSecurityTokenResponse <wst:RequestSecurityTokenResponse> <wst:TokenType> http://docs.oasis-open.org/wss/oasis-wss-saml-tokenprofile-1.1#SAMLV1.1 </wst:TokenType> <wst:RequestedSecurityToken> <saml:Assertion ... > ...</saml:Assertion> </wst:RequestedSecurityToken> <wst:RequestedProofToken> <xenc:EncryptedKey>...</xenc:EncryptedKey> </wst:RequestedProofToken> </wst:RequestSecurityTokenResponse>
RequestSecurityTokenResponseCollection <wst:RequestSecurityTokenResponseCollection xmlns:wst="..."> <wst:RequestSecurityTokenResponse>...</wst:RequestSecurityTokenRes ponse> + </wst:RequestSecurityTokenResponseCollection>
1 WS – Trust Token Issuer (Example) <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"> <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType> <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"> <wsa:Address>http://localhost:8280/services/echo</wsa:Address> </wsa:EndpointReference > </wsp:AppliesTo > <wst:LifeTime> <wsu:Created xmlns:wsu=“">2011-11-15T10:29:17.487Z</wsu:Created > <wsu:Expires xmlns:wsu=“">2011-11-15T10:34:17.487Z</wsu:Expires > </wst:LifeTime> <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType> <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</wst:KeyType> <wst:KeySize>256</wst:KeySize> <wst:Entropy> <wst:Binarysecret type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">nVY8/so9I3uvI3OSXDcyb+9kxWxMFNiwzT7qcsr5Hpw= </wst:Binarysecret > </wst:Entropy> <wst:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</wst:ComputedKeyAlgorithm> </wst:RequestSecurityToken >
2 WS – Trust Token Issuer (Example) AppliesTo This is the end point where the client going to use this token against. KeyType http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey Use Symmetric key when generating the key for the SubjectConfirmation. KeySize Use this key size when generating the key for the SubjectConfirmation.
3 WS – Trust Token Issuer (Example) Entropy/BinarySecret WS-Trust allows the requestor to provide input to the key material via a wst:Entropy element in the request. The requestor might do this to satisfy itself as to the degree of entropy (cryptographic randomness if you will) of at least some of the material used to generate the actual key which is used for SubjectConfirmation. Entropy/ComputedKeyAlgorithm : http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 The key derivation algorithm to use if using a symmetric key for P, where P is computed using client, server, or combined entropy. With http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 the key is computed using P_SHA1 from the TLS specification to generate a bit stream using entropy from both sides. The exact form is: key = P_SHA1 (EntREQ, EntRES) It is RECOMMENDED that EntREQ be a string of length at least 128 bits.
4 WS – Trust Token Issuer (Example) • Based on the Key Type in the request - STS will decide whether to use Holder-of-key or not. For following key types, holder-of-key subject confirmation method will be used. 1. http://docs.oasis-open.org/ws-sx/ws- trust/200512/PublicKey 2. http://docs.oasis-open.org/ws-sx/ws- trust/200512/SymmetricKey • If it is SymmetricKey - then STS will generate a key - encrypt the key using the public certificate corresponding to the end point attached to the AppliesTo element in the RST and add that to the SubjectConfirmation element in the response.
5 WS – Trust Token Issuer (Example) Key Generation • If client provides an entropy and the key computation algorithm is http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 then, the key is generated as a function of the client entropy and the STS entropy. • If client provides an entropy but the key computation algorithm is NOT http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 then, the key is same as the client entropy. • If neither of above happens, then the server generates an ephemeral key. • Whatever the way the key is generated, it will be encrypted with the certificate corresponding to the AppliesTo end point and will be added in to the SubjectConfirmation element in the response.
6 WS – Trust Token Issuer (Example) <SubjectConfirmation> <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <xenc:EncryptedKey xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="EncKeyId3C611397F54EB4BEF913213415708916"> <xenc:EncryptionMethod algorithm=http://www.w3.org/2001/04/xmlenc#rsa-1_5 /> <ds:KeyInfo> <wsse:SecuritytokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuritysecext-1.0.xsd"> <wsse:KeyIdentifier encodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-messagesecurity-1.0#Base64Binary" valueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security1.1#ThumbprintSHA1">Ye9D13/K1GFRvJjgw1kSr5/rYxE=</wsse:keyidentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>a/kALeV0b0Y3oNcE7fdepUuF0sbQUGs012r87BMBUx/FL8 </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> </KeyInfo> </SubjectConfirmation>
7 WS – Trust Token Issuer (Example) • As per the above code, what you see inside CipherValue element is the encrypted key. And it is encrypted from a certificate which is having the thumbprint reference Ye9D13/K1GFRvJjgw1kSr5/rYxE=. • Only the service which owns the certificate having the thumbprint reference Ye9D13/K1GFRvJjgw1kSr5/rYxE= would be able to decrypt the key - which is in fact the service end point attached to the AppliesTo element. • Can anybody in the middle fool the service endpoint just by replacing the SubjectConfirmation element..? This is prevented by STS signing the SubjectConfirmation element along with Assertion parent element with it's private key. • The SAML token is protected for integrity.
8 WS – Trust Token Issuer (Example) Passing the generated key to the requestor (subject) • Client application can use SAML token to encrypt/sign the messages going from the client to the service end point. Then the question is which key would the client use to sign and encrypt - it's the same key added to the SubjectConfirmation by the STS - but it's encrypted with the public key of the service end point - so, client won't be able to decrypt it and get access to the hidden key. • There is another way, STS passes the generated key to the client. Let's look at the following element also included in the response passed from the STS to the client this is out side the Assertion element.
9 WS – Trust Token Issuer (Example) Passing the generated key to the requestor (subject) • Here in the Entropy/BinarySecret STS passed the entropy created to generate the key. • The key is generated as a function of the client entropy and the STS entropy client already knows the client entropy and can find the STS entropy inside Entropy/BinarySecret in the response - so, client can derive the key from those. <wst:Entropy> <wst:BinarySecret Type="http://schemas.xmlsoap.org/ws/2005/02/trust Nonce">3nBXagllniQA8UEAs5uRVJFrKb9dPZITK76Xk/XCO5o= </wst:BinarySecret> </wst:Entropy>
Entropy • In information theory, entropy is a measure of the uncertainty associated with a random variable. In other words, entropy adds randomness to a generated key. • In WS-Trust, under Holder-of-Key scenario - the Security Token Service has to generate a key and pass that to the client - which will later be used between the client and the service to secure the communication. <wst:Entropy> <wst:BinarySecret Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce"> nVY8/so9I3uvI3OSXDcyb+9kxWxMFNiwzT7qcsr5Hpw= </wst:BinarySecret> </wst:Entropy> <wst:ComputedKeyAlgorithm> http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 </wst:ComputedKeyAlgorithm>
Entropy • The optional <Entropy> element allows a requestor to specify entropy that is to be used in creating the key. • The value of this element should be either a <xenc:EncryptedKey> or <wst:BinarySecret> depending on whether or not the key is encrypted. • Secrets should be encrypted unless the transport/channel is already providing encryption. • The BinarySecret element specifies a base64 encoded sequence of octets representing the requestor's entropy.
Entropy The keys resulting from <Entropy> request are determined in one of three ways. 1. Specific 2. Partial 3. Omitted
Entropy • In the case of specific keys, a <wst:RequestedProofToken> element is included in the response which indicates the specific key(s) to use unless the key was provided by the requestor(in which case there is no need to return it). This happens if the requestor does not provide entropy or issuer rejects the requestor's entropy. • In the case of partial, the <wst:Entropy> element is included in the response, which indicates partial key material from the issuer (not the full key) that is combined (by each party) with the requestor's entropy to determine the resulting key(s). In this case a <wst:ComputedKey> element is returned inside the <wst:RequestedProofToken> to indicate how the key is computed. This happens if the requestor provides entropy and the issuer honors it. Here you will see, in the response it will have an Entropy element - which includes the issuer's entropy. <wst:RequestedProofToken> <wst:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 </wst:ComputedKey> </wst:RequestedProofToken> <wst:Entropy> <wst:BinarySecret Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">3nBXagllniQA8UEAs5uRVJFrKb9dPZITK76Xk/XCO5o= </wst:BinarySecret> </wst:Entropy> </wst:RequestedProofToken>
Entropy • In the case of omitted, an existing key is used or the resulting token is not directly associated with a key. This happens if the requestor provides entropy and the responder doesn't (issuer uses the requestor's key), then a proof-of-possession token need not be returned.
Entropy
ActAs
ActAs • This OTPIONAL element in the RST indicates that the requested token is expected to contain information about the identity represented by the content of this element and the token requestor intends to use the returned token to act as this identity. • The identity that the requestor wants to act-as is specified by placing a security token or <wsse:SecurityTokenReference> element within the <wst14:ActAs> element
RequestedAttachedReferences • Since returned tokens (RquestedSecurityToken) are considered opaque to the requestor, this OPTIONAL element is specified to indicate how to reference the returned token when that token doesn't support references using URI fragments (XML ID). • This element contains a <wsse:SecurityTokenReference> element that can be used verbatim to reference the token (when the token is placed inside a message). • Typically tokens allow the use of wsu:Id so this element isn't required. • Note that a token MAY support multiple reference mechanisms; this indicates the issuer’s preferred mechanism. When encrypted tokens are returned, this element is not needed since the <xenc:EncryptedData> element supports an ID reference. If this element is not present in the RSTR then the recipient can assume that the returned token (when present in a message) supports references using URI fragments.
RequestedAttachedReferences <wst:RequestedAttachedReference> <SecurityTokenReference TokenType=http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 > <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile1.1#SAMLID">_55696a58-9dd2</SecurityTokenReference> </wst:RequestedAttachedReference>
RequestedUnAttachedReferences • In some cases tokens need not be present in the message. This OPTIONAL element is specified to indicate how to reference the token when it is not placed inside the message. This element contains a <wsse:SecurityTokenReference> element that can be used verbatim to reference the token (when the token is not placed inside a message) for replies. Note that a token MAY support multiple external reference mechanisms; this indicates the issuer’s preferred mechanism.
lean . enterprise . middleware

Recomendados

Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)Torsten Lodderstedt
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuthDan Brinkmann
 
Json web token
Json web tokenJson web token
Json web tokenMayank Patel
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
AWS Security Checklist
AWS Security ChecklistAWS Security Checklist
AWS Security ChecklistAmazon Web Services
 

Recomendados

Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)Torsten Lodderstedt
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuthDan Brinkmann
 
Json web token
Json web tokenJson web token
Json web tokenMayank Patel
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
AWS Security Checklist
AWS Security ChecklistAWS Security Checklist
AWS Security ChecklistAmazon Web Services
 
Jwt Security
Jwt SecurityJwt Security
Jwt SecuritySeid Yassin
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36Torsten Lodderstedt
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101Chul-Woong Yang
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101Mike Schwartz
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDCShiu-Fun Poon
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedTorsten Lodderstedt
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Best Practices in Cloud Security
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud SecurityAlert Logic
 
Firewall
FirewallFirewall
FirewallSaurabh Chauhan
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML Programming Talents
 
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?ForgeRock
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS ProtocolDevang Badrakiya
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA FirepowerAnwesh Dixit
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service SecurityLuqman Shareef
 
WS - SecurityPolicy
WS - SecurityPolicyWS - SecurityPolicy
WS - SecurityPolicyPrabath Siriwardena
 

Mais conteúdo relacionado

Mais procurados

OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36Torsten Lodderstedt
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Fatih Ozavci
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDCShiu-Fun Poon
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Best Practices in Cloud Security
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud SecurityAlert Logic
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?ForgeRock
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA FirepowerAnwesh Dixit
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 

Mais procurados (20)

Jwt Security
Jwt SecurityJwt Security
Jwt Security
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Best Practices in Cloud Security
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud Security
 
Firewall
FirewallFirewall
Firewall
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
 
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA Firepower
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 

Destaque

Arquitecturas interoperables con GeneXus - Pablo Alzuri
Arquitecturas interoperables con GeneXus - Pablo AlzuriArquitecturas interoperables con GeneXus - Pablo Alzuri
Arquitecturas interoperables con GeneXus - Pablo AlzuriGeneXus
 
Developing Web Services With Oracle Web Logic Server
Developing Web Services With Oracle Web Logic ServerDeveloping Web Services With Oracle Web Logic Server
Developing Web Services With Oracle Web Logic ServerGaurav Sharma
 
Declarative authorization in REST services in SharePoint with F# and ServiceS...
Declarative authorization in REST services in SharePoint with F# and ServiceS...Declarative authorization in REST services in SharePoint with F# and ServiceS...
Declarative authorization in REST services in SharePoint with F# and ServiceS...Sergey Tihon
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityMuleSoft
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 

Destaque (20)

Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 
WS - SecurityPolicy
WS - SecurityPolicyWS - SecurityPolicy
WS - SecurityPolicy
 
WS - Security
WS - SecurityWS - Security
WS - Security
 
Web Services Security - Presentation
Web Services Security - PresentationWeb Services Security - Presentation
Web Services Security - Presentation
 
Arquitecturas interoperables con GeneXus - Pablo Alzuri
Arquitecturas interoperables con GeneXus - Pablo AlzuriArquitecturas interoperables con GeneXus - Pablo Alzuri
Arquitecturas interoperables con GeneXus - Pablo Alzuri
 
Web Service Security
Web Service SecurityWeb Service Security
Web Service Security
 
Developing Web Services With Oracle Web Logic Server
Developing Web Services With Oracle Web Logic ServerDeveloping Web Services With Oracle Web Logic Server
Developing Web Services With Oracle Web Logic Server
 
XML Signature
XML SignatureXML Signature
XML Signature
 
tin hoc lớp 7
tin hoc lớp 7tin hoc lớp 7
tin hoc lớp 7
 
Stateful Web Services - Short Report
Stateful Web Services - Short ReportStateful Web Services - Short Report
Stateful Web Services - Short Report
 
Stateful Web Services - Presentation
Stateful Web Services - PresentationStateful Web Services - Presentation
Stateful Web Services - Presentation
 
Tin học lớp 7
Tin học lớp 7Tin học lớp 7
Tin học lớp 7
 
Rest security with oauth 2.0
Rest security with oauth 2.0Rest security with oauth 2.0
Rest security with oauth 2.0
 
Declarative authorization in REST services in SharePoint with F# and ServiceS...
Declarative authorization in REST services in SharePoint with F# and ServiceS...Declarative authorization in REST services in SharePoint with F# and ServiceS...
Declarative authorization in REST services in SharePoint with F# and ServiceS...
 
Oracle API Gateway Installation
Oracle API Gateway InstallationOracle API Gateway Installation
Oracle API Gateway Installation
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Oracle API Gateway
Oracle API GatewayOracle API Gateway
Oracle API Gateway
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 

Semelhante a WS-Trust

What is Advanced Web Servicels.pdf
What is Advanced Web Servicels.pdfWhat is Advanced Web Servicels.pdf
What is Advanced Web Servicels.pdfAngelicaPantaleon3
 
SECURITY MECHANISM FOR WEBSERVICE USING SECURITY TOKEN SERVICE(STS
SECURITY MECHANISM FOR WEBSERVICE USING SECURITY TOKEN SERVICE(STSSECURITY MECHANISM FOR WEBSERVICE USING SECURITY TOKEN SERVICE(STS
SECURITY MECHANISM FOR WEBSERVICE USING SECURITY TOKEN SERVICE(STSManoj Kumar K.M
 
Mule securing
Mule securingMule securing
Mule securingSindhu VL
 
Securing mule
Securing muleSecuring mule
Securing muleSindhu VL
 
Https interception proxies
Https interception proxiesHttps interception proxies
Https interception proxiesgeeksec80
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web ServicesJorgen Thelin
 
Soa Testing An Approach For Testing Security Aspects Of Soa Based Application
Soa Testing An Approach For Testing Security Aspects Of Soa Based ApplicationSoa Testing An Approach For Testing Security Aspects Of Soa Based Application
Soa Testing An Approach For Testing Security Aspects Of Soa Based ApplicationJaipal Naidu
 
Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL CertificateCheapSSLUSA
 
Microservices Security landscape
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscapeSagara Gunathunga
 
SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive OverviewPortalGuard
 

Semelhante a WS-Trust (20)

SOA Security
SOA Security SOA Security
SOA Security
 
What is Advanced Web Servicels.pdf
What is Advanced Web Servicels.pdfWhat is Advanced Web Servicels.pdf
What is Advanced Web Servicels.pdf
 
Web Service Extensions | Torry Harris Whitepaper
Web Service Extensions | Torry Harris WhitepaperWeb Service Extensions | Torry Harris Whitepaper
Web Service Extensions | Torry Harris Whitepaper
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
 
SECURITY MECHANISM FOR WEBSERVICE USING SECURITY TOKEN SERVICE(STS
SECURITY MECHANISM FOR WEBSERVICE USING SECURITY TOKEN SERVICE(STSSECURITY MECHANISM FOR WEBSERVICE USING SECURITY TOKEN SERVICE(STS
SECURITY MECHANISM FOR WEBSERVICE USING SECURITY TOKEN SERVICE(STS
 
Mule securing
Mule securingMule securing
Mule securing
 
Securing mule
Securing muleSecuring mule
Securing mule
 
Https interception proxies
Https interception proxiesHttps interception proxies
Https interception proxies
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web Services
 
Soa Testing An Approach For Testing Security Aspects Of Soa Based Application
Soa Testing An Approach For Testing Security Aspects Of Soa Based ApplicationSoa Testing An Approach For Testing Security Aspects Of Soa Based Application
Soa Testing An Approach For Testing Security Aspects Of Soa Based Application
 
Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
 
Mule security
Mule securityMule security
Mule security
 
Mule security
Mule securityMule security
Mule security
 
Mule security
Mule securityMule security
Mule security
 
Mule security
Mule securityMule security
Mule security
 
Mule security - pgp
Mule security - pgpMule security - pgp
Mule security - pgp
 
SAML
SAMLSAML
SAML
 
Microservices Security landscape
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscape
 
SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive Overview
 
Security Avalanche
Security AvalancheSecurity Avalanche
Security Avalanche
 

Mais de Prabath Siriwardena

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFEPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementPrabath Siriwardena
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application DevelopersPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity ManagementPrabath Siriwardena
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Prabath Siriwardena
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusPrabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesPrabath Siriwardena
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet IdentityPrabath Siriwardena
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudPrabath Siriwardena
 

Mais de Prabath Siriwardena (20)

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Identity is Eating the World!
Identity is Eating the World!Identity is Eating the World!
Identity is Eating the World!
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
OAuth 2.0 Threat Landscape
OAuth 2.0 Threat LandscapeOAuth 2.0 Threat Landscape
OAuth 2.0 Threat Landscape
 
GDPR for Identity Architects
GDPR for Identity ArchitectsGDPR for Identity Architects
GDPR for Identity Architects
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access Management
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application Developers
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity Management
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity Bus
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & Challenges
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet Identity
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and Cloud
 
Securing Insecure
Securing InsecureSecuring Insecure
Securing Insecure
 

Último

ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 

Último (20)

ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 

WS-Trust

  • 1. Portable Identity & WS - Trust Prabath Siriwardena Director, Security Architecture
  • 2. Portable Identity • When a subject identity established and verified in one trust domain wants to assert its identity and rights in another trust domain, this is said to be portable. • An assertion is a claim that may be challenged and proven before being believed. • Authentication is an assertion that a subject is who he claims to be. • Authorization is an assertion that the subject identity is allowed to perform a specific action.
  • 3. Portable Identity & SOAP • When two entities with different trust models want interact , SOAP has no standardized and interoperable way to communicate their security properties. • Because SOAP messages are sent from one trust domain to another, the identity of the requesting subject and its assertions must travel with the message.
  • 4. SAML • SAML is the XML based standard created to enable portable identities and the assertions these identities want to make. • SAML not tied in to any transport. • Defines a standard message exchange protocol. • Specifies how it is transported.
  • 5. SAML • SAML is fundamentally three XML-based mechanisms. – Assertions (An XML schema and definition security assertions). – Protocol (An XML schema for request/response protocol). – Bindings (Rules for using assertions with standards transport and messaging frameworks).
  • 6. SAML Assertions • SAML defines three types of assertions. – Authentication – Authorization – Attributes
  • 7. SAML Encrypted Assertions • The <EncryptedAssertion> element represents an assertion in encrypted fashion, as defined by the XML Encryption Syntax and Processing specification . The <EncryptedAssertion> element.
  • 8. SAML • SAML is fundamentally three XML-based mechanisms. – Assertions (An XML schema and definition security assertions). – Protocol (An XML schema for request/response protocol). – Bindings (Rules for using assertions with standards transport and messaging frameworks).
  • 9. SAML and WS-Security WS-Security has a security extension to SOAP, specifies SAML assertions as one of the types of security tokens it supports in the SOAP header.
  • 10. SAML and WS-Security <S12:Envelope xmlns:S12="..."> <S12:Header> <wsse:Security xmlns:wsse="..."> <saml:Assertion xmlns:saml=”… AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc” IssueInstant="2003-04-17T00:46:02Z” Issuer=www.opensaml.org MajorVersion="1“ MinorVersion="1"> <saml:AuthenticationStatement> <saml:Subject> <saml:NameIdentifier NameQualifier="www.example.com" Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName”> uid=joe,ou=people,ou=saml-demo,o=baltimore.com </saml:NameIdentifier> <saml:SubjectConfirmation> <saml:ConfirmationMethod> urn:oasis:names:tc:SAML:1.0:cm:bearer </saml:ConfirmationMethod> </saml:SubjectConfirmation> </saml:Subject> </saml:AuthenticationStatement> </saml:Assertion> </wsse:Security> </S12:Header> <S12:Body> .. . </S12:Body> </S12:Envelope>
  • 11. SAML and WS-Security <S12:Envelope xmlns:S12="..."> <S12:Header> <wsse:Security xmlns:wsse="..."> <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <xenc:EncryptedData> <xenc:EncryptedData> </EncryptedAssertion> </wsse:Security> </S12:Header> <S12:Body> .. . </S12:Body> </S12:Envelope>
  • 12. SAML and WS-Security <S12:Envelope xmlns:S12="..."> <S12:Header> <wsse:Security xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..."> <saml:Assertion xmlns:saml="..." AssertionID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z" Issuer=”www.opensaml.org” MajorVersion="1" MinorVersion="1"> </saml:Assertion> <wsse:SecurityTokenReference wsu:Id=”STR1” wsse11:TokenType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1”> <wsse:KeyIdentifier wsu:Id=”...” ValueType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID”> _a75adf55-01d7-40cc-929f-dbd8372ebdfc </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </wsse:Security> </S12:Header> <S12:Body> .. . </S12:Body> </S12:Envelope>
  • 13. SAML and WS-Security When a key identifier is used to reference a SAML assertion, it MUST contain as its element value the corresponding SAML assertion identifier. The key identifier MUST also contain a ValueType. The key identifier MUST NOT include an EncodingType4 attribute and the element content of the key identifier MUST be encoded as xs:string.
  • 14. SAML and WS-Security <wsse:SecurityTokenReference xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..." wsu:Id=”STR1” wsse11:TokenType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1”> <saml:AuthorityBinding xmlns:saml="..." Binding=”urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding” Location=”http://www.opensaml.org/SAML-Authority” AuthorityKind= “samlp:AssertionIdReference”/> <wsse:KeyIdentifier wsu:Id=”...” ValueType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID”> _a75adf55-01d7-40cc-929f-dbd8372ebdfc </wsse:KeyIdentifier> </wsse:SecurityTokenReference>
  • 15. SAML and WS-Security • A SAML V1.1 assertion that exists outside of a <wsse:Security> header may be referenced from the <wsse:Security> header element by including (in the <wsse:SecurityTokenReference>) a <saml:AuthorityBinding> element that defines the location, binding, and query that may be used to acquire the identified assertion at a SAML assertion authority or responder. • Remote references to V2.0 assertions are made by Direct reference URI.
  • 16. SAML and WS-Security <wsse:SecurityTokenReference xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="...” wsu:Id=”...” wsse11:TokenType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile1.1#SAMLV2.0”> <wsse:Reference wsu:Id=”...” URI=”https://saml.example.edu/assertion-authority?ID=abcde”> </wsse:Reference> </wsse:SecurityTokenReference>
  • 17. QUESTION 1 When do we want to reference a SAML token and when do we not to ?
  • 18. Subject Confirmation Allows the subject to be confirmed. If more than one subject confirmation is provided, then satisfying any one of them is sufficient to confirm the subject for the purpose of applying the assertion. • Bearer (defined in SAML core specification) • Holder-of-Key (defined in SAML token profile for SOAP) • Sender-vouches (defined in SAML token profile for SOAP)
  • 19. Bearer • Anyone who holds the SAML token can use it. • The sender need to prove the possession of the token. • If you know OAuth 2.0 – this is just like the OAuth 2.0 Bearer token. • This does not have a key. So – Bearer SAML tokens cannot be used to sign on encrypt messages. • No point if referring Bearer token from a <SecurityTokenReference>
  • 20. Holder-of-Key • Sender (Subject) of the token should prove the possession of the token. • This has a key in it and it can be used to sign or encrypt messages. • Holder-of-Key SAML tokens can be referred from a <SecurityTokenReference>
  • 21. Holder-of-Key <SubjectConfirmation> <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <xenc:EncryptedKey xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="EncKeyId3C611397F54EB4BEF913213415708916"> <xenc:EncryptionMethod algorithm=http://www.w3.org/2001/04/xmlenc#rsa-1_5 /> <ds:KeyInfo> <wsse:SecuritytokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuritysecext-1.0.xsd"> <wsse:KeyIdentifier encodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-messagesecurity-1.0#Base64Binary" valueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security1.1#ThumbprintSHA1">Ye9D13/K1GFRvJjgw1kSr5/rYxE=</wsse:keyidentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>a/kALeV0b0Y3oNcE7fdepUuF0sbQUGs012r87BMBUx/FL8 </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> </KeyInfo> </SubjectConfirmation>
  • 22. Sender Vouches • • • The attesting entity, (presumed to be) different from the subject, vouches for the verification of the subject. The receiver MUST have an existing trust relationship with the attesting entity. The attesting entity MUST protect the assertion in combination with the message content against modification by another party.
  • 24. WS-Trust • Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make set of assertions about a set of subjects and/or scopes. • Direct Trust – Direct trust is when a relying party accepts as true all (or some subset of) the claims in the token sent by the requestor. • Direct Brokered Trust – Direct Brokered Trust is when one party trusts a second party who, in turn, trusts or vouches for, a third party. • Indirect Brokered Trust – Indirect Brokered Trust is a variation on direct brokered trust where the second party negotiates with the third party, or additional parties, to assess the trust of the third party.
  • 26. WS-Trust • A protocol framework – Supports different exchange patterns • Builds on WS-Security • Defines mechanisms for brokering trust • Provides ways to establish and access the presence of trust relationship • Defines a mechanism for issuing and exchanging security tokens • Security Token Service – Anyone can be an STS
  • 27. Common Patterns • Issuance • Defines mechanisms for requesting a new token • Renewal • Defines mechanisms for renewing previously issued tokens • Validation • Defines mechanisms for verifying validity of tokens • Cancellation • Defines mechanisms for cancelling a previously issued token
  • 30. RequestSecurityTokenCollection <wst:RequestSecurityTokenCollection xmlns:wst="...”> <!-- identity token request --> <wst:RequestSecurityToken Context="http://www.example.com/1"> <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType> <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/BatchIssue</wst:RequestType> <wsp:AppliesTo xmlns:wsp="..." xmlns:wsa="..."> <wsa:EndpointReference> <wsa:Address>http://manufacturer.example.com/</wsa:Address> </wsa:EndpointReference> </wsp:AppliesTo> <wsp:PolicyReference xmlns:wsp="..." URI='http://manufacturer.example.com/IdentityPolicy' /> </wst:RequestSecurityToken> <!-- certification claim token request --> <wst:RequestSecurityToken Context="http://www.example.com/2"> <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType> <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512 /BatchIssue</wst:RequestType> <wst:Claims xmlns:wsp="..."> http://manufacturer.example.com/certification </wst:Claims> <wsp:PolicyReference URI='http://certificationbody.example.org/certificationPolicy’ /> </wst:RequestSecurityToken> </wst:RequestSecurityTokenCollection>
  • 31. RequestSecurityTokenResponse <wst:RequestSecurityTokenResponse> <wst:TokenType> http://docs.oasis-open.org/wss/oasis-wss-saml-tokenprofile-1.1#SAMLV1.1 </wst:TokenType> <wst:RequestedSecurityToken> <saml:Assertion ... > ...</saml:Assertion> </wst:RequestedSecurityToken> <wst:RequestedProofToken> <xenc:EncryptedKey>...</xenc:EncryptedKey> </wst:RequestedProofToken> </wst:RequestSecurityTokenResponse>
  • 33. 1 WS – Trust Token Issuer (Example) <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"> <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType> <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"> <wsa:Address>http://localhost:8280/services/echo</wsa:Address> </wsa:EndpointReference > </wsp:AppliesTo > <wst:LifeTime> <wsu:Created xmlns:wsu=“">2011-11-15T10:29:17.487Z</wsu:Created > <wsu:Expires xmlns:wsu=“">2011-11-15T10:34:17.487Z</wsu:Expires > </wst:LifeTime> <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType> <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</wst:KeyType> <wst:KeySize>256</wst:KeySize> <wst:Entropy> <wst:Binarysecret type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">nVY8/so9I3uvI3OSXDcyb+9kxWxMFNiwzT7qcsr5Hpw= </wst:Binarysecret > </wst:Entropy> <wst:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</wst:ComputedKeyAlgorithm> </wst:RequestSecurityToken >
  • 34. 2 WS – Trust Token Issuer (Example) AppliesTo This is the end point where the client going to use this token against. KeyType http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey Use Symmetric key when generating the key for the SubjectConfirmation. KeySize Use this key size when generating the key for the SubjectConfirmation.
  • 35. 3 WS – Trust Token Issuer (Example) Entropy/BinarySecret WS-Trust allows the requestor to provide input to the key material via a wst:Entropy element in the request. The requestor might do this to satisfy itself as to the degree of entropy (cryptographic randomness if you will) of at least some of the material used to generate the actual key which is used for SubjectConfirmation. Entropy/ComputedKeyAlgorithm : http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 The key derivation algorithm to use if using a symmetric key for P, where P is computed using client, server, or combined entropy. With http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 the key is computed using P_SHA1 from the TLS specification to generate a bit stream using entropy from both sides. The exact form is: key = P_SHA1 (EntREQ, EntRES) It is RECOMMENDED that EntREQ be a string of length at least 128 bits.
  • 36. 4 WS – Trust Token Issuer (Example) • Based on the Key Type in the request - STS will decide whether to use Holder-of-key or not. For following key types, holder-of-key subject confirmation method will be used. 1. http://docs.oasis-open.org/ws-sx/ws- trust/200512/PublicKey 2. http://docs.oasis-open.org/ws-sx/ws- trust/200512/SymmetricKey • If it is SymmetricKey - then STS will generate a key - encrypt the key using the public certificate corresponding to the end point attached to the AppliesTo element in the RST and add that to the SubjectConfirmation element in the response.
  • 37. 5 WS – Trust Token Issuer (Example) Key Generation • If client provides an entropy and the key computation algorithm is http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 then, the key is generated as a function of the client entropy and the STS entropy. • If client provides an entropy but the key computation algorithm is NOT http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 then, the key is same as the client entropy. • If neither of above happens, then the server generates an ephemeral key. • Whatever the way the key is generated, it will be encrypted with the certificate corresponding to the AppliesTo end point and will be added in to the SubjectConfirmation element in the response.
  • 38. 6 WS – Trust Token Issuer (Example) <SubjectConfirmation> <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</ConfirmationMethod> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <xenc:EncryptedKey xmlns:ds="http://www.w3.org/2000/09/xmldsig#" id="EncKeyId3C611397F54EB4BEF913213415708916"> <xenc:EncryptionMethod algorithm=http://www.w3.org/2001/04/xmlenc#rsa-1_5 /> <ds:KeyInfo> <wsse:SecuritytokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuritysecext-1.0.xsd"> <wsse:KeyIdentifier encodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-messagesecurity-1.0#Base64Binary" valueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security1.1#ThumbprintSHA1">Ye9D13/K1GFRvJjgw1kSr5/rYxE=</wsse:keyidentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>a/kALeV0b0Y3oNcE7fdepUuF0sbQUGs012r87BMBUx/FL8 </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> </KeyInfo> </SubjectConfirmation>
  • 39. 7 WS – Trust Token Issuer (Example) • As per the above code, what you see inside CipherValue element is the encrypted key. And it is encrypted from a certificate which is having the thumbprint reference Ye9D13/K1GFRvJjgw1kSr5/rYxE=. • Only the service which owns the certificate having the thumbprint reference Ye9D13/K1GFRvJjgw1kSr5/rYxE= would be able to decrypt the key - which is in fact the service end point attached to the AppliesTo element. • Can anybody in the middle fool the service endpoint just by replacing the SubjectConfirmation element..? This is prevented by STS signing the SubjectConfirmation element along with Assertion parent element with it's private key. • The SAML token is protected for integrity.
  • 40. 8 WS – Trust Token Issuer (Example) Passing the generated key to the requestor (subject) • Client application can use SAML token to encrypt/sign the messages going from the client to the service end point. Then the question is which key would the client use to sign and encrypt - it's the same key added to the SubjectConfirmation by the STS - but it's encrypted with the public key of the service end point - so, client won't be able to decrypt it and get access to the hidden key. • There is another way, STS passes the generated key to the client. Let's look at the following element also included in the response passed from the STS to the client this is out side the Assertion element.
  • 41. 9 WS – Trust Token Issuer (Example) Passing the generated key to the requestor (subject) • Here in the Entropy/BinarySecret STS passed the entropy created to generate the key. • The key is generated as a function of the client entropy and the STS entropy client already knows the client entropy and can find the STS entropy inside Entropy/BinarySecret in the response - so, client can derive the key from those. <wst:Entropy> <wst:BinarySecret Type="http://schemas.xmlsoap.org/ws/2005/02/trust Nonce">3nBXagllniQA8UEAs5uRVJFrKb9dPZITK76Xk/XCO5o= </wst:BinarySecret> </wst:Entropy>
  • 42. Entropy • In information theory, entropy is a measure of the uncertainty associated with a random variable. In other words, entropy adds randomness to a generated key. • In WS-Trust, under Holder-of-Key scenario - the Security Token Service has to generate a key and pass that to the client - which will later be used between the client and the service to secure the communication. <wst:Entropy> <wst:BinarySecret Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce"> nVY8/so9I3uvI3OSXDcyb+9kxWxMFNiwzT7qcsr5Hpw= </wst:BinarySecret> </wst:Entropy> <wst:ComputedKeyAlgorithm> http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 </wst:ComputedKeyAlgorithm>
  • 43. Entropy • The optional <Entropy> element allows a requestor to specify entropy that is to be used in creating the key. • The value of this element should be either a <xenc:EncryptedKey> or <wst:BinarySecret> depending on whether or not the key is encrypted. • Secrets should be encrypted unless the transport/channel is already providing encryption. • The BinarySecret element specifies a base64 encoded sequence of octets representing the requestor's entropy.
  • 44. Entropy The keys resulting from <Entropy> request are determined in one of three ways. 1. Specific 2. Partial 3. Omitted
  • 45. Entropy • In the case of specific keys, a <wst:RequestedProofToken> element is included in the response which indicates the specific key(s) to use unless the key was provided by the requestor(in which case there is no need to return it). This happens if the requestor does not provide entropy or issuer rejects the requestor's entropy. • In the case of partial, the <wst:Entropy> element is included in the response, which indicates partial key material from the issuer (not the full key) that is combined (by each party) with the requestor's entropy to determine the resulting key(s). In this case a <wst:ComputedKey> element is returned inside the <wst:RequestedProofToken> to indicate how the key is computed. This happens if the requestor provides entropy and the issuer honors it. Here you will see, in the response it will have an Entropy element - which includes the issuer's entropy. <wst:RequestedProofToken> <wst:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 </wst:ComputedKey> </wst:RequestedProofToken> <wst:Entropy> <wst:BinarySecret Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">3nBXagllniQA8UEAs5uRVJFrKb9dPZITK76Xk/XCO5o= </wst:BinarySecret> </wst:Entropy> </wst:RequestedProofToken>
  • 46. Entropy • In the case of omitted, an existing key is used or the resulting token is not directly associated with a key. This happens if the requestor provides entropy and the responder doesn't (issuer uses the requestor's key), then a proof-of-possession token need not be returned.
  • 48. ActAs
  • 49. ActAs • This OTPIONAL element in the RST indicates that the requested token is expected to contain information about the identity represented by the content of this element and the token requestor intends to use the returned token to act as this identity. • The identity that the requestor wants to act-as is specified by placing a security token or <wsse:SecurityTokenReference> element within the <wst14:ActAs> element
  • 50. RequestedAttachedReferences • Since returned tokens (RquestedSecurityToken) are considered opaque to the requestor, this OPTIONAL element is specified to indicate how to reference the returned token when that token doesn't support references using URI fragments (XML ID). • This element contains a <wsse:SecurityTokenReference> element that can be used verbatim to reference the token (when the token is placed inside a message). • Typically tokens allow the use of wsu:Id so this element isn't required. • Note that a token MAY support multiple reference mechanisms; this indicates the issuer’s preferred mechanism. When encrypted tokens are returned, this element is not needed since the <xenc:EncryptedData> element supports an ID reference. If this element is not present in the RSTR then the recipient can assume that the returned token (when present in a message) supports references using URI fragments.
  • 52. RequestedUnAttachedReferences • In some cases tokens need not be present in the message. This OPTIONAL element is specified to indicate how to reference the token when it is not placed inside the message. This element contains a <wsse:SecurityTokenReference> element that can be used verbatim to reference the token (when the token is not placed inside a message) for replies. Note that a token MAY support multiple external reference mechanisms; this indicates the issuer’s preferred mechanism.
  • 53. lean . enterprise . middleware