Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption
SAML profiles are documented patterns of SAML usage for securing a particular kind of resource. Like Pretty Good Privacy (PGP), SAML is designed to work without a centralized certificate authority, which is why SAML is the basis for the Liberty Alliance's federated identity system, described in the next section. Note that SAML assumes the resource owner trusts the SAML authorities and that those authorities already know the subject requesting a SAML security assertion. Transactions between two parties that do not know each other still need a trusted third party; in such cases WS-Security needs to use XKMS instead of SAML. The detailed introduction to WS-Security comes in the next chapter. For now, knowing that WS-Security is essentially a set of security extensions to SOAP is enough to explore how SAML fits into it.

The WS-Security SAML Profile
WS-Security defines a SAML profile (confusingly, it calls it the WS-Security SAML binding) for securing SOAP messages. The profile is built around a single interaction between a sender and a receiver. The sender, a Web service consumer, first obtains one or more SAML assertions and then adds them to a SOAP message destined for the receiver, a Web service provider. The receiver processes the assertions it finds in the message. As with the SAML profile for SOAP, the assertion is carried in the SOAP header; with the WS-Security SAML profile it sits inside the <wsse:Security> header element. SAML is just one of the security tokens WS-Security defines. A good way to think about WS-Security is as a specification that takes XML security (XML Encryption and XML Signature), links it with pre-existing security technologies that it calls tokens (X.509 certificates, Kerberos tickets, SAML assertions), and binds all of that to SOAP so it can become part of a secure Web service interaction. You attach SAML assertions to a SOAP message by placing the assertion elements themselves, or references to assertions, inside a <wsse:Security> header. Placing an assertion there only states a claim: before relying on it, the receiver must verify the issuer's signature over the assertion and confirm that the assertion is bound to this message and this sender (the profile's holder-of-key or sender-vouches subject confirmation); otherwise an assertion captured from one message could simply be replayed in another. Listing 6.12 illustrates a SOAP message containing a SAML assertion in a <wsse:Security> header.

Listing 6.12. A SOAP Message with a <wsse:Security> Header Using a <saml:Assertion> Security Token
<S:Envelope xmlns:S="...">
  <S:Header>
    <wsse:Security xmlns:wsse="...">
      <saml:Assertion MajorVersion="1" MinorVersion="0"
          AssertionID="SecurityToken-ef375268"
          Issuer="jothy"
          IssueInstant="2002-07-23T11:32:05.6228146-07:00"
          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
        ...
      </saml:Assertion>
      ...
    </wsse:Security>
  </S:Header>
  <S:Body>
    ...
  </S:Body>
</S:Envelope>
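The receiver side of the interaction described above, as an added example that is not the book's code: it pulls every <saml:Assertion> and every <saml:AssertionIDReference> out of the <wsse:Security> header(s) of an envelope and runs the checks a provider should apply before acting on an assertion (version, trusted issuer, IssueInstant freshness, Conditions window, and whether a ds:Signature is even present). The sample envelope is constructed for this example and mirrors the shape of Listing 6.12, reusing its AssertionID and Issuer; the wsse namespace URI (which the listing elides) is assumed to be the OASIS WSS 1.0 one, and the trust list, clock-skew allowance and maximum assertion age are hypothetical deployment settings.

```python
"""Receiver-side processing of SAML assertions in a <wsse:Security> header.
Added illustration of the WS-Security SAML profile, not the book's own code."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",          # SOAP 1.1
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",       # OASIS WSS 1.0 (assumed)
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CLOCK_SKEW = timedelta(minutes=2)   # hypothetical tolerance for clock drift
MAX_AGE = timedelta(minutes=5)      # hypothetical maximum accepted IssueInstant age

# Constructed sample: one embedded assertion plus a reference to an assertion
# the receiver does not hold.  AssertionID and Issuer come from Listing 6.12.
SAMPLE_ENVELOPE = f"""<S:Envelope xmlns:S="{NS['S']}">
  <S:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="0"
          AssertionID="SecurityToken-ef375268" Issuer="jothy"
          IssueInstant="2002-07-23T11:32:05.6228146-07:00">
        <saml:Conditions NotBefore="2002-07-23T11:32:05-07:00"
                         NotOnOrAfter="2002-07-23T11:42:05-07:00"/>
        <saml:AuthenticationStatement
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
            AuthenticationInstant="2002-07-23T11:32:05-07:00">
          <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
      <wsse:SecurityTokenReference>
        <saml:AssertionIDReference xmlns:saml="{NS['saml']}">SecurityToken-0000cafe</saml:AssertionIDReference>
      </wsse:SecurityTokenReference>
    </wsse:Security>
  </S:Header>
  <S:Body><getQuote>ACME</getQuote></S:Body>
</S:Envelope>"""

_INSTANT = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$")


def parse_instant(text):
    """Parse an xsd:dateTime such as 2002-07-23T11:32:05.6228146-07:00 into an
    aware UTC datetime.  Digits beyond microseconds are truncated; a missing
    zone designator is taken as UTC.  Returns None for malformed input."""
    m = _INSTANT.match(text or "")
    if not m:
        return None
    y, mo, d, h, mi, s, frac, zone = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    tz = timezone.utc
    if zone and zone != "Z":
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6])))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro,
                    tzinfo=tz).astimezone(timezone.utc)


# Reference clock for the sample: about a minute after the assertion was issued.
SAMPLE_NOW = parse_instant("2002-07-23T11:33:00-07:00")


def extract_tokens(envelope_xml):
    """Return (embedded saml:Assertion elements, referenced AssertionIDs) found
    in every wsse:Security header of the envelope."""
    root = ET.fromstring(envelope_xml)   # ElementTree does not resolve external entities
    embedded, referenced = [], []
    header = root.find("S:Header", NS)
    for sec in ([] if header is None else header.findall("wsse:Security", NS)):
        embedded.extend(sec.findall("saml:Assertion", NS))
        referenced.extend((r.text or "").strip() for r in sec.findall(
            "wsse:SecurityTokenReference/saml:AssertionIDReference", NS))
    return embedded, referenced


def check_assertion(assertion, now, trusted_issuers):
    """Checks to run before relying on any statement in the assertion.
    Returns a list of problems; an empty list means the assertion passed."""
    problems = []
    if (assertion.get("MajorVersion"), assertion.get("MinorVersion")) != ("1", "0"):
        problems.append("unsupported SAML version")
    issuer = assertion.get("Issuer")
    if issuer not in trusted_issuers:
        problems.append(f"issuer {issuer!r} is not a trusted SAML authority")
    issued = parse_instant(assertion.get("IssueInstant"))
    if issued is None or issued > now + CLOCK_SKEW or now - issued > MAX_AGE + CLOCK_SKEW:
        problems.append("IssueInstant missing, in the future, or older than MAX_AGE")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before = parse_instant(cond.get("NotBefore"))
        not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
        if not_before is not None and now < not_before - CLOCK_SKEW:
            problems.append("assertion not yet valid (NotBefore)")
        if not_on_or_after is not None and now >= not_on_or_after + CLOCK_SKEW:
            problems.append("assertion expired (NotOnOrAfter)")
    # Issuer is only a claim until the issuer's signature has been verified;
    # flag a missing signature instead of silently trusting the attribute.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature on assertion; Issuer is an unverified claim")
    return problems


def process_envelope(envelope_xml, now, trusted_issuers):
    """Return ({AssertionID: {"subject", "problems"}}, unresolved reference IDs).
    Referenced assertions the receiver does not hold must be resolved elsewhere
    (a local store of earlier assertions, or the issuing authority)."""
    embedded, referenced = extract_tokens(envelope_xml)
    results = {}
    for a in embedded:
        subj = a.find(".//saml:Subject/saml:NameIdentifier", NS)
        results[a.get("AssertionID")] = {
            "subject": None if subj is None else (subj.text or "").strip(),
            "problems": check_assertion(a, now, trusted_issuers),
        }
    return results, [rid for rid in referenced if rid not in results]


if __name__ == "__main__":
    print(process_envelope(SAMPLE_ENVELOPE, SAMPLE_NOW, {"jothy"}))
```

Run against the sample at SAMPLE_NOW with "jothy" trusted, the embedded assertion passes every check except the signature one, and the AssertionIDReference comes back as unresolved; move the clock to noon and the same assertion is reported as both stale and expired. Signature verification itself (XML Signature canonicalization and key lookup) is deliberately left out here, since it is the subject of its own chapter.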