WS-Federation: Jim Van Dyke Zhengping Wu
Partially adapted from workshop slides by Tony Nadalin (IBM) and Chris Kaler (Microsoft)
Agenda
Introduction
Trust Topologies
Single Sign-out
Attribute Services
Pseudonym Services
Active/Passive Profiles
Summary and Conclusions
Demo
References
What is Federation?
Federation
A collection of realms/domains that have established trust
The technology and business arrangements necessary to interconnect users, applications, and systems
Federated systems can interoperate across organizational and technical boundaries (i.e., various operating systems or security platforms)
Federated ATM Network
[Diagram: a customer presents an Account Number and PIN at a Visiting Bank Network]
WS-Federation
Primary Goal: “Single Sign-On” access across trust domains using identities from the different domains
WS-Federation defines a model for this by building on the WS-* security specifications:
Brokering trust
Sign out messages
Attribute service
Pseudonym service
WS-Federation Terms
Authorities
Security Token Service (STS) – Web service that issues security tokens; makes assertions based on evidence that it trusts to whoever trusts it
Identity Provider (IP) – Entity that acts as an authentication service to end requestors (an extension of a basic STS)
Principals
Requestor
Resource
Other Services
One Protocol, Multiple Bindings
Common protocol (WS-Trust)
Two “profiles” of the model are defined
Smart/Active clients (SOAP)
Passive clients (Browser – HTTP/S)
Supporting services (attribute/pseudonym/…)
Sample topologies
Direct trust
Exchange
Validation
Indirect trust
Delegation
Direct Trust: Token Exchange
[Diagram: two IP/STSs with a direct trust relationship; the requestor gets an identity token from its own IP/STS (1), then gets an access token from the resource's IP/STS (2) and presents it to the resource]
Direct Trust Flow
[Sequence diagram; participants: Requestor, Requestor IP/STS, Service IP/STS, WS Service. Messages in order:]
Acquire policy
Return policy
Request token
Return token
Request token
Return token
Return result
Direct Trust: Token Validation
[Diagram: two IP/STSs with a direct trust relationship; the token is validated rather than exchanged]
Indirect Trust
[Diagram: three IP/STSs (A, B, C) linked by trust relationships; the requestor reaches two resources through the intermediary IP/STS, numbered steps 1 to 5]
Single Sign-Out
[Diagram: the requestor sends a sign-out to its IP/STS (1); the IP/STS propagates sign-out messages (2) to the other IP/STSs and resources]
Sign-Out Message
<S:Envelope>
  <S:Header>
    ...
    <wsu:Timestamp wsu:Id="ts">
      ...
    </wsu:Timestamp>
    <wsse:Security>
      <!-- Signature referencing IDs "ts" & "so" -->
      ...
    </wsse:Security>
  </S:Header>
  <S:Body>
    <wsse:SignOut wsu:Id="so">
      <wsse:SignOutBasis>
        <wsse:UsernameToken>
          <wsse:Username>NNK</wsse:Username>
        </wsse:UsernameToken>
      </wsse:SignOutBasis>
    </wsse:SignOut>
  </S:Body>
</S:Envelope>
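As an added example, not from the slides or the WS-Federation specification: a Python check a resource could run on an incoming sign-out message shaped like the one above before it terminates the named user's sessions. It assumes the XML-DSig signature value has already been verified by a WS-Security library against the IP/STS key; the namespace URIs in the constructed sample are assumptions, and the check matches on local names so it does not depend on them.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the slides' sign-out message. Namespace URIs are
# assumptions (SOAP 1.1, OASIS WSS 1.0, XML-DSig); the checks match local names only.
SAMPLE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><S:Header>
 <wsu:Timestamp wsu:Id="ts"><wsu:Created>{created}</wsu:Created></wsu:Timestamp>
 <wsse:Security><ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#ts"/><ds:Reference URI="#so"/></ds:SignedInfo></ds:Signature></wsse:Security>
</S:Header><S:Body>
 <wsse:SignOut wsu:Id="so"><wsse:SignOutBasis><wsse:UsernameToken>
  <wsse:Username>NNK</wsse:Username></wsse:UsernameToken></wsse:SignOutBasis></wsse:SignOut>
</S:Body></S:Envelope>"""
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def local(name):            # strip "{uri}" so the check is version-agnostic
    return name.rsplit("}", 1)[-1]

def find(elem, name):       # all descendants with a given local name
    return [e for e in elem.iter() if local(e.tag) == name]

def wsu_id(elem):           # value of the wsu:Id attribute, whatever its namespace
    return next((v for k, v in elem.attrib.items() if local(k) == "Id"), None)

def check_sign_out(xml_text, now, max_age=timedelta(minutes=5)):
    """Return the Username to sign out, or raise ValueError.
    Assumes the Signature value was already verified against the IP/STS key by a
    WS-Security library; this checks coverage, freshness and the SignOutBasis."""
    root = ET.fromstring(xml_text)
    ts, so, sec = find(root, "Timestamp"), find(root, "SignOut"), find(root, "Security")
    if len(ts) != 1 or len(so) != 1 or len(sec) != 1:
        raise ValueError("expected exactly one Timestamp, SignOut and Security header")
    # Both the timestamp and the SignOut body must be covered by the signature;
    # otherwise either part could be replaced without invalidating it.
    signed = {r.get("URI", "").lstrip("#") for r in find(sec[0], "Reference")}
    needed = {wsu_id(ts[0]), wsu_id(so[0])}
    if None in needed or not needed <= signed:
        raise ValueError("signature does not cover both Timestamp and SignOut")
    created = find(ts[0], "Created")[0].text.replace("Z", "+00:00")
    created = datetime.fromisoformat(created)
    if not (now - max_age <= created <= now + timedelta(minutes=1)):
        raise ValueError("timestamp outside acceptance window (replay or clock skew)")
    users = [u.text for u in find(so[0], "Username") if u.text]
    if len(users) != 1:
        raise ValueError("SignOutBasis must carry exactly one Username")
    return users[0]
```

A message whose signature covers only the timestamp, or whose timestamp is outside the window, is rejected before any session is touched.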
Requesting Sign-Out Message
<wsse:RequestSSOMessages>
  <wsa:EndpointReference>
    <wsa:Reference>http://business456.com/SSO</wsa:Reference>
  </wsa:EndpointReference>
  <wsse:UsernameToken>
    <wsse:Username>Nicholas</wsse:Username>
  </wsse:UsernameToken>
</wsse:RequestSSOMessages>
Attribute Service
Scenario: You ask a weather service for the current weather (or visit a weather site); it provides a personalized response because it knows your zip code
Why it worked:
Policy indicated an attribute service
Identity information was used to find zip code
Weather service was authorized to access zip code (opt-in)
[Diagram: an attribute store holding Zip: 12309, FN: Fred, ID: 3442 (fabrikam123.com); Nick: Freddo, ID: FJ454 (business456.com); Nick: Fredster, ID: 3-55-34 (example.com); requestor and resource each consult policy (steps 2 and 4), and the resource issues a “Get FN” query]
Attribute Example
[Diagram: an Attribute Service and two IP/STSs linked by trust relationships; the requestor obtains a token (steps 1, 2) and the resource retrieves Zip: 12309 and FN: Fred from the attribute service (step 4)]
Protecting Identity
Single sign-on also needs to
Prevent identity tracking
Provide anonymity
Static Identifier Example
[Diagram: the IP/STS knows the requestor as “Fred” and issues the identifier “Fred@STS” (1); the resource sees the same “Fred@STS”]
Static Per-Target Example
[Diagram: the IP/STS knows the requestor as “Fred” and issues a different static identifier per target: “A123” for one resource (steps 1, 2) and “B456” for another (steps 3, 4)]
Pseudonym Service
[Diagram: requestor, resource and pseudonym service, with policy consulted at steps 2 and 4]
Pseudonym Example 1
[Diagrams: the B456.com IP, which trusts the B456.com Pseudonym Service, knows the requestor “Fred”; the identifiers “A123@B456.com” and “B456@B456.com” and the pseudonym “Freddo@F123.com” are exchanged among requestor, IP, pseudonym service and resource over numbered steps 1 to 4, including a token request]
[Sequence diagram; messages in order:]
Acquire policy
Request token
Return token
Request token
Return token
Get resource
Login
Secondary References
Web Services Federation Language (WS-Federation)
This is the complete WS-Federation specification.
http://msdn.microsoft.com/ws/2003/07/ws-federation/