Sun, Microsoft Could Align Security For Web Services

There is growing hope that 'Liberty Alliance' and 'WS-Security' security plans will soon be interoperable. See why.

Tags: WS-Security, SAML, Liberty, Support, Authentication, Security, Accounts

Common ground is emerging between the Sun-Novell-RSA Liberty Alliance, which builds on the OASIS SAML standard, and the WS-Security framework proposed by Microsoft, IBM and Verisign.

And, more important to developers than the politics, both groups are supplying technologies, specifications and test implementations to show that interoperable end-to-end web service security may become a reality, perhaps even by the end of the year.

Last week, Sun and the Liberty Alliance Project released Version 1.0 of their specification for web services-based single sign-on. The Liberty 1.0 specifications outline a number of key single sign-on features, including the ability for a user to link accounts held by different service providers and to authenticate, communicate and log out across those accounts.

The Liberty 1.0 spec is based on SAML (Security Assertion Markup Language) from the Organization for the Advancement of Structured Information Standards (OASIS), and uses SAML's XML framework for exchanging authentication and authorization information.

Microsoft Finds Merits in SAML Support
With the release of Liberty 1.0, Microsoft execs told Integration Developer News that they are planning to support SAML within WS-Security. "Last week we talked about how we would think about SAML. WS-Security will look at Liberty and SAML as just another credential type, and we expect to have support in WS-Security this year," Adam Sohn, a product manager in Microsoft's .NET platform strategy group, told IDN.

Notably, OASIS now manages the standards process for both SAML and WS-Security, having also formed a technical committee to advance the WS-Security standard. Read more on the scope of the OASIS committee here. This will no doubt hasten whatever agreements can be reached between Liberty and WS-Security.

"OASIS is setting us up for success," Sohn said, "Members of the OASIS security committee want to see all of our work reconciled, and we want to see SAML token support in WS-Security." Sohn added that WS-Security's decision to support SAML (and Liberty) will not prompt WS-Security to "downplay" plans to support a variety of security mechanisms already at work within the enterprise, including PKI, Kerberos and even SSL.

For more on the prospective agreement between WS-Security and SAML, the UK's The Register provides a good summary of the announcements made during the Burton Group Catalyst 2002 Conference in San Francisco.

Where Liberty and WS-Security Meet
The Liberty 1.0 specifications propose a single sign-on approach for enabling end-to-end business transactions between enterprises. It is a machine-to-machine authentication scheme: the Liberty 1.0 specifications do not define the exchange of a user's personal information. Instead, they define a format for passing authentication information between companies, so that the user's identity data stays with the provider that holds it rather than being copied to every partner.

The functions Liberty proposes include:
  • Opt-in account linking - Users can choose to link accounts they hold with different service providers within "circles of trust" (such as companies with existing business agreements or affinity programs).
  • Simplified sign-on for linked accounts - Once a user's accounts are federated, the user can log in and authenticate at one linked account and navigate to another linked account without having to log in again.
  • Authentication context - Institutions or companies linking accounts can communicate the type of authentication that should be used when the user logs in.
  • Global log-out - Once a user logs out of the site where they initially logged in, the user can be automatically logged out of all the other linked sites where the user still has a live session.
  • Liberty Alliance client feature - This can be implemented in particular client solutions on fixed and wireless devices to facilitate use of the Liberty 1.0 specifications.

For its part, WS-Security's approach to authentication is to support a wide variety of credential types, including Kerberos, PKI and even SSL. And now that WS-Security has been handed to the standards community at OASIS, Sohn said he expects rapid progress on WS-Security's ability to carry SAML, once that standard is finalized by OASIS.

There are other signs of hope for cooperation between the rivals: WS-Security is developing a SAML binding, and during the recent Burton Group conference on security, WS-Security engineers demonstrated carrying SAML assertions inside a WS-Security envelope.
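To make concrete what "SAML as just another credential type" means on the wire, here is an added example (written for this page; it is not code from Microsoft, IBM, Sun or the Liberty Alliance, and it is not the binding those engineers demonstrated). It builds a SOAP 1.1 envelope whose wsse:Security header carries a constructed SAML 1.0 assertion next to an X.509 BinarySecurityToken, lists the credentials a receiver finds in that header, and returns the authenticated subject only when the assertion sits in the Security header, names a trusted issuer and is inside its validity window. The issuer name idp.example.com, the token contents and the WS-Security namespace URI (the one used by the July 2002 draft) are assumptions; verification of the issuer's XML signature over the assertion, which any real deployment needs before trusting the subject, is left out.

```python
"""Added example: a SAML 1.0 assertion carried as one credential among several
inside a WS-Security header, plus the receiver-side checks on where it sits,
who issued it and when it is valid. Constructed sample data throughout."""
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"        # SOAP 1.1
# Assumption: the July 2002 WS-Security draft namespace; the OASIS standard
# that followed uses a different URI.
WSSE = "http://schemas.xmlsoap.org/ws/2002/07/secext"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"            # SAML 1.0 assertions


def build_envelope(security_tokens: str, body: str) -> str:
    """Wrap the given tokens in a wsse:Security header of a SOAP 1.1 envelope."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:saml="{SAML}">'
        f'<soap:Header><wsse:Security soap:mustUnderstand="1">'
        f'{security_tokens}</wsse:Security></soap:Header>'
        f'<soap:Body>{body}</soap:Body></soap:Envelope>'
    )


# Constructed assertion from a hypothetical identity provider (unsigned here).
SAML_ASSERTION = (
    '<saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="_a1" '
    'Issuer="idp.example.com" IssueInstant="2002-07-15T10:00:00Z">'
    '<saml:Conditions NotBefore="2002-07-15T10:00:00Z" '
    'NotOnOrAfter="2002-07-15T10:05:00Z"/>'
    '<saml:AuthenticationStatement '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
    'AuthenticationInstant="2002-07-15T09:59:30Z">'
    '<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>'
    '</saml:AuthenticationStatement></saml:Assertion>'
)
# Constructed X.509 token; the value is a base64 placeholder, not a certificate.
X509_TOKEN = (
    '<wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">'
    'Q29uc3RydWN0ZWQgY2VydCBwbGFjZWhvbGRlcg==</wsse:BinarySecurityToken>'
)
USERNAME_TOKEN = '<wsse:UsernameToken><wsse:Username>bob</wsse:Username></wsse:UsernameToken>'

# Header carries a SAML assertion and an X.509 token side by side.
MIXED_MESSAGE = build_envelope(SAML_ASSERTION + X509_TOKEN, "<order id='1'/>")
# Same assertion, but placed in the Body instead of the Security header.
MISPLACED_MESSAGE = build_envelope(USERNAME_TOKEN, SAML_ASSERTION)


def security_header(message: str) -> Optional[ET.Element]:
    """Return the wsse:Security header element, or None if absent."""
    root = ET.fromstring(message)
    return root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")


def list_credentials(message: str) -> List[Tuple[str, str]]:
    """Enumerate (kind, detail) for each token in the Security header only."""
    header = security_header(message)
    if header is None:
        return []
    creds = []
    for tok in header:
        if tok.tag == f"{{{SAML}}}Assertion":
            creds.append(("saml", tok.get("Issuer", "")))
        elif tok.tag == f"{{{WSSE}}}BinarySecurityToken":
            creds.append(("binary", tok.get("ValueType", "")))
        elif tok.tag == f"{{{WSSE}}}UsernameToken":
            creds.append(("username", tok.findtext(f"{{{WSSE}}}Username", "")))
        else:
            creds.append(("unknown", tok.tag))
    return creds


def utc_time(stamp: str) -> datetime:
    """Parse a SAML-style UTC timestamp such as 2002-07-15T10:02:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def saml_subject(message: str, now: datetime, trusted_issuers: Set[str]) -> Optional[str]:
    """Return the asserted subject, or None when the assertion is missing from
    the Security header, comes from an untrusted issuer, or is outside its
    NotBefore/NotOnOrAfter window. Signature verification is not performed."""
    header = security_header(message)
    if header is None:
        return None
    assertion = header.find(f"{{{SAML}}}Assertion")
    if assertion is None or assertion.get("Issuer") not in trusted_issuers:
        return None
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is not None:
        if "NotBefore" in cond.attrib and now < utc_time(cond.get("NotBefore")):
            return None
        if "NotOnOrAfter" in cond.attrib and now >= utc_time(cond.get("NotOnOrAfter")):
            return None
    return assertion.findtext(
        f"{{{SAML}}}AuthenticationStatement/{{{SAML}}}Subject/{{{SAML}}}NameIdentifier"
    )


if __name__ == "__main__":
    print(list_credentials(MIXED_MESSAGE))
    print(saml_subject(MIXED_MESSAGE, utc_time("2002-07-15T10:02:00Z"), {"idp.example.com"}))
    print(saml_subject(MISPLACED_MESSAGE, utc_time("2002-07-15T10:02:00Z"), {"idp.example.com"}))
```

Two design points matter for a receiver. First, only tokens inside the wsse:Security header count as credentials; an assertion a sender drops into the Body (MISPLACED_MESSAGE) is ignored, which keeps application payload from being mistaken for authentication. Second, the issuer and validity-window checks are necessary but not sufficient: without verifying the identity provider's signature over the assertion, anyone who can write XML can mint a subject of their choice, so the subject this code returns should not be trusted until that check is added.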

But WS-Security will not limit itself to SAML. Since its inception earlier this year, IBM and Microsoft have intended WS-Security to be a modular overall security framework, of which authentication is only one module.

Other proposed areas of the WS-Security web services security framework include:
  • WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms, privacy rules)
  • WS-Trust: will describe a framework for trust models that enables Web services to securely interoperate.
  • WS-Privacy: will describe a model for how Web services and requesters state privacy preferences and organizational privacy practice statements.
  • WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys.
  • WS-Federation: will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities.
  • WS-Authorization: will describe how to manage authorization data and authorization policies.

Microsoft's Sohn wouldn't commit to a specific date when these added WS specifications might be released for formal public review, but he did say he expects Microsoft to ship first implementations of, and support for, WS-Security in the .NET Framework by year's end.