Welcome!

Microservices Expo Authors: Karthick Viswanathan, Liz McMillan, Elizabeth White, Stackify Blog, Pat Romanski

Related Topics: Microservices Expo

Microservices Expo: Article

Identity Propagation in a SOA

The shortcomings of current solutions

One of the challenges IT organizations face is how to propagate identities in complex business processes that are commonly found in Service Oriented Architectures (SOAs). Identities, which are passed from one service invocation to the next in a business process, give the process a user context. Identities can be used to determine access rights to SOA services and for audit and compliance purposes.

For example, consider a procurement business process for an application that's used by a number of purchasing agents. Each agent has a different purchasing privilege. Say a senior agent can purchase up to $50,000 in a transaction, while a junior agent can buy only $25,000. If the business process that enables the purchase is composed of a number of SOA services, each service must know the user's identity to enforce purchasing privileges.

This article shows the need for identities in an SOA, provides examples of SOAs, and reviews the status and shortcomings of current solutions.

Introduction to Identity Propagation
Before we look at identity propagation in an SOA, let's look at it in a three-tier environment, where it's easier to illustrate the basic concepts. Once again, we'll use the procurement application scenario - except this time, the application resides in a Web-based portal instead of being loosely coupled in an SOA.

The presentation and logic tiers exist in the portal application server and the data tier resides in the database. The identity of a procurement agent is established when the user starts accessing the portal application from the Web browser and the identity spans all three tiers of the portal. This identity is used for authentication and authorization purposes throughout the business processes tha span the portal. Identity propagation in this case spans from the Web browser, to the portal, to the backend database (see Figure 1).

To fully illustrate identity propagation, let's dig deeper into this scenario and see how the identity is propagated. The procurement application, which sits in the portal, requires the user to log in to gain access. When the agent initially accesses the portal, the portal presents a JSP- or HTML-based form that requires a username and password. These credentials are sent over an encrypted SSL channel to prevent anyone from sniffing the password over the wire.

Let's assume that the portal is running in a J2EE application server. The application would typically use a Java Authentication and Authorization Service (JAAS) login module to process the username and password, and then authenticate and authorize the user. The username and password credentials are checked against an LDAP directory, or perhaps an identity management infrastructure. If the login is successful, a JAAS subject is created in the current execution context of the J2EE portal. This object is used to identify the user in the J2EE container.

The subject is used to authorize any subsequent requests from the user to a secured resource in the application server. For example, the secured resource may be an Enterprise Java Bean (EJB) that accesses the portal's backend database. The subject is used to determine if the user should have access to the EJB. The user identity could also be propagated to the database using proprietary techniques such as impersonation, which could be used to determine if the user should have access to the backend data.

Figure 2 shows how an identity can be passed from the browser to the backend database. The identity is first passed from the browser to the portal application. From there, it can be propagated to EJBs or databases. At each step, the identity is bound to the resource. For example, JAAS is used to bind the identity of the portal user to an executing thread in the portal procurement application. This way, the user's identity can be used to determine access to subsequent resources.

The identity can also be used for audit and compliance purposes. The portal can set alerts for authentication or authorization failures in the banking application or database. Useful data can also be mined based on the user identities passing through the portal. For example, the bank could determine if purchasing agents are trying to exceed their purchasing limits.

Identities in an SOA
In our example, the techniques used to propagate identities are often proprietary or non-standard. This works well in closed environments, but in heterogeneous environments where services must be interoperable, proprietary techniques fall short. SOAs are typically composed of multi-vendor heterogeneous environments.

Think of an SOA as an evolution of the three-tier architecture where applications, like the portal, are loosely coupled applications built as a collection of services. The idea is to expose business logic as services in a reusable and interoperable fashion. For example, a service could:

  • Return a list of items that can be purchased
  • Return the status of a purchase order
  • Submit a purchase order.
SOA services aren't necessarily uniform. For example, they could be exposed through different types of protocols such as JMS, REST, RMI, .NET Remoting, MQSeries, or SOAP (see Figure 3).

These services can also be orchestrated business processes where services are wired together into business flows and are often orchestrated using open standards such as BPEL. For example, consider an auto loan service, where a bank customer submits an application online. The service processes the application and does a credit check on the applicant. If the applicant's credit meets a certain standard, it's forwarded to the fulfillment service. After the processing is finished, the paperwork is sent to the orchestrating process (see Figure 4).

SOA is quite flexible and powerful, but its decoupled design makes it difficult to propagate an identity across business processes. For example, a transaction may span a multitude of messaging services such as Web Services, MQSeries, and JMS.

Each service has its own way of transporting identities. JMS and MQSeries can pass SOAP-based XML messages in their payload, but these services often aren't XML-based and use different payload types. SOAP-based Web Services have a distinct advantage over other messaging protocols since they can use WS-Security headers in the SOAP envelope to propagate identities (see Figure 5).

The WS-Security header is standardized security metadata located in a SOAP header in the SOAP envelope. WS-Security provides data integrity (XML encryption) and data authenticity (XML signature). In addition, it offers a way to insert standard security tokens such as X.509 certificates, Kerberos tickets, and Security Assertion Markup Language (SAML) assertions in the WS-Security header. For example, SAML was designed to provide a standardized exchange of security information using XML documents referred to as SAML assertions. The following code shows how an identity would be bound to a SOAP message using SAML:

<wsse:Security ...>
    . . .
    <saml:assertion= ...>
      . . .
      <saml:Subject>
        <saml:NameIdentifier ...>
          CN=Joe User, OU=purchasing, O=Widget Inc
        </saml:NameIdentifier>
      </saml:Subject>
    . . .
<wsse:Security ...>

Binding the original requestor's identity to the request itself is the way to propagate identities. The request may be modified throughout the lifecycle of the transaction, but the identity of the requester must always be attached to the request. In this context, identity propagation presents many advantages. At each step, the user's identity is used to determine access to any secured resource.

WS-Security provides the semantics for binding user information to SOAP messages. In the listing above, the identity of the user is Joe User, who is in the purchasing organization at Widget, Inc. This identity is bound to the SOAP message using SAML as defined by the open WS-Security.

The SAML token goes beyond just identifying the user. It can also package additional information about the user in the form of attributes, which are used for authorization decisions. Attribute statements provide specific details about the subject; for example, the user holds Gold status. Authorization decision statements identify what the subject is entitled to do. For example, SAML assertion attributes can be mapped to roles defined in an access control infrastructure. A relying party that processes a SAML token could use these statements for fine-grained access control.

SOA Identity Propagation
Let's return to the orchestrated business process example that accessed the credit rating and loan processing services. The fulfillment service could be exposed as a Web Service, but the credit rating service might use MQSeries to access a legacy database. These two services can use different means to propagate identities. If you need to tie these services together, how do you propagate the identity from SOAP into a native MQSeries? This can be the start of many headaches. If a business process spans multiple services, how do you relay the identity of the original requestor throughout the transaction?

To simplify this problem, identity propagation should ideally be carried out with a single security token - for instance, a SAML assertion as described above. Secure identity propagation lets you make sure that only appropriate requests are processed. It also provides an audit trail throughout a transaction. Identity propagation requires that the identity of the original requester be bound to each step of the business process or transaction.

Business processes found in SOAs often span a multitude of protocols. The security token should have a standard way to bind to these protocols. A SAML token, as a standard XML representation for describing user identity and attributes, is uniquely suited for this purpose. Figure 6 shows a simple example of a SAML token spanning the services and protocols in the credit check service.

Currently, a SAML token is attached only to SOAP protocols. It would be useful to extend it to other native protocols such as JMS, SQL*net/ODBC, or even Inter-ORB. Ideally, all SOA-protected resources should be able to leverage SAML tokens. These protected resources should also be able to use an identity management Single Sign-On (SSO) server to determine access rights based on the tokens. When a policy is changed in the SSO server, it would affect all of the components that use it for security decisions.


More Stories By Marc Chanliau

Marc Chanliau has been in the software industry for more than 20 years and is currently a director of product management at Oracle where he is responsible for Identity Management solutions and innovations. He is heavily involved in security and XML standards groups including serving as the first chair person of the OASIS Security Services Technical Committee (SSTC), which culminated in the adoption of SAML as an official OASIS standard, participating on the WS-Security Technical Committee, helping to define the Liberty Alliance 2.0 specifications, and participating in the Java Specification Request (JSR) committee.

More Stories By William Bathurst

William Bathurst is a senior product manager at Oracle with 18 years of industry experience. He is currently the product manager for J2EE security and web services management.

More Stories By Ramana Turlapati

Ramana Turlapati is a consulting member of the technical staff at Oracle with 12 years of industry experience. In his current role as the security architect for Oracle Web Services Manager, he contributes to Oracle's overall Web Services security strategies and solutions.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
From manual human effort the world is slowly paving its way to a new space where most process are getting replaced with tools and systems to improve efficiency and bring down operational costs. Automation is the next big thing and low code platforms are fueling it in a significant way. The Automation era is here. We are in the fast pace of replacing manual human efforts with machines and processes. In the world of Information Technology too, we are linking disparate systems, softwares and tool...
All organizations that did not originate this moment have a pre-existing culture as well as legacy technology and processes that can be more or less amenable to DevOps implementation. That organizational culture is influenced by the personalities and management styles of Executive Management, the wider culture in which the organization is situated, and the personalities of key team members at all levels of the organization. This culture and entrenched interests usually throw a wrench in the work...
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
DevOps sees the coming together of practices, philosophies, and tools that allow you to create services and applications very quickly. This means that you can improve on your apps and evolve them at a much faster rate than those developers who are using traditional software development processes. We’ve talked about DevOps, in general, a great deal, but today, we’re going to dig a little deeper and take a look at Java DevOps specifically.
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, discussed how to use Kubernetes to set up a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace. H...
With continuous delivery (CD) almost always in the spotlight, continuous integration (CI) is often left out in the cold. Indeed, it's been in use for so long and so widely, we often take the model for granted. So what is CI and how can you make the most of it? This blog is intended to answer those questions. Before we step into examining CI, we need to look back. Software developers often work in small teams and modularity, and need to integrate their changes with the rest of the project code b...
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
From personal care products to groceries and movies on demand, cloud-based subscriptions are fulfilling the needs of consumers across an array of market sectors. Nowhere is this shift to subscription services more evident than in the technology sector. By adopting an Everything-as-a-Service (XaaS) delivery model, companies are able to tailor their computing environments to shape the experiences they want for customers as well as their workforce.
If you read a lot of business and technology publications, you might think public clouds are universally preferred over all other cloud options. To be sure, the numbers posted by Amazon Web Services (AWS) and Microsoft’s Azure platform are nothing short of impressive. Statistics reveal that public clouds are growing faster than private clouds and analysts at IDC predict that public cloud growth will be 3 times that of private clouds by 2019.
"At the keynote this morning we spoke about the value proposition of Nutanix, of having a DevOps culture and a mindset, and the business outcomes of achieving agility and scale, which everybody here is trying to accomplish," noted Mark Lavi, DevOps Solution Architect at Nutanix, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that Calligo has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Calligo is an innovative cloud service provider offering mid-sized companies the highest levels of data privacy. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalized support service from its globally located cloud platfor...
"DivvyCloud as a company set out to help customers automate solutions to the most common cloud problems," noted Jeremy Snyder, VP of Business Development at DivvyCloud, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We focus on SAP workloads because they are among the most powerful but somewhat challenging workloads out there to take into public cloud," explained Swen Conrad, CEO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - we've lost control, we've given up cost to a certain extent, and then security, flexibility," explained Steve Conner, VP of Sales at Cloudistics,in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Peak 10 is a hybrid infrastructure provider across the nation. We are in the thick of things when it comes to hybrid IT," explained , Chief Technology Officer at Peak 10, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I think DevOps is now a rambunctious teenager – it’s starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I will be talking about ChatOps and ChatOps as a way to solve some problems in the DevOps space," explained Himanshu Chhetri, CTO of Addteq, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with...
If you are thinking about moving applications off a mainframe and over to open systems and the cloud, consider these guidelines to prioritize what to move and what to eliminate. On the surface, mainframe architecture seems relatively simple: A centrally located computer processes data through an input/output subsystem and stores its computations in memory. At the other end of the mainframe are printers and terminals that communicate with the mainframe through protocols. For all of its apparen...
DevOps at Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to w...