Web Services and Federated Identity

Standards to better define a space

Since the advent of Web services, and other distributed computing standards for that matter, we've been wrestling with the notion of identity and how to manage it.

Truth be told, identity management has been put on the back burner as organizations attempt to get their first Web services projects up and running. However, as Web services become more pervasive, this issue is getting more attention.

With the increased interest in identity management has come the need for standards to better define this space. These standards all aim to bind the identity management systems within an organization together into a unified whole, allowing everyone to be known to everyone else, securely. To that end, let's examine the emerging standards, along with the notion of federated identity management.

Who Are You?

So, why do we need identity management? Web services are not for internal use only anymore, and those who leverage Web services (consumers), or produce Web services (providers), need to be known to each other, else we risk invoking malicious or incorrect behavior, which could cost us dearly. This is clearly the case within trading communities that leverage Web services. Many outside organizations are binding to your services and you to theirs, and the potential for disaster increases, unless you know just who you're dealing with.

Identity becomes more important as sensitive data and confidential relationships move online. Without identities, there is no way to grant particular users access to particular resources.

Today, we use managed identities, including different user names, passwords, and other identifying attributes. The same person may have links to many organizations, including frequent flyer sites, banking sites, employee benefit sites, etc. Perhaps you have a list of user names and passwords in your drawer today.

The number of identities that we have creates a challenge. We've all written down user IDs and passwords on sticky notes just to remember them. Moreover, IT organizations find it increasingly difficult to manage the profusion of identity databases, even within their own organizations. The problem becomes more of an issue as we extend our reach outside of the firewall, between organizations. Enter federated identity and a potential solution to this problem.

Federated identity, including supporting standards such as those from OASIS and the Liberty Alliance project, is the mechanism organizations may employ to share identity information between domains. While most understand the value of an identity management system internal to an enterprise, federated identity presents a new set of problems, and an opportunity for solutions.

There are many benefits to employing federated identity solutions, including the ability to perform logging and audit functions centrally, cost reductions associated with password resets, and secure access to many existing heterogeneous applications.

Standards and Identity

In order to support the notion of federated identity you need a loosely coupled architecture that allows for the exchange of identity information in and between entities. Thus, we must all get on the same channel as far as interfaces, messaging, security, and content standards, or we have no hope of solving this problem. There are three contenders:
  • OASIS and SAML
  • Microsoft, IBM, and the WS-Roadmap
  • Liberty Alliance

Security Assertion Markup Language (SAML)

SAML is an XML framework for exchanging security information over the Internet. It enables disparate security systems to interoperate using a single security mechanism, thus providing federated identity management. SAML sits within a system's security mechanisms to enable the exchange of identity and entitlement information with other services. It defines the structure of the documents that transport security information among services.

SAML has the following components:

  • Assertions and request/response protocols
  • Bindings (the SOAP-over-HTTP method of transporting SAML requests and responses)
  • Profiles (for embedding and extracting SAML assertions in a framework or protocol)
  • Security considerations while using SAML (highly recommended reading)
  • Conformance guidelines and a test suite
  • Use cases and requirements

SAML provides the technology that supports single sign-on using XML. Using SAML authentication, you sign on once and receive a SAML authentication assertion in response to the request. This authentication assertion is simple XML and is transportable using SOAP.

WS-Roadmap

This is really just a white paper published by IBM and Microsoft outlining a roadmap for building a set of Web services security specifications. WS-Security was the first specification they published.

The WS-Security specification proposes a standard set of SOAP extensions that can be leveraged when building secure Web services to implement confidentiality, or the ability to leverage Web services without having to worry about others getting into your business.

WS-Security is designed as the base for the construction of a wide variety of security models, which include:

  • PKI
  • Kerberos
  • SSL

Moreover, WS-Security provides support for multiple security tokens, multiple trust domains, multiple signature formats, and multiple encryption technologies. This standard defines three main mechanisms:

  • Security token propagation
  • Message integrity
  • Message confidentiality

None of these mechanisms by itself provides a complete security solution; WS-Security is a building block that can be used in conjunction with other Web services extensions and higher-level application-specific protocols to leverage a wide range of security and encryption technologies. You may use these mechanisms independently (e.g., to pass a security token) or tightly integrated - for example, signing and encrypting a message and providing a security token hierarchy associated with the keys used for signing and encryption.

The importance of leveraging this standard in the world of application integration is obvious: we seek ways to exchange messages between enterprises with the assurance that those outside the trading partners won't have access to them. The support for multiple security standards is an added value as well, considering the number of organizations that may be involved and the diverse security technologies that may be in place.
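A defender-side check that ties the SAML and WS-Security sections together (an added example, not code from the article or from any of the standards bodies named here): it parses a SOAP message whose WS-Security header carries a wsu:Timestamp and a SAML assertion as the propagated security token, and accepts the request only if the message is fresh, the assertion comes from a trusted issuer, is inside its validity window, and names this service as its audience. The envelope, issuer and audience URLs are constructed sample values, the SAML 2.0 namespace is an assumption (the article predates it), and verification of the XML signature over the assertion is assumed to have happened beforehand.

```python
# Added example (not the article's code): validate a SAML 2.0 assertion carried as the
# security token of a WS-Security header. Assumes the XML-DSig signature over the
# assertion was already verified; the envelope and URLs below are constructed samples.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
 <soap:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
   <wsu:Timestamp><wsu:Created>2004-08-12T16:55:00Z</wsu:Created><wsu:Expires>2004-08-12T17:00:00Z</wsu:Expires></wsu:Timestamp>
   <saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0" ID="_a1">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2004-08-12T16:50:00Z" NotOnOrAfter="2004-08-12T17:05:00Z">
     <saml:AudienceRestriction><saml:Audience>https://orders.example.net/ws</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
   </saml:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body><PlaceOrder xmlns="urn:example:orders"/></soap:Body>
</soap:Envelope>"""

def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _get(node, path):
    """Find a required child; a missing element is a rejection, never a silent default."""
    found = node.find(path, NS)
    if found is None:
        raise ValueError(f"missing {path}")
    return found

def check_security_header(envelope, audience, trusted_issuers, now):
    """Return the asserted subject, or raise ValueError saying why the request is rejected."""
    sec = _get(ET.fromstring(envelope), "soap:Header/wsse:Security")
    ts = _get(sec, "wsu:Timestamp")
    created, expires = (parse_utc(_get(ts, p).text) for p in ("wsu:Created", "wsu:Expires"))
    if not created <= now < expires:                     # stale or replayed message
        raise ValueError("message timestamp outside validity window")
    assertion = _get(sec, "saml:Assertion")
    issuer = _get(assertion, "saml:Issuer").text
    if issuer not in trusted_issuers:                    # only federated partners we trust
        raise ValueError(f"untrusted issuer {issuer}")
    cond = _get(assertion, "saml:Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if None in (nb, na) or not parse_utc(nb) <= now < parse_utc(na):
        raise ValueError("assertion outside (or without) a validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:                        # token minted for another service
        raise ValueError("assertion not addressed to this service")
    return _get(assertion, "saml:Subject/saml:NameID").text
```

Each rejection names the failed check, so the consumer can log why a partner's request was refused without leaking the assertion itself.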

Liberty Alliance

The Liberty Alliance is really a consortium of about 170 companies that built a specification for federated identity management. The idea, at first, was to create a single comprehensive federated identity specification. However, last year they also released a new blueprint describing three specifications. You can leverage the specifications together, or separately.

They include:

  • Identity Federation Framework (ID-FF): Allows single sign-on and account linking between entities with pre-established relationships
  • Identity Web Services Framework (ID-WSF): Allows groups of trusted partners to link to other groups, providing control over how their information is shared
  • Identity Services Interface Specifications (ID-SIS): Builds a set of interoperable services on top of the ID-WSF specification

As we move forward with service-oriented architectures (SOAs), and learn to extend them beyond the bounds of our firewalls, the need for identity management technology will increase. Security is sometimes an afterthought when building an SOA internally, but those looking to extend their SOA outside of the firewall are seeing the need now.

More Stories By David Linthicum

Dave Linthicum is Sr. VP at Cloud Technology Partners, and an internationally known cloud computing and SOA expert. He is a sought-after consultant, speaker, and blogger. In his career, Dave has formed or enhanced many of the ideas behind modern distributed computing including EAI, B2B Application Integration, and SOA, approaches and technologies in wide use today. In addition, he is the Editor-in-Chief of SYS-CON's Virtualization Journal.

For the last 10 years, he has focused on the technology and strategies around cloud computing, including working with several cloud computing startups. His industry experience includes tenure as CTO and CEO of several successful software and cloud computing companies, and upper-level management positions in Fortune 500 companies. In addition, he was an associate professor of computer science for eight years, and continues to lecture at major technical colleges and universities, including University of Virginia and Arizona State University. He keynotes at many leading technology conferences, and has several well-read columns and blogs. Linthicum has authored 10 books, including the ground-breaking "Enterprise Application Integration" and "B2B Application Integration."

Most Recent Comments
Alan Karp 08/12/04 12:55:21 PM EDT

There's a reason that "identity management has been put on the back burner". Federated identity management is a difficult problem. Fortunately, it is one that doesn't need to be solved.

Knowing who someone is doesn't tell you what you need to know to make an access decision. What you need to know is that the request is authorized. Who is making the request and how that person got the authorization is extraneous.

Making access decisions based on the identity of the requester has a number of problems. It makes delegation difficult, leading people to share identities by sharing passwords or private keys. It makes management more complex by requiring updates to access tables every time someone changes jobs, even if these people work for other companies. It reduces security because the software people use gets all their authority even though it may not be acting in their best interest, which is what viruses do.

Properly separating identification, authentication, authorization, and access control leads to systems that are more secure, more manageable, more scalable, and easier to use. An added bonus is that we don't have to solve the difficult problem of distributed identity management.
