Welcome!

Microservices Expo Authors: Elizabeth White, Pat Romanski, Harry Trott, Yeshim Deniz, Kevin Jackson

Related Topics: Microservices Expo

Microservices Expo: Article

Web Services and Federated Identity

Standards to better define a space

Since the advent of Web services, and other distributed computing standards for that matter, we've been wrestling with the notion of identity and how to manage it.

Truth-be-told identity management has been put on the back burner as organizations attempt to get their first Web services projects up and running. However, as Web services become more pervasive, this is an issue that is getting more attention.

With the increased interest in identity management so too has risen the need for standards to better define this space. These standards all aim to bind identity management systems within an organization together into a unified whole, allowing for everyone to be known to everyone else, securely. To that point, let's examine the emerging standards, along with the notion of federated identity management.

Who Are You?

So, why do we need identity management? Web services are not for internal use only anymore, and those who leverage Web services (consumers), or produce Web services (providers), need to be known to each other, else we risk invoking malicious or incorrect behavior, which could cost us dearly. This is clearly the case within trading communities that leverage Web services. Many outside organizations are binding to your services and you to theirs, and the potential for disaster increases, unless you know just who you're dealing with.

Identity is important in the growth of sensitive data and confidential relationships online. Lacking identities, there is no way to provide certain users with access to certain resources.

Today, we use managed identities, including different user names, passwords, and other identifying attributes. The same person may have links to many organizations, including frequent flyer sites, banking sites, employee benefit sites, etc. Perhaps you have a list of user names and passwords in your drawer today.

The number of identities that we have creates a challenge. We've all written down user IDs and passwords on sticky notes just to remember them. Moreover, IT organizations find it increasingly difficult to manage the profusion of identity databases, even within their own organizations. The problem becomes more of an issue as we extend our reach outside of the firewall, between organizations. Enter federated identity and a potential solution to this problem.

Federated identity, including supporting standards such as those from OASIS and the Liberty Alliance project, is a defining mechanism that organizations may employ to share identity information between domains. While most understand the value of an identity management system internal to an enterprise, federated identity presents a new set of problems, and an opportunity for solutions.

There are many benefits to employing federated identity solutions, including the ability to perform logging and audit functions centrally, cost reductions associated with password reset, and access to many existing heterogeneous application securely.

Standards and Identity

In order to support the notion of federated identity you need a loosely coupled architecture that allows for the exchange of identity information in and between entities. Thus, we must all get on the same channel as far as interfaces, messaging, security, and content standards, or we have no hope of solving this problem. There are three contenders:
  • Oasis and SAML
  • Microsoft, IBM, and the WS-Roadmap
  • Liberty Alliance
Security Assertion Markup Language (SAML)
SAML is an XML framework for exchanging security information over the Internet and enables disparate security systems to interoperate using a single security mechanism, thus providing federated identity management. SAML resides within a system's security mechanisms to enable exchange of identity and entitlement with other services. It defines the structure of the documents that transport security information among services.

SAML has the following components:

  • Assertions and request/response protocols
  • Bindings (the SOAP-over-HTTP method of transporting SAML requests and responses)
  • Profiles (for embedding and extracting SAML assertions in a framework or protocol)
  • Security considerations while using SAML (highly recommended reading)
  • Conformance guidelines and a test suite
  • Use cases and requirements
SAML provides technology that supports a single sign-on using XML. Using SAML authentication, you can sign-on and receive a SAML authentication assertion as a response to the request. This authentication assertion is simple XML and is transportable using SOAP.

WS-Roadmap
This is really just a white paper published by IBM and Microsoft outlining a roadmap for building a set of Web services security specifications. WS-Security was the first specification they published.

The WS-Security specification proposes a standard set of SOAP extensions that can be leveraged when building secure Web services to implement confidentiality, or the ability to leverage Web services without having to worry about others getting into your business.

WS-Security is designed as the base for the construction of a wide variety of security models, which include:

  • PKI
  • Kerberos
  • SSL
Moreover, WS-Security provides support for multiple security tokens, multiple trust domains, multiple signature formats, and multiple encryption technologies. This standard defines three main mechanisms:
  • Security token propagation
  • Message integrity
  • Message confidentiality
Each of these technologies does not provide a complete security solution; WS-Security is a building block that can be used in conjunction with other Web services extensions and higher-level application-specific protocols to leverage a wide range of security and encryption technologies. You may use these independently (e.g., to pass a security token) or tightly integrated - for example, signing and encrypting a message and providing a security token hierarchy associated with the keys used for signing and encryption.

The importance of leveraging this standard in the world of application integration is obvious: we seek ways to exchange messages between enterprises with the assurance that those outside the trading partners won't have access to them. The support for multiple security standards is an added value as well, considering the number of organizations that may be involved and the diverse security technologies that may be in place.

Liberty Alliance
The Liberty Alliance is really a consortium of about 170 companies that built a specification for federated identity management. The idea, at first, was to create a comprehensive federated identity specification. However, last year they also released a new blueprint describing three specifications. You can leverage the specifications together, or separately.

They include:

  • Identity Federation Framework (ID-FF): Allows single sign-on and account linking between entities with pre-established relationships
  • Identity Web Services Framework (ID-WSF): Allows groups of trusted partners to link to other groups, providing control over how their information is shared
  • Identity Services Interface Specifications (ID-SIS): Builds a set of interoperable services on top of the ID-WSF specification
As we move forward with service-oriented architectures (SOAs), and learn to extend them beyond the bounds of our firewalls, the need for identity management technology will increase. Security is sometimes an afterthought when building an SOA internally, but those looking to extend their SOA outside of the firewall are seeing the need now.

More Stories By David Linthicum

Dave Linthicum is Sr. VP at Cloud Technology Partners, and an internationally known cloud computing and SOA expert. He is a sought-after consultant, speaker, and blogger. In his career, Dave has formed or enhanced many of the ideas behind modern distributed computing including EAI, B2B Application Integration, and SOA, approaches and technologies in wide use today. In addition, he is the Editor-in-Chief of SYS-CON's Virtualization Journal.

For the last 10 years, he has focused on the technology and strategies around cloud computing, including working with several cloud computing startups. His industry experience includes tenure as CTO and CEO of several successful software and cloud computing companies, and upper-level management positions in Fortune 500 companies. In addition, he was an associate professor of computer science for eight years, and continues to lecture at major technical colleges and universities, including University of Virginia and Arizona State University. He keynotes at many leading technology conferences, and has several well-read columns and blogs. Linthicum has authored 10 books, including the ground-breaking "Enterprise Application Integration" and "B2B Application Integration." You can reach him at [email protected] Or follow him on Twitter. Or view his profile on LinkedIn.

Comments (1) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Alan Karp 08/12/04 12:55:21 PM EDT

There''s a reason that "identity management has been put on the back burner". Federated identity management is a difficult problem. Fortunately, it is one that doesn''t need to be solved.

Knowing who someone is doesn''t tell you what you need to know to make an access decision. What you need to know is that the request is authorized. Who is making the request and how that person got the authorization is extraneous.

Making access decisions based on the identity of the requester has a number of problems. It makes delegation difficult, leading people to share identities by sharing passwords or private keys. It makes management more complex by requiring updates to access tables everytime someone changes jobs, even if these people work for other companies. It reduces security because the software people use gets all their authority even though it may not be acting in their best interest, which is what viruses do.

Properly separating identitification, authentication, authorization, and access control leads to systems that are more secure, more manageable, more scalable, and easier to use. An added bonus is that we don''t have to solve the difficult problem of distributed identity management.

@MicroservicesExpo Stories
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
The margins of cloud products like virtual machines are still in the 50% range. In essence, price drops are going to be a regular feature for the foreseeable future. This begets the question - are hosted solutions becoming irrelevant today? Boston-based market research firm, 451 Research, has been publishing their ‘Cloud Price Index' for a few years now. The quarterly study looks into the pricing of various offerings in the cloud market to understand the shifting dynamics in the public, privat...
What's the role of an IT self-service portal when you get to continuous delivery and Infrastructure as Code? This general session showed how to create the continuous delivery culture and eight accelerators for leading the change. Don Demcsak is a DevOps and Cloud Native Modernization Principal for Dell EMC based out of New Jersey. He is a former, long time, Microsoft Most Valuable Professional, specializing in building and architecting Application Delivery Pipelines for hybrid legacy, and cloud ...
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
"Tintri focuses on the Ops side of the DevOps, which basically is pushing more and more of the accessibility of the infrastructure to the developers and trying to get behind the scenes," explained Dhiraj Sehgal of Tintri in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We do one of the best file systems in the world. We learned how to deal with Big Data many years ago and we implemented this knowledge into our software," explained Jakub Ratajczak, Business Development Manager at MooseFS, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
Cloud Expo, Inc. has announced today that Andi Mann and Aruna Ravichandran have been named Co-Chairs of @DevOpsSummit at Cloud Expo Silicon Valley which will take place Oct. 31-Nov. 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. "DevOps is at the intersection of technology and business-optimizing tools, organizations and processes to bring measurable improvements in productivity and profitability," said Aruna Ravichandran, vice president, DevOps product and solutions marketing...
Managing mission-critical SAP systems and landscapes has never been easy. Add public cloud with its myriad of powerful cloud native services and this may not change any time soon. Public cloud offers exciting new possibilities for enterprise workloads. But to make use of these possibilities and capabilities, IT teams need to re-think everything they have done before. Otherwise, they will just end up using public cloud as a hosting platform for their workloads, aka known as “lift and shift.”
There's a lot to gain from cloud computing, but success requires a thoughtful and enterprise focused approach. Cloud computing decouples data and information from the infrastructure on which it lies. A process that is a LOT more involved than dragging some folders from your desktop to a shared drive. Cloud computing as a mission transformation activity, not a technological one. As an organization moves from local information hosting to the cloud, one of the most important challenges is addressi...
The reality of data ubiquity is here—data is buried in operational statistics, machine logs, stacks of overflowing tickets and customer details, among other things. How can any user get valuable information amid this rapid influx of data? Imagine a situation where your firm’s revenue takes a hit owing to an unexpected failure in some business process. It would be a nightmare for IT admins to sift through the interminable piles of data to deduce exactly why and where the problem occurred. To sav...
Hybrid IT is today’s reality, and while its implementation may seem daunting at times, more and more organizations are migrating to the cloud. In fact, according to SolarWinds 2017 IT Trends Index: Portrait of a Hybrid IT Organization 95 percent of organizations have migrated crucial applications to the cloud in the past year. As such, it’s in every IT professional’s best interest to know what to expect.
Both SaaS vendors and SaaS buyers are going “all-in” to hyperscale IaaS platforms such as AWS, which is disrupting the SaaS value proposition. Why should the enterprise SaaS consumer pay for the SaaS service if their data is resident in adjacent AWS S3 buckets? If both SaaS sellers and buyers are using the same cloud tools, automation and pay-per-transaction model offered by IaaS platforms, then why not host the “shrink-wrapped” software in the customers’ cloud? Further, serverless computing, cl...
In the decade following his article, cloud computing further cemented Carr’s perspective. Compute, storage, and network resources have become simple utilities, available at the proverbial turn of the faucet. The value they provide is immense, but the cloud playing field is amazingly level. Carr’s quote above presaged the cloud to a T. Today, however, we’re in the digital era. Mark Andreesen’s ‘software is eating the world’ prognostication is coming to pass, as enterprises realize they must be...
A common misconception about the cloud is that one size fits all. Companies expecting to run all of their operations using one cloud solution or service must realize that doing so is akin to forcing the totality of their business functionality into a straightjacket. Unlocking the full potential of the cloud means embracing the multi-cloud future where businesses use their own cloud, and/or clouds from different vendors, to support separate functions or product groups. There is no single cloud so...
In 2014, Amazon announced a new form of compute called Lambda. We didn't know it at the time, but this represented a fundamental shift in what we expect from cloud computing. Now, all of the major cloud computing vendors want to take part in this disruptive technology. In his session at 20th Cloud Expo, Doug Vanderweide, an instructor at Linux Academy, discussed why major players like AWS, Microsoft Azure, IBM Bluemix, and Google Cloud Platform are all trying to sidestep VMs and containers wit...
Companies have always been concerned that traditional enterprise software is slow and complex to install, often disrupting critical and time-sensitive operations during roll-out. With the growing need to integrate new digital technologies into the enterprise to transform business processes, this concern has become even more pressing. A 2016 Panorama Consulting Solutions study revealed that enterprise resource planning (ERP) projects took an average of 21 months to install, with 57 percent of th...
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists examined how DevOps helps to meet the de...