WUSTL CSE 571S - Access Control Service Oriented Architecture Security
Access Control Service Oriented Architecture Security

Yoon Jae Kim, yj1dreamer AT gmail.com (A project report written under the guidance of Prof. Raj Jain)

Access Control Service Oriented Architecture Security http://www.cse.wustl.edu/~jain/cse571-09/ftp/soa/index.html 1 of 13

Abstract

Service Oriented Architecture (SOA) is one of the most popular approaches to building computing systems. However, it faces many security challenges, and many standards and frameworks have emerged to address them. We focus on access control in SOA, describe what SAML and XACML are, and show how they are applied to portals and Web services.

Keywords

Service Oriented Architecture, SOA, SOA Security, Web Service, Web Service Security, SAML, Security Assertion Markup Language, XACML, eXtensible Access Control Markup Language, access control

Table of Contents

1. Introduction to Service Oriented Architecture Security
2. SAML (Security Assertion Markup Language)
2.1 What Is SAML?
2.2 SAML Architecture
2.3 The Advantages of SAML
2.4 The Usage of SAML
3. XACML (eXtensible Access Control Markup Language)
3.1 What Is XACML?
3.2 How Does XACML Work?
3.3 XACML Context
3.4 The Advantages of XACML
4. Access Control Using SAML and XACML
4.1 SAML 2.0 Profile of XACML 2.0
4.2 SAML/XACML Based Access Control between Portal and Web Service
5. Summary
References
List of Acronyms

1. Introduction to Service Oriented Architecture Security

One of the most popular IT trends is Service Oriented Architecture (SOA), which is defined as follows:

    Service Oriented Architecture (SOA) is a design pattern which is composed of loosely coupled, discoverable, reusable, inter-operable platform agnostic services in which each of these services follows a well defined standard. Each of these services can be bound or unbound at any time and as needed. [Jamil08]

However, the loose coupling in this definition is exactly what exposes SOA to security challenges: services that can be discovered and bound at any time cannot rely on a closed, pre-configured trust relationship. SOA must therefore meet several security requirements.
The main requirements are as follows [Candolin07]: service discovery, service authentication, user authentication, access control, confidentiality, integrity, availability, and privacy. To ensure security in a loosely coupled SOA environment, the open standards communities that created Web services developed a number of security standards for Web services, which is one of the most active and widely adopted implementations of SOA. Figure 1 depicts a notional reference model for Web services security standards. This reference model maps the different standards to the functional layers of a typical Web service implementation.

Figure 1. The Web Services Security Stack [Singhal07]

In the Web Services Security Stack, the Security Assertion Markup Language (SAML) and the eXtensible Access Control Markup Language (XACML) are the standards for access control: SAML carries the authentication and authorization information about a user, and XACML expresses the policy that a service must enforce when that user requests it. We focus on access control in Web services security and describe what SAML and XACML are, how they work, and where they can be applied together.

2. SAML (Security Assertion Markup Language)

SAML is an XML standard for exchanging authentication and authorization data between security domains. SAML is platform independent and is mainly applied to Single Sign-On (SSO).

2.1 What Is SAML? [Madsen05]

As more web sites and application systems are built, federation has become the prominent movement in identity management. Federation is defined as the establishment of business agreements, cryptographic trust, and user identifiers across security and policy domains to provide seamless cross-domain business interactions.
Because XML-based Web services integrate business entities through loose coupling at the application and messaging layers, federation can do the same without tying one party to the other's authentication and authorization infrastructure. Loose coupling at the identity management layer requires standardized mechanisms and formats for exchanging security information, and that is what SAML provides.

SAML, created by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS), is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application. [Madsen05] SAML is a flexible and extensible protocol designed to be used, and customized if necessary, by other standards.

2.2 SAML Architecture [Ragouzis08]

SAML consists of six components: assertions, protocols, bindings, profiles, metadata, and authentication context. The components relate to one another like building blocks; put together, they support a number of use cases such as web single sign-on and identity federation. Their main purpose is to transfer security information (identity, authentication, and authorization information) between trusted entities.

Figure 2. The relationship between basic SAML concepts

SAML assertions contain statements made by a SAML authority about a subject. SAML defines three kinds of statements: authentication, attribute, and authorization decision.
An authentication statement asserts that the specified subject was authenticated by a particular means at a particular time; it is issued by a SAML authority called an identity provider. An attribute statement carries specific attributes of the specified subject. An authorization decision statement states what the specified subject is authorized to do. A relying party that consumes an assertion must still check that the assertion is meant for it (its audience) and is within its validity window; a well-formed assertion for another service or an expired one grants nothing.

SAML protocols define how SAML requests and receives assertions; the structure and contents of SAML protocol messages are defined by the SAML protocol XML schema.

SAML bindings define how SAML request-response message exchanges are mapped onto communication protocols such as the Simple Object Access Protocol (SOAP). SAML works with multiple protocols including Hypertext Transfer Protocol