SecureSpan Gateway and SAML

Solution Brief: Federated Web Services with SecureSpan™ Gateway and Bridge

Figure: SecureSpan Gateway deployed alongside SecureSpan Bridge and Identity Federation Server to securely bridge Web services in different identity domains. (Diagram labels: Service Consumer, SecureSpan™ Bridge, Security Token Service, SecureSpan Gateway Cluster, Security Token Service, Web Service.)

The Problem:
Sharing applications over the Internet with external divisions and partners is a key driver for the adoption of Web services. However, establishing trust between two applications in different identity domains is difficult in user-machine interactions and harder still in machine-machine SOA environments. For a client application in one domain to request information from a Web service residing in a different domain, the client must present proof of its identity issued by a credentialing authority that the Web service trusts. Moreover, the receiving service must be able to understand and evaluate the presented credentials to assess the identity's validity, and it needs evidence that the credentials were not tampered with or spoofed in transit. This Web services federation problem therefore requires a way to both federate identity and establish trust between machines in disparate identity domains. Layer 7 is the only XML security vendor to offer enterprises a code-free way of implementing such a solution in Web services.

The Layer 7 Solution:
The SecureSpan XML Gateway working together with SecureSpan Bridge can manage the process of trust enablement and identity bridging between client applications and Web services without coding. The SecureSpan Bridge is a WS-Trust capable client proxy that can broker a Web service's credential requests to a Security Token Service. It binds the resulting credential in a signed, WS-Security compliant SOAP message, which the Bridge transmits to the SecureSpan Gateway without programmer intervention. Since the Bridge and Gateway automatically establish a PKI-based trust relationship with one another, trust between machines in different domains is also achieved. Integration with leading identity access and federation products is provided by Layer 7 out of the box. To further enhance security, session expiry or sign-out cookies provided by leading Single Sign-on products are automatically flowed through the Gateway to the Bridge, where they can be seamlessly added to a client application's service request.


Innovations and Solution Features:
- Drop-in client proxy (SecureSpan Bridge) for coordinating client-side federation and trust operations
- WS-Trust integration with leading identity federation products
- Integrated PKI signing of SOAP messages on client by SecureSpan Bridge
- Web SSO extension to Web services client applications using SecureSpan Bridge
- SAML support in SecureSpan Bridge and Gateway
- Automated WS compliance for all communication between SecureSpan Bridge and Gateway
- Advanced SAML processing

Supported Standards:
XML 1.0, SOAP 1.1, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema & DTD, LDAP 3.0, SAML 1.1/2.0, Liberty, PKCS #10, X.509 v3 Certificates, W3C XML Signature 1.0, W3C XML Encryption 1.0, SSL TLS 2.0 / 3.0, SNMP, SMTP, HTTP/HTTPS, JMS 1.0, EMS 4.x, MQ Series, WS-Security 1.0, WS-Trust 1.0, WS-Secure Conversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, UDDI, WSIL, WS-I, WS-I BSP

General SecureSpan Features

- FTP, HTTP/S, HTTP Digest, HTTP Client-Side Certificate, WS-Security, XML Signature, SAML UserName Token, BinarySecurity Token for X.509 certificates, Security Token Reference, Browser Profile, XPath Credential Source, WS-Trust, and Requestor IP

Threat Protection
- Accelerated Schema Validation (in ASIC), Requestor Metering, Service Throttling, Requestor IP Restriction, Time-of-Day Restriction, and Attachment Virus Scanning
- Protects against: XDoS, Message Replay, Man-in-the-Middle, WSDL Scanning, Routing Exploits, Payload Exploits, SQL Injection, XML Encapsulation, Buffer Overflow, Schema Poisoning, Recursive Payloads, and Reference Substitutions

- URI, URL, SOAP Action, SAML Authorization, SAML Attributes, WSDL Operation, Regex, and XPath

Audit and Logging
- Real-time SNMP and SMTP Alerts, SNMP Queries, Audit Signing, User-Specified Audit Trapping, CA WSDM, Message-Level Logging, and System-Level Logging

Identity Sources
- LDAP, IBM Tivoli Access Manager, IBM Tivoli Federated Identity Manager, Microsoft Kerberos, Microsoft Active Directory, Microsoft Active Directory Federation Services, CA SiteMinder, CA TransactionMinder and RSA ClearTrust

General Security
- Accelerated XPath (in ASIC), Regex Pattern Matching, Message Validation (Schema, Envelope, and Data Type), Content Inspection with Per-Element Filtering, XML Signature, XML Encryption, accelerated XSLT (in ASIC), SAML Attributes, WS-Security, SSL, PKI Lifecycle Control, Endpoint Address Translation, Session Management, Policy Publishing, Policy Branching, Bi-directional Security Enforcement and Application, Microsoft WSE Integration and Oracle OWSM

Standards Group Memberships

Service Discovery and Virtualization
- WSDL, WSIL, UDDI, WSDL Creation, WSDL Virtualization, Systinet Registry, and Operation-Level Masking

Web Site: Email: Phone: 604.681.9377 / 1.800.681.9377 Fax: 604.681.9387
