
SecureSpan for Federated Web Services


Federate identity and establish trust between machines in disparate identity domains

The ability to share applications with external divisions and partners, via the Internet, is a key driver for adoption of Web services. However, establishing trust between two applications in different identity domains is difficult in user-machine interactions and harder still in machine-machine SOA environments.

Solution Brief: Federated Web Services with SecureSpan™ XML Firewall and VPN

[Figure: Consumer -> SecureSpan XML VPN Client -> (SAML) -> SecureSpan XML Firewall Cluster -> Web Service, with a Token Service on each side of the domain boundary. Caption: SecureSpan XML Firewall deployed alongside SecureSpan XML VPN Client and Identity Federation Server to securely [...] XML VPN Client Web services in different identity domains.]

The Problem:
Sharing applications over the Internet with external divisions and partners is a key driver for the adoption of Web services. However, establishing trust between two applications in different identity domains is difficult in user-machine interactions and harder still in machine-machine SOA environments. For a client application in one domain to request information from a Web service residing in a different domain, the client needs to present proof of its identity using a credentialing authority trusted by the Web service. Moreover, the receiving service needs to be able to understand and evaluate the presented credentials to assess an identity's validity, while also having evidence that the credentials were not tampered with or spoofed in transit. This Web services federation problem therefore requires a way to both federate identity and establish trust between machines in disparate identity domains. Layer 7 is the only XML security vendor to offer enterprises a code-free solution to this problem for Web services.

The Layer 7 Solution:
The SecureSpan XML Firewall, working together with the SecureSpan XML VPN Client, can manage the process of trust enablement and identity bridging between client applications and Web services without coding. The SecureSpan XML VPN Client is a WS-Trust-capable client proxy that can broker a Web service's credential requests to a Security Token Service and bind the resulting credential into a signed, WS-Security-compliant SOAP message that the XML VPN Client transmits to the SecureSpan XML Firewall without programmer intervention. Since the XML VPN Client and Gateway automatically establish a PKI-based trust relationship with one another, trust between machines in different domains is also achieved. Integration with leading identity access and federation products is provided by Layer 7 out of the box, and to further enhance security, session expiry or sign-out cookies provided by leading Single Sign-On products are automatically flowed through the Gateway to the XML VPN Client, where they can be seamlessly added to a client application's service request.
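The brokered exchange described above, reduced to its four steps (client proxy issues a WS-Trust RequestSecurityToken, the Security Token Service returns a SAML-style assertion, the proxy binds that token into a WS-Security header and signs token and body together, and the receiving gateway checks issuer trust, token integrity, audience, validity period and message integrity before routing), as an added Python example. This is not Layer 7's code and is not the SecureSpan implementation. The namespace URIs are the real SOAP, WS-Security, WS-Trust and SAML 2.0 ones; everything else is an assumption for the demo: keys, hostnames and subject names are constructed, and the `saml:IssuerSignature` and `wsse:Signature` elements, which carry an HMAC-SHA256 over the C14N form of the signed elements, stand in for the X.509-keyed XML-DSig signatures a real deployment would use.

```python
import copy
import hashlib
import hmac
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Real namespace URIs; prefixes are registered so canonical output is identical on both sides.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def c14n(elem):
    # Canonical XML of one subtree: what an XML-DSig reference would be computed over.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"))

def mac(key, data):
    # Demo stand-in for an X.509 / XML-DSig signature (assumption, not WS-Security).
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

# Step 1: the client proxy builds a WS-Trust RequestSecurityToken for the target service.
def build_rst(applies_to):
    rst = ET.Element(tag("wst", "RequestSecurityToken"))
    ET.SubElement(rst, tag("wst", "TokenType")).text = NS["saml"]
    ET.SubElement(rst, tag("wst", "RequestType")).text = NS["wst"] + "/Issue"
    ET.SubElement(rst, tag("wst", "AppliesTo")).text = applies_to
    return rst

# Step 2: the Security Token Service answers with an RSTR carrying a SAML-style assertion.
def sts_issue(rst, subject, issuer, issuer_key, now, ttl=timedelta(minutes=5)):
    a = ET.Element(tag("saml", "Assertion"), ID="_" + uuid.uuid4().hex, IssueInstant=now.isoformat())
    ET.SubElement(a, tag("saml", "Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, tag("saml", "Subject")), tag("saml", "NameID")).text = subject
    ET.SubElement(a, tag("saml", "Conditions"), NotOnOrAfter=(now + ttl).isoformat(),
                  Audience=rst.findtext(tag("wst", "AppliesTo")))
    sig = mac(issuer_key, c14n(a))  # computed over the assertion before the signature element exists
    ET.SubElement(a, tag("saml", "IssuerSignature")).text = sig  # hypothetical element (see lead-in)
    rstr = ET.Element(tag("wst", "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, tag("wst", "RequestedSecurityToken")).append(a)
    return rstr

# Step 3: the client proxy binds the token into a WS-Security header and signs token + body.
def client_wrap(rstr, payload, client_key):
    env = ET.Element(tag("soap", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, tag("soap", "Header")), tag("wsse", "Security"))
    tok = copy.deepcopy(rstr.find(".//" + tag("saml", "Assertion")))
    sec.append(tok)
    body = ET.SubElement(env, tag("soap", "Body"))
    body.append(payload)
    # One signature covers both parts, so the token cannot be reused with a different body.
    sig = mac(client_key, c14n(tok) + c14n(body))
    ET.SubElement(sec, tag("wsse", "Signature")).text = sig  # hypothetical element (see lead-in)
    return ET.tostring(env, encoding="unicode")

# Step 4: the gateway evaluates the presented credential before routing to the service.
def gateway_verify(envelope_xml, trusted_issuers, client_key, my_audience, now):
    """Return (accepted, detail); trusted_issuers maps issuer name -> verification key."""
    env = ET.fromstring(envelope_xml)
    tok = env.find("%s/%s/%s" % (tag("soap", "Header"), tag("wsse", "Security"), tag("saml", "Assertion")))
    body = env.find(tag("soap", "Body"))
    sig = env.findtext(".//" + tag("wsse", "Signature"))
    if tok is None or body is None or sig is None:
        return False, "missing token, body or signature"
    issuer = tok.findtext(tag("saml", "Issuer"))
    if issuer not in trusted_issuers:  # is the credentialing authority one we trust?
        return False, "untrusted issuer: %s" % issuer
    unsigned = copy.deepcopy(tok)
    isig = unsigned.find(tag("saml", "IssuerSignature"))
    if isig is None:
        return False, "token not signed"
    unsigned.remove(isig)
    if not hmac.compare_digest(mac(trusted_issuers[issuer], c14n(unsigned)), isig.text or ""):
        return False, "token signature invalid"  # altered after issuance
    cond = tok.find(tag("saml", "Conditions"))
    if cond is None or cond.get("Audience") != my_audience:
        return False, "token issued for another service"
    if now >= datetime.fromisoformat(cond.get("NotOnOrAfter")):
        return False, "token expired"
    if not hmac.compare_digest(mac(client_key, c14n(tok) + c14n(body)), sig):
        return False, "message signature invalid"  # body or token swapped in transit
    return True, tok.findtext(".//" + tag("saml", "NameID"))

def run_scenarios():
    # Constructed sample data; the keys stand in for the PKI trust between STS, client and gateway.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sts_key, client_key = b"demo-sts-key", b"demo-client-key"
    trusted = {"sts.domain-a.example": sts_key}
    service = "https://ws.domain-b.example/orders"
    subject = "partner-app@domain-a.example"
    payload = ET.Element("GetOrder", id="42")
    rstr = sts_issue(build_rst(service), subject, "sts.domain-a.example", sts_key, now)
    msg = client_wrap(rstr, copy.deepcopy(payload), client_key)
    other = sts_issue(build_rst(service), subject, "sts.unknown.example", b"other-key", now)
    check = lambda m, t=now: gateway_verify(m, trusted, client_key, service, t)
    return {
        "valid": check(msg),
        "tampered_body": check(msg.replace('id="42"', 'id="99"')),
        "tampered_token": check(msg.replace(subject, "other-app@domain-a.example")),
        "expired": check(msg, now + timedelta(minutes=10)),
        "untrusted_issuer": check(client_wrap(other, copy.deepcopy(payload), client_key)),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-17s %s" % (name, result))
```

The order of checks in `gateway_verify` matters: issuer trust and token integrity are established before the token's claims (audience, expiry) are believed, and the message signature is checked last because it binds the already-validated token to this particular body. Each rejected scenario in `run_scenarios` fails at exactly one of those checks, which is the behaviour a gateway's audit log should make visible.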

Innovations and Solution Features:
- Drop-in client proxy (SecureSpan XML VPN Client) for coordinating client-side federation and trust operations
- WS-Trust integration with leading identity federation products
- Integrated PKI signing of SOAP messages on the client by SecureSpan XML VPN Client
- Web SSO extension to Web services client applications using SecureSpan XML VPN Client
- SAML support in SecureSpan XML VPN Client and Firewall
- Automated WS compliance for all communication between SecureSpan XML VPN Client and XML Firewall
- Advanced SAML processing

Supported Standards and Specifications:
XML 1.0, SOAP 1.1, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema & DTD, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, W3C XML Signature 1.0, W3C XML Encryption 1.0, FIPS 140-2, SSL/TLS 2.0 / 3.0, SNMP, SMTP, FTP, HTTP/HTTPS, WS-Security 1.0, WS-Trust 1.0, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-Secure Exchange, WSIL, WS-I, WS-I BSP, UDDI 3.0

Key Features

XML Threat Protection
- Infrastructural protections against XML parsing, XDoS and OS attacks
- Application protection against XML content tampering and viruses in SOAP attachments
- Protection against SQL and malicious script injection attacks
- Allow / reject messages based on time of day, day of week and IP address
- Configurable throughput restrictions based on requestor or destination prevent downstream XDoS

Advanced Identity, Credentialing and PKI Support
- Onboard identity store for administrative identities and fast staging of new services
- Integration with multiple external identity, access, single sign-on and federation systems including LDAP, Microsoft (Active Directory and Active Directory Federated Services), Novell Access Manager, Oracle Access Manager, IBM Tivoli (Access Manager and Federated Identity Manager), CA SiteMinder and TransactionMinder, RSA ClearTrust, Sun Java Access Manager
- Credential chaining, credential remapping and support for federated identity
- Comprehensive support for SAML 1.1/2.0 authentication, authorization and attribute-based policies
- Integrated PKI CA for automated deployment and management of client-side certificates, and RA ability for external CAs including Verisign

Policy Flexibility
- Support for XML, SOAP, POX, AJAX, REST and other XML-based services
- Configuration wizards simplify policy creation and activation
- Support for policy branching based on identity or any message content or context
- Support for multiple routing destinations with configurable failover
- Policies can be applied to request-only, response-only or both request and response messages

Administration Options
- GUI-based SecureSpan Manager deployed as either a stand-alone application (Windows / Linux) or browser-based (Internet Explorer / Firefox)
- Centralized cluster management and configuration with delegated administration
- Drag-and-drop policy configuration
- Intelligent, real-time validation and testing of policies
- Logging and audit trapping of violations and system/user-defined events via SNMP and SMTP
- Dashboard for graphical, real-time monitoring of traffic profiles and security violations
- Audit controls

Standards Group Memberships
- WS-I, WS-I BSP, OASIS WS-Security, OASIS WS-RX, OASIS WS-SX, OASIS Security Services (SAML), OASIS-UDDI, OASIS SOA-RM, W3C WS-Policy WG

                                                Phone: 800.681.9377
