SecureSpan for Federated Web Services
Federate identity and establish trust between machines in disparate identity domains
Solution Brief: Federated Web Services with SecureSpan XML Firewall and VPN

[Figure: SecureSpan XML Firewall deployed alongside the SecureSpan XML VPN Client and an Identity Federation Server to securely [word missing in extraction] Web services in different identity domains. Components shown: Service Consumer, SecureSpan XML VPN Client, SecureSpan XML Firewall Cluster, Security Token Service, Web Service, with SAML tokens exchanged over the trust relationship.]

The Problem:
Sharing applications over the Internet with external divisions and partners is a key driver for the adoption of Web services. However, establishing trust between two applications in different identity domains is difficult in user-machine interactions and harder still in machine-machine SOA environments. For a client application in one domain to request information from a Web service residing in a different domain, the client needs to present proof of its identity using a credentialing authority that the Web service trusts. The receiving service, in turn, must be able to understand and evaluate the presented credentials to assess the identity's validity, and must have evidence that the credentials were not tampered with or spoofed in transit. The Web services federation problem therefore requires a way both to federate identity and to establish trust between machines in disparate identity domains. Layer 7 is the only XML security vendor to offer enterprises a code-free solution for Web services federation.

The Layer 7 Solution:
The SecureSpan XML Firewall, working together with the SecureSpan XML VPN Client, can manage the process of trust enablement and identity bridging between client applications and Web services without coding.
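The receiving-side evaluation of a presented credential that the problem statement calls for, as an added example that is not Layer 7's code: a Python function that locates the SAML 2.0 assertion in the WS-Security header of a SOAP 1.1 envelope and checks that its issuer is a trusted Security Token Service, that the current time falls inside its validity window, and that it was issued for this service. It assumes the W3C XML Signature over the envelope has already been verified; the STS and service URLs and the sample envelope are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Trust configuration the gateway holds for the partner domain (hypothetical values).
TRUSTED_ISSUERS = {"https://sts.partner.example/"}
SERVICE_AUDIENCE = "https://ws.provider.example/orders"

def saml_time(stamp):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

def evaluate_assertion(envelope_xml, now, trusted_issuers=TRUSTED_ISSUERS, audience=SERVICE_AUDIENCE):
    """Return (accepted, detail). Assumes the XML Signature over the envelope was already
    verified against the client's certificate; this step judges only the token's claims."""
    root = ET.fromstring(envelope_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return False, "no SAML assertion in the WS-Security header"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        return False, f"issuer {issuer!r} is not a trusted Security Token Service"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "assertion lacks a validity window"
    if not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        return False, "assertion is outside its validity window"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        return False, "assertion was not issued for this service"
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return (True, subject) if subject else (False, "assertion carries no subject")

# Constructed sample of what the XML VPN Client would send after obtaining a token from the STS.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.partner.example/</saml:Issuer>
    <saml:Subject><saml:NameID>orders-client@partner.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
     <saml:AudienceRestriction><saml:Audience>https://ws.provider.example/orders</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
   </saml:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""
```

Calling evaluate_assertion(SAMPLE_ENVELOPE, saml_time("2024-05-01T12:02:00Z")) accepts the token and returns its subject; the same token presented at 12:05, from an untrusted issuer, or to a different audience is rejected with the reason.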
The SecureSpan XML VPN Client is a WS-Trust-capable client proxy that can broker a Web service's credential requests to a Security Token Service and bind the resulting credential into a signed, WS-Security-compliant SOAP message, which the XML VPN Client transmits to the SecureSpan XML Firewall without programmer intervention. Since the XML VPN Client and the Gateway automatically establish a PKI-based trust relationship with one another, trust between machines in different domains is achieved as well. Integration with leading identity, access and federation products is provided by Layer 7 out of the box. To further enhance security, session-expiry or sign-out cookies issued by leading Single Sign-on products are automatically flowed through the Gateway to the XML VPN Client, where they can be seamlessly added to a client application's service request.

Innovations and Solution Features:
- Drop-in client proxy (SecureSpan XML VPN Client) for coordinating client-side federation and trust operations
- WS-Trust integration with leading identity federation products
- Integrated PKI signing of SOAP messages on the client by the SecureSpan XML VPN Client
- Web SSO extension to Web services client applications using the SecureSpan XML VPN Client
- SAML support in the SecureSpan XML VPN Client and Firewall
- Automated WS compliance for all communication between the SecureSpan XML VPN Client and XML Firewall
- Advanced SAML processing

Supported Standards and Specifications:
XML 1.0, SOAP 1.1, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema & DTD, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, W3C XML Signature 1.0, W3C XML Encryption 1.0, FIPS 140-2, SSL/TLS 2.0 / 3.0, SNMP, SMTP, FTP, HTTP/HTTPS, WS-Security 1.0, WS-Trust 1.0, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-SecureExchange, WSIL, WS-I, WS-I BSP, UDDI 3.0

Key Features

XML Threat Protection
- Infrastructural protections against XML parsing, XDoS and OS attacks
- Application protection against XML content tampering and viruses in SOAP attachments
- Protection against SQL and malicious script injection attacks
- Allow / reject messages based on time of day, day of week, IP address
- Configurable throughput restrictions based on requestor or destination prevent downstream XDoS

Advanced Identity, Credentialing and PKI Support
- Onboard identity store for administrative identities and fast staging of new services
- Integration with multiple external identity, access, single sign-on and federation systems, including LDAP, Microsoft (Active Directory and Active Directory Federated Services), Novell Access Manager, Oracle Access Manager, IBM Tivoli (Access Manager and Federated Identity Manager), CA SiteMinder and TransactionMinder, RSA ClearTrust, Sun Java Access Manager
- Credential chaining, credential remapping and support for federated identity
- Comprehensive support for SAML 1.1/2.0 authentication, authorization and attribute-based policies
- Integrated PKI CA for automated deployment and management of client-side certificates, and RA ability for external CAs including Verisign

Policy Flexibility
- Support for XML, SOAP, POX, AJAX, REST and other XML-based services
- Configuration wizards simplify policy creation and activation
- Support for policy branching based on identity or any message content or context
- Support for multiple routing destinations with configurable failover
- Policies can be applied to request-only, response-only or both request and response messages

Administration Options
- GUI-based SecureSpan Manager deployed as either a stand-alone application (Windows / Linux) or browser-based (Internet Explorer / Firefox)
- Centralized cluster management and configuration with delegated administration
- Drag-and-drop, policy-based configuration
- Intelligent, real-time validation and testing of policies
- Logging and audit trapping of violations and system/user-defined events via SNMP and SMTP
- Dashboard for graphical, real-time monitoring of traffic profiles and security violations
- Audit controls

Standards Group Memberships
WS-I, WS-I BSP, OASIS WS-Security, OASIS WS-RX, OASIS WS-SX, OASIS Security Services (SAML), OASIS-UDDI, OASIS SOA-RM, W3C WS-Policy WG

Web Site: www.layer7tech.com   Email: email@example.com   Phone: 800.681.9377