To map security service type and SSM configuration and SOAP endpoints, each Web Services SSM process has its own separate Registry Service. The address of the Registry Service should be known to the web services client from its configuration. This service maps the SSM Configuration ID and the service type to the Web Services SSM and SOAP endpoints for the security services. The Configuration ID is defined in the default.properties file for the SSM instance. The Registry Service makes it possible to distinguish between the supported service types (auditing, authentication, authorization, credential mapping, and role mapping). Registry Service operations on a particular machine are limited to the local machine (see Figure 5-1). The Web Services client learns about the Registry Service from its configuration file.
Figure 5-1 Registry Service Function
The following topics provide or more information on the Registry Service.
The Registry Service works as follows (Figure 5-2):
Figure 5-2 How the Registry Service Works
If a web services client asks the Registry Service about the existence of a particular security service type, the Registry Service responds with a true or false answer.
If a web services client asks for the URL of a valid security service type for the local host, the Registry Service returns the fully qualified URL of the endpoint for the requested service type that is provided by the SSM configuration. The Configuration ID is defined in the default.properties file.
If a web services client asks the registry for a URL for a security service type that has an invalid security service type for Web Services SSM identified by the Configuration ID, the Registry Service returns a RegistryFailure SOAP Fault.
Note:
The Registry Service does not provide lifecycle management functions for the Web Services.
Registry Service Methods
The Registry Service supports two methods: locateService() and doesServiceExist(). Both methods accept the requested service type of the Web Server SSM or Web Services SSM that provides the service. The supported service types are: ALES_AUDIT, ALES_AUTHENTICATION, ALES_AUTHORIZATION, ALES_CREDENTIAL, and ALES_ROLE. The type for all service types is string.
For the locateService() method, the Registry Service returns the fully qualified URL for the endpoint of the requested service. For the doesServiceExist() method, the service returns a Boolean value (true or false) that indicates whether the service exists and can be requested.
Methods Common to All Web Services Interfaces
The following methods are supported by all Web Services interfaces, except for the Registry Service interface.
getServiceType()—This method takes an empty request and returns a structure that contains the service. The Web Services SSM supports these security service types: ALES_AUDIT, ALES_AUTHENTICATION, ALES_AUTHORIZATION, ALES_CREDENTIAL, and ALES_ROLE. The type for all service types is string.
getServiceVersion()—This method takes an empty request and returns a structure that contains the version of the service. The Web Service SSM supports these version types: MajorVersion (type int), MinorVersion (type int), PatchLevel (type string), and Version (type long).
isCompatible()—This method accepts service version information and returns compatibility information. The method accept these values: MajorVersion (type int), MinorVersion (type int), PatchLevel (type string), and Version (type long). It returns these compatibility responses: ALES_NOT_COMPATIBLE, ALES_COMPATIBLE, ALES_COMPATIBLE_DEPRECATED, ALES_COMPATIBLE_UNKNOWN. All compatibility responses are returned as strings. You use this method to determine whether the version of the service interface specified in the web services client is compatible with the current version of the service interface in the instance of the Web Services SSM.
Authentication Service Interface
The Authentication Service provides security functions to an application so as to establish, verify, and transfer a person or process identity. Thus, the Authentication Service provides two main security functions: authentication and identity assertion.
The Authentication Service accepts user credentials and/or identity assertion tokens and verifies that they match the user identity stored in the existing user profile. The following types of identity assertion tokens are supported:
Username/password
Signed Security Assertion Markup Language (SAML) 1.1 assertions
OES cookie
The Extensible Markup Language (XML) structures used by the Authentication Service for transmitting identity assertion tokens and other credential types are defined the WSDL interface.
To ensure secure handling of credentials, all credentials presented to the Web Services SSM must satisfy the following requirements:
All SAML 1.1 identity assertions must be signed by a trusted entity, as determined by the SAML IdentityAsserter. The signature must be attached to the identity assertion and cover the entire assertion. An identity assertion that is not signed or signed by an unknown authority is rejected and the processing is stopped.
The caller should verify the validity of server credentials prior to invoking the Web Service. In particular, the caller should verify its validity by examining its expiration date, certification path, and revocation status.
The Web Services SSM only accepts clear-text passwords. However, the credentials presented are always be protected by SSL, either one-way or two-way. The Web Services SSM returns credentials to clients over SSL as well.
The SOAP authentication interface enables the Web Services SSM to return challenges to clients if they fail to provides the information necessary to complete the authentication process. In such cases, the client can respond with the requested information. In order to avoid expensive round trips, however, the web services client should pass in all available credentials information with the initial SOAP request.
The following topics provide more information on the Authentication Service interface:
The authentication process is as follows (see Figure 5-3):
Figure 5-3 Authentication Service Process
The web services client connects to the Web Services SSM over HTTP and the Web Services SSM responds by presenting a digital certificate to prove its identity to the client. The Web Services SSM authenticates itself to the web services client using its server X.509 certificate. If the Web Services SSM presents a certificate that is not valid (for instance, the certificate has expired or has a subject name mismatch), the client should break the connection.
The web services client verifies the SSMs digital certificate and submits a certificate signed by a recognized certificate authority (CA) to the Web Services SSM.
The Web Services SSM verifies the clients certificate and establishes an SSL connection.
The web services client submits credentials to Web Services SSM to login. Web services clients present user credentials with each login request. Use credential can be username/password, a SAML assertion, or an OES cookie.
The Authentication Service verifies the client credentials.
If the credentials authenticate, the Authentication Service returns an identity assertion token to the web services client.
If the credentials do not authenticate, the Authentication Service submits the credentials for checking. The Authentication Service does one of two things:
Validates the user credentials, grants the login, and returns a success message to the Web Services SSM.
Invalidates the user credentials, blocks the login, and returns a failure message to the Web Services SSM.
If an authentication decision cannot be made with the parameters included in the initial client request, the request fails.
If authentication is successful, the Web Services SSM returns the default identity assertion token representing the user. The type of the default identify assertion token is configurable. If the type is not specified, SAML assertions are used.
If authentication fails, the Web Services SSM returns an AuthenticationFailure SOAP Fault to the caller.
Authentication Service Methods
To support authentication functions the authentication provides the following methods:
This method accepts any credential type supported by the authentication provider or a response to an earlier authentication challenge, and, optionally, the type of requested identity assertion that represents the identity and application context of the authenticated user. In response, it returns either the requested identity assertion token and status information or an authentication challenge.
Note:
In addition to the identity assertion types, the Web Services SSM supports user credentials in form of usernames with passwords.
Table 5-1 describes the authenticate() method parameters.
Table 5-1 authenticate() Method Parameters
Parameter
Description
Supported Values/Types
Input Parameters
Identity Credential
Specifies the identity credential that is to be used to authenticate the caller.
ssm:IdentityCredential Type
RquestCredential Type
Specifies the identity credential type.
ssm:CredentialTypeType
AppContext
Specifies the application context in which authentication is being requested.
ssm:"ContextType"
Where ssm:ContextType can be one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
Return Parameters
IdentityAssertion
Returns the identity assertion token.
type="ssm:Identity AssertionType"
Challenge
Returns an authentication challenge to the caller.
type="ssm:ChallengeType"
StatusInfo
Returns status information.
type="xsd:string"
assertIdentity() Method
This method accepts any supported identity assertion type or a response to an earlier authentication challenge, and, optionally, the type of requested identity assertion that represents the identity and application context of the authenticated user. In response, it returns either the requested identity assertion token and status information or an authentication challenge.
Table 5-2 describes the assertIdentity() method parameters.
Table 5-2 assertIdentity() Method Parameters
Parameter
Description
Supported Values/Types
Input Parameters
IdentityAssertion
An identity assertion token that represents the authenticated identity of the user.
type="ssm:IdentityAssertion Type"
Requested CredentialType
Specifies the type of credential being submitted for authentication.
type="ssm:CredentialTypeType"
AppContext
Specifies the application context in which authentication is being requested.
ssm:ContextType
Where ssm:ContextType can be one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
Return Parameters
IdentityAssertion
Returns the identity assertion token.
An acceptable user's identity assertion token.
type="ssm:Identity AssertionType"
Challenge
Returns an authentication challenge to the caller.
type="ssm:ChallengeType"
StatusInfo
Returns status information.
type="xsd:string"
isAssertionTokenSupported() Method
This method accepts an identity assertion credential type that represents the authenticated user’s identity. It returns a Boolean value (true or false) to indicate whether this token type is supported by this instance of the Web Services SSM.
Table 5-3 describes the isAssertionTokenSupported() method parameters.
Specifies the identity assertion credential type. The type specified can be any type supported by the OES Credential Mapping provider. The Authentication Service may also return an authentication challenge to the caller requesting other assertion token types. If the caller fails to specify an assertion token type supported by the Authentication Service even after challenges, the Authentication Service returns CredentialMappingFailure to the caller.
AssertionCredentialType
type="ssm:CredentialTypeType"
Return Parameter
isAssertionToken SupportedResponse
Specifies whether the assertion token is supported.
true/false
type="xsd:boolean"
validateIdentity() Method
This method is DEPRECATED.
This method accepts any supported identity assertion type that represents the identity of the authenticated user. It returns a structure with a Boolean value (true or false) that indicates whether the token is valid.
Table 5-4 describes the validateIdentity() method parameter.
Table 5-4 validateIdentity() Method Parameters
Parameter
Description
Supported Values/Types
Input Parameter
IdentityAssertion
An identity assertion token that represents the authenticated identity of the user.
IdentityAssertion
type="ssm:Identity AssertionType"
Return Parameter
validateIdentity Response
Specifies whether the identity is valid.
true/false
type="xsd:boolean"
Authorization Service Interface
The Authorization Service is a service that allows an application to determine if a specific identity is permitted to access a specific resource. This decision may then be enforced in the application directly at the policy enforcement point.
The Authorization Service is primarily based on a single method: isAccessAllowed(). This method accepts a supported type of user credential or an identity token, a runtime resource, and a runtime action. Optionally, this method can accept the type of the requested identity assertion token that represents the identity of the authenticated user, the application context, and direction parameters. The isAccessAllowed() method requires that a valid, authenticated identity or a null identity token (representing an anonymous identity) be present when requesting an access decision. The following topics provide more information on the Authorization Service.
The authorization process is as follows (see Figure 5-4):
Figure 5-4 Authorization and Role Mapping Process
The authorization process begins when the web services client calls the Web Services SSM to answer the question "Is this user allowed to perform this particular action on the specified resource?" Identity assertion token types supported include OES cookies and signed SAML 1.1 assertions.
If the token matches a credential in the cache, the SSM sets the user identity to the internal identity representation, which includes the user identity and the list of roles the user has been granted.
If the token does not match any of the credentials in the cache, the SSM calls the Authorization Service and the Role Mapping Service to determine whether the user is authorized to access resources and to get the list of roles the user has been granted. If the user is authorized, the user identity is set to the internal identity representation, which includes the user identity and the list of roles the user has been granted.
The Authorization Service then compares the user identity to the resource security policy to determine whether the user is in a role that has been granted the access privilege that is necessary to perform the requested action on the particular resource.
If the authorization process fails due to parameter-related problems, an AuthorizationFailure SOAP Fault is returned to the caller.
In the absence of an error, the authorization decision that is returned to the web services client contains a clear and unambiguous true or false statement that allows or disallows access to the resource in question. A negative authorization decision is a valid result and does not result in a SOAP Fault.
Authorization Service Methods
The Authorization Service supports the following methods:
This method accepts a supported type of an identity assertion token and runtime resource and action structures. Optionally, it can accept the requested identity assertion credential type, application context, and authorization direction parameters. In response, this method returns the authorization decision and authorization data, or, if required by the authorization provider, additional context requests.
Table 5-5 describes the isAccessAllowed() method parameters.
Table 5-5 isAccessAllowed() Method Parameters
Parameter
Description
Supported Values/Types
Input Parameters
IdentityAssertion
An identity assertion token that represents the authenticated identity of the user. The token type must be supported by the OES Credential Mapping provider; otherwise, the service returns CredentialMappingFailure to the caller.
IdentityAssertion/ ssm:IdentityAssertionType
RuntimeResource
Specifies the runtime resource that the caller is requesting.
ResourceString, AuthorityName
type="ssm:Runtime ResourceType"
RuntimeAction
Specifies the runtime action that the caller is requesting.
ActionString, AuthorityName
type="ssm:Runtime ActionType"
Request CredentialType
Specifies the identity assertion credential type. The type specified can be any type supported by the OES Credential Mapping provider. The Authentication Service may also return an authentication challenge to the caller requesting other assertion token types. If the caller fails to specify an assertion token type supported by the Authentication Service even after challenges, the Authentication Service returns CredentialMappingFailure to the caller.
AssertionCredentialType/ ssm:CredentialTypeType
AppContext
Specifies the application context in which access to the resource is being requested.
ssm:"ContextRecordType"
Where ssm:ContextRecordType is one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
AtzDirection
Specifies authorization direction parameters.
ALES_ONCE, ALES_POST, ALES_PRIOR
type="ssm:AtzDirectionEnum"
Return Parameters
isAccessAllowed Response
Indicates whether access is allowed.
true/false
type="xsd:boolean"
AtzDecisionData
Information about the access decision.
type="ssm:AtzDecisionDataType"
"ContextRequests"
Requests additional context if required by the ASI Authorization provider.
type="ssm:ContextRequestsType"
isAuthenticationRequired() Method
The Authorization Service interface also supports the isAuthenticationRequired() method. This method accepts a runtime resource and a runtime action. It returns a Boolean value (true or false) that indicates whether authentication is require to access this resource. The web services client uses this method to test whether privileges are required to access a particular resource.
Table 5-6 describes the isAuthenticationRequired() method parameters.
Specifies the runtime resource that the caller is requesting.
ResourceString, AuthorityName
type="ssm:Runtime ResourceType"/
RuntimeAction
Specifies the runtime action that the caller is requesting.
ActionString, AuthorityName
type="ssm:Runtime ActionType"
Return Parameter
isAuthentication RequiredResponse
Indicates whether authentication is required.
true/false
type="xsd:boolean"
Auditing Service Interface
The Auditing Service logs events based on activity related to enterprise security. The Web Services SSM runtime uses the Auditing Service to log appropriate data when events occur. The Auditing Service is based on an event model. When something of note occurs, an auditing event is automatically logged. A user or a application that wants notification when a particular event occurs can derive a new class from the AuditRecord class.
The following topics provide more information on the Auditing Service.
During the auditing process, the Web Services SSM audit logging function supports automated, centralized logging of audit messages. To capture a particular event for notification purposes an auditing user can use the recordEvent() method to specify the name of the audit record to be captured, and, optionally, the identity assertion token of the auditing user, and the application context.
If the auditing provider requires application context that is not included in the recordEvent() method, the Auditing Service returns requests for additional application context.
If parameter-related audit logging failures occur, including passing in an invalid identity assertion token for the user, an AuditingFailure SOAP Fault is returned to the caller.
If no errors occur during the auditing process, an empty response is returned to the auditing user as an event notification and the audit event is logged by the auditing provider.
Auditing Service Method
The Auditing Service passes the audit event to the Web Services SSM runtime. Based on its configuration, the SSM runtime routes the event to the proper auditing providers so that it can be recorded.
The Auditing Service supports a single method, recordEvent(). This method accepts an audit record, and, optionally, an identity assertion token, representing the auditing user, and an application context.
Table 5-7 describes the recordEvent() method parameters.
Table 5-7 recordEvent() Method Parameters
Parameter
Description
Supported Values/Types
Input Parameters
AuditRecord
Specifies the type of the audit record that encapsulates the logging information.
type="ssm:AuditRecord Type"
IdentityAssertion
An identity assertion token that represents the authenticated identity of the auditing user.
type="ssm:Identity AssertionType"
AppContext
Specifies the application context in which request for an auditing record is being made.
ssm:ContextType
Where ssm:ContextType can be one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
Role Mapping Service Interface
The Role Mapping Service allows an application to extract role information about specific identities and resources within the context of the application. These roles can then be used for customizing an interface or for other purposes.
Note:
Do not use roles by themselves for authorization, because many policies, allowing or disallowing access to a resource, may be written against a role. Use the Authorization Service to determine actual access rights.
The Role Mapping Service evaluates an interaction of an identity with a resource within an application context and returns a list of role names associated with the configuration of that identity. These roles can change with every resource or be static for the identity across all resources. The roles assigned to an identity are determined by the security policy.
The Web Services SSM is capable of retrieving the roles that a user may have for the given resource and action combination. The user identity is passed as an identity assertion token, instead of a Java object. To obtain roles, authenticated users must be authorized to obtain their roles for the given resource/action combination.
The Role Mapping Service requires that the application pass in a valid identity, a valid resource, and a valid action. The application context is optional and may be set to null if no context is passed in.
The following topics provide more information on the Role Mapping Service.
The role mapping process is as follows (see Figure 5-4):
During the role mapping process, the Web Services SSM provides a mechanism for optionally specifying the application context to support role mapping.
If parameter-related role mapping failures occur, including passing in an invalid identity assertion token for the user, a RoleMappingFailure SOAP Fault is returned to the caller.
If no errors occur during the role mapping process, a list of zero or more roles, configured in the policy for the provided user/resource/action combination, is returned to the caller. An empty list is a valid response and does not result in a SOAP Fault.
Role Mapping Service Method
The Role Mapping Service interface supports one method, getRoles(). This method gets the roles for an authenticated user identity in reference to a RuntimeResource, RuntimeAction, and an optional Context.
The getRoles() method accepts a supported type of an identity token, and, optionally, runtime resource and action structures, and an application context. It returns either a list of user roles associated for the identity and a time-to-live parameter for user roles.
Table 5-8 describes the getRoles() method parameters.
Table 5-8 getRoles Method Parameters
Parameter
Description
Supported Values/Types
Input Parameters
IdentityAssertion
An identity assertion token that represents the authenticated identity of the user. The token type must be supported by the Role Mapping provider; otherwise, the service returns RoleMappingFailure to the caller.
IdentityAssertion
type="ssm:IdentityAssertion Type"
RuntimeResource resource
Specifies the runtime resource that the caller is requesting.
ResourceString, AuthorityName
type="ssm:RuntimeResource Type"
RuntimeAction action
Specifies the runtime action that the caller is requesting.
ActionString,
AuthorityName
type="ssm:Runtime ActionType"
AppContext
Specifies the application context in which access to the resource is being requested.
type="ssm:ContextType"
Where ssm:ContextType can be one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
Return Parameters
Roles
Specifies a list roles granted to the user.
type="ssm:IdentityRoleType"
RolesTtlAdvice
Specifies time to live for user roles.
type="xsd:positiveInteger
Credential Mapping Service Interface
The Credential Mapping Service allows an client application to fetch credentials of certain types that are associated with a specific identity for a specific resource. These credentials can then be used on behalf of that identity to execute some privileged function, such as logging into a database or sending e-mail.
The following topics provide more information on the Credential Mapping Service.
The credential mapping process is as follows (see Figure 5-6):
Figure 5-6 Credential Mapping Process
The client presents a get credentials request to the Web Services SSM. The request includes a supported type of an identity assertion token and a list of requested credential types. Optionally, the request can include a runtime resource, runtime action, and an application context.
In response, the Web Services SSM returns a list of requested user credentials and identity assertion tokens or, if required by the Credential Mapping provider, additional context requests.
The Web Services SSM returns the following types of credentials in response to the client’s request:
Username/password pairs
Signed SAML 1.1 assertions
OES cookies
If parameter-related credential mapping failures occur, the Web Service returns a CredentialMappingFailure SOAP Fault to the caller.
If no errors occur during the credential mapping process, the Web Services SSM returns a list of zero or more credentials that are configured in the security policy for the specified user/resource/action combination. An empty list is a valid response and does not result in a SOAP Fault. Also, if some of the requested credential types are not available for specified user/resource/action combination, a SOAP Fault does not result.
Credential Mapping Method
The Credential Mapping Service supports one method: getCredentials(). This method accepts a supported type of an identity assertion token and a list of requested credential types. Optionally, this method can accept an identity assertion token that represents the identity of a different user and a runtime resource structure, which includes the requested resource and action and the application context. In response, the getCredentials() method returns either a list of requested user credentials, identity assertion tokens, and a list of any missing credential types.
Note:
Since password credentials need to be returned in clear text to the caller in order to be usable for authentication in external systems, you should pay particular attention to providing channel and message security to protect messages in transit between clients and the Web Service. At a minimum, you must use a channel security protocol, such as SSL or TLS, for all communication.
Authenticated users are always authorized to obtain their own credentials for the given resource/action combination. However, authenticated user cannot requests credentials on behalf of another user.
Credential mapping process involves issuing new types of credentials to the specified combination of user, resource, and action. The user identity is passed as an identity assertion token, instead of a Java object.
Table 5-9 describes the getCredentials() method parameters.
Table 5-9 getCredentials Method Parameters
Parameter
Description
Supported Values/Types
Input Parameters
IdentityAssertion
An identity assertion token that represents the authenticated identity of the user. The type used must be supported by the OES Credential Mapping provider; otherwise, the service returns CredentialMappingFailure to the caller.
IdentityAssertion
ssm:"IdentityAssertion Type"
Requested CredentialTypes
Specifies a list of the types of credentials being requested. The Web Services SSM supports the following types of credentials:
Username/password pairs
Signed SAML 1.1 assertions
OES proprietary cookie
type="ssm:CredentialTypes Type"
Any non-empty string consisting of any number of alphanumeric characters and these separators: period (“.”), comma (“,”), and underscore (“_”).
RuntimeResource
Specifies the runtime resource that the caller is requesting.
ResourceString, AuthorityName
type="ssm:RuntimeResource Type"
RuntimeAction
Specifies the runtime action that the caller is requesting.
ActionString, AuthorityName
type="ssm:Runtime ActionType"
AppContext
Specifies the application context in which access to the resource is being requested. Specified as a name/value pair.
ssm:"ContextType"
Where ssm:ContextType can be one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
Return Parameters
MissingTypes
List of missing credential types.
type="xsd:string"
Identity Credential
List of user credentials.
type="ssm:IdentityCredentialType"
IdentityAssertion
Identity assertion tokens that represent the authenticated identity of the user.
