Last Updated: Mar 18, 2007
Federated Identity for Services-Oriented Architecture

 

Federated identity is an important requirement for services-oriented architecture (SOA) environments. The ability to enforce, leverage, manage, and control identities across different organizations, while also performing functions such as Single Sign-On with Web services, is driving standards and supporting tools such as Security Assertion Markup Language (SAML), Liberty Alliance, WS-Security, and WS-Federation.

However, as SOA environments are typically highly decentralized in nature, federated identity becomes a significant challenge for Web services. Identities can be stored in many directories as well as many different types of directories, including proprietary username/password repositories, LDAP, Active Directory, and X.509 certificate stores.

In addition, services may require authenticating and authorizing different "types" of users. Unlike the Web portal world, where identities are almost always user-based, Web services messages may carry credentials for both users and application programs. A common use case is a user initiating a transaction through a Web portal, which in turn initiates one or many Web services transactions against one or many back-end services. Often the user credentials travel with the message alongside the machine credential. In this case, the application initiating the transaction may also need to be authenticated and authorized by the service.

An additional challenge is that a single SOA request may fan out into further requests to many different applications at once. An SOA-ready service may be composed of many service operations from many different services, each with its own identity. As part of a single transaction, many different services may be touched, in parallel or in series. Being able to authenticate and be authorized across all of these systems seamlessly improves the user and developer experience as well as performance, which drives the need for a federated identity solution for SOA environments.

While the challenge is significant, this is precisely the problem federated identity is designed to address. Whether the need is connecting partners, customers, and suppliers or communicating with a newly acquired company, leveraging identities located throughout different organizations is critically important for improving security, reducing redundancy, and increasing interoperability. Messages can travel across physical, organizational, legal, and security domains.

Promising Standard
SAML has been a promising standard that supports federated identity. SAML is an XML-based specification driven by OASIS and provides standards related to authentication and authorization across many different systems. Standards-based assertions can be issued by a SAML authority, a capability that many identity management vendors are integrating. This token, which is digitally signed, can then travel with the message. Reauthentication for any domain that trusts the issuer of the token is not required. This feature is particularly useful as this message gets transmitted from application to application and through various proxies such as XML firewalls for security enforcement.
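The checks a relying service performs before accepting a signed assertion in place of re-authentication (trusted issuer, intact signature, validity window, intended audience), as an added example that is not part of the original article. It parses a constructed SAML 2.0 assertion with the Python standard library; the issuer and service URLs are assumed placeholders, and an HMAC over the assertion bytes stands in for the XML-DSig signature a real SAML authority would produce, since verifying XML Signature needs an external library.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed trust list: issuer -> key material the relying party trusts.
# A real deployment holds the SAML authority's signing certificate here.
TRUSTED_ISSUERS = {"https://idp.example.org": b"constructed-issuer-key"}
OUR_AUDIENCE = "https://service.example.com/orders"  # this service's own identifier

def sign(assertion_xml: bytes, key: bytes) -> str:
    """HMAC-SHA256 stand-in for the XML-DSig signature a SAML authority produces."""
    return base64.b64encode(hmac.new(key, assertion_xml, hashlib.sha256).digest()).decode()

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def verify_assertion(assertion_xml: bytes, signature_b64: str, now_iso: str):
    """Relying-party checks before honouring an assertion instead of re-authenticating."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:                       # only issuers we have a trust relationship with
        return ("rejected", f"untrusted issuer {issuer}")
    if not hmac.compare_digest(sign(assertion_xml, key), signature_b64):
        return ("rejected", "bad signature")   # tampered or forged token
    cond = root.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return ("rejected", "outside validity window")  # expired or replayed token
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_AUDIENCE not in audiences:
        return ("rejected", "not addressed to this service")
    return ("accepted", root.findtext("saml:Subject/saml:NameID", namespaces=NS))

# Constructed sample assertion, as a SAML authority might issue for user alice.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2007-03-18T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-03-18T12:00:00Z" NotOnOrAfter="2007-03-18T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://service.example.com/orders</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
SAMPLE_SIGNATURE = sign(SAMPLE_ASSERTION, TRUSTED_ISSUERS["https://idp.example.org"])
```

Every intermediary that trusts the issuer (an XML firewall, a downstream service) can run the same checks on the token without contacting the user's home directory.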

Security is one of the cornerstone requirements for SOA enablement. Because applications are being "opened up" as services across many different organizations, having a shared security infrastructure is critically important to keep SOA environments loosely coupled.

This article was authored by Andrew Yang, Senior Director of Marketing of Westbridge Technology. If you would like a PDF version of this document, please contact info@westbridgetech.com.
