Web Service and wireless application security (SAML)

Source: Internet
Author: User
Web services and wireless application security
Web services will play an important role in the development of mobile commerce and wireless security. By standardizing and integrating key security mechanisms (such as Kerberos authentication and authorization, digital certificates, digital signatures, and public/private key encryption) through XML message exchange, web services can be used to deliver wireless security solutions. XML messaging is considered the first choice for wireless communication protocols, and several security protocols exist for XML-based wireless applications. They include the following:
1. Security Assertion Markup Language (SAML) is a protocol for transmitting authentication and authorization information in XML messages. It can be used to provide single sign-on for web services.
2. XML Digital Signature defines how to digitally sign part or all of an XML document to ensure data integrity. The XML Key Management Specification (XKMS) format can be used to encapsulate the public keys that XML Digital Signature distributes.
3. XML Encryption allows applications to reference pre-agreed symmetric keys to encrypt part or all of an XML document.
4. WS-Security is a complete solution proposed by IBM and Microsoft for securing web services. It builds on XML Digital Signature, XML Encryption, and SAML-like authentication and authorization mechanisms.
All of the preceding security protocols can be bound to the web service messaging protocol. For example, we can embed a SAML fragment in the SOAP message header to authenticate and authorize access to the requested service, and we can embed an XML Digital Signature fragment in the SOAP header to authenticate the credit card number carried in the message.
  
We now discuss the benefits of combining location information with the SAML security specification and how it enhances the security of wireless applications. In particular, we discuss how location-based authentication is incorporated into the single sign-on architecture.
  
Combining Location Information with SAML
SAML is a vendor-neutral XML framework for exchanging security information over the Internet. SAML enables otherwise unrelated security service systems to communicate with each other by exchanging security-related information (called "assertions"). User authentication, authorization, profile and preference information is carried from the original source service provider that the user selected during the session to each subsequent destination service provider. SAML is designed to work with HTTP, the Simple Mail Transfer Protocol, the File Transfer Protocol, and several XML frameworks, including the Simple Object Access Protocol (SOAP) and electronic business XML (ebXML). It provides a standard way to express user authentication, authorization and attribute information in XML documents. The main components of SAML are:
1. Assertions. SAML defines three types of assertions, which are statements about one or more facts concerning a subject (a person or a computer). Authentication assertions state that the subject has confirmed his or her identity. Attribute assertions contain specific details about the subject, such as a credit limit. Authorization decision assertions state what the subject is allowed to do (for example, whether the subject is authorized to buy a product).
2. Request/response protocol. This protocol defines how SAML requests and receives assertions. SAML currently supports SOAP over HTTP; in the future, the SAML request and response formats will be bound to other communication and transport protocols.
3. Bindings. This component describes exactly how SAML requests are mapped onto transport protocols such as SOAP message exchange over HTTP.
4. Profiles. These components dictate how SAML assertions are embedded in, or transported between, communication systems. Although SAML asserts credentials, it does not itself authenticate or authorize users; that is done by an authentication server and a Lightweight Directory Access Protocol (LDAP) directory. SAML links to the actual authentication event and issues assertions based on its result. Put simply, SAML supports an open, interoperable, web-based design and single sign-on. The architecture of a SAML-based application is shown below.
  

  
Figure 2. SAML Architecture
  
In a typical SAML architecture, a SAML-compliant service called the relying (trusting) party sends a SAML request to the issuing authority, which returns a SAML response containing assertions. All requests and responses are transmitted over HTTP with SOAP encapsulation, although applications can use other request/response protocols to define and exchange assertions; such extensions, however, limit interoperability. For example, when a mobile device client requests access to a back-end application, it sends its authentication information to the issuing authority. The issuing authority can then return a positive or negative authentication assertion based on the credentials provided by the mobile client. While the user still has a session with the wireless application, the issuer can use an earlier reference to send authentication assertions declaring that the user actually authenticated using a particular method within a particular period of time. As mentioned previously, location-based authentication can be performed on a regular basis, which means that as long as the authentication of the user's credentials is positive, the issuer will periodically publish location-based assertions. Consider the following SAML authentication request. It contains the user's credentials (such as the user name and encrypted password), the authentication method, the requested response type, the credential type and the location information.
  
<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
               xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
               MajorVersion="1" MinorVersion="0"
               RequestID="<Request ID>">
  <samlp:RespondWith>saml:AuthenticationStatement</samlp:RespondWith>
  <samlp:AuthenticationQuery>
    <saml:Subject>
      <saml:NameIdentifier Name="<User Name>"/>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/password
        </saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>
          <Password>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
      <saml:NameIdentifier Name="<Location>"/>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          <LocationURI>  <!-- URI of the SAML binding profile used to authenticate location information -->
        </saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>
          <Latitude>, <Longitude>, <Timestamp>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </samlp:AuthenticationQuery>
</samlp:Request>
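As an added example (not code from the page or from any SAML product), the following Python builds a request like the one above with the standard library's ElementTree and places it in a SOAP envelope the way the SAML SOAP binding does, which also illustrates the SOAP embedding mentioned earlier. It assumes the SAML 1.0 namespace URIs and the SAML 1.0 password authentication-method URN, uses a placeholder URI (urn:example:wireless:location) for the deployment-defined location method the page writes as <LocationURI>, and follows the page's sample in putting the location fix (latitude, longitude, timestamp) in SubjectConfirmationData.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.0 namespaces and the SAML 1.0 password authentication-method URN.
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
PASSWORD_METHOD = "urn:oasis:names:tc:SAML:1.0:am:password"
# Assumption: the deployment defines its own URI for the location
# confirmation method (the page writes it as <LocationURI>).
LOCATION_METHOD = "urn:example:wireless:location"

for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("soap", SOAP_ENV)):
    ET.register_namespace(prefix, uri)


def _q(ns, tag):
    """Clark-notation qualified name as ElementTree expects it."""
    return "{%s}%s" % (ns, tag)


def _add_confirmation(subject, method, data):
    """Append one SubjectConfirmation (method URI plus confirmation data)."""
    conf = ET.SubElement(subject, _q(SAML, "SubjectConfirmation"))
    ET.SubElement(conf, _q(SAML, "ConfirmationMethod")).text = method
    ET.SubElement(conf, _q(SAML, "SubjectConfirmationData")).text = data
    return conf


def build_location_auth_request(request_id, user, password, latitude, longitude, fix_time):
    """Build a samlp:Request carrying an AuthenticationQuery whose subject is
    confirmed both by a password and by a location fix (lat, lon, timestamp)."""
    req = ET.Element(_q(SAMLP, "Request"),
                     {"MajorVersion": "1", "MinorVersion": "0", "RequestID": request_id})
    ET.SubElement(req, _q(SAMLP, "RespondWith")).text = "saml:AuthenticationStatement"
    query = ET.SubElement(req, _q(SAMLP, "AuthenticationQuery"))
    subject = ET.SubElement(query, _q(SAML, "Subject"))
    ET.SubElement(subject, _q(SAML, "NameIdentifier"), {"Name": user})
    # The password travels in the confirmation data, so the message must only
    # ever be sent over a protected transport (e.g. TLS).
    _add_confirmation(subject, PASSWORD_METHOD, password)
    # Location fix in the page's layout: latitude, longitude, timestamp. The
    # timestamp is normalised to UTC so the issuer can judge its freshness.
    fix = "%.6f,%.6f,%s" % (latitude, longitude,
                            fix_time.astimezone(timezone.utc).isoformat())
    _add_confirmation(subject, LOCATION_METHOD, fix)
    return req


def wrap_in_soap(saml_message):
    """Place the SAML message in the SOAP Body, as the SAML SOAP binding does
    (WS-Security, by contrast, carries issued assertions in the SOAP Header)."""
    envelope = ET.Element(_q(SOAP_ENV, "Envelope"))
    ET.SubElement(envelope, _q(SOAP_ENV, "Header"))
    body = ET.SubElement(envelope, _q(SOAP_ENV, "Body"))
    body.append(saml_message)
    return envelope


def confirmation_methods(request):
    """Confirmation-method URIs in document order."""
    return [m.text for m in request.iter(_q(SAML, "ConfirmationMethod"))]


def confirmation_data(request, method):
    """Confirmation data belonging to the given method URI, or None."""
    for conf in request.iter(_q(SAML, "SubjectConfirmation")):
        if conf.find(_q(SAML, "ConfirmationMethod")).text == method:
            return conf.find(_q(SAML, "SubjectConfirmationData")).text
    return None


def to_xml(element):
    return ET.tostring(element, encoding="unicode")


def sample_request():
    """Constructed sample input: user 'alice', a fix in San Francisco, and
    the timestamp the page's response uses for the authentication instant."""
    return build_location_auth_request(
        "req-42", "alice", "correct horse battery staple",
        37.774900, -122.419400,
        datetime(2002, 10, 3, 14, 33, 55, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(to_xml(wrap_in_soap(sample_request())))
```

Running the block prints the SOAP envelope with the samlp:Request in its Body; the RequestID should be remembered by the client so that the response's InResponseTo can be checked against it.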
  
The response to the above request (shown below) contains the authentication assertions, with conditions that specify the validity period of the authentication. If the authentication information provided in the request leads to successful authentication, a status code indicating success is returned to the requester.
  
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                InResponseTo="<Request ID>"
                MajorVersion="1" MinorVersion="0"
                ResponseID="upusgdmqx7ov01mexylt+6bdcwe=">
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion AssertionID="+1uyxjdbuza+AO+lqmre98wmhai="
                  IssueInstant="2002-10-03T14:33:58.456" Issuer="SunONE"
                  MajorVersion="1" MinorVersion="0">
    <saml:Conditions NotBefore="2002-10-03T14:33:58.466"
                     NotOnOrAfter="2002-10-03T15:03:58.466"/>
    <saml:AuthenticationStatement
        AuthenticationInstant="2002-10-03T14:33:55.201"
        AuthenticationMethod="http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/password">
      <saml:Subject>
        <saml:NameIdentifier Name="<User>"/>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>
            http://www.oasis-open.org/committees/security/docs/draft-sstc-core-25/password
          </saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
    <saml:AuthenticationStatement
        AuthenticationInstant="2002-10-03T14:33:55.205"
        AuthenticationMethod="<LocationURI>">
      <saml:Subject>
        <saml:NameIdentifier Name="<Location>"/>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>
            <LocationURI>
          </saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
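Added example of the consumer-side checks a relying party should run on a response like the one above before granting access (not code from the page): it binds the response to the outstanding RequestID through InResponseTo, requires samlp:Success, enforces the NotBefore/NotOnOrAfter window with a small clock-skew allowance, and refuses assertions that do not carry both a password and a location authentication statement for the same subject. The sample response is constructed from the page's one, with the SAML 1.0 password-method URN and a placeholder location URI (urn:example:wireless:location) in place of the draft URLs, and with an explicit UTC marker on the timestamps. The page's samples carry no XML Digital Signature; in a real deployment the issuer's signature over the assertion is verified before any of these checks are relied on.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
PASSWORD_METHOD = "urn:oasis:names:tc:SAML:1.0:am:password"
LOCATION_METHOD = "urn:example:wireless:location"   # assumed placeholder URI

# Constructed sample modelled on the page's response; the draft-URL methods
# are replaced by the SAML 1.0 password URN and the assumed location URI.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"
    InResponseTo="req-42" MajorVersion="1" MinorVersion="0" ResponseID="resp-1">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="a-1" IssueInstant="2002-10-03T14:33:58.456Z"
      Issuer="SunONE" MajorVersion="1" MinorVersion="0">
    <saml:Conditions NotBefore="2002-10-03T14:33:58.466Z"
        NotOnOrAfter="2002-10-03T15:03:58.466Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2002-10-03T14:33:55.201Z"
        AuthenticationMethod="%s">
      <saml:Subject><saml:NameIdentifier Name="alice"/></saml:Subject>
    </saml:AuthenticationStatement>
    <saml:AuthenticationStatement AuthenticationInstant="2002-10-03T14:33:55.205Z"
        AuthenticationMethod="%s">
      <saml:Subject><saml:NameIdentifier Name="alice"/></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>""" % (SAMLP, SAML, PASSWORD_METHOD, LOCATION_METHOD)


class SamlResponseError(Exception):
    """Raised when the response must not be trusted."""


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def _instant(value):
    """Parse a SAML timestamp; a value without a zone is taken as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, now,
                      required_methods=(PASSWORD_METHOD, LOCATION_METHOD),
                      skew=timedelta(seconds=30)):
    """Return {subject, methods, valid_until} or raise SamlResponseError.
    `now` may be an aware datetime or an ISO 8601 string."""
    if isinstance(now, str):
        now = _instant(now)
    root = ET.fromstring(xml_text)
    if root.tag != _q(SAMLP, "Response"):
        raise SamlResponseError("not a samlp:Response")
    # Bind the response to the request we actually sent (anti-replay).
    if root.get("InResponseTo") != expected_request_id:
        raise SamlResponseError("InResponseTo does not match our RequestID")
    code = root.find("%s/%s" % (_q(SAMLP, "Status"), _q(SAMLP, "StatusCode")))
    if code is None or code.get("Value") != "samlp:Success":
        raise SamlResponseError("status is not samlp:Success")
    assertion = root.find(_q(SAML, "Assertion"))
    if assertion is None:
        raise SamlResponseError("success status but no assertion")
    # Enforce the validity window the issuer put on the assertion.
    cond = assertion.find(_q(SAML, "Conditions"))
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise SamlResponseError("assertion carries no validity window")
    not_before = _instant(cond.get("NotBefore"))
    not_on_or_after = _instant(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        raise SamlResponseError("assertion not yet valid")
    if now - skew >= not_on_or_after:
        raise SamlResponseError("assertion expired")
    # Require every expected authentication method (password AND location).
    statements = assertion.findall(_q(SAML, "AuthenticationStatement"))
    methods = {s.get("AuthenticationMethod") for s in statements}
    missing = set(required_methods) - methods
    if missing:
        raise SamlResponseError("missing authentication methods: %s" % sorted(missing))
    # Every statement must speak about the same subject.
    names = set()
    for s in statements:
        node = s.find("%s/%s" % (_q(SAML, "Subject"), _q(SAML, "NameIdentifier")))
        names.add(node.get("Name") if node is not None else None)
    if len(names) != 1 or None in names:
        raise SamlResponseError("statements disagree about the subject")
    return {"subject": names.pop(), "methods": sorted(methods),
            "valid_until": not_on_or_after}


def accepts(xml_text, expected_request_id, now_iso):
    """Boolean convenience wrapper around validate_response."""
    try:
        validate_response(xml_text, expected_request_id, now_iso)
        return True
    except SamlResponseError:
        return False


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "req-42", "2002-10-03T14:40:00Z"))
```

The skew allowance is deliberately small: the assertion above is only valid for thirty minutes, and the point of periodic location assertions is that a stale one should stop granting access once its window closes.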
