XML Web Services Security
(Progress / Actional white paper)
Web Services Authentication

As in standard web traffic, service requestors need to be authenticated by the service provider before information is sent. Standard web technologies using passwords, certificates, Kerberos, LDAP and Active Directory can be used to authenticate service requestors. However, Web service consumers also need to authenticate the service provider. Valuable information can be sent not only in the reply but in the request, and it is paramount for the Web service consumer to ensure that the Web service provider is who they think it is. For example, an ecommerce site may wish to authorize a credit card purchase and send a credit card number to a third-party service for authorization. A WSDL file can be tampered with, causing a service requestor to communicate with a spoofed Web service. The WSDL file in this case should be signed to ensure its integrity, and the requestor should verify that signature against a key it already trusts before using any endpoint the WSDL describes.
Figure: Sensitive information can be in the request, and services can be more easily spoofed; hence the need for Web services authorization and authentication.

Web Services Access Control (Authorization)

Authorization is critically important because Web services can introduce complex levels of access. In addition to authorizing what information users and applications have access to, there also needs to be authorization of which operations an application or user has the right to perform. Web services are programmatic interfaces and thus can be harder to monitor for suspicious activity. For instance, many HR applications have Web service interfaces. Whereas a request for Bob's salary would raise immediate suspicion from an HR representative, accesses to an improperly protected SOAP interface can easily go undetected. Because employees will have access to more and more services (and therefore information) without human checkpoints, access rights should be actively managed using "least privilege" principles in order to improve control. In addition, multiple administrators with different access rights should be considered. Having a single administrator with all access rights is a single point of failure, and a compromise of that administrator will be very hard to detect. Having multiple administrators can help spread risk and provide further checks and balances. In addition, ensuring that administrators have view-only access to logging and audit data on their own activities provides accountability.

Single Sign On

Because Web services enable much easier integration with third parties, including suppliers, customers and partners (that may also be competitors), authentication and access rights must be tightly controlled and kept up to date. However, because multiple parties are involved, it is often difficult or impossible to standardize on one authentication and access control scheme. In particular, B2B exchanges have the extra challenge of managing multiple formats.
In the extreme case, every participant would need a separate credential for each service it accesses. Single sign-on and credential mapping solutions can help make these environments easier to administer and easier for participants to use.
Figure: Each service in a network may use different Web services authorization, authentication, encryption and signing schemes.

Single sign-on plays an important role in Web services environments. Diverse systems need to communicate with each other, and it is impractical for each system to maintain every other system's authentication rights and access control lists. One solution is to give everybody the same credential; however, that presents a serious problem when one member becomes untrusted, because new credentials must then be sent to all remaining valid members. Requiring a separate credential for each service is difficult to administer when a user needs to be revoked: each system the user must be revoked from can have a different authentication and authorization implementation, and it is difficult to fully ensure that the user no longer has access to all of the systems. Single sign-on solutions help solve this problem by allowing credential mapping among many diverse systems. Each Web service can then deal with the credential system it is accustomed to. This can lower administration cost and help ensure data protection.

SAML Standard: Power and Vendor Support

SAML (Security Assertion Markup Language) is a promising standard that encodes authentication and authorization information in XML format. A Web service interface can thus request and receive SAML assertions from a SAML-compliant authority to authenticate and authorize a service requestor. Many authentication and authorization vendors are planning SAML compatibility for their products.

Growth of Identity Management

The field of identity management has grown in recent years to encompass key elements of Web services security, including authentication, authorization and single sign-on. The SAML standard is a promising security enabler and seems to be enjoying substantial vendor support.
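The access-control and single sign-on sections above describe two controls that fit together: mapping each party's own credential to a local principal, then granting that principal only the SOAP operations its role needs, with every decision logged so that a programmatic lookup of Bob's salary is as visible as a human request would be. The following is an added illustration, not code from the white paper or from Actional; the namespaces, operation names, roles, identities and log format are all assumed.

```python
# Added example: credential mapping in front of operation-level SOAP
# authorization. Operation names, roles and identities are assumed.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Least privilege: a role is granted only the operations it needs.
ROLE_OPERATIONS = {
    "employee": {"GetOwnPayslip"},
    "hr_rep": {"GetOwnPayslip", "GetSalary"},
    "payroll_admin": {"GetOwnPayslip", "GetSalary", "SetSalary"},
}

# Credential mapping: (authenticating system, subject) -> (local principal, role).
# Removing one entry here revokes the user from every service that uses this map.
CREDENTIAL_MAP = {
    ("partner-ldap", "cn=alice,ou=hr,dc=partner"): ("alice", "hr_rep"),
    ("corp-kerberos", "bob@CORP.EXAMPLE"): ("bob", "employee"),
}

def soap_operation(envelope_xml: str) -> str:
    """Return the local name of the operation element inside the SOAP Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no operation in SOAP Body")
    return body[0].tag.split("}")[-1]  # strip the namespace part of the tag

def authorize(issuer, subject, envelope_xml, audit):
    """Map the credential, check the operation, and record every decision."""
    mapped = CREDENTIAL_MAP.get((issuer, subject))
    if mapped is None:
        audit.append(f"DENY issuer={issuer} subject={subject} reason=unmapped")
        return False
    principal, role = mapped
    try:
        op = soap_operation(envelope_xml)
    except (ET.ParseError, ValueError) as exc:
        audit.append(f"DENY principal={principal} reason=malformed:{exc}")
        return False
    allowed = op in ROLE_OPERATIONS.get(role, set())
    audit.append(f"{'ALLOW' if allowed else 'DENY'} principal={principal} role={role} op={op}")
    return allowed

def envelope(op: str) -> str:
    """Constructed sample request, e.g. a lookup of Bob's salary."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><hr:{op} xmlns:hr="urn:example:hr">'
            f'<hr:employee>Bob</hr:employee></hr:{op}></s:Body></s:Envelope>')
```

Denied requests and unmapped credentials are written to the same audit list as allowed ones, which is what makes an otherwise silent SOAP interface monitorable.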
For More Information

Find out more about Web services authorization and how to prevent tampering with your services: read the free white paper "Web Services Risks: Threats and Security".

Web Services Authentication is Key to Preventing Unauthorized Access: download the free white paper "XML Web Services Security — Going Production".