Imagine a fresh business relationship between ACME Corporation and Partner.
As a result of this relationship, ACME wants to grant Partner limited access
to one of its core internal applications. They do this, naturally, by
exposing a Web service.
Why Identity Federation?
Boris (an employee at Partner) sends a SOAP request to the ACME Web service
along with some password or proof-of-possession type credentials. Because
Boris's identity is managed outside of ACME, those credentials cannot be
authenticated using ACME's authentication infrastructure.
To circumvent this issue, one could imagine a setup where the ACME Web
service authenticates Boris's credentials by connecting to Partner's
authentication services. Another alternative might involve some sort of
directory replication. These strategies were attempted in the '90s when
distributed LDAP references appeared in t... (more)
I often get asked about ‘REST to SOAP’ transformation use cases these
days. Using an SOA gateway like SecureSpan to perform this type of
transformation at runtime is trivial to setup. With SecureSpan in front of
any existing web service (in the DMZ for example), you can virtualize a REST
version of this same service. Using an example, here is a description of the
steps to perform this conversion.
Imagine the geoloc web service for recording geographical locations. It has
two methods, one for setting a location and one for getting a location. See
below what this would look like i... (more)
It has been fascinating to witness how the use for SOA gateways evolved over
time. In 2010, we saw an explosion of market demand for our gateway appliance
product. Here are my thoughts for what I expect to see this year and beyond.
Recent use cases for these types of devices largely focused on B2B
interactions and internal enterprise integration. Many enterprise architects
realized the benefits of using the lightweight ESB-in-a-box deployment model
and gateway-based integration. I don’t think we’ve hit the peak of this
type of use case. I expect the demand for quickly deployed int... (more)
Tokens are at the center of API access control in the Enterprise. Token
management, the process through which the lifecycle of these tokens is
governed emerges as an important aspect of Enterprise API Management.
OAuth access tokens, for example, can have a lot of session information
associated to them:
scope; client id; subscriber id; grant type; associated refresh token; an
SAML assertion or other token the oauth token was mapped from; how often
it’s been used, from where.
While some of this information is created during OAuth handshakes, some of it
continues to evolve througho... (more)
In the article "The importance of threat protection for restful web
services", I presented a number of content-based threats for XML. When
protecting an endpoint from XML based attacks, not only are payloads scanned
for code injections, malicious entity declarations and parser attacks, XML
documents are actually validated against strict schemas that clearly describe
expected document structures. Enforcing this type of compliance at the edge,
in a SOA gateway for example, minimizes the risk of attacks of the Web
service endpoint. Structure definition languages such as XML Schema ... (more)