The Department of Defense and others need a standardized means to authenticate users of RESTful Web services against SAML-compliant attribute stores and to authorize access based on those attributes. Previous attempts at bridging RESTful Web services to SAML have relied on cookies, binary encodings of assertions carried in HTTP headers, and proprietary options. Some of these approaches work but have limitations, such as the length limits on HTTP header values. In Phase I, we propose to prototype a SAML-RESTful bridge that incorporates Central Authentication Service (CAS), OpenID Authentication (OpenID), and OpenID Attribute Exchange (OpenID AX) with select Jericho Systems products, including EnterSpace® and SAML Attribute Responder (SAR).
Benefit: In our prototype, Central Authentication Service (CAS) serves both as OP (OpenID Provider)/IdP (Identity Provider) and as an RP (Relying Party). This makes it much simpler to modify CAS (as OP) to support OpenID AX by retrieving user attributes from the Jericho Systems SAML Attribute Responder (simulating JEDS). CAS provides an abstraction layer that isolates the protected services from authentication protocol changes that might occur in SAML, OpenID, or WS-Federation. In a system with 10 web servers, protocol or configuration changes can therefore be made in one place (CAS) instead of at all 10 web servers. The CAS-as-relying-party design also makes it easier to implement the stateful "smart" (association) mode of OpenID 2.0, and simplifies deployment across multiple web servers. We will use the CAS from Jericho's EnterSpace® Decisioning Service, because it is compliant and includes a FIPS 140-2 certified cryptographic module. Jericho's EnterSpace® Decisioning Service will also serve as the PDP (policy decision point) to achieve ABAC (attribute-based access control) for the prototype. CAS is open source and widely used, so incorporating it into the solution would enable multiple vendors to participate in future implementations. CAS is compatible with the Ozone Widget Framework (OWF), a cloud computing technology that has been increasingly adopted by the DoD. This approach gives DoD user attribute stores (e.g., LDAP directories) that presently provide SAML attribute assertions a way to release the same security information through OpenID Attribute Exchange. DoD could thus leverage new standards and specifications (e.g., OpenID) within the present operating environment to foster the use of lightweight transaction protocols. REST has become the preferred approach to developing Web 2.0 services and is widely adopted in social networking and other online domains.
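The core of the bridge described above is a translation step: attributes that arrive as a SAML 2.0 AttributeStatement must be re-expressed as OpenID AX fetch_response parameters so that a REST-oriented relying party can consume them, and a PDP then decides on access from those attributes. The following is an added illustration, not code from the proposal or from any Jericho Systems product. The sample assertion, the attribute names, the AX type URIs, and the policy rule are all constructed for the example; only the AX parameter layout (openid.ns.ax, openid.ax.mode, openid.ax.type.<alias>, openid.ax.value.<alias>, and openid.ax.count.<alias> with numbered values for multi-valued attributes) follows the OpenID Attribute Exchange 1.0 specification.

```python
"""Added example: SAML AttributeStatement -> OpenID AX fetch_response -> ABAC decision.

Not part of the proposal; all sample data, names and the policy rule are constructed.
"""
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed sample: roughly what a SAML attribute responder might return for one subject.
# Signature elements are omitted; a real bridge must verify the assertion signature first.
SAMPLE_SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2011-01-01T00:00:00Z">
  <saml:Issuer>https://sar.example.mil/</saml:Issuer>
  <saml:Subject><saml:NameID>1234567890@mil</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jane.doe@example.mil</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:clearance">
      <saml:AttributeValue>SECRET</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:groups">
      <saml:AttributeValue>analysts</saml:AttributeValue>
      <saml:AttributeValue>widget-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping from SAML attribute Name to (AX alias, AX type URI) the RP requested.
# Acting as a release policy too: attributes not listed here are never sent to the RP.
AX_TYPE_MAP = {
    "urn:oid:0.9.2342.19200300.100.1.3": ("email", "http://axschema.org/contact/email"),
    "urn:example:clearance": ("clearance", "urn:example:ax/clearance"),
    "urn:example:groups": ("groups", "urn:example:ax/groups"),
}


def parse_saml_attributes(assertion_xml):
    """Return {saml_attribute_name: [values...]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML2_ASSERTION_NS}
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", ns):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", ns)]
        attrs[attr.get("Name")] = values
    return attrs


def to_ax_fetch_response(saml_attrs, type_map=AX_TYPE_MAP):
    """Encode released attributes as OpenID AX 1.0 fetch_response key/value parameters."""
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response"}
    for saml_name, values in saml_attrs.items():
        if saml_name not in type_map:
            continue  # not requested / not releasable: drop silently
        alias, type_uri = type_map[saml_name]
        params["openid.ax.type." + alias] = type_uri
        if len(values) == 1:
            params["openid.ax.value." + alias] = values[0]
        else:
            # Multi-valued attributes use count.<alias> plus value.<alias>.<n>, n starting at 1.
            params["openid.ax.count." + alias] = str(len(values))
            for i, v in enumerate(values, start=1):
                params["openid.ax.value.%s.%d" % (alias, i)] = v
    return params


def ax_attribute(params, alias):
    """Decode one AX attribute on the RP side back into a list of values."""
    count_key = "openid.ax.count." + alias
    if count_key in params:
        n = int(params[count_key])
        return [params["openid.ax.value.%s.%d" % (alias, i)] for i in range(1, n + 1)]
    v = params.get("openid.ax.value." + alias)
    return [v] if v is not None else []


# Hypothetical PDP rule: a resource is permitted only if the subject holds an acceptable
# clearance AND is a member of the required group. Default decision is Deny.
POLICY = {"widget:targeting": {"clearance": {"SECRET", "TOP SECRET"}, "group": "analysts"}}


def pdp_decide(params, resource, policy=POLICY):
    """Attribute-based access decision over the AX parameters the RP received."""
    rule = policy.get(resource)
    if rule is None:
        return "Deny"
    clearances = set(ax_attribute(params, "clearance"))
    groups = set(ax_attribute(params, "groups"))
    if clearances & rule["clearance"] and rule["group"] in groups:
        return "Permit"
    return "Deny"


if __name__ == "__main__":
    ax = to_ax_fetch_response(parse_saml_attributes(SAMPLE_SAML_ASSERTION))
    for k in sorted(ax):
        print("%s=%s" % (k, ax[k]))
    print(pdp_decide(ax, "widget:targeting"))
```

Two caveats a deployer would add: the bridge must validate the SAML assertion (signature, issuer, audience, validity window) before any attribute is released over AX, since the RP has no way to check the original assertion once it has been flattened into AX parameters; and in production the XML should be parsed with a hardened parser (for example defusedxml) rather than trusting the default parser with input from a remote attribute responder.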
Successful development of a SAML-RESTful bridge built on open standards would facilitate commercial interoperability across a wide range of enterprises and services. The proposed Phase I prototype would reduce time to market and facilitate commercialization because it is built on a foundation of open standards and products that are already commercially available.
Keywords: OpenID, RESTful, Security, Web Service Security, SAML, Information Assurance, Authentication, Authorization