Summary

Identity management is certainly becoming critical to preventing identity theft and addressing new security risks related to Java-based applications and Web services. Given the nature of distributed systems and Web-based applications, architects and developers need to secure the network identity in multiple tiers and across different security domains, not just in the Web tier. OASIS has published a set of identity management security standards, including SAML and XACML. The purpose of these security specifications is to address single sign-on, federated identity management, and access control issues.

SAML has become the definitive protocol for exchanging assertions that enable single sign-on and global logout. This security protocol allows different security infrastructures to exchange identity information without locking in specific-vendor architecture. SAML has gained wide industry support, including Liberty Alliance, which has reused and extended SAML for federated identity management.

XACML is a policy language for use in controlling access to XML documents or other resources. It provides a flexible and extensible mechanism for policy management and is consistent with the policy framework laid down by IETF and DMTF. XACML 2.0 is aligned with SAML 2.0 to allow the encapsulation and transmission of XACML attributes, policies, decision requests, and decisions in SAML assertions. It can also serve as a policy engine for many security infrastructures or vendor products.

Designing identity management using Java technology and Web services is complicated because multi-tier and multiple security domains are involved. Using J2EE design patterns for identity management would be helpful. In Chapter 12, "Securing the Identity," and Chapter 13, "Secure Service Provisioning," we will discuss design patterns that address SAML assertions, single sign-on, credential tokens, and security provisioning.