Traditional application security is "ineffective and unwieldy in a SOA" because identity and access rights -- including passwords and privileges -- vary widely among applications, West of Saugatuck Technology writes in a research paper released last year.
Single sign-on has not proved scalable in large organizations and is complicated by privacy and competitive issues when applied to SOA environments that range across business partners, West writes.
Less problematic is a federated identity management approach that works by trusting the source of assertions and uses the Security Assertion Markup Language (SAML). Requests for access control information can be coded in browser requests or included in Web services transactions, West writes.
"In this way, an identity management server produces assertions about the identity and rights of users that an application responds to," West writes. "An application, a service or a 'wrapped' services interface wouldn't need to have access to a directory or trust an individual user, because it only needs to know and trust the assertion and the assertion's source."
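The trust model West describes, as an added example that is not from the article or from Saugatuck's paper: an identity server issues a signed assertion about a user, and the service that receives it consults neither a directory nor the user, only the assertion and its source. The example simplifies real SAML in two labelled ways: an HMAC key shared with the identity server stands in for the issuer's X.509 signing certificate, and a small field-join stands in for XML canonicalization. The issuer and service URLs, the user name and the rights are constructed sample values.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assertion sources this service trusts: issuer name -> verification key.
# Assumption for the example: an HMAC key shared with the identity server
# stands in for the issuer's signing certificate used by real SAML.
TRUSTED_ISSUERS = {
    "https://idp.example.test": b"constructed-demo-key-not-a-real-secret",
}


def _canonical(assertion: ET.Element) -> bytes:
    """Deterministic byte form of the assertion's content, so that issuer and
    service sign and verify the same thing.  Stands in for XML C14N."""
    fields = [assertion.get(k, "") for k in ("Issuer", "Audience", "NotBefore", "NotOnOrAfter")]
    fields.append(assertion.findtext("Subject", ""))
    fields.extend(r.text or "" for r in assertion.findall("Right"))
    return "\x1f".join(fields).encode()


def issue_assertion(issuer, key, subject, audience, rights, not_before, not_on_or_after) -> str:
    """Identity-server side: build and sign an assertion about a user's identity and rights."""
    a = ET.Element("Assertion", {
        "Issuer": issuer, "Audience": audience,
        "NotBefore": not_before.isoformat(), "NotOnOrAfter": not_on_or_after.isoformat(),
    })
    ET.SubElement(a, "Subject").text = subject
    for r in rights:
        ET.SubElement(a, "Right").text = r
    mac = hmac.new(key, _canonical(a), hashlib.sha256).hexdigest()
    signed = ET.Element("Signed", {"mac": mac})
    signed.append(a)
    return ET.tostring(signed, encoding="unicode")


def verify_assertion(envelope: str, expected_audience: str, now: datetime) -> dict:
    """Service side: check only the assertion and its source.  Raises ValueError
    on any failure; otherwise returns the subject and rights to act on."""
    signed = ET.fromstring(envelope)
    a = signed.find("Assertion")
    if signed.tag != "Signed" or a is None:
        raise ValueError("malformed envelope")
    issuer = a.get("Issuer", "")
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:                                   # unknown source: reject before anything else
        raise ValueError(f"untrusted assertion source: {issuer!r}")
    expected = hmac.new(key, _canonical(a), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("mac", "")):
        raise ValueError("assertion signature does not verify")
    if a.get("Audience") != expected_audience:        # an assertion for another service is not ours
        raise ValueError("assertion not addressed to this service")
    nb = datetime.fromisoformat(a.get("NotBefore"))
    na = datetime.fromisoformat(a.get("NotOnOrAfter"))
    if not (nb <= now < na):
        raise ValueError("assertion outside its validity window")
    return {"issuer": issuer, "subject": a.findtext("Subject"),
            "rights": [r.text for r in a.findall("Right")]}


def demo() -> dict:
    """Run the happy path plus four rejections; returns what each produced."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    idp = "https://idp.example.test"
    svc = "https://orders.example.test"
    window = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    good = issue_assertion(idp, TRUSTED_ISSUERS[idp], "alice", svc, ["orders:read"], *window)
    results = {"valid": verify_assertion(good, svc, now)}
    rogue = issue_assertion("https://rogue.example.test", b"rogue-key", "alice", svc,
                            ["orders:admin"], *window)
    cases = {
        "tampered_rights": (good.replace("orders:read", "orders:admin"), svc, now),
        "wrong_audience": (good, "https://payroll.example.test", now),
        "expired": (good, svc, now + timedelta(hours=1)),
        "untrusted_issuer": (rogue, svc, now),
    }
    for name, (env, aud, when) in cases.items():
        try:
            verify_assertion(env, aud, when)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of checks matters: the source is established first, then integrity, then audience and validity window, so a service never reads rights out of an assertion it has not yet decided to trust. Real SAML deployments do the same with XML Signature over a canonicalized assertion and with the `Audience` and `Conditions` elements.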