Traditional application security is "ineffective and unwieldy in a
SOA" because identity and access rights, including passwords and
privileges, vary widely among applications, West of Saugatuck
Technology writes in a research paper released last year.
Single sign-on has not proved scalable in large organizations,
and it is complicated by privacy and competitive issues when applied to
SOA environments that span business partners, West writes.
Less problematic is a federated identity management approach
that works by trusting the source of assertions and uses the Security
Assertion Markup Language (SAML). Requests for access-control information
can be carried in browser requests or embedded in Web services
transactions, West writes.
"In this way, an identity management server produces
assertions about the identity and rights of users that an application
responds to," West writes. "An application, a service or a 'wrapped'
services interface wouldn't need to have access to a directory or trust
an individual user, because it only needs to know and trust the
assertion and the assertion's source."
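The following is an added example, not code from the article or from Saugatuck, that shows the trust relationship West describes in working form: an identity provider issues a SAML-style assertion about a user's identity and roles, and a service accepts it by checking only the assertion itself and its source, with no directory lookup and no per-user trust. The issuer and audience URLs, the shared key, and the trust store are constructed for the example; the signature is an HMAC over the assertion bytes, a stand-in for the XML Signature over the Assertion element that a real SAML deployment verifies against the IdP's certificate from its metadata.

```python
"""Constructed SAML-style assertion issue/verify flow (added example)."""
import base64
import calendar
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical trust store on the relying party: issuer entityID -> key.
# The service knows and trusts the *source*, not individual users.
# A real deployment would pin the IdP's X.509 signing certificate instead.
TRUSTED_ISSUERS = {"https://idp.example.com/saml": b"constructed-demo-key"}


class RejectedAssertion(Exception):
    """Raised by the relying party when an assertion must not be honoured."""


def _tag(name):
    return "{%s}%s" % (NS, name)


def issue_assertion(issuer, key, subject, roles, audience, now, ttl=300):
    """Identity provider side: build an assertion and sign its bytes."""
    a = ET.Element(_tag("Assertion"))
    ET.SubElement(a, _tag("Issuer")).text = issuer
    subj = ET.SubElement(a, _tag("Subject"))
    ET.SubElement(subj, _tag("NameID")).text = subject
    cond = ET.SubElement(
        a, _tag("Conditions"),
        NotBefore=time.strftime(TS, time.gmtime(now)),
        NotOnOrAfter=time.strftime(TS, time.gmtime(now + ttl)))
    ar = ET.SubElement(cond, _tag("AudienceRestriction"))
    ET.SubElement(ar, _tag("Audience")).text = audience
    stmt = ET.SubElement(a, _tag("AttributeStatement"))
    attr = ET.SubElement(stmt, _tag("Attribute"), Name="role")
    for r in roles:
        ET.SubElement(attr, _tag("AttributeValue")).text = r
    body = ET.tostring(a, encoding="utf-8")
    # HMAC stand-in for the XML Signature the IdP would normally produce.
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return body, base64.b64encode(sig).decode()


def verify_assertion(body, sig_b64, audience, now):
    """Service side: accept the assertion on the strength of its source alone.

    Checks, in order: the issuer is one we trust, the signature verifies under
    that issuer's key, the assertion is inside its validity window, and it was
    minted for this service (audience). Returns (subject, roles).
    """
    root = ET.fromstring(body)  # use defusedxml for untrusted XML in production
    issuer = root.findtext(_tag("Issuer"))
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        raise RejectedAssertion("untrusted issuer %r" % issuer)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_b64)):
        raise RejectedAssertion("signature does not verify")
    cond = root.find(_tag("Conditions"))
    not_before = calendar.timegm(time.strptime(cond.get("NotBefore"), TS))
    not_after = calendar.timegm(time.strptime(cond.get("NotOnOrAfter"), TS))
    if not (not_before <= now < not_after):
        raise RejectedAssertion("assertion outside validity window")
    audiences = [e.text for e in cond.iter(_tag("Audience"))]
    if audience not in audiences:
        raise RejectedAssertion("assertion not intended for this service")
    subject = root.findtext(".//" + _tag("NameID"))
    roles = [v.text for attr in root.iter(_tag("Attribute"))
             if attr.get("Name") == "role"
             for v in attr.iter(_tag("AttributeValue"))]
    return subject, roles


if __name__ == "__main__":
    idp = "https://idp.example.com/saml"
    svc = "https://orders.example.com/service"
    now = int(time.time())
    body, sig = issue_assertion(idp, TRUSTED_ISSUERS[idp], "alice",
                                ["orders:read"], svc, now)
    print(verify_assertion(body, sig, svc, now))
```

The four rejection paths matter as much as the happy path: a service that checks the signature but not the audience will honour an assertion the IdP issued for a different partner, and one that skips the validity window lets a captured assertion be replayed indefinitely.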
Article Link: http://www.techworld.nl/idgns/3776/soas-6-burning-questions.html