1. The Field of the Invention
The present invention relates to computerized authentication and, more particularly, to trusted third party authentication for Web services.
2. Background and Relevant Art
Computer systems and related technology affect many aspects of society. Indeed, the computer system's ability to process information has transformed the way we live and work. For example, computer systems typically include software applications for performing a host of tasks (e.g., word processing, scheduling, and database management) that prior to the advent of the computer system were performed manually. A computer system can also include maintenance, diagnostic, and security applications (e.g., backup applications, health checkers, anti-virus applications, firewalls, etc.) that help to insure that the computer system remains, or can be returned to, an appropriate operating state. For example, an anti-virus application can detect and eliminate computer viruses before any harm is done to the computer system.
Many computer systems are also typically coupled to one another and to other electronic devices to form both wired and wireless computer networks over which the computer systems and other electronic devices can transfer electronic data. As a result, many tasks performed at a computer system (e.g., voice communication, accessing electronic mail, controlling home electronics, Web browsing, and printing documents) include the exchange of electronic messages between a number of computer systems and/or other electronic devices via wired and/or wireless computer networks.
Networks have in fact become so prolific that a simple network-enabled computer system may communicate with any one of millions of other computing systems spread throughout the globe over a conglomeration of networks often referred to as the “Internet”. Such computing systems may include desktop, laptop, or tablet personal computers; Personal Digital Assistants (PDAs); telephones; or any other computer or device capable of communicating over a digital network.
Further, application functionality can be spread or “distributed” across a number of different networked computer systems. That is, a first portion of an application can reside at a first computer system, a second portion of the application can reside at a second computer system, etc., that are all connected to a common network. These types of applications are commonly referred to as “distributed applications.” Distributed applications are particularly prevalent on the World Wide Web (“the Web”).
To promote interoperability across different platforms, distributed applications on the Web are often developed in accordance with one or more industry specifications. In particular, Web services describes a standardized way of integrating Web-based applications using the eXtensible Markup Language (“XML”), Simple Object Access Protocol (“SOAP”), Web Services Description Language (“WSDL”), and Universal Description, Discovery and Integration (“UDDI”) open standards over the Internet. XML is used to tag the data, SOAP is used to transfer the data, WSDL is used for describing the services available and UDDI is used for listing what services are available.
Often used as a means for businesses to communicate with each other and with clients, Web services allow organizations to communicate data without intimate knowledge of each other's IT systems. Web services share business logic, data and processes through a programmatic interface across a network. Web services allow different applications from different sources to communicate with each other without time-consuming custom coding, and because communication is in XML, Web services are not tied to any one operating system or programming language.
However, since Web services communicate with one another over, often public, networks, there are security risks associated with transferring data between Web services. For example, malicious users can attempt to intercept Web services data as the data is transferred across a network and can implement programs that impersonate the identity of one Web service in an attempt to have other Web services send Web services data to the impersonating programs. Accordingly, a number of Web Services specifications, such as, for example, WS-security, WS-SecureConversation, and WS-Trust, provide building blocks for addressing some of these security issues, such as, for example, signing and encrypting SOAP messages and requesting and receiving security tokens.
However, Web services specifications do not constitute an end-to-end security protocol that Web services can rely on to meet all of their security requirements. That is, there is no prescriptive way that describes how different Web service specifications can be used together to enable common application security requirements. For example, there are limited, if any, mechanisms that allow a group of Web services to trust and delegate user authentication responsibility to a trusted third party that acts as an identity provider for the trusting Web services. Further, there are limited, if any, mechanisms that allow a trusted third party to authenticate users through common authentication mechanisms, such as, for example, username/password and X.509 certificates and use initial user authentication to bootstrap subsequent secure sessions with Web services. Additionally, there are limited, if any, mechanisms that allow Web services to construct user identity context using a service session token issued by a trusted third party and to reconstruct security states without having to use a service-side distributed cache.
Therefore systems, methods, and computer program products that facilitate trusted third party authentication for Web services would be advantageous.