A few weeks back I was discussing some requirements a few teams had within Oracle and I thought it would be a good topic to address on this blog. One of the most common scenarios that customers seem to run into is the following:
Let's say you have a Web Service. The Web Service supports SAML. Now if Web Service Clients are able to support SAML you are in good shape and they can talk to your Web Services. However if a Web Service Client cannot support SAML then you have a problem. Let's assume for a second that the Web Service Client can support Kerberos but not SAML.
This mismatch in security capabilities is a fairly common occurrence.
Before I talk about the specific feature of Dynamic Policy Selection that is supported in OWSM - let's see what are the various ways to solve this problem:
a) Option#1: Use Oracle STS to do Token Exchange/Conversion
b) Option#2: Build SAML capability in the Web Service Client or use Web Services Security technology that supports SAML
c) Option#3: Add Kerberos support to the Web Service.
Here we have two scenarios:
Scenario#3.1: Expose two Web Service Ports one using SAML and the other
Scenario#3.2: Dynamic Policy Selection on the Service
d) Option#4: Use Oracle Enterprise Gateway or Oracle Service Bus
I will describe briefly each of the options and the advantages and disadvantages of each option.
So a customer has four options. Different options have different implications on different parties.
Option#1: Use Oracle STS to do Token Exchange/Conversion
As I mentioned in a previous blog post - you can use a Oracle STS. Just to reiterate - this will look as follows:
a) The Security story on the Web Service side is fairly simple - you can standardize on one particular token - ex: SAML that all clients need to adhere to...
a) The onus is on the Client to bridge the difference b/w what the Web Service supports and what the client supports.
b) The Client needs to have the capability to be able to talk to an STS.
Option#2: Build SAML capability in the Web Service Client or use Web Services Security technology that supports SAML
Well this fairly self evident - if you can add the SAML support on the client - then there is not mismatch! Ex: use OWSM for example to secure your Web Service client and viola problem solved
a) The Security story on the Web Service side is fairly simple - you can
standardize on one particular token - ex: SAML that all clients need to
b) No new components into the mix - ex: Oracle STS
a) It may not always be possible to add SAML support - depending on the technology stack being used on the Web Service Client side! Option#3: Add Kerberos support to the Web Service
In this approach instead of client changing, the service side is modified to add Kerberos support. There are two ways to address this:
Scenario#3.1: Expose two Web Service Ports one using SAML and the other using Kerberos.
This is shown in the figure below (click for larger image).
a) The advantage of this approach is the clients are not impacted.
a) The Web Service has to support multiple web services - one for each security token or security requirement.
b) More overhead in terms of maintaining, testing.
c) If a technology stack does not support adding Web Service Ports dynamically - then the application has to go back to the Development and so the administrator cannot address this requirement.
d) Assumes the Web Service/Web Service Security stack on the service side can support Kerberos.
Scenario#3.2: Dynamic Policy Selection on the Service
In this model the Web Service is configured with a policy that basically supports both SAML "OR" Kerberos . When the Web Service Client invokes the Web Service - based on the contents of the message the appropriate option is selected. So if the Desktop application sends Kerberos Token - then the Kerberos Option in the policy is executed. If the On Premise App sends the SAML token in the SOAP message the SAML Option in the policy is executed.
High level Description:
So the way to achieve this in OWSM is by constructing an ExactlyOne Policy which contains two assertions - one is a SAML authentication assertion and the other is the Kerberos Authentication assertion.
You can author such a policy using Enterprise Manager Fusion Middleware Control as described in the OWSM documentation here.
a) No changes to the Web Service/Application itself. So a customer does not have to go back to the Development teams to add new Web Service Port every time the security requirement changes.
b) Administrator can make the changes by creating new combinations based on requirements
c) Web Service Clients are not impacted
a) The customer hosting the Web Service has to still test two security models! So there is still some testing, maintenance overhead.
b) Assumes the Web Service/Web Service Security stack on the service side can support Kerberos and Dynamic Policy Selection.
 For purposes of simplicity - I use the terminology "OR" above but "OR" operator and ExactlyOne are not identical in semantics.
 OWSM currently ships a few policies Out of the box (OOTB) that have this capability. Ex: See here and here. This section in the OWSM doc - describes the client policy and service policy compatibility which provides you a good overview.
Option#4: Use Oracle Enterprise Gateway or Oracle Service Bus
In this option OEG or OSB will act as an intermediary and do the token conversion - potentially in conjunction with an STS.
a) No impact for Client or the actual backend Web Service. The onus shifts to the intermediary in this case OEG or OSB.
b) If the Client cannot be modified or the backend Web Service cannot be modified - this is pretty much becomes the only option!
a) You need a new component - OSB or OEG in the mix
b) The intermediary has to easily support Scenario#3.1 or Scenario#3.2 itself - otherwise we have just shifted the problem to a different layer!
In this blog post - I took a concrete example - i.e. Kerberos and SAML - but the concept applies in general to any mismatch in security capabilities that customers may find between a Web Service Client and Web Service.