Most organizations will have at least two entry points to the organization: browser/portal interfaces and web services. The same sets of identities, SSO, federated identity attributes, access control and other policies need to be applied in a consistent fashion across both these technologies. Leveraging deployed IAM technologies, including directories, for Web Services is a fundamental requirement.
In most architectures, the presentation and user interface handling (including challenge response protocols for authentication and SSO) will be handled by a portal. Different user credential schemes have been deployed over the years including passwords, tokens, smart cards, X.509 certificates and many others. To reduce complexity and improve performance, reduction of the number of credential types used within a web services framework is highly desirable. To that end, either SAML or Kerberos tickets are the most likely contenders. The advantage of SAML as the choice for this "single" token type is that it is extremely flexible and offers the opportunity to provide secondary authentication support by carrying the appropriate credentials necessary to interact with the legacy systems that Web Services must integrate with at some point.