Ping Identity has reached something of a milestone in the quest to combine identity management and Web services technologies.
The Denver-based company, one of the last independent single sign-on software makers on the market, rolled out PingTrust, a WS-Trust Security Token Server.
PingTrust is an important step along the path to secure Web services and distributed computing paradigms such as service-oriented architectures (SOA), where disparate applications may be reused to execute business processes.
Why does the industry need such a technology combination?
Ping Vice President Mike Donaldson said applications typically employ user identities to protect resources and create audit trails to keep in step with regulatory compliance rules such as HIPAA and Sarbanes-Oxley.
If someone makes a purchase transaction on the Web, their identity is used as the linchpin of the billing process.
To this point, Web services and SOAs have lacked standard mechanisms for safely using peoples’ identities, making Web transactions tough or impossible to implement.
“There has not been a way with SOAP to communicate who the user is who made the original request,” Donaldson said.
For example, an employee at a bank or hospital that needs to contact another organization can use a Web service to call out for information. The problem is the organization cannot recognize the user in the SOAP-based transaction.
To skirt this issue, users have injected user identity into the body of a SOAP message, which involves proprietary extensions that create a tight coupling between the Web service provider and the client.
In the end, this raises security issues and violates the core tenets of Web service information exchange.
“Any time you have proprietary extensions, you are forcing requirements on people,” Donaldson said.
PingTrust solves this problem by creating and validating security tokens that are bound into SOAP messages based on the Web Services Security (WSS) standard. PingTrust leverages OASIS WSS 1.0 to embed security tokens in SOAP messages. WS-Trust establishes a mechanism for validating tokens from PingTrust, which supports Java and .NET applications, Web-based clients and rich clients. PingTrust can operate on the client side, provider side or both sides of a Web service transaction.