[Figure 33 (sequence diagram "sd Trusted Domains Alternative 2"): participants Client, Security Gateway and STS A in Domain A; STS B and PEP in Domain B. Policies: the PEP requires a SAML token from trusted issuer STS B; STS B requires a SAML token from trusted issuer STS A; STS A requires a Username token. Sequence: OWSRequest from the Client to the Security Gateway; GetMetadata/WS-Policy exchanges with the PEP, STS B and STS A; RequestSecurityToken(Credentials) to STS A returning SAMLTokenA; RequestSecurityToken(SAMLTokenA) to STS B returning SAMLTokenB; WS-Security Request carrying SAMLTokenB to the PEP.]
Figure 33: Trusted Domains, alternative 2
13.4 Between Un-trusted Security Domains - Trust Establishment
Secure communication between domains that are not within a trust relationship requires trust establishment. Thus, a chain of trust relationships has to be created which provides a transitive trust relationship between the communication partners.
Figure 34 shows three security domains, with trust relationships between Domain A and Domain B as well as between Domain B and Domain C, but no direct trust relationship between Domain A and Domain C.
[Figure 34 (sequence diagram "sd Non-Trusted Domains"): participants Client, Security Gateway and STS-A in Domain A; STS-B in Domain B; STS-C and PEP in Domain C. Policies: the PEP requires a SAML token from trusted issuer STS-C; STS-C requires a SAML token from trusted issuer STS-B; STS-B requires a SAML token from trusted issuer STS-A; STS-A requires a Username token. Sequence: OWSRequest from the Client to the Security Gateway; GetMetadata/WS-Policy exchanges with the PEP, STS-C, STS-B and STS-A; RequestSecurityToken(Credentials) to STS-A returning SAMLTokenA; RequestSecurityToken(SAMLTokenA) to STS-B returning SAMLTokenB; RequestSecurityToken(SAMLTokenB) to STS-C returning SAMLTokenC; WS-Security Request carrying SAMLTokenC to the PEP.]
Figure 34: Trust Establishment between Non-Trusted Domains
13.5 Between Un-trusted Security Domains - Forwarding
Owing to certain circumstances concerning network security aspects of the sponsors, the use case ‘Between Un-trusted Security Domains’ could not be realized as described in section 13.4, since no direct access between un-trusted networks can be accepted. Thus, Figure 35 shows an alternative which – strictly speaking – is not real communication between un-trusted domains but rather a cascaded communication between trusted domains, based on the assumption that there are trust relationships between Domain A and B and between Domain B and C, but not between Domain A and C.
Since the Security Gateway offers a pure OWS interface, it is possible to protect this Gateway in Domain B with a PEP once more. Thus, Domain C only has to allow access to its OWS to Domain B, which acts on behalf of Domain A.
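The token chaining of sections 13.4 and 13.5, as an added model (not code from the OWS-6 testbed): each STS issues a token either for a home-domain user's credentials or in exchange for a token from an issuer it trusts, and the PEP accepts only a valid token from its one trusted issuer. Signed SAML assertions are stood in for by HMAC-signed claim sets; the domain names, keys and user "alice" are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a signed SAML assertion: claims plus an HMAC (real STSs use X.509).
def sign(issuer_key: bytes, claims: dict) -> dict:
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(issuer_key, body, hashlib.sha256).hexdigest()}

def verify(token: dict, issuer_key: bytes) -> dict:
    expected = sign(issuer_key, token["claims"])["sig"]
    if not hmac.compare_digest(expected, token["sig"]):
        raise PermissionError("token signature check failed")
    return token["claims"]

class STS:  # Security Token Service of one domain (hypothetical model)
    def __init__(self, name: str, key: bytes, users: dict, trusted_issuers: dict):
        self.name, self.key, self.users = name, key, users
        self.trusted_issuers = trusted_issuers  # issuer name -> its verification key

    def request_security_token(self, credentials=None, token=None) -> dict:
        if credentials is not None:  # RequestSecurityToken(Credentials): home-domain user
            user, password = credentials
            if self.users.get(user) != password:
                raise PermissionError(f"{self.name}: bad credentials for {user}")
            subject = user
        else:  # RequestSecurityToken(SAMLToken): exchange a token from a trusted issuer
            issuer = token["claims"]["issuer"]
            if issuer not in self.trusted_issuers:
                raise PermissionError(f"{self.name} does not trust issuer {issuer}")
            subject = verify(token, self.trusted_issuers[issuer])["subject"]
        return sign(self.key, {"issuer": self.name, "subject": subject})

def pep_authorize(token: dict, trusted_issuer: str, issuer_key: bytes) -> bool:
    # PEP policy: the WS-Security request must carry a valid SAML token from one trusted issuer.
    return verify(token, issuer_key)["issuer"] == trusted_issuer

def gateway_request(sts_chain: list, pep: tuple, credentials: tuple) -> bool:
    """Security Gateway: exchange tokens along the STS chain, then submit the OWS request."""
    try:
        token = sts_chain[0].request_security_token(credentials=credentials)
        for sts in sts_chain[1:]:
            token = sts.request_security_token(token=token)
        return pep_authorize(token, *pep)
    except PermissionError:
        return False

# Constructed domains: B trusts tokens from A, C trusts tokens from B, no direct A<->C trust.
KEY_A, KEY_B, KEY_C = b"key-a", b"key-b", b"key-c"
STS_A = STS("STS-A", KEY_A, {"alice": "s3cret"}, {})
STS_B = STS("STS-B", KEY_B, {}, {"STS-A": KEY_A})
STS_C = STS("STS-C", KEY_C, {}, {"STS-B": KEY_B})
PEP_C = ("STS-C", KEY_C)  # PEP in Domain C: required token SAML, trusted issuer STS-C
```

The chain A, B, C reaches Domain C's PEP, while skipping STS-B fails because STS-C does not trust STS-A; the same gateway talking to a PEP in Domain B that trusts STS-B is the first hop of the forwarding variant in Figure 35.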
Copyright © 2009 Open Geospatial Consortium, Inc.
[Figure 35 (sequence diagram "sd Untrusted Domains - Forwarding", with an "opt Authorization" fragment): participants Client, Security Gateway and STS A in Domain A; PEP, Security Gateway and STS B in Domain B; PEP in Domain C. Policies: the PEP in Domain B requires a SAML token from trusted issuer STS A; STS A requires a Username token; the PEP in Domain C requires a SAML token from trusted issuer STS B; STS B requires a Username token. Sequence: OWSRequest from the Client to the Security Gateway in Domain A; GetMetadata/WS-Policy exchanges; RequestSecurityToken(Credentials) to STS A returning SAMLTokenA; WS-Security Request carrying SAML Token A to the PEP in Domain B; the Security Gateway in Domain B then issues its own OWSRequest, performs GetMetadata/WS-Policy exchanges, obtains SAMLTokenB from STS B via RequestSecurityToken(Credentials), and sends a WS-Security Request carrying SAML Token B to the PEP in Domain C.]
Figure 35: Un-trusted Domains - Forwarding
14 RFQ Use Cases
The sections that follow provide the use cases contained in the Request for Quotation (RFQ) that served as the basis for developing the actual security architecture and implementations produced in the GPW thread as part of the OWS-6 testbed.
14.1 Within One Security Domain