| Abstract: | ABSTRACT Over the past 20 years, software has evolved from monolithic, stove-piped applications to services that communicate with other distributed components over communications networks. The rise in popularity of Service-oriented Architecture (SOA) and web services has presented unique challenges for securely conveying the identity of end users at every point, especially when mashups, Web service composition and orchestration solutions combine multiple distributed components throughout a network, and where each component may need to know the identity of the end user. Over the past decade, many U.S. government projects have embraced SOA, have identified security risks with certain types of identity propagation, and have built solutions for mitigating the risks. This paper focuses on identity propagation in Web service transactions and describes how several early SOA-based projects utilized “transitive trust” approaches. We categorize the security risks found and describe how these projects minimized or mitigated the risks. Finally, we discuss approaches used in current projects and provide guidance for future implementations. |
