RealTime IT News

Ping Big on Transaction Safety

Ping Identity has reached something of a milestone in the quest to combine identity management and Web services technologies.

The Denver-based company, one of the last independent single sign-on software makers on the market, rolled out PingTrust, a WS-Trust Security Token Server.

PingTrust is an important step along the path to secure Web services and distributed computing paradigms such as service-oriented architectures (SOA) , where disparate applications may be reused to execute business processes.

Why does the industry need such a technology combination?

Ping Vice President Mike Donaldson said applications typically employ user identities to protect resources and create audit trails to keep in step with regulatory compliance rules such as HIPAA and Sarbanes-Oxley.

If someone makes a purchase transaction on the Web, their identity is used as the linchpin of the billing process.

To this point, Web services and SOAs have lacked standard mechanisms for safely using peoples' identities, making Web transactions tough or impossible to implement.

"There has not been a way with SOAP to communicate who the user is who made the original request," Donaldson said.

For example, an employee at a bank or hospital that needs to contact another organization can use a Web service to call out for information. The problem is the organization cannot recognize the user in the SOAP-based transaction.

To skirt this issue, users have injected user identity into the body of a SOAP message, which involves proprietary extensions that create a tight coupling between the Web service provider and the client.

In the end, this raises security issues and violates the core tenets of Web service information exchange.

"Any time you have proprietary extensions, you are forcing requirements on people," Donaldson said.

PingTrust solves this problem by creating and validating security tokens that are bound into SOAP messages based on the Web Services Security (WSS) standard.

PingTrust leverages OASIS WSS 1.0 to embed security tokens in SOAP messages. WS-Trust establishes a mechanism for validating tokens from PingTrust, which supports Java and .NET applications, Web-based clients and rich clients.

PingTrust can operate on the client side, provider side or both sides of a Web service transaction.

For example, Donaldson said a Web service client can use PingTrust to exchange the security token being used in the local security domain, such as a Kerberos ticket, for a SAML assertion that represents the original user's identity in other federated security domains, including those at other companies.

After being tucked into a SOAP message and delivered to a Web service provider, the provider will know who originated the request and will be able to use that information in determining how to process the request.

PingTrust is now available and can be downloaded directly from Ping Identity. The first 100,000 transactions are free, but Ping also offers software subscriptions and other licenses.

PingTrust, which the company will formally announce Tuesday, is part of an avalanche of news geared to touch off the RSA Security conference in San Francisco this week.

HP, CA, IBM, Oracle and a raft of other software providers will have news at the show.

Some of those vendors have a capability like PingTrust in their repertoire, but don't offer it as a standalone option, Donaldson said.