
Ping Big on Transaction Safety

Written By
Clint Boulton
Feb 13, 2006


Ping Identity has reached something of a milestone in the quest
to combine identity management and Web services technologies.


The Denver-based company, one of the last independent single sign-on
software makers on the market, rolled out PingTrust, a WS-Trust Security
Token Server.


PingTrust is an important step along the path to secure Web services and
distributed computing paradigms such as service-oriented architectures (SOA),
where disparate applications may be reused to execute business
processes.


Why does the industry need such a technology combination?


Ping Vice President Mike Donaldson said applications typically employ user
identities to protect resources and create audit trails to keep in step with
regulatory compliance rules such as HIPAA and Sarbanes-Oxley.

If someone makes
a purchase transaction on the Web, their identity is used as the linchpin of
the billing process.


To this point, Web services and SOAs have lacked standard mechanisms for
safely using people's identities, making Web transactions tough or impossible
to implement.

“There has not been a way with SOAP to communicate who the user is who made the
original request,” Donaldson said.


For example, an employee at a bank or hospital who needs to contact another
organization can use a Web service to call out for information. The problem
is the organization cannot recognize the user in the SOAP-based transaction.


To skirt this issue, users have injected user identity into the body of a
SOAP message, which involves proprietary extensions that create a tight
coupling between the Web service provider and the client.

In the end, this
raises security issues and violates the core tenets of Web service
information exchange.


“Any time you have proprietary extensions, you are forcing requirements on
people,” Donaldson said.


PingTrust solves this problem by creating and validating security tokens that
are bound into SOAP messages based on the Web Services Security (WSS)
standard.


PingTrust leverages OASIS WSS 1.0 to embed security tokens in SOAP
messages. WS-Trust establishes a mechanism for validating
tokens from PingTrust, which supports Java and .NET applications, Web-based
clients and rich clients.


PingTrust can operate on the client side, provider side or both sides of a
Web service transaction.


For example, Donaldson said a Web service client can use PingTrust to
exchange the security token being used in the local security domain, such as
a Kerberos ticket, for a SAML assertion that represents the
original user’s identity in other federated security domains, including
those at other companies.


After being tucked into a SOAP message and delivered to a Web service
provider, the provider will know who originated the request and will be able
to use that information in determining how to process the request.
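
As an added illustration (not Ping Identity's code and not part of the original article), the following Python builds a SOAP 1.1 request that carries a constructed, unsigned SAML 1.1 assertion in the WSS 1.0 `wsse:Security` header, and shows a provider reading the user from that header rather than from the body. The function names, the `GetRecord` payload and the issuer and user values are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.1 envelope, OASIS WSS 1.0 security header, SAML 1.1 assertion.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"


def build_request(user, issuer):
    """Client side: put the user's SAML assertion in the wsse:Security header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    # Constructed, unsigned assertion; a real one is issued and signed by the STS.
    assertion = ET.SubElement(security, f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1", "Issuer": issuer,
        "AssertionID": "_constructed-id", "IssueInstant": "2006-02-13T00:00:00Z"})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement")
    subject = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier").text = user
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    # Hypothetical business payload: it carries no identity fields at all.
    ET.SubElement(body, "GetRecord").text = "12345"
    return ET.tostring(env, encoding="unicode")


def requesting_user(soap_xml, trusted_issuers):
    """Provider side: read identity only from the header token, never the body."""
    if "<!DOCTYPE" in soap_xml:
        raise ValueError("SOAP messages must not contain a DTD")
    env = ET.fromstring(soap_xml)
    path = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{SAML}}}Assertion"
    assertions = env.findall(path)
    if len(assertions) != 1:
        raise ValueError("expected exactly one SAML assertion in wsse:Security")
    assertion = assertions[0]
    if assertion.get("Issuer") not in trusted_issuers:
        raise ValueError("assertion issuer is not trusted")
    # Assumption: the token's signature and validity period were already
    # checked, for example by a WS-Trust validation call to the token server.
    name = assertion.find(f".//{{{SAML}}}NameIdentifier")
    if name is None or not name.text:
        raise ValueError("assertion has no subject name")
    return name.text
```
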


PingTrust is now available and can be downloaded directly from Ping
Identity. The first 100,000 transactions are free, but Ping also offers
software subscriptions and other licenses.


PingTrust, which the company will formally announce Tuesday, is part of an
avalanche of news geared to touch off the RSA Security conference in San
Francisco this week.

HP, CA, IBM, Oracle and a raft of other software
providers will have news at the show.


Some of those vendors have a capability like PingTrust in their repertoire,
but don’t offer it as a standalone option, Donaldson said.
