Manage Learn to apply best practices and optimize your operations.

Review: RSA ClearTrust 5.5 secure federated identity management system

RSA ClearTrust 5.5 eases the administration of securing Web services identity management across business partners' systems.

Secure (SSO) single sign-on to multiple websites is the ultimate draw for emerging Web services. Security managers want to leverage architecture to save costs and increase user productivity. That means extending digital identities across applications that reside on multiple platforms and domains inside and outside the enterprise. RSA Security's ClearTrust 5.5 is designed to deliver SSO through federated identity, user management support and dynamic transactional authorization for multipartner Web services.

ClearTrust 5.5 provides SAML-based identity and authentication via a Federated Identity Management (FIM) module. Its API allows developers to bundle authentication and authorization requests from legacy and new applications. The release also features user management enhancements and automated workflow to authorize account creation, group assignment, profile updates and password resets. It includes transactional Smart Rules, which enable dynamic look up in databases and LDAP directories to support authorization decisions.

While ClearTrust's federated identity is a no-brainer for developing real-time SSO authorization for Web services, security managers will be distracted by having to toggle across the application's three interfaces.

Simple SSO
ClearTrust 5.5's FIM module provides access to multiple Web sites with a single logon -- meaning a Web service user can authenticate once and benefit from a distributed SSO to other Web sites that have a trusted relationship. FIM enables SAML 1.1-compliant identity management by generating and processing SAML assertions, which provide XML-based authentication and authorization.

FIM makes it easy to manage SAML Asserting and Relying Parties. The Asserting Party is the one who requests access to a resource on a Relying Party's site. The Relying Party accepts SAML assertions, which are statements that declare that the identity of a user has been authenticated. Trust relations, established by defining the Asserting Party and Relying Party, enable one identity to be mapped to multiple identities on other sites to eliminate the constant toggling of names and passwords. ClearTrust maintains a local store of relationship data (user names and aliases).

Security managers use ClearTrust 5.5's Federated Identity Management module to manage SAML Asserting and Relying Parties, and enable SSO access to distributed Web services.

We configured an associated Relying Party for our Web service, a remote user identity and the authentication methods allowed, and mapped our local identity to a different remote identity to fully test the SSO federated identity capabilities.

We set the Asserting Party issuer and source identity, Asserting Party policy and trusted Relying Parties. The issuer and source identity -- the equivalent of a user ID for a Web service consumer -- is a 40-character randomly generated string that's similar to a shared key in a site-to-site security relationship. ClearTrust binds this identity string to a SOAP transport service URL, which acts as a broker for requests to a Web service. We used the FIM interface to configure length assertion lifetime policy, which defines how long the session is allowed, and custom authentication and Relying Party verification methods, such as digital certificate or basic authentication.

We authenticated to the Web service hosted on our system via the local client domain. An encrypted cookie identified us as a trusted authenticated party, and our request was directed via an SSL-secured connection to the remote Web service domain associated with our Relying Party. The SAML assertion essentially mapped our local identity to the remote identity. The remote Web service, which was configured to display the entire SAML assertion upon successful authentication and authorization, accepted our assertion, and the comprehensive display verified the receipt and accuracy in processing the SAML assertion.

Along with the standard SAML fields, ClearTrust allows for the enumeration of additional attributes, which can be used to pass information to other Web services. For example, we were able to pass metadata in the form of name/value pairs for an affinity program to the remote domain. It accepted our identity and authentication assertions, but relied on remote site authorization to control what we were able to access.

Streamlining Web Services Security
RSA includes its ClearTrust API in version 5.5 as a "One Call" Web service for enhanced integration and to extend its reach to enterprise applications. For example, developers can bundle authentication and authorization requests from legacy and new applications such as Microsoft's .NET into a single Web service API call. ClearTrust can respond to the Web services calls with a single response that answers the packaged requests. This reduces the number of conversations between systems and improves performance considerably. For example, providing the API as a standards-based Web service allows enterprises to integrate Microsoft's BizTalk and Sun Microsystems' J2EE to use the same authentication and authorization scheme.

ClearTrust employs a Web Services Description Language interface, which uses an XML-based language to describe various Web services calls, their related functions and how to access them.

We installed our Web archive file, which is used for deploying Web applications, on a BEA WebLogic server to test the ClearTrust API, and made several test calls to the ClearTrust Web service API requesting authentication and authorization. Our simple Web service client sent the packaged request seeking authorization to three URLs (/secure, /test and /accounts). The ClearTrust Web service API bundled its answer, and following policy, returned three "allow" responses.

ClearTrust compares the user ID, authentication secret and URL requested with the local ClearTrust security policy to issue allowance decisions. We removed our user's entitlements to the three URLs to test ClearTrust's ability to deny access, and resent our packaged request. The Web service API responded by bundling three "deny" responses.

Transactional Authorizations
ClearTrust has extended its standard Smart Rules in 5.5 to enable a dynamic lookup of authorization decision data stored in databases, LDAP directories, Web services and XML files.

We created an XML file with a user ID for dynamically checking a value, and a file with a field called "credit card approval" and an assigned value of 0,1 to toggle between. We set the rule to deny access if the value for the user was 0, and allow access to a resource if the value was 1. The ACL resource was defined as our Web server directory containing a collection of analyst reports that were for paying subscribers only. Our transactional rule performed a credit card validation lookup, and issued file access pending the charge acceptance.

The transactional smart rule denied us when we tried to access the directory with the value set to 0, and with the value set to 1 allowed our access to see pages within the protected directory. ClearTrust's pairing of dynamic data and business logic for driving security decisions is an important functionality. In the case where a user's access to downloadable software is based on available credit, ClearTrust could check the user's credit to dynamically deny or authorize access.

Empowered Users
ClearTrust 5.5 has eased the sting of managing end users with its Advanced User Management (AUM) module. With AUM's built-in workflow, security managers can preapprove a series of actions for authorized users, including account creation, group assignment, profile update and password reset requests.

We completed the username, password, e-mail address, full name and zip code to authorize account creation. Three questions were selected from a pull-down menu to authorize future unassisted password resets. Questions are configurable, but we applied the RSA templates for "favorite teacher," "first pet's name" and "name of your elementary school." A receipt was issued, and we were notified by e-mail when the account was approved.

The AUM module provides a list of approval tasks, and we clicked to endorse the account. An e-mail message was issued to our end user that the account activation had been approved. We tested the password reset by entering our user name in the text field and providing our three previously validated responses to the psychographic questions. Our verified responses allowed us to replace our forgotten password.

A Good Marriage
RSA ClearTrust 5.5 has introduced useful features that support the emerging Web services SAML 1.1 standard. Its self-service eases user administration. Dynamic transaction rules marry business logic to security authorization decisions, with the ability to query both internal and external partner Web services for dynamic decision support. These features, when combined with the ability to expose the API as Web service, create a centralized security architecture with intelligent and distributed capabilities.

While accessing three administrative interface links from a browser-based dashboard served our purposes, combining the consoles into a single interface would make ClearTrust a more efficient tool for security managers. But given the robust and intuitive feature set in ClearTrust 5.5, we can't complain.


RSA ClearTrust 5.5
RSA Security
Price: Starts at $26/user

PURPOSE: ClearTrust 5.5 provides access and federated identity management for Web services.

REQUIREMENTS: Requires Microsoft Windows 2000/2003, Red Hat Linux Enterprise or SuSE Linux, Sun Solaris 8/9, IBM AIX or HP-UX; Oracle, Microsoft SQL Server 2000, Sybase, Microsoft Active Directory or Sun One Directory Server; Sun One Webserver, Microsoft IIS 5.0/6.0 or Apache; BEA WebLogic 8.1, IBM WebSphere or Tomcat.

- Provides SAML 1.1-based Web service authentication.
- Comprehensive API Web service integration.
- Dynamic transaction authorization based on business logic.

- Federated identity maps user IDs across Web services and sites.
- Automated user account management and workflow.

- Three separate administrative GUI's.

VERDICT: RSA ClearTrust 5.5 delivers key components that target the need for federated identity with support for emerging Web service standards. User self-service eases the administrative burden for authorizing Web services authentication. RSA offers a robust feature set and practical solution.

George Wrenn, CISSP, is a technical editor for Information Security, a graduate fellow at the Massachusetts Institute of Technology and a director of security at a financial services firm.

Dig Deeper on Secure SaaS: Cloud application security