Last week, in the Microsoft hospitality suite at the Burton Catalyst conference, I gave a demo showing the roles smartcards can play in web services security and federation. The demo comprised two web services (AirTicketService and CarRentalService), a company portal (TravelPortal), and a .NET smartcard hosting a Security Token Service (STS) and a Pseudonym Service. It also used my WS-Federation implementation from the Plumbwork workspace on GDN.
Objectives of the demo were:
The steps of the demo were:
- The user goes to the company travel portal and presents the PIN to authenticate to the smartcard.
- On successful authentication to the card, the travel portal sends an RST (Request Security Token) message to the STS residing in the smartcard to obtain a token for AirTicketService. I used a custom token that carries a symmetric key encrypted with the public key of the requestor.
- The travel portal then signs and encrypts the request to AirTicketService with the token retrieved from the card.
- After receiving the signed and encrypted makeReservation request, AirTicketService sends a GetPseudonym message to the pseudonym service residing in the smartcard.
- The smartcard returns a GetPseudonymResponse containing the attributes of the principal.
- Similar steps happen for CarRentalService.
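An added model of the token steps above in Python (example code, not the demo's own .NET implementation). It assumes the `cryptography` package, uses AES-GCM in place of the demo's separate sign-and-encrypt of the SOAP body, and, since the post does not say how the service obtains the key, assumes the STS also wraps the same key for the service's public key:

```python
# Added model of the demo's token flow, not the demo's own .NET code.
# Assumes the `cryptography` package. The STS on the card mints one
# symmetric key and wraps it for the requestor (the proof key described in
# the post) and, as an assumption made here, also for the target service.
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
AAD = b"makeReservation"  # binds the sealed body to the intended operation


def issue_token(requestor_pub, service_pub):
    """STS answering an RST: fresh 256-bit key, RSA-OAEP wrapped for each party."""
    key = AESGCM.generate_key(bit_length=256)
    return {"proof_key": requestor_pub.encrypt(key, OAEP),
            "service_key": service_pub.encrypt(key, OAEP)}


def unwrap(priv, wrapped):
    """Token holder recovers the symmetric key with its own private key."""
    return priv.decrypt(wrapped, OAEP)


def seal(key, body):
    """Portal's 'sign and encrypt': AES-GCM gives confidentiality and integrity."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, body, AAD)


def open_request(key, blob):
    """Service side: raises InvalidTag if the body, nonce or AAD was altered."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], AAD)


def run_flow(body):
    """Portal-to-service leg of the demo; returns the body as the service reads it."""
    portal = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    air = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    token = issue_token(portal.public_key(), air.public_key())
    sealed = seal(unwrap(portal, token["proof_key"]), body)
    return open_request(unwrap(air, token["service_key"]), sealed)


if __name__ == "__main__":
    print(run_flow(b"<makeReservation flight='XY123'/>"))
```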
The demo basically depicts figure 6 of the IBM/Microsoft paper on federation.
