Technical Documents Technical Documents

EMI technical documents, reports and specifications are available on the in the EMI section on the CERN Document Server.

Articles Articles

Security Token Services

The European Middleware Initiative to support Security Token Services

Towards simplification of the authentication procedures

Until the early 1990s, computing research was very much about the networks themselves, but nowadays much of the work is about services that are offered via the network and about middleware. Middleware, an area that first came up in the United States in the final years of the 20th century, it is part of what stands between users and the actual machines that deal with the huge amount of data produced by the scientific community worldwide. This is why, today more than ever, remote access to shared resources is a delicate challenge for IT.

Significant amounts of computing power, storage capacity and set of many, sometime very specific, applications allow users to perform powerful, complicated time-consuming calculations and simulations. In the interests of security, users cannot be anonymous, but must be authenticated and authorized with appropriate certificates before gaining access to resources. Middleware traditionally bases its authentication infrastructure on Public Key Infrastructure and X.509 certificates (an ITU-T1[1] standard), i.e. procedures which enable users of a basically unsecure public network such as the Internet to securely and privately exchange data through the use of a public and a private cryptographic key pair, a value provided by some designated authority as an encryption. This encryption allows the conversion of data into a form that can identify an individual or an organization, through a digital signature. Authentication and authorization procedures became quite efficient but still they may be sometimes inconvenient and require extra steps from users. IT aims at facilitating an even more user friendly approach to distributed computing infrastructures, by lowering the barriers typically preventing mass adoption of e-Infrastructures. On the other hand, the explosion of the social networks has made popular an alternative, simplified, access mechanism, allowing the possibility to authenticate with multiple systems through what is called a "Single Sign-On" (SSO), which in other words means only one login action via a username and password, granting access to multiple systems in the same environment. This is indeed the case of scientists who, having a single account in some federations (sets of cooperating organizations reciprocally trusting each other), can be authenticated with multiple systems within such federations via SSO. Indeed one of the goals of the software web-based services, called "Security Token Service" (STS), is to enable users to obtain authentication tokens in an easy, transparent way through centralized security services, STS enables also transformation of security tokens from one format into another, for example from an open standard, such as SAML (Security Assertion Markup Language), on which most of SSO relies, to a specific certificate like X.509.

As the leading platform for scientific Grid computing, the European Middleware Initiative (EMI) will support and implement such a process through STS implementation, and its support by the other EMI computing and data services. The EMI upcoming common authentication library (CANL, Common AuthenticatioN Library), will ensure that these evolutions will be uniformly supported by all EMI services and consolidate the different tools used by the EMI services set, streamlining their structure and insuring full service interoperability. Secure methods for authenticating a request for a service in a computer network, like Kerberos tickets, will be also supported as incoming security token formats for users' authentication. STS will be implemented in Java and will be compatible with the Web services trust interoperability profile. The overall architecture of the STS implementation is shown on the picture below.

STS overall architecture implementation

In the yellow boxes there are the components in the responsibility of EMI (SOAP[2] Client: any Web service client capable of producing and communicating compatible  RST[3] messages, and understanding RTSR[4] messages produced by the STS; WS-TPH[5]: component responsible for orchestrating the process for handling a profile request before generating the response; Token Authority: support for different kinds of token generators; Token Generator: system of several token generators (SAML, X.509, etc.). 

The components described in the green boxes are provided off the shelf (Authentication Engine authenticates the user from the incoming security token; Attribute Decoder decodes the attributes from the incoming security token; Attribute Authority resolves the required attributes for the outgoing security tokens; Request Dispacther provides service endpoint interacting with client).

The red box is a remote source possibly exploited in the security token issuance process.


[1] ITU-T: International Telecommunication Union-Telecommunication Standardization Sector.

[2] SOAP: Simple Object Access Protocol

[3] RST: Request Security Token

[4] RSTR: Request Security Token Response

[5] WS-TPH: Web Services Trust Profile Handler


Contributed by Beatrice Bressan, February 2012