Automated Security Service Orchestration for the Identity Management in Web Service Based Systems

Today, there is a huge amount of security services that can be used to implement different security requirements in Web Service based systems. For example, identity management services are required for authentication and authorization whereas message logging services are necessary to achieve non-repudiation. However, the deployment and configuration of these security services usually requires expert knowledge about the systems and expert knowledge about security requirements and implementations which a person can only learn by experience. Furthermore, today´s Web Service based systems become increasingly complex. Thus, implementing security requirements is a complex and error prone task, even for experts. For this paper, we analysed several service-based implementations for identity management and their differences in the service orchestration. We present an approach to derive the needed security services, their configuration, and their connections to the functional services, based on defined security requirements for a Web Service based system. Therefore, we evaluate the UML use case model of the system and apply service security pattern derived during the analysis of the identity management implementations.