The following is a complete transcipt of the question-and-answer session that followed ebizQ's "Web Services Single Sign-on: Securing Web Services in a Federated World" Webinar.

David Linthicum: Ok, go ahead and get the questions now and like to, basically hit the first one. How to extend WS Security environment. Any of you guys like to take that question on from Sun?.

Daniel Raskin: Sure, this is Daniel Raskin, and again, Product Line Manager for Access Manager and Federation Manager and basically when you're talking about extending in a WS Security, your STS, or your gateways to simplify management of silos, what you're really talking about is now the technology that you're applying to federation and so really, the way I look at this questions what we're going back and asking what's the value proposition of what federated single sign-on is valid.

And, you know, I think traditionally organizations have looked at that as to how do you actually create a single customer view of your applications to your customer, your consumer typically within a single security domain and so what we're really talking about with federation is how do you do that across multiple security domains. So, essentially, what we're talking about here is you want to leverage federation to actually break down those silos, break down those barriers to create that single view for the customer and whether that's within your own internal organization, breaking down those silos to create a single view for your employees whether it's jumping across multiple security domains to actually tie multiple applications together to extend customer value, for example, presenting more content to a user that they wouldn't necessarily have access to through your applications, that's really what federation is about.

So, again, things like WS Security, the STS, the gateways, those are all technologies to enable that and to ensure that you have secure communication when doing it but really what you want to be looking at also is what's the business need that you have around federation, what are you trying to do and that's also typically one of the biggest challenges that I find as a vendor talking to customers that often times people are looking at the technologies but they don't necessarily understand what they're trying to do with it and so, again, taking a look at the business value, are we trying to consolidate internally all of our applications to make it simpler for the customer, are we trying to track revenue, are we trying to drive more content to users, those are the types of things that you need to be thinking about. So, holistically, you don't want to just look at you're Web services security story but you also want to be looking at what your single sign-on story, what's your federation story, what's your access management story, and again, what's your identity solution, your identity infrastructure that you're trying to drive across your organization.

DL:Great. What kind of security do you provide? Is it encryption based?

DR: We do have encryption based security and I definitely encourage you to swing by our booth to talk to the folks that are manning that to talk about all the different options that are there but we also do have partnerships as well with other organizations that offer additional security on top of what Access Manager can provide, so for example, if you're looking for a PKI solution or some mechanism of using Smart Cards to do strong authentication, we can do that. The other thing that we do is we focus heavily on the standards, so what are the standards-based ways for handling communication so keeping track of things like WS Star and WS Security are really important to us and are supported in our product.

DL: Great. Another question. What happens if my security model is not identity centric?

DR: OK, so if it's an information-based security model, basically where I focus primarily is within identity so we're typically looking at user-centric based models for supporting this information but, again, within Access Manager and in terms of how you actually enforce policy, the things that you're enforcing don't necessarily have to be individuals so that's, you know, if you're looking at an access management solution, you need to look at how you're actually supporting what people have access to once they actually go into different realms or different areas of your application and so you need to look at it in the context of not just the user but also where that user's going and what kind of information they support. So, again, my area of focus is typically on an identity and user-centric identity but, again, I would encourage you to stop by our booth and ask about information-based solutions, as well.

DL: Is there a standard way to propagate identity when the service provider acts as a service consumer?

DR: So, when you want to actually handle an identity so is there a standard way to propagate identity when the service provider acts as a service consumer? So, yes, I mean, everything that we're talking about within access and federation is about standardization, how do you actually build these solutions to make sure that they scale and do these things in a repeatable way so when you're implementing these solutions, basically what you should be looking at is how to actually do it in a way that's repeatable. How do you actually not just support one service provider but actually support many service providers across your information model and so what you actually want to do is with access managers is you want to ensure that when you're handling an identity that you can actually have it consumed in a way that is repeatable, is scalable, is supported in a very, in a way that allows your organization to scale. So, yes.

DL: Great. Is the security token service a third-party app that provides both token issuing and token validation?

DR: It's not a third-party service, and, in fact, I just came back from Catalyst Europe which is handled by the Burton Group where we were actually demonstrating our security token service and that's actually it's in an Open SSO today so Open SSO is the open source code base of Access Manager that you can actually freely download and use as an open source product and essentially, it's embedded within the Access Manager solution so you get access to your access management federation web services security technologies all within one Java EE application and so, in fact, what we did at Catalyst Europe was we demonstrated the security token service using Microsoft's Hard Space which is a user-centric based technology and had that communicate back to an IDP service provider translating that card space information card into SAML. So essentially it's within the product and it's available in Open SSO and it will be available in the next supported release of our Access Manager solution.

DL: I have a question. When considering Service Oriented Architecture when should you consider security modeling and is it systemic to the entire life cycle or is it something we can do it one phase of the design and development?

DR: Kevin, do you want to jump in with that?

Kevin Schmidt: It's really something you wan to think about from the beginning. If you build your Service Oriented Architecture and then develop many different services and then try to determine after the fact where you want to apply security and how, it can cause some problems just because you may have to go back and make some changes so it's something you do want to think about from the beginning. Having said that, Service Oriented Architecture and the whole notion of having decoupled services does provide some benefits if you built a Service Oriented Architecture in the right way, in that you do have decoupled services and if you do want to insert a gateway or apply security in between some of the services that you built, you can do so without having to make changes in those services but it's still much better to think about it from the start and plan appropriately so that you don't have to make changes later.

DL: Well, great. I think we've pretty much covered it. I think that's the end of the questions. Anything you guys want to add before we conclude?

Kevin Schmidt: I would just certainly welcome people to go take a look at our online booth. We have reps standing by to help answer additional questions that you might have about our solutions and products for building applications as well as securing applications so go take a look and let us know if you have any questions.

DL:Yeah, I appreciate that and this is Dave Linthicum and I appreciate the gentlemen from Sun; you did an excellent job in explaining not only their technology but a good tutorial of the technologies space in general and how security's very important and systemic to those who are building Service Oriented Architectures including my client. I want to thank everybody for listening and all those who asked a question. And, I appreciate you attending the SOA in Action event and I urge you to go out to the Sun booth and learn more about their products and technologies. Thank you very much.