Vordel has announced an Early Access program for its forthcoming release of the VordelSecure 1.1 XML Security product, allowing participating organizations to "integrate a wide variety of technologies for passing authentication and authorization data in SOAP messages -- including SAML, digital certificates, and WS-Security. VordelSecure is deployed at the perimeter of an organization, intercepting incoming SOAP requests at the Web server and validating them against security rules configured for the requested SOAP service. Depending on the outcome of the rules, the XML messages are either routed to the service or blocked. In this way it ensures that requests, containing unwanted data or received from unauthorized users, do not reach the business logic on an application server or interfere with internal systems. VordelSecure can examine the integrity, structure, and content of XML requests using industry standards such as XML Signature, XML Schema, and XPath; VordelSecure ensures the authenticity of X.509 certificates used, by integrating with PKI directories and local and global trust services, including XKMS based services."
From the White Paper, Executive Summary:
Web services introduce new security risks, which are not addressed by traditional security solutions that provide security at the network and transport layers. To ensure that your Web services are not compromised, they must be secured at the application layer. VordelSecure 1.1 provides full protection for your XML and Web services deployments against internal abuse and external attack. It enables security at the application layer by supporting the new and emerging XML and SOAP security standards.
VordelSecure offers broad security support that provides for content inspection as well as authentication, authorization, and accountability. It is deployed at the perimeter of your organization, intercepting incoming SOAP requests at the Web server and validating them against the security rules configured for the requested service. An intuitive management wizard is provided that allows you to easily apply security rules on a per-service basis. The following security rules can be enabled:
- VordelSecure can examine the integrity, structure, and content of XML requests using industry standards -- XML Signature, XML Schema, and XPath -- to ensure that unwanted or malicious data does not reach your Web services.
- VordelSecure can verify the authenticity of X.509 certificates used, by integrating with PKI directories and local and global trust services to ensure that no invalid or revoked certificates are used.
- VordelSecure can delegate authorization of users to existing access control software using SAML to ensure that unauthorized requests are blocked. Alternatively for less fine-grained access control VordelSecure can authorize incoming requests using the issuing CA policy or the certificate profile.
VordelSecure also provides audit trails for all transactions processed to enable you to account for usage of your Web services. You can locate and view these signed audit trails using the VordelSecure report generator. A monitoring console is provided to track activity in real-time.
SAML support to achieve fine-grained access control: "VordelSecure can authorize incoming requests by verifying the requester using SAML (Security Assertions Mark-up Language). SAML provides a standard way for exchanging authentication and authorization information about users over the Internet using XML messages called assertions. Using SAML you can leverage corporate investment in access management tools. These tools store user profiles and permissions and can act as SAML PDPs (Policy Decision Points), to which VordelSecure can interface using SAML. There are a large number of use cases to be considered with SAML and the scenarios supported by VordelSecure are described below. If a Web service request contains a SAML assertion, VordelSecure can use this assertion to determine if the requester is a valid user of the Web service. An assertion may contain only authentication information or it may contain information about the resources that the user has permission to access. VordelSecure can process both authentication and authorization assertions. If the request contains an authorization assertion, VordelSecure will examine it to see if the Web service requested is listed as a resource. Since a SAML Authority will typically sign the SAML assertions it issues, VordelSecure can validate the assertion by verifying the signature to ensure the assertion has not been modified since it was issued. VordelSecure can also verify that the SAML Authority is trusted to issue assertions for your Web service. The certificates for the SAML Authorities you want to trust must be imported into the VordelSecure certificate store and then assigned to the Web service..." [from the White Paper]
Principal references:
- Announcement 2002-06-18: "Vordel Offers Early Access to XML Security Product for Next-Generation Partner Integration." [source]
- VordelSecure product description
- VordelSecure Version 1.1. VORDEL White Paper. 15 pages. "An in-depth description of Vordel's innovative VordelSecure, the XML security product." [cache]
- VordelSecure Version 1.1 Early Access program
- Contact: eap@vordel.com
- Vordel website
- See also: "Security Assertion Markup Language (SAML)."