CSIV2 Security Attribute Service (CSIV2 SAS)
The Common Security Interoperability version 2 (CSIV2) specification is defined by the Object Management Group (OMG). The specification defines the CSIV2 Security Attribute Service (CSIV2 SAS) protocol to address the requirements of CORBA security for interoperable authentication, delegation and privileges.
Do not confuse IBM's SAS (Secure Authentication Service) with CSIV2 SAS (Security Attribute Service). The CSIV2 SAS protocol is designed to exchange its protocol elements in the service context of General Inter-ORB Protocol (GIOP) request and reply messages that are communicated over a connection-based transport. The protocol provides client authentication, delegation, and privilege functionality that may be applied to overcome corresponding deficiencies in an underlying transport. The CSIV2 SAS protocol facilitates interoperability by serving as the higher-level protocol under which secure transports may be unified.
The CSIV2 SAS protocol is divided into two layers:
- The authentication layer is used to perform client authentication where sufficient authentication could not be accomplished in the transport.
- The attribute layer may be used by a client to deliver security attributes, such as identity and privilege, to a target where they may be applied in access control decisions.
The attribute layer also provides the means for a client to assert identity attributes that differ from the client's authentication identity (as established in the transport or in the CSIV2 SAS authentication layer). This identity assertion capability is the basis of a general-purpose impersonation mechanism that makes it possible for an intermediary to act on behalf of some identity other than itself. This can improve the performance of a system, since authenticating a client is relatively expensive. The server validates an asserted identity by checking its trust rules: the intermediary must itself be authenticated and must be trusted to assert identities before the asserted identity is accepted.
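The following Python model illustrates the two layers and the trust-rule check described above. It is an added example, not code from IBM or the OMG, and it is deliberately simplified: the `ClientAuthToken`, `IdentityToken`, `EstablishContext` and `TargetPolicy` classes, the `authenticate` and `establish_identity` functions, and all sample credentials and identities are constructed for illustration. Real CSIV2 SAS messages are CDR-encoded inside a GIOP service context and use GSSUP or other mechanism-specific tokens; none of that encoding is modelled here.

```python
"""Simplified model of a CSIV2 SAS EstablishContext decision (added example).

Constructed, illustrative code; not IBM's or the OMG's implementation.
It mirrors the two layers on the page: an authentication layer (the caller
proves who it is) and an attribute layer (the caller may assert a different
identity), with the target applying trust rules before accepting an assertion.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


# --- Authentication layer --------------------------------------------------
@dataclass(frozen=True)
class ClientAuthToken:
    """Hypothetical username/password token carried in the authentication layer."""
    username: str
    password: str


# --- Attribute layer --------------------------------------------------------
@dataclass(frozen=True)
class IdentityToken:
    """Identity asserted in the attribute layer (principal-name style)."""
    principal: str


@dataclass(frozen=True)
class EstablishContext:
    """The SAS message a client places in the GIOP service context (modelled)."""
    auth_token: Optional[ClientAuthToken]
    identity_token: Optional[IdentityToken]
    transport_identity: Optional[str] = None  # e.g. subject of a client TLS certificate


@dataclass(frozen=True)
class TargetPolicy:
    """Target-side configuration (constructed sample values)."""
    credentials: Dict[str, str]          # username -> password (toy store)
    trusted_asserters: FrozenSet[str]    # identities allowed to assert other identities


def authenticate(msg: EstablishContext, policy: TargetPolicy) -> Optional[str]:
    """Authentication layer: establish the caller's own identity.

    The transport identity is used when present; otherwise the SAS
    authentication token is checked against the target's credential store.
    """
    if msg.transport_identity:
        return msg.transport_identity
    tok = msg.auth_token
    if tok is None:
        return None
    stored = policy.credentials.get(tok.username)
    if stored is not None and hmac.compare_digest(stored, tok.password):
        return tok.username
    return None


def establish_identity(msg: EstablishContext, policy: TargetPolicy) -> Tuple[Optional[str], str]:
    """Return (effective_identity, reason) after applying the target's trust rules.

    An asserted identity is accepted only when the caller is authenticated
    and appears in the trusted-asserter set; otherwise the request is rejected.
    """
    caller = authenticate(msg, policy)
    if caller is None:
        return None, "caller not authenticated"
    if msg.identity_token is None:
        return caller, "authenticated identity used"
    if caller not in policy.trusted_asserters:
        return None, f"{caller} is not trusted to assert identities"
    return msg.identity_token.principal, f"identity asserted by trusted intermediary {caller}"


# Constructed sample policy: only the 'gateway' intermediary may assert identities.
POLICY = TargetPolicy(
    credentials={"gateway": "s3cret", "alice": "pw"},
    trusted_asserters=frozenset({"gateway"}),
)

# Constructed sample messages covering the cases the page describes.
DIRECT_CLIENT = EstablishContext(ClientAuthToken("alice", "pw"), None)
TRUSTED_ASSERTION = EstablishContext(ClientAuthToken("gateway", "s3cret"), IdentityToken("bob"))
UNTRUSTED_ASSERTION = EstablishContext(ClientAuthToken("alice", "pw"), IdentityToken("bob"))
BAD_PASSWORD = EstablishContext(ClientAuthToken("alice", "wrong"), None)
TLS_ASSERTION = EstablishContext(None, IdentityToken("carol"), transport_identity="gateway")

if __name__ == "__main__":
    for name, msg in [("direct", DIRECT_CLIENT), ("trusted", TRUSTED_ASSERTION),
                      ("untrusted", UNTRUSTED_ASSERTION), ("badpw", BAD_PASSWORD),
                      ("tls", TLS_ASSERTION)]:
        print(name, establish_identity(msg, POLICY))
```

The `untrusted` case is the one a target must get right: a client that is itself authenticated but not in the trusted-asserter set is refused when it tries to assert another identity, so the impersonation mechanism stays limited to configured intermediaries.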