WS-Federation 1.1 Overview
OASIS WSFED TC inaugural meeting
June 6-7, 2007
Agenda
1. Introduction
2. WS-Trust extensions for federations
3. STS service model extensibility
4. Federation metadata
5. Federated sign-out and Web requestors
6. Summary
Agenda Part 1: Introduction
• Vision and Goals
• Basic Terminology and Components
• Sample Federation Scenarios
Vision: Extend WS-Trust
• Flexible identity federation architecture
– Clean separation between trust mechanisms, security token formats, and token protocol
– Infrastructure supports browser & SOAP requestors
• Simplified configuration
– Federation metadata to fill gaps in policy
– Federation partners can automate configuration
• Reusable token service model
– Common claims interface for attributes, pseudonyms & authorization data
Promise: Finish the Roadmap
• Federation vision declared 5 years ago
• Web Services security stack roadmap
– Set of composable specifications to enable a broad range of secure Web Services solutions
– All specifications to be ratified by industry through an open standards process
• WS-Federation completes the promise to finish the roadmap
Goals and Requirements
• Promote identity federation
– Enhance WS-Trust STS support for distributed authentication and authorization across realm boundaries
– Make identity mapping optional (for privacy or personalization)
– Enable different levels of privacy for different types of personally identifying information
• Reduce operational friction in federations
– Support mix & match of trust topologies and token types
– Enable automated configuration using Federation Metadata
– Allow a single infrastructure to serve both SOAP and Web requestors
• Reuse the WS-Trust STS model
– Offer a common interface for a broad range of federation services
– Allow identity, authentication, and authorization data to be shared as claims without requiring a specific token type
Basic Terminology
• Requestor – A programmatic agent for obtaining information or service
• Subject – The entity on whose behalf a Requestor operates
• Claims – Statements made about a Subject
• Security Token – A data structure for expressing collections of claims
• Security Token Service (STS) – A Web service that provides issuance and management of security tokens
• Identity Provider (IP) – An entity, typically a trusted third-party authority, that provides claims about a set of Subjects
• IP/STS – STS operated by an IP to issue claims using tokens
• Relying Party (RP) – An entity that provides information or services to Requestors based on claims they present
• Target Service – A Web service (or application) operated by an RP
• RP/STS – STS operated by an RP to issue claims using tokens
Basic Components (figure)
Identity Provider Realm: IP/STS. Relying Party Realm: RP/STS and Target Service. A trust relation links the IP/STS and the RP/STS. Security tokens T1 and T2, each carrying claims, flow between the Requestor, the IP/STS, the RP/STS and the Target Service.
Federation Scenarios
• The following are sample federation scenarios depicting trust topologies and claims flow
• They are not comprehensive or prioritized
• There are other valid scenarios
Federation Scenarios (figures)
• Direct Trust & Token Push: IP/STS, RP/STS, Target Service, Requestor
• Direct Trust & Token Pull: IP/STS, RP/STS, Target Service, Requestor
• Indirect Trust: two IP/STSs, RP/STS, Target Service, Requestor
• Multiple Tokens with Direct Trust: two IP/STSs, Target Service, Requestor
• Delegation with Indirect Trust: IP/STS, RP/STS 1 and Target Service 1, RP/STS 2 and Target Service 2, Requestor
• Delegation with Direct Trust: IP/STS, RP/STS 1 and Target Service 1, RP/STS 2 and Target Service 2, Requestor
Agenda Part 2: WS-Trust Extensions for Federations
• Token and Protocol Extensions
– Reference tokens
– Identifying Federations
– Validation & Proof Tokens
– Client-Based Pseudonyms
– Token Freshness
• Privacy
WS-Trust Extensions: Indicating Federations
• STSs that participate in multiple federations need a way to distinguish the federation to which a request applies
– Could use different endpoints
– Can provide a parameter to the RST using a new extension
WS-Trust Extensions: Reference Tokens
• Indicates where to obtain actual tokens
• Can be used with WS-Security
• Assertion for use with WS-SecurityPolicy
• Allows multiple locations for the token
• Allows verification information about the token
WS-Trust Extensions: Proof Tokens from Validation
• Often trust between federated partners is actually between the corresponding STSs
• Target Services don’t know the key-transfer-key
• Extension formalizes how Target Services get the session key from their STS
WS-Trust Extensions: Proof Tokens from Validation (figure)
Requestor “A” requests a token for “B” from the IP/STS. The session key SK travels encrypted to the key-transfer key ({SK}PUB) together with the request protected under SK ({Request}SK); the Target Service hands {SK}PUB to its RP/STS, receives SK back, and answers with {Response}SK.
WS-Trust Extensions: Freshness Requirement
• RP may have policy indicating that an STS should only accept credentials of a specific age when issuing tokens for the RP
• Extension can specify this limit in the RST, and whether cached credentials can be used
WS-Trust Extensions: Authentication Types
• RP may have policy that an STS should only accept credentials of specific authentication types when issuing tokens for the RP
• WS-Trust provides a mechanism, but no defined values
• Extension defines several commonly used values
Privacy
• WS-Federation addresses three specific areas of concern for privacy in federated scenarios:
1) Confidential tokens
2) Parameter confirmation
3) Obtaining privacy statements
Privacy: Confidential Tokens
• WS-Trust does not define specific rules for mandating claim confidentiality
• WS-Federation defines a parameter to the RST that indicates which claims are requested to be protected
• Any claim dialect can be used
Privacy: Parameter Confirmation
• WS-Trust does not require that RST parameters be honored or that the selected values be returned in the RSTR
• These extensions (when used) require the STS to:
– Include in the RSTR the values used for specified parameters
– Fault if a parameter in the RST is not used
– Return the claims put in the issued token
Privacy: Obtaining Privacy Statements
• The specification does not define the contents, only the mechanism
– How to use WS-Transfer
– How to use WS-MetadataExchange
– How to use HTTP
Agenda Part 3: STS Service Model Extensions
• Extended Token Service Model
• Attribute Service
• Authorization Service
• Pseudonym Service
Extended Token Service Model (figure)
Components: Client with Identity Selector; Identity STS and Federation STS with Claim Stores, spanning the Identity Provider Realm and the Relying Party Realm; Application / Web Service; Pseudonym Service (Pseudonym Token Service), Attribute Service (Attribute Token Service) and Authorization Service (Authorization Token Service), each with a Claim Store; Agent. Numbered exchanges: (1) WS-MetadataExchange / WS-SecurityPolicy; (2) WS-MEX / WS-SecurityPolicy; (3) WS-MEX / WS-SecurityPolicy; (4) WS-Trust / WS-Federation; (5) WS-Trust / WS-Federation; (6) WS-Security / Application Request; (7) WS-Trust “OnBehalfOf”; (8) WS-Security / Application Response.
Attribute Service: STS as Attribute Service
• An IP/STS or RP/STS can function as an Attribute Service
– Attributes are claims
– Tokens carry claims
– STS can provide a normalized interface to any repository
• Attributes obtained based on policy or explicit request
– Inline claim transformation
– Explicit claim transformation
Attribute Service: Inline Claim Transformation
• WS-SecurityPolicy
– Target Service policy: RP/STS as issuer with Application claim types
– RP/STS policy: IP/STS as issuer with Federation claim types
• Requestor automatically delivers the correct claims
– IP/STS issues token with Federation claim types
– RP/STS issues token with Application claim types
Attribute Service: Inline Claim Transformation (figure): IP/STS, RP/STS, Target Service, Requestor
Attribute Service: Explicit Claim Transformation
• Attribute service interfaces
– RST Issue to Target Service policy
– RST Issue to Target Service OnBehalfOf user
• Simplifies application programming
– Target Service gets claims without:
• Writing LDAP, SQL or special repository code
• Mapping from repository schema and namespace
• Maintaining credentials for repositories
• Being authorized for direct access to repositories
Attribute Service: Explicit Claim Transformation (figure): IP/STS, RP/STS, Target Service, Requestor, two Attribute Services
Pseudonym Service
• Pseudonyms are different “personas” of an identity
• Pseudonym Service
– Performs mapping between personas
– Logically just a special type of Attribute Service
– Can be invoked by client, IP, or RP
• Supports different usages of personas
– Global, Pairwise, Random, …
Pseudonym Service: Pseudonym Management Operations
• Operations
– Create pseudonyms for target
– Get pseudonyms matching filter
– Update pseudonyms for target
– Delete pseudonyms for target
• Filters
– Specify subset of pseudonyms for operations
– Pass filters in WS-ResourceTransfer
– Pass filters in EPR reference properties
Pseudonym Service: RST Extensions for Pseudonym Retrieval
• Pseudonym service often part of STS
• Request pseudonyms
– fed:RequestPseudonym/@Lookup
– fed:RequestPseudonym/@SingleUse
Pseudonym Service (figures)
• RP-managed Pseudonym (Identity Mapping): IP/STS, RP/STS, Pseudonyms store (Create/Get), Target Service, Requestor
• Pre-registered Pseudonym for RP: IP/STS, RP/STS, Pseudonyms store (Create), Target Service, Requestor
• Random, Single-use Pseudonyms: IP/STS, RP/STS, Pseudonyms store, Target Service, Requestor; the RST carries fed:RequestPseudonym/@SingleUse
Pseudonym Service: RST Extensions for Client-Based Pseudonyms
• Clients can specify PII to use as basis for pseudonyms
• Clients can specify PII to include in token
– ID
– Display Name
– …
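The pseudonym service described on the preceding slides, as an added example that is not part of the deck or the specification: it derives global and pairwise personas with a keyed hash, mints random single-use ones for fed:RequestPseudonym/@SingleUse, and exposes the Create/Get/Update/Delete operations narrowed by a filter. The HMAC derivation, the field names, the resolve operation and the "*" marker for a global target are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Pseudonym:
    subject: str              # primary identity known to the IP
    target: str               # RP the persona is issued for; "*" marks a global persona (assumed)
    value: str                # the persona the RP sees
    single_use: bool = False  # fed:RequestPseudonym/@SingleUse
    consumed: bool = False


@dataclass
class PseudonymService:
    mapping_key: bytes                        # service-held secret (constructed, never shared with RPs)
    store: List[Pseudonym] = field(default_factory=list)

    def _derive(self, subject: str, target: str) -> str:
        # Global ("*") and pairwise personas are a keyed hash of (subject, target):
        # stable for the same pair, but without the key no RP can recompute it or
        # correlate the personas one subject shows to two different RPs.
        msg = f"{subject}\x00{target}".encode()
        return hmac.new(self.mapping_key, msg, hashlib.sha256).hexdigest()[:32]

    # Management operations from the "Pseudonym Management Operations" slide.
    def create(self, subject: str, target: str = "*", single_use: bool = False) -> Pseudonym:
        # A random, single-use persona is never derived, so two requests are unlinkable.
        value = secrets.token_hex(16) if single_use else self._derive(subject, target)
        p = Pseudonym(subject, target, value, single_use)
        self.store.append(p)
        return p

    def get(self, **filt) -> List[Pseudonym]:
        # Filter: keep the pseudonyms whose fields equal every supplied key/value.
        return [p for p in self.store if all(getattr(p, k) == v for k, v in filt.items())]

    def update(self, subject: str, target: str, new_value: str) -> int:
        hits = self.get(subject=subject, target=target, single_use=False)
        for p in hits:
            p.value = new_value
        return len(hits)

    def delete(self, **filt) -> int:
        hits = self.get(**filt)
        self.store = [p for p in self.store if not any(p is h for h in hits)]
        return len(hits)

    # RST extension: @Lookup returns the existing persona for (subject, target),
    # @SingleUse mints a fresh random one.
    def request_pseudonym(self, subject: str, target: str, single_use: bool = False) -> str:
        if single_use:
            return self.create(subject, target, single_use=True).value
        existing = self.get(subject=subject, target=target, single_use=False)
        return existing[0].value if existing else self.create(subject, target).value

    def resolve(self, target: str, value: str) -> Optional[str]:
        # Reverse mapping (identity mapping at the IP or RP): a single-use
        # persona resolves exactly once and is then consumed.
        for p in self.store:
            if p.target == target and p.value == value and not p.consumed:
                if p.single_use:
                    p.consumed = True
                return p.subject
        return None
```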
Authorization Service
• An Authorization Service may be implemented as a dedicated STS
– Configured with detailed knowledge of the access policy requirements of Target Services
• WS-Federation defines the following to facilitate federated authorization
– A common processing model & requirements
– An authorization context
– A common claim dialect
– Associated policy assertions
Authorization Service: Processing Model
• Logical Requirements Table:
– EPR for the target service
– Reference properties from the target service EPR
– Parameters of the RST
– External access control policies
• Logical Claim Table:
– Proven claims bound to RST
– Supplemental context information
– External authorization policies
Authorization Service: STS Processing Requirements
• Must accept AppliesTo
• Must specify AppliesTo in RSTR
• Should encode AppliesTo in issued tokens
– AppliesTo in token may be broader than requested
• Must accept reference properties
• Must accept common claim dialect
• Must accept additional context
• May ignore context items it doesn’t recognize
Authorization: Authorization Context
• A set of <ContextItem> elements, each has:
– URI name of the item
– Optional URI scope of the item
• E.g. Requestor, Target, Action, …
– Optional string value
Authorization: Common Claim Dialect
• A syntax for constructing/parsing claims
– Does not specify claim semantics or namespace
• A set of <ClaimType> elements, each has:
– URI indicating type of claim
– Mandatory/optional flag
– Optional string value
Authorization: Policy Assertions
• RequiresGenericClaimDialect
• AdditionalContextProcessed
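An added example (not the deck's or the specification's code) of the authorization processing model, the STS processing requirements, the authorization context and the common claim dialect from the slides above: a dedicated STS looks up the Logical Requirements Table for the requested AppliesTo, checks the proven claims and additional context against it, ignores context items it does not recognize, and returns an RSTR whose AppliesTo may be broader than requested. All URIs, the policy shape and the urn:example names are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ClaimType:
    """Common claim dialect entry: URI type, mandatory/optional flag, optional value."""
    uri: str
    optional: bool = False
    value: Optional[str] = None


@dataclass(frozen=True)
class ContextItem:
    """Authorization context entry: URI name, optional URI scope, optional value."""
    name: str
    scope: Optional[str] = None
    value: Optional[str] = None


@dataclass
class TargetPolicy:
    """One row of the Logical Requirements Table (assumed shape)."""
    applies_to_scope: str        # EPR prefix the policy covers; may be broader than one request
    required: List[ClaimType]    # claims the requestor must have proven
    allowed_actions: List[str]   # external access control policy


@dataclass
class RST:
    applies_to: str
    proven_claims: Dict[str, str]                          # claims bound to the RST by the token
    context: List[ContextItem] = field(default_factory=list)
    reference_properties: Dict[str, str] = field(default_factory=dict)


@dataclass
class RSTR:
    applies_to: str                 # MUST be returned; here the policy scope, so possibly broader
    issued: List[ClaimType]         # authorization claims in the common dialect
    context_processed: List[str]    # context item names understood; the rest were ignored


ACTION_SCOPE = "urn:example:scope:Action"             # assumed scope URI for "Action"
PERMISSION_CLAIM = "urn:example:claims:permission"    # assumed issued claim type


class AuthorizationSTS:
    """Dedicated STS configured with the access policy requirements of its Target Services."""

    def __init__(self, policies: List[TargetPolicy]):
        self.policies = policies

    def _lookup(self, applies_to: str) -> Optional[TargetPolicy]:
        # Longest matching scope wins, so a narrow policy overrides a broad one.
        matches = [p for p in self.policies if applies_to.startswith(p.applies_to_scope)]
        return max(matches, key=lambda p: len(p.applies_to_scope), default=None)

    def issue(self, rst: RST) -> Optional[RSTR]:
        policy = self._lookup(rst.applies_to)
        if policy is None:
            return None                      # no requirements known for this target: deny

        # Logical Claim Table check: every mandatory claim type must be proven,
        # and a claim with a fixed value in the policy must match exactly.
        for req in policy.required:
            have = rst.proven_claims.get(req.uri)
            if have is None:
                if not req.optional:
                    return None
                continue
            if req.value is not None and have != req.value:
                return None

        # Additional context: items in a scope we know are used, the rest ignored.
        processed, actions = [], []
        for item in rst.context:
            if item.scope == ACTION_SCOPE and item.value:
                processed.append(item.name)
                actions.append(item.value)
        if any(a not in policy.allowed_actions for a in actions):
            return None
        if not actions:
            actions = list(policy.allowed_actions)   # nothing requested: grant what policy allows

        issued = [ClaimType(PERMISSION_CLAIM, value=a) for a in actions]
        return RSTR(applies_to=policy.applies_to_scope, issued=issued, context_processed=processed)
```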
Agenda Part 4
Federation Metadata
• Metadata documents
• Metadata statements
• Obtaining metadata documents
Service-specific Metadata
• Dynamic request retry
Federation Metadata: Metadata Documents
    <fed:FederationMetadata xmlns:fed="..." ...>
      <fed:Federation [FederationID="..."] ...>
        <mex:MetadataReference>
        </mex:MetadataReference>
      </fed:Federation>
      <fed:Federation [FederationID="..."] ...>
        [Federation Metadata Statements]
      </fed:Federation>
      [Signature]
    </fed:FederationMetadata>
Metadata: Simple Metadata Document (figure)
Metadata: Compound Metadata Document (figure)
Federation Metadata: Metadata Statements
• TokenSigningKeyInfo
– The key/token used to sign issued tokens
• TokenKeyTransferKeyInfo
– The key/token to use when transferring keys/secrets
• IssuersNamesOffered
– List of logical names with which an STS is associated
• TokenIssuerName
– Logical name of the associated STS
• TokenIssuerEndpoint
– Endpoint of the associated STS
• PseudonymServiceEndpoint
– Endpoint of the associated pseudonym service
Federation Metadata: Metadata Statements
• AttributeServiceEndpoint
– Endpoint of the associated attribute service
• SingleSignOutSubscriptionEndpoint
– Endpoint to which sign-out notification subscription requests are sent
• SingleSignOutNotificationEndpoint
– Endpoint to which manual sign-out messages should be sent
• TokenTypesOffered
– List of token types an STS can issue
• UriNamedClaimTypesOffered
– List of claim types an STS can issue, with display name and description
• AutomaticPseudonyms
– STS automatically applies pseudonyms
Federation Metadata: Obtaining Metadata Documents
• Several ways to obtain metadata documents
– HTTP/S GET from well-known URLs
– DNS SRV records
– WS-Transfer/WS-ResourceTransfer
– WSDL embedding
– WS-MetadataExchange
• Secure request methods are preferred
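An added example (not the deck's or the specification's code) that reads a compound fed:FederationMetadata document of the shape shown on the "Metadata Documents" slide, extracts the statements listed on the "Metadata Statements" slides, and refuses an unsigned document that did not arrive over a secure channel. The fed/mex/wsa namespace URIs, the wsa:Address child of endpoint statements, the fed:TokenType/@Uri and fed:ClaimType/@Uri shapes and the acceptance rule are assumptions; ds is the XML-DSig namespace.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Namespace URIs: ds is the real XML-DSig namespace; fed, mex and wsa are
# placeholders, because the slides do not give the 1.1 namespace URIs.
NS = {
    "fed": "urn:example:placeholder:federation",
    "mex": "urn:example:placeholder:metadataexchange",
    "wsa": "urn:example:placeholder:addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Statements from the "Metadata Statements" slides whose content is a single endpoint.
ENDPOINT_STATEMENTS = ("TokenIssuerEndpoint", "PseudonymServiceEndpoint", "AttributeServiceEndpoint",
                       "SingleSignOutSubscriptionEndpoint", "SingleSignOutNotificationEndpoint")

# Constructed compound document: the first fed:Federation only references another
# document (mex:MetadataReference), the second carries its statements inline.
DOCUMENT_TEMPLATE = """<fed:FederationMetadata xmlns:fed="{fed}" xmlns:mex="{mex}" xmlns:wsa="{wsa}" xmlns:ds="{ds}">
  <fed:Federation FederationID="urn:example:fed:partners">
    <mex:MetadataReference><wsa:Address>https://partner.example/fedmetadata</wsa:Address></mex:MetadataReference>
  </fed:Federation>
  <fed:Federation FederationID="urn:example:fed:home">
    <fed:TokenIssuerName>urn:example:idp-sts</fed:TokenIssuerName>
    <fed:TokenIssuerEndpoint><wsa:Address>https://idp.example/sts</wsa:Address></fed:TokenIssuerEndpoint>
    <fed:PseudonymServiceEndpoint><wsa:Address>https://idp.example/pseudonyms</wsa:Address></fed:PseudonymServiceEndpoint>
    <fed:TokenTypesOffered>
      <fed:TokenType Uri="urn:example:tokentype:saml1.1"/>
      <fed:TokenType Uri="urn:example:tokentype:saml2.0"/>
    </fed:TokenTypesOffered>
    <fed:UriNamedClaimTypesOffered>
      <fed:ClaimType Uri="urn:example:claims:email"><fed:DisplayName>E-mail</fed:DisplayName></fed:ClaimType>
    </fed:UriNamedClaimTypesOffered>
    <fed:AutomaticPseudonyms>true</fed:AutomaticPseudonyms>
    <fed:TokenSigningKeyInfo><ds:KeyInfo><ds:KeyName>idp-signing-2007</ds:KeyName></ds:KeyInfo></fed:TokenSigningKeyInfo>
  </fed:Federation>
  {signature}
</fed:FederationMetadata>"""
SIGNATURE = "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
SIGNED_DOCUMENT = DOCUMENT_TEMPLATE.format(signature=SIGNATURE, **NS)
UNSIGNED_DOCUMENT = DOCUMENT_TEMPLATE.format(signature="", **NS)


@dataclass
class FederationEntry:
    federation_id: Optional[str]
    references: List[str] = field(default_factory=list)      # mex:MetadataReference addresses
    issuer_name: Optional[str] = None                        # TokenIssuerName
    endpoints: Dict[str, str] = field(default_factory=dict)  # statement name -> address
    token_types: List[str] = field(default_factory=list)     # TokenTypesOffered
    claim_types: List[str] = field(default_factory=list)     # UriNamedClaimTypesOffered
    automatic_pseudonyms: bool = False
    signing_key_names: List[str] = field(default_factory=list)  # TokenSigningKeyInfo key names


@dataclass
class FederationMetadata:
    federations: List[FederationEntry]
    signed: bool    # a ds:Signature element is present (verification is out of scope here)


def _text(elem: ET.Element, path: str) -> Optional[str]:
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def parse_federation_metadata(xml_text: str) -> FederationMetadata:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['fed']}}}FederationMetadata":
        raise ValueError("not a fed:FederationMetadata document")
    entries = []
    for fed in root.findall("fed:Federation", NS):
        e = FederationEntry(fed.get("FederationID"))
        for ref in fed.findall("mex:MetadataReference", NS):   # compound document: pointer only
            addr = _text(ref, "wsa:Address")
            if addr:
                e.references.append(addr)
        e.issuer_name = _text(fed, "fed:TokenIssuerName")
        for name in ENDPOINT_STATEMENTS:
            addr = _text(fed, f"fed:{name}/wsa:Address")
            if addr:
                e.endpoints[name] = addr
        e.token_types = [t.get("Uri") for t in fed.findall("fed:TokenTypesOffered/fed:TokenType", NS)]
        e.claim_types = [c.get("Uri") for c in fed.findall("fed:UriNamedClaimTypesOffered/fed:ClaimType", NS)]
        e.automatic_pseudonyms = (_text(fed, "fed:AutomaticPseudonyms") or "").lower() == "true"
        e.signing_key_names = [k.text for k in fed.findall("fed:TokenSigningKeyInfo/ds:KeyInfo/ds:KeyName", NS)
                               if k.text]
        entries.append(e)
    return FederationMetadata(entries, root.find("ds:Signature", NS) is not None)


def load_metadata(xml_text: str, source: str) -> FederationMetadata:
    # Local acceptance rule (an assumption, not the specification): metadata that
    # was not retrieved over https must at least carry a signature, because an
    # unsigned document from an unauthenticated channel can redirect the STS,
    # pseudonym or attribute endpoints of a whole federation.
    md = parse_federation_metadata(xml_text)
    if urlparse(source).scheme != "https" and not md.signed:
        raise ValueError(f"unsigned metadata from insecure source {source}")
    return md
```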
Federation Metadata: Metadata Embedded in Target Service EPR (figure): Requestor and Target Service (both labelled “A”); the Target Service Endpoint Reference carries the metadata
Federation Metadata: Metadata Service Publishes Target Service Metadata (figure): Requestor, Target Service and Metadata Service (labelled “A” and “B”); the Metadata Service Endpoint Reference leads to the published metadata
Service-specific Metadata: Dynamic Request Retry
• Not all policy/metadata can be expressed statically
• WS-Federation introduces a SOAP Fault to indicate policy/metadata specific to a request
• This Fault formalizes returning WS-MetadataExchange structures
• IssuesSpecificMetadataFault assertion allows indication of support in policy
Service-specific Metadata: MetadataExchange structures in SOAP Fault (figure): IP/STS, Target Service, Requestor
Agenda Part 5
Federated Sign-Out
• Sign-Out concepts
• Federated sign-out
Web Requestors
• General model
• HTTP binding
• Message flows
• Request & result references
• Home realm discovery
• Interoperability baseline
![Page 59: WS-Federation 1.1 Overview - OASIS · Federation metadata 5. Federated sign-out and Web requestors 6. Summary Agenda 3 Introduction •Vision and Goals •Basic Terminology and Components](https://reader033.vdocument.in/reader033/viewer/2022052802/5f1c3e93459f8a53e925fcbf/html5/thumbnails/59.jpg)
59
Sign-out: Concepts
• Sign-in establishes an identity used to obtain credentials for a set of target sites
• Sign-out terminates the use of the identity and the associated target site credentials (and optionally cached state)
• The sign-out process is optional since credentials have limited lifetimes; a target site that never receives the sign-out keeps honouring its credential until it expires, so the lifetime bounds that window
• Sign-out is different from cancelling a single token (the WS-Trust Cancel binding) since it applies to all tokens obtained for the target sites
60
Federated Sign-out: Mechanisms
• Initial Sign-out message
  – Sent by Requestor
  – Sent to IP/STS or RP
• Federated Sign-out messages
  – RP forwards to IP/STS if necessary
  – a) IP/STS sends explicit messages to all RPs where the credentials apply
  – b) IP/STS publishes a sign-out notification
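Both fan-out mechanisms from this slide, as an added example in Python (not code from the slides or from any WS-Federation implementation). The per-session registry of which RP realms received tokens, the realm names and the notification channel are constructed for illustration; mechanism (a) is the explicit per-RP sign-out message, mechanism (b) the published notification.

```python
"""Federated sign-out fan-out.  Added example; not code from the slides or
from any WS-Federation implementation.  The session registry, realm names
and notification channel are constructed for illustration."""
import time


class IdentityProviderSTS:
    """IP/STS side: remembers which RP realms received tokens under each
    signed-in session, so a later sign-out can reach all of them."""

    def __init__(self, now=time.time):
        self.now = now
        self.sessions = {}    # federated session id -> {rp realm: token expiry (epoch s)}
        self.sent = []        # (a) explicit sign-out messages, one per affected RP
        self.published = []   # (b) sign-out notifications RPs may subscribe to or poll

    def issue_token(self, session_id, rp_realm, lifetime_s):
        """Record that a token scoped to rp_realm was issued for this session."""
        self.sessions.setdefault(session_id, {})[rp_realm] = self.now() + lifetime_s

    def sign_out(self, session_id, forwarded_by=None):
        """Terminate a session.  The initial sign-out came straight from the
        requestor (forwarded_by=None) or was forwarded by the RP it was sent
        to.  Returns the realms that were sent an explicit sign-out message."""
        tokens = self.sessions.pop(session_id, {})
        targets = []
        for realm, expiry in tokens.items():
            if expiry <= self.now():
                continue   # already expired: that RP has nothing left to clean up
            if realm == forwarded_by:
                continue   # design choice: the forwarding RP already ended its own session
            targets.append(realm)
            self.sent.append({"action": "signout", "realm": realm, "session": session_id})
        self.published.append({"session": session_id, "realms": sorted(targets)})
        return sorted(targets)


class RelyingParty:
    """RP side: drops every local session bound to the federated session named
    in a sign-out message addressed to this realm."""

    def __init__(self, realm):
        self.realm = realm
        self.local_sessions = {}   # local session id -> federated session id

    def handle_signout(self, msg):
        """Return how many local sessions were terminated by this message."""
        # A message for another realm is ignored.  In deployment the message
        # must also be authenticated (signed by the IP/STS); otherwise anyone
        # who can guess a session id can log users out.
        if msg.get("action") != "signout" or msg.get("realm") != self.realm:
            return 0
        victims = [s for s, fed in self.local_sessions.items() if fed == msg["session"]]
        for s in victims:
            del self.local_sessions[s]
        return len(victims)
```

The expiry check is what makes the slide's "optional because credentials have limited lifetimes" concrete: an RP whose token already ran out is not contacted, and an RP that misses the message still stops honouring the token once it expires.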
61
Web Requestors
• WS-Federation defines a serialization for use with Web browsers
  – Functionally equivalent to the SOAP bindings
  – Optimizations for Web browser usage
• Supports push and pull models
• Supports GET and POST
• Basic home realm discovery
• Defines a base functionality set
62
Web Requestors: Drilldown
• Mappings defined from the browser parameters to RST parameters
• A “ctx” parameter is defined to save context between parties
• Parameters allow pointers (URLs) to RST and RSTR values, allowing them to be pulled rather than pushed
63
SOAP Requestor Msg Flow: WS-SecurityPolicy drives request routing
Participants: SOAP Requestor, IP/STS, Target Service, RP/STS
1. Fetch service policy
2. Fetch SP policy
3. Fetch IP policy
4. Request token (from IP/STS)
5. Return token
6. Request token (from RP/STS)
7. Return token
8. Send secured request
9. Return secured response
64
Web Requestor Msg Flow
Participants: Browser Requestor, IP/STS (fs-a), Target Server, RP/STS (fs-r)
1. Browser: GET appURL
2. Target Server: 302 fs-rURL?wa=…&wreply=AppURL&wctx=appURL
3. RP/STS: Detect user’s home realm
4. RP/STS: 302 fs-aURL?wa=...&wtrealm=fs-rURI&wctx=AppURL/appURL
5. IP/STS: Authenticate User
6. IP/STS: 200 <FORM ACTION=fs-rURL METHOD=POST <INPUT…NAME=wresult VALUE=[fs-a token]>…>
7. RP/STS: 200 <FORM ACTION=AppURL METHOD=POST <INPUT…NAME=wresult VALUE=[fs-r token]>…>
8. Target Server: 302 appURL [HttpResponseHeader=SetCookie]
65
Web Requestors: Home Realm Discovery
• Different choices
  – Fixed
  – Based on Requestor IP
  – Passed in
  – Prompt
  – Discovery service
    • Redirection through service
    • Allows for a service-specific discovery process
    • Result returned in a separate parameter
  – Shared cookie (not covered)
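The relying-party side of the Web requestor flow (the parameter drilldown, the message flow and the home realm discovery choices above), as an added example in Python; it is not code from the slides or from any WS-Federation product. The parameters wa, wtrealm, wreply, wctx, wresult and whr and the action value wsignin1.0 are WS-Federation's own; the realm and URL values, the in-memory session dict, the allow-list behind the "passed in" discovery choice, the WS-Trust namespace and the RSTR shape produced by make_wresult (an unsigned ex:Token standing in for a real signed token) are assumptions.

```python
"""Passive (Web requestor) sign-in at a relying party: home realm discovery,
the sign-in redirect, binding wctx to the browser session, and checking the
wresult that comes back.  Added example; not code from the slides or any
WS-Federation product.  Realm/URL values, the session dict, the whr
allow-list, the WS-Trust namespace and the ex:Token shape are assumed."""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

RP_REALM = "https://app.example.org/"                # this RP's wtrealm (assumed)
KNOWN_HOME_REALMS = {                                # allow-list for whr (assumed)
    "urn:federation:partner-a": "https://sts.partner-a.example/passive",
    "urn:federation:partner-b": "https://sts.partner-b.example/passive",
}
DEFAULT_HOME_REALM = "urn:federation:partner-a"      # the "fixed" discovery choice
TOKEN_NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",   # WS-Trust 1.3 (assumed)
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ex": "urn:example:token",                                   # hypothetical token element
}


def choose_home_realm(whr=None):
    """Home realm discovery: honour a passed-in whr only if it names a partner
    we federate with, else use the fixed default.  An unvalidated whr would
    let an attacker steer the browser to an STS of their choosing."""
    if whr is None:
        return DEFAULT_HOME_REALM
    if whr not in KNOWN_HOME_REALMS:
        raise ValueError("unknown home realm: %r" % whr)
    return whr


def build_signin_redirect(session, home_realm, app_url):
    """Return the 302 Location for the IP/STS.  wctx is a fresh random value
    kept in the session so the returning POST can be tied to this browser;
    the page to return to is stored server-side rather than trusted from wctx."""
    if not app_url.startswith(RP_REALM):
        raise ValueError("wreply must stay inside our own realm")   # no open redirect
    session["wctx"] = secrets.token_urlsafe(16)
    session["return_to"] = app_url
    params = {"wa": "wsignin1.0", "wtrealm": RP_REALM,
              "wreply": app_url, "wctx": session["wctx"]}
    return KNOWN_HOME_REALMS[home_realm] + "?" + urlencode(params)


def parse_redirect(location):
    """Split a sign-in redirect into its query parameters (the STS-side view)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}


def make_wresult(audience, subject, expires):
    """Constructed stand-in for the RSTR an STS POSTs back in wresult."""
    return (
        '<wst:RequestSecurityTokenResponse xmlns:wst="%(wst)s" xmlns:wsp="%(wsp)s" '
        'xmlns:wsa="%(wsa)s" xmlns:ex="%(ex)s">'
        '<wsp:AppliesTo><wsa:EndpointReference><wsa:Address>%(aud)s</wsa:Address>'
        '</wsa:EndpointReference></wsp:AppliesTo>'
        '<wst:RequestedSecurityToken><ex:Token subject="%(sub)s" expires="%(exp)s"/>'
        '</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>'
    ) % dict(TOKEN_NS, aud=audience, sub=subject, exp=expires)


def parse_wresult(wresult_xml):
    """Pull audience, subject and expiry out of the posted RSTR."""
    rstr = ET.fromstring(wresult_xml)
    tok = rstr.find("wst:RequestedSecurityToken/ex:Token", TOKEN_NS)
    if tok is None:
        raise ValueError("no token in wresult")
    return {"audience": rstr.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address",
                                      namespaces=TOKEN_NS),
            "subject": tok.get("subject"),
            "expires": float(tok.get("expires"))}


def complete_signin(session, form, now=time.time):
    """Handle the POST to wreply: wctx must match this session, the token must
    be for our realm and unexpired.  Returns the URL to send the user on to.
    Signature verification, mandatory in practice, is omitted here because
    the constructed token is unsigned."""
    if form.get("wa") != "wsignin1.0":
        raise ValueError("unexpected wa")
    if not session.get("wctx") or form.get("wctx") != session["wctx"]:
        raise ValueError("wctx does not match this browser session")
    token = parse_wresult(form["wresult"])
    if token["audience"] != RP_REALM:
        raise ValueError("token issued for another realm: %r" % token["audience"])
    if token["expires"] <= now():
        raise ValueError("token expired")
    del session["wctx"]                 # one-shot: a replayed POST fails the check above
    session["user"] = token["subject"]
    return session.pop("return_to")
```

The slide's flow carries appURL inside wctx; this example instead makes wctx an opaque one-time value and keeps the return URL server-side, so the POST of wresult is accepted only by the browser session that started the sign-in and no URL that travelled through the STS is ever followed blindly. The same allow-list check applied to whr is what turns the "passed in" discovery choice from an open redirect into a safe option.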
66
Agenda Part 6
Summary
• Goals & Requirements recap
67
Goals and Requirements Recap
• Promote identity federation
  – Enhance WS-Trust STS support for distributed authentication and authorization across realm boundaries
  – Make identity mapping optional (for privacy or personalization)
  – Enable different levels of privacy for different types of personally identifying information
• WS-Federation coverage
  – Section 2. Federation Model
  – Section 8. Additional WS-Trust Extensions
  – Section 12. Privacy
68
Goals and Requirements Recap
• Reduce operational friction in federations
  – Support mix & match of trust topologies and token types
  – Enable automated configuration using Federation Metadata
  – Allow a single infrastructure to serve both SOAP and Web requestors
• WS-Federation coverage
  – Section 2. Federation Model
  – Section 3. Federation Metadata
  – Section 10. Indicating Specific Policy/Metadata
  – Section 4. Sign-Out
  – Section 13. Web (Passive) Requestors
69
Goals and Requirements Recap
• Reuse the WS-Trust STS model
  – Offer a common interface for a broad range of federation services
  – Allow identity, authentication, and authorization data to be shared as claims without requiring a specific token type
• WS-Federation coverage
  – Section 2. Federation Model
  – Section 5. Attribute Service
  – Section 6. Pseudonym Service
  – Section 7. Security Tokens and Pseudonyms
  – Section 9. Authorization