30 Part I: The Web Services Architecture
Security Policies
WS-SecurityPolicy [WS-SecurityPolicy] complements WS-Security by specifying security policy
assertions in a language conformant to WS-Policy. Its six assertions cover security tokens,
message integrity, message confidentiality, message visibility to SOAP intermediaries,
constraints on the security header, and the age of a message. For example, a policy might assert
that all messages must be signed with keys certified by a given authority, or that authentication
must be based on Kerberos tickets.
System Federations
Application security requires mechanisms beyond those presented so far. Identities, for example,
are valid within one trust domain but are most likely meaningless in another. Federation starts
with the notion of identity: the requestor, or the requestor's delegate, asserts an identity and an
Identity Provider verifies that assertion. For services in different trust domains to validate
each other's identities, additional mechanisms are needed. WS-Federation defines mechanisms for
sharing identity, account, attribute, authentication, and authorization information across trust
domains. Using them, multiple security domains federate by establishing and brokering trust in
identities, attributes, and authentication among the participating Web services. The
specification extends the WS-Trust model so that attributes and pseudonyms can be integrated into
the token issuance mechanism, yielding a multidomain identity-mapping mechanism. These mechanisms
support single sign-on, sign-out, and pseudonyms, and describe the role of specialized attribute
and pseudonym services.
In Figure 4-2, a requestor (1) obtains an identity security token from its identity provider and
then (2) presents and proves that token to the security token service (STS) that fronts the desired
resource. If the STS trusts the identity provider, the proof succeeds, and authorization is
approved, the STS returns an access token to the requestor as the second half of step (2). The
requestor (3) then presents and proves the access token on its requests to the Web service.
Figure 4-2 Roles of identity providers and security token services. WS-Federation allows a variety
of topologies, of which the one shown here is just one.
[Figure 4-2: boxes for Requestor, Identity Provider, Identity Provider/Security Token Service, and
Web Service with Resources; a Trust relationship between the identity provider and the security
token service; arrows labeled (1) obtain identity security token, (2) present/prove identity and
obtain access token, (3) present/prove access in messages.]
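The three-step exchange of Figure 4-2 can be made concrete in a small simulation. The following is an added example written for this page, not code from the book or from any WS-Federation implementation, and it deliberately simplifies the protocol: tokens are JSON bodies signed with HMAC-SHA256 rather than SAML or other XML-signed security tokens, the domain names (contoso-idp, fabrikam-sts), the user alice, the resource paths and all keys are constructed, and the WS-Trust request/response envelopes are omitted. What it does preserve is the structure the text describes: an identity provider that issues identity tokens, a security token service that accepts them only from providers it has a trust relationship with (the Trust arrow in the figure), maps the foreign identity to a local authorization decision and issues an access token in its own domain, and a Web service that accepts only access tokens from its own STS. The failure cases at the end show what federation must reject: a token from an untrusted identity provider, a request for a resource the identity is not authorized for, an identity token presented directly to the service, claims rewritten by the requestor, and an access token presented after it has aged past its expiry (the same freshness idea as the WS-SecurityPolicy message-age assertion above).

```python
import base64, hashlib, hmac, json

# Constructed keys. A real WS-Trust deployment uses X.509 key pairs and XML-signed
# (e.g. SAML) tokens; an HMAC over a JSON body stands in for that signature here.
IDP_KEY = b"contoso-idp-signing-key"   # IdP signs with it; the STS that trusts the IdP verifies with it
STS_KEY = b"fabrikam-sts-signing-key"  # STS signs with it; the Web service it fronts verifies with it

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key: bytes, issuer: str, claims: dict, lifetime_s: int, now: float) -> str:
    """Return base64(JSON body).base64(HMAC-SHA256 over exactly those body bytes)."""
    body = dict(claims, iss=issuer, iat=int(now), exp=int(now) + lifetime_s)
    body_bytes = json.dumps(body, sort_keys=True).encode()
    return f"{_b64(body_bytes)}.{_b64(hmac.new(key, body_bytes, hashlib.sha256).digest())}"

def verify_token(token: str, trusted_issuers: dict, now: float) -> dict:
    """Accept only if the issuer is trusted, its signature verifies, and the token has not expired."""
    try:
        body_b64, sig_b64 = token.split(".")
        body_bytes, sig = _unb64(body_b64), _unb64(sig_b64)
        body = json.loads(body_bytes)
    except ValueError as exc:  # bad split, bad base64 and bad JSON all derive from ValueError
        raise ValueError("malformed token") from exc
    key = trusted_issuers.get(body.get("iss"))
    if key is None:  # no trust relationship with whoever issued this token
        raise ValueError(f"untrusted issuer {body.get('iss')!r}")
    if not hmac.compare_digest(sig, hmac.new(key, body_bytes, hashlib.sha256).digest()):
        raise ValueError("bad signature")
    if now >= body["exp"]:
        raise ValueError("token expired")
    return body

class IdentityProvider:
    """Step (1): authenticates the requestor and issues an identity security token."""
    def __init__(self, name: str, key: bytes, accounts: dict):
        self.name, self.key, self.accounts = name, key, accounts
    def authenticate(self, user: str, password: str, now: float) -> str:
        if not hmac.compare_digest(self.accounts.get(user, ""), password):  # toy credential check
            raise PermissionError("authentication failed")
        return issue_token(self.key, self.name, {"sub": user, "type": "identity"}, 300, now)

class SecurityTokenService:
    """Step (2): validates an identity token from a trusted IdP, authorizes, issues an access token."""
    def __init__(self, name: str, key: bytes, trusted_idps: dict, acl: dict):
        self.name, self.key, self.trusted_idps, self.acl = name, key, trusted_idps, acl
    def exchange(self, identity_token: str, resource: str, now: float) -> str:
        ident = verify_token(identity_token, self.trusted_idps, now)
        if ident.get("type") != "identity":
            raise ValueError("expected an identity token")
        if resource not in self.acl.get(ident["sub"], ()):  # cross-domain identity -> local decision
            raise PermissionError(f"not authorized for {resource}")
        return issue_token(self.key, self.name,
                           {"sub": ident["sub"], "type": "access", "resource": resource}, 60, now)

class WebService:
    """Step (3): accepts only access tokens from its own STS, for the resource asked for."""
    def __init__(self, sts_name: str, sts_key: bytes):
        self.trusted = {sts_name: sts_key}
    def handle(self, access_token: str, resource: str, now: float) -> str:
        tok = verify_token(access_token, self.trusted, now)
        if tok.get("type") != "access" or tok.get("resource") != resource:
            raise PermissionError("token not valid for this resource")
        return f"{resource}: hello {tok['sub']}"

def _forge_subject(token: str, new_sub: str) -> str:
    """Attacker rewrites the claims but cannot re-sign them."""
    body_b64, sig_b64 = token.split(".")
    body = dict(json.loads(_unb64(body_b64)), sub=new_sub)
    return f"{_b64(json.dumps(body, sort_keys=True).encode())}.{sig_b64}"

def _outcome(fn):
    try:
        return fn()
    except (ValueError, PermissionError) as exc:
        return f"rejected: {exc}"

def run_flow(now: float = 1_700_000_000.0) -> dict:
    idp = IdentityProvider("contoso-idp", IDP_KEY, {"alice": "correct horse"})
    sts = SecurityTokenService("fabrikam-sts", STS_KEY, trusted_idps={"contoso-idp": IDP_KEY},
                               acl={"alice": {"/orders"}})   # trusted_idps is the Trust arrow
    svc = WebService("fabrikam-sts", STS_KEY)
    id_tok = idp.authenticate("alice", "correct horse", now)    # (1)
    acc_tok = sts.exchange(id_tok, "/orders", now)               # (2)
    rogue = IdentityProvider("rogue-idp", b"rogue-key", {"alice": "x"})  # an IdP nobody trusts
    return {
        "ok": svc.handle(acc_tok, "/orders", now),                                                # (3)
        "untrusted_idp": _outcome(lambda: sts.exchange(rogue.authenticate("alice", "x", now), "/orders", now)),
        "wrong_resource": _outcome(lambda: sts.exchange(id_tok, "/admin", now)),
        "identity_token_at_service": _outcome(lambda: svc.handle(id_tok, "/orders", now)),
        "forged_subject": _outcome(lambda: svc.handle(_forge_subject(acc_tok, "admin"), "/orders", now)),
        "expired": _outcome(lambda: svc.handle(acc_tok, "/orders", now + 61)),
    }
```

Calling run_flow() returns the greeting for the legitimate path and a "rejected: ..." string for each failure case. The point worth noticing is where each rejection happens: the STS, not the Web service, is the only party that needs to know which identity providers are trusted, and the Web service never sees an identity token at all. Trust is therefore brokered, exactly as the text describes, and adding a new partner domain means adding one entry to the STS's trusted-issuer table rather than touching every service behind it.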