Section 13.4. WS-Federation

The term federated identity has various meanings. To an individual user, it means the ability to associate his various application and system identities with one another. To an enterprise, federated identity provides a standardized means for directly providing services for trusted third-party users, or those that the business doesn't manage directly. An enterprise associates with others in a federation, such that the identities from one enterprise domain (or identity provider) are granted access to the services of the other enterprises (or service providers).

Federated Identity Management refers to the set of business agreements, technical agreements, and policies that enable companies to become partners. This lowers their overall identity management costs, improves the user experience, and mitigates security risks in Web services-based interactions.

WS-Federation builds on WS-Security and WS-Trust to define mechanisms for brokering and federating trust, identity, and claims. Federation is the overall term for a set of distinct, heterogeneous enterprises that want to provide an easy-to-use, single sign-on identity model to their users. Single sign-on means that after a user signs on with one member of the federation, he can interact with other members without reauthenticating. Enterprises can be corporate entities, Internet Service Providers (ISPs), or associations of individuals.

A federated environment differs from a traditional single sign-on environment in that there are no established rules limiting how enterprises transfer information about a user. However, there might be an established business policy for an enterprise's participation in the federation, much like there is today when companies decide to do business together.

WS-Federation describes how to use the existing Web services security building blocks to provide federation functionality, including trust, single sign-on (and single sign-off), and attribute management across a federation. WS-Federation is really a family of three documents: WS-Federation itself, WS-Federation Passive Client, and WS-Federation Active Client.

WS-Federation itself describes how to implement a federation in a Web services world. In particular, WS-Federation focuses on the relationships between parties, and the high-level architecture that supports these relationships. The two individual documents, WS-Federation Active and WS-Federation Passive, describe how to implement individual federation solutions.

WS-Federation Active describes how to implement federation functionality in the active client environment. Active clients are those that are Web services-enabled: they can issue Web service requests and react to a Web service's response. Building on the Web services security stack, WS-Fed Active describes how to deliver the benefits of a federation relationship, including single sign-on, to active clients.

WS-Federation Passive describes how to implement federation functionality in a passive client environment. A passive client is one that is not Web services-enabled; the most common passive client is a plain HTTP browser, which can only follow redirects and submit forms. WS-Fed Passive describes how to deliver the benefits of a federation relationship, such as single sign-on, to such a client. Because the passive profile rests on the same WS-Security and WS-Trust foundation, the components that implement a passive client solution can be reused for an active client solution as well.
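The passive (browser) sign-on flow described above, modelled end to end as an added example. This code is not from the book or from any WS-Federation implementation. The step order and the parameter names (wa=wsignin1.0, wtrealm, wreply, wctx, wresult) follow the WS-Federation Passive Requestor Profile rather than this page; the realm and identity-provider URLs are hypothetical, and the token is a JSON stand-in for the SAML assertion, signed with a shared HMAC key so the example runs offline. A real relying party verifies the issuer's XML signature against a configured certificate instead of an HMAC, but the checks that matter for security are the same: signature, trusted issuer, audience equal to the relying party's own realm, validity window, and a wctx value that matches the sign-in the relying party actually started.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values; the realm and IdP URLs are hypothetical.
RP_REALM = "https://rp.example.org/"              # the relying party (service provider)
IDP_SIGNIN_URL = "https://idp.example.com/wsfed/"  # the identity provider's sign-in endpoint
IDP_ISSUER = "https://idp.example.com/"
# Stand-in for the IdP's signing certificate: an HMAC key both sides know (demo only).
DEMO_SIGNING_KEY = b"demo-only-not-a-real-key"
TOKEN_LIFETIME = timedelta(minutes=10)


def build_signin_request(wctx, realm=RP_REALM, idp=IDP_SIGNIN_URL):
    """Step 1: the RP redirects the browser to the IdP.

    wa names the action, wtrealm identifies the requesting realm, wreply is
    where the IdP should post the result, and wctx is opaque state the RP
    uses to tie the response back to the browser session that started it.
    """
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": realm, "wctx": wctx}
    return f"{idp}?{urlencode(params)}"


def _sign(body):
    """Demo signature: HMAC-SHA256 over the encoded token (stands in for XML-DSig)."""
    return hmac.new(DEMO_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def idp_issue_response(request_url, subject, claims, now):
    """Step 2: after authenticating the user, the IdP builds the form fields
    that an auto-submitting HTML page posts back to wreply."""
    query = parse_qs(urlparse(request_url).query)
    if query.get("wa", [None])[0] != "wsignin1.0":
        raise ValueError("not a sign-in request")
    realm = query["wtrealm"][0]
    token = {
        "issuer": IDP_ISSUER,
        "audience": realm,          # the token is usable only at this RP
        "subject": subject,
        "claims": claims,           # attributes the federation agreed to share
        "nbf": now.isoformat(),
        "exp": (now + TOKEN_LIFETIME).isoformat(),
    }
    body = base64.urlsafe_b64encode(json.dumps(token, sort_keys=True).encode()).decode()
    return {"wa": "wsignin1.0", "wresult": f"{body}.{_sign(body)}", "wctx": query["wctx"][0]}


def rp_validate_response(form, expected_wctx, now, realm=RP_REALM):
    """Step 3: the RP verifies the posted wresult before creating a local session."""
    if form.get("wa") != "wsignin1.0":
        raise ValueError("unexpected wa")
    if form.get("wctx") != expected_wctx:
        raise ValueError("wctx does not match the pending sign-in")
    body, _, sig = form.get("wresult", "").rpartition(".")
    if not body or not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("signature check failed")
    token = json.loads(base64.urlsafe_b64decode(body))
    if token["issuer"] != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if token["audience"] != realm:
        raise ValueError("token was issued for a different realm")
    if not (datetime.fromisoformat(token["nbf"]) <= now < datetime.fromisoformat(token["exp"])):
        raise ValueError("token outside its validity window")
    return token


def run_signon_flow(now=None):
    """Drive the three steps end to end and return the validated token."""
    now = now or datetime.now(timezone.utc)
    wctx = "state-7f3a"  # in practice a random value stored in the browser session
    url = build_signin_request(wctx)
    form = idp_issue_response(url, "alice@example.com", {"role": "auditor"}, now)
    return rp_validate_response(form, wctx, now)


if __name__ == "__main__":
    print(run_signon_flow())
```

The audience check is what keeps a token issued to one member of the federation from being replayed at another; the wctx check is what stops an attacker from completing a sign-in in a victim's browser with a token for the attacker's own account. Neither check is optional in a production relying party.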

The logical architecture described in WS-Federation, together with the functionality described in the Web services security stack, supports both the active and passive client scenarios. The complete family of WS-Security specifications provides companies with a standards-based, interoperable, secure digital identity and trust platform for Web services-based architectures. Furthermore, these specifications promote reuse of existing IT security investments, enabling companies to work with multiple security token types and multiple scenarios, including HTTP browsers, enhanced browsers, active clients, and application-to-application connectivity.



    Web Services Platform Architecture(c) SOAP, WSDL, WS-Policy, WS-Addressing, WS-BP[.  .. ] More
    Year: 2005
    Pages: 176