2.2.1.1 WS-Federation

A user will often need to use several resources or services that are available through the Internet, potentially in different security realms, in the course of a task or a day. One method to obtain access to these resources and services is for the user to sign in to each of the resource and service providers separately, but in doing so, the user is exposing himself or herself to increased security risks, to say nothing of fatigue and irritation. To help alleviate the potential security problems and to provide the user with a more convenient environment, security token services (STSs) can be implemented and deployed such that the user needs to sign in only once, after which all authentication and authorization is taken care of automatically.

  • WS-Federation (Web Services Federation Language) and WSFedPRP (WS-Federation: Passive Requestor Profile)

    WS-Federation provides the general language and mechanism to connect users and resources across security boundaries, typically in disparate security realms, thereby providing for the creation of a federation of security realms.

    Whereas the specification at [WSFederation] provides for federation language and mechanisms in a broad variety of scenarios, the specification for WS-Federation: Passive Requestor Profile ([WSFederation1.2] section 13) provides more specific details for the scenario in which the requester of security services is passive; that is, the requester is not actively aware of the federation processes that occur. The passive requester is typically a web browser.

  • MWBF (Microsoft Web Browser Federated Sign-On Protocol)

    The STS is described in [WSFederation] and [WSFederation1.2], but considerations to make the STS more interoperable are implemented in the Microsoft Web Browser Federated Sign-On Protocol, which is described in [MS-MWBF] and its companion documents: [MS-MWBE] and [MS-ADFSWAP]. This increased interoperability is gained by restricting the protocol options and the variations of security tokens that would otherwise be allowed under WSFedPRP.

  • MWBE (Microsoft Web Browser Federated Sign-On Protocol Extensions)

    A fundamental requirement for WS-Federation-style single sign-on (SSO) that is defined in [WSFederation1.2] section 13 and [MS-MWBF] is for the passive requestor, that is, the web browser, to be able to run scripts for form submittal during an HTTP POST (see section 3.1). However, not all web browsers support this scripting. The extensions defined in [MS-MWBE] accommodate older web browsers by providing a means to substitute a single HTTP POST message (as is used in MWBF) with a series of HTTP GET messages with query string parameters.

    In addition to support for nonscripting web browsers, the extensions defined in [MS-MWBE] provide an extension to the SAML 1.1 language that allows security identifiers (SIDs) to be passed in SAML 1.1 assertions [SAMLCore]. By enabling this behavior, applications that require SIDs for full authorization can be accommodated.

  • ADFSWAP (Active Directory Federation Service (AD FS) Web Agent Protocol)

    The Microsoft Web Browser Federated Sign-On Protocol, given in [MS-MWBF], defines a highly interoperable form of single sign-on based on WS-Federation. In order for relying parties to participate in the MWBF protocol, they need to have additional information about an STS such as URL endpoints, X.509 certificates for security token validation, identifiers for the STS, the security realms that an STS operates in, and the types of claims that an STS can emit. The Active Directory Federation Service (AD FS) Web Agent Protocol defined in [MS-ADFSWAP] allows relying parties to obtain this information.
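The passive-requestor exchange described under MWBE and ADFSWAP above, as an added example that is not part of the specification or any Microsoft implementation: a relying party redirects the browser to the STS with the WS-Federation `wa`/`wtrealm`/`wctx` parameters, the STS answers either with a single auto-posted form or, for a non-scripting browser, with a series of GET messages, and the relying party binds the response to its own pending request and checks the token audience. The endpoints, the chunk parameter names (`part`, `total`) and the token body are constructed for this example and are not the names defined in [MS-MWBE]; XML signature verification with the STS certificate is omitted.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample endpoints: an RP and an STS in different security realms.
RP_REALM = "https://rp.example.test/"             # the RP's wtrealm / token audience
STS_SIGNIN = "https://sts.example.test/adfs/ls/"  # STS endpoint the RP learned out of band
class RelyingParty:
    def __init__(self, realm):
        self.realm = realm
        self.pending = {}  # wctx -> where to send the user afterwards

    def signin_redirect(self, return_to):
        """Step 1: send the browser to the STS; wctx binds the later response to this request."""
        wctx = secrets.token_urlsafe(16)
        self.pending[wctx] = return_to
        return STS_SIGNIN + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": self.realm, "wctx": wctx})

    def consume(self, form):
        """Step 3: accept one wsignin1.0 response (a POST body or a reassembled GET series)."""
        wctx = form.get("wctx")
        if form.get("wa") != "wsignin1.0" or wctx not in self.pending:
            raise ValueError("response is not bound to a sign-in request we issued")
        # A real RP verifies the XML signature with the STS certificate before this check.
        audience = re.search(r"<saml:Audience>([^<]+)</saml:Audience>", form.get("wresult", ""))
        if not audience or audience.group(1) != self.realm:
            raise ValueError("token was issued for a different realm")
        return self.pending.pop(wctx)

def sts_issue(signin_url, scripting):
    """Step 2 at the STS: one auto-submitted POST form, or the same fields over several GETs."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(signin_url).query).items()}
    wresult = ("<t:RequestSecurityTokenResponse><saml:Assertion><saml:AudienceRestrictionCondition>"
               "<saml:Audience>" + q["wtrealm"] + "</saml:Audience></saml:AudienceRestrictionCondition>"
               "</saml:Assertion></t:RequestSecurityTokenResponse>")  # constructed token body
    fields = {"wa": "wsignin1.0", "wresult": wresult, "wctx": q["wctx"]}
    if scripting:
        return [fields]
    # 'part'/'total' are constructed names for this example, not those of [MS-MWBE].
    chunks = [wresult[i:i + 48] for i in range(0, len(wresult), 48)]
    return [{"wa": "wsignin1.0", "wctx": q["wctx"], "part": i, "total": len(chunks), "wresult": c}
            for i, c in enumerate(chunks)]

def reassemble(gets):
    """RP side of the GET series: check it is complete and put wresult back in order."""
    if {g["part"] for g in gets} != set(range(gets[0]["total"])):
        raise ValueError("incomplete GET series")
    body = "".join(g["wresult"] for g in sorted(gets, key=lambda g: g["part"]))
    return {"wa": "wsignin1.0", "wctx": gets[0]["wctx"], "wresult": body}
```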