1.3 Overview
The [MS-MWBF] specification defines a standard mechanism that can be used by a client to acquire a security token from a security token service (STS). Acquiring a security token is designed to address two problems related to communicating user information to remote applications and services.
First, in order to properly control access to information or resources in remote Web service (WS) resources, those WS resources have to have information about the users that are accessing them. Previous solutions required the WS resource to identify the user and use that identity to access further information about the user. Second, users were forced to be prompted multiple times to supply credentials (for example, user names and passwords) to securely identify themselves and authenticate to multiple WS resources.
Implementations of [MS-MWBF] solve these problems by moving the responsibility for authenticating the user away from the remote WS resource to an STS that already has an account for the user. This STS issues security tokens that contain information about the user in the form of claims. When accessing a WS resource, the user's web browser presents a security token obtained from an STS to the WS resource. The signature in the security token allows the WS resource to verify its validity, and the claims in the security token convey relevant user information to the WS resource. These claims can then be used for making authorization decisions by the WS resource.
In order for the protocol defined in [MS-MWBF] to work correctly, the WS resource has to obtain configuration information from the STS. This configuration information has to be obtained for the WS resource to send and receive [MS-MWBF] protocol messages. In addition to the information required prior to participating in [MS-MWBF], WS resources often need information about the STS configuration in order to enable WS resource users to understand the access control capabilities of the STS.
This specification defines a protocol that enables the WS resource to obtain the necessary information to configure the WS resource to participate in [MS-MWBF]. This protocol also allows for messages that enable the WS resource to obtain configuration information that is helpful for WS resource users, though not strictly necessary for participation in [MS-MWBF] exchanges.
The protocol is based on SOAP as defined in [SOAP1.1] and [SOAP1.2-1/2007]. The protocol defines the following operations:
A GetFsTrustInformation operation that enables the WS resource to obtain configuration data from the STS that is necessary to participate in [MS-MWBF] exchanges, including URL endpoints, X.509 certificates for security token validation, and identifiers for the STS.
A GetTrustedRealmUri operation that enables the WS resource to obtain configuration data from the STS that indicates the security realms from which the STS accepts security tokens using [MS-MWBF].
A GetClaims operation that enables the WS resource to obtain configuration data from the STS that indicates the security token claims that the STS can emit.
In section 3, the protocol specification describes the message processing model for the client and the STS to successfully emit or consume protocol messages that are created in accordance with section 2.