1.3 Overview

The following documents specify a standard set of SOAP extensions that provide client/server authentication and content integrity and confidentiality for SOAP messages when building secure Web services clients and servers. The Lightweight Web Services Security Profile specifies a profile for performing lightweight client authentication and security token exchange based on the protocols described in these documents:

  • Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1 [SAMLCore]

  • Basic Security Profile Version 1.0 [BSP]

  • Web Services Secure Conversation Language (WS-SecureConversation) [WSSC]

  • WS-SecureConversation 1.3 [WSSC1.3]

  • Web Services Security Kerberos Token Profile 1.1 [WSSKTP1.1]

  • Web Services Security: SAML Token Profile 1.1 [SAMLToken1.1]

  • Web Services Security: SOAP Message Security 1.0 (WS-Security 2004) [WSS1]

  • Web Services Security: SOAP Message Security 1.1 (WS-Security 2004) [WSS]

  • Web Services Security UsernameToken Profile 1.0 [WSSUTP]

  • Web Services Security UsernameToken Profile 1.1 [WSSUTP1.1]

  • WS-Trust V1.0 [WSTrust]

  • WS-Trust 1.3 [WSTrust1.3]

  • XML-Signature Syntax and Processing (Second Edition) [XMLDSig/2008]

  • XML Encryption Syntax and Processing [XMLENC]

Section 2 specifies clarifications and restrictions on these specifications to increase interoperability when implementing client authentication and security context establishment using username/password, Kerberos ticket, and SAML token, and acquiring a security token from a security token service (STS).

The protocols used by this specification can be categorized as follows.

[XMLDSig/2008] and [XMLENC] specify basic XML signature and encryption functionality. These protocols are referred to as XML Extension protocols.

[WSS1], [WSS], and [SAMLCore] specify the building blocks needed to provide client authentication in SOAP messages. Those building blocks include security tokens, security token references, signatures, and timestamps. These protocols are referred to as Core Security protocols.

The [BSP], [WSSUTP], [WSSUTP1.1], [WSSKTP1.1], and [SAMLToken1.1] profiles specify restrictions on and clarifications to [WSS1], [WSS], and [SAMLCore] to promote interoperability among different implementations of those protocols. These protocols are referred to as Security Profiles.
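As an added illustration of the building blocks named above (a security token carried in the wsse:Security header, a nonce, and a wsu:Created timestamp), the following Python example builds a SOAP envelope carrying a WS-Security UsernameToken in the PasswordDigest form defined by [WSSUTP] and verifies it on the receiving side. This is example code written for this page, not code from the profile or from OASIS; it uses only the standard library, the WSS 1.0 namespace URIs, and a constructed in-memory credential store. The five-minute freshness window and the decision to refuse cleartext PasswordText tokens are assumptions of the example, not requirements stated on this page.

```python
"""Build and verify a WS-Security UsernameToken (PasswordDigest form).

Added example: stdlib only, constructed credentials, no network I/O.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"

for _prefix, _uri in (("soap", SOAP_ENV), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def utc_time(value: str) -> datetime:
    """Parse a wsu:Created value (whole seconds, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(value, CREATED_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as in WSSUTP."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_envelope(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Client side: SOAP envelope whose wsse:Security header carries a UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security",
                             {f"{{{SOAP_ENV}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(token, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY})
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    ET.SubElement(body, "Ping")  # constructed sample payload
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: recompute the digest, enforce freshness, and reject replayed nonces."""

    def __init__(self, passwords: dict, max_age: timedelta = timedelta(minutes=5)):
        self.passwords = passwords      # username -> password (constructed store)
        self.max_age = max_age          # assumed clock-skew / freshness window
        self.seen_nonces = {}           # nonce bytes -> Created time, kept for max_age

    def verify(self, envelope_xml: str, now: datetime = None) -> tuple:
        now = now or datetime.now(timezone.utc)
        try:
            root = ET.fromstring(envelope_xml)
        except ET.ParseError:
            return False, "malformed XML"
        token = root.find(f"./{{{SOAP_ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if token is None:
            return False, "no UsernameToken"
        username = token.findtext(f"{{{WSSE}}}Username")
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if None in (username, pw_el, nonce_b64, created):
            return False, "incomplete token"
        if pw_el.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest accepted"  # cleartext PasswordText refused
        try:
            created_at = utc_time(created)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False, "bad Created or Nonce"
        if not (now - self.max_age <= created_at <= now + self.max_age):
            return False, "Created outside freshness window"
        # Drop nonces older than the window; anything inside it cannot be reused.
        self.seen_nonces = {n: c for n, c in self.seen_nonces.items() if now - c <= self.max_age}
        if nonce in self.seen_nonces:
            return False, "nonce replayed"
        expected = password_digest(nonce, created, self.passwords.get(username, ""))
        if username not in self.passwords or not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "bad credentials"
        self.seen_nonces[nonce] = created_at  # record only after a successful check
        return True, "ok"


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"alice": "correct horse"})
    msg = build_envelope("alice", "correct horse")
    print(verifier.verify(msg))   # (True, 'ok')
    print(verifier.verify(msg))   # (False, 'nonce replayed')
```

The verifier checks the token in the order a receiver should: structure, token type, freshness of wsu:Created, nonce uniqueness, and only then the digest with a constant-time comparison. Because the digest covers the nonce and the Created value, a captured token cannot be re-submitted with a new timestamp, and the nonce cache closes the window in which an unmodified copy could be replayed.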

[WSTrust], [WSTrust1.3], [WSSC], and [WSSC1.3] specify additional security elements as well as message exchange patterns used to create and exchange security tokens in SOAP messages. These documents are referred to as Token Exchange protocols.

The parts of the above documents that specify server authentication, message integrity, and message protection are not specified by this document and are assumed to be provided by the underlying transport protocol.