1.3 Overview
The requestor profile described in [WSFederation1.2] section 13 is designed to address two problems related to communicating user information to web service (WS) resources.
First, in order to properly control access to information in WS resources, those WS resources have to have information about the users who are accessing them. Previous solutions required the application to identify the user and to use that identification information to access information about the user. Second, users were prompted multiple times for user names and passwords in order to identify themselves securely across multiple WS resources.
The profile described in [WSFederation1.2] section 13 addresses these two problems by enabling the user to securely communicate account information across security realms to multiple WS resources without requiring multiple prompts for user names and passwords.
The profile described in [WSFederation1.2] section 13 solves these problems by moving the responsibility for authenticating the user away from the WS resource application to an identity provider/security token service (IP/STS) that already has an account for the user. This IP/STS issues security tokens that contain information about the user. When accessing a WS resource, the user's web browser requestor presents a security token obtained from an IP/STS to the WS resource application. The signature of the security token allows the WS resource to verify its validity, and the content of the security token contains claims about the authentication with the IP/STS as well as the relevant user account information for the WS resource. These claims can then be used for authorization decisions by the WS resource. A sequence diagram describing the detailed exchange can be found in [WSFederation1.2] section 13.3.
The Microsoft Web Browser Federated Sign-On Protocol increases interoperability of the profile described in [WSFederation1.2] section 13 by restricting the protocol options and the variations of security tokens that can be included in [WSFederation1.2] section 13. The following list outlines restrictions to [WSFederation1.2] section 13:
The HTTP verbs are restricted for different message types.
The allowable message types are scoped down to message types directly related to sign-on or sign-out operations, as specified in [WSFederation1.2] sections 13.1.1 and 13.1.2.
The parameters specified in [WSFederation1.2] section 13 are restricted for each message type.
This protocol also adds optional parameters to address existing limitations to the protocol.
In section 2.1, this document specifies restrictions on the choice of message transport allowed in [WSFederation1.2] section 13. The [WSFederation1.2] specification allows wsignin1.0 (section 2.2.4), wsignout1.0 (section 2.2.5), and wsignoutcleanup1.0 (section 2.2.6) operations to be transmitted using either GET or POST methods, as specified in [RFC2616]. This specification restricts wsignin1.0, wsignout1.0, and wsignoutcleanup1.0 requests to use only the GET method. This protocol also restricts wsignin1.0 responses to be transmitted to relying parties using the POST method.
Parameter removals, restrictions, and additions are specified in section 2.2. The parameter restrictions and removals are designed to aid interoperability by reducing the possible variations in the protocol. The parameter additions address issues such as communicating the expected authentication method and communicating a user's requestor IP/STS. The Microsoft Web Browser Federated Sign-On Protocol restricts the content of the wresult parameter (using the standards as specified in [WSTrust] and [SAMLCore]) to enable interoperable communications of security tokens. The restrictions on the wresult parameter are specified in sections 2.2.4.1 and 2.2.4.2. The semantics and protocol details of these changes are addressed in section 3.
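As an added illustration, not part of this specification or of any Microsoft implementation, the following Python shows the relying-party-side checks that sections 2.1 and 2.2 imply: classifying an incoming message by HTTP verb and action, rejecting verb/action combinations the restrictions disallow, and pulling claims out of the security token carried in wresult. It assumes the WS-Federation parameter names wa, wctx, wtrealm and wresult, a WS-Trust 2005 RequestSecurityTokenResponse wrapping a SAML 1.1 assertion, and a constructed sample token.

```python
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET  # production code: use a hardened parser (e.g. defusedxml)

# Namespaces of the token formats the section refers to ([WSTrust] 2005 RSTR, [SAMLCore] 1.1, XML-DSig).
NS = {"trust": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# (wa action, HTTP method, wresult present) -> message type. Everything else is rejected:
# the three requests travel by GET only, the sign-in response (carrying wresult) by POST only.
ALLOWED = {("wsignin1.0", "GET", False): "signin-request",
           ("wsignin1.0", "POST", True): "signin-response",
           ("wsignout1.0", "GET", False): "signout-request",
           ("wsignoutcleanup1.0", "GET", False): "signoutcleanup-request"}

def classify(method: str, query: str = "", body: str = "") -> str:
    """Classify an incoming message by verb and parameters; 'reject' when the combination is not allowed."""
    method = method.upper()
    params = parse_qs(query if method == "GET" else body)
    wa = params.get("wa", [None])[0]
    return ALLOWED.get((wa, method, "wresult" in params), "reject")

def extract_claims(wresult: str) -> dict:
    """Return the attribute claims of the SAML 1.1 assertion carried in a wresult RSTR.
    Raises ValueError if no assertion or no enveloped signature is present. This only checks
    that a Signature element exists; the RP must still verify it cryptographically against the IP/STS key."""
    root = ET.fromstring(wresult)
    assertion = root.find(".//trust:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("wresult carries no SAML assertion")
    if assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed")
    claims = {}
    for attr in assertion.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return claims

# Constructed sample wresult (not a real token) and the POST body a browser would submit it in.
SAMPLE_WRESULT = (
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken>'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_c1">'
    '<saml:AttributeStatement><saml:Attribute AttributeName="name" AttributeNamespace="urn:example:claims">'
    '<saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    '</saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>')
SAMPLE_BODY = urlencode({"wa": "wsignin1.0", "wresult": SAMPLE_WRESULT, "wctx": "rm=0"})
```

A sign-in request arriving by POST, or a wresult arriving by GET, classifies as "reject" so the relying party can drop it before touching the token.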