What does WS-Federation really do (in depth and by a simple & understandable example)?


I have read some text about WS-Federation but I cannot understand it. I have some questions:

  1. What would happen if there were no WS-Federation?
  2. How does it help with Single Sign-on?
  3. What is the difference between WS-Trust and WS-Federation?

I just want answers as very, very simple and understandable real-world examples! I have read a lot but I cannot understand it deeply.

Thanks

2

There are 2 answers

2
Wiktor Zychla On BEST ANSWER

The relationship between ws-trust and ws-federation is that ws-federation is built on top of ws-trust. This is very technical and frankly, despite using ws-federation for years, I still am not sure where ws-trust ends and ws-federation starts. I believe this is not very important.

http://www.empowerid.com/learningcenter/standards/ws-trust-fed

To understand the idea of tokens and trust, think of an airport (which would be an application) and you as its user. You want to authenticate there. Normally, you'd have to somehow prove that you are yourself. A DNA test, perhaps?

But, wait, you were authenticated before, in a passport office. They somehow validated that you are yourself and issued a passport to you. The passport office would be the authentication server and the passport would be a SAML token.

By presenting the passport at the airport (by showing the SAML token to the application) and by the trust relationship (the airport trusts that legitimate passports truly identify people; the application trusts that a SAML token signed with a correct certificate proves that the user has been authenticated), the airport (the application) can authenticate you much more easily.

This idea of trust and federated authentication means that more services can be built around the same authentication authority - and surely your passport issued by the passport office can be used not only at the airport but also at the hotel etc.

Normally the trust is established formally with specific passport issuers and specific document formats, but in the digital world the trust is established easily: the authentication provider just signs the user information (the SAML token) digitally, and the integrity of the signature can be validated at the application side easily.

There is a great free book on that by Microsoft Patterns & Practices group available here:

http://claimsid.codeplex.com
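The passport analogy above boils down to one mechanism: an issuer the application already trusts signs a set of claims, and the application checks the signature, the issuer, the intended audience and the expiry before believing any of it. The following is an added example (not code from the answer, nor from the Patterns & Practices book it links) that models exactly that check with a constructed "passport office" issuer and an "airport" relying party. It assumes a tiny JSON token format and an HMAC key per issuer purely to stay dependency-free; real WS-Federation carries SAML tokens signed with the private key of the issuer's X.509 certificate, and the relying party validates against that certificate, but the trust decisions the relying party must make are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed per-issuer keys (assumption: HMAC stands in for the X.509
# signature a real STS would apply; the trust decisions below are unchanged).
ISSUER_KEYS = {
    "https://passport-office.example/sts": b"constructed-key-passport-office",
    "https://rogue-office.example/sts": b"constructed-key-rogue-office",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, subject, audience, claims, lifetime=300, now=None):
    """The 'passport office': bundle claims about a subject and sign them."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "exp": now + lifetime, "claims": claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


class RelyingParty:
    """The 'airport': trusts only listed issuers and tokens meant for it."""

    def __init__(self, audience, trusted_issuers):
        self.audience = audience
        self.trusted_issuers = dict(trusted_issuers)

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
            payload = json.loads(body)
        except ValueError:  # covers base64, JSON and unpacking failures
            return False, "malformed token"
        # 1. Is the issuer one we federate with at all?
        key = self.trusted_issuers.get(payload.get("iss"))
        if key is None:
            return False, "untrusted issuer"
        # 2. Does the signature prove the issuer really produced these claims?
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # 3. Was the token issued for this application and is it still fresh?
        if payload.get("aud") != self.audience:
            return False, "wrong audience"
        if payload.get("exp", 0) <= now:
            return False, "expired"
        return True, payload


def _outcome(result):
    return "ok" if result[0] else result[1]


def demo():
    """Run the happy path plus the failure modes a relying party must reject."""
    sts = "https://passport-office.example/sts"
    rogue = "https://rogue-office.example/sts"
    airport = RelyingParty("urn:airport-app", {sts: ISSUER_KEYS[sts]})
    t0 = 1_700_000_000  # constructed fixed clock so results are deterministic
    good = issue_token(sts, ISSUER_KEYS[sts], "alice", "urn:airport-app",
                       {"role": "traveller"}, now=t0)
    # Tamper with the claims but keep the original signature.
    body, sig = good.split(".")
    forged = _b64(_unb64(body).replace(b"traveller", b"crew-chief")) + "." + sig
    return {
        "valid": _outcome(airport.validate(good, now=t0 + 10)),
        "tampered": _outcome(airport.validate(forged, now=t0 + 10)),
        "untrusted_issuer": _outcome(airport.validate(
            issue_token(rogue, ISSUER_KEYS[rogue], "mallory", "urn:airport-app",
                        {"role": "traveller"}, now=t0), now=t0 + 10)),
        "wrong_audience": _outcome(airport.validate(
            issue_token(sts, ISSUER_KEYS[sts], "alice", "urn:hotel-app",
                        {"role": "guest"}, now=t0), now=t0 + 10)),
        "expired": _outcome(airport.validate(good, now=t0 + 301)),
        "malformed": _outcome(airport.validate("not-a-token", now=t0 + 10)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>17}: {result}")
```

The order of checks matters: the issuer lookup comes first so that an unknown issuer's token is never even signature-checked, and the audience check means a token the passport office issued for the hotel cannot be replayed at the airport even though its signature is perfectly valid. Swapping `hmac` for certificate-based signature verification changes only steps 2 and the key store, not the decisions.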

0
Amir Jalilifard On

I found some good resources that can help a lot. First, have a look at the article below. It is a little complicated; it expatiates on WS-Federation in depth. http://msdn.microsoft.com/en-us/library/bb498017.aspx

The second one is a resource that "Wiktor Zychla" helped me to find. There is great and legitimate source code alongside a very detailed description. It can be pretty useful for understanding this issue. You can download it from this link: http://claimsid.codeplex.com/releases/view/68061

In the end, I perceived there is no cross-cut way of understanding WS-Federation; rather, you should read about it profoundly, since it is such a technical and abstract issue. Hope this is helpful for you.