I have read some text about WS-Federation but I cannot understand it. I have some questions:
- What would happen if there were no WS-Federation?
- How does it help to Single Sign-on?
- What is the difference between WS-Trust and WS-Federation?
I just want answers in very, very simple and understandable samples from the real world! I have read a lot but I cannot understand it deeply.
Thanks
The relationship between WS-Trust and WS-Federation is that WS-Federation is built on top of WS-Trust. This is very technical and frankly, despite using WS-Federation for years, I am still not sure where WS-Trust ends and WS-Federation starts. I believe this is not very important.
http://www.empowerid.com/learningcenter/standards/ws-trust-fed
To understand the idea of tokens and trust, think of an airport (which would be an application) and you as its user. You want to authenticate there. Normally, you'd have to somehow prove that you are yourself. A DNA test perhaps?
But, wait, you were authenticated before, in a passport office. They somehow validated that you are yourself and issued a passport to you. The passport office would be the authentication server and the passport would be a SAML token.
By presenting the passport at the airport (by showing the SAML token to the application) and by the trust relationship (the airport trusts that legitimate passports truly identify people; the application trusts that a SAML token signed with a correct certificate proves that the user has been authenticated), the airport (the application) can authenticate you much more easily.
This idea of trust and federated authentication means that more services can be built around the same authentication authority - and surely your passport issued by the passport office can be used not only at the airport but also at the hotel etc.
Normally the trust is established formally with specific passport issuers and specific document formats, but in the digital world the trust is established easily: the authentication provider just signs the user information (the SAML token) digitally, and the integrity of the signature can be validated at the application side easily.
There is a great free book on that by Microsoft Patterns & Practices group available here:
http://claimsid.codeplex.com
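The passport analogy from the answer above, written out as an added example (my own code, not from the answer, from WS-Federation, or from the linked book). The "passport office" (issuer) signs a set of claims with its private key; the "airport" (relying party) holds only the public keys of the issuers it trusts and checks the signature, the issuer, the audience and the expiry before accepting the user. Real WS-Federation carries SAML tokens signed with X.509 certificates (XML-DSig); to keep this stand-alone the token is a JSON payload signed with ECDSA P-256, and the names `passport-office`, `airport` and `alice` are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the "passport" payload: who the user is, who issued it,
// which application it was issued for, and when it stops being valid.
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"`
	Expires  int64    `json:"exp"` // Unix seconds
	Roles    []string `json:"roles"`
}

// Token is the signed passport: the exact bytes that were signed plus the signature.
type Token struct {
	Payload   []byte
	Signature []byte
}

// Issue is the passport office: it signs the claims with its private key.
func Issue(key *ecdsa.PrivateKey, c Claims) (Token, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Token{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Signature: sig}, nil
}

// RelyingParty is the airport: it knows the public keys of the issuers it trusts,
// keyed by issuer name. It never holds a private key.
type RelyingParty struct {
	Name    string
	Trusted map[string]*ecdsa.PublicKey
}

// Validate accepts a token only if the issuer is trusted, the signature verifies
// under that issuer's key, the token was issued for this application, and it has
// not expired. The issuer claim is read before the signature is checked, but it is
// only used to pick a key: an unknown issuer maps to no key and is rejected.
func (rp RelyingParty) Validate(t Token, now time.Time) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return Claims{}, errors.New("malformed token")
	}
	pub, ok := rp.Trusted[c.Issuer]
	if !ok {
		return Claims{}, fmt.Errorf("issuer %q is not trusted", c.Issuer)
	}
	digest := sha256.Sum256(t.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], t.Signature) {
		return Claims{}, errors.New("signature does not verify")
	}
	if c.Audience != rp.Name {
		return Claims{}, fmt.Errorf("token was issued for %q, not %q", c.Audience, rp.Name)
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return Claims{}, errors.New("token has expired")
	}
	return c, nil
}

func main() {
	// Constructed scenario: one trusted issuer, one relying party.
	office, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	airport := RelyingParty{Name: "airport", Trusted: map[string]*ecdsa.PublicKey{
		"passport-office": &office.PublicKey,
	}}
	now := time.Now()
	tok, _ := Issue(office, Claims{Issuer: "passport-office", Subject: "alice",
		Audience: "airport", Expires: now.Add(5 * time.Minute).Unix(), Roles: []string{"traveller"}})
	c, err := airport.Validate(tok, now)
	fmt.Println(c.Subject, err)
}
```

The same token presented to a second relying party named `hotel` fails the audience check even though the signature is valid; to accept it, the hotel would issue its own trust entry for the passport office and the office would issue a token with `aud` set to `hotel`. This is the "more services around the same authority" point the answer makes.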