Geeks With Blogs
Pradeep Loganathan Distributed

A SOAP message using WS-Security is protected by security tokens. These security tokens can be obtained in a variety of ways, such as a username/password, an X.509 certificate, Kerberos, etc. Even though the SOAP message is now protected, the recipient may still be unable to use the token because of:

1. Security token format incompatibility: the recipient may find the token format incompatible.

2. Security token trust: even if the recipient can understand and process the token, it may be unable to map the trust hierarchy of the token onto its own.

3. Namespace: the recipient may be unable to understand the claims carried within the token.


WS-Trust aims to address these issues by defining a request/response protocol and by introducing a Security Token Service. WS-Trust defines standard mechanisms for security token creation, management and exchange, and for establishing trust relationships. WS-Trust thus builds upon WS-Security.


The Security Token Service (STS) is responsible for token issuance, validation, renewal and exchange. Requests are sent as a RequestSecurityToken (RST) message specifying the operation type (Issue, Validate, etc.); the token type can optionally be specified as well. WS-Trust defines further extensions to the RST message for specifying delegation, forwarding and proxy requirements for the tokens. Lifetime and renewal requirements can also be specified.

The request structure is as follows:

<RequestSecurityToken>                       <!-- request header -->
        <TokenType>...</TokenType>           <!-- the security token type requested (X.509, ...) -->
        <RequestType>...</RequestType>       <!-- the request type (Issue, Cancel, ...) -->
        <Base>...</Base>                     <!-- reference tokens -->
        <Supporting>...</Supporting>         <!-- supporting tokens -->
</RequestSecurityToken>

A sample RequestSecurityToken (RST) message is as follows:

<wst:RequestSecurityToken>
    <wst:TokenType>
        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
    </wst:TokenType>
    <wst:RequestType>
        http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
    </wst:RequestType>
</wst:RequestSecurityToken>

The response is returned as a RequestSecurityTokenResponse (RSTR) containing the security token. The response structure is as follows:

<RequestSecurityTokenResponse>                       <!-- response header -->
        <TokenType>...</TokenType>                   <!-- the token type returned -->
        <KeyType>...</KeyType>                       <!-- the kind of key used in the token -->
        <KeySize>...</KeySize>                       <!-- the key size -->
        <wsp:AppliesTo>...</wsp:AppliesTo>           <!-- the scope to which the token applies -->
        <RequestedSecurityToken>...                  <!-- the security token -->
        </RequestedSecurityToken>
        <RequestedProofToken>...                     <!-- proof-of-possession token -->
        </RequestedProofToken>
</RequestSecurityTokenResponse>

A sample RSTR message is given below:

<wst:RequestSecurityTokenResponse>
    <wst:TokenType>
        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
    </wst:TokenType>
    <wst:RequestedSecurityToken>
        <saml:Assertion...>...</saml:Assertion>
    </wst:RequestedSecurityToken>
    <wst:RequestedProofToken>
        <xenc:EncryptedKey>...</xenc:EncryptedKey>
    </wst:RequestedProofToken>
</wst:RequestSecurityTokenResponse>
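The RST/RSTR exchange above, as an added example that is not part of the original post: it builds the same minimal Issue request and then checks an RSTR the way a requestor should before trusting it (token type matches what was asked for, a token is actually present, and a proof-of-possession token came back). It assumes the `wst` prefix maps to the WS-Trust namespace used in the post's RequestType URI, and the sample RSTR is constructed here, not taken from a real STS.

```python
import xml.etree.ElementTree as ET

# Assumed: wst is the WS-Trust (February 2005) namespace that the post's
# RequestType URI belongs to; the SAML 1.1 token-type URI is the post's own.
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
ET.register_namespace("wst", WST)


def build_rst(token_type, request="Issue"):
    """Build a minimal RST like the post's sample: TokenType plus RequestType."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = f"{WST}/{request}"
    return ET.tostring(rst, encoding="unicode")


def check_rstr(rstr_xml, expected_token_type):
    """Return the problems a requestor should flag before using an RSTR
    (an empty list means the response matches what was requested)."""
    root = ET.fromstring(rstr_xml)
    if root.tag != f"{{{WST}}}RequestSecurityTokenResponse":
        return ["root element is not wst:RequestSecurityTokenResponse"]
    problems = []
    # The STS must return the token type that was requested, not a different one.
    got = (root.findtext(f"{{{WST}}}TokenType") or "").strip()
    if got != expected_token_type:
        problems.append(f"token type mismatch: got {got!r}")
    # RequestedSecurityToken must actually carry a token (e.g. a saml:Assertion).
    if root.find(f"{{{WST}}}RequestedSecurityToken/*") is None:
        problems.append("RequestedSecurityToken is empty")
    # Without a proof-of-possession token the requestor cannot prove it holds the key.
    if root.find(f"{{{WST}}}RequestedProofToken/*") is None:
        problems.append("no RequestedProofToken")
    return problems


# Constructed RSTR in the shape of the post's sample (not a real STS response).
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <wst:TokenType>{SAML11}</wst:TokenType>
  <wst:RequestedSecurityToken><saml:Assertion AssertionID="_a1"/></wst:RequestedSecurityToken>
  <wst:RequestedProofToken><xenc:EncryptedKey/></wst:RequestedProofToken>
</wst:RequestSecurityTokenResponse>"""

if __name__ == "__main__":
    print(build_rst(SAML11))
    print(check_rstr(SAMPLE_RSTR, SAML11))  # []
```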

Posted on Friday, August 25, 2006 12:11 PM in WCF, WS-Security

Copyright © Pradeep Loganathan