The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

LibertyWSFIntro

Owned by Scott Cantor
Last updated: Jan 02, 2007 by Former user (Deleted)Version comment
2 min read

The goal of the ID-WSF specifications is to aggregate and where necessary profile existing public/standard specifications for developing web service (i.e. SOAP) applications so that interoperable implementations (commercial and open source) are possible. There is a particular focus on securing web services, in a manner composable with the capabilities of SAML, so that it becomes possible to deploy secure web services irrespective of the security and policy boundaries between web service consumers and providers.

<soapbox>
Most of the specifications emerging in the web services arena, particularly the ones related to security, are extremely complex and general. If multiple developers designed a project using them, it's more likely they'd win a lottery than produce solutions that would even resemble each other, let alone interoperate. This is great if you sell consulting services, not so great if you're looking for real standards.
</soapbox>

The goal here is to provide a roadmap to understanding the capabilities of the ID-WSF 2.0 specifications. The full set of documents is large, complex, and in a few places somewhat rough, but they can be understood as a set of building blocks that can be recombined into a usable solution for a variety of requirements. They may also be useful as input into solutions in other problem domains outside of web services, particular those based around SAML. ID-WSF is a good way to see how SAML can be applied to problems beyond just web single sign-on.

Before getting into specifics, it's helpful to understand the general solution space and some of the terminology. ID-WSF is about enabling a web service consumer (WSC) to locate and securely invoke a web service provider (WSP). Multiple web services may be involved in the execution of a single activity.

Services may also be tailored around the identity of users that may be interacting with the WSC, and ID-WSF security mechanisms based on SAML have the expressiveness to model the presence of users and support authorization policies based on delegation between a user and a WSC that is accessing services on the user's behalf.

ID-WSF is also designed to compose with the IdP-managed privacy features in SAML 2.0, such as pseudonymous user identifiers, and avoids introducing opportunities for correlation of user activity.