Whiteboard discussion of WS-Fed and WS-Trust
WS-* Metasystem Protocol

Parties: Client Application, Identity Selector, Identity Provider (IP), Relying Party (RP). Steps as numbered in the diagram:

1. The client application needs to call the RP's service.
2. Client → RP: WS-MEX GetMetadata request.
3. RP → Client: WS-MEX GetMetadata response carrying the RP's WS-SecurityPolicy, i.e. what kind of token it accepts.
4. Client → Identity Selector: GetToken(RP policy). The user selects an identity (card) that satisfies the policy.
5. The selected identity needs credentials from its identity provider.
6. Identity Selector → IP: WS-MEX GetMetadata request.
7. IP → Identity Selector: WS-MEX GetMetadata response (the IP's endpoint and policy).
8. Identity Selector → IP: WS-Trust RST (RequestSecurityToken) carrying the user's credentials.
9. IP → Identity Selector: WS-Trust RSTR (RequestSecurityTokenResponse) carrying the security token.
10. The identity selector returns the security token to the client application, which accesses the resource with that token (WS-Security).
Browser Metasystem Protocol

Parties: Client (Browser), Identity Selector, Identity Provider (IP), Relying Party (RP). Steps as numbered in the diagram:

1a. Browser → RP: HTTP GET to the protected page.
1b. RP → Browser: HTTP redirect to the login page.
2a. Browser → RP: HTTPS GET to the login page.
2b. RP → Browser: HTTPS login page containing the HTML information card tag, which carries the RP's policy.
2c. The user clicks the information card control.
3. Browser → Identity Selector: GetBrowserToken(RP policy).
4. Select identity.
5. The selected identity needs credentials from its IP.
6. Identity Selector → IP: WS-MEX GetMetadata request.
7. IP → Identity Selector: WS-MEX GetMetadata response.
8. Identity Selector → IP: WS-Trust RST (user credentials).
9. IP → Identity Selector: WS-Trust RSTR (security token).
10. The identity selector returns the security token to the browser.
11. Browser → RP: HTTPS POST with the security token.
Finally, RP → Browser: HTTP redirect with a session cookie; from here on the browser session, not the token, identifies the user to the RP.
Token Encrypted to RP

Parties: CardSpace (identity selector), Identity Provider, Relying Party. The IP and the RP may have established a relationship out-of-band, so the RP's key is known to the IP.

- Relying Party: its policy expresses the desire to convey the RP's identity to the IP.
- CardSpace: generates the request message and includes the RP's identity in the request.
- Identity Provider: the RP's key is known to the IP, so it encrypts the token with the RP's key, generates the response message and encrypts that response to the client.

The RP asks for this with ic:RequireAppliesTo in its token policy (app.config):

    <tokenParameters>
      <xmlElement>
        <wsp:Policy>
          <ic:RequireAppliesTo />
        </wsp:Policy>
      </xmlElement>
      …
    </tokenParameters>
Token not Encrypted to RP

Parties: CardSpace, Identity Provider, Relying Party.

- Relying Party: publishes its token requirements.
- CardSpace: generates the request message and requests a security token.
- Identity Provider: the RP's key is not known to the IP, so it cannot encrypt the token with the RP's key; the token is not encrypted. The IP generates the response message and encrypts that response to the client.

Only the response to the client is protected in this case: once the client has decrypted the RSTR, the token itself is readable there, which matters for anything it carries, such as a symmetric proof key.
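The decision on the two slides above (encrypt the token to the RP when the RP's identity is in the request and its key is known to the IP, otherwise issue it readable by the client) as an added example; this is not code from the deck, from CardSpace or from WCF. It assumes the selector has already read ic:RequireAppliesTo from the RP's policy, stands in for the SAML token with a byte string, and uses a constructed RP address, key and token. The real RSTR uses XML Encryption with a session key wrapped under the RP's key; here the short sample token is RSA-OAEP encrypted directly to keep the example small.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
)

// RST is the subset of a WS-Trust 1.3 RequestSecurityToken used here (real
// namespace URIs, illustrative struct); wsp:AppliesTo carries the RP's
// identity as a WS-Addressing endpoint reference.
type RST struct {
	XMLName     xml.Name   `xml:"http://docs.oasis-open.org/ws-sx/ws-trust/200512 RequestSecurityToken"`
	RequestType string     `xml:"http://docs.oasis-open.org/ws-sx/ws-trust/200512 RequestType"`
	AppliesTo   *AppliesTo `xml:"http://schemas.xmlsoap.org/ws/2004/09/policy AppliesTo,omitempty"`
}

type AppliesTo struct {
	EPR EndpointReference `xml:"http://www.w3.org/2005/08/addressing EndpointReference"`
}

type EndpointReference struct {
	Address string `xml:"http://www.w3.org/2005/08/addressing Address"`
}

// BuildRST is the selector's side. rpAddress comes from the RP's metadata;
// requireAppliesTo is whether ic:RequireAppliesTo was in its token policy,
// and only then is the RP's identity included in the request.
func BuildRST(rpAddress string, requireAppliesTo bool) ([]byte, error) {
	rst := RST{RequestType: "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"}
	if requireAppliesTo {
		rst.AppliesTo = &AppliesTo{EPR: EndpointReference{Address: rpAddress}}
	}
	return xml.Marshal(rst)
}

// Issuance is the IP's answer: the bare token, or the token encrypted to the RP.
// Real RSTRs use XML Encryption (a session key wrapped with the RP's key); here
// the short sample token is RSA-OAEP encrypted directly to keep the example small.
type Issuance struct {
	EncryptedToRP bool
	Token         []byte // plaintext when EncryptedToRP is false, ciphertext otherwise
}

type IdentityProvider struct {
	RPKeys map[string]*rsa.PublicKey // RP address -> key, established out-of-band
}

// Issue decides the encryption question from the request alone: no wsp:AppliesTo,
// or an AppliesTo naming an RP whose key the IP does not have, means the token
// cannot be targeted and goes out readable by the client.
func (ip *IdentityProvider) Issue(rstXML, token []byte) (Issuance, error) {
	var rst RST
	if err := xml.Unmarshal(rstXML, &rst); err != nil {
		return Issuance{}, err
	}
	if rst.AppliesTo == nil {
		return Issuance{Token: token}, nil
	}
	pub, known := ip.RPKeys[rst.AppliesTo.EPR.Address]
	if !known {
		return Issuance{Token: token}, nil
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, token, nil)
	if err != nil {
		return Issuance{}, err
	}
	return Issuance{EncryptedToRP: true, Token: ct}, nil
}

// OpenAtRP is the RP's side; the client that relayed the RSTR never saw the plaintext.
func OpenAtRP(priv *rsa.PrivateKey, iss Issuance) ([]byte, error) {
	if !iss.EncryptedToRP {
		return nil, errors.New("token was not encrypted to this RP")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, iss.Token, nil)
}

func main() {
	rpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed RP key, known to the IP
	ip := &IdentityProvider{RPKeys: map[string]*rsa.PublicKey{"https://rp.example/login": &rpKey.PublicKey}}
	for _, require := range []bool{true, false} {
		rst, _ := BuildRST("https://rp.example/login", require)
		iss, _ := ip.Issue(rst, []byte("constructed sample token"))
		fmt.Println("RequireAppliesTo:", require, "encrypted to RP:", iss.EncryptedToRP)
	}
}
```

The point to keep is that the IP decides from wsp:AppliesTo plus its own RP key table; an RP that omits ic:RequireAppliesTo, or that the IP has no key for, gets a token the client could read or replay elsewhere.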
Proof Token: Symmetric Key

Parties: Relying Party, CardSpace, Identity Provider.

- Relying Party: token requirements: keyType Symmetric, keySize 128, tokenType SAML 1.1.
- CardSpace: generates the request message (request for security token).
- Identity Provider: generates a key; generates a token and includes the key in the token (for the RP); includes the same key as the proof token in the response message (for the client); encrypts the response to the client.
- CardSpace: signs the message to the RP with the proof key.
- Relying Party: verifies the signature with the key carried in the token.
Proof Token: Asymmetric Key

Parties: Relying Party, CardSpace, Identity Provider.

- Relying Party: token requirements: keyType Asymmetric, keySize 2048, tokenType SAML 1.1.
- CardSpace: generates a key pair and includes the public key in the request; generates the request message.
- Identity Provider: includes that key in the token; generates the token (SAML); generates the response message; encrypts the response to the client.
- CardSpace: signs with the other key (the private half, which never left the client).
- Relying Party: verifies the signature with the public key carried in the token.
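Both proof-token variants from the two slides above, as an added example written for this page rather than taken from the deck or from CardSpace. The SAML 1.1 assertion is replaced by a small JSON structure that the IP signs; HMAC-SHA256 stands in for the symmetric signature and RSA-PSS for the asymmetric one; the subject, the message and the key names are constructed. The part worth copying is the RP's order of checks: the IP's signature on the token first, then the proof with the key taken from that token.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Token stands in for the SAML 1.1 assertion: subject plus either the proof
// key (symmetric) or the client's public key (asymmetric). The IP signs it,
// so the RP knows the IP, not the presenter, bound that key to these claims.
type Token struct {
	Subject   string `json:"subject"`
	KeyType   string `json:"keyType"`          // "Symmetric" or "Asymmetric"
	SymKey    []byte `json:"symKey,omitempty"` // 128-bit proof key
	PubKeyDER []byte `json:"pubKey,omitempty"` // client public key, PKCS#1 DER
}

func (t Token) bytes() []byte { b, _ := json.Marshal(t); return b }

type SignedToken struct {
	Token     Token
	Signature []byte // the IP's RSA-PSS signature over Token.bytes()
}

type IdentityProvider struct{ Key *rsa.PrivateKey }

func (ip *IdentityProvider) sign(t Token) (SignedToken, error) {
	h := sha256.Sum256(t.bytes())
	sig, err := rsa.SignPSS(rand.Reader, ip.Key, crypto.SHA256, h[:], nil)
	return SignedToken{Token: t, Signature: sig}, err
}

// IssueSymmetric (keyType Symmetric, keySize 128): the IP generates the key,
// puts it in the token for the RP and hands the same key to the client as
// the proof token. It stays secret only if the token is encrypted to the RP.
func (ip *IdentityProvider) IssueSymmetric(subject string) (SignedToken, []byte, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return SignedToken{}, nil, err
	}
	st, err := ip.sign(Token{Subject: subject, KeyType: "Symmetric", SymKey: key})
	return st, key, err
}

// IssueAsymmetric (keyType Asymmetric, keySize 2048): the client generated
// the pair and sent the public half in the RST; the IP never sees the other.
func (ip *IdentityProvider) IssueAsymmetric(subject string, clientPub *rsa.PublicKey) (SignedToken, error) {
	return ip.sign(Token{Subject: subject, KeyType: "Asymmetric", PubKeyDER: x509.MarshalPKCS1PublicKey(clientPub)})
}

// ProveSymmetric and ProveAsymmetric are the client's "sign with the proof key".
func ProveSymmetric(proofKey, msg []byte) []byte {
	m := hmac.New(sha256.New, proofKey)
	m.Write(msg)
	return m.Sum(nil)
}

func ProveAsymmetric(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify is the RP: check the IP's signature on the token first, then the
// message with the key taken from the token, never one the sender supplies.
func Verify(ipPub *rsa.PublicKey, st SignedToken, msg, proof []byte) error {
	h := sha256.Sum256(st.Token.bytes())
	if err := rsa.VerifyPSS(ipPub, crypto.SHA256, h[:], st.Signature, nil); err != nil {
		return errors.New("token not signed by the identity provider")
	}
	switch st.Token.KeyType {
	case "Symmetric":
		if !hmac.Equal(proof, ProveSymmetric(st.Token.SymKey, msg)) {
			return errors.New("message not signed with the proof key")
		}
		return nil
	case "Asymmetric":
		pub, err := x509.ParsePKCS1PublicKey(st.Token.PubKeyDER)
		if err != nil {
			return err
		}
		mh := sha256.Sum256(msg)
		return rsa.VerifyPSS(pub, crypto.SHA256, mh[:], proof, nil)
	}
	return errors.New("unknown keyType")
}

func main() {
	ipKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("GET /resource") // constructed message from client to RP
	st, proof, _ := (&IdentityProvider{Key: ipKey}).IssueSymmetric("alice")
	fmt.Println("symmetric proof verifies:", Verify(&ipKey.PublicKey, st, msg, ProveSymmetric(proof, msg)) == nil)
}
```

With a symmetric proof key the RP and the client share a secret the IP minted, so the token must reach the RP confidentially (the earlier "Token Encrypted to RP" slide); with an asymmetric key only the public half travels, which is why the IP can issue it without holding anything secret for the RP.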
ADFS WS-Fed

Parties: Browser Client, FS-A STS (account partner federation server), Web Server, FS-R STS (resource partner federation server).

1. Browser → Web Server: GET appURL
2. Web Server → Browser: 302 fs-rURL?wa=…&wreply=AppURL&wctx=appURL
3. FS-R: detect the user's home realm
4. FS-R → Browser: 302 fs-aURL?wa=...&wtrealm=fs-rURI&wctx=AppURL/appURL
5. FS-A: authenticate the user
6. FS-A → Browser: 200 <FORM ACTION=fs-rURL METHOD=POST> <INPUT … NAME=wresult VALUE=[fs-a token]> … (auto-submitted to FS-R)
7. FS-R → Browser: 200 <FORM ACTION=AppURL METHOD=POST> <INPUT … NAME=wresult VALUE=[fs-r token]> … (auto-submitted to the web server)
8. Web Server → Browser: 302 appURL, with a Set-Cookie response header (the application session cookie)
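The redirect chain above as an added example (not ADFS code and not from the deck): building and parsing the wa/wtrealm/wreply/wctx query string, FS-R's home-realm redirect to FS-A with its own URI as wtrealm, and the auto-posting form that carries wresult. Host names, realm URIs and the way wctx is packed are this example's own. The check to take from it is ResolveReply: wreply comes from the query string, so an STS must not post a token to it unless it sits under the endpoint registered for wtrealm.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/url"
	"strings"
)

// SignInRequest holds the WS-Federation passive requestor query parameters.
type SignInRequest struct {
	Action string // wa: "wsignin1.0" for a sign-in
	Realm  string // wtrealm: URI of the requesting RP or resource STS
	Reply  string // wreply: where the result should be POSTed
	Ctx    string // wctx: opaque state the requester wants echoed back
}

// RedirectURL builds the 302 target the RP (or FS-R) sends the browser to.
func (r SignInRequest) RedirectURL(stsURL string) string {
	q := url.Values{"wa": {r.Action}, "wtrealm": {r.Realm}}
	if r.Reply != "" {
		q.Set("wreply", r.Reply)
	}
	if r.Ctx != "" {
		q.Set("wctx", r.Ctx)
	}
	return stsURL + "?" + q.Encode()
}

// ParseSignIn is what an STS does with the incoming GET.
func ParseSignIn(raw string) (SignInRequest, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return SignInRequest{}, err
	}
	q := u.Query()
	if q.Get("wa") != "wsignin1.0" {
		return SignInRequest{}, errors.New("unsupported wa: " + q.Get("w"+"a"))
	}
	return SignInRequest{Action: "wsignin1.0", Realm: q.Get("wtrealm"), Reply: q.Get("wreply"), Ctx: q.Get("wctx")}, nil
}

// STS knows its registered relying parties: realm URI -> registered reply endpoint.
type STS struct {
	URL    string
	Realms map[string]string
}

// ResolveReply decides where a token may be POSTed. wreply arrives in the query
// string, so anyone can put a URL there; honour it only under the registered endpoint.
func (s *STS) ResolveReply(req SignInRequest) (string, error) {
	registered, ok := s.Realms[req.Realm]
	if !ok {
		return "", errors.New("unknown wtrealm: " + req.Realm)
	}
	if req.Reply == "" {
		return registered, nil
	}
	if !underRegistered(req.Reply, registered) {
		return "", errors.New("wreply not under the registered endpoint: " + req.Reply)
	}
	return req.Reply, nil
}

func underRegistered(reply, registered string) bool {
	r, err1 := url.Parse(reply)
	g, err2 := url.Parse(registered)
	if err1 != nil || err2 != nil || r.Scheme != "https" || r.Scheme != g.Scheme || r.Host != g.Host {
		return false
	}
	base := strings.TrimSuffix(g.Path, "/")
	return r.Path == base || strings.HasPrefix(r.Path, base+"/")
}

// HomeRealmRedirect is FS-R's step: it cannot authenticate the user itself, so
// it sends the browser to the account partner FS-A with its own URI as wtrealm.
// Packing the original reply and wctx into wctx is this example's own encoding.
func (s *STS) HomeRealmRedirect(fsaURL, reply, ctx string) string {
	packed := url.Values{"wreply": {reply}, "wctx": {ctx}}.Encode()
	return SignInRequest{Action: "wsignin1.0", Realm: s.URL, Ctx: packed}.RedirectURL(fsaURL)
}

// SignInForm is the 200 response that carries wresult back through the browser.
// Values are HTML-escaped because wctx is attacker-supplied text written into a page.
func SignInForm(action, wresult, wctx string) string {
	return fmt.Sprintf(`<form method="POST" action="%s">`+
		`<input type="hidden" name="wa" value="wsignin1.0">`+
		`<input type="hidden" name="wresult" value="%s">`+
		`<input type="hidden" name="wctx" value="%s"></form>`,
		html.EscapeString(action), html.EscapeString(wresult), html.EscapeString(wctx))
}

func main() {
	sts := &STS{URL: "https://fs-r.example/adfs/ls/", Realms: map[string]string{"urn:app": "https://app.example/"}}
	req, _ := ParseSignIn("https://fs-r.example/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3Aapp&wreply=https%3A%2F%2Fevil.example%2F")
	_, err := sts.ResolveReply(req)
	fmt.Println(err)
}
```

The host comparison is exact and the scheme must be https, so a wreply on a look-alike host or a plain-http downgrade is refused; matching on a path prefix alone would let https://app.example.evil/ through.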
Requestor flow with an RP STS

Parties: Requestor (client), Identity Provider STS, Target Service, Relying Party STS.

1. Requestor → Target Service: HTTPS GET
2. Target Service → Requestor: HTTPS 302, redirect to the RP STS
3. Requestor → RP STS: HTTPS GET home realm discovery page
4. RP STS → Requestor: HTTPS 200 (page with the CardSpace icon)
5. Requestor: CardSpace selection
6. Requestor → IP STS: WS-Trust RST
7. IP STS → Requestor: WS-Trust RSTR
8. Requestor → RP STS: HTTPS POST security token (WS-Fed)
9. RP STS: authenticate the token, extract claims, create, encrypt and sign a new token
10. RP STS → Requestor: HTTP 200 (JavaScript to send the token to the target service)
11. Requestor → Target Service: HTTPS POST security token