Whiteboard discussion of WS-Fed and WS-Trust

WS-* Metasystem Protocol (Client Application, Identity Selector, Identity Provider, Relying Party)

1. Client Application -> Relying Party: WS-MEX GetMetadata Request
2. Relying Party -> Client Application: WS-MEX GetMetadata Response (the RP's WS-Security Policy)
3. Client Application -> Identity Selector: GetToken(RP Policy)
4. Identity Selector: Select Identity (the selected identity needs credentials from an Identity Provider)
5. Identity Selector -> Identity Provider: WS-MEX GetMetadata Request
6. Identity Provider -> Identity Selector: WS-MEX GetMetadata Response (IP Policy)
7. Identity Selector -> Identity Provider: WS-Trust RST Request (user credentials)
8. Identity Provider -> Identity Selector: WS-Trust RSTR Response (security token)
9. Identity Selector -> Client Application: Return security token
10. Client Application -> Relying Party: Access Resource with security token (WS-Security)

Browser Metasystem Protocol (Client Browser, Identity Selector, Identity Provider, Relying Party)

1a. Client Browser -> Relying Party: HTTP/GET to protected page
1b. Relying Party -> Client Browser: HTTP/redirect to login page
2a. Client Browser -> Relying Party: HTTPS/GET to login page
2b. Relying Party -> Client Browser: HTTPS login page (RP Policy carried in an HTML information card tag)
2c. User clicks the information card
3. Client Browser -> Identity Selector: GetBrowserToken(RP Policy)
4. Identity Selector: Select Identity (the selected identity needs credentials)
5. Identity Selector -> Identity Provider: WS-MEX GetMetadata Request
6. Identity Provider -> Identity Selector: WS-MEX GetMetadata Response
7. Identity Selector -> Identity Provider: WS-Trust RST Request (user credentials)
8. Identity Provider -> Identity Selector: WS-Trust RSTR Response (security token)
9. Identity Selector -> Client Browser: Return security token
10. Client Browser -> Relying Party: HTTPS/POST with security token
11. Relying Party -> Client Browser: HTTP/redirect with session cookie

Token Encrypted to RP (CardSpace, Identity Provider, Relying Party)

- The Identity Provider and the Relying Party may have established a relationship out-of-band, so the RP's key is known to the IP.
- CardSpace: express the desire to convey the RP's identity to the IP; include the RP's identity in the request; generate the message.
- Identity Provider: encrypt the token with the RP's key; generate the response message; encrypt it to the client.
- The RP asks for this in the token parameters of its app.config:

  <tokenParameters>
    <xmlElement>
      <wsp:Policy>
        <ic:RequireAppliesTo />
      </wsp:Policy>
    </xmlElement>
    …
  </tokenParameters>

Token not Encrypted to RP (CardSpace, Identity Provider, Relying Party)

- CardSpace: request a security token (token requirements); generate the message.
- Identity Provider: the RP's key is not known to the IP, so the IP cannot encrypt the token with the RP's key and the token is not encrypted; generate the response message; encrypt it to the client.

Proof Token: Symmetric Key (CardSpace, Identity Provider, Relying Party)

- CardSpace -> Identity Provider: request for security token with token requirements keyType: Symmetric, keySize: 128, tokenType: SAML1.1.
- Identity Provider: generate a key; generate a token and include the key in the token; include the key as part of the proof token in the message; generate the response message; encrypt it to the client.
- CardSpace -> Relying Party: generate the message and sign it with the proof key.
- Relying Party: verify the token and its signature.

Proof Token: Asymmetric Key (CardSpace, Identity Provider, Relying Party)

- CardSpace: generate a key-pair; request for security token with token requirements keyType: Asymmetric, keySize: 2048, tokenType: SAML1.1; include one key of the pair in the request.
- Identity Provider: generate a token (SAML) and include that key in the token; generate the response message; encrypt it to the client.
- CardSpace -> Relying Party: generate the message and sign it with the other key of the pair.
- Relying Party: verify the signature.

ADFS WS-Fed (Browser Client, FS-A STS, Web Server, FS-R STS)

1. Browser Client -> Web Server: GET appURL
2. Web Server -> Browser Client: 302 fs-rURL?wa=…&wreply=AppURL&wctx=appURL
3. FS-R STS: detect user's home realm
4. FS-R STS -> Browser Client: 302 fs-aURL?wa=...&wtrealm=fs-rURI&wctx=AppURL/appURL
5. FS-A STS: authenticate user
6. FS-A STS -> Browser Client: 200 <FORM ACTION=fs-rURL METHOD=POST <INPUT…NAME=wresult VALUE=[fs-a token]>…>
7. FS-R STS -> Browser Client: 200 <FORM ACTION=AppURL METHOD=POST <INPUT…NAME=wresult VALUE=[fs-r token]>…>
8. Web Server -> Browser Client: 302 appURL [HttpResponseHeader=SetCookie]

Requestor Client, Identity Provider STS, Target Service, Relying Party STS

1. Requestor Client -> Target Service: HTTPS GET
2. Target Service -> Requestor Client: HTTPS 302 – Redirect to RP STS
3. Requestor Client -> Relying Party STS: HTTPS GET Home Realm Discovery Page
4. Relying Party STS -> Requestor Client: HTTPS 200 (CardSpace Icon)
5. Requestor Client: CardSpace Selection
6. Requestor Client -> Identity Provider STS: WS-Trust RST
7. Identity Provider STS -> Requestor Client: WS-Trust RSTR
8. Requestor Client -> Relying Party STS: HTTPS POST Security Token (WS-Fed)
9. Relying Party STS: authenticate token, extract claims, create, encrypt and sign new token
10. Relying Party STS -> Requestor Client: HTTP 200 (javascript to send token to Target Service)
11. Requestor Client -> Target Service: HTTPS POST Security Token
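The WS-Fed redirect and form-POST exchange of the ADFS slide, as an added example that is not from the whiteboard or from ADFS: the relying party builds the 302 to its STS, the STS checks that wreply belongs to the registered wtrealm before it authenticates anyone, and then returns the auto-posting form carrying wresult. It assumes wa=wsignin1.0 (the WS-Federation sign-in action, which the slide elides), a hypothetical RP registry, and constructed host names.

```python
from html import escape
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registry of relying parties the STS trusts (hypothetical values):
# wtrealm URI -> set of hosts to which a token for that realm may be posted.
RP_REGISTRY = {
    "urn:federation:app-a": {"app-a.example.test"},
}


def build_signin_url(sts_url, wtrealm, wreply, wctx):
    """RP side: the 302 that sends the browser to the STS (wa=wsignin1.0)."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm, "wreply": wreply, "wctx": wctx}
    return f"{sts_url}?{urlencode(params)}"


def validate_signin_request(url):
    """STS side: returns (ok, reason). Run before authenticating the user so a
    token is never posted to a reply URL the RP did not register for its realm."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("wa") != "wsignin1.0":
        return False, "unsupported wa"
    allowed_hosts = RP_REGISTRY.get(q.get("wtrealm"))
    if allowed_hosts is None:
        return False, "unknown wtrealm"
    reply = q.get("wreply")
    if reply is None:
        return True, "wreply absent, STS uses the realm's registered URL"
    p = urlparse(reply)
    # Exact netloc match rejects look-alike hosts, userinfo tricks and odd ports.
    if p.scheme != "https" or p.netloc not in allowed_hosts:
        return False, "wreply host not registered for wtrealm"
    return True, "ok"


def build_signin_response_form(wreply, wresult, wctx):
    """STS side: the 200 page whose form auto-posts wresult (the token) and wctx
    back to the validated wreply; values are escaped so the token cannot break
    out of the attribute."""
    return (
        f'<form method="POST" action="{escape(wreply, quote=True)}">'
        '<input type="hidden" name="wa" value="wsignin1.0">'
        f'<input type="hidden" name="wresult" value="{escape(wresult, quote=True)}">'
        f'<input type="hidden" name="wctx" value="{escape(wctx, quote=True)}">'
        "</form><script>document.forms[0].submit()</script>"
    )
```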