WS-Federation version 1.1 is out, 3 years after...
By hubertsblog on Dec 20, 2006
So, it seems Microsoft, IBM & al. have decided to release a new version of WS-Federation, more than 3 years after their first version. I've done a quick read on it and listed some of the most noticeable changes below:
- Structurally there is now only one document. The passive, active and various interoperability profiles have all been combined in this single document. I tend to think this is a good thing since all these profiles were certainly creating confusion. IMHO they were also showing a certain lack of testing before the first publication hence leading to the need for additional interoperability profiles (but I'm being controversial here...).
- All the protocols have been combined in a single big section (13)
- The focus seems to be more on the active requestor rather than the passive profile which is mainly addressed in section 13.6
There are some new features in this spec too:
- Federation metadata: with the concept of context to describe the fact of belonging to one or more federation (what SAML or Liberty Alliance calls Circle of Trust (CoT))
- Authorization service & Pseudonym service: these are basically specialized versions of an STS in order to be able to include either attributes or pseudonyms along with the token that's being issued.
At this point it really looks like WS-Federation 1.1 is mimicking most of SAML2.0 functionalities although I think there are a few differences that I'll explore in a forthcoming post.
Finally, can someone tell me why in a world they decided to expand SSO as single sign-out when everyone else in the industry understands it as single sign-on ?! Talk about confusing people...