WS-Federation version 1.1 is out, 3 years after...

So, it seems Microsoft, IBM & al. have decided to release a new version of WS-Federation, more than 3 years after their first version. I've done a quick read on it and listed some of the most noticeable changes below:

  • Structurally there is now only one document. The passive, active and various interoperability profiles have all been combined in this single document. I tend to think this is a good thing since all these profiles were certainly creating confusion. IMHO they were also showing a certain lack of testing before the first publication hence leading to the need for additional interoperability profiles (but I'm being controversial here...).
  • All the protocols have been combined in a single big section (13).
  • The focus seems to be more on the active requestor than on the passive profile, which is mainly addressed in section 13.6.


There are some new features in this spec too:

  • Federation metadata: with the concept of context to describe the fact of belonging to one or more federations (what SAML or Liberty Alliance calls a Circle of Trust (CoT)).
  • Authorization service & Pseudonym service: these are basically specialized versions of an STS, able to include either attributes or pseudonyms along with the token that is being issued.


At this point it really looks like WS-Federation 1.1 is mimicking most of the SAML 2.0 functionality, although I think there are a few differences that I'll explore in a forthcoming post.
Finally, can someone tell me why in the world they decided to expand SSO as single sign-out when everyone else in the industry understands it as single sign-on?! Talk about confusing people...

Comments:

1. You are correct to note the unusual use of "single sign-out" for "SSO". However, a "single sign-on" use case is given in App. III.1, but "SSO" is not used in that context. 2. My primary objection to wording in this document is the unqualified use of "Federation". Perhaps this document should be titled "WS-SecurityFederation" or something along those lines. Federation itself is much broader than security. [I'm guessing that the simple math question uses base 10...? :]

Posted by Bob Natale on December 27, 2006 at 03:38 AM PST #

Not sure you actually read the document correctly, as if you read the first sentence of section 4.1 you will see "The sign-out mechanism allows requestors to send a message to its IP/STS indicating that the requester is initiating a termination of the SSO", and if you look in the glossary you will see that there is a definition for SSO (and guess what, it's not single sign out). Also there is a definition of Federation there, so the use of "Federation" is not unqualified.

Posted by guest on January 08, 2007 at 12:04 PM PST #

Hello, thanks for the comments.

Not that it is an essential point (although I find it a bit controversial) but SSO is indeed defined as Single Sign-Out in the aforementioned document; see section 1.6 page 12 in the Terminology section. There's no other glossary section that I could find in this document.
I agree the use of the acronym in the first sentence of section 4.1 is contradictory to its subsequent uses in section 4.2, where SSO does seem to imply single sign-out.

I guess even the author had a hard time convincing himself that SSO stands for Single Sign-Out ;-)

Cheers,
Hubert

PS: Yes Bob, it is in base 10 - not sure those tests are all that effective though...

Posted by Hubert on January 08, 2007 at 01:31 PM PST #
