Web Services Security Specifications Index Page


Updated October 2007

Brief

The Web Services Security (WS-Security) roadmap describes Microsoft's strategy for addressing security within a Web service environment. It defines a comprehensive Web service security model that supports, integrates, and unifies several popular security models, mechanisms, and technologies (including both symmetric and public key technologies) in a way that enables a variety of systems to securely interoperate in a platform- and language-neutral manner. It describes scenarios that show how the following specifications might be used together. This family of specifications delivers on this roadmap.

White Papers

Security Roadmap

This document describes a strategy for addressing security within a Web Service environment. It defines a comprehensive Web service security model that supports, integrates and unifies several popular security models, mechanisms, and technologies (including both symmetric and public key technologies) in a way that enables a variety of systems to securely interoperate in a platform- and language-neutral manner. It also describes a set of specifications and scenarios that show how these specifications might be used together.

Federation Whitepaper

This document describes the issues around federated identity management and describes a comprehensive solution based on the Web services specifications outlined in the WS-Security Roadmap and other related Web services specifications.

Federation Identity Management Interoperability

This document addresses the need for enterprises to extend internal systems to external users to ensure that the systems can interoperate with other organizations' applications. Leading Identity Management Solution providers demonstrated their solutions that meet this need in a recent Interoperability Workshop.

Specifications

WS-Security: SOAP Message Security
WS-Security describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication.
WS-Security also provides a general-purpose, but extensible, mechanism for associating security tokens with messages.
Additionally, WS-Security describes how to encode binary security tokens—specifically X.509 certificates and Kerberos tickets, as well as how to include opaque encrypted keys.

WS-Security: UsernameToken Profile
This document describes the use of the UsernameToken with the WS-Security specification.

WS-Security: X.509 Certificate Token Profile
This specification describes the use of the X.509 authentication framework with the WS-Security specification.

WS-SecurityPolicy
WS-SecurityPolicy indicates the policy assertions for use with WS-Policy that apply to WS-Security, WS-Trust, and WS-SecureConversation.

WS-Trust
WS-Trust defines extensions that build on WS-Security to request and issue security tokens and to manage trust relationships.

WS-SecureConversation
WS-SecureConversation defines extensions that build on WS-Security to provide secure communication. Specifically, it defines mechanisms for establishing and sharing security contexts, and for deriving session keys from those security contexts.

WS-Trust, WS-SecureConversation, and WS-SecurityPolicy were contributed to the OASIS WS-SX Technical Committee in December 2005.

WS-SX TC Web site

WS-Trust, WS-SecureConversation, WS-SecurityPolicy specifications at OASIS

WS-Federation
WS-Federation defines mechanisms that are used to enable identity, attribute, authentication, and authorization federation across different trust realms.

WS-Federation Active Requestor Profile
WS-Federation Active Requestor Profile defines how the cross trust realm identity, authentication and authorization federation mechanisms defined in WS-Federation are used by active requestors such as SOAP-enabled applications.

WS-Federation Passive Requestor Profile
WS-Federation Passive Requestor Profile describes how the cross trust realm identity, authentication, and authorization federation mechanisms defined in WS-Federation can be used by passive requestors such as Web browsers to provide Identity Services. Passive requestors of this profile are limited to the HTTP protocol.

WS-Security: Kerberos Binding
WS-Security: Kerberos Binding describes how to use the Web Services security specifications with Kerberos.

Web Single Sign-On Interoperability Profile
Web Single Sign-On Interoperability Profile defines an interoperability profile of the Web Single Sign-On Metadata Exchange Protocol that allows using either Liberty Identity Federation or WS-Federation-based Identity Providers to interact with a service.

Web Single Sign-On Metadata Exchange Protocol
Web Single Sign-On Metadata Exchange Protocol defines how a service can query an identity provider for metadata that describes the identity-processing protocol suites supported by that provider.

Related Link: See the WS-Policy Specification Index Page.

Status

Feedback and Interoperability Workshops are now being conducted for the WS-Security family of specifications.

Web Services Security: SOAP Message Security was published as an OASIS Standard in March of 2004.

Web Services Security: UsernameToken Profile 1.0 was published as an OASIS Standard in March of 2004.

Web Services Security: X.509 Certificate Token Profile was published as an OASIS Standard in March of 2004.

WS-Trust was published as a public specification on 28 Feb 2005. This is the third joint publication of the specification.

WS-SecureConversation was published as a public specification on 28 Feb 2005. This is the third joint publication of the specification.

WS-SecurityPolicy was published as a public specification on 13 July 2005. This is the third joint publication of the specification.

WS-Federation and the Federation profiles were published as public specifications on 8 July 2003. This is the first joint IBM/Microsoft/VeriSign/BEA/RSA Security publication of these specifications.

Web Services Security Kerberos Binding was published as a public specification on 19 December 2003. This is the first joint IBM/Microsoft publication of the specification.

Web Single Sign-On Interoperability Profile was published as a public specification on 13 May 2005. This is the first joint publication of the specification.

Web Single Sign-On Metadata Exchange Protocol was published as a public specification on 13 May 2005. This is the first joint publication of the specification.

Web Services Security Application Notes

WS-Security AppNotes - provides guidance and additional examples to implementers of the WS-Security specification.

Using WS-Trust for Simple and Protected Negotiation Protocol - describes usage of the WS-Trust binary negotiation framework for the Simple and Protected Negotiation Protocol defined in RFC 2478 [2478] to securely establish a common security mechanism as well as a shared security context between two GSS peers.

Using WS-Trust for TLS Handshake - describes usage of the WS-Trust binary negotiation framework for the TLS Handshake protocol defined in RFC 2246 to securely establish the recipient's identity, securely establish a shared security context between two SOAP nodes, and optionally establish the authenticity of the sender using the sender's WS-Security credentials.

Web Services Addressing Endpoint References and Identity - provides a mechanism to describe security-verifiable identity for endpoints by leveraging extensibility of the WS-Addressing specification.

Schemas

Secext
Utility
WS-SecureConversation
WS-Trust
WS-SecurityPolicy
Web Single Sign-On Metadata Exchange Protocol

WSDL

WS-Trust
WS-Federation

Superseded Specifications

WS-SecureConversation (May 2004)
This specification has been superseded by a more recent version published Feb 2005.

WS-SecureConversation (December 2002)
This specification has been superseded by a more recent version published May 2004.

WS-SecurityPolicy (December 2002)
This specification has been superseded by a more recent version published July 2005.

WS-Trust (May 2004)
This specification has been superseded by a more recent version published Feb 2005.

WS-Trust (Dec 2002)
This specification has been superseded by a more recent version published May 2004.

WS-Security (April 2002)

This specification has been superseded by the OASIS standardization process.

WS-Security Addendum (July 2002)

This specification has been superseded by the OASIS standardization process.

WS-Security Profile for XML Tokens (August 2002)

This specification has been superseded by the OASIS standardization process.

Superseded Schemas

WS-SecureConversation (May 2004)
WS-Trust (May 2004)
Secext (December 2002)
Utility
Secext (July 2002)
Utility

Superseded WSDL

WS-Trust (May 2004)
WS-Trust (Dec 2002)