Total Pageviews

Monday, December 15, 2014

federation protocols and their differences

Federation Protocols

In building a federated architecture that addresses interoperability, assurance, and trust concerns across security domains, the following protocols have emerged as useful building blocks for identity management integration:
  • SAML 1.0 and 1.1, which define a format for security data exchange known as an assertion, and profiles which provide the means for using the assertions
  • SAML 2.0, which extends SAML 1.1 to provide additional profiles.
  • WS-Federation, which enables different security realms to federate by brokering trust of identities, user attributes, authentication between participating Web services

SAML 1.x

SAML 1.0 defines two key concepts:
  1. a security token format, known as an assertion, which associates a given identity with specific access rights
  2. profiles that describe ways to package these assertions to provide single sign-on
SAML 1.1 updates SAML 1.0 with feedback and corrections. Specifically, SAML 1.1 introduces XML Digital Signatures changes that greatly improve interoperabilty. Because of these XML Digital Signature changes, Oracle recommends that you use the SAML 1.1 protocol over SAML 1.0 whenever possible as it greatly reduces issues when verifying signatures.

SAML 2.0

SAML 2.0 includes support for single sign-on based largely on the framework developed by the Liberty Alliance ID-FF specifications.
Although the concept of identity federation is not present in the specifications, SAML 2.0 promotes the existence of a name identifier for a specific use. SAML 2.0 supports a number of named profiles that largely mirror the functionality of the Liberty ID-FF 1.2 profiles, on top of the name identifiers inherited from SAML 1.x.

WS-Federation



The WS-Federation specification is "an integrated model for federating identity, authentication, and authorization across different trust realms and protocols." WS-Federation is a Web services-oriented standard which supports profiles for passive requestors, such as Web browsers, as well as active requestors such as SOAP-enabled applications.


No comments:

Post a Comment