Let's take a break from the visionary stuff (but I'll get back to that, especially now that Jon chimed in) and get some good old WS-* action. One of the things I didn't cover in the WS-Trust video (I know, it doesn't work right now; I notified the channel9 guys) is how proof tokens work; and since you are a very attentive audience, I get questions on the matter pretty often. Another video would probably be the best format, as Planky suggested months ago, but let's see if we manage to do something even with a static medium.

So, proof tokens. In the most classic case, the proof token is what allows the requestor to use a key that's locked in a token encrypted for somebody else. Crystal clear, right? ...NOOT :-) Ok, let's go one step at a time.

Let's say that you have an RP, implemented by a web service. Your RP requires that it be invoked via calls secured by a token in SAML 1.1 format, issued by STS A and containing the claim http://whatever. Let's express the situation described in a picture.

It seems complicated, but in fact it is pretty easy. The picture shows the message that is being sent to the RP. The cyan rectangle encloses the token being used for securing the call. As requested by the RP's policy, the token is signed by STS A: the outermost pair of brackets shows the signature operation, made with STS A's private key (the red triangle key). The inner pair of brackets represents an encryption operation, made with the public key of the RP (the blue rectangular key). The token is encrypted
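The two brackets in the picture, carried through to the point where the requestor uses the proof key, as an added Go example that is not code from the post: STS A encrypts the assertion for the RP and signs the result, the requestor never opens the token but proves possession of the key locked inside it, and the RP checks both. The byte layout standing in for the SAML 1.1 assertion, the HMAC over the message body and the OAEP / PKCS#1 v1.5 choices are all assumptions.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Issue plays STS A: the assertion is encrypted for the RP (inner bracket), that
// ciphertext is signed by STS A (outer bracket), and the proof key goes back separately.
func Issue(sts *rsa.PrivateKey, rp *rsa.PublicKey) (cipher, sig, proof []byte, err error) {
	proof = make([]byte, 32)
	rand.Read(proof) // crypto/rand: recent Go guarantees this cannot fail
	// Constructed stand-in for the SAML 1.1 assertion body: proof key, then the claim.
	plain := append(append([]byte{}, proof...), "http://whatever"...)
	if cipher, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, rp, plain, nil); err != nil {
		return
	}
	digest := sha256.Sum256(cipher)
	sig, err = rsa.SignPKCS1v15(rand.Reader, sts, crypto.SHA256, digest[:])
	return
}

// Prove plays the requestor: it cannot open the token, but it can MAC the
// message body with the proof key it received alongside the token.
func Prove(proof, body []byte) []byte {
	m := hmac.New(sha256.New, proof)
	m.Write(body)
	return m.Sum(nil)
}

// Verify plays the RP: check STS A's signature, decrypt with the RP's private
// key, then confirm the caller holds the proof key locked inside the token.
func Verify(cipher, sig []byte, stsPub *rsa.PublicKey, rp *rsa.PrivateKey, body, mac []byte) (string, error) {
	digest := sha256.Sum256(cipher)
	if err := rsa.VerifyPKCS1v15(stsPub, crypto.SHA256, digest[:], sig); err != nil {
		return "", err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rp, cipher, nil)
	if err != nil || len(plain) < 32 {
		return "", errors.New("token was not encrypted for this RP")
	}
	if !hmac.Equal(mac, Prove(plain[:32], body)) {
		return "", errors.New("caller does not hold the proof key")
	}
	return string(plain[32:]), nil
}
```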