The fundamental purpose of federated identity is to enable subjects to use identities managed in one realm to gain authorized access to resources managed in other realms. Requests to access resources are authenticated and authorized by the exchange of security tokens and the claims they contain. Before seamless federated access can be granted, Identity Providers (IPs) and Service Providers (SPs) must configure their servers to agree on the types of tokens and claims that will be exchanged, and on the keys that will be used to sign and encrypt them. This configuration data is generically referred to as “federation metadata”; early implementations required this metadata to be entered manually on both sides of the relationship, which is extremely error prone because of the lengthy URIs involved.
A huge improvement in administrative efficiency can be gained by automating this configuration. The key to automation is enabling IPs and SPs to publish their federation metadata in a standard format which can be exchanged between potential partners. The Shibboleth community has demonstrated the effectiveness of this approach. The SAML 2.0 standard includes the Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0 specification [Samlv2Meta] that is devoted to standardization of a federation metadata format.
Federation metadata has also been a critical component of the WS-Federation specification that was submitted to OASIS. A key goal has been to develop a single specification that can support both passive (web application) and active (web service) requestors. In the interests of promoting engineering efficiencies for developers, and interoperability enhancements for deployers, the WSFED TC decided to make a substantive change to its federation metadata document structure during the first Public Review cycle. WS-Federation has been revised to take a normative dependency on the SAML 2.0 federation metadata document structure. The original format has been deprecated, although it is still supported for backwards compatibility with early implementations. The preferred format must be rooted in either the <md:EntityDescriptor> element or the <md:EntitiesDescriptor> element from [Samlv2Meta]. The WS-Federation specification defines extensions for web services constructs (such as Endpoint References) that are required for WS-* protocols.
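To make the preferred format concrete, here is an added example (not code from the specification or from any of the projects mentioned above) that parses a SAML 2.0 metadata document, enforces the rule that the root must be <md:EntityDescriptor> or <md:EntitiesDescriptor>, and pulls out what a partner needs before federating: each entity's entityID, its roles, its signing and encryption certificates, and its protocol endpoints. The metadata document embedded in it is constructed for the example; the certificate values are placeholders rather than real X.509 data, and the entityIDs and URLs are invented. WS-Federation's own extension elements are not modelled.

```python
"""Parse SAML 2.0 metadata (the structure WS-Federation now depends on) and
report the configuration a federation partner needs.  The sample document
below is constructed for this example; certificates are placeholders."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MD = "{%s}" % NS["md"]
DS = "{%s}" % NS["ds"]

# Constructed sample: one IdP and one SP aggregated under EntitiesDescriptor.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="example-federation">
  <md:EntityDescriptor entityID="https://idp.example.org/sts">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIB...IDP-SIGNING-PLACEHOLDER</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://app.example.com/">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIB...SP-ENCRYPTION-PLACEHOLDER</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://app.example.com/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


@dataclass
class Entity:
    entity_id: str
    roles: list = field(default_factory=list)      # e.g. ["IDPSSODescriptor"]
    keys: dict = field(default_factory=dict)       # key use -> [certificate text]
    endpoints: list = field(default_factory=list)  # (element, Binding, Location)


def parse_metadata(xml_text: str) -> list:
    """Return one Entity per <md:EntityDescriptor>; reject other root elements."""
    root = ET.fromstring(xml_text)
    # The preferred WS-Federation format must be rooted in one of these two elements.
    if root.tag not in (MD + "EntityDescriptor", MD + "EntitiesDescriptor"):
        raise ValueError("not SAML 2.0 metadata: unexpected root %s" % root.tag)
    entities = []
    # iter() covers a lone EntityDescriptor as well as nested EntitiesDescriptor groups.
    for desc in root.iter(MD + "EntityDescriptor"):
        ent = Entity(entity_id=desc.get("entityID"))
        for role in desc:
            if not role.tag.endswith("Descriptor"):
                continue  # skip Organization, ContactPerson, Signature, ...
            ent.roles.append(role.tag[len(MD):])
            for kd in role.findall("md:KeyDescriptor", NS):
                # Per the schema, a KeyDescriptor without 'use' serves both purposes.
                use = kd.get("use", "signing+encryption")
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    ent.keys.setdefault(use, []).append("".join(cert.text.split()))
            for ep in role:
                if ep.get("Location"):
                    ent.endpoints.append((ep.tag[len(MD):], ep.get("Binding"), ep.get("Location")))
        entities.append(ent)
    return entities


def metadata_is_signed(xml_text: str) -> bool:
    """True when the root carries an enveloped <ds:Signature>.  Presence only:
    verifying the signature needs an XML-DSig library and a trusted signer."""
    root = ET.fromstring(xml_text)
    return root.find("ds:Signature", NS) is not None


def insecure_endpoints(entities: list) -> list:
    """Locations that are not https URLs; a partner would reject or query these."""
    return [loc for e in entities for (_, _, loc) in e.endpoints
            if not loc.lower().startswith("https://")]


if __name__ == "__main__":
    ents = parse_metadata(SAMPLE_METADATA)
    print("signed:", metadata_is_signed(SAMPLE_METADATA))
    for e in ents:
        print(e.entity_id, e.roles, sorted(e.keys), e.endpoints)
    print("non-https endpoints:", insecure_endpoints(ents))
```

The two helper checks are the ones worth running on metadata obtained automatically: the keys a partner will trust for signing and encryption come from this document, so the document itself has to be authenticated (an enveloped signature from a known signer, or retrieval over a trusted channel) before any of its contents is loaded into a server's configuration, and every endpoint should be an https URL.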
This work could not have been accomplished without the help of numerous SAML experts. In particular I would personally like to thank Scott Cantor, Bob Morgan and Steven Carmody from the Shibboleth community, and Eve Maler and Pat Patterson from Sun Microsystems. I believe this joint effort will significantly improve interoperability and reduce the cost of ownership for enterprise-class customers who typically deploy products from multiple vendors. The harmonization dialogue between the WS-* and SAML communities has begun. We can expect more to come.