1.3 Overview

The Microsoft Web Browser Federated Sign-On Protocol specified in [MS-MWBF] defines a standard mechanism that can be used by a client to acquire a security token from a security token service (STS). Acquiring a security token is designed to address the following problem related to communicating user information to remote applications and services.

To properly control access to information or resources in remote web service (WS) resources, those WS resources have to have information about the users that are accessing them. Previous solutions required the WS resource to identify the user and use that identity to access further information about the user. Users were prompted multiple times to supply credentials (for example, user names and passwords) to securely identify themselves and authenticate to multiple WS resources.

Implementations of the Microsoft Web Browser Federated Sign-On Protocol solve this problem by moving the responsibility for authenticating the user away from the remote WS resource to an STS that already has an account for the user. This STS issues security tokens that contain information about the user in the form of claims. When accessing a WS resource, the user's web browser presents a security token obtained from an STS to the WS resource. The signature in the security token allows the WS resource to verify its validity, and the claims in the security token convey relevant user information to the WS resource. These claims can then be used for making authorization decisions by the WS resource.

Often an STS has to be placed on an internal corporate network, but has to also be accessible from external networks such as the Internet. In order to provide service to client requests coming from external networks, an organization can deploy a proxy component for the STS. If the organization authenticates users using SSL client certificate authentication, then a trusted channel has to be used to communicate the identity of the user back to the STS. Existing HTTP proxies cannot do this without using a custom protocol.

This specification defines a protocol that enables the proxy to communicate the credentials of a user to an STS for the purpose of generating a security token to participate in a Microsoft Web Browser Federated Sign-On Protocol exchange. In addition, the protocol enables the proxy to assist users in selecting a security realm from which to obtain a security token for the STS. This enables the proxy to reduce the number of requests from external networks that have to be serviced by the STS.

The protocol is based on SOAP as defined in [SOAP1.1] and [SOAP1.2-1/2007]. The protocol defines the following operations:

  • A <GetProxyTrustConfiguration> operation that enables the STS proxy to obtain configuration data from the STS that is necessary to assist users in selecting an acceptable security realm from which to obtain a security token.

  • The <LsRequestSecurityToken>, <RequestSecurityTokenWithToken>, and <LsRequestSecurityTokenWithCookie> operations that enable the STS proxy to forward Microsoft Web Browser Federated Sign-On Protocol requests back to the STS and to convert the responses from the STS into Microsoft Web Browser Federated Sign-On Protocol responses.

Section 3 of this specification describes the message processing model that the client and the STS follow to successfully emit or consume protocol messages that are created in accordance with section 2.