More than once, I’ve been asked for a list of references regarding security in SOAP-based services. This time, I’ve decided to blog it so that I can find it/link to it in the future:
- Security in a Web Services World: A Proposed Architecture and Roadmap.
A whitepaper, co-authored by IBM and Microsoft, on the proposed web services security model. This whitepaper predates most of the WS-* specifications.
- The Laws of Identity
Introduces the concepts of an identity meta-system and of claims-based digital identities.
Also contains a set of laws describing requirements that a digital identity system should satisfy.
- Design Rationale behind the Identity Metasystem Architecture
Describes the identity meta-system architectural elements, the rationale behind them, and how they can be mapped to concrete technologies and specifications.
- Web Services Security: SOAP Message Security 1.1 (also known as WS-Security)
The base WS-* security specification. It defines how to protect SOAP messages (confidentiality, authentication) using XML-Signature, XML-Encryption and the security token concept.
- WS-Trust 1.3
Introduces the concept of Security Token Services (STS) as a service for the issuance of security tokens. It also defines a request-response protocol for interacting with the STS.
An STS concretizes the claims transformer abstract concept, which is a key element in the identity meta-system.
This specification builds upon the WS-Security specification.
- WS-SecureConversation 1.3
Defines how to optimize conversations consisting of more than one message exchange, by introducing the concept of a security context and of a security context token that refers to it.
This specification builds upon the WS-Security and WS-Trust specifications.
- Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0
Includes the XML syntax and processing semantics for security assertions, which are generic security tokens.
- Web Services Policy 1.5
Defines a model and associated XML syntax for describing a service’s requirements and capabilities. It is based on the abstract concept of a policy assertion, which expresses one requirement or capability.
- WS-SecurityPolicy 1.2
This specification defines several concrete policy assertions for the security domain.
- An Implementer’s Guide to the Identity Selector Interoperability Profile V1.0
A guide describing the Information Card model and the identity selector concept.
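As a concrete illustration of the WS-Security entry above (an example added here, not code from this post or from the OASIS specifications), the following Python builds a SOAP envelope whose wsse:Security header carries a wsu:Timestamp and a UsernameToken in the PasswordDigest form defined by the WS-Security UsernameToken Profile, and then verifies it the way a receiving service should: timestamp within an acceptance window, digest recomputed over nonce + created + password, clear-text passwords refused, and nonces tracked to reject replays. It goes a little beyond the one-line description in the list by using the UsernameToken profile; the user store, the Echo body and the timestamps are constructed sample data.

```python
"""Minimal WS-Security header (Timestamp + UsernameToken/PasswordDigest): build and verify.
Added example; the user store and all message values are constructed sample data."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from WS-Security 1.0/1.1 and the SOAP 1.1 envelope.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"   # xsd:dateTime in UTC, as used in wsu:Created/Expires


def parse_ts(text: str) -> datetime:
    """Parse a wsu timestamp string into an aware UTC datetime."""
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the UsernameToken Profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, nonce, created, expires, body_text):
    """Sender side: SOAP envelope whose wsse:Security header carries a Timestamp and a UsernameToken."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    sec.set(f"{{{SOAP}}}mustUnderstand", "1")   # receiver must process this header or fault
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = expires
    ut = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(ut, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    nonce_el = ET.SubElement(ut, f"{{{WSSE}}}Nonce", EncodingType=B64_TYPE)
    nonce_el.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(ut, f"{{{WSU}}}Created").text = created
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "Echo").text = body_text
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, users, now, max_skew=timedelta(minutes=5), seen_nonces=None):
    """Receiver side. Returns (True, username) on success, (False, reason) otherwise.
    `now` may be a datetime or a wsu-format string; `seen_nonces` is an optional replay cache."""
    if isinstance(now, str):
        now = parse_ts(now)
    root = ET.fromstring(xml_text)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return False, "missing wsse:Security header"
    ts = sec.find(f"{{{WSU}}}Timestamp")
    ut = sec.find(f"{{{WSSE}}}UsernameToken")
    if ts is None or ut is None:
        return False, "missing Timestamp or UsernameToken"
    # Freshness: tolerate a little clock skew before Created, never accept after Expires.
    created = parse_ts(ts.findtext(f"{{{WSU}}}Created"))
    expires = parse_ts(ts.findtext(f"{{{WSU}}}Expires"))
    if not (created - max_skew <= now <= expires):
        return False, "timestamp outside acceptance window"
    pw = ut.find(f"{{{WSSE}}}Password")
    if pw is None or pw.get("Type") != DIGEST_TYPE:
        return False, "only PasswordDigest is accepted (no clear-text passwords)"
    username = ut.findtext(f"{{{WSSE}}}Username")
    nonce_b64 = ut.findtext(f"{{{WSSE}}}Nonce")
    ut_created = ut.findtext(f"{{{WSU}}}Created")
    if username not in users or nonce_b64 is None or ut_created is None:
        return False, "unknown user or incomplete token"
    # Recompute the digest with the stored password and compare in constant time.
    expected = password_digest(base64.b64decode(nonce_b64), ut_created, users[username])
    if not hmac.compare_digest(expected, pw.text or ""):
        return False, "password digest mismatch"
    if seen_nonces is not None:
        if nonce_b64 in seen_nonces:
            return False, "nonce already seen (replay)"
        seen_nonces.add(nonce_b64)
    return True, username


if __name__ == "__main__":
    users = {"alice": "correct-horse-battery-staple"}   # constructed sample credential store
    now = datetime.now(timezone.utc).replace(microsecond=0)
    msg = build_envelope("alice", users["alice"], os.urandom(16), now.strftime(TS_FMT),
                         (now + timedelta(minutes=5)).strftime(TS_FMT), "ping")
    print(msg)
    seen = set()
    print(verify_envelope(msg, users, now, seen_nonces=seen))   # accepted
    print(verify_envelope(msg, users, now, seen_nonces=seen))   # same nonce again: rejected
```

Note that a UsernameToken only authenticates the sender; it binds nothing to the body, so a relay could swap the payload and keep the header. The confidentiality and integrity half of the WS-Security description (XML-Signature over the Timestamp and Body, XML-Encryption of the Body) is what closes that gap, and it is deliberately left out of this example.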