For more that one time, I’ve been asked for a list of references regarding security in SOAP-based services. This time, I’ve decided to blog it so that I can find it/link to it in the future: 

• Security in a Web Services World: A Proposed Architecture and Roadmap.
  A whitepaper, co-authored by IBM and Microsoft, on the proposed web services security model. This whitepaper predates most of the WS-* specifications.

• The Laws of Identity
  Introduces the concepts of an identity meta-system and of claims-based digital identities.
  Also contains a set of laws, describing requirements that an digital identity system should possess.
  
• Design Rationale behind the Identity Metasystem Architecture
  Describes the identity meta-system architectural elements, the rational behind them, and how they can be mapped to concrete technologies and specifications.

• Web Services Security: SOAP Message Security 1.1 (also known as WS-Security)
  The base WS-* security specification. It defines how to protect SOAP messages protection (confidentiality, authentication), using XML-Signature, XML-Encryption and the security token concept.

• WS-Trust 1.3
  Introduces the concept of Security Token Services (STS) as a service for the issuance of security tokens. It also defines a request-response protocol for interacting with the STS.
  An STS concretizes the claims transformer abstract concept, which is a key element in the identity meta-system.
  This specification builds upon the WS-Security specification.

• WS-SecureConversation 1.3
  Defines how to optimize conversations comprised by more that one message interaction, by defining the concept of a security context and a security context token that refers to it.
  This specification builds upon the WS-Security and WS-Trust specifications.

• Assertions and Protocols for the OASIS Security Assertion Markup Language(SAML) V2.0
  Includes the the XML syntax and processing semantics for security assertions, which are generic security tokens.

• Web Services Policy 1.5
  Defines a model and associated XML syntax for describing service’s requirements and capabilities. It is based on the abstract concept of policy assertion, which defines one requirement or capability.

• WS-SecurityPolicy 1.2
  This specification defines several concrete policy assertions for the security domain.

• An Implementer’s Guide to the Identity Selector Interoperability Profile V1.0
  A guide describing the Information Card model and  the identity selector concept.