In the web service world, C demonstrates that the SAML
token was actually issued to it by being able to use the token for
securing its request to S. In doing so, C is showing off that it
knows a certain key that could have been acquired only from
the RSTR that contained the token. There is no need to understand
the details of that exchange. The bottom line is that S has
cryptographic proof that C is the legitimate holder of the token,
so the token cannot be fraudulently repurposed by others.
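The proof-of-possession check described above can be seen in a simplified model; this is an added example, not code from the book or from any WS-Trust stack. It assumes a single HMAC secret shared by the STS and S in place of the XML signature and encrypted key a real SAML token would carry, and the names `sts_issue`, `client_request` and `service_accept` are hypothetical.

```python
import hashlib
import hmac
import json
import os

# Assumption: one secret shared by the STS and S. It stands in for the STS
# signing key and for the key S would use to unwrap the proof key in the token.
STS_S_KEY = os.urandom(32)

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def sts_issue(subject):
    """STS: build the RSTR for C, i.e. the token plus the proof key."""
    body = json.dumps({"sub": subject, "id": os.urandom(8).hex()}).encode()
    token = {"body": body, "sig": _mac(STS_S_KEY, b"sig" + body)}
    proof_key = _mac(STS_S_KEY, b"pop" + body)  # travels only inside the RSTR
    return token, proof_key

def client_request(token, proof_key, payload):
    """C: send the token and secure the payload with the proof key."""
    return {"token": token, "payload": payload, "pop": _mac(proof_key, payload)}

def service_accept(req):
    """S: verify the issuer's seal on the token, then the proof of possession."""
    body = req["token"]["body"]
    if not hmac.compare_digest(req["token"]["sig"], _mac(STS_S_KEY, b"sig" + body)):
        return False  # token was not issued by the STS, or was altered
    proof_key = _mac(STS_S_KEY, b"pop" + body)
    return hmac.compare_digest(req["pop"], _mac(proof_key, req["payload"]))

def demo():
    token, proof_key = sts_issue("C")
    legit = client_request(token, proof_key, b"GetBalance")
    # Constructed case: a party that copied the token off the wire but never
    # saw the RSTR has no proof key, so it has to guess one.
    copied = client_request(token, os.urandom(32), b"GetBalance")
    return service_accept(legit), service_accept(copied)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The model does not cover replay of a complete captured request; timestamps or nonces in the secured message handle that separately.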
In summary, WS-Trust defines entities and messages for issuing
WS-Security tokens via web services. The preceding example
explored the scenario in which a client requests that an STS
issue a token. However, the specification covers many other
cases, such as issuance requests coming from services and token
management beyond pure issuance (token renewal and validation
being two examples). We concentrated on that scenario
because, as we observed, it exhibits striking similarities with
identity-related transactions we encountered elsewhere in the
text. In the section "WS-* Implementation of the Identity
Metasystem," we further clarify the parallel.