If S were to use a browser for performing Step 6 from Figure 2-7, and
RP were a website as opposed to a web service, there would be no way of using
WS-Security for applying the token to the invocation.
The case is easily addressed by using the same trick employed by WS-Federation
(that is, using transport-based security in the segments of the schema
that are not WS-* capable). Note that not all the WS-Trust calls have to
go through the browser; in fact, in the sequence in "The Canonical
Scenario," those operations go through the S agent, which may be WS-* capable
even if the main transaction is being handled by a browser.
WS-* is great, but what about human integration?
Presenting Windows CardSpace 163
how all the negotiations and low-level protocol interactions
were performed by an agent. The subject examined the data
summarized by the agent and directed its behavior for executing
the subject's behavior (for example, disclosing a certain claim to
a specific RP). The agent decoupled the subject from the complexities
of the underlying system, leveraging all the good properties
of the protocols for acquiring as much data as possible
and presenting information to the subject in the best way for
enabling truly informed decisions.