Active Vs Passive Authentication (WS Federation vs WS Trust)

  • Question

  • Hi All,

    I have been reading about WS-Federation and WS-Trust for SSO recently and need someone to help make it clear to me please.

    So far, what I know is that passive clients are those that do not have any sort of login capability but are simply configured to be redirected to a security token service through HTTP redirects.

    Active clients are those that have a login form (e.g. WinForms), cannot use HTTP redirection and need to use web services for the individual token request process steps.

    I also understand that it is possible for web applications to do active authentication (if the requirements state so) but client applications (like Winforms) are unable to do passive authentication out of the box.

    My question is - where do WS-Federation and WS-Trust fit into this active and passive authentication process?

    For example, ADFS is able to support both active and passive authentication.

    It also supports WS-Federation and WS-Trust.

    But what protocol of these two is used for each type of authentication?

    Regards,

    Ajay Suri

    PS. I also understand so far that ADFS also supports SAML-P, but since SAML-P supports only passive authentication, it is not possible to do active authentication using SAML-P. I hope this understanding is correct.


    Thursday, June 12, 2014 9:11 AM

Answers

  • Hi,

    Sorry for the delayed reply.

    Passive federation scenarios are based on the WS-Federation specification. This describes how to request security tokens and how to publish and acquire federation metadata documents, which makes establishing trust relationships easy. WS-Federation also describes single sign-on and sign-out procedures and other federation implementation concepts.

    While WS-Federation discusses many details about federation, there are sections devoted to browser-based federation that rely on HTTP GET and POST, browser redirects and cookies to accomplish the goal.

    http://msdn.microsoft.com/en-us/magazine/ff872350.aspx

    Regards.


    Vivian Wang

    Thursday, June 26, 2014 8:47 AM

All replies

  • Hi,

    Please refer to the following article:

    http://msdn.microsoft.com/en-us/library/bb498017.aspx#wsfedver1_topic2

    Regards.


    Vivian Wang


    Monday, June 16, 2014 6:38 AM
  • Thanks Vivian,

    I had a brief look and it looks quite relevant.

    I will come back if I have any queries.

    Regards,

    Ajay Suri

    Monday, June 16, 2014 7:50 AM
  • Hi Vivian,

    I had a brief read of the link you sent and also the actual OASIS specifications.

    This is what I understood at a very high level.

    WS-Trust provides a framework for how to set up an STS and details on how to request, renew, cancel and validate tokens. This seems an ideal specification for clients that want to control the token process. In other words, the client gets user credentials and uses them to request a security token, and therefore has full control over the whole process. Both browser and WinForms applications will be able to use this for setting up an active authentication process.

    I must admit I am still trying to get my head around WS-Federation, but at a very high level this seems to provide a specification for setting up federations by defining standards for federation metadata. All participants in a federation will be able to provide this metadata and let others know about the federation capabilities they have, e.g. types of tokens offered, claim types requested and offered, and others.

    In addition, WS-Federation also seems to provide details on how the HTTP protocol can be used for browser-type clients in order to redirect them automatically to an STS that the resource trusts for claims. I believe under the hood they are still WS-Trust-type RST and RSTR messages. So, in a way, they kind of support passive authentication.

    Am I right in thinking that passive is only for browsers? I don't think WinForms can do passive authentication in any way, or maybe they can if they can make HTTP requests internally using the security context of the logged-in user. What do you say?

    Once again, thanks for getting back!

    I know I am not fully there yet but I am certainly better than I was yesterday :)

    Regards,

    Ajay Suri


    Tuesday, June 17, 2014 9:06 AM
  • Hi,

    Any update about the issue?

    Regards.


    Vivian Wang

    Tuesday, July 1, 2014 8:02 AM
  • Thanks Vivian,

    I now have a better understanding of the difference between the protocols.

    Regards,

    Ajay Suri

    Tuesday, July 1, 2014 8:05 AM
  • Hello,

    This question is old, but I struggled finding a correct answer online.

    A lot of online posts say that 'passive / browser' clients use WS-Fed and 'active / smart' clients use WS-Trust. That is probably because the active use case uses by default a URL like '/ws-trust/2005' or '/ws-trust/v1.x/'. This does not seem to be 100% accurate. The great and free book Claims-based Identity, Second Edition helped me with the issue and I finally found a satisfying answer:

    The goal of many of these architectures is to enable federation with either a browser or a smart client. Federation with a smart client is based on WS-Trust and WS-Federation Active Requestor Profile.

    These protocols describe the flow of communication between smart clients (such as Windows-based applications) and services (such as WCF services) to request a token from an issuer and then pass that token to the service for authorization.

    Federation with a browser is based on WS-Federation Passive Requestor Profile, which describes the same communication flow between the browser and web applications. It relies on browser redirects, HTTP GET, and POST to request and pass around tokens.


    Thursday, November 23, 2017 9:08 AM
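The split that the accepted answer (June 26) and the last post settle on, browser clients driven by the WS-Federation passive requestor profile through redirects and form POSTs, smart clients driven by WS-Trust RST/RSTR over SOAP, and both ending up with the same RSTR carrying the token, is shown below as an added example. It is not code from this thread, from the book quoted above or from ADFS. It assumes hypothetical STS and relying-party URLs (sts.example.test, app.example.test), a constructed placeholder SAML assertion rather than a signed token, and uses only the Python standard library; the namespaces, action URIs and wa/wtrealm/wreply/wctx/wresult parameter names are the ones the WS-Trust 1.3 and WS-Federation 1.2 specifications define.

```python
"""WS-Federation passive sign-in beside WS-Trust active Issue.

Added example, not code from the thread or from ADFS. Endpoint URLs are
hypothetical and the SAML assertion in the sample RSTR is a placeholder.
"""
import urllib.parse
import xml.etree.ElementTree as ET

# Namespaces and action URIs from the specifications.
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3
ISSUE_ACTION = WST + "/RST/Issue"
ISSUE_REQUEST_TYPE = WST + "/Issue"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical endpoints used only in this example.
STS_PASSIVE = "https://sts.example.test/adfs/ls/"
STS_ACTIVE = "https://sts.example.test/adfs/services/trust/13/usernamemixed"
RP_REALM = "https://app.example.test/"


def build_signin_redirect(sts_url, realm, reply, wctx):
    """Passive requestor profile: the URL the relying party 302s the browser to.
    wctx is opaque state the RP later compares against the value posted back."""
    query = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply, "wctx": wctx}
    return sts_url + "?" + urllib.parse.urlencode(query)


def build_rst(sts_url, realm):
    """Active requestor profile: SOAP envelope a smart client POSTs to the STS.
    The caller's credentials would travel in a WS-Security header (omitted)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{WSA}}}Action").text = ISSUE_ACTION
    ET.SubElement(header, f"{{{WSA}}}To").text = sts_url
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    rst = ET.SubElement(body, f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE_REQUEST_TYPE
    applies = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = realm
    return ET.tostring(env, encoding="unicode")


def extract_token(rstr_xml, expected_realm):
    """Shared by both profiles: find the RequestSecurityTokenResponse (bare, in
    an RSTR collection, or inside a SOAP body), refuse it unless AppliesTo names
    this relying party, and return the issued token element. This only extracts:
    signature, issuer and validity-window checks on the token still come next."""
    root = ET.fromstring(rstr_xml)
    rstr = next(root.iter(f"{{{WST}}}RequestSecurityTokenResponse"), None)
    if rstr is None:
        raise ValueError("no RequestSecurityTokenResponse in response")
    address = rstr.find(
        f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address")
    if address is None or address.text != expected_realm:
        raise ValueError("AppliesTo does not match this relying party")
    requested = rstr.find(f"{{{WST}}}RequestedSecurityToken")
    if requested is None or len(requested) == 0:
        raise ValueError("RSTR carries no RequestedSecurityToken")
    return requested[0]


def parse_signin_response(form, expected_realm, expected_wctx):
    """Passive requestor profile: the STS auto-submits a form with wa, wresult
    and wctx to wreply; wresult is the same RSTR the active profile returns."""
    if form.get("wa") != "wsignin1.0":
        raise ValueError("unexpected wa action in sign-in response")
    if form.get("wctx") != expected_wctx:
        raise ValueError("wctx does not match the value sent in the redirect")
    return extract_token(form["wresult"], expected_realm)


# Constructed RSTR: what an STS returns on success, with a placeholder assertion.
SAMPLE_RSTR = f"""<t:RequestSecurityTokenResponse xmlns:t="{WST}">
  <wsp:AppliesTo xmlns:wsp="{WSP}">
    <wsa:EndpointReference xmlns:wsa="{WSA}">
      <wsa:Address>{RP_REALM}</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="{SAML2}" ID="_placeholder">
      <saml:Issuer>https://sts.example.test/adfs/services/trust</saml:Issuer>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

# Constructed active-profile reply: the same RSTR in a collection inside a SOAP body.
SAMPLE_ACTIVE_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body>
<t:RequestSecurityTokenResponseCollection xmlns:t="{WST}">{SAMPLE_RSTR}
</t:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""


if __name__ == "__main__":
    print(build_signin_redirect(STS_PASSIVE, RP_REALM, RP_REALM, "state-123"))
    print(build_rst(STS_ACTIVE, RP_REALM))
    form = {"wa": "wsignin1.0", "wresult": SAMPLE_RSTR, "wctx": "state-123"}
    print("passive:", parse_signin_response(form, RP_REALM, "state-123").tag)
    print("active :", extract_token(SAMPLE_ACTIVE_RESPONSE, RP_REALM).tag)
```

The point the code makes is that the two profiles differ only in transport: one RSTR parser serves the wresult form field and the SOAP body alike. The two checks it performs before handing the token on are the ones a relying party most often skips: comparing wctx to the value it put in the redirect (so a response cannot be replayed into a session that never started a sign-in) and comparing AppliesTo to its own realm (so a token issued for another relying party is rejected). Neither replaces validating the token's signature, issuer and lifetime, which the example deliberately leaves to the token-format library.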