What's the difference between WS-Trust, OpenID, and SAML Passive?

halfbit · Aug 24, 2010 · Viewed 12.8k times

Seems that Microsoft ADFSv2 supports WS-Trust, and SAML Passive, but the WIF stack it's built upon doesn't support SAML.

What is the difference between WS-Trust and SAML-P? Do they share the same security vulnerabilities, if so what are they?

Note: There is a similar, but different question here:

SAML vs OAuth

Answer

Martin Strandbygaard · Sep 1, 2010

I assume you're referring to [the newly released] ADFS v2?

Yes, ADFS v2 supports WS-Trust (and WS-Federation) and SAML2 passive, and WIF only supports WS-Trust (and WS-Federation) and not SAML2 (neither passive nor active).

WS-Federation uses WS-Trust to perform [browser based] passive federation, and is in many ways similar to SAML2 passive - and in many ways not. A significant difference between WS-Federation and SAML2 passive is that WS-Federation v1.1 (the new version supported by ADFS v2) supports automatic metadata discovery. You only need to provide a metadata endpoint (a URL) in WS-Federation, whereas in SAML you have to exchange metadata documents by some chosen method (USB stick, mail, etc.).

I don't know of any actual security vulnerabilities in either protocol, but the approach to metadata exchange can be debated forever. The WS-Federation approach makes many things much easier, such as certificate roll-over, automatic updates, "for-free" automatic provisioning of new members in a federation, etc. However, the "manual" exchange procedure in SAML2 can at least in theory be made more secure.

As to why SAML support is not included in WIF, I can only speculate. A decent guess could be that someone wants sites using WIF to federate with an ADFS, and not directly with some other [third party] IdP :-)
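The certificate roll-over point in the answer above, as an added example that is not part of the original post or of ADFS/WIF: it parses a constructed federation metadata document (the SAML 2.0 metadata format, which WS-Federation 1.1 metadata also embeds) and diffs the IdP's advertised signing certificates against fingerprints the relying party already pins. The entity ID and certificate bodies are placeholders, not a real IdP or real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 metadata; WS-Federation 1.1 metadata carries the same
# EntityDescriptor/KeyDescriptor elements, so one parser serves both.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: an IdP advertising two signing certificates at once, as it
# would during a roll-over. Certificate bodies are base64 placeholder strings.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      b2xkLXNpZ25pbmctY2VydC1wbGFjZWhvbGRlcg==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      bmV3LXNpZ25pbmctY2VydC1wbGFjZWhvbGRlcg==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate (hex string)."""
    return hashlib.sha256(der_bytes).hexdigest()

def signing_cert_fingerprints(metadata_xml):
    """Fingerprints of every IdP signing certificate found in the metadata."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys never validate tokens
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fps.add(fingerprint(base64.b64decode("".join(cert.text.split()))))
    return fps

def rollover_diff(metadata_xml, pinned):
    """Compare freshly discovered metadata against the RP's pinned fingerprints.
    A relying party should only promote 'added' certificates to trusted status
    after verifying the metadata document's own signature with a 'retained' key."""
    current = signing_cert_fingerprints(metadata_xml)
    return {"added": current - pinned, "retained": current & pinned, "removed": pinned - current}

# What the RP pinned at onboarding: only the old certificate (placeholder bytes).
PINNED = {fingerprint(b"old-signing-cert-placeholder")}

def check_sample():
    return rollover_diff(SAMPLE_METADATA, PINNED)
```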