Introduction, Integration and Securing Web Services Part 3

Alright, as I promised this is the third part of the summary describing what we are currently working on to help people developing distributed applications using Web services using WSE 3.0. This time we are going to drill down into the Security Token Service quickstart that I mentioned before.

  1. Web Service Security: Scenarios, Patterns and Implementations – Releasing on December 7th! A guide that demystifies web service security. For a full description see: 
  2. WS-I Basic Security Profile Reference Implementation – A WSE 3.0 version of the age old classic demonstration of cross platform interoperability. We should have an interim build available on our GDN workspace in the next couple of days. For a full description see: 
  3. Security Token Service Quickstart for WSE 3.0 – As we were talking to customers whilst developing the “Web Service Security” guide we heard a lot of customers asking how to develop an STS using either WSE 2.0 or more recently WSE 3.0. In particular customers were looking to issue XML tokens – often using the SAML token format. For those who have taken a look at our October release you will probably notice that we have the design pattern for Brokered Authentication using a Security Token Service – but no implementation pattern. So what gives? Good news! We are currently working on a quickstart (sample) that will demonstrate how to develop a custom Security Token Service using WSE 3.0. Here is a brief summary of features that the quickstart will be demonstrating:

    1. How to implement a custom STS that issues SAML v1.1 XML tokens using extensibility points of WSE 3.0
    2. XML tokens are populated with authentication and attribute statements for identity & role information from either AD or a custom database
    3. How to use the STS to broker key exchange between the client and the service so that the client can sign and encrypt messages to the service (and v.v.) using a key within the SAML token to provide proof of possession.
    4. Quickstart will of course include full source code so if you want to incorporate custom statements etc then you can do that.

This Quickstart will form the basis for the Implementation pattern for our “Web Service Security” guide (see #1) and will be released on the community site for that asset. However, if you are interested in finding out more about our STS Quickstart please join our GotDotNet workspace ( where you can download a draft release – be sure to read the additional instructions on the workspaces section to get the application working… Also – most importantly – as we are currently doing the dev work on this project PLEASE post a note on the workspace’s discussion board summarizing your requirements and then let us know after you have played around with the code how useful this solution is.

I should also mention that we have a couple of other very exciting projects in the pipeline, but we are waiting on our Connected System survey results before we kick those off. If you havne’t already completed the survey please complete our Connected System Survey. The survey will probably take you about 10 minutes to complete – but is going to dictate where we focus our energies over the next 6 – 9 months. So help us to help you…