Kim answers my question on confusion regarding Identity metasystem architecture here.
My question was how Liberty-based systems, which use a different protocol (other than WS-Trust) to exchange security tokens, would be supported in the Identity metasystem (mostly so they can take advantage of the InfoCard system Microsoft has put in place).
Kim points out that the problem is not only for Liberty-enabled providers but for any existing island of identity that wants to use the metasystem.
“The truth is, to get to a metasystem, it wouldn't only be Liberty or SAML implementors who would have to add the token exchange capability - changes would be required in all the systems asserting corporate and government identities; in operating systems, mobile devices, online services, smartcards; and in every other technology mentioned in our whitepaper. No one, including Microsoft, has WS-Trust rolled out at this point in time, so everyone would have to take the plunge.”
This is exactly true.
As a solution to this he proposes:
“I was really trying to point out that everything SAML users and vendors already had in place could continue to work just as it does now, while with a small incremental effort their systems could embrace the metasystem. Sure, it would mean supporting WS-Trust - a protocol designed for metasystem purposes: exchanging one security token for another different security token. But the people who've built SAML systems will have little difficulty going this extra step.”
So basically the problem can be approached in two ways:
- Liberty or SAML systems move to the WS-Trust protocol completely (which I do not think they will do), or
- Liberty or SAML systems add translators at the server side (protocol translators from WS-Trust to SAML Request and vice versa).
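To make the second option concrete, here is an added example of what such a server-side translator does, written for this post and not taken from Kim's whitepaper or from any Liberty or Microsoft code. It accepts a WS-Trust 1.2 RequestSecurityToken (Issue), checks it against an allow-list of token types, turns it into a SAML 2.0 AttributeQuery for the existing identity provider, and then wraps the assertion from the provider's SAML Response in a RequestSecurityTokenResponse. The namespaces and element names are the real ones from the WS-Trust, WS-Policy, WS-Addressing and SAML 2.0 specifications; the translator issuer name, the endpoints and both sample messages are constructed for this illustration. Signature handling is left out so the structural mapping stays visible.

```python
"""Toy WS-Trust <-> SAML 2.0 protocol translator (constructed example)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace URIs from the respective specifications
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"     # WS-Trust 1.2
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"    # WS-Policy (AppliesTo)
WSA = "http://www.w3.org/2005/08/addressing"            # WS-Addressing
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"wst": WST, "wsp": WSP, "wsa": WSA, "samlp": SAMLP, "saml": SAML}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

ISSUE = WST + "/Issue"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ALLOWED_TOKEN_TYPES = {SAML2_TOKEN}                  # allow-list: never issue whatever a caller names
TRANSLATOR_ISSUER = "https://translator.example/sts"  # hypothetical name for this translator


def parse_rst(rst_xml: str) -> dict:
    """Validate an inbound wst:RequestSecurityToken and extract what the SAML side needs."""
    root = ET.fromstring(rst_xml)
    if root.tag != f"{{{WST}}}RequestSecurityToken":
        raise ValueError("not a RequestSecurityToken")
    request_type = root.findtext("wst:RequestType", namespaces=NS)
    token_type = root.findtext("wst:TokenType", namespaces=NS)
    applies_to = root.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS)
    if request_type != ISSUE:
        raise ValueError(f"unsupported RequestType {request_type!r}")
    if token_type not in ALLOWED_TOKEN_TYPES:
        raise ValueError(f"unsupported TokenType {token_type!r}")
    if not applies_to:
        raise ValueError("AppliesTo is required so the assertion can be audience-restricted")
    return {"token_type": token_type, "applies_to": applies_to.strip()}


def build_attribute_query(parsed: dict, name_id: str) -> str:
    """Turn the validated RST into a samlp:AttributeQuery for the existing SAML 2.0 IdP."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,   # xs:ID values must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = TRANSLATOR_ISSUER
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    return ET.tostring(query, encoding="unicode")


def saml_response_to_rstr(response_xml: str, parsed: dict) -> str:
    """Wrap the assertion from a successful samlp:Response in a wst:RequestSecurityTokenResponse."""
    resp = ET.fromstring(response_xml)
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not return a success status")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    # The relying party named in AppliesTo must be the audience of the assertion we hand back.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if parsed["applies_to"] not in audiences:
        raise ValueError("assertion audience does not match AppliesTo")
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = parsed["token_type"]
    ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken").append(assertion)
    return ET.tostring(rstr, encoding="unicode")


# Constructed sample messages: an RST from an InfoCard-style client and the IdP's SAML answer.
SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:wsp="{WSP}" xmlns:wsa="{WSA}">
  <wst:RequestType>{ISSUE}</wst:RequestType>
  <wst:TokenType>{SAML2_TOKEN}</wst:TokenType>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://rp.example/</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
</wst:RequestSecurityToken>"""

SAMPLE_SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://rp.example/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    parsed = parse_rst(SAMPLE_RST)
    print(build_attribute_query(parsed, "alice@example.test"))
    print(saml_response_to_rstr(SAMPLE_SAML_RESPONSE, parsed))
```

The two validation points are the ones that matter for such a translator: the TokenType and RequestType allow-list stops the WS-Trust side from being used to request token kinds the SAML side was never meant to issue, and the AppliesTo-to-Audience check stops an assertion minted for one relying party from being re-wrapped for another. In a real deployment the translator would also verify the IdP's signature on the assertion and sign the RSTR itself.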