
WS-Trust and WS-Federation

WS-Trust, short for Web Services Trust Language, is a specification that extends WS-Security (Web Services Security), the standard for securing SOAP (Simple Object Access Protocol) messages by signing and encrypting them and by attaching security tokens to the SOAP header.

"WS-" is a prefix used for specifications associated with Web Services, and there are many WS-* standards, including WS-Addressing, WS-Discovery, WS-Federation, WS-Policy, WS-Security, and WS-Trust.

WS-Trust deals with the lifecycle of security tokens, examples of which include SAML assertions and WS-Security UsernameTokens. Specifically, it defines a request/response message pair, RequestSecurityToken (RST) and RequestSecurityTokenResponse (RSTR), together with bindings to issue, renew, cancel and validate tokens, so that parties who share no direct trust can still exchange protected messages through Web Services.

A Security Token Service (STS) is the key component in WS-Trust: it is the service that answers RST messages by issuing, renewing, cancelling and validating tokens. An STS also acts as a token exchange. It converts the credential a requester already holds (a UsernameToken, a Kerberos ticket or a locally issued SAML assertion) into a token in the format the target web service accepts, typically a SAML assertion signed by the STS, and it converts incoming tokens from other domains into a form local applications can use. Because every relying party trusts whatever the STS signs, the protection of the STS signing key, and the relying party's checks of the token's signature, lifetime and intended audience, are where the security of the model concentrates.
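As an added example, not code from this page or from any STS product, the following Python builds the RST messages for the issue, renew and cancel bindings described above and checks an RSTR the way a relying party should before trusting the token inside it. The STS issuer, relying-party URL, credentials and the sample RSTR are constructed for illustration; the assertion's XML signature is not verified (that needs an XML-DSig library) and the code says so.

```python
# Added example (not from the page): build WS-Trust 1.3 RST messages for the Issue,
# Renew and Cancel bindings and vet the RSTR an STS returns. Standard library only;
# endpoints, credentials and the sample response below are constructed for illustration.
import datetime as dt
import xml.etree.ElementTree as ET
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SAML_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
CLOCK_SKEW = dt.timedelta(minutes=5)

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)  # Clark notation for ElementTree

def build_rst(request_type, applies_to, username, password, target=None):
    """SOAP 1.2 envelope carrying an RST, authenticated to the STS with a WS-Security
    UsernameToken. Renew takes the token Element being renewed as target; Cancel
    takes the token's ID (str) and points at it with a SecurityTokenReference."""
    if request_type not in ("Issue", "Renew", "Cancel"):
        raise ValueError("unsupported RequestType: %r" % request_type)
    if request_type != "Issue" and target is None:
        raise ValueError("%s needs a target token" % request_type)
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("wsa", "Action")).text = "%s/RST/%s" % (NS["wst"], request_type)
    sec = ET.SubElement(hdr, q("wsse", "Security"), {q("s", "mustUnderstand"): "true"})
    ut = ET.SubElement(sec, q("wsse", "UsernameToken"))
    ET.SubElement(ut, q("wsse", "Username")).text = username
    # PasswordText carries the secret in clear: acceptable only over TLS to the STS.
    ET.SubElement(ut, q("wsse", "Password"), {"Type": PASSWORD_TEXT}).text = password
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "TokenType")).text = SAML2_TOKEN
    ET.SubElement(rst, q("wst", "RequestType")).text = "%s/%s" % (NS["wst"], request_type)
    # AppliesTo names the relying party; the STS turns it into the SAML audience restriction.
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = applies_to
    if request_type == "Renew":
        ET.SubElement(rst, q("wst", "RenewTarget")).append(target)
    elif request_type == "Cancel":
        ref = ET.SubElement(ET.SubElement(rst, q("wst", "CancelTarget")), q("wsse", "SecurityTokenReference"))
        ET.SubElement(ref, q("wsse", "KeyIdentifier"), {"ValueType": SAML_ID}).text = target
    return ET.tostring(env, encoding="unicode")

def _time(text):
    return dt.datetime.fromisoformat(text.strip().replace("Z", "+00:00"))  # xs:dateTime in UTC

def _need(value, what):
    if value is None:
        raise ValueError("RSTR lacks " + what)
    return value

def parse_rstr(xml_text, expected_audience, now=None):
    """Essentials of the issued SAML 2.0 assertion, after the checks a relying party must
    make: expected TokenType, unexpired wst:Lifetime (clock skew allowed) and an
    AudienceRestriction naming us. The XML signature is NOT verified here; without
    that check (XML-DSig library needed) no claim in the assertion can be trusted."""
    now = _time(now) if isinstance(now, str) else now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)  # prefer defusedxml for data read off the network
    rstr = _need(root.find(".//wst:RequestSecurityTokenResponse", NS), "a RequestSecurityTokenResponse")
    token_type = rstr.findtext("wst:TokenType", namespaces=NS)
    if token_type != SAML2_TOKEN:
        raise ValueError("unexpected TokenType: %r" % token_type)
    expires = _time(_need(rstr.findtext("wst:Lifetime/wsu:Expires", namespaces=NS), "Lifetime/Expires"))
    if now > expires + CLOCK_SKEW:
        raise ValueError("token expired at %s" % expires.isoformat())
    assertion = _need(rstr.find("wst:RequestedSecurityToken/saml:Assertion", NS), "a SAML 2.0 assertion")
    audiences = [a.text for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("audience %r not in %r" % (expected_audience, audiences))
    return {"token_type": token_type, "assertion_id": assertion.get("ID"),
            "expires": expires, "audiences": audiences}

def token_acceptable(xml_text, expected_audience, now=None):
    try:  # False instead of ValueError when any check in parse_rstr fails
        return bool(parse_rstr(xml_text, expected_audience, now))
    except ValueError:
        return False

# Constructed RSTR as an STS returns it for Issue (left unsigned here to keep it short).
SAMPLE_RSTR = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><s:Body>
<wst:RequestSecurityTokenResponseCollection><wst:RequestSecurityTokenResponse>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
<wst:Lifetime><wsu:Created>2024-05-01T12:00:00Z</wsu:Created><wsu:Expires>2024-05-01T13:00:00Z</wsu:Expires></wst:Lifetime>
<wst:RequestedSecurityToken><saml:Assertion ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
<saml:Issuer>https://sts.example.test/</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
<saml:Conditions NotOnOrAfter="2024-05-01T13:00:00Z"><saml:AudienceRestriction>
<saml:Audience>https://app.example.test/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""
```

`build_rst("Issue", "https://app.example.test/", "alice", "s3cret")` produces the envelope a client posts to the STS; `parse_rstr(SAMPLE_RSTR, "https://app.example.test/")` is what the relying party runs on the answer. The acceptance window of five minutes past wsu:Expires is a deliberate skew allowance, not a spec value, and the two things this code does not do, verifying the ds:Signature over the assertion and parsing with a hardened XML library such as defusedxml, are the two things a production implementation must add before it reads a single claim.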

WS-Federation describes how trust relationships and security token exchange are managed and brokered across web services and across organizational boundaries. It belongs to the same WS-Security family and is an extension of WS-Trust: it builds on the Security Token Service (STS) model WS-Trust defines and adds the mechanisms needed to federate identity between organizations, including attribute services, pseudonym services and authorization (claims) services that work alongside an STS. WS-Federation also defines a passive requestor profile for web browsers, which is the form in which WS-Federation sign-on to a web application most often appears in practice.

Like SAML 2.0, WS-Trust and WS-Federation are OASIS open standards; the WS-* specifications were driven primarily by Microsoft and IBM.