From: Marc Goodner [mailto:mgoodner@microsoft.com]
Sent: Friday, April 25, 2008 11:16 AM
To: wsfed@lists.oasis-open.org
Subject: [wsfed] New Issue: TokenIssuerMetadata Element
Since the WS-Trust endpoints of a service are already described thoroughly in WSDL, it is
desirable to reference WSDL for a description of the token issuer endpoints.
WSDL/MEX may be referenced from within the existing structure of EPRs, or with
a new element specifically intended for token issuer metadata. The existing
TokenIssuerEndpoints uses a list of EPRs and requires listing at least one
token issuer endpoint address. Endpoint addresses in these EPRs are duplicates
of the endpoint addresses specified in the linked WSDL, so this method
unnecessarily duplicates information that may already be found in the WSDL.
This analysis presumes that, given a WSDL, it is relatively easy to disambiguate the token issuer endpoints
from the other services and endpoints in the WSDL. If an implementation assumes
that the WS-Trust Issue endpoints represent the token issuer endpoints, then
the WS-Trust endpoints may be discerned based on standardized names and
namespaces. The current definition allows use of EPRs with metadata references or
locations. The mex:Location element may be used to specify a reference within
another MEX section.
Proposal:

Add new section following section 3.1.6 TokenIssuerEndpoints Element

3.1.x TokenIssuerMetadata Element
The optional <fed:TokenIssuerMetadata> element allows a federation metadata
provider to specify the metadata corresponding to its token issuing service (or
addresses for functionally equivalent security token services) which can be
referenced by federated partners when requesting tokens from it. This element
populates the [Federation Metadata] property. This is specified by token
issuers and security token services. This is a service-level statement.
The schema for this optional element is shown below.

  <fed:TokenIssuerMetadata>
    <mex:Metadata> …
    </mex:Metadata>
  </fed:TokenIssuerMetadata>
The content of this element is the Metadata element as defined by [WS-MetadataExchange],
providing a representation of the metadata for the issuer STS (or functionally
equivalent STS endpoints).
This element allows attributes to be added so long as they do not alter the semantics
defined in this specification.
The following example illustrates using this optional element to specify a metadata address for the
token issuing STS of an organization. This address may be used to look up the
endpoint address for the STS.

  <fed:TokenIssuerMetadata>
    <mex:Metadata>
      <mex:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">
        <mex:MetadataReference>
          <wsa:Address>https://fabrikam.com/identityserver/trust/mex</wsa:Address>
        </mex:MetadataReference>
      </mex:MetadataSection>
    </mex:Metadata>
  </fed:TokenIssuerMetadata>
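As an added example (not part of the proposal or the WS-Federation TC's material), the following Python shows both halves of the lookup the text describes: a consumer reads the MEX address out of fed:TokenIssuerMetadata, checking it is an https URL on a host it already trusts, and then picks the WS-Trust Issue endpoints out of the referenced WSDL by the standardized WS-Trust 1.3 Issue action rather than by port name. The fed namespace URI, the soap12 binding style and both sample documents are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET  # for untrusted metadata, parse via defusedxml instead
from urllib.parse import urlparse

NS = {
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",  # assumed WS-Fed 1.2 namespace
    "mex": "http://schemas.xmlsoap.org/ws/2004/09/mex",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
}
TRUST13_ISSUE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"

def issuer_metadata_refs(fed_xml, allowed_hosts):
    """MEX addresses under fed:TokenIssuerMetadata; keep only https URLs on an allow-listed host."""
    refs = []
    for tim in ET.fromstring(fed_xml).iter("{%s}TokenIssuerMetadata" % NS["fed"]):
        for addr in tim.iterfind(".//mex:MetadataReference/wsa:Address", NS):
            url = (addr.text or "").strip()  # tolerate whitespace-padded addresses
            p = urlparse(url)
            if p.scheme == "https" and p.hostname in allowed_hosts:
                refs.append(url)
    return refs

def trust_issue_endpoints(wsdl_xml):
    """Port addresses whose binding carries a WS-Trust 1.3 Issue operation (by standardized soapAction)."""
    root = ET.fromstring(wsdl_xml)
    issue_bindings = {b.get("name") for b in root.iterfind("wsdl:binding", NS)
                      if any(op.get("soapAction") == TRUST13_ISSUE
                             for op in b.iterfind("wsdl:operation/soap12:operation", NS))}
    endpoints = []
    for port in root.iterfind("wsdl:service/wsdl:port", NS):
        if port.get("binding", "").split(":")[-1] in issue_bindings:  # binding attr is a QName
            addr = port.find("soap12:address", NS)
            if addr is not None:
                endpoints.append(addr.get("location"))
    return endpoints

# Constructed sample documents for the example (not real fabrikam.com metadata).
FED_XML = """<fed:TokenIssuerMetadata xmlns:fed="%s" xmlns:mex="%s" xmlns:wsa="%s">
<mex:Metadata><mex:MetadataSection Dialect="%s"><mex:MetadataReference>
<wsa:Address> https://fabrikam.com/identityserver/trust/mex </wsa:Address>
</mex:MetadataReference></mex:MetadataSection></mex:Metadata></fed:TokenIssuerMetadata>""" % (NS["fed"], NS["mex"], NS["wsa"], NS["mex"])
WSDL_XML = """<wsdl:definitions xmlns:wsdl="%s" xmlns:soap12="%s" xmlns:tns="urn:example:sts">
<wsdl:binding name="IssueBinding"><wsdl:operation name="Issue">
<soap12:operation soapAction="%s"/></wsdl:operation></wsdl:binding>
<wsdl:binding name="EchoBinding"><wsdl:operation name="Echo">
<soap12:operation soapAction="urn:example:Echo"/></wsdl:operation></wsdl:binding>
<wsdl:service name="Sts"><wsdl:port name="trust" binding="tns:IssueBinding">
<soap12:address location="https://fabrikam.com/identityserver/trust"/></wsdl:port>
<wsdl:port name="echo" binding="tns:EchoBinding"><soap12:address location="https://fabrikam.com/echo"/></wsdl:port></wsdl:service></wsdl:definitions>""" % (NS["wsdl"], NS["soap12"], TRUST13_ISSUE)
```

The Echo binding in the sample is there to show that only the port bound to the Issue action is returned, which is the disambiguation the proposal relies on.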