Travis Spencer - Software Engineer

RSA Conference 2010 -- Day 5

2010-03-06T17:04:29Z

What a conference! In case you missed it, I've blogged about RSA all week long:

Like last year, I finished the conference by attending Richard Howard's talk on cyber threats and trends. Howard is the director of the iDefense Lab. In his talks, he lays out new security disruptors that will drastically change the information security landscape over the next 5 to 10 years. He warned of the following disruptors last year and this:

2009	2010
Cyber terrorism Mobile threats IPv6 Arbitrary TLDs and multilingual URLs Virtual worlds	Shift in attacks to government targets (i.e., cyber terrorism) Smart phones (i.e., mobile threats) Cloud computing

Then, I went to a talk on cross-domain identity and access control presented by Tom Winnenberg, principal security engineer at Raytheon. In it, he talked about federation and centralized authorization using XACML. Centralized authorization, especially using XACML, is something I heard a lot about during the week actually. Last year, that protocol was only mentioned once in a presentation given by Sun and Burton. This year, I heard about it in a half dozen different sessions, a couple vendors on the show floor, and one other conference goer that I talked with. I think people are starting to wrap their heads around centralized authentication, and are now beginning to wonder about how to also centralize authorization. So I think the attention paid to XACML will increase this year, especially if Microsoft begins supporting it their products (which won't happen in 2010).

All in all, it was a great show. If you missed it, I would certainly recommend that check out those blog posts I listed above and try to attend next year if you can.

RSA Conference 2010 -- Day 4

2010-03-05T00:56:35Z

Cloud computing, virtualization, cyber-crime, and compliance were predicted to be the big themes of RSA. After four days, I've been to about 20 sessions in 7 tracks, 7 keynotes, and heard from more than 30 corporate representatives from a half dozen industries. Cloud computing has certainly come up, but almost exclusively in the keynotes. It seems that the conference organizers want to talk about it, but the information security community has other things on its mind. What have been the themes I've heard after attending all these sessions? Identity and as corollaries to that authentication (as I said last night) and PKI.

I heard from Joshua Powers, CTO of Securboration and formerly of the US Air Force. He talked about the difficulty of modeling identities and how semantic Web technologies can be used to create graphs to represent identities more effectively. Then I heard from G&D and EISST about how they have been working to harder Web browsers and ensure that they haven't been patched by malware. They called this technique Dynamic Application Authentication (DAA), and they used PKI and smart cards to do it.

Then I attended a panel discussion chaired by a representative from Adobe which included a registrar in higher ed, a lawyer, and an auditor. They talked about how there is a resurgence of interest in PKI. Unlike ten years ago, they said, this new buzz is coming from business and not from crypto geeks going on and on about Alice, Bob, and Eve. The result is a market pull rather than a push as was the case a decade ago. The fundamental reason they said was because businesses of the twenty-first century are information companies. Data doesn't remain neatly within the silos we've created in our organization -- it flows across them. In order to comply with regulations, avoid leakages, and use data to provide customers with value, companies have to find a way to secure it. PKI is an increasing way in which they're doing so, the panelist said. They sited a number of examples:

Verification of hundred year old legal contracts
Digitally signing transcripts
Federation
Verifying the identity of doctors

All of these examples come down to authenticating the identity of different entities.

BTW, when the layer, Randy Sabett, was asked by a Brazilian audience member about when America would get a national ID system like his country's, Sabett said it was a "long way off." In light of this, perhaps my predication last night was a bit naive :-)

The last session I attended today was a P2P discussion about Identity Management (IdM). The group was made up of folks reporting to CIOs, CSOs, and CTOs. They talked about the huge disarray that their organizations are in with regard to identity. From the sound of it, it seemed that their IdM systems were not working very well for them.

So cloud computing is important, but it seems that the information security community thinks identity, authentication, and PKI are more important. Have you been hearing other things at the conference? Are other issues more important to your organization than these? Are these issues hot topics for you company as well? I'd love to hear about it. Leave a comment below or shoot me a note. I've got one more day here at RSA, so keep an eye on my Twitter stream for real-time updates and check back tomorrow for my final post.

RSA Conference 2010 -- Day 3

2010-03-04T00:55:35Z

I can't believe it's only day three! It already feels like day 10. Today, I attended sessions presented by representatives from the Brazilian banking industry, Yahoo!, Google, Cisco, Bank of America, Qualys, and the US government. There was a red threads that wove through all of these speakers' words that really caught my ear. It was a topic I also heard while speaking with a German exhibitor on the show floor and other conference goers who I ate lunch with. Any guesses as to what it was? Readers of my blog, especially those familiar with this year's theme for RSA, will certainly think it was cloud computing. It wasn't though. It was authentication.

The Brazilian banking representatives who worked for the first and eighth largest financial institutions spoke about the PKI that Brazil has recently launched. The root of this trust hierarchy is the government itself. When citizens are born, their fingerprints are taken at birth and placed in a government database. At some later point, they are issued national identity cards. Their fingerprints are encoded on the smart card of the ID and signed by the Brazilian root CA.

Banks in Brazil apply to be intermediate CAs under the government's root. When a citizen comes to one of them for a bank account, they must present their national ID card. With this, they can authenticate the person using the biometric data on the card, the person's finger, and the signature of the root CA. There are surely many factors that have led to the adoption of this technology in Brazil, but one is no doubt the scale of crime confronting the country.

Richard Clarke, Chairman of Good Harbor Consulting, asked rhetorically in his keynote, if America must get to similar level of crisis before taking more drastic measure to protect its citizens online. An American gentleman that I had lunch with (who's name I unfortunately did not get) said that he wants a national ID, in order to protect his privacy. He argued that by being able to positively identify himself using such an ID, he could avoid intrusive searches in cases where the government suspects him of crimes perpetrated by someone that looks like him. While searching his computer, house, car, etc. to determine who he really is, the government may find things that are actually illegal. Once they are convinced he is not the suspect they originally believed him to, they would then have the evidence necessary to convict him of other crimes. Authentication initially would have prevented this, he argued.

Google, Yahoo!, B of A, and Cisco talked about how phishing is bombarding their users, and preventing the banks from using that channel to communicate to the full extent desired. Due to a lack of authentication, email can not be trusted to deliver more value to customers. In fact, the phishing attacks are discrediting the financial institution's brand and reputation, B of A said. The solution the Web mail providers are employing is the same one the Brazilian banks are using to guard the online banking and ATM channels: PKI. Unlike the South American organizations, however, Google and Yahoo! are not authenticating the end users; rather, they are only, initially, verifying the identity of the servers which are sending them email. Email from unauthenticated servers are scrutinized more intensly than those from authenticated senders.

In her keynote, Secretary of the Department of Homeland Security, Janet Napolitano, said that what is needed is "privacy enhancing authentication." CEO of Qualys, Philippe Courtot, said that it is the job of security professionals to "verify and to be on the lookout." Bruno Quint of CORISECIO, a Germany service provider in the telco industry, told me about how his company is providing 2+ factor authentication using a national PKI (like Brazil's but without biometry) combined with Information Cards on on mobile devices to provide strong authentication that is easy to use.

From all of this, I will go out on a limb and make the following predictions about authentication:

America will inevitably role out a national ID card that uses PKI; it will not use biometry at first.
The creation of this PKI will be lobbied for by the financial industry.
It will be rolled out in 10 years or less.
It will eventually be used to securely authenticate online banking, e-commerce, voting, and other applications.

Disagree? Have other predictions? Share your opinion in a comment below or let me know. Also, be sure to check back tomorrow for a summary of day 4 and watch my Twitter stream for live updates.

RSA 2010 -- Day 2 Part 2

2010-03-03T08:24:12Z

I attended three sessions this afternoon:

One on cloud computing with a panelist from JPMorgan Chase,
One on authentication presented by the CIISP of Bradesco, a Brazilian bank, and
One that was a P2P discussion of identity facilitated by a SVP at Bank of America.

All of those are issues that I wrestle with all day long in the industry in which I work, so it was fantastic. Perhaps it's the marketing class I'm in ATM that has attuned my ears to the voice of the customer (VoC) because I heard them loud and clear. This is my interpretation of what they said about those topics.

What the Financial Institutions Said	My Interpretation
Cloud computing is a new name for things we've been doing for a long time.	Be careful and cautious about cloud computing. Scrutinize new cloud-based offerings using our established practices and procedures. Do not get sucked into the hype.
Once data gets out the door, it's gone forever.	You only get one chance. Cloud computing is still too new and unproven. Mistakes are bound to happen, and we can't afford for them to be made by us.
Everything is about risk management.	Be cautious and slow to adopt cloud computing. Let the early adopters go out of business trying to figure it out. Once they have worked out the technical, social, political, and legal kinks, consider it pursuant to our established practices, policies, and procedures.
The biggest risk is loss of reputation; the brand name must be upheld. You can't outsource your reputation.	Loosing the competitive advantage that a distinguishable and trustworthy brand offers is not worth the potential cost savings offered by cloud computing, especially considering that we have already invested in the computing infrastructure that IaaS and cloud computing offers.
Online banking will never be done in the cloud.	Public clouds such as Amazon's are not appropriate places to host online banking solutions. Host them on private or hybrid clouds instead.
Positively identifying legitimate users has been a long hard battle that has forced us to invest tons of money and effort; it has even forced us to do things we didn't want to do (e.g., biometry).	We are in an arms race. If you can help us make it cheaper and more cost effective, we're all ears.
Technology is not enough.	We need technological help in this war, but we will be especially interested if you can also help us with the people- and process-related problems.
Banks, governments/police, and customers must work together.	Your offerings need to be interoperable, UX tested, and compliant with government regulations.
We will constantly be confronted with new security challenges.	We need vendors who we can trust and that will continually provide products that are one step ahead of the fraudsters.
Users adopted biometrics much quicker and with less pushback then we expected.	We value solution providers that are willing to think outside the box; we know from past experience that it pays off.
Our customers love mobile devices.	We expect a whole host of new attacks and problems, so help, advice, and guidance is welcome.
Facebook can't be blown off.	Social networking Web sites represent a real opportunity given the mass adoption, but we're unsure how to capitalize on them.

If you disagree with my interpretations, are aware of other needs that these organizations have, or would like to ask me a question about other things they said about cloud computing, authentication, and digital identity, leave a comment here or let me know. Also, keep an eye on my Twitter stream for more frequent updates from the RSA Conference.

RSA Conference 2010 -- Day 2 Part 1

2010-03-02T18:40:24Z

The keynotes this year at RSA were really good. The same guys that spoke last year spoke again this year:

Art Coviello, Executive Vice President of EMC Corp. and President of RSA, The Security Division of EMC
Scott Charney, Corporate Vice President for Trustworthy Computing, Microsoft Corp.
Enrique Salem, President and CEO, Symantec Corp.

The theme repeated over and over and over again in the address of all three was cloud computing. They said that cloud computing represents both a challenge and an opportunity. As others said yesterday, cloud computing is a chance for the information security industry to redo the IT infrastructure with security at its core. Even more so than last year, these men stressed the inevitability of cloud computing's adoption and Coviello said its transformative impact on society and business will be like that of the Internet itself. It wasn't that they were crying uncle; it was more like they were saying if we (the information security community) can't deter them, let's lead them. To this end, Coviello laid out a strategy for businesses:

Begin moving non-critical services to the cloud
Move critical business applications to the cloud
Build internal clouds
Combine your internal and external cloud infrastructures to create a hybrid cloud

In making that first step, he advised attendees to ensure that SaaS providers are able to address GRC, SLA, policy, identity, and multitenancy needs (the last being the hardest he said). Through these, the cloud goes from being a nebulous black box to a transparent one:

Which seems like something your business wants to invest in? Startups looking to attract enterprise customers and acquisition should ensure that their offerings are like the later, something that I imagine will be hard for many of them due to a lack of experience working in and with large enterprises.

Coviello closed with a helpful analogy in which he compared cloud computing to the finical system. Initially, we traded chickens for grain; then we used coins; then we "virtualized" our finances and began using paper money -- an act that places trust on the issuer of the notes; then, we created stocks and bonds to allow us to distribute wealth in a more "elastic" manner.

To make this happen, Charney picked up after him, identity is going to be a fundamental obstacle that we must overcome. Including wording on his slides, Charney said identity over 25 times in his short address. Microsoft, all the other speakers, and myself believe that identity is key in the adoption of cloud computing which is the future of all organizations. To this end, Microsoft just released a public beta of U-Prove, a technology that is built on top of WIF, ADFS, and CardSpace; it provides the least amount of information necessary to conducting one's business online in the cloud. I've had early access to an alpha of this software and talked to Christian Paquin, one of its creators, last year at RSA. It is a really compeling technology and the release of the public beta, free use of its crypto, and open source reference code is an important step in overcome the identity barrier.

There's a lot more to see and here today, so I'll post again this evening if I have time. Keep an eye on my Twitter stream for real-time updates and drop me a line if you have any questions/comments about the keynotes or U-Prove.

RSA Conference 2010 -- Day 1

2010-03-02T04:34:13Z

This year, I'm attending my second consecutive RSA Conference. Just like last year 's show, I will be blogging about each day's happenings. Today, I started things off by attending the day-long Kantara workshop. Like I mentioned last year, Kantara is a grassroots effort to bring together the OpenID, Information Card, and SAML communities to find a way to provide digital identity solutions in both the enterprise and consumer space.

During the workshop, various folks from CA, Google, PayPal, MEDecisions, NTT, Ping Identity, et al. spoke about what the group has been doing since its kick off last year at RSA. Trent Adams, of the Internet Society, started by explaining what Kantara is, ways to get involved, etc. Four important things that he said were:

Any individual can become a participant for free and become a voting member for a nominal fee (~$100/year) -- more for companies
Kantara is not a standards body but an incubator for them
The User-Managed Access (UMA) working group, chaired by Eve Maler of PayPal, is the most active of all groups
Kantara has been granted provisional status by the US government as a Trust Framework Provider (or something) that basically means that Uncle Sam thinks they're doing pretty important stuff ;-)

Andrew Nash of PayPal spoke next about how we as an industry are a couple billionths of a second after the "big bang" of identity, meaning we are on the absolute forefront of creating an identity metasystem for the Internet. Given its early days, it's helpful to use the framework presented by Matthew Gardiner of CA to see what initial identity-related capabilities are needed to enable cloud computing:

By these labels, Gardiner means thus:

Enterprise to Cloud Providers - Needs of enterprises who are trying to leverage SaaS or cloud services
For Cloud Providers - Needs of cloud/SaaS providers themselves
Cloud Providers for Enterprise - Needs of cloud/SaaS providers who are targeting large enterprises

As a market researcher, I would be jazzed to know that this industry leader believes that what big businesses who are trying to adopt cloud computing need right now is data loss prevention, user authentication and federation, and log management services. Good time to be an aspiring entrepreneur who knows a bit about cloud computing, SAML, WS-Trust, and WS-Federation :-)

Paul Madsen (@paulmadsen), of NTT, then explained about what's been happening in the identity space with regard to the various specs and protocols. He said that most of the work these days is on creating new profiles for the various protocols (e.g., the XSPA profiles for WS-Trust, SAML, etc.). He also mentioned OAuth WRAP which Eric Sachs of Google also talked about. Not surprisingly Sachs was very positive about it, but so was Madsen. It was notable to me because I got the impression that the community was in a tissy about WRAP, but those of the community that I heard from today weren't. I caught up with Sachs on the exhibition floor and we chatted over a messy sandwich about how WRAP's purpose was to make OAuth simple to implement. I've never tried, but Sachs said that OAuth is just too difficult for many developers to do right.

Also in the exhibitor hall, I met up with Sridhar Muppidi and Craig Forster of IBM. This architect and engineer told me about how their STS, which is a part of Tivoli Security Policy Manager (TSPM), has implemented the XSPA profile. Muppidi also said that their STS conforms to WS-Trust 1.3 but that 1.4 is on their road map. He said that most of their customers are still using 1.2, so 1.3 is still relatively new and that customers aren't even thinking about 1.4 yet. When they do implement the new versions though, he said that they intend to support not only ActAs but also the new challenge and response stuff. Awesome! They do challenge/response now in their STS in a proprietary way, Muppidi went on to say. What they do is fault and include a subcode and info about the challenge that the user needs to answer to continue the token issuance process.

There's more I could say. Unfortunately, I left my time stopper and a person replicator at home though, so I have to leave it here for now. You can get all the slides from all the presentation from my stash. If you have questions about anything I've written, add a comment below or get in touch with me. Also, if you're at RSA and want to hook up, call, text, or DM/mention me on Twitter.

Pros and Cons of WIF

2010-02-18T23:36:59Z

I got a message from Sidar Ok on Twitter the other day asking about the pros and cons of Windows Identity Foundation (WIF). I put together the following list when replying to him, but wanted to share it with the community as well

Pros

Makes it much simpler to implement an STS then it is with just .NET and WCF
Unified programming model across multiple platforms including WCF and ASP.NET
Support for WS-Trust
Support for WS-Federation
Support for SAML 1.1 and 2 tokens
Large amount of docs, books, mags, blogs, docs and community relative to its age
Good tool support (e.g., Visual Studio and and FedUtil)

Cons

No support for SAML 1.1 or 2 protocols
Can't be installed on Windows XP
Unpolished support for other platforms (e.g, Silverlight, ASP.NET MVC, etc.)

Did I miss any? Do you disagree? Which of those benefits are the most compelling to you and your company? Which of those drawbacks are the biggest hindrances to your adoption? Let me know in a comment below or get in touch with me directly.

Claims-based Identity Book Published

2010-01-30T15:16:46Z

As Eugenio Pace mentioned on his blog, the new book A Guide to Claims-Based Identity and Access Control has been released in its entirety online. The published version will be out some time this spring IINM. I served as a technical editor on this book, and I certainly recommend it. It was really great working with Eugenio and the group.

BTW, I got involved in this this project by engaging with Matias Woloski on Twitter. He forwarded my contact info to Eugenio, and the rest is history. I have had similar experiences due to my use of other social media such as LinkedIn, Facebook, and blogging. So, if you're not using on-line social networking, I encourage you to begin. It is a fun way to connect with your peers.

OWASP Presentation Slides

2010-01-20T04:44:25Z

I presented to the Portland chapter of the OWASP Foundation this afternoon on SAML, digital identity, and federation. It went really well, and it was very enjoyable. Thanks to all who attended and to the group's organizers, AJ Dexter and Tim Morgan. I've uploaded my slides, and anyone is free to use them. Check out the OWASP Web site for upcoming events. If you have topics you'd like to suggest or are interested in speaking to the group about something related to Web application security, I'm sure they would love to hear from you.

If you're confused by something in the slides, have feedback, or would like me to present to your group about this or other topics, please let me know.

Animated Explanation of the Identity Provider Discovery Profile

2010-01-11T21:35:30Z

I've gotten a lot of positive feedback on the last two presentations I've uploaded about SAML:

Thanks to all those who shared their thoughts. You're why I write this blog :-)

In preparation for my upcoming talk at the Portland OWASP group about federation and SAML, I decided to dig in a bit more to the Identity Provider Discovery Profile. This profile loosely defines a way to do home realm discovery. It lays out a solution that is probably only used by really big organizations, but I feel that it's good to know it just in case I need it one day. If you're like me and want to understand the details of SAML and federation, download this intuitive, animated presentation showing one way to implement this profile. Note that I said one way. This part of the spec is pretty open and allows for a lot of variation. Also, unlike the other PowerPoints I've done recently, this one includes notes on each slide to help explain what all the arrows mean.

If you would like to use this PPT to explain SAML to your friends and family, feel free. Ditto for more professional uses ;-) I just ask that you give me credit and leave my name on the deck.

As always, if you have thoughts, comments, or questions, feel free to leave them here or by getting in touch with me. Happy federating and see you at OWASP next week.

ADFS and OpenID

2010-01-07T17:00:00Z

The other day, Travis Nielsen wrote an article about how to use ADFS in conjunction with an OpenID provider (OP) to authenticate users accessing a SharePoint 2010 site. His article is really good and definitely worth reading. As he says in it, he based his work on Matias Woloski's which is also a must read. Travis proposes a solution that, if implemented exactly, will include five token services. Something like this:

I like this stuff a lot, but that's too many STSs if you ask me. Instead, I would suggest doing away with the the protocol transition STS (as Matias called it) and instead customize ADFS's login app to thunk between WS-Federation and OpenID. Building a proof of concept (PoC) to demonstrate this using Matias' code was short work. Here's how I did it:

1. I changed IIS, so ADFS would use my own login app rather than the one that it comes with. I did so by modifying the IIS "ls" application to point to some other directory. You can also do this by modifying the Windows Internal Database (WID), but I wouldn't recommend that.

2. Then I dumped Matias' code into this directory and modified it a tiny bit. (My code can be found in this ZIP file.)

3. I didn't have SharePoint 2010 set up, so I used one of the passive RPs that come with the WIF SDK as a substitute. I changed the issuer URI to that of ADFS's passive endpoint (i.e., https://.../adfs/ls). Then, I pulled it up in my browser. I was redirected to ADFS's new login app.

4. Once there, I entered my OP's endpoint.

5. This redirected me to my OP, and I logged in.

6. I was redirected back to the ADFS login app (passive STS) which thunked the OpenID response to a WS-Federation response. I was then redirected to the RP (which would be the SharePoint RP-STS in the actual case). The RP displayed the claims which included the name and ID issued by the OP.

I know what you're thinking. Surely there's stuff in ADFS's login app that can't just be thrown out like this. Definitely. This isn't a finished product in any sense. It's just a demonstration of how you can protect a SharePoint 2010 site using 4 STSs instead of 5.

Presenting on Federation, Identity, and SAML

2010-01-06T17:18:22Z

On the 19th of January at 4 PM, I will be presenting to the Portland OWASP chapter on federated identity management and the protocols used to implement such systems. I'll talk talk about the problem space in general, and I'll drill into SAML in particular. Once I have the slides done, I'll upload them to slideshare and post a link here. In the meantime, you can download an iCalandar file with the event in it to help you remember when and where it is.

If you have questions, suggestions, or thoughts about what you'd like to discuss or hear more about, leave a comment here or get in touch with me.

See you there!

Animated Explanation of Single Sign-On (SSO)

2009-12-30T05:48:51Z

A couple of weeks ago, I uploaded an animated PowerPoint presentation showing how the SAML and WS-Federation protocols work. I thought this format would also be helpful to see how Single Sign-On (SSO) works. It may be obvious to many, but it wasn't to me at first. So, I hope that this presentation will prove useful to others who are also learning about federation.

The PowerPoint deck is available in my stash. As always, please post a comment or drop me a line if you have any thoughts or questions.

Animated Explanation of SAML

2009-12-10T17:23:13Z

With the impending release of ADFS, all Microsoft shops will soon have a very powerful tool for establishing federation relationships with their partners using the SAML protocol. To do so, many of these organizations will require the use of SAML not WS-Federation (especially in industries where federation has broad adoption). Support for SAML is new in version two of ADFS, so many experienced ADFS administrator or developer are new to the protocol. I was, so I went digging in the standards to try to figure things out.

The standards are surprisingly easy to read, but, if you're a visual learner, you'd probably rather watch paint dry then read them. For this reason, I've put together a PowerPoint slide deck that uses animations to demonstrate the various profiles defined by SAML 1 and SAML 2. I've also compared it to the way in which I've typically seen WS-Federation implemented. At the end, I have some suggestions on how to pick the appropriate profile.

You can get the deck from my stash. If you have feedback or find mistakes, please post a comment or drop me a line.

Cross-Realm Service Calls

2009-10-25T06:48:21Z

In a previous post, I talked about candidate architectures for federated identity systems. My current favorite includes a single IP-STS that issues identity-only claims that are globally unique across all security realms. Because most applications will require more than just identity claims to make an access control decision, the architecture includes an RP-STS per realm. These token services translate globally unique user attributes into ones that are specific to him/her in each of these fiefdoms. The additional claims allow the applications in these realms to determine if the subject should be allowed access to their resources. A diagram of this arrangement doesn't have many boxes or arrows (as you can see in the first figure); however, it gets more complicated when you think about what it would require to solve some fairly common use cases. For instance, how does a Web application in one realm call a Web service in another? This need may arise when one BU owns the Web front-end and another owns the back-end service. Each application in these two BUs (i.e., security realms) would trust different RP-STSs. So, how (on paper) can this use case be solved with the previously described candidate architecture?

In order for this to work, the Web front-end RP 1 needs to trust RP-STS 1; RP-STS 1 must trust the IP-STS. Also, the Web service RP 2 trusts RP-STS 2. The RP-STSs must trust each other. These relationships can be seen in the second figure.

That's a few more lines, and we still haven't shown the information flows ;-)

Given these trusts, the chain of events that result is as follows: When an unauthenticated user accesses RP 1, he is redirected to RP-STS 1 (via WS-Federation). From there, he is redirected again to the IP-STS (also on the front-channel). The user authenticates, and the IP-STS issues him a security token ST0 containing identity-only claims. It redirects him back to RP-STS 1. That STS accepts ST0 as proof of the callers identification (because it trusts the IP-STS), and issues him a new token ST1 which contains application-specific claims that RP 1 will need authorize his access. It is very important to note that at this point ST0 is gone. RP-STS 1 may have copied the identity claims into ST1, but for all practical purposes ST0 with its signature, claims, and whatnot is completely gone. ST1 is returned to the user, and relayed to RP 1.

Now, our Web front-end RP 1 wants to call the back-end Web service RP 2 to get some additional resource. To do so, RP 1 needs a token for the user that is specific to RP 2. This RP only trusts RP-STS 2, so RP 1 must request an ActAs token from RP-STS 2 (using WS-Trust). To get this, RP 1 must be able to authenticate (e.g., using an X.509 cert) and send it ST1 that it got from an issuer that RP-STS 2 trusts, namely, RP-STS 1. RP-STS 2 does some verification of the token and authorization to ensure that RP 1 and ST1 can be used to get an ActAs token for RP 2. If so, RP-STS 2 transforms ST1 into an ActAs token ST2 that contains application-specific claims for the user accessing RP 2 (via RP 1). ST2 is returned to RP 1 who includes it with the request sent to RP 2. RP 2 trusts the issuer, so it accepts the claims in it and uses them to determine if the user is allowed access.

This sequence of events is shown in the final figure:

I know what you're thinking: This is maddening. Anyone that does this is psycho. You're right that this is complicated stuff. (Anyone who tells you differently is trying to sell you something.) If you're dealing with financial data, healthcare records, government secrets, or other sensitive information, however, what alternatives do you have? Let me know if you can think of a better way.