WSS defines XML extensions used to secure web service invocations, providing a standard way for partners to add message integrity and confidentiality to web service interactions. The WSS-defined token profiles describe standard ways of binding security tokens to these messages, enabling a variety of additional capabilities. Defined profiles include SAML assertions, Username, Kerberos, X.509, and other existing security tokens. SSL/TLS is often used in conjunction with deployments of WSS. For more information see


The implementation of WSS in the deployment of web services identity federations is outside the scope of PingFederate, which provides a standalone, standard means of handling the tokens needed for such federations. See WS-Trust.

WSS token transfer
Diagram illustrating the WSS token transfer flow.

Processing steps

  1. A user requests content from an application.
  2. The web service client sends a web service request to the WSP, including the SAML assertion in a WSS header.
  3. The WSP responds to the request and sends an SSL/TLS token back to the application.
  4. The web service client returns an HTML page to the user.