Web Services Security (WSS or WSSE) is a set of specifications defined by the OASIS Web Services Security (WSS) Technical Committee.
WSS defines XML extensions used to secure web service invocations, providing a standard way for partners to add message integrity and confidentiality to web service interactions. The WSS-defined token profiles describe standard ways of binding security tokens to these messages, enabling a variety of additional capabilities. Defined profiles include SAML assertions, Username, Kerberos, X.509, and other existing security tokens. SSL/TLS is often used in conjunction with deployments of WSS. For more information, see https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss.
The implementation of WSS in the deployment of web services identity federations is outside the scope of PingFederate, which provides a standalone, standard means of handling the tokens needed for such federations. See WS-Trust.
- A user requests content from an application.
- The web service client sends a web service request to the WSP, including the SAML assertion in a WSS header.
- The WSP responds to the request and sends an SSL/TLS token back to the application.
- The web service client returns an HTML page to the user.
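
The second step above, sketched in Python as an added example (not PingFederate code and not part of the original page): the client binds an already-issued SAML 2.0 assertion into a `wsse:Security` header of a SOAP 1.1 request, and the WSP locates that token before passing it to validation. The sample assertion, `idp.example.com`, the `GetContent` body, and the function names are constructed for illustration; signature and condition checks on the assertion are assumed to happen in a later step.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"soap": SOAP, "wsse": WSSE, "saml": SAML}

# Constructed sample token (unsigned, for illustration only).
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-example" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.com</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)

def build_request(assertion_xml: str, body_xml: str) -> bytes:
    """Client side: place the SAML assertion in a wsse:Security header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    # The receiver must process this header block or fault.
    security.set(f"{{{SOAP}}}mustUnderstand", "1")
    security.append(ET.fromstring(assertion_xml))
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env)

def extract_assertion(request: bytes) -> ET.Element:
    """WSP side: return the single assertion bound to the message."""
    env = ET.fromstring(request)
    if env.tag != f"{{{SOAP}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    headers = env.findall("soap:Header/wsse:Security", NS)
    if len(headers) != 1:
        raise ValueError("expected exactly one wsse:Security header")
    # Only a direct child of wsse:Security is accepted as the token.
    tokens = headers[0].findall("saml:Assertion", NS)
    if len(tokens) != 1:
        raise ValueError("expected exactly one SAML assertion in the header")
    # Strict policy for this example: no assertion anywhere else in the
    # message, so later processing cannot pick up a different element.
    if len(env.findall(".//saml:Assertion", NS)) != 1:
        raise ValueError("unexpected SAML assertion outside wsse:Security")
    return tokens[0]

if __name__ == "__main__":
    req = build_request(SAMPLE_ASSERTION, '<GetContent xmlns="urn:example"/>')
    print(extract_assertion(req).get("ID"))
```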