
SAML and WS-Trust

Aryan Khan
Ranch Hand

Joined: Sep 12, 2004
Posts: 290

Hi all,

Wondering what is the difference between SAML and WS-Trust or how they fit together.

Here is my understanding:
WS-Trust can issue, validate, renew and assess trust relationships. We have an STS which can issue, validate or exchange these tokens, a requester and service provider.

SAML also has a service provider and an identity provider. A service requester is enrolled with at least one identity provider that the service provider trusts. The specification states that it resolves the problem with web browser SSO.

They have STS and identity provider, service requestor and provider, standard message syntax for requesting tokens.
But how do they differ and what do they address specifically?

The Google SSO can be implemented using WS-Trust as follows:

1. User gets a token for Google mail from the STS, in this case the partner.
2. User sends the request to Google Mail with the token.
3. Google mail validates/exchanges it with STS.

[ December 05, 2008: Message edited by: Aryan Khan ]

Dan Drillich
Ranch Hand

Joined: Jul 09, 2001
Posts: 1183

WS-Trust 1.3 Interoperability Profile: SAML 2.0 Token Profile says -

1 Introduction

This profile provides the semantics for the use of a SAML 2.0 security token within messages that comply with the WS-Trust Interoperability Profile.

Based on that, it seems to me that SAML can be used by messages which adhere to the WS-Trust Interoperability Profile.


William Butler Yeats: All life is a preparation for something that probably will never happen. Unless you make it happen.
Aryan Khan
Ranch Hand

Joined: Sep 12, 2004
Posts: 290

Hi Dan,

Thanks for the reply.

I have been reading about them lately as well.

I concluded that WS-Trust is used to renew, exchange and validate security tokens, which could be SAML assertions as well.

So a WS may send a SAML token to an STS for exchange to some other token format.
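To make the relationship discussed in this thread concrete, here is an added example (not part of the original posts): WS-Trust supplies the request/response envelope and a SAML 2.0 assertion is the token carried inside it. The host names, the sample response and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# URIs from WS-Trust 1.3, WS-Policy, WS-Addressing, SAML 2.0 and the
# WSS SAML Token Profile 1.1.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML20_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
NS = {"wst": WST, "saml": SAML}

# Constructed sample STS response (unsigned, example.com names are made up).
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">
  <wst:RequestSecurityTokenResponse>
    <wst:TokenType>{SAML20_TOKEN}</wst:TokenType>
    <wst:RequestedSecurityToken>
      <saml:Assertion xmlns:saml="{SAML}" ID="_constructed1" Version="2.0">
        <saml:Issuer>https://sts.example.com</saml:Issuer>
        <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
      </saml:Assertion>
    </wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>"""


def build_rst(applies_to):
    """Build a WS-Trust Issue request asking the STS for a SAML 2.0 token."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = f"{WST}/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML20_TOKEN
    scope = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")  # service the token is for
    epr = ET.SubElement(scope, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return rst


def extract_saml_token(rstr_xml):
    """Return (issuer, subject) of the SAML assertion carried in an RSTR."""
    # Only unpacks the WS-Trust envelope. Signature, conditions and audience
    # of the assertion are NOT checked here; a relying party must check them.
    root = ET.fromstring(rstr_xml)
    for rstr in root.iter(f"{{{WST}}}RequestSecurityTokenResponse"):
        token_type = rstr.findtext("wst:TokenType", default="", namespaces=NS).strip()
        assertion = rstr.find("wst:RequestedSecurityToken/saml:Assertion", NS)
        if token_type == SAML20_TOKEN and assertion is not None:
            issuer = assertion.findtext("saml:Issuer", namespaces=NS)
            subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
            return issuer, subject
    raise ValueError("RSTR carries no SAML 2.0 assertion")
```
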
