Most organizations will have at least two entry points to the organization: browser/portal interfaces and web services. The same sets of identities, SSO, federated identity attributes, access control and other policies need to be applied in a consistent fashion across both of these technologies. Reusing the IAM technologies already deployed, directories included, for Web Services is a fundamental requirement.
In most architectures, the presentation and user interface handling (including challenge-response protocols for authentication and SSO) will be handled by a portal. Different user credential schemes have been deployed over the years, including passwords, tokens, smart cards, X.509 certificates and many others. To reduce complexity and improve performance, reducing the number of credential types used within a web services framework is highly desirable. To that end, SAML assertions and Kerberos tickets are the most likely contenders. The advantage of SAML as the choice for this "single" token type is that it is extremely flexible and offers the opportunity to provide secondary authentication support by carrying the credentials necessary to interact with the legacy systems that Web Services must integrate with at some point.
This was first published in April 2006