Wednesday, May 02, 2007

Recently the WS-Federation 1.1 specification was submitted to OASIS with the intent to have it ratified. The spec is long and I have not yet had a chance to actually understand it. But our experience at Safewhere with WS-Federation and WS-Trust is obviously a shared one; that is, you basically only need a passive profile, whereas the active profile used for web services is already covered by WS-Trust. SOAP-based federation may be viewed as simply chaining together Security Token Services as specified by WS-Trust and as such does not need its own separate spec.

Don Schmidt of Microsoft has started to blog about some of these things, and as one of the authors of the specs he should know.

posted on Wednesday, May 02, 2007 8:35:02 PM (Romance Daylight Time, UTC+02:00)
Monday, August 07, 2006

Sorry for the delay, but here is the source for the WSE 3.0 and Azman authorization sample that went with my MSDN Magazine article on service authorization using WSE 3.0 custom policy assertions and Microsoft Authorization Manager, Azman.

It has been updated to use the released versions of .NET 2.0, WSE 3.0 and Enterprise Library 2.0.

Please download from here, and follow the steps of the README file (40,1 KB, RTF). Note, though, that the current sample runs on Windows 2003 only, as it is based on Kerberos, which is much easier to make work on IIS 6. (Network Service is the default account for IIS 6.0 App pools, and has access to AD.) The README file has a comment on what it will take to make it work on XP with IIS 5.

The source may be downloaded from here (237,5 KB).

Disclaimer: This code has not been thoroughly tested and is meant as inspiration and illustration only.  Our company, Safewhere, makes the industrial scale version which includes a different modeling approach and support for multiple types of credentials - among other things.

posted on Monday, August 07, 2006 5:35:19 PM (Romance Daylight Time, UTC+02:00)
Thursday, January 12, 2006

Just came across Vibro's weblog, which includes a post on an informal graphic notation for illustrating the concepts involved in WS-Security and a small part of WS-Trust (communicating with a Security Token Service).

I might just pick up on his notation which should be useful, as he points out, for communicating the complexities of message security.  So thanks to Vibro.

posted on Thursday, January 12, 2006 8:27:37 AM (Romance Standard Time, UTC+01:00)