Abstract
This paper identifies
the main security requirements for
Web services and it describes how such security requirements are ad-
dressed by standards for Web services security recently developed or
under development by various standardizations bodies. Standards are
reviewed according to a conceptual framework that groups them by the
main functionalities they provide. Standards that are covered include
most of the standards encompassed by the WSS roadmap [2]; the Secu-
rity Assertion Markup Language -SAML-, WS-Policy, XACML, that is
related to access control and has been recently extended with a profile
for Web services access control; XKMS and WS-Trust; WS-Federation,
LibertyAlliance and Shibboleth, that address the important problem of
identity management in federated organizations. Finally, issues related
to the use of the standards are discussed and open research issues in the area of access control for Web services and innovative digital identity management techniques are outlined.