Securing a web service

We build web services that are for consumption by known third-parties.

We tend to implement very basic security that involves:

A known token ID which we communicate to both parties
Restrict access to known subset of IP addresses
Secure the transport layer via SSL

I'm not comfortable with this, but implementing Federated Security (using WIF/ADFS 2) is VERY complex! How can I justify using this tech - what is fundamentally wrong with the above approach?

I realise that the web service (which might expose sensitive data) is now only as secure as the token, but so would a username/password combo.

Thanks Duncan

Solution

To improve or replace the common token i would use some client/server certificate authentification. You will use SSL anyway and client certificate gives some more features

What status code should I use when session token is invalid?
Is it a good praxis to secure an webservice endpoint with a simple token string?
How to run unit tests (MSTest) in parallel?
Postman Chrome: What is the difference between form-data, x-www-form-urlencoded and raw
Amazon Product Advertising API (ItemSearch with ItemPage)
Google goggles with Intent OR Amazon API?
Update asp.net WebService reference from wsdl file?
send and receive SMS and developing a SMS panel
How to Create Secure(TLS/SSL) Websocket Server
How set Response body in javax.ws.rs.core.Response
Unauthorized with client authentication scheme NTLM
cxf webclient call api using TLSV1
Webservice connecting do database with IOS, PHP, REST API, JSON
How to show image from JSON in table view
How does a server respond to a iOS device?
Login in to a Web Service with Mobile App
Facebook Java Server
Integrating with TERYT - Polish Government web service
How does Google Maps secure their API Key? How to make something similar?
App getting crash in consuming API using swift?
Retrieving Soap Header on JAXWS Server Side
Web Application Architecture?
Jax-rs apache-cxf:No resource methods have been found for resource class
Sorting And Merging Data Returned From Web Service
Service Oriented Architecture suggestions
How Are References Handled in a VS2008 Website?
Can I specify the rabbitmq-server version when installing on a linux box?
Return result of create method and 201 status code
WSDL file not generating while creating SOAP web service
$_POST failed in web services?