Sun OpenSSO Enterprise 8.0 Administration Guide

Discovery Service

The Discovery Service is a framework for describing and discovering identity web services. It allows a requesting entity, such as a web service client, to dynamically determine a principal's registered web services provider (WSP), such as an attribute provider. Typically, a service provider queries the Discovery Service, which responds by providing a resource offering that describes the requested WSP. (A resource offering defines associations between a piece of identity data and the service instance that provides access to the data.) The implementation of the Discovery Service includes Java and web-based interfaces. The service is bootstrapped using SAMLv2, Liberty ID-FF single sign-on or the Liberty ID-WSF Authentication Web Service. .


Note –

By definition, a discoverable service is assigned a service type URI, allowing the service to be registered in Discovery Service instances. The service type URI is typically defined in the Web Service Definition Language (WSDL) file that defines the service.


Discovery Service Attributes

The Discovery Service attributes are global attributes whose values are applied across the OpenSSO Enterprise configuration and inherited by every configured organization. The Discovery Service attributes are:

Provider ID

This attribute takes a URI that points to the Discovery Service. Use the format protocol://host:port/opensso/Liberty/disco. This value can be changed only if other relevant attributes values are changed to match the new pointer.

Supported Authentication Mechanisms

This attribute specifies the authentication methods supported by the Discovery Service. These security mechanisms refer to the way a web service consumer authenticates to the web service provider or provides message-level security. By default, all available methods are selected. If an authentication method is not selected and a WSC sends a request using that method, the request is rejected.

Supported Directives

This attribute allows you to specify a policy-related directive for a resource. If a service provider wants to use an unsupported directive, the request will fail. The following table describes the available options. .

Table 9–2 Policy-Related Directives

Directive 

Purpose 

AuthenticateRequester

The Discovery Service should include a SAML assertion containing an AuthenticationStatement in its query responses to enable the client to authenticate to the service instance hosting the resource.

AuthenticateSessionContext

The Discovery Service should include a SAML assertion containing a SessionContextStatement in its query responses that indicate the status of the session.

AuthorizeRequestor

The Discovery Service should include a SAML assertion containing a ResourceAccessStatement in its responses that indicate whether the client is allowed to access the resource.

EncryptResourceID

The Discovery Service should encrypt the resource identifier in responses to all clients. 

GenerateBearerToken

For use with Bearer Token Authentication, the Discovery Service should generate a token that grants the bearer permission to access the resource. 

Policy Evaluation for Discovery Lookup

If enabled, the service will perform a policy evaluation for the DiscoveryLookup operation. By default, the check box is not selected.

Policy Evaluation for Discovery Update

If enabled, the service will perform a policy evaluation for the DiscoveryUpdate operation. By default, the check box is not selected.

Authorizer Plug-in Class

The value of this attribute is the name and path to the class that implements the com.sun.identity.liberty.ws.interfaces.Authorizer interface used for policy evaluation of a WSC. The default class is com.sun.identity.liberty.ws.disco.plugins.DefaultDiscoAuthorizer.

Entry Handler Plug-in Class

The value of this attribute is the name and path to the class that implements the com.sun.identity.liberty.ws.disco.plugins.DiscoEntryHandler interface. This interface is used to set or retrieve a principal’s discovery entries. To handle discovery entries differently, implement the com.sun.identity.liberty.ws.disco.plugins.DiscoEntryHandler interface and set the implementing class as the value for this attribute. The default implementation for the Discovery Service is com.sun.identity.liberty.ws.disco.plugins.UserDiscoEntryHandler.

Classes For ResourceIDMapper Plug-in

The value of this attribute is a list of classes that generate identifiers for a resource offering configured for an organization or role. com.sun.identity.liberty.ws.interfaces.ResourceIDMapper is an interface used to map a user identifier to the resource identifier associated with it. The Discovery Service provides two implementations for this interface:

Different implementations may also be developed with the interface and added as a value of this attribute by clicking New and defining the following attributes:

Authenticate Response Message

If enabled, the service authenticates the response message. By default, the function is not enabled.

SessionContextStatement for Bootstrapping

If enabled, this attribute specifies whether to generate a SessionContextStatement for bootstrapping. A SessionContextStatement conveys the session status of an entity. By default, this function is not enabled.

Encrypt NameIdentifier in Session Context for Bootstrapping

If enabled, the service encrypts the name identifier in a SessionContextStatement. By default, this function is not enabled.

Implied Resource

If enabled, the service does not generate a resource identifier for bootstrapping. By default, this function is not enabled.

Name Identifier Mapper

Defines the class and path that implements the NameIdentifierMapper interface. It is used to map user's Name Identifier from one provider to another.

Global Entry Handler Plug-in Class

Defines the class and path that implements the DiscoEntryHandler interface. It is used to get and set Disco Entries for a user stored in a realm. When an implied resource is used in a discovery service request, this implementation is used to perform the operation.

Resource Offerings for Bootstrapping

This attribute defines a resource offering for bootstrapping a service. After single sign-on (SSO), this resource offering and its associated credentials will be sent to the client in the SSO assertion. Only one resource offering is allowed for bootstrapping. The value of the Resource Offerings for Bootstrapping attribute is a default value configured during installation. If you want to define a new resource offering, you must first delete the existing resource offering, then click New to define the attributes for a new resource offering. If you want to edit an existing resource offering, click the name of the existing Service Type to modify the attributes.

Storing Resource Offerings

A resource offering defines an association between a type of identity data and a URI to the WSDL file that provides information about obtaining access to the data. In OpenSSO Enterprise, a resource offering can be stored as a user attribute or as a dynamic attribute. Storing resource offerings within a user profile supports both DiscoveryLookup and DiscoveryUpdate operations. Storing resource offerings within a service and assigning that service to a realm supports only the DiscoveryLookup operation using the discovery protocol. (Updates can still be done using the OpenSSO Enterprise Console.) More information is provided in the following sections:

Storing Resource Offerings as User Attributes

Resource offerings can be stored as an attribute under a user’s profile using the Lightweight Directory Access Protocol (LDAP). Storing resource offerings within a user profile supports both DiscoveryLookup and DiscoveryUpdate operations. The following procedure explains how to access and create a user’s resource offerings.

ProcedureTo Store a Resource Offering as a User Attribute

  1. In the OpenSSO Enterprise Console, click the Access Control tab.

  2. Select the name of the realm that contains the user profile you want to modify.

  3. Select Subjects to access user information.

  4. Select the name of the user profile that you want to modify.

  5. Select Services to access the user's services.

  6. Click Discovery Service.

  7. Click Add.

  8. (Optional) Type a value for the Resource ID Attribute.

    This field defines an identifier for the resource offering.

  9. Type the Resource ID Value.

    This field defines the resource identifier. A resource identifier is a URI registered with the Discovery Service that point to a particular discovery resource. It is generated by the profile provider. The value of this attribute must not be a relative URI and should contain a domain name that is owned by the provider hosting the resource. If a discovery resource is exposed in multiple Resource Offerings, the Resource ID Value for all of those resource offerings would be the same. An example of a valid Resource ID value is http://profile-provider.com/profiles/14m0B82k15csaUxs.


    Tip –

    urn:libery:isf:implied-resource can be used as a Resource ID Value when only one resource can be operated upon at the service instance being contacted. The URI only implicitly identifies the resource in question. In some circumstances, the use of this resource identifier can eliminate the need for contacting the discovery service to access the resource.


  10. (Optional) Enter a description of the resource offering in the Description field.

  11. Type a URI for the value of the Service Type attribute.

    This URI defines the type of service.


    Tip –

    It is recommended that the value of this attribute be the targetNamespace URI defined in the abstract WSDL description for the service. An example of a valid URI is urn:liberty:id-sis-pp:2003-08.


  12. Type a URI for the value of the Provider ID attribute.

    This attribute contains the URI of the provider of the service instance. This information is useful for resolving trust metadata needed to invoke the service instance. A single physical provider may have multiple provider IDs. An example of a valid URI is http://profile-provider.com.


    Note –

    The provider represented by the URI in the Provider ID attribute must also have a class entry in the ResourceIDMapper attribute.


  13. Click New Description to define the Service Description.

    For each resource offering, at least one service description must be created.

    1. Select the values for the Security Mechanism ID attribute to define how a web service client can authenticate to a web service provider.

      This field lists the security mechanisms that the service instance supports. Select the security mechanisms that you want to add and click Add. To prioritize the list, select the mechanism and click Move Up or Move Down.

    2. Type a value for the End Point URL.

      This value is the URL of the SOAP-over-HTTP endpoint. The URI scheme must be HTTP or HTTPS as in https://soap.profile-provider.com/soap.

    3. (Optional) Type a value for the SOAP Action.

      This value is the equivalent of the wsdlsoap:soapAction attribute of the wsdlsoap:operation element in the service's concrete WSDL-based description.

    4. Click OK to complete the configuration.

  14. Check the Options box if there are no options or add a URI to specify options for the resource offering.

    This field lists the options that are available for the resource offering. Options provide hints to a potential requestor about the availability of certain data or operations to a particular offering. The set of possible URIs are defined by the service type, not the Discovery Service. If no option is specified, the service instance does not display any available options.

  15. Select a directive for the resource offering.

    Directives are special entries defined in SOAP headers that can be used to enforce policy-related decisions. You can choose from the following:

    • GenerateBearerToken specifies that a bearer token be generated.

    • AuthenticateRequester must be used with any service description that use SAML for message authentication.

    • EncryptResourceID specifies that the Discovery Service encrypt the resource ID.

    • AuthenticateSessionContext is specified when a Discovery Service provider includes a SAML assertion containing a SessionContextStatement in any future QueryResponse messages.

    • AuthorizeRequester is specified when a Discovery Service provider wants to include a SAML assertion containing a ResourceAccessStatement in any future QueryResponse messages.

    If you want to associate a directive with one or more service descriptions, select the check box for that Description ID. If no service descriptions are selected, the directive is applied to all description elements in the resource offering.

  16. Click Save to save the configuration.

Storing Resource Offerings as Dynamic Attributes

Due to the repetition inherent in storing discovery entries as user attributes, OpenSSO Enterprise has established the option of storing a discovery entry as a dynamic attribute within a realm. The realm can then be assigned to an identity-related object, making the entry available to all users within the object. Unlike storing a discovery entry as a user attribute, this scenario only supports the DiscoveryLookup operation.

ProcedureTo Store Resource Offerings as Dynamic Attributes in a Realm

To create a discovery entry as a dynamic attribute in a realm, the Discovery Service must first be added and a template created.

  1. In the OpenSSO Enterprise Console, click the Access Control tab.

  2. Select the name of the realm you want to modify.

  3. Select Services to access the realm's services.

  4. Click Add to add the Discovery Service to the realm.

    A list of available services is displayed.

  5. Select Discovery Service.

  6. Click Next.

  7. Click Discovery Service to add a resource offering to the service.

  8. Click Add to add a resource offering.

  9. (Optional) Enter a description of the resource offering in the Description field.

  10. Type a URI for the value of the Service Type attribute.

    This URI defines the type of service. It is recommended that the value of this attribute be the targetNamespace URI defined in the abstract WSDL description for the service. An example of a valid URI is urn:liberty:id-sis-pp:2003-08.

  11. Type a URI for the value of the Provider ID attribute.

    The value of this attribute contains the URI of the provider of the service instance. This information is useful for resolving trust metadata needed to invoke the service instance. A single physical provider may have multiple provider IDs. An example of a valid URI is http://profile-provider.com.


    Note –

    The provider represented by the URI in the Provider ID attribute must also have an entry in the ResourceIDMapper attribute.


  12. Click New Description to define the Service Description.

    For each resource offering, at least one service description must be created.

    1. Select the values for the Security Mechanism ID attribute to define how a web service client can authenticate to a web service provider.

      This field lists the security mechanisms that the service instance supports. Select the security mechanisms that you want to add and click Add. To prioritize the list, select the mechanism and click Move Up or Move Down.

    2. Type a value for the End Point URL.

      This value is the URL of the SOAP-over-HTTP endpoint. The URI scheme must be HTTP or HTTPS as in https://soap.profile-provider.com/soap.

    3. (Optional) Type a value for the SOAP Action.

      This value is the equivalent of the wsdlsoap:soapAction attribute of the wsdlsoap:operation element in the service's concrete WSDL-based description.

    4. Click OK to complete the configuration.

  13. Check the Options box if there are no options or add a URI to specify options for the resource offering.

    This field lists the options that are available for the resource offering. Options provide hints to a potential requestor about the availability of certain data or operations to a particular offering. The set of possible URIs are defined by the service type, not the Discovery Service. If no option is specified, the service instance does not display any available options.

  14. Select a directive for the resource offering.

    Directives are special entries defined in SOAP headers that can be used to enforce policy-related decisions. You can choose from the following:

    • GenerateBearerToken specifies that a bearer token be generated.

    • AuthenticateRequester must be used with any service description that use SAML for message authentication.

    • EncryptResourceID specifies that the Discovery Service encrypt the resource ID.

    • AuthenticateSessionContext is specified when a Discovery Service provider includes a SAML assertion containing a SessionContextStatement in any future QueryResponse messages.

    • AuthorizeRequester is specified when a Discovery Service provider wants to include a SAML assertion containing a ResourceAccessStatement in any future QueryResponse messages.

    If you want to associate a directive with one or more service descriptions, select the check box for that Description ID. If no service descriptions are selected, the directive is applied to all description elements in the resource offering.

  15. Click OK.

  16. Click Close to close the Discovery Resource Offering window.

  17. Click Save to save the configuration.

Storing a Resource Offering for Discovery Service Bootstrapping

Before a WSC can contact the Discovery Service to obtain a resource offering, the WSC needs to discover the Discovery Service. Thus, an initial resource offering for locating the Discovery Service is sent back to the WSC in a SAML assertion generated during authentication. The following procedure describes how to configure a global attribute for bootstrapping the Discovery Service. For more information on bootstrapping the Discovery Service, see Resource Offerings for Bootstrapping.

ProcedureTo Store a Resource Offering for Discovery Service Bootstrapping

  1. In the OpenSSO Enterprise Console, select the Web Services tab.

  2. Under Web Services, click the Discovery Service tab.

  3. Choose New under the Resource Offerings for Bootstrapping Resources attribute.

    By default, the resource offering for bootstrapping the Discovery Service is already configured. In order to create a new resource offering, you must first delete the default resource offering.

  4. (Optional) Type a description of the resource offering.

  5. Enter a URI for the value of the Service Type attribute.

    This field defines the type of service. It is recommended that the value of this attribute be the targetNamespace URI defined in the abstract WSDL description for the service. An example of a valid URI is urn:liberty:disco:2003-08.

  6. Enter a URI for the value of the Provider ID attribute.

    This attribute contains the URI of the provider of the service instance. This is useful for resolving trust metadata needed to invoke the service instance. A single physical provider may have multiple provider IDs. An example of a valid URI is http://sample_disco.com.


    Note –

    The provider represented by the URI in the Provider ID attribute must also have an entry in the Classes for ResourceIDMapper Plugin attribute.


  7. Click Add Description to define a security mechanism ID.

    For each resource offering, at least one service description must be created.

    1. Select the values for the Security Mechanism ID attribute to define how a web service client can authenticate to a web service provider.

      This field lists the security mechanisms that the service instance supports. Select the security mechanisms you wish to add and click the Add button. To arrange the priority of the list, select the mechanism and use the Move Up or Move Down buttons.

    2. Type a value for the End Point URL.

      This value is the URL of the SOAP-over-HTTP endpoint. The URI scheme must be HTTP or HTTPS as in https://soap.profile-provider.com/soap.

    3. (Optional) Type a value for the SOAP action.

      This field contains the equivalent of the wsdlsoap:soapAction attribute of the wsdlsoap:operation element in the service's concrete WSDL-based description.

    4. Click OK to save the configuration.

  8. Check the Options box if there are no options or add a URI to specify options for the resource offering.

    This field lists the options that are available for the resource offering. Options provide hints to a potential requestor about the availability of certain data or operations to a particular offering. The set of possible URIs are defined by the service type, not the Discovery Service. If no option is specified, the service instance does not display any available options. .

  9. Select a directive for the resource offering.

    Directives are special entries defined in SOAP headers that can be used to enforce policy-related decisions. You can choose from the following:

    • GenerateBearerToken specifies that a bearer token be generated.

    • AuthenticateRequester must be used with any service description that use SAML for message authentication.

    • EncryptResourceID specifies that the Discovery Service encrypt the resource ID.

    • AuthenticateSessionContext is specified when a Discovery Service provider includes a SAML assertion containing a SessionContextStatement in any future QueryResponse messages.

    • AuthorizeRequester is specified when a Discovery Service provider wants to include a SAML assertion containing a ResourceAccessStatement in any future QueryResponse messages.

    If you want to associate a directive with one or more service descriptions, select the check box for that Description ID. If no service descriptions are selected, the directive is applied to all description elements in the resource offering.

  10. Click OK to complete the configuration.