
Sun Java Systems Access Manager 6 2005Q1 Federation Management Guide 

Chapter 4  
Authentication Web Service

The Sun Java™ System Access Manager contains an implementation of the Liberty ID-WSF Authentication Service Specification of the Liberty Alliance Project. The Authentication Web Service defines how to perform authentication using SOAP. This chapter contains the following topics:

  Overview
  Authentication Web Service Process
  Authentication Web Service Attribute
  Authentication Web Service Interfaces
  Authentication Web Service Sample


Overview

The implementation of the Access Manager Authentication Web Service is based on the Liberty ID-WSF Authentication Service Specification. The specification defines a protocol that adds authentication functionality to the SOAP binding discussed in the Liberty ID-WSF SOAP Binding Specification (and in Chapter 7, “SOAP Binding Service”). The Simple Authentication and Security Layer (SASL) is the method used to add this authentication support to the SOAP transport layer. The Access Manager Authentication Web Service is intended for service-to-service (non-user) authentication.


Note

On the Liberty Alliance Project Web site, the Liberty ID-WSF Authentication Service Specification can be found at http://www.projectliberty.org/specs/liberty-idwsf-authn-svc-v1.0.pdf.


XML Service File

The Access Manager Authentication Web Service is configured using the XML service file amAuthnSvc.xml. amAuthnSvc.xml defines the attribute for the Authentication Web Service, which can be managed through the Access Manager console or by editing the XML file itself.


Note

More information on XML service files can be found in the section on XML Service Files in the Sun Java System Access Manager 6 2005Q1 Developer’s Guide (http://docs.sun.com/doc/817-7649).


The Liberty ID-WSF Authentication Service Specification also contains an XML schema that defines the authentication protocol. This XML Schema Definition (XSD) file can be found on the Liberty Alliance Project Web site. Version 1.0 is also reproduced in Appendix B, "Service Schema Files."

Application Programming Interfaces

The Access Manager Authentication Web Service includes two Java programming packages: com.sun.identity.liberty.ws.authnsvc.protocol and com.sun.identity.liberty.ws.authnsvc. The former package contains classes that represent the SASL request and response, while the latter is a client API for external Java applications to send SASL requests and receive SASL responses. Together they are used to initiate the authentication process and communicate authentication credentials to the Authentication Web Service.


Authentication Web Service Process

The exchange of authentication information between a Web service consumer (WSC) and the Web service provider (WSP) is accomplished using SOAP-bound messages. The messages are a series of client requests and server responses specific to the defined SASL mechanism (or mode of authentication).


Note

The authentication exchange can involve an arbitrary number of round trips, dictated by the particular SASL mechanism employed. The WSC may have knowledge of the supported SASL mechanisms, or it may send the server its own list and allow the server to choose one from among them. The list of supported mechanisms can be found at http://www.iana.org/assignments/sasl-mechanisms.


After receiving a request for authentication (or any response from the WSC), the WSP may issue additional challenges, or indicate authentication failure or success. The following steps detail the sequence between the WSC and the Authentication Web Service (a WSP).

  1. The authentication exchange begins with a WSC sending a SASL authentication request to the Authentication Web Service on behalf of a principal.
  2. The request message contains an identifier for the principal and indicates one or more SASL mechanisms from which the service can choose.
  3. The Authentication Web Service responds by asserting the method to use and, if applicable, initiating a challenge.
  4. If the Authentication Web Service does not support any of the cited methods, it responds by aborting the exchange.
  5. The WSC responds with the necessary credentials for the chosen method of authentication.
  6. The Authentication Web Service replies by approving or disapproving the authentication.
  7. If approved, the response includes the credentials the WSC needs to invoke other Web services (like the Discovery Service).
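The seven steps above, carried out end to end as an added example that is not part of this guide or of Access Manager's own code. Both sides of the exchange are simulated offline: the WSC offers a list of mechanisms, the WSP picks one and issues a continue, the WSC answers with PLAIN credentials, and the WSP approves with a credential or aborts. The element names (SASLRequest, SASLResponse, Status, Data, Credentials) follow the Liberty authentication schema; the namespace URI, the status code spellings (sa:continue, sa:OK, sa:abort), the in-memory credential store and the opaque token returned on success are assumptions made for illustration.

```python
import base64
import hmac
import secrets
import xml.etree.ElementTree as ET

# ASSUMED namespace URI for the Liberty authentication (sa:) schema.
SA_NS = "urn:liberty:sa:2004-04"
ET.register_namespace("sa", SA_NS)


def _q(tag):
    """Clark-notation name for an element in the sa: namespace."""
    return "{%s}%s" % (SA_NS, tag)


# Constructed WSP-side state: the mechanisms the service accepts (what the
# Mechanism Handler List configures) and a stand-in credential store.
SUPPORTED_MECHANISMS = ["PLAIN"]
_CREDENTIALS = {"bob": "s3cret"}


def wsc_initial_request(authz_id, mechanisms):
    """Steps 1 and 2: name the principal and offer one or more SASL mechanisms."""
    req = ET.Element(_q("SASLRequest"),
                     {"mechanism": " ".join(mechanisms), "authzID": authz_id})
    return ET.tostring(req, encoding="unicode")


def wsc_credential_request(authz_id, authc_id, password, chosen):
    """Step 5: answer the server's chosen mechanism with PLAIN credentials.

    The PLAIN message is authzid NUL authcid NUL password (RFC 4616),
    carried base64-encoded in <sa:Data>.
    """
    req = ET.Element(_q("SASLRequest"), {"mechanism": chosen, "authzID": authz_id})
    payload = f"{authz_id}\0{authc_id}\0{password}".encode()
    ET.SubElement(req, _q("Data")).text = base64.b64encode(payload).decode()
    return ET.tostring(req, encoding="unicode")


def _response(server_mechanism, code, credential=None):
    resp = ET.Element(_q("SASLResponse"), {"serverMechanism": server_mechanism})
    ET.SubElement(resp, _q("Status"), {"code": code})
    if credential is not None:
        ET.SubElement(resp, _q("Credentials")).text = credential
    return ET.tostring(resp, encoding="unicode")


def wsp_handle(request_xml):
    """Steps 3, 4, 6 and 7: pick a mechanism, challenge, then approve or abort."""
    req = ET.fromstring(request_xml)
    offered = req.get("mechanism", "").split()
    chosen = next((m for m in offered if m in SUPPORTED_MECHANISMS), None)
    if chosen is None:
        return _response("", "sa:abort")          # step 4: no usable mechanism offered
    data = req.find(_q("Data"))
    if data is None or not data.text:
        return _response(chosen, "sa:continue")   # step 3: mechanism chosen, credentials wanted
    try:
        authz_id, authc_id, password = base64.b64decode(data.text).decode().split("\0")
    except ValueError:
        return _response(chosen, "sa:abort")      # malformed PLAIN payload: abort, no stack trace
    # Constant-time comparison; an unknown user is compared against an empty string.
    expected = _CREDENTIALS.get(authc_id, "").encode()
    ok = (authc_id in _CREDENTIALS
          and hmac.compare_digest(expected, password.encode())
          and authz_id in ("", authc_id))
    if not ok:
        return _response(chosen, "sa:abort")      # step 6: disapproved
    # Step 7: hand back a credential for calling other services. A constructed
    # opaque token stands in for the SAML assertion Access Manager would issue.
    return _response(chosen, "sa:OK", "CONSTRUCTED-TOKEN-" + secrets.token_hex(8))


def parse_response(response_xml):
    """Return (status code, server mechanism, credential or None) from a SASLResponse."""
    resp = ET.fromstring(response_xml)
    cred = resp.find(_q("Credentials"))
    return (resp.find(_q("Status")).get("code"),
            resp.get("serverMechanism"),
            cred.text if cred is not None else None)


def run_exchange(authz_id, authc_id, password, mechanisms):
    """Drive both sides; return (status codes seen in order, credential or None)."""
    statuses = []
    status, chosen, _ = parse_response(wsp_handle(wsc_initial_request(authz_id, mechanisms)))
    statuses.append(status)
    if status != "sa:continue":
        return statuses, None
    status, _, cred = parse_response(
        wsp_handle(wsc_credential_request(authz_id, authc_id, password, chosen)))
    statuses.append(status)
    return statuses, cred


if __name__ == "__main__":
    print(run_exchange("bob", "bob", "s3cret", ["CRAM-MD5", "PLAIN"]))   # continue, then OK
    print(run_exchange("bob", "bob", "wrong", ["PLAIN"]))                # continue, then abort
    print(run_exchange("bob", "bob", "s3cret", ["CRAM-MD5"]))            # abort at step 4
```

Two points the simulation makes visible: the WSP never reveals whether the user or the password was wrong (both paths return the same sa:abort), and PLAIN carries the password in clear inside the SOAP body, so the confidentiality of the exchange rests entirely on the transport protection described in the SOAP Binding chapter.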


Caution

The Liberty-based Authentication Web Service is not to be confused with the proprietary Access Manager Authentication Service discussed in the Sun Java System Access Manager 6 2005Q1 Developer’s Guide (http://docs.sun.com/doc/817-7649).



Authentication Web Service Attribute

The Authentication Web Service attribute is a global attribute. The value of this attribute is carried across the Sun Java System Access Manager configuration and inherited by every organization.


Note

For information on the types of attributes used in Access Manager, see the Service Management chapter of the Sun Java System Access Manager 6 2005Q1 Developer’s Guide (http://docs.sun.com/doc/817-7649).


The attribute for the Authentication Web Service is defined in the amAuthnSvc.xml service file and is called the Mechanism Handler List.

Mechanism Handler List

The Mechanism Handler List attribute stores information about the SASL mechanisms supported by the Authentication Web Service. It displays entries that contain key/value pairs separated by a pipe (“|”) as in:

key=PLAIN|class=com.sun.identity.liberty.ws.authnsvc.mechanism.PlainMechanismHandler

key Parameter

The required key parameter defines the SASL mechanism supported by the Authentication Web Service.

class Parameter

The required class parameter specifies the name of the implementation class for the SASL mechanism. The Authentication Web Service layer provides a handler interface that needs to be implemented in order for each SASL mechanism to process the requested message and return a response.
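Parsing the Mechanism Handler List entries and wiring each key to its handler, as an added example that is not Access Manager's own code. The entry syntax (key=...|class=..., pipe-separated, both parameters required) and the sample class name come from this section; the shape of the handler interface, the stand-in PlainMechanismHandler, the dictionary that stands in for Java class loading and the sa: status codes it returns are assumptions.

```python
import re

# SASL mechanism names are 1-20 characters from upper-case letters, digits,
# hyphen and underscore (RFC 4422, section 3.1).
_SASL_NAME = re.compile(r"^[A-Z0-9_-]{1,20}$")


class MechanismHandler:
    """Assumed shape of the per-mechanism handler interface the text describes."""

    def process(self, mechanism, data):
        """Handle one SASL request for this mechanism and return a status code."""
        raise NotImplementedError


class PlainMechanismHandler(MechanismHandler):
    """Stand-in for the PLAIN handler named in the sample entry."""

    def process(self, mechanism, data):
        # A real handler decodes and verifies the PLAIN payload; the stand-in
        # only reports whether credentials have been supplied yet.
        return "sa:OK" if data else "sa:continue"


# Stand-in for class loading (Class.forName in the Java implementation): maps the
# class name from the sample entry to the stand-in class above.
HANDLER_CLASSES = {
    "com.sun.identity.liberty.ws.authnsvc.mechanism.PlainMechanismHandler": PlainMechanismHandler,
}


def parse_entry(entry):
    """Split one 'key=...|class=...' entry into (key, class) or raise ValueError."""
    params = {}
    for part in entry.split("|"):
        if "=" not in part:
            raise ValueError(f"malformed parameter {part!r} in entry {entry!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        if name in params:
            raise ValueError(f"parameter {name!r} given twice in entry {entry!r}")
        params[name] = value
    for required in ("key", "class"):
        if not params.get(required):
            raise ValueError(f"entry {entry!r} is missing the required {required} parameter")
    if not _SASL_NAME.match(params["key"]):
        raise ValueError(f"{params['key']!r} is not a valid SASL mechanism name")
    return params["key"], params["class"]


def entry_error(entry):
    """Return None if the entry is valid, otherwise the validation message."""
    try:
        parse_entry(entry)
    except ValueError as exc:
        return str(exc)
    return None


def build_registry(entries):
    """Turn the attribute's entries into {mechanism key: handler instance}."""
    registry = {}
    for entry in entries:
        key, class_name = parse_entry(entry)
        if key in registry:
            raise ValueError(f"mechanism {key} is registered twice")
        handler_class = HANDLER_CLASSES.get(class_name)
        if handler_class is None:
            raise ValueError(f"no handler class {class_name} available")
        registry[key] = handler_class()
    return registry


def select_mechanism(registry, offered):
    """Pick the first mechanism in the WSC's space-separated list that has a handler."""
    return next((m for m in offered.split() if m in registry), None)


if __name__ == "__main__":
    entries = ["key=PLAIN|class=com.sun.identity.liberty.ws.authnsvc.mechanism.PlainMechanismHandler"]
    registry = build_registry(entries)
    chosen = select_mechanism(registry, "CRAM-MD5 PLAIN")
    print(chosen, registry[chosen].process(chosen, None))
    print(entry_error("key=PLAIN"))
```

Rejecting a malformed entry at load time, rather than when the first request arrives, is the point of the validation: an attribute with a missing class parameter or a misspelled mechanism key would otherwise surface as a runtime failure in the middle of an authentication exchange.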


Authentication Web Service Interfaces

The Authentication Web Service provides programmatic interfaces to allow clients to interact with the Authentication Web Service. They are:

com.sun.identity.liberty.ws.authnsvc

This package provides Web service clients with a method to request authentication credentials from the Authentication Web Service and receive responses back from it using the Simple Authentication and Security Layer (SASL).

com.sun.identity.liberty.ws.authnsvc.protocol

This package provides classes that correspond to the request and response elements defined in the Liberty XSD schema that accompanies the Liberty ID-WSF Authentication Service Specification. This schema is reprod


Authentication Web Service Sample

A sample authentication client is included with Access Manager. It is located in the AccessManager_base/SUNWam/samples/phase2/authnsvc directory. The client uses the PLAIN SASL authentication mechanism. It first authenticates against the Authentication Web Service, then extracts a resource offering to bootstrap the Discovery Service. It looks for a SAML Bearer token credential, issues a discovery query request with the SAML assertion included, and gets back a response.


Note

This sample can be used as a Liberty User Agent Device WSC.






Part No: 817-7648.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.