Sun Java System Access Manager 7.1 Technical Overview

The Web Services Stack

In Access Manager, the Federation framework enables the secure exchange of authentication and authorization information by providing an interface for creating, modifying, and deleting authentication domains and configuring service and identity providers (both remote and hosted types) as entities. Additionally, the implemented web services define a stack to support the Federation framework. The following figure illustrates the architecture of the web services stack and how a web service consumer communicates with the web service provider (Access Manager).

Figure 5–2 Web Services Architecture

This figure illustrates the web services architecture in Access Manager.

Implemented Services

Access Manager includes the following web services based on the Liberty Alliance Project specifications:

Authentication Web Service

Provides authentication to a WSC, allowing the WSC to obtain security tokens for further interactions with other services at the same provider. Upon successful authentication, the final Simple Authentication and Security Layer (SASL) response contains the resource offering for the Discovery Service.

Discovery Service

A web service that allows a requesting entity, such as a service provider, to dynamically determine a principal's registered attribute provider. Typically, a service provider queries the Discovery Service, which responds by providing a resource offering that describes the requested attribute provider. The implementation of the Discovery Service includes Java and web-based interfaces.

SOAP Binding

A set of Java APIs used by the developer of a Liberty-enabled identity service. The APIs are used to send and receive identity-based messages using SOAP, an XML-based messaging protocol.

Liberty Personal Profile Service

A data service that supports storing and modifying a principal's identity attributes. Identity attributes might include information such as first name, last name, home address, and emergency contact information. The Liberty Personal Profile Service is queried or updated by a WSC acting on behalf of the principal.

Web Services Process

The following figure provides a high-level view of the process between the various components in the web services stack. The numbered steps after the figure walk through this example.

Figure 5–3 Web Services Stack Process

Illustration depicting the web services process in Access Manager.

The following process assumes that the user, the identity provider, and the service provider have already been federated.

  1. The user attempts to access a resource hosted on the service provider server.

  2. The service provider redirects the user to the identity provider for authentication.

  3. The identity provider authenticates the user successfully and sends the single sign-on assertion to the requesting service provider.

  4. The service provider verifies the assertion and the user is issued a session token.

  5. The service provider redirects the user to the requested resource.

  6. The user requests access to another service hosted on the WSC server.

    For example, that service might need the value of an attribute from the user’s Liberty Personal Profile Service.

  7. The WSC sends a query to the Discovery Service to determine where the user’s Liberty Personal Profile Service instance is hosted.

    The WSC bootstraps the Discovery Service with the resource offering from the assertion obtained earlier.

  8. The Discovery Service returns a response to the WSC containing the endpoint for the user’s Liberty Personal Profile Service instance and a security token that the WSC can use to access it.

  9. The WSC sends a query to the Liberty Personal Profile Service instance.

    The query asks for the user’s personal profile attributes, such as home phone number. The required authentication mechanism specified in the Liberty Personal Profile Service resource offering must be followed.

  10. The Liberty Personal Profile Service instance authenticates the requesting user, the WSC, or both, and validates that they are authorized for the requested attributes.

    If user interaction is required for some attributes, the Interaction Service will be invoked to query the user for consents or for attribute values. The Liberty Personal Profile Service instance returns a response to the WSC after collecting all required data.

  11. The WSC processes the Liberty Personal Profile Service response, and renders the service pages containing the information.
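
The following Python model of steps 7 through 10 is an added example, not Access Manager code and not the Liberty ID-WSF wire format. It shows the security properties those steps rely on: the bootstrap token carried in the SSO assertion is exchanged at the Discovery Service for a Personal Profile endpoint plus a token bound to that WSC and endpoint, and the profile service rejects tokens issued for another WSC, resource, or lifetime and releases only attributes the user has consented to, invoking an interaction callback where consent is missing. The HMAC token format, `PP_ENDPOINT`, `DISCO`, `PROFILES`, and `CONSENT` are assumptions made for illustration.

```python
import hmac, hashlib, secrets, time
# Constructed model of steps 7 to 10; not the Liberty ID-WSF wire format.
SECRET = secrets.token_bytes(32)   # key shared by the IdP-side DS and PP (assumption)
PP_ENDPOINT = "https://pp.example.test/PP"   # constructed endpoint
DISCO = "urn:liberty:disco"                  # constructed resource id for the DS
PROFILES = {"alice": {"homePhone": "555-0100", "address": "1 Main St"}}
CONSENT = {("alice", "wsc-1"): {"homePhone"}}  # attributes the user consented to share, per WSC

def mint_token(subject, audience, resource, ttl=300):
    """Issue a token bound to one user, one WSC (audience) and one resource endpoint."""
    exp = int(time.time()) + ttl
    body = f"{subject}|{audience}|{resource}|{exp}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

def verify_token(token, audience, resource):
    """Return the subject, or None if the token is forged, expired, or for another WSC/resource."""
    try:
        subject, aud, res, exp, mac = token.split("|")
        body = f"{subject}|{aud}|{res}|{exp}"
        fresh = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(fresh, mac) and int(exp) > time.time()
    except ValueError:
        return None
    return subject if ok and aud == audience and res == resource else None

def discovery_query(bootstrap_token, wsc_id, user):
    """Steps 7-8: DS checks the bootstrap token, then returns the PP endpoint and a token for it."""
    if verify_token(bootstrap_token, wsc_id, DISCO) != user:
        return None
    return {"endpoint": PP_ENDPOINT, "token": mint_token(user, wsc_id, PP_ENDPOINT)}

def pp_query(token, wsc_id, attrs, interaction=lambda user, attr: False):
    """Steps 9-10: PP validates the token, then releases only consented attributes,
    asking the user through the interaction callback where consent is missing."""
    user = verify_token(token, wsc_id, PP_ENDPOINT)
    if user is None:
        return {"status": "Failed", "data": {}}
    allowed = CONSENT.setdefault((user, wsc_id), set())
    data = {}
    for attr in attrs:
        if attr not in allowed and interaction(user, attr):
            allowed.add(attr)
        if attr in allowed and attr in PROFILES.get(user, {}):
            data[attr] = PROFILES[user][attr]
    return {"status": "OK", "data": data}

def run_flow(user="alice", wsc_id="wsc-1", attrs=("homePhone", "address"), interaction=lambda u, a: False):
    bootstrap = mint_token(user, wsc_id, DISCO)  # carried in the SSO assertion (step 3)
    offering = discovery_query(bootstrap, wsc_id, user)
    return pp_query(offering["token"], wsc_id, attrs, interaction)
```

`run_flow()` returns only `homePhone`, because `address` has no stored consent and the default interaction callback declines; a token minted for another WSC, for the Discovery Service rather than the profile endpoint, or already expired is rejected by `pp_query`.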

For detailed information about all these components, see the Sun Java System Access Manager 7.1 Federation and SAML Administration Guide.