Liberty Identity Web Services Framework

The Liberty ID-FF defines how to implement single sign-on and identity federation to solve problems related to network identity. The Liberty Identity Web Services Framework (Liberty ID-WSF) builds on this by providing specifications for identity-based web services to work in tandem with the Liberty ID-FF. (An identity-based web service, or identity service, is a type of web service that acts upon a resource to retrieve information about an identity, update information about an identity, or perform some action for the benefit of an identity.) The Liberty ID-WSF can be used to develop web services that retrieve, update, or perform an action on identity data in a federated network environment using a SOAP-based invocation. The web services include, among others, a calendar service, a wallet service, and an alert service. A scenario that implements these specifications includes the following subjects:

• A web service consumer (WSC) invokes the functions provided by a web service by making a request to the web service's provider.

• A web service provider (WSP) implements a web service based on a request from a WSC.

For more information about the process between a WSC and WSP, see Discovery Service Process.

The following sections contain brief explanations of the Liberty ID-WSF 1.1 specifications.

• SOAP Binding Specification

• Discovery Service Specification

• Security Mechanisms Specification

• Data Services Template Specification

• Interaction Service Specification

• Authentication Service Specification

• Client Profiles Specification

• Additional Liberty ID-WSF Documents

More detailed information about the Liberty ID-WSF specifications can be found on the Liberty Alliance Project web site.

SOAP Binding Specification

The Liberty ID-WSF SOAP Binding Specification provides a transport layer framework for handling the request and response messages used by the Liberty ID-WSF services. It defines a mapping for the messages onto SOAP, an extensible XML-based messaging protocol by specifying, for example, how to:

• Correlate a particular SOAP request with its response.

• Indicate that Principal consent was obtained to carry out a given operation.

• Express additional context for a request.

For more information, see the Liberty ID-WSF SOAP Binding Specification.

Discovery Service Specification

The Liberty ID-WSF Discovery Service Specification defines a framework that enables a client to locate the appropriate web service for retrieving, updating, or modifying a particular piece of identity data. Typically, there are one or more services on a network that allow entities to perform an action on identity data. To keep track of these services or to know which can be trusted, clients require access to a discovery service. A discovery service is an identity service that acts as a registry of resource offerings. A resource offering defines an association between a particular piece of identity data and the instance of a web service that provides access to the data. With access to the discovery service, the client is able to discover which web service must be contacted to then access the desired identity data. A common use case is when personal profile or calendar data is placed within a resource offering so that the data can be located by other entities. For more information, see the Liberty ID-WSF Discovery Service Specification.

Security Mechanisms Specification

To access an identity service, an entity must interact with a discovery service to locate the appropriate identity service as well as the specific identity service instance that exposes the resource. The Liberty ID-WSF Security Mechanisms Specification describes mechanisms (providing authentication, signing and encryption operations) that can be used to ensure the integrity and confidentiality of the authorization messages exchanged when evaluating the entity's authorization to access the discovery service and identity service instance. These mechanisms consider:

• Authentication of the sender.

• Proxy rights for a third party to make a request as identity services may be accessed directly or through the assistance of an intermediary.

• Authentication of the response.

• Authentication context and session status of the interacting entity.

• Authorization of invocation identity to access service or resource.

For more information, see the Liberty ID-WSF Security Mechanisms Specification.

Data Services Template Specification

A data service is a web service that supports the query and modification of identity data. (An example of a data service is an identity service, such as an online corporate directory.) The Liberty ID-WSF Data Services Template Specification provides a protocol for the query and modification of the data attributes stored in a data service. The service interface specifications defined by the Liberty Alliance Project are based on this Data Services Template. For more information, see the Liberty ID-WSF Data Services Template Specification. For more information on the service interface specifications, see Liberty Identity Service Interface Specifications.

Interaction Service Specification

The Liberty ID-WSF Interaction Service Specification provides communication protocols for identity services to use when they must obtain permission from a principal (or someone who owns a resource on behalf of that principal) to allow the principal's identity data to be shared with requesting services. For more information, see the Liberty ID-WSF Interaction Service Specification.

Authentication Service Specification

The Liberty ID-WSF Authentication Service Specification defines how to authenticate parties communicating via SOAP request and response messages. It leverages widely used authentication services and mechanisms, and facilitates selection of these services and mechanisms at deployment time. The specification defines:

• An authentication protocol based on the Simple Authentication and Security Layer (SASL).

• An authentication service that Liberty-enabled clients can use to authenticate with identity providers.

• A single sign-on service that Liberty-enabled providers can use to interact with each other.

The specification also defines an identity-based authentication security token service, complementing the more general security token service as discussed in the section, Discovery Service Specification. For more information, see the Liberty ID-WSF Authentication Service Specification.

Client Profiles Specification

The Liberty ID-WSF Client Profiles Specification describes the requirements for Liberty-enabled clients that interact with the SOAP-based Authentication Service. Client profiles can enable browsers to perform an active role in transactions, in addition to the functions of a standard browser. For more information, see the Liberty ID-WSF Client Profiles Specification.

Additional Liberty ID-WSF Documents

For additional information about the Liberty ID-WSF specifications, the following documents are available on the Liberty ID-WSF 1.1 specification page.

• Liberty ID-WSF Architecture Overview

  Provides an architectural description of the Liberty ID-WSF framework including basic usage scenarios. It also highlights how the Liberty ID-WSF interacts with an identity management framework (such as the Liberty ID-FF).

• Liberty ID-WSF Security and Privacy Overview

  Provides an overview of security and privacy issues in the Liberty ID-WSF.

• Liberty ID-WSF Implementation Guidelines

  Provides guidelines on how the Liberty ID-WSF specifications should be implemented.

• Liberty ID-WSF Static Conformance Requirements

  Defines the mandatory and optional features for implementations conforming to this version of the specifications.

• Liberty ID-WSF Implementation Guidelines

  Describes the Liberty ID-WSF architecture, including examples, lessons learned, and best practices.