test

Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

Liberty Identity Web Services Framework

The Liberty ID-FF defines how to implement single sign-on and identity federation to solve problems related to network identity. The Liberty Identity Web Services Framework (Liberty ID-WSF) builds on this by providing specifications to develop web services that retrieve, update, or perform an action on identity data in a federated network environment. The specifications outline the technical components needed to build web services that operate with identity data, such as a calendar service, a wallet service, or an alert service. A scenario that implements these specifications includes the following subjects:

Web services are the basis of distributed computing across the Internet. A WSC locates a web service and invokes the operations the web service provides. The WSP is the application that implements a web service. The web service can be on the same Java virtual machine as the WSC, or it can be thousands of miles away. When a WSC needs to retrieve identity attributes from a WSP, the WSC must first contact a discovery service to locate where the particular attributes are stored. When this information is returned, the WSC then contacts the WSP (for example, a personal profile service) to retrieve the necessary attributes.

For more information about the process between a WSC and WSP, see Discovery Service Process.

Liberty ID-WSF Specifications

The Liberty ID-WSF includes these specifications:

SOAP Binding Specification

The Liberty ID-WSF SOAP Binding Specification provides a transport layer for handling SOAP messages. It defines SOAP header blocks and processing rules that enable the invocation of identity services using SOAP requests and responses. It also specifies how to 1) configure messages for optimum message correlation, assuring the relationship between a SOAP request and its response, 2) consent claims (permission to perform a certain action), and 3) usage directives (data handling policies). For more information, see the Liberty ID-WSF SOAP Binding Specification.

Discovery Service Specification

The Liberty ID-WSF Discovery Service Specification defines a framework that enables a client to locate the appropriate web service for retrieving, updating, or modifying a particular piece of identity data. Typically, there are one or more services on a network that allow entities to perform an action on identity data. To keep track of these services or to know which can be trusted, clients require a discovery service. A discovery service is essentially a web service interface for a registry of resource offerings. A resource offering defines an association between a piece of identity data and the service instance that provides access to the data. A common use case is when a personal profile or calendar data is placed within a discovery resource so that the data can be located by other entities. For more information, see the Liberty ID-WSF Discovery Service Specification.

Security Mechanisms Specification

The Liberty ID-WSF Security Mechanisms Specification describes the requirements for securing authorization decisions that are sent for the discovery and use of identity services. The specified mechanisms provide for authentication, signing, and encryption operations to ensure integrity and confidentiality of the messages. For more information, see the Liberty ID-WSF Security Mechanisms Specification.

Data Services Template Specification

The Liberty ID-WSF Data Services Template Specification defines how to query and modify the identity data attributes that are stored in a data service (a web service that holds data). The specification also provides common attributes for data services. For more information, see the Liberty ID-WSF Data Services Template Specification.

Interaction Service Specification

The Liberty ID-WSF Interaction Service Specification provides communication protocols for identity services to obtain permission from a principal (or someone who owns a resource on behalf of that principal) that allows the service to share the principal's identity data with requesting services. For more information, see the Liberty ID-WSF Interaction Service Specification.

Authentication Service Specification

The Liberty ID-WSF Authentication Service Specification defines how to authenticate parties communicating via SOAP-based messages. It leverages widely used authentication services and mechanisms, and facilitates selection of these services and mechanisms at deployment time. The specification defines the following:

The specification also defines an identity-based authentication security token service, complementing the more general security token service as discussed in the section, Discovery Service Specification. For more information, see the Liberty ID-WSF Authentication Service Specification.

Client Profiles Specification

The Liberty ID-WSF Client Profiles Specification describes the requirements for Liberty-enabled clients that interact with the SOAP-based Authentication Service. Client profiles can enable browsers to perform an active role in transactions, in addition to the functions of a standard browser. For more information, see the Liberty ID-WSF Client Profiles Specification.

Additional Liberty ID-WSF Documents

For additional information about the Liberty ID-WSF specifications, see the following documents: