Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

Discovery Service Overview

The initial step in accessing identity data (as discussed in Chapter 6, Data Services) is to determine where the information is located. For example, you must determine which identity service holds the principal’s credit card information or which server stores the principal’s calendar service. Typically, there are one or more services on a network that allow other entities to perform an action on identity data. Because clients are not expected to keep track of these services or to know which can be trusted, they require a discovery service. The Liberty ID-WSF Discovery Service Specification defines the framework that enables a client to locate the appropriate web service for retrieving, updating, or modifying a specific piece of identity data.


Note –

For more information, see the Liberty ID-WSF Discovery Service Specification.


Discovery Service Concepts

A discoverable web service is assigned a service type uniform resource identifier (URI) in the specification that defines it. This URI points to the Web Services Description Language (WSDL) file that describes the service’s data, the operations that can be performed on it, and a protocol for performing those operations. The discoverable service specification itself adds the available ways in which the data can be exchanged. A discovery service is essentially a web service interface for discovery resources. A discovery resource is a registry of resource offerings. A resource offering defines an association between a piece of identity data and the service instance that provides access to that data. A resource identifier is a URI registered with the discovery service that points to a particular discovery resource.

When a client sends a request for some type of data, it includes a resource identifier that the Discovery Service uses to locate the web services provider (WSP) for the requested attributes. The Discovery Service returns a resource offering that contains the information necessary to locate the data.


Note –

Because a provider hosting the Discovery Service can also be fulfilling other roles for an identity (such as a Policy Decision Point or an Authentication Authority), a query response also functions as a security token service. It provides a requester with the means of obtaining security tokens that can be used to invoke service instances returned.
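The query and response exchange described above, as an added example that is not part of this guide or of Access Manager's own API: a client builds a Liberty ID-WSF Discovery Query for one service type and then picks a usable resource offering from the QueryResponse. The namespace, the security mechanism URI, the sample response and the provider names are assumptions constructed for the example; the checks on provider trust and TLS transport are the caveats a WSC should apply even though the Discovery Service already vouches for the WSP.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Liberty ID-WSF 1.x Discovery namespace and TLS security mechanism URI (assumed; not from the page).
DISCO = "urn:liberty:disco:2003-08"
NS = {"d": DISCO}
SEC_MECH_TLS = "urn:liberty:security:2003-08:TLS:null"

def build_query(resource_id: str, service_type: str) -> str:
    """Serialize a <Query> asking the Discovery Service for offerings of one service type."""
    q = ET.Element(f"{{{DISCO}}}Query")
    ET.SubElement(q, f"{{{DISCO}}}ResourceID").text = resource_id
    rst = ET.SubElement(q, f"{{{DISCO}}}RequestedServiceType")
    ET.SubElement(rst, f"{{{DISCO}}}ServiceType").text = service_type
    return ET.tostring(q, encoding="unicode")

def select_offering(response_xml: str, service_type: str, trusted: set) -> Optional[dict]:
    """Return the first offering for service_type from a trusted provider over TLS, else None."""
    root = ET.fromstring(response_xml)
    status = root.find("d:Status", NS)
    if status is None or status.get("code") != "OK":  # reject failed or malformed responses
        return None
    for ro in root.findall("d:ResourceOffering", NS):
        si = ro.find("d:ServiceInstance", NS)
        desc = si.find("d:Description", NS) if si is not None else None
        if desc is None or si.findtext("d:ServiceType", namespaces=NS) != service_type:
            continue
        provider = si.findtext("d:ProviderID", namespaces=NS)
        endpoint = desc.findtext("d:Endpoint", namespaces=NS) or ""
        mech = desc.findtext("d:SecurityMechID", namespaces=NS)
        # The DS vouches for the WSP, but the client still enforces its own trust list and transport.
        if provider not in trusted or mech != SEC_MECH_TLS or not endpoint.startswith("https://"):
            continue
        return {"resource_id": ro.findtext("d:ResourceID", namespaces=NS),
                "provider_id": provider, "endpoint": endpoint}
    return None

# Constructed sample response: a personal-profile offering over TLS and a calendar offering on plain HTTP.
SAMPLE_RESPONSE = f"""<QueryResponse xmlns="{DISCO}"><Status code="OK"/>
 <ResourceOffering><ResourceID>https://idp.example.com/disco/res/7c1</ResourceID>
  <ServiceInstance><ServiceType>urn:liberty:id-sis-pp:2003-08</ServiceType>
   <ProviderID>https://pp.example.com</ProviderID><Description><SecurityMechID>{SEC_MECH_TLS}</SecurityMechID>
   <Endpoint>https://pp.example.com/Liberty/pp</Endpoint></Description></ServiceInstance></ResourceOffering>
 <ResourceOffering><ResourceID>https://idp.example.com/disco/res/7c1</ResourceID>
  <ServiceInstance><ServiceType>urn:example:calendar</ServiceType>
   <ProviderID>https://cal.example.com</ProviderID><Description><SecurityMechID>{SEC_MECH_TLS}</SecurityMechID>
   <Endpoint>http://cal.example.com/Liberty/cal</Endpoint></Description></ServiceInstance></ResourceOffering>
</QueryResponse>"""
```

With the sample response, the personal-profile query resolves to the TLS endpoint while the calendar query returns None because its endpoint is plain HTTP.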


Discovery Entries

One user account has one discovery resource. This discovery resource can include zero or more resource offerings. Storing resource offerings within a user profile supports both entry lookups and updates. Another option is to store discovery entries within a service, and assign that service to an organization or a role. This scenario supports only entry lookups using the discovery protocol although you can still update the entries using the console. For more information about discovery entries, see Discovery Entries and Resource Offerings.

XML Service Files

The Discovery Service is defined using the XML service file amDisco.xml. This file defines the attributes for the Discovery Service. All of the attributes in the Discovery Service can be managed through either the Access Manager Console or this file.


Note –

For more information about service files, see the Sun Java System Access Manager 7 2005Q4 Administration Guide.


A second XML file, amDisco_add.xml, is located in /AccessManager-base/SUNWam/upgrade/services50_sunIdentityServerDiscoveryService/10_20/data. This file is used when upgrading Identity Server 6.2 to Access Manager 6.3. It lists the changes made to the amDisco.xml file since the Identity Server release.

Discovery Service APIs

Access Manager contains several Java packages that are used by the Discovery Service. They are described in the sections that follow.

Additional information is in Discovery Service APIs and the Java API Reference in /AccessManager-base/SUNWam/docs or on docs.sun.com. Information about the com.sun.identity.liberty.ws.common package is in Common Service Interfaces in Chapter 10, Application Programming Interfaces.

com.sun.identity.liberty.ws.disco Package

This package includes a client API that provides interfaces developers can use to communicate with the Discovery Service.

com.sun.identity.liberty.ws.disco.plugins Package

This package includes an interface that can be used to develop plug-ins. The package also contains some default plug-ins.

com.sun.identity.liberty.ws.interfaces Package

This package includes interfaces that can be used to implement functionality common to all Liberty-enabled identity services. Several implementations of these interfaces have been developed for the Discovery Service.