Sun OpenSSO Enterprise 8.0 Developer's Guide

Authentication Web Service

The SOAP specifications define an XML-based messaging paradigm, but do not specify any particular security mechanisms. In particular, they do not describe user authentication using SOAP messages. To fill this gap, the Liberty-based Authentication Web Service was implemented based on the Liberty ID-WSF Authentication Service and Single Sign-On Service Specification. That specification defines a protocol that adds Simple Authentication and Security Layer (SASL) authentication to the SOAP binding described in the Liberty ID-WSF SOAP Binding Specification and SOAP Binding Service. The Liberty-based Authentication Web Service is intended for provider-to-provider authentication.


Note –

The specification also contains an XML schema that defines the authentication protocol. More information can be found in Schema Files and Service Definition Documents.

Authentication Web Service Default Implementation

The Authentication Web Service attributes are global: their values apply across the whole OpenSSO Enterprise configuration and are inherited by every realm. The attributes for the Authentication Web Service are defined in the amAuthnSvc.xml service file. The Mechanism Handlers List attribute stores information about the SASL mechanisms supported by the Authentication Web Service; each entry contains two parameters.

key Parameter

The required key defines the SASL mechanism supported by the Authentication Web Service.

class Parameter

The required class specifies the fully qualified name of the class that implements the SASL mechanism. Two authentication mechanisms are supported by the following default implementations:

Table 9–3 Default Implementations for Authentication Mechanism

Class: com.sun.identity.liberty.ws.authnsvc.mechanism.PlainMechanismHandler
Description: This class is the default implementation for the PLAIN authentication mechanism. It maps user identifiers and passwords in the PLAIN mechanism to the user identifiers and passwords in the LDAP authentication module under the root organization.

Class: com.sun.identity.liberty.ws.authnsvc.mechanism.CramMD5MechanismHandler
Description: This class is the default implementation for the CRAM-MD5 authentication mechanism.

The Authentication Web Service layer provides an interface that must be implemented for each SASL mechanism to process the requested message and return a response.
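The two default mechanisms differ in what crosses the wire and in what the server must hold to verify it. The following Python script is an added illustration and is not code from OpenSSO Enterprise or from the Liberty specifications: it builds and verifies the SASL messages that the PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195) mechanisms carry, with both the client and the server side of each exchange. The SOAP envelope that the Authentication Web Service wraps around these messages is omitted, and the USERS dictionary, the user name, password and hostname are constructed stand-ins for the LDAP module that PlainMechanismHandler consults.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed credential store standing in for the LDAP authentication module
# that the page's PlainMechanismHandler maps to; name and secret are made up.
USERS = {"alice": "correct horse battery staple"}


# ---------- PLAIN (RFC 4616) ----------

def plain_client_response(authcid, passwd, authzid=""):
    """Client side: base64 of [authzid] NUL authcid NUL passwd.
    The password itself is inside the message, so PLAIN depends on the
    transport (TLS) for confidentiality."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is not permitted inside PLAIN fields")
    message = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(message).decode("ascii")


def plain_server_verify(b64_response):
    """Server side: decode the message and check the password against the store.
    Returns the authorization identity on success, None on any failure."""
    try:
        raw = base64.b64decode(b64_response, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    fields = raw.split("\0")
    if len(fields) != 3:
        return None
    authzid, authcid, passwd = fields
    stored = USERS.get(authcid)
    # Constant-time comparison; comparing against "" for unknown users keeps
    # the timing of the known and unknown cases similar.
    ok = hmac.compare_digest((stored or "").encode("utf-8"), passwd.encode("utf-8"))
    if stored is None or not ok:
        return None
    return authzid or authcid


# ---------- CRAM-MD5 (RFC 2195) ----------

def cram_md5_digest(passwd, challenge):
    """HMAC-MD5 keyed with the shared secret over the server challenge, hex-encoded."""
    return hmac.new(passwd.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()


def cram_server_challenge(hostname="idp.example.test"):
    """Server side: a fresh, unpredictable challenge <nonce.timestamp@host>."""
    nonce = base64.b16encode(os.urandom(8)).decode("ascii")
    return f"<{nonce}.{int(time.time())}@{hostname}>"


def cram_client_response(username, passwd, challenge):
    """Client side: base64("username SP hexdigest"); the password is never sent."""
    payload = f"{username} {cram_md5_digest(passwd, challenge)}".encode("utf-8")
    return base64.b64encode(payload).decode("ascii")


def cram_server_verify(b64_response, challenge):
    """Server side: recompute the digest from the stored secret and compare.
    Verification needs the secret itself (or HMAC pre-keyed state), so the
    server cannot store only a salted password hash for CRAM-MD5 users."""
    try:
        raw = base64.b64decode(b64_response, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, _, digest = raw.partition(" ")
    stored = USERS.get(username)
    if stored is None:
        return None
    expected = cram_md5_digest(stored, challenge)
    return username if hmac.compare_digest(expected, digest) else None


def run_exchange():
    """Drive both mechanisms end to end and report what each exposes."""
    pw = USERS["alice"]
    plain_msg = plain_client_response("alice", pw)
    challenge = cram_server_challenge()
    cram_msg = cram_client_response("alice", pw, challenge)
    return {
        "plain_ok": plain_server_verify(plain_msg),
        "plain_exposes_secret": pw in base64.b64decode(plain_msg).decode("utf-8"),
        "cram_ok": cram_server_verify(cram_msg, challenge),
        "cram_exposes_secret": pw in base64.b64decode(cram_msg).decode("utf-8"),
        # A captured CRAM-MD5 response is useless against a different challenge.
        "cram_replay": cram_server_verify(cram_msg, cram_server_challenge()),
    }


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key}: {value}")
```

Run the script to see that PLAIN succeeds but carries the secret in the decoded message, while CRAM-MD5 succeeds without exposing it and rejects a replayed response against a new challenge. The digest function is checked against the worked example in RFC 2195, so the same computation is what a CramMD5MechanismHandler implementation must reproduce on the server side.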

Authentication Web Service Packages

The Authentication Web Service provides programmatic interfaces to allow clients to interact with it. The following sections provide short descriptions of these packages. For more detailed information, see the Sun OpenSSO Enterprise 8.0 Java API Reference. The authentication-related packages include:

com.sun.identity.liberty.ws.authnsvc Package

This package provides web service clients with a method to request authentication credentials from the Authentication Web Service and receive responses back from it using the Simple Authentication and Security Layer (SASL).

com.sun.identity.liberty.ws.authnsvc.mechanism Package

This package provides the interface that must be implemented for each SASL mechanism in order to authenticate with that mechanism. Each SASL mechanism corresponds to one implementation, which processes incoming SASL requests and generates outgoing SASL responses.

com.sun.identity.liberty.ws.authnsvc.protocol Package

This package provides classes that correspond to the request and response elements defined in the Liberty XSD schema that accompanies the Liberty ID-WSF Authentication Service Specification.

Access the Authentication Web Service

The URL to gain access to the Authentication Web Service is:

http://SERVER_HOST:SERVER_PORT/SERVER_DEPLOY_URI/Liberty/authnsvc

This URL is normally used by the OpenSSO Enterprise client API to access the service. For example, the OpenSSO Enterprise public client, com.sun.identity.liberty.ws.authnsvc.AuthnSvcClient, uses this URL to authenticate principals with OpenSSO Enterprise.