Sun Java System Federation Manager 7.0 User's Guide

Liberty Personal Profile Service

The Liberty ID-SIS Personal Profile Service Specification (Liberty ID-SIS-PP) describes a data service that provides an identity's basic profile information. It is intended to be the least common denominator for holding consumer-based information about a principal. Federation Manager implements this specification as the Liberty Personal Profile Service, which can be queried for identity data or asked to update that data.


Note –

In order for access to occur, the hosting provider of the Liberty Personal Profile Service needs to be registered with the Discovery Service on behalf of each identity principal.


The following global attributes can be configured for your implementation of the Liberty Personal Profile Service.

The following tasks are associated with configuring the Liberty Personal Profile Service:

ResourceID Mapper

The value of this attribute specifies the implementation of the com.sun.identity.liberty.ws.interfaces.ResourceIDMapper interface. Although a new implementation can be developed, Federation Manager provides the default com.sun.identity.liberty.ws.idpp.plugin.IDPPResourceIDMapper which maps a discovery resource identifier to a user ID.

Authorizer


Note –

This functionality is not supported.


Before processing a request, the Liberty Personal Profile Service will verify the authorization of the WSC making the request. There are two levels of authorization check:

  1. Is the requesting entity authorized to access the requested resource profile information?

  2. Is the requested resource published to the requestor?

Authorization occurs via a plug-in to the Liberty Personal Profile Service: an implementation of the com.sun.identity.liberty.ws.interfaces.Authorizer interface. Although a new implementation can be developed, Federation Manager provides the default class, com.sun.identity.liberty.ws.idpp.plugin.IDPPAuthorizer. This plug-in defines four policy action values for the query and modify operations:

The resource values for the rules are similar to XPath expressions defined by the Liberty Personal Profile Service. For example, rules can be defined as in the example below.


Example 9–1 Rules for Authorization


/PP/CommonName/AnalyzedName/FN    Query   Interact for consent
/PP/CommonName/*                  Modify  Interact for value
/PP/InformalName                  Query   Deny

Authorization can be turned off by deselecting one or both of the Require Query PolicyEval and Require Modify PolicyEval attributes, also defined in the Liberty Personal Profile Service.
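The rule table of Example 9–1 can be evaluated per request as follows. This is an added example, not Federation Manager's IDPPAuthorizer; the single-step meaning of `*` and the Deny default when no rule matches are assumptions of this example.

```python
"""Evaluate authorization rules in the form of Example 9-1: resource path, operation, action.
Added example, not Federation Manager's IDPPAuthorizer.  Assumptions of this example:
'*' matches exactly one path step (XPath child semantics) and no matching rule means Deny."""
from dataclasses import dataclass
from typing import List

# Constructed rule text copied from Example 9-1.
RULES_TEXT = """
/PP/CommonName/AnalyzedName/FN    Query   Interact for consent
/PP/CommonName/*                  Modify  Interact for value
/PP/InformalName                  Query   Deny
"""

@dataclass(frozen=True)
class Rule:
    resource: str   # XPath-like path into the PP document
    operation: str  # "Query" or "Modify"
    action: str     # policy action value, e.g. "Interact for consent"

def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=2)  # the action may contain spaces: keep the rest of the line
        if len(parts) != 3 or parts[1] not in ("Query", "Modify"):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(parts[0], parts[1], parts[2].strip()))
    return rules

def _steps(path: str) -> List[str]:
    return [s for s in path.split("/") if s]

def matches(rule_path: str, resource: str) -> bool:
    want, have = _steps(rule_path), _steps(resource)
    # same depth, and every step either equal or a single-step wildcard
    return len(want) == len(have) and all(w in ("*", h) for w, h in zip(want, have))

def decide(rules: List[Rule], resource: str, operation: str, default: str = "Deny") -> str:
    """Action for one request; the most specific matching rule (fewest wildcards) wins."""
    hits = [r for r in rules if r.operation == operation and matches(r.resource, resource)]
    if not hits:
        return default  # fail closed: the resource is not published for this operation
    return min(hits, key=lambda r: _steps(r.resource).count("*")).action

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for res, op in [("/PP/CommonName/AnalyzedName/FN", "Query"), ("/PP/CommonName/SN", "Modify"),
                    ("/PP/InformalName", "Query"), ("/PP/InformalName", "Modify")]:
        print(f"{op:6} {res:32} -> {decide(rules, res, op)}")
```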

Attribute Mapper

The value of this attribute defines the class for mapping a Liberty Personal Profile Service attribute to an LDAP user attribute. By default, the class is com.sun.identity.liberty.ws.idpp.plugin.IDPPAttributeMapper.

Provider ID

The value of this attribute defines the unique identifier for this instance of the Liberty Personal Profile Service. The format is protocol://host:port/deploy-uri/Liberty/idpp.

Name Scheme

The value of this attribute defines the naming scheme for the Liberty Personal Profile Service common name. Choose First Last, or First Middle Last.

Namespace Prefix

The value of this attribute specifies the namespace prefix used for Liberty Personal Profile Service XML protocol messages. A namespace differentiates elements with the same name that come from different XML schemas. The Namespace Prefix is prepended to the element.

Supported Containers

The values of this attribute define a list of supported containers in the Liberty Personal Profile Service. A container, as used in this instance, is an attribute of the Liberty Personal Profile Service. For example, Emergency Contact and Common Name are two default containers for the Liberty Personal Profile Service.

To add a new container, click Add, and see To Configure a Supported Container.


Note –

Currently, this functionality is not supported.


To Configure a Supported Container

A container is an attribute that defines a holder for a piece of identity data. The following procedure is for adding new attributes to the Liberty Personal Profile Service. The starting point is the Liberty Personal Profile Service screen under Web Services.

  1. In the Federation Manager Console, click the Web Services tab.

  2. Under Web Services, select the Personal Profile tab.

  3. Under Supported Containers, click New or choose the name of a configured container to modify its profile.

    The New Supported Container page is displayed.

  4. Provide values for the New Supported Container attributes.

    Container Name

    Enter a name for the container such as CreditCard.

    Plugin

    Enter a class name to handle the whole container. This could be used to override the default implementation com.sun.identity.liberty.ws.idpp.plugin.IDPPContainer.

  5. Click OK to complete the Container configuration.

  6. Click Save on the Liberty Personal Profile Service page to complete the service configuration.

PPLDAP Attribute Map List

Each identity attribute defined in the Liberty Personal Profile Service maps one-to-one with an LDAP attribute. (For example, JobTitle=sunIdentityServerPPEmploymentIdentityJobTitle maps the Liberty JobTitle attribute to the sunIdentityServerPPEmploymentIdentityJobTitle attribute.) The value of PPLDAP Attribute Map List is a list that specifies the mappings. The list is used by the attribute mapper defined in the Attribute Mapper attribute which is, by default, com.sun.identity.liberty.ws.idpp.plugin.IDPPAttributeMapper.

In the following code sample, the mapping of the Liberty Personal Profile Service InformalName attribute to the LDAP attribute uid is added to the mappings already present in the Liberty Personal Profile Service XML service file, amLibertyPersonalProfile.xml.


Note –

Attribute mappings are defined as global attributes under the name sunIdentityServerPPDSAttributeMapList in amLibertyPersonalProfile.xml. The PPLDAP Attribute Map List attribute in the console corresponds to that global attribute.



Example 9–2 Attribute Mappings as Defined in XML Service File


<AttributeSchema name="sunIdentityServerPPDSAttributeMapList"
                 type="list"
                 syntax="string"
                 i18nKey="p108">
    <DefaultValues>
        <Value>CN=sunIdentityServerPPCommonNameCN</Value>
        <Value>FN=sunIdentityServerPPCommonNameFN</Value>
        <Value>MN=sunIdentityServerPPCommonNameMN</Value>
        <Value>SN=sunIdentityServerPPCommonNameSN</Value>
        <Value>InformalName=uid</Value>
    </DefaultValues>
</AttributeSchema>


Note –

When adding new attributes to the Liberty Personal Profile Service or the LDAP data store, ensure that the new attribute mappings are configured in the PPLDAP Attribute Map List attribute. See To Configure an Attribute Mapping.
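Before saving a modified map list, it is worth checking that the PPName=ldapAttribute values still map one-to-one, as the text above requires. The following is an added example, not Federation Manager's IDPPAttributeMapper; it reads a fragment shaped like Example 9–2 with Python's standard ElementTree and reports any attribute mapped twice or any LDAP attribute shared by two PP attributes.

```python
"""Parse the sunIdentityServerPPDSAttributeMapList values of amLibertyPersonalProfile.xml and
check that PP and LDAP attributes map one-to-one.  Added example, not Federation Manager code."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

MAP_LIST_ATTR = "sunIdentityServerPPDSAttributeMapList"

# Constructed fragment modelled on Example 9-2 (closing tags completed).
SERVICE_XML = """\
<AttributeSchema name="sunIdentityServerPPDSAttributeMapList" type="list" syntax="string" i18nKey="p108">
  <DefaultValues>
    <Value>CN=sunIdentityServerPPCommonNameCN</Value>
    <Value>FN=sunIdentityServerPPCommonNameFN</Value>
    <Value>MN=sunIdentityServerPPCommonNameMN</Value>
    <Value>SN=sunIdentityServerPPCommonNameSN</Value>
    <Value>InformalName=uid</Value>
  </DefaultValues>
</AttributeSchema>
"""

def parse_entries(xml_text: str) -> List[Tuple[str, str]]:
    """(pp_attribute, ldap_attribute) pairs in file order; a value without '=' is an error."""
    root = ET.fromstring(xml_text)
    schema = root if root.get("name") == MAP_LIST_ATTR else root.find(f".//AttributeSchema[@name='{MAP_LIST_ATTR}']")
    if schema is None:
        raise ValueError(f"no AttributeSchema named {MAP_LIST_ATTR}")
    entries = []
    for value in schema.iterfind("DefaultValues/Value"):
        pp_name, sep, ldap_attr = (value.text or "").strip().partition("=")
        if not (sep and pp_name and ldap_attr):
            raise ValueError(f"malformed mapping value: {value.text!r}")
        entries.append((pp_name, ldap_attr))
    return entries

def find_conflicts(entries: List[Tuple[str, str]]) -> List[str]:
    """One-to-one check: a PP attribute mapped twice, or two PP attributes sharing one LDAP attribute."""
    problems, pp_seen, ldap_seen = [], {}, {}
    for pp_name, ldap_attr in entries:
        if pp_name in pp_seen:
            problems.append(f"{pp_name} mapped to both {pp_seen[pp_name]} and {ldap_attr}")
        if ldap_attr in ldap_seen and ldap_seen[ldap_attr] != pp_name:
            problems.append(f"{ldap_attr} mapped from both {ldap_seen[ldap_attr]} and {pp_name}")
        pp_seen.setdefault(pp_name, ldap_attr)
        ldap_seen.setdefault(ldap_attr, pp_name)
    return problems

def build_mapping(xml_text: str) -> Dict[str, str]:
    """{pp_attribute: ldap_attribute}; refuses a list that is not one-to-one."""
    entries = parse_entries(xml_text)
    if conflicts := find_conflicts(entries):
        raise ValueError("; ".join(conflicts))
    return dict(entries)
```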


To Configure an Attribute Mapping

A mapping is an attribute that defines which LDAP attribute holds a piece of Liberty Personal Profile Service identity data. The following procedure is for adding new attribute mappings to the Liberty Personal Profile Service. The starting point is the Liberty Personal Profile Service screen under Web Services.

  1. In the Federation Manager Console, click the Web Services tab.

  2. Under Web Services, select the Personal Profile tab.

  3. Under PPLDAP Attribute Map List, click Add or click on the name of a configured mapping to modify it.

    The New LDAP Attribute Mapping page is displayed.

  4. Provide values for the New LDAP Attribute Mapping attributes.

    Name Prefix

    Enter the name of the Liberty Personal Profile Service identity attribute to be mapped.

    LDAP Attribute

    Enter the name of the LDAP attribute to which the Name Prefix maps.

  5. Click OK to complete the Mapping configuration.

  6. Click Save on the Liberty Personal Profile Service page to complete the service configuration.

Require Query PolicyEval

If selected, this option requires a policy evaluation to be performed for Liberty Personal Profile Service queries.

Require Modify PolicyEval

If selected, this option requires a policy evaluation to be performed for Liberty Personal Profile Service modifications.

Extension Container Attributes

The Liberty Personal Profile Service allows you to specify extension attributes that are not defined in the Liberty Alliance Project specifications. The values of this attribute specify a list of extension container attributes. All extensions should be defined as:

    /PP/Extension/PPISExtension[@name='extensionattribute']

The following sample illustrates an extension query expression for creditcard, an extension attribute.


Example 9–3 Extension Query for creditcard


/pp:PP/pp:Extension/ispp:PPISExtension[@name='creditcard']

Note: the prefix for PPISExtension (ispp) is different from the pp prefix of the enclosing elements, and the schema for the PP extension is as follows:
<?xml version="1.0" encoding="UTF-8" ?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="http://www.sun.com/identity/liberty/pp"
  targetNamespace="http://www.sun.com/identity/liberty/pp">
  <xs:annotation>
      <xs:documentation>
      </xs:documentation>
  </xs:annotation>

  <xs:element name="PPISExtension">
     <xs:complexType>
        <xs:simpleContent>
           <xs:extension base="xs:string">
              <xs:attribute name="name" type="xs:string"
                use="required"/>
           </xs:extension>
        </xs:simpleContent>
     </xs:complexType>
   </xs:element>
</xs:schema>
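The query in Example 9–3 and the note about the differing prefix can be exercised against a sample PP document with Python's standard ElementTree. This is an added example, not Federation Manager code; the ispp namespace URI is the targetNamespace of the schema above, while the pp namespace URI and the sample document are assumptions of this example.

```python
"""Resolve the Example 9-3 query /pp:PP/pp:Extension/ispp:PPISExtension[@name='creditcard']
against a PP document.  Added example, not Federation Manager code.  The ispp namespace is the
targetNamespace of the Example 9-3 schema; the pp namespace URI is an assumption of this example."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {
    "pp": "urn:liberty:id-sis-pp:2003-08",             # assumed Liberty ID-SIS-PP namespace
    "ispp": "http://www.sun.com/identity/liberty/pp",  # from the schema in Example 9-3
}

# Constructed PP document with two extension attributes (values are placeholders).
PP_DOC = f"""\
<pp:PP xmlns:pp="{NS['pp']}" xmlns:ispp="{NS['ispp']}">
  <pp:InformalName>jdoe</pp:InformalName>
  <pp:Extension>
    <ispp:PPISExtension name="creditcard">card-token-placeholder</ispp:PPISExtension>
    <ispp:PPISExtension name="loyaltyid">L-0042</ispp:PPISExtension>
  </pp:Extension>
</pp:PP>
"""

def extension_values(doc_xml: str) -> Dict[str, str]:
    """All /pp:PP/pp:Extension/ispp:PPISExtension elements as {name: text}."""
    root = ET.fromstring(doc_xml)
    if root.tag != f"{{{NS['pp']}}}PP":
        raise ValueError("document element is not pp:PP")
    found: Dict[str, str] = {}
    for el in root.iterfind("pp:Extension/ispp:PPISExtension", NS):
        name = el.get("name")  # use="required" in the schema, so its absence is a schema violation
        if not name:
            raise ValueError("PPISExtension without required 'name' attribute")
        if name in found:
            raise ValueError(f"duplicate extension attribute {name!r}")
        found[name] = (el.text or "").strip()
    return found

def extension_value(doc_xml: str, ext_name: str) -> Optional[str]:
    """Equivalent of the [@name='...'] predicate.  The name is compared in Python rather than
    interpolated into the path expression, so a caller-supplied name cannot alter the query."""
    return extension_values(doc_xml).get(ext_name)

def misprefixed_hits(doc_xml: str) -> int:
    """The note under Example 9-3: PPISExtension is not in the pp namespace, so looking for it
    there (pp:PPISExtension) matches nothing even though the element is present."""
    return len(ET.fromstring(doc_xml).findall("pp:Extension/pp:PPISExtension", NS))
```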

Extension Attributes Namespace Prefix

The value of this attribute specifies the namespace prefix for the extensions defined in the Extension Container Attributes. This prefix is prepended to the element and is useful to distinguish metadata from different XML schema namespaces.

Is ServiceUpdate Enabled

The SOAP Binding Service allows a service to indicate that requesters should contact it on a different endpoint or use a different security mechanism and credentials to access the requested resource. If selected, this attribute affirms that there is an update to the service instance.

Service Instance Update Class

The value of this attribute specifies the class used to update the information for the service instance. The default implementation is com.sun.identity.liberty.ws.idpp.plugin.IDPPServiceInstanceUpdate.

Alternate Endpoint

The value of this attribute specifies an alternate SOAP endpoint to which a SOAP request can be sent.

Alternate Security Mechanisms

This attribute allows you to choose a security mechanism. For more information on this functionality and the mechanisms, see the Liberty ID-WSF Security Mechanisms specification.