Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

Liberty Identity Web Services Framework

The Liberty ID-FF defines how to implement single sign-on and identity federation to solve problems related to network identity. The Liberty Identity Web Services Framework (Liberty ID-WSF) builds on this by providing specifications for identity-based web services to work in tandem with the Liberty ID-FF. (An identity-based web service, or identity service, is a type of web service that acts upon a resource to retrieve information about an identity, update information about an identity, or perform some action for the benefit of an identity.) The Liberty ID-WSF can be used to develop web services that retrieve, update, or perform an action on identity data in a federated network environment using a SOAP-based invocation. The web services include, among others, a calendar service, a wallet service, and an alert service. A scenario that implements these specifications includes the following subjects:

Note –

For more information about the process between a WSC and WSP, see Discovery Service Process.

The following sections contain brief explanations of the Liberty ID-WSF 1.1 specifications.

More detailed information about the Liberty ID-WSF specifications can be found on the Liberty Alliance Project web site.

SOAP Binding Specification

The Liberty ID-WSF SOAP Binding Specification provides a transport layer framework for handling the request and response messages used by the Liberty ID-WSF services. It defines a mapping for the messages onto SOAP, an extensible XML-based messaging protocol by specifying, for example, how to:

For more information, see the Liberty ID-WSF SOAP Binding Specification.

Discovery Service Specification

The Liberty ID-WSF Discovery Service Specification defines a framework that enables a client to locate the appropriate web service for retrieving, updating, or modifying a particular piece of identity data. Typically, there are one or more services on a network that allow entities to perform an action on identity data. To keep track of these services or to know which can be trusted, clients require access to a discovery service. A discovery service is an identity service that acts as a registry of resource offerings. A resource offering defines an association between a particular piece of identity data and the instance of a web service that provides access to the data. With access to the discovery service, the client is able to discover which web service must be contacted to then access the desired identity data. A common use case is when personal profile or calendar data is placed within a resource offering so that the data can be located by other entities. For more information, see the Liberty ID-WSF Discovery Service Specification.

Security Mechanisms Specification

To access an identity service, an entity must interact with a discovery service to locate the appropriate identity service as well as the specific identity service instance that exposes the resource. The Liberty ID-WSF Security Mechanisms Specification describes mechanisms (providing authentication, signing and encryption operations) that can be used to ensure the integrity and confidentiality of the authorization messages exchanged when evaluating the entity's authorization to access the discovery service and identity service instance. These mechanisms consider:

For more information, see the Liberty ID-WSF Security Mechanisms Specification.

Data Services Template Specification

A data service is a web service that supports the query and modification of identity data. (An example of a data service is an identity service, such as an online corporate directory.) The Liberty ID-WSF Data Services Template Specification provides a protocol for the query and modification of the data attributes stored in a data service. The service interface specifications defined by the Liberty Alliance Project are based on this Data Services Template. For more information, see the Liberty ID-WSF Data Services Template Specification. For more information on the service interface specifications, see Liberty Identity Service Interface Specifications.

Interaction Service Specification

The Liberty ID-WSF Interaction Service Specification provides communication protocols for identity services to use when they must obtain permission from a principal (or someone who owns a resource on behalf of that principal) to allow the principal's identity data to be shared with requesting services. For more information, see the Liberty ID-WSF Interaction Service Specification.

Authentication Service Specification

The Liberty ID-WSF Authentication Service Specification defines how to authenticate parties communicating via SOAP request and response messages. It leverages widely used authentication services and mechanisms, and facilitates selection of these services and mechanisms at deployment time. The specification defines:

The specification also defines an identity-based authentication security token service, complementing the more general security token service as discussed in the section, Discovery Service Specification. For more information, see the Liberty ID-WSF Authentication Service Specification.

Client Profiles Specification

The Liberty ID-WSF Client Profiles Specification describes the requirements for Liberty-enabled clients that interact with the SOAP-based Authentication Service. Client profiles can enable browsers to perform an active role in transactions, in addition to the functions of a standard browser. For more information, see the Liberty ID-WSF Client Profiles Specification.

Additional Liberty ID-WSF Documents

For additional information about the Liberty ID-WSF specifications, the following documents are available on the Liberty ID-WSF 1.1 specification page.