Chapter 9 Identity Web Services

OpenSSO Enterprise implements the Liberty Identity Web Services Framework (Liberty ID-WSF) which defines a web services stack that can be used to support the Liberty Alliance Project business model. These web services leverage the Liberty ID-FF for principal authentication, federation, and privacy protections.

Web services are distributed applications developed using open technologies such as eXtensible Markup Language (XML), SOAP, and HyperText Transfer Protocol (HTTP). Enterprises use these technologies as a mechanism for allowing their applications to cross network boundaries and communicate with those of their partners, customers and suppliers. OpenSSO Enterprise implements the Liberty ID-WSF which is designed to operate in concert with a federated identity framework, such as the Liberty Identity Federation Framework (Liberty ID-FF). Federated includes the following Liberty ID-WSF web services:

Authentication Web Service

The Authentication Web Service adds authentication functionality to the SOAP binding. It provides authentication to a WSC, allowing the WSC to obtain security tokens for further interactions with other services at the same provider. These other services may include a discovery service or single sign-on service. Upon successful authentication, the final Simple Authentication and Security Layer (SASL) response contains the resource offering for the Discovery Service.

Do not confuse the Liberty-based Authentication Web Service with the proprietary OpenSSO Enterprise Authentication Service discussed in About Identity Web Services in Sun OpenSSO Enterprise 8.0 Technical Overview.

Authentication Web Service Attribute

The Authentication Web Service attributes are global attributes. The value is carried across the OpenSSO Enterprise configuration and inherited by every organization.

The attribute for the Authentication Web Service is defined in the amAuthnSvc.xml service file and is called the Mechanism Handlers List.

Mechanism Handlers List

The Mechanism Handler List attribute stores information about the SASL mechanisms that are supported by the Authentication Web Service.

key Parameter

The required key defines the SASL mechanism supported by the Authentication Web Service.

class Parameter

The required class specifies the name of the implemented class for the SASL mechanism. Two authentication mechanisms are supported by the following default implementations:

The Authentication Web Service layer provides an interface that must be implemented for each SASL mechanism to process the requested message and return a response.

Challenge Cleanup Interval

Specifies cleanup interval (in seconds) in the default CRAM-MD5 mechanism handler implementation class com.sun.identity.liberty.ws.authnsvc.mechanism.CramMD5MechanismHandler. The internal thread will start to cleanup the challenge map based on this value.

Transform Classes

Specifies the transform name to the implementation class mapping. Values are comma separated with a pipe (|) as delimiter for the transform name and implementation class name. For example, name1|class1, name2|class2.

PLAIN Mechanism Handler Authentication Module

Specifies the default authentication module used for the PLAIN mechanism handler. The default value is the Data Store authentication module.

CRAM-MD5 Mechanism Handler Authentication Module

This specifies the default authentication module used for the CRAM MD5 mechanism handler. The default value is the Data Store authentication module

Liberty Personal Profile Service

The Liberty Personal Profile Service is a data service that supports storing and modifying a principal's identity attributes. It maps attributes defined in a user's personal profile to LDAP attributes in a data store. These identity attributes might include the user's first name, last name, home address, or emergency contact information. The Liberty Personal Profile Service is queried or updated by a WSC acting on behalf of the principal. .

Liberty Personal Profile Service Attributes

The Liberty Personal Profile Service attributes are global attributes. The values of these attributes are carried across the OpenSSO Enterprise configuration and inherited by each configured organization.

The attributes are:

• ResourceID Mapper

• Authorizer

• Attribute Mapper

• Provider ID

• Name Scheme

• Namespace Prefix

• Supported Containers

• PPLDAP Attribute Map List

• Require Query PolicyEval

• Require Modify PolicyEval

• Extension Container Attributes

• Extension Attributes Namespace Prefix

• Service Update

• Service Instance Update Class

• Alternate Endpoint

ResourceID Mapper

The value of this attribute specifies the implementation of com.sun.identity.liberty.ws.interfaces.ResourceIDMapper. Although a new implementation can be developed, OpenSSO Enterprise provides the default com.sun.identity.liberty.ws.idpp.plugin.IDPPResourceIDMapper, which maps a discovery resource identifier to a user identifier.

Authorizer

Before processing a request, the Liberty Personal Profile Service verifies the authorization of the WSC making the request. There are two levels of authorization verification:

• Is the requesting entity authorized to access the requested resource profile information?

• Is the requested resource published to the requestor?

Authorization occurs through a plug-in to the Liberty Personal Profile Service, an implementation of the com.sun.identity.liberty.ws.interfaces.Authorizer interface. Although a new implementation can be developed, OpenSSO Enterprise provides the default class, com.sun.identity.liberty.ws.idpp.plugin.IDPPAuthorizer. This plug-in defines four policy action values for the query and modify operations:

• Allow

• Deny

• Interact For Consent

• Interact For Value

The resource values for the rules are similar to x-path expressions defined by the Liberty Personal Profile Service. For example, a rule can be defined like this:

/PP/CommonName/AnalyzedName/FN    Query   Interact for consent
/PP/CommonName/*                  Modify  Interact for value
/PP/InformalName                  Query   Deny

Authorization can be turned off by deselecting one or both of the following attributes, which are also defined in the Liberty Personal Profile Service:

• Require Query PolicyEval

• Require Modify PolicyEval

Attribute Mapper

The value of this attribute defines the class for mapping a Liberty Personal Profile Service attribute to an OpenSSO Enterprise user attribute. By default, the class is com.sun.identity.liberty.ws.idpp.plugin.IDPPAttributeMapper.

com.sun.identity.liberty.ws.idpp.plugin.IDPPAttributeMapper is not a public class.

Provider ID

The value of this attribute defines the unique identifier for this instance of the Liberty Personal Profile Service. Use the format protocol://hostname:port/deloy-uri/Liberty/idpp.

Name Scheme

The value of this attribute defines the naming scheme for the Liberty Personal Profile Service common name. Choose First Last or First Middle Last.

Namespace Prefix

The value of this attribute specifies the namespace prefix that is used for Liberty Personal Profile Service XML protocol messages. A namespace differentiates elements with the same name that come from different XML schemas. The Namespace Prefix is prepended to the element.

Supported Containers

The values of this attribute define a list of supported containers in the Liberty Personal Profile Service. A container, as used in this instance, is an attribute of the Liberty Personal Profile Service.

The term container as described in this section is not related to the OpenSSO Enterprise identity-related object that is also called container.

For example, Emergency Contact and Common Name are two default containers for the Liberty Personal Profile Service. To add a new container, click Add, enter values in the provided fields and click OK.

PPLDAP Attribute Map List

Each identity attribute defined in the Liberty Personal Profile Service maps one-to-one with a OpenSSO Enterprise LDAP attribute. For example, JobTitle=sunIdentityServerPPEmploymentIdentityJobTitle maps the Liberty JobTitle attribute to the OpenSSO Enterprise sunIdentityServerPPEmploymentIdentityJobTitle attribute.

The value of this attribute is a list that specifies the mappings. The list is used by the attribute mapper defined in Attribute Mapper, by default, com.sun.identity.liberty.ws.idpp.plugin.IDPPAttributeMapper.

When adding new attributes to the Liberty Personal Profile Service or the LDAP data store, ensure that the new attribute mappings are configured as values of this attribute.

Require Query PolicyEval

If selected, this option requires that a policy evaluation be performed for Liberty Personal Profile Service queries. For more information, see Authorizer.

Require Modify PolicyEval

If selected, this option requires that a policy evaluation be performed for Liberty Personal Profile Service modifications. For more information, see Authorizer.

Extension Container Attributes

The Liberty Personal Profile Service allows you to specify extension attributes that are not defined in the Liberty Alliance Project specifications. The values of this attribute specify a list of extension container attributes. All extensions should be defined as:

    /PP/Extension/PPISExtension [@name=’extensionattribute’]

The following sample illustrates an extension query expression for creditcard, an extension attribute.

Example 9–1 Extension Query for creditcard

 /pp:PP/pp:Extension/ispp:PPISExtension[@name=’creditcard’]
Note: The prefix for the PPISExtension is different,
 and the schema for the PP extension is as follows:
<?xml version="1.0" encoding="UTF-8" ?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="http://www.sun.com/identity/liberty/pp"
  targetNamespace="http://www.sun.com/identity/liberty/pp">
  <xs:annotation>
      <xs:documentation>
      </xs:documentation>
  </xs:annotation>

  <xs:element name="PPISExtension">
     <xs:complexType>
        <xs:simpleContent>
           <xs:extension base="xs:string">
              <xs:attribute name="name" type="xs:string"
                use="required"/>
           </xs:extension>
        </xs:simpleContent>
     </xs:complexType>
   </xs:element>
</xs:schema>

Type the new attribute and click Add.

Extension Attributes Namespace Prefix

The value of this attribute specifies the namespace prefix for the extensions defined in the Extension Container Attributes. This prefix is prepended to the element and helps to distinguish metadata from different XML schema namespaces.

Service Update

The SOAP Binding Service allows a service to indicate that requesters should contact it on a different endpoint or use a different security mechanism and credentials to access the requested resource. If selected, this attribute affirms that there is an update to the service instance.

Service Instance Update Class

The value of this attribute specifies the default implementation class com.sun.identity.liberty.ws.idpp.plugin.IDPPServiceInstanceUpdate. This class is used to update the information for the service instance.

Alternate Endpoint

The value of this attribute specifies an alternate SOAP endpoint to which a SOAP request can be sent.

Discovery Service

The Discovery Service is a framework for describing and discovering identity web services. It allows a requesting entity, such as a web service client, to dynamically determine a principal's registered web services provider (WSP), such as an attribute provider. Typically, a service provider queries the Discovery Service, which responds by providing a resource offering that describes the requested WSP. (A resource offering defines associations between a piece of identity data and the service instance that provides access to the data.) The implementation of the Discovery Service includes Java and web-based interfaces. The service is bootstrapped using SAMLv2, Liberty ID-FF single sign-on or the Liberty ID-WSF Authentication Web Service. .

By definition, a discoverable service is assigned a service type URI, allowing the service to be registered in Discovery Service instances. The service type URI is typically defined in the Web Service Definition Language (WSDL) file that defines the service.

Discovery Service Attributes

The Discovery Service attributes are global attributes whose values are applied across the OpenSSO Enterprise configuration and inherited by every configured organization. The Discovery Service attributes are:

• Provider ID

• Supported Authentication Mechanisms

• Supported Directives

• Policy Evaluation for Discovery Lookup

• Policy Evaluation for Discovery Update

• Authorizer Plug-in Class

• Entry Handler Plug-in Class

• Classes For ResourceIDMapper Plug-in

• Authenticate Response Message

• SessionContextStatement for Bootstrapping

• Encrypt NameIdentifier in Session Context for Bootstrapping

• Implied Resource

• Resource Offerings for Bootstrapping

Provider ID

This attribute takes a URI that points to the Discovery Service. Use the format protocol://host:port/opensso/Liberty/disco. This value can be changed only if other relevant attributes values are changed to match the new pointer.

Supported Authentication Mechanisms

This attribute specifies the authentication methods supported by the Discovery Service. These security mechanisms refer to the way a web service consumer authenticates to the web service provider or provides message-level security. By default, all available methods are selected. If an authentication method is not selected and a WSC sends a request using that method, the request is rejected.

Supported Directives

This attribute allows you to specify a policy-related directive for a resource. If a service provider wants to use an unsupported directive, the request will fail. The following table describes the available options. .

Policy Evaluation for Discovery Lookup

If enabled, the service will perform a policy evaluation for the DiscoveryLookup operation. By default, the check box is not selected.

Policy Evaluation for Discovery Update

If enabled, the service will perform a policy evaluation for the DiscoveryUpdate operation. By default, the check box is not selected.

Authorizer Plug-in Class

The value of this attribute is the name and path to the class that implements the com.sun.identity.liberty.ws.interfaces.Authorizer interface used for policy evaluation of a WSC. The default class is com.sun.identity.liberty.ws.disco.plugins.DefaultDiscoAuthorizer.

Entry Handler Plug-in Class

The value of this attribute is the name and path to the class that implements the com.sun.identity.liberty.ws.disco.plugins.DiscoEntryHandler interface. This interface is used to set or retrieve a principal’s discovery entries. To handle discovery entries differently, implement the com.sun.identity.liberty.ws.disco.plugins.DiscoEntryHandler interface and set the implementing class as the value for this attribute. The default implementation for the Discovery Service is com.sun.identity.liberty.ws.disco.plugins.UserDiscoEntryHandler.

Classes For ResourceIDMapper Plug-in

The value of this attribute is a list of classes that generate identifiers for a resource offering configured for an organization or role. com.sun.identity.liberty.ws.interfaces.ResourceIDMapper is an interface used to map a user identifier to the resource identifier associated with it. The Discovery Service provides two implementations for this interface:

• com.sun.identity.liberty.ws.disco.plugins.Default64ResourceIDMapper assumes the format to be providerID + / + the Base64 encoded userIDs.

• com.sun.identity.liberty.ws.disco.plugins.DefaultHexResourceIDMapper assumes the format to be providerID + / + the hex string of userIDs.

Different implementations may also be developed with the interface and added as a value of this attribute by clicking New and defining the following attributes:

• Provider ID takes as a value a URI that points to the Discovery Service. Use the format http://host:port/opensso/Liberty/disco. See Provider ID.

• ID Mapper takes as a value the class name and path of the implementing class.

Authenticate Response Message

If enabled, the service authenticates the response message. By default, the function is not enabled.

SessionContextStatement for Bootstrapping

If enabled, this attribute specifies whether to generate a SessionContextStatement for bootstrapping. A SessionContextStatement conveys the session status of an entity. By default, this function is not enabled.

Encrypt NameIdentifier in Session Context for Bootstrapping

If enabled, the service encrypts the name identifier in a SessionContextStatement. By default, this function is not enabled.

Implied Resource

If enabled, the service does not generate a resource identifier for bootstrapping. By default, this function is not enabled.

Name Identifier Mapper

Defines the class and path that implements the NameIdentifierMapper interface. It is used to map user's Name Identifier from one provider to another.

Global Entry Handler Plug-in Class

Defines the class and path that implements the DiscoEntryHandler interface. It is used to get and set Disco Entries for a user stored in a realm. When an implied resource is used in a discovery service request, this implementation is used to perform the operation.

Resource Offerings for Bootstrapping

This attribute defines a resource offering for bootstrapping a service. After single sign-on (SSO), this resource offering and its associated credentials will be sent to the client in the SSO assertion. Only one resource offering is allowed for bootstrapping. The value of the Resource Offerings for Bootstrapping attribute is a default value configured during installation. If you want to define a new resource offering, you must first delete the existing resource offering, then click New to define the attributes for a new resource offering. If you want to edit an existing resource offering, click the name of the existing Service Type to modify the attributes.

Storing Resource Offerings

A resource offering defines an association between a type of identity data and a URI to the WSDL file that provides information about obtaining access to the data. In OpenSSO Enterprise, a resource offering can be stored as a user attribute or as a dynamic attribute. Storing resource offerings within a user profile supports both DiscoveryLookup and DiscoveryUpdate operations. Storing resource offerings within a service and assigning that service to a realm supports only the DiscoveryLookup operation using the discovery protocol. (Updates can still be done using the OpenSSO Enterprise Console.) More information is provided in the following sections:

• Storing Resource Offerings as User Attributes

• Storing Resource Offerings as Dynamic Attributes

• Storing a Resource Offering for Discovery Service Bootstrapping

Storing Resource Offerings as User Attributes

Resource offerings can be stored as an attribute under a user’s profile using the Lightweight Directory Access Protocol (LDAP). Storing resource offerings within a user profile supports both DiscoveryLookup and DiscoveryUpdate operations. The following procedure explains how to access and create a user’s resource offerings.

To Store a Resource Offering as a User Attribute

1. In the OpenSSO Enterprise Console, click the Access Control tab.

2. Select the name of the realm that contains the user profile you want to modify.

3. Select Subjects to access user information.

4. Select the name of the user profile that you want to modify.

5. Select Services to access the user's services.

6. Click Discovery Service.

7. Click Add.

8. (Optional) Type a value for the Resource ID Attribute.

   This field defines an identifier for the resource offering.

9. Type the Resource ID Value.

   This field defines the resource identifier. A resource identifier is a URI registered with the Discovery Service that point to a particular discovery resource. It is generated by the profile provider. The value of this attribute must not be a relative URI and should contain a domain name that is owned by the provider hosting the resource. If a discovery resource is exposed in multiple Resource Offerings, the Resource ID Value for all of those resource offerings would be the same. An example of a valid Resource ID value is http://profile-provider.com/profiles/14m0B82k15csaUxs.

   ---

   Tip –

   urn:libery:isf:implied-resource can be used as a Resource ID Value when only one resource can be operated upon at the service instance being contacted. The URI only implicitly identifies the resource in question. In some circumstances, the use of this resource identifier can eliminate the need for contacting the discovery service to access the resource.

   ---

10. (Optional) Enter a description of the resource offering in the Description field.

11. Type a URI for the value of the Service Type attribute.

    This URI defines the type of service.

    ---

    Tip –

    It is recommended that the value of this attribute be the targetNamespace URI defined in the abstract WSDL description for the service. An example of a valid URI is urn:liberty:id-sis-pp:2003-08.

    ---

12. Type a URI for the value of the Provider ID attribute.

    This attribute contains the URI of the provider of the service instance. This information is useful for resolving trust metadata needed to invoke the service instance. A single physical provider may have multiple provider IDs. An example of a valid URI is http://profile-provider.com.

    ---

    Note –

    The provider represented by the URI in the Provider ID attribute must also have a class entry in the ResourceIDMapper attribute.

    ---

13. Click New Description to define the Service Description.

    For each resource offering, at least one service description must be created.

    1. Select the values for the Security Mechanism ID attribute to define how a web service client can authenticate to a web service provider.

       This field lists the security mechanisms that the service instance supports. Select the security mechanisms that you want to add and click Add. To prioritize the list, select the mechanism and click Move Up or Move Down.

    2. Type a value for the End Point URL.

       This value is the URL of the SOAP-over-HTTP endpoint. The URI scheme must be HTTP or HTTPS as in https://soap.profile-provider.com/soap.

    3. (Optional) Type a value for the SOAP Action.

       This value is the equivalent of the wsdlsoap:soapAction attribute of the wsdlsoap:operation element in the service's concrete WSDL-based description.

    4. Click OK to complete the configuration.

14. Check the Options box if there are no options or add a URI to specify options for the resource offering.

    This field lists the options that are available for the resource offering. Options provide hints to a potential requestor about the availability of certain data or operations to a particular offering. The set of possible URIs are defined by the service type, not the Discovery Service. If no option is specified, the service instance does not display any available options.

15. Select a directive for the resource offering.

    Directives are special entries defined in SOAP headers that can be used to enforce policy-related decisions. You can choose from the following:

    • GenerateBearerToken specifies that a bearer token be generated.

    • AuthenticateRequester must be used with any service description that use SAML for message authentication.

    • EncryptResourceID specifies that the Discovery Service encrypt the resource ID.

    • AuthenticateSessionContext is specified when a Discovery Service provider includes a SAML assertion containing a SessionContextStatement in any future QueryResponse messages.

    • AuthorizeRequester is specified when a Discovery Service provider wants to include a SAML assertion containing a ResourceAccessStatement in any future QueryResponse messages.

    If you want to associate a directive with one or more service descriptions, select the check box for that Description ID. If no service descriptions are selected, the directive is applied to all description elements in the resource offering.

16. Click Save to save the configuration.

Storing Resource Offerings as Dynamic Attributes

Due to the repetition inherent in storing discovery entries as user attributes, OpenSSO Enterprise has established the option of storing a discovery entry as a dynamic attribute within a realm. The realm can then be assigned to an identity-related object, making the entry available to all users within the object. Unlike storing a discovery entry as a user attribute, this scenario only supports the DiscoveryLookup operation.

To Store Resource Offerings as Dynamic Attributes in a Realm

To create a discovery entry as a dynamic attribute in a realm, the Discovery Service must first be added and a template created.

1. In the OpenSSO Enterprise Console, click the Access Control tab.

2. Select the name of the realm you want to modify.

3. Select Services to access the realm's services.

4. Click Add to add the Discovery Service to the realm.

   A list of available services is displayed.

5. Select Discovery Service.

6. Click Next.

7. Click Discovery Service to add a resource offering to the service.

8. Click Add to add a resource offering.

9. (Optional) Enter a description of the resource offering in the Description field.

10. Type a URI for the value of the Service Type attribute.

    This URI defines the type of service. It is recommended that the value of this attribute be the targetNamespace URI defined in the abstract WSDL description for the service. An example of a valid URI is urn:liberty:id-sis-pp:2003-08.

11. Type a URI for the value of the Provider ID attribute.

    The value of this attribute contains the URI of the provider of the service instance. This information is useful for resolving trust metadata needed to invoke the service instance. A single physical provider may have multiple provider IDs. An example of a valid URI is http://profile-provider.com.

    ---

    Note –

    The provider represented by the URI in the Provider ID attribute must also have an entry in the ResourceIDMapper attribute.

    ---

12. Click New Description to define the Service Description.

    For each resource offering, at least one service description must be created.

    1. Select the values for the Security Mechanism ID attribute to define how a web service client can authenticate to a web service provider.

       This field lists the security mechanisms that the service instance supports. Select the security mechanisms that you want to add and click Add. To prioritize the list, select the mechanism and click Move Up or Move Down.

    2. Type a value for the End Point URL.

       This value is the URL of the SOAP-over-HTTP endpoint. The URI scheme must be HTTP or HTTPS as in https://soap.profile-provider.com/soap.

    3. (Optional) Type a value for the SOAP Action.

       This value is the equivalent of the wsdlsoap:soapAction attribute of the wsdlsoap:operation element in the service's concrete WSDL-based description.

    4. Click OK to complete the configuration.

13. Check the Options box if there are no options or add a URI to specify options for the resource offering.

    This field lists the options that are available for the resource offering. Options provide hints to a potential requestor about the availability of certain data or operations to a particular offering. The set of possible URIs are defined by the service type, not the Discovery Service. If no option is specified, the service instance does not display any available options.

14. Select a directive for the resource offering.

    Directives are special entries defined in SOAP headers that can be used to enforce policy-related decisions. You can choose from the following:

    • GenerateBearerToken specifies that a bearer token be generated.

    • AuthenticateRequester must be used with any service description that use SAML for message authentication.

    • EncryptResourceID specifies that the Discovery Service encrypt the resource ID.

    • AuthenticateSessionContext is specified when a Discovery Service provider includes a SAML assertion containing a SessionContextStatement in any future QueryResponse messages.

    • AuthorizeRequester is specified when a Discovery Service provider wants to include a SAML assertion containing a ResourceAccessStatement in any future QueryResponse messages.

    If you want to associate a directive with one or more service descriptions, select the check box for that Description ID. If no service descriptions are selected, the directive is applied to all description elements in the resource offering.

15. Click OK.

16. Click Close to close the Discovery Resource Offering window.

17. Click Save to save the configuration.

Storing a Resource Offering for Discovery Service Bootstrapping

Before a WSC can contact the Discovery Service to obtain a resource offering, the WSC needs to discover the Discovery Service. Thus, an initial resource offering for locating the Discovery Service is sent back to the WSC in a SAML assertion generated during authentication. The following procedure describes how to configure a global attribute for bootstrapping the Discovery Service. For more information on bootstrapping the Discovery Service, see Resource Offerings for Bootstrapping.

To Store a Resource Offering for Discovery Service Bootstrapping

1. In the OpenSSO Enterprise Console, select the Web Services tab.

2. Under Web Services, click the Discovery Service tab.

3. Choose New under the Resource Offerings for Bootstrapping Resources attribute.

   By default, the resource offering for bootstrapping the Discovery Service is already configured. In order to create a new resource offering, you must first delete the default resource offering.

4. (Optional) Type a description of the resource offering.

5. Enter a URI for the value of the Service Type attribute.

   This field defines the type of service. It is recommended that the value of this attribute be the targetNamespace URI defined in the abstract WSDL description for the service. An example of a valid URI is urn:liberty:disco:2003-08.

6. Enter a URI for the value of the Provider ID attribute.

   This attribute contains the URI of the provider of the service instance. This is useful for resolving trust metadata needed to invoke the service instance. A single physical provider may have multiple provider IDs. An example of a valid URI is http://sample_disco.com.

   ---

   Note –

   The provider represented by the URI in the Provider ID attribute must also have an entry in the Classes for ResourceIDMapper Plugin attribute.

   ---

7. Click Add Description to define a security mechanism ID.

   For each resource offering, at least one service description must be created.

   1. Select the values for the Security Mechanism ID attribute to define how a web service client can authenticate to a web service provider.

      This field lists the security mechanisms that the service instance supports. Select the security mechanisms you wish to add and click the Add button. To arrange the priority of the list, select the mechanism and use the Move Up or Move Down buttons.

   2. Type a value for the End Point URL.

      This value is the URL of the SOAP-over-HTTP endpoint. The URI scheme must be HTTP or HTTPS as in https://soap.profile-provider.com/soap.

   3. (Optional) Type a value for the SOAP action.

      This field contains the equivalent of the wsdlsoap:soapAction attribute of the wsdlsoap:operation element in the service's concrete WSDL-based description.

   4. Click OK to save the configuration.

8. Check the Options box if there are no options or add a URI to specify options for the resource offering.

   This field lists the options that are available for the resource offering. Options provide hints to a potential requestor about the availability of certain data or operations to a particular offering. The set of possible URIs are defined by the service type, not the Discovery Service. If no option is specified, the service instance does not display any available options. .

9. Select a directive for the resource offering.

   Directives are special entries defined in SOAP headers that can be used to enforce policy-related decisions. You can choose from the following:

   • GenerateBearerToken specifies that a bearer token be generated.

   • AuthenticateRequester must be used with any service description that use SAML for message authentication.

   • EncryptResourceID specifies that the Discovery Service encrypt the resource ID.

   • AuthenticateSessionContext is specified when a Discovery Service provider includes a SAML assertion containing a SessionContextStatement in any future QueryResponse messages.

   • AuthorizeRequester is specified when a Discovery Service provider wants to include a SAML assertion containing a ResourceAccessStatement in any future QueryResponse messages.

   If you want to associate a directive with one or more service descriptions, select the check box for that Description ID. If no service descriptions are selected, the directive is applied to all description elements in the resource offering.

10. Click OK to complete the configuration.

SOAP Binding Service

The SOAP Binding Service is the method of transport used to convey identity data between web services. It includes a set of Java APIs used by the developer of a Liberty-enabled identity service. The APIs are used to send and receive identity-based messages using SOAP, an XML-based messaging protocol. The service invokes the correct request handler class (specified by a service endpoint) to handle the messages.

SOAP Binding Service Attributes

The SOAP Binding Service attributes are global attributes. The values of these attributes are carried across the OpenSSO Enterprise configuration and inherited by every organization.

The SOAP Binding Service attributes are as follows:

• Request Handler List

• Web Service Authenticator

• Supported Authentication Mechanisms

Request Handler List

The Request Handler List stores information about the classes implemented from the com.sun.identity.liberty.ws.soapbinding.RequestHandler interface. The SOAP Binding Service provides the interface to process requests and return responses. The interface must be implemented on the server side for each Liberty-based web service that uses the SOAP Binding Service.

To add a new implementation, click New and define values for the following parameters.

Key Parameter

The Key parameter is the last part of the URI path to a SOAP endpoint. The SOAP endpoint in OpenSSO Enterpriseis the SOAPReceiver servlet. The URI to the SOAPReceiver uses the format protocol://host:port/deloy-uri/Liberty/key. If you define disco as the Key, the URI path to the SOAPReceiver for the corresponding Discovery Service would be protocol://host:port/opensso/Liberty/disco.

Different service clients must use different keys when connecting to the SOAPReceiver.

Class Parameter

The Class parameter specifies the name of the class implemented from com.sun.identity.liberty.ws.soapbinding.RequestHandler for the particular web service. For example, class=com.example.identity.liberty.ws.disco.DiscoveryService.

SOAP Action Parameter

The optional SOAP Action can be used to indicate the intent of the SOAP HTTP request. The SOAP processor on the receiving system can use this information to determine the ultimate destination for the service. The value is a URI. No defined value indicates no intent.

SOAP places no restrictions on the format or specificity of the URI or that it is resolvable.

Web Service Authenticator

This attribute takes as a value the implementation class for the Web Service Authenticator interface. This class authenticates a request and generates a credential for a WSC.

This interface is not public. The value of the attribute is configured during installation.

Supported Authentication Mechanisms

This attribute specifies the authentication mechanisms supported by the SOAP Receiver. Authentication mechanisms offer user authentication as well as data integrity and encryption. By default, all available authentication mechanisms are selected. If a mechanism is not selected and a WSC sends a request using it, the request is rejected. Following is a list of the supported authentication mechanisms:

• urn:liberty:security:2003-08:ClientTLS:SAML

• urn:liberty:security:2003-08:ClientTLS:X509

• urn:liberty:security:2003-08:ClientTLS:null

• urn:liberty:security:2003-08:TLS:SAML

• urn:liberty:security:2003-08:TLS:X509

• urn:liberty:security:2003-08:TLS:null

• urn:liberty:security:2003-08:null:SAML

• urn:liberty:security:2003-08:null:X509

• urn:liberty:security:2003-08:null:null

• urn:liberty:security:2004-04:ClientTLS:Bearer

• urn:liberty:security:2004-04:TLS:Bearer

• urn:liberty:security:2004-04:null:Bearer

• urn:liberty:security:2005-02:ClientTLS:Bearer

• urn:liberty:security:2005-02:ClientTLS:SAML

• urn:liberty:security:2005-02:ClientTLS:X509

• urn:liberty:security:2005-02:TLS:Bearer

• urn:liberty:security:2005-02:TLS:SAML

• urn:liberty:security:2005-02:TLS:X509

• urn:liberty:security:2005-02:null:Bearer

• urn:liberty:security:2005-02:null:SAML

• urn:liberty:security:2005-02:null:X509

Enforce Only Known Providers

If enabled, this property will enforce the ProviderID header sent in a SOAP message to ensure that the provider exists in the system. If it does not, the request will be rejected. If this attribute is not enabled, the check will be skipped.

Certification Alias For SSL Client Authentication

Value is set during installation. Client certificate alias that will be used in SSL connection for Liberty SOAP Binding.

Time Limit for Stale Message

Default value is 300000. Determines if a message is stale and thus no longer trustworthy. If the message timestamp is earlier than the current timestamp by the specified number of milliseconds, the message the considered to be stale.

Message ID Cache Cleanup Interval

Default value is 60000. Specifies the number of milliseconds to elapse before cache cleanup events begin. Each message is stored in a cache with its own message ID to avoid duplicate messages. When a message's current time less the received time exceeds thestaleTimeLimit value, the message is removed from the cache.

Supported SOAP Actors

Default value is http://schemas.xmlsoap.org/soap/actor/next. Specifies supported SOAP actors. Each actor must be separated by a pipe character (|).

Namespace Prefix Mapping

Default value is:

=S=http://schemas.xmlsoap.org/soap/envelope/|sb=urn:liberty:sb:2003-08
|pp=urn:liberty:id-sis-pp:2003-08|ispp=http://www.sun.com/identity/
liberty/pp|is=urn:liberty:is:2003-08

Specifies the namespace prefix mapping used when marshalling a JAXB content tree to a DOM tree. The syntax is prefix=namespace|prefix=namespace|...

JAXB Package List

Specifies JAXB package list used when constructing JAXBContext. Each package must be separated by a colon (:).

Liberty Identity Web Service Version

This property determines the Liberty ID-WSF framework when the framework cannot determine from the in-bound message or from the resource offering when OpenSSO is acting as the WSC. Values can be 1.0 or 1.1. The default is 1.1.

Liberty Interaction Service

The Liberty Interaction Service allows the user to interact during web services communication for any authorization. .

The Liberty Interaction Service is configurable through the OpenSSO Enterprise console at Configuration>Global>Liberty ID-WSF Interaction Service. See Liberty Interaction Service in Sun OpenSSO Enterprise 8.0 Administration Reference for attribute definitions.

Liberty ID-WSF Security Service

The Liberty ID-WSF Security Service is configurable through the OpenSSO Enterprise console at Configuration>Global>Liberty ID-WSF Interaction Service. See Liberty ID-WSF Security Service in Sun OpenSSO Enterprise 8.0 Administration Reference for attribute definitions.