Chapter 9 Web Services

Liberty-based web services are those based on specifications in the Liberty ID-WSF and the Liberty ID-SIS. They are accessible from the Federation Manager Console by clicking the Web Services tab. The implemented web services include:

• Liberty Personal Profile Service

• Discovery Service

• SOAP Binding Service

• Authentication Web Service (Authentication Service)

• Creating a New Web Service

Liberty Personal Profile Service

The Liberty ID-SIS Personal Profile Service Specification (Liberty ID-SIS—PP) describes a data service which provides an identity's basic profile information. It is intended to be the least common denominator for holding consumer-based information about a principal. Federation Manager has implemented this specification and developed the Liberty Personal Profile Service. The Liberty Personal Profile Service can be queried for identity data or this data can be updated.

In order for access to occur, the hosting provider of the Liberty Personal Profile Service needs to be registered with the Discovery Service on behalf of each identity principal.

The following global attributes can be configured for your implementation of the Liberty Personal Profile Service.

• ResourceID Mapper

• Authorizer

• Attribute Mapper

• Provider ID

• Name Scheme

• Namespace Prefix

• Supported Containers

• PPLDAP Attribute Map List

• Require Query PolicyEval

• Require Modify PolicyEval

• Extension Container Attributes

• Extension Attributes Namespace Prefix

• Is ServiceUpdate Enabled

• Service Instance Update Class

• Alternate Endpoint

• Alternate Security Mechanisms

The following tasks are associated with configuring the Liberty Personal Profile Service:

• To Configure a Supported Container

• To Configure an Attribute Mapping

ResourceID Mapper

The value of this attribute specifies the implementation of the com.sun.identity.liberty.ws.interfaces.ResourceIDMapper interface. Although a new implementation can be developed, Federation Manager provides the default com.sun.identity.liberty.ws.idpp.plugin.IDPPResourceIDMapper which maps a discovery resource identifier to a user ID.

Authorizer

This functionality is not supported.

Before processing a request, the Liberty Personal Profile Service will verify the authorization of the WSC making the request. There are two levels of authorization check:

1. Is the requesting entity authorized to access the requested resource profile information?

2. Is the requested resource published to the requestor?

Authorization occurs via a plug-in to the Liberty Personal Profile Service: an implementation of the com.sun.identity.liberty.ws.interfaces.Authorizer interface. Although a new implementation can be developed, Federation Manager provides the default class, com.sun.identity.liberty.ws.idpp.plugin.IDPPAuthorizer. This plug-in defines four policy action values for the query and modify operations:

• Allow

• Deny

• Interact For Consent

• Interact For Value

The resource values for the rules are similar to x-path expressions defined by the Liberty Personal Profile Service. For example, a rule can be defined like the example below.

Example 9–1 Rules for Authorization

/PP/CommonName/AnalyzedName/FN    Query   Interact for consent
/PP/CommonName/*                  Modify  Interact for value
/PP/InformalName                  Query   Deny

Authorization can be turned off by deselecting one or both of the following attributes also defined in the Liberty Personal Profile Service:

• Require Query PolicyEval

• Require Modify PolicyEval

Attribute Mapper

This value of this attribute defines the class for mapping a Liberty Personal Profile Service attribute to an LDAP User attribute. By default, the class is com.sun.identity.liberty.ws.idpp.plugin.IDPPAttributeMapper.

Provider ID

The value of this attribute defines the unique identifier for this instance of the Liberty Personal Profile Service. The format is protocol://host:port/deloy-uri/Liberty/idpp.

Name Scheme

The value of this attribute defines the naming scheme for the Liberty Personal Profile Service common name. Choose First Last, or First Middle Last.

Namespace Prefix

The value of this attribute specifies the namespace prefix used for Liberty Personal Profile Service XML protocol messages. A namespace differentiates elements with the same name that come from different XML schemas. The Namespace Prefix is prepended to the element.

Supported Containers

The values of this attribute define a list of supported containers in the Liberty Personal Profile Service. A container, as used in this instance, is an attribute of the Liberty Personal Profile Service. For example, Emergency Contact and Common Name are two default containers for the Liberty Personal Profile Service.

To add a new container, click Add, and see To Configure a Supported Container.

Currently, this functionality is not supported.

To Configure a Supported Container

A container is an attribute that defines a holder for a piece of identity data. The following procedure is for adding new attributes to the Liberty Personal Profile Service. The starting point is the Liberty Personal Profile Service screen under Web Services.

1. In the Federation Manager Console, click the Web Services tab.

2. Under Web Services, select the Personal Profile tab.

3. Under Supported Containers, click New or choose the name of a configured container to modify its profile.

   The New Supported Container page is displayed.

4. Provide values for the New Supported Container attributes.

   Container Name

   Enter a name for the container such as CreditCard.

   Plugin

   Enter a class name to handle the whole container. This could be used to override the default implementation com.sun.identity.liberty.ws.idpp.plugin.IDPPContainer.

5. Click OK to complete the Container configuration.

6. Click Save on the Liberty Personal Profile Service page to complete the service configuration.

PPLDAP Attribute Map List

Each identity attribute defined in the Liberty Personal Profile Service maps one-to-one with an LDAP attribute. (For example, JobTitle=sunIdentityServerPPEmploymentIdentityJobTitle maps the Liberty JobTitle attribute to the sunIdentityServerPPEmploymentIdentityJobTitle attribute.) The value of PPLDAP Attribute Map List is a list that specifies the mappings. The list is used by the attribute mapper defined in the Attribute Mapper attribute which is, by default, com.sun.identity.liberty.ws.idpp.plugin.IDPPAttributeMapper.

In the following code sample, the Liberty Personal Profile Service informalName attribute mapping to the LDAP attribute uid is added to the mappings already present in the Liberty Personal Profile Service XML service file, amLibertyPersonalProfile.xml.

Attribute mappings are defined as global attributes under the name sunIdentityServerPPDSAttributeMapList in amLibertyPersonalProfile.xml. This attribute corresponds to that sunIdentityServerPPDSAttributeMapList global attribute.

Example 9–2 Attribute Mappings as Defined in XML Service File

<AttributeSchema name="sunIdentityServerPPDSAttributeMapList"
                      type="list"
                      syntax="string"
                      i18nKey="p108">
                      <DefaultValues>
                         <Value>CN=sunIdentityServerPPCommonNameCN</Value>
                         <Value>FN=sunIdentityServerPPCommonNameFN</Value>
                         <Value>MN=sunIdentityServerPPCommonNameMN</Value>
                         <Value>SN=sunIdentityServerPPCommonNameSN</Value>
                         <Value>InformalName=uid</Value>
              </AttributeSchema>

When adding new attributes to the Liberty Personal Profile Service or the LDAP data store, ensure that the new attribute mappings are configured in the PPLDAP Attribute Map List attribute. See To Configure an Attribute Mapping.

To Configure an Attribute Mapping

A mapping is an attribute that defines a holder for a piece of identity data. The following procedure is for adding new attributes to the Liberty Personal Profile Service. The starting point is the Liberty Personal Profile Service screen under Web Services.

1. In the Federation Manager Console, click the Web Services tab.

2. Under Web Services, select the Personal Profile tab.

3. Under PPLDAP Attribute Map List, click Add or click on the name of a configured mapping to modify it.

   The New LDAP Attribute Mapping page is displayed.

4. Provide values for the container attributes.

   Name Prefix

   Enter the name of the Liberty Personal Profile Service identity attribute to be mapped.

   LDAP Attribute

   Enter the name of the LDAP attribute to which the Name Prefix maps.

5. Click OK to complete the Mapping configuration.

6. Click Save on the Liberty Personal Profile Service page to complete the service configuration.

Require Query PolicyEval

If selected, this option requires a policy evaluation to be performed for Liberty Personal Profile Service queries.

Require Modify PolicyEval

If selected, this option requires a policy evaluation to be performed for Liberty Personal Profile Service modifications.

Extension Container Attributes

The Liberty Personal Profile Service allows you to specify extension attributes that are not defined in the Liberty Alliance Project specifications. The values of this attribute specify a list of extension container attributes. All extensions should be defined as:

    /PP/Extension/PPISExtension [@name=’extensionattribute’]

The following sample illustrates an extension query expression for creditcard, an extension attribute.

Example 9–3 Extension Query for creditcard

 /pp:PP/pp:Extension/ispp:PPISExtension[@name=’creditcard’]
Note: The prefix for the PPISExtension is different,
 and the schema for the PP extension is as follows:
<?xml version="1.0" encoding="UTF-8" ?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="http://www.sun.com/identity/liberty/pp"
  targetNamespace="http://www.sun.com/identity/liberty/pp">
  <xs:annotation>
      <xs:documentation>
      </xs:documentation>
  </xs:annotation>

  <xs:element name="PPISExtension">
     <xs:complexType>
        <xs:simpleContent>
           <xs:extension base="xs:string">
              <xs:attribute name="name" type="xs:string"
                use="required"/>
           </xs:extension>
        </xs:simpleContent>
     </xs:complexType>
   </xs:element>
</xs:schema>

Extension Attributes Namespace Prefix

The value of this attribute specifies the namespace prefix for the extensions defined in the Extension Container Attributes. This prefix is prepended to the element and is useful to distinguish metadata from different XML schema namespaces.

Is ServiceUpdate Enabled

The SOAP Binding Service allows a service to indicate that requesters should contact it on a different endpoint or use a different security mechanism and credentials to access the requested resource. If selected, this attribute affirms that there is an update to the service instance.

Service Instance Update Class

The value of this attribute specifies the default implementation class com.sun.identity.liberty.ws.idpp.plugin.IDPPServiceInstanceUpdate. This class is used to update the information for the service instance.

Alternate Endpoint

The value of this attribute specifies an alternate SOAP endpoint to which a SOAP request can be sent.

Alternate Security Mechanisms

This attribute allows you to choose a security mechanism. For more information on this functionality and the mechanisms, see the Liberty ID-WSF Security Mechanisms specification.

Discovery Service

The initial step in accessing identity data is to determine where the information is located. (For example, which identity service holds the principal's credit card information, or which server stores the principal's calendar service.) Typically, there are one or more services on a network that allow other entities to perform an action on identity data. Because clients are not expected to keep track of these services or to know which can be trusted, they require a discovery service.

A discoverable web service is assigned a service type URI in the specification that defines it. This URI points to the Web Services Description Language (WSDL) file that describes the service’s data, the operations that can be performed on it, and a protocol detailing how to perform an action. The discoverable service specification itself adds the available ways the data can be exchanged. A discovery service is essentially a web service interface for discovery resources. A discovery resource is a registry of resource offerings. A resource offering defines an association between a piece of identity data and the service instance that provides access to that data. A resource identifier is a unique resource identifier (URI) registered with the Discovery Service that points to a particular discovery resource.

When a client sends a request for some type of data, it includes a resource identifier that the Discovery Service uses to locate the web services provider (WSP) for the requested attributes. The Discovery Service returns a resource offering that contains the information necessary to locate the data.

In order for access to occur, the hosting provider of the Liberty Personal Profile Service needs to be registered with the Discovery Service on behalf of each identity principal.

The following Discovery Service global attributes can be configured for your implementation.

• Provider ID

• Supported Authentication Mechanisms

• Supported Directives

• Enable Policy Evaluation for DiscoveryLookup

• Enable Policy Evaluation for DiscoveryUpdate

• Authorizer Plugin Class

• Entry Handler Plugin Class

• Classes for ResourceID Mapper Plugin

• Authenticate Response Message

• Generate Session Context Statement for Bootstrapping

• Encrypt NameIdentifier in Session Context for Bootstrapping

• Use Implied Resource; don't generate ResourceID for Bootstrapping

• Resource Offerings for Bootstrapping

The following tasks are associated with configuring the Discovery Service:

• To Configure a ResourceID Mapper

• To Configure a Resource Offering for Bootstrapping

• To Configure a Service Description

Provider ID

This attribute takes a URI that points to the Discovery Service. Use the format protocol://host:port/amserver/Liberty/disco. This value can be changed as long as other relevant attributes values are changed to match the new location.

Supported Authentication Mechanisms

This attribute specifies the authentication methods supported by the Discovery Service. These security mechanisms refer to the way a web service consumer authenticates to the web service provider or provides message-level security. By default, all available methods that the service instance supports are selected. If an authentication method is not selected, and a web services consumer sends a request using that method, the request is rejected. See To Configure a Service Description.

Supported Directives

This attribute allows you to specify a policy-related directive for a resource. If a service provider wants to use an unsupported directive, the request will fail. The following table details the available options.

Enable Policy Evaluation for DiscoveryLookup

If enabled, the service will perform a policy evaluation for the DiscoveryLookup operation. By default, the option is not selected.

Enable Policy Evaluation for DiscoveryUpdate

If enabled, the service will perform a policy evaluation for the DiscoveryUpdate operation. By default, this option is not selected.

Authorizer Plugin Class

The value of this attribute is the name and path to the class that implements the com.sun.identity.liberty.ws.interfaces.Authorizer interface used for policy evaluation of a web services consumer. The default class is com.sun.identity.liberty.ws.disco.plugins.DefaultDiscoAuthorizer.

Entry Handler Plugin Class

The value of this attribute is the name and path to the class that implements the com.sun.identity.liberty.ws.disco.plugins.DiscoEntryHandler interface used to set or retrieve a principal's discovery entries. To handle this feature differently, you can implement the interface and set the implementing class as the value for this attribute. The default implementation for the Discovery Service is com.sun.identity.liberty.ws.disco.plugins.UserDiscoEntryHandler.

Classes for ResourceID Mapper Plugin

The value of this attribute is a list of classes that generate identifiers for a resource offering configured for an organization or role. com.sun.identity.liberty.ws.interfaces.ResourceIDMapper is an interface used to map a user identifier to the resource identifier associated with it. The Discovery Service provides two implementations for this interface:

• com.sun.identity.liberty.ws.disco.plugins.Default64ResourceIDMapper (format: providerID + "/" + the Base64 encoded userIDs)

• com.sun.identity.liberty.ws.disco.plugins.DefaultHexResourceIDMapper (format: providerID + "/" + the hex string of userID)

Different implementations may be developed with the implementing class and added as a value of this attribute by clicking New and using the format providerid=providerID|class_name_and_path. See To Configure a ResourceID Mapper.

To Configure a ResourceID Mapper

com.sun.identity.liberty.ws.interfaces.ResourceIDMapper is an interface used to map a user identifier to the resource identifier associated with it. Different implementations may be developed and added to the attribute. The following procedure is for adding a new resourceID mapper to the Discovery Service. The starting point is the Discovery Service screen under Web Services.

1. In the Federation Manager Console, click the Web Services tab.

2. Under Web Services, select the Discovery Service tab.

3. Under Classes for ResourceID Mapper Plugin, click New or click on the name of a configured mapper to modify it.

   The New Resource ID Mapping page is displayed.

4. Provide values for the mapper attributes.

   Provider ID

   A URI that points to the Discovery Service. Use the format http://host:port/amserver/Liberty/disco.

   ID Mapper

   The name of the implementing class.

5. Click OK to complete the mapper configuration.

6. Click Save on the Discovery Service page to complete the configuration.

Authenticate Response Message

If enabled, the service will authenticate the response message. By default, the function is not enabled.

Generate Session Context Statement for Bootstrapping

If enabled, this attribute specifies whether to generate a SessionContextStatement for bootstrapping. SessionConxtext in the SessionContextStatement is needed by the Discovery Service to support the AuthenicateSessionContext directive. By default, this option is not enabled.

Encrypt NameIdentifier in Session Context for Bootstrapping

If enabled, the service will encrypt the name identifier in a SessionContextStatement. By default, the option is not enabled.

Use Implied Resource; don't generate ResourceID for Bootstrapping

If enabled, the service will not generate a resource identifier for bootstrapping. By default, the option is not enabled.

Resource Offerings for Bootstrapping

This attribute defines a resource offering for bootstrapping a service. After single sign-on (SSO), this resource offering and its associated credentials will be sent to the client in the SSO assertion. Only one resource offering is allowed for bootstrapping. By default, this offering contains information regarding the Discovery Service. Tasks associated with this attribute include:

• To Configure a Resource Offering for Bootstrapping

• To Configure a Service Description

The value of the Resource Offerings for Bootstrapping Resources attribute is a default value configured during installation. If you wish to define a new resource offering, you must first delete the existing resource offering. If you wish to modify the existing resource offering, click on the Edit link.

To Configure a Resource Offering for Bootstrapping

Only one resource offering is allowed for bootstrapping. By default, this offering contains information regarding the Discovery Service. If a resource offering is already defined, you can modify the attributes by clicking the Edit link. You may also select the box next to the name of the Resource Offering to delete the existing resource offering. To configure a new resource offering, you would then click New.

1. In the Federation Manager Console, click the Web Services tab.

2. Under Web Services, select the Discovery Service tab.

3. Under Resource Offerings for Bootstrapping, click New or click Edit to modify existing attributes.

   The Resource Offering attributes are displayed.

4. Provide or modify values for the resource offerings attributes.

   Description

   An optional description of the resource offering.

   Service Type

   A URI that defines the type of service the resource offering implements. For example, urn:liberty:disco:2003-08.

   ---

   Note –

   It is recommended that this URI be the same as the targetNamespace URI of the abstract WSDL description for the service.

   ---

   Provider ID

   A URI that points to the provider of the service instance. For example, http://server.sun.com:80/amserver/Liberty/disco.

   Security Mechanism ID

   One or more URIs that identify the security mechanisms supported by the service instance defined in the previous attributes. These security mechanisms refer to the way a web service consumer authenticates to the web service provider. This attribute lists all of the security mechanisms that the service instance supports. The consumer picks the first mechanism (in the order listed) that it supports. They are listed in order of preference.

   See To Configure a Service Description.

   Options

   Check this box if the service has no options available for the resource offering. Options provide hints to a potential requester whether certain data or operations may be available with a particular resource offering. For example, an option may be provided stating that home contact information is available.

   Option List

   This attribute contains a list of options for the service instance. The option is defined as a URI. The set of possible URIs are generally standardized by the service type.

   Directives

   All supported directives (as described in Supported Directives) may contain a descriptive reference. If these Description ID References attributes are not defined for a directive, the directive is taken to apply to all authentication mechanisms provided in the resource offering. If a directive is enabled here, it MUST be defined with a list of Description ID References that refer to the authentication mechanism with which the directive is associated. The directive also MUST be taken to apply only to those descriptions referred to in the ID Refs list. This may be useful if certain directives are incompatible with certain security mechanisms. The supported directives for which Description ID References can be defined are:

   • GenerateBearerToken

   • AuthenticateRequestor

   • Encrypt ResourceID

   • AuthenticateSessionContext

   • AuthorizeRequester

5. Click OK to complete the mapper configuration.

6. Click Save on the Discovery Service page to complete the service configuration.

To Configure a Service Description

The Service Description attribute defines a running web service at a distinct protocol endpoint. It is defined when you configure Resource Offerings for Bootstrapping. Information about service instances needs to be communicated in various contexts. For example, the Discovery Service defined is an identity service which provides an enumeration of resource offerings (each of which includes a service instance description).

1. In the Federation Manager Console, click the Web Services tab.

2. Under Web Services, select the Discovery Service tab.

3. Under Resource Offerings for Bootstrapping, click New or click Edit to modify existing attributes.

   The Resource Offering attributes are displayed.

4. From the configuration screen of the Resource Offering for Bootstrapping attribute, click Add Mechanism ID to display the new security mechanism ID attributes or click Edit to modify an existing description.

5. Provide values for the attributes based on the following information:

   Security Mechanism ID

   This attribute is where authentication methods supported by the Discovery Service are added. These security mechanisms refer to the way a web service consumer authenticates to the web service provider or provides message-level security. By default, all available methods that the service instance supports are selected. If an authentication method is not selected, and a web services consumer sends a request using that method, the request is rejected. See Supported Authentication Mechanisms.

   End Point URL

   Takes the URI for the SOAP-over-HTTP endpoint. For example, http://daiquiri.sun.com:80/amserver/Liberty/disco.

   SOAP Action

   SOAP Action can be used to indicate the intent of the SOAP HTTP request. The SOAP processor on the receiving system can use this information to determine the ultimate destination for the service. The value is a URI. No defined value indicates no intent.

   ---

   Note –

   SOAP places no restrictions on the format or specificity of the URI or that it is resolvable.

   ---

6. Click OK to complete the service configuration.

7. Click Save on the Discovery Service page to complete the service configuration.

SOAP Binding Service

SOAP Binding Service is a transport layer for sending and receiving SOAP messages. In the SOAP Binding Service process, an identity service calls the client side application programming interface to construct a message and send it to the SOAP Receiver servlet (SOAP endpoint). The SOAP Receiver servlet receives the message, verifies the signature, and constructs a second message. The SOAP Receiver servlet then invokes the correct Request Handler to send this second message to the corresponding identity service for a response. The identity service processes the second message, generates a response, and sends that response back to the SOAP Receiver servlet. The servlet, in turn, sends the response back to the identity service for processing.

The following SOAP Binding Service global attributes can be configured for your implementation.

• Request Handler List

• Web Service Authenticator

• Supported Authentication Mechanisms

The following task is associated with configuring the SOAP Binding Service:

• To Configure a Request Handler

Request Handler List

The Request Handler List stores information about the classes implemented from the com.sun.identity.liberty.ws.soapbinding.RequestHandler interface. The SOAP Binding Service provides the interface to process requests and return responses. It must be implemented on the server side for each Liberty-based web service that uses the SOAP Binding Service.

Currently, the Discovery Service, implemented Data Services Template (DST) services (including the Liberty Personal Profile Service and the sample Employee Profile Service, if deployed), and the Authentication Web Service use the SOAP Binding Service client API.

The Request Handler List displays entries that contain key/value pairs separated by a pipe as in key=disco|class=com.example.identity.liberty.ws.disco.DiscoveryService.

To modify the Request Handler list, see To Configure a Request Handler.

To Configure a Request Handler

The Request Handler List stores information about the classes implemented from the com.sun.identity.liberty.ws.soapbinding.RequestHandler interface. com.sun.identity.liberty.ws.soapbinding.RequestHandler must be implemented on the server side by each Liberty-based identity service that accesses the SOAP Binding Service.

1. In the Federation Manager Console, click the Web Services tab.

2. Under Web Services, select the SOAP Binding Service tab.

3. Under Request Handler List, click New or Edit to display the Request Handler List attributes.

4. Provide values for the attributes.

   Key

   The Key property is the last part of the URI path to a SOAP endpoint. The SOAP endpoint in Federation Manager is the SOAP Receiver servlet. The URI to the SOAP Receiver uses the format protocol://host:port/deloy-uri/Liberty/key. If you define disco as the Key, the URI path to the SOAP endpoint for the corresponding Discovery Service would be protocol://host:port/amserver/Liberty/disco. Different service clients use different keys when connecting to the SOAP Receiver.

   Class

   The Class property specifies the name of the implemented Request Handler class for the particular web service. For example, class=com.example.identity.liberty.ws.disco.DiscoveryService.

   SOAP Action

   SOAP Action can be used to indicate the intent of the SOAP HTTP request. The SOAP processor on the receiving system can use this information to determine the ultimate destination for the service. The value is a URI. No defined value indicates no intent.

   ---

   Note –

   SOAP places no restrictions on the format or specificity of the URI or that it is resolvable.

   ---

5. Click OK to complete the Request Handler configuration.

6. Click Save on the SOAP Binding Service page to complete the service configuration.

Web Service Authenticator

This attribute takes as a value the implementation class for the Web Service Authenticator interface. This class authenticates a request and generates a credential for a web service consumer.

Supported Authentication Mechanisms

This attribute specifies the authentication mechanisms supported by the SOAP Receiver. Authentication mechanisms offer user authentication, as well as data integrity and encryption. By default, all available authentication mechanisms are selected. If one is not selected, and a web services consumer sends a request using it, the request is rejected. Following is a list of the supported authentication mechanisms:

• urn:liberty:security:2003-08:null:null

• urn:liberty:security:2003-08:null:X509

• urn:liberty:security:2003-08:null:SAML

• urn:liberty:security:2004-04:null:Bearer

• urn:liberty:security:2003-08:TLS:null

• urn:liberty:security:2003-08:TLS:X509

• urn:liberty:security:2003-08:TLS:SAML

• urn:liberty:security:2004-04:TLS:Bearer

• urn:liberty:security:2003-08:ClientTLS:null

• urn:liberty:security:2003-08:ClientTLS:X509

• urn:liberty:security:2003-08:ClientTLS:SAML

• urn:liberty:security:2004-04:ClientTLS:Bearer

Authentication Web Service (Authentication Service)

The Authentication Web Service defines how to perform authentication using SOAP. The exchange of authentication information between a web service consumer (WSC) and the web service provider (WSP) is accomplished using SOAP-bound messages. The messages are a series of client requests and server responses specific to the defined Simple Authentication and Security Layer (SASL) mechanism (or mode of authentication). After receiving a request for authentication (or any request from the WSC), the WSP may issue additional challenges, or indicate authentication failure or success. The Authentication Web Service is for service-to-service (non-user) authentication. The following steps describe the sequence between the WSC and the Authentication Web Service (a WSP).

1. The authentication exchange begins with a WSC sending an SASL authentication request to the Authentication Web Service on behalf of a principal.

   The request message contains an identifier for the principal and indicates one or more SASL mechanisms from which the service can choose.

2. The Authentication Web Service responds by asserting the method to use and, if applicable, initiating a challenge.

   If the Authentication Web Service does not support any of the cited methods, it responds by aborting the exchange.

3. The WSC responds with the necessary credentials for the chosen method of authentication.

4. The Authentication Web Service replies by approving or disproving the authentication.

   If approved, the response includes the credentials the WSC needs to invoke other web services (like the Discovery Service).

The following Authentication Web Service global attribute can be configured for your implementation.

• Mechanism Handlers List

The following task is associated with configuring the Authentication Web Service:

• To Configure a Mechanism Handler

Mechanism Handlers List

The Mechanism Handler List attribute stores information about the SASL mechanisms supported by the Authentication Web Service. To add or modify these values, see To Configure a Mechanism Handler.

To Configure a Mechanism Handler

1. In the Federation Manager Console, click the Web Services tab.

2. Under Web Services, select the Authentication Service tab.

3. Under Mechanism Handlers List, click Add or Edit to display the Mechanism Handler attributes.

4. Provide values for the attributes.

   Key

   Defines the SASL mechanism supported by the Authentication Web Service.

   Class

   The Authentication Web Service provides a handler interface that needs to be implemented in order for each SASL mechanism to process the requested message and return a response. The class parameter specifies the name of the implementation class for the SASL mechanism. Two authentication mechanisms are supported out-of-the-box by the following classes:

   com.sun.identity.liberty.ws.authnsvc.mechanism.PlainMechanismHandler

   This class is the default implementation for the PLAIN authentication mechanism. It maps user identifiers and passwords in the PLAIN mechanism to the user identifiers and passwords in the LDAP authentication module under the root organization.

   com.sun.identity.liberty.ws.authnsvc.mechanism.CramMD5MechanismHandler

   This class is the default implementation for the CRAM-MD5 authentication mechanism.

5. Click OK or Save to complete the Mechanism Handler configuration.

6. Click Save on the Authentication Web Service page to complete the service configuration.

Creating a New Web Service

Federation Manager contains a sample that illustrates how to develop a simple web service. The ample web service sends stock data based on a defined user type. It shows how to extract authentication information from an authenticated SAML Assertion (SAML Bearer Token). The sample instructions can be modified to develop your own web service. The sample is located in the /FederationManager-base/SUNWam/fm/samples/liberty/webservices/stockticker directory.