Sun Java System Federation Manager 7.0 User's Guide

Discovery Service

The initial step in accessing identity data is to determine where the information is located. (For example, which identity service holds the principal's credit card information, or which server stores the principal's calendar service.) Typically, there are one or more services on a network that allow other entities to perform an action on identity data. Because clients are not expected to keep track of these services or to know which can be trusted, they require a discovery service.

A discoverable web service is assigned a service type URI in the specification that defines it. This URI points to the Web Services Description Language (WSDL) file that describes the service's data, the operations that can be performed on it, and a protocol detailing how to perform an action. The discoverable service specification itself adds the available ways the data can be exchanged. A discovery service is essentially a web service interface for discovery resources. A discovery resource is a registry of resource offerings. A resource offering defines an association between a piece of identity data and the service instance that provides access to that data. A resource identifier is a uniform resource identifier (URI) registered with the Discovery Service that points to a particular discovery resource.

When a client sends a request for some type of data, it includes a resource identifier that the Discovery Service uses to locate the web services provider (WSP) for the requested attributes. The Discovery Service returns a resource offering that contains the information necessary to locate the data.


Note –

In order for access to occur, the hosting provider of the Liberty Personal Profile Service needs to be registered with the Discovery Service on behalf of each identity principal.


The following Discovery Service global attributes can be configured for your implementation.

The following tasks are associated with configuring the Discovery Service:

Provider ID

This attribute takes a URI that points to the Discovery Service. Use the format protocol://host:port/amserver/Liberty/disco. This value can be changed as long as the other relevant attribute values are changed to match the new location.

Supported Authentication Mechanisms

This attribute specifies the authentication methods supported by the Discovery Service. These security mechanisms refer to the way a web service consumer authenticates to the web service provider or provides message-level security. By default, all available methods that the service instance supports are selected. If an authentication method is not selected, and a web services consumer sends a request using that method, the request is rejected. See To Configure a Service Description.

Supported Directives

This attribute allows you to specify a policy-related directive for a resource. If a service provider wants to use an unsupported directive, the request will fail. The following table details the available options.

Directive                     Purpose

AuthenticateRequester         The Discovery Service should include a SAML assertion (containing an AuthenticationStatement) in its responses to enable the client to authenticate to the service instance hosting the resource.

AuthenticateSessionContext    The Discovery Service should include a SAML assertion (containing a SessionContextStatement) in its responses that indicates the status of the session.

AuthorizeRequester            The Discovery Service should include a SAML assertion (containing a ResourceAccessStatement) in its responses that indicates whether the client is allowed to access the resource.

EncryptResourceID             The Discovery Service should encrypt the resource identifier in responses to all clients.

GenerateBearerToken           For use with Bearer Token Authentication, the Discovery Service should generate a token that grants the bearer permission to access the resource.

Enable Policy Evaluation for DiscoveryLookup

If enabled, the service will perform a policy evaluation for the DiscoveryLookup operation. By default, the option is not selected.

Enable Policy Evaluation for DiscoveryUpdate

If enabled, the service will perform a policy evaluation for the DiscoveryUpdate operation. By default, this option is not selected.

Authorizer Plugin Class

The value of this attribute is the name and path to the class that implements the com.sun.identity.liberty.ws.interfaces.Authorizer interface used for policy evaluation of a web services consumer. The default class is com.sun.identity.liberty.ws.disco.plugins.DefaultDiscoAuthorizer.

Entry Handler Plugin Class

The value of this attribute is the name and path to the class that implements the com.sun.identity.liberty.ws.disco.plugins.DiscoEntryHandler interface used to set or retrieve a principal's discovery entries. To handle this feature differently, you can implement the interface and set the implementing class as the value for this attribute. The default implementation for the Discovery Service is com.sun.identity.liberty.ws.disco.plugins.UserDiscoEntryHandler.

Classes for ResourceID Mapper Plugin

The value of this attribute is a list of classes that generate identifiers for a resource offering configured for an organization or role. com.sun.identity.liberty.ws.interfaces.ResourceIDMapper is an interface used to map a user identifier to the resource identifier associated with it. The Discovery Service provides two implementations for this interface:

Different implementations may be developed with the implementing class and added as a value of this attribute by clicking New and using the format providerid=providerID|class_name_and_path. See To Configure a ResourceID Mapper.

To Configure a ResourceID Mapper

com.sun.identity.liberty.ws.interfaces.ResourceIDMapper is an interface used to map a user identifier to the resource identifier associated with it. Different implementations may be developed and added to the attribute. The following procedure is for adding a new resourceID mapper to the Discovery Service. The starting point is the Discovery Service screen under Web Services.

  1. In the Federation Manager Console, click the Web Services tab.

  2. Under Web Services, select the Discovery Service tab.

  3. Under Classes for ResourceID Mapper Plugin, click New or click on the name of a configured mapper to modify it.

    The New Resource ID Mapping page is displayed.

  4. Provide values for the mapper attributes.

    Provider ID

    A URI that points to the Discovery Service. Use the format http://host:port/amserver/Liberty/disco.

    ID Mapper

    The name of the implementing class.

  5. Click OK to complete the mapper configuration.

  6. Click Save on the Discovery Service page to complete the configuration.

Authenticate Response Message

If enabled, the service will authenticate the response message. By default, the function is not enabled.

Generate Session Context Statement for Bootstrapping

If enabled, the service generates a SessionContextStatement for bootstrapping. The SessionContext in the SessionContextStatement is needed by the Discovery Service to support the AuthenticateSessionContext directive. By default, this option is not enabled.

Encrypt NameIdentifier in Session Context for Bootstrapping

If enabled, the service will encrypt the name identifier in a SessionContextStatement. By default, the option is not enabled.

Use Implied Resource; don't generate ResourceID for Bootstrapping

If enabled, the service will not generate a resource identifier for bootstrapping. By default, the option is not enabled.

Resource Offerings for Bootstrapping

This attribute defines a resource offering for bootstrapping a service. After single sign-on (SSO), this resource offering and its associated credentials will be sent to the client in the SSO assertion. Only one resource offering is allowed for bootstrapping. By default, this offering contains information regarding the Discovery Service. Tasks associated with this attribute include:


Note –

The value of the Resource Offerings for Bootstrapping attribute is a default value configured during installation. If you wish to define a new resource offering, you must first delete the existing resource offering. If you wish to modify the existing resource offering, click the Edit link.


To Configure a Resource Offering for Bootstrapping

Only one resource offering is allowed for bootstrapping. By default, this offering contains information regarding the Discovery Service. If a resource offering is already defined, you can modify its attributes by clicking the Edit link. To replace it, select the box next to the name of the resource offering to delete the existing one, then click New to configure a new resource offering.

  1. In the Federation Manager Console, click the Web Services tab.

  2. Under Web Services, select the Discovery Service tab.

  3. Under Resource Offerings for Bootstrapping, click New or click Edit to modify existing attributes.

    The Resource Offering attributes are displayed.

  4. Provide or modify values for the resource offerings attributes.

    Description

    An optional description of the resource offering.

    Service Type

    A URI that defines the type of service the resource offering implements. For example, urn:liberty:disco:2003-08.


    Note –

    It is recommended that this URI be the same as the targetNamespace URI of the abstract WSDL description for the service.


    Provider ID

    A URI that points to the provider of the service instance. For example, http://server.sun.com:80/amserver/Liberty/disco.

    Security Mechanism ID

    One or more URIs that identify the security mechanisms supported by the service instance defined in the previous attributes. These security mechanisms refer to the way a web service consumer authenticates to the web service provider. This attribute lists all of the security mechanisms that the service instance supports, in order of preference; the consumer picks the first mechanism in that order that it also supports.

    See To Configure a Service Description.

    Options

    Check this box if the service has no options available for the resource offering. Options provide hints to a potential requester whether certain data or operations may be available with a particular resource offering. For example, an option may be provided stating that home contact information is available.

    Option List

    This attribute contains a list of options for the service instance. The option is defined as a URI. The set of possible URIs are generally standardized by the service type.

    Directives

    All supported directives (as described in Supported Directives) may contain a descriptive reference. If these Description ID References attributes are not defined for a directive, the directive is taken to apply to all authentication mechanisms provided in the resource offering. If a directive is enabled here, it MUST be defined with a list of Description ID References that refer to the authentication mechanism with which the directive is associated. The directive also MUST be taken to apply only to those descriptions referred to in the ID Refs list. This may be useful if certain directives are incompatible with certain security mechanisms. The supported directives for which Description ID References can be defined are:

    • GenerateBearerToken

    • AuthenticateRequester

    • EncryptResourceID

    • AuthenticateSessionContext

    • AuthorizeRequester

  5. Click OK to complete the resource offering configuration.

  6. Click Save on the Discovery Service page to complete the service configuration.
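The Security Mechanism ID ordering rule and the Directives scoping rule above can be made concrete in code. The following is an added example, not code from the Federation Manager guide or product: a minimal model of a resource offering, with constructed sample mechanism URIs, a placeholder host, and directive names taken from the Supported Directives table.

```python
# Added example, not from the Federation Manager guide: a minimal model of a
# Liberty ID-WSF resource offering showing how a consumer picks a security
# mechanism and which directives apply to which service description.
from dataclasses import dataclass, field

# Constructed sample mechanism URIs in Liberty naming style (real ones come from Supported Authentication Mechanisms).
NULL_NULL = "urn:liberty:security:2003-08:null:null"
TLS_SAML = "urn:liberty:security:2003-08:TLS:SAML"
TLS_BEARER = "urn:liberty:security:2004-04:TLS:Bearer"
SUPPORTED_DIRECTIVES = {"AuthenticateRequester", "AuthenticateSessionContext",
                        "AuthorizeRequester", "EncryptResourceID", "GenerateBearerToken"}

@dataclass
class Description:
    desc_id: str        # id that a directive's Description ID References point at
    endpoint: str       # SOAP-over-HTTP End Point URL
    mechanisms: list    # Security Mechanism IDs, most preferred first

@dataclass
class ResourceOffering:
    service_type: str
    provider_id: str
    descriptions: list
    directives: dict = field(default_factory=dict)  # name -> list of desc_ids ([] = all)

def select_mechanism(offering, consumer_mechs):
    """First listed mechanism the consumer also supports; returns (desc_id, mechanism) or None."""
    for desc in offering.descriptions:
        for mech in desc.mechanisms:
            if mech in consumer_mechs:
                return desc.desc_id, mech
    return None

def directives_for(offering, desc_id):
    """Directives with no ID references apply to every description; others only to those named."""
    return sorted(name for name, refs in offering.directives.items()
                  if not refs or desc_id in refs)

def check_directives(offering):
    """An offering naming a directive the service does not support is rejected."""
    bad = sorted(set(offering.directives) - SUPPORTED_DIRECTIVES)
    if bad:
        raise ValueError("unsupported directive(s): " + ", ".join(bad))
    return True

# Constructed bootstrap offering for the Discovery Service itself; host is a placeholder.
DISCO = "http://host.example:80/amserver/Liberty/disco"
SAMPLE = ResourceOffering("urn:liberty:disco:2003-08", DISCO,
    [Description("d1", DISCO, [TLS_SAML, NULL_NULL]), Description("d2", DISCO, [TLS_BEARER])],
    {"EncryptResourceID": [], "GenerateBearerToken": ["d2"]})
```

Note that a consumer offering [NULL_NULL, TLS_BEARER] still lands on description d1 with NULL_NULL, because the provider's listed order, not the consumer's, decides; GenerateBearerToken applies only to d2 because of its Description ID References.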

To Configure a Service Description

The Service Description attribute defines a running web service at a distinct protocol endpoint. It is defined when you configure Resource Offerings for Bootstrapping. Information about service instances needs to be communicated in various contexts. For example, the Discovery Service is itself an identity service that provides an enumeration of resource offerings, each of which includes a service instance description.

  1. In the Federation Manager Console, click the Web Services tab.

  2. Under Web Services, select the Discovery Service tab.

  3. Under Resource Offerings for Bootstrapping, click New or click Edit to modify existing attributes.

    The Resource Offering attributes are displayed.

  4. From the configuration screen of the Resource Offering for Bootstrapping attribute, click Add Mechanism ID to display the new security mechanism ID attributes or click Edit to modify an existing description.

  5. Provide values for the attributes based on the following information:

    Security Mechanism ID

    This attribute is where authentication methods supported by the Discovery Service are added. These security mechanisms refer to the way a web service consumer authenticates to the web service provider or provides message-level security. By default, all available methods that the service instance supports are selected. If an authentication method is not selected, and a web services consumer sends a request using that method, the request is rejected. See Supported Authentication Mechanisms.

    End Point URL

    Takes the URI for the SOAP-over-HTTP endpoint. For example, http://daiquiri.sun.com:80/amserver/Liberty/disco.

    SOAP Action

    SOAP Action can be used to indicate the intent of the SOAP HTTP request. The SOAP processor on the receiving system can use this information to determine the ultimate destination for the service. The value is a URI. No defined value indicates no intent.


    Note –

    SOAP places no restrictions on the format or specificity of the URI, and does not require that it be resolvable.


  6. Click OK to complete the service configuration.

  7. Click Save on the Discovery Service page to complete the service configuration.