Liberty IDWSF2.0 Overview - PowerPoint PPT Presentation

1 / 42
About This Presentation
Title:

Liberty IDWSF2.0 Overview

Description:

Buy some electronics. CoolToys.com. Get Jane's credit Card. Interaction Svc. Ask Jane if ... allowing another to see photos, chatting, 'Find a Friend' etc ... – PowerPoint PPT presentation

Number of Views:67
Avg rating:3.0/5.0
Slides: 43
Provided by: project5
Category:

less

Transcript and Presenter's Notes

Title: Liberty IDWSF2.0 Overview


1
Liberty ID-WSF2.0 Overview
2
Table of Contents
  • Problem Introduction
  • Liberty Identity Web Services Framework
    (ID-WSF2.0)
  • Liberty Identity Service Interface Specifications

3
Introduction to Liberty Alliance
4
What is the Liberty Alliance?
  • The Liberty Alliance is the only global body
    working to define and drive open technology
    standards, privacy and business guidelines for
    federated identity management

5
What is Network Identity?
6
Liberty Identity Federation Framework (ID-FF)
Security Assertion Markup Language (SAML) 2.0
Enables interoperable identity services such as
personal identity profile service, contact book
service, geo-location service, presence service
and so on.
Enables identity federation and management
through features such as identity/account
linkage, simplified sign on, and simple session
management
Provides the framework for building interoperable
identity services, permission based attribute
sharing, identity service description and
discovery, and the associated security profiles
7
Liberty Identity Federation Framework (ID-FF)
Security Assertion Markup Language (SAML) 2.0
Enables interoperable identity services such as
personal identity profile service, contact book
service, geo-location service, presence service
and so on.
Enables identity federation and management
through features such as identity/account
linkage, simplified sign on, and simple session
management
Provides the framework for building interoperable
identity services, permission based attribute
sharing, identity service description and
discovery, and the associated security profiles
8
What is ID-WSF?
  • A privacy and security framework for locating and
    invoking identity based Web services to provide a
    simplified customized online experience
  • Identity-based Web services
  • Are associated with a Principal's Identity (e.g.
    My Calendar Service)
  • Can be Invoked using a Principals Identity
  • Permissions-based Attribute Sharing
  • Invoking Services under control of user
  • Service Requestor doing so on behalf (either
    directly or indirectly) of user.

9
What is an identity service?
  • A service that presents external interface to
    some aspect of my online identity (data or any
    other resource)
  • Typically exposed as a SOAP-based web service
  • Allows for greater control of my identity by
    reducing duplication throughout the network
  • Increases privacy because fewer personal
    information items are released, e.g.
  • An Inbox service might allow me to receive
    "permission-based" marketing without releasing my
    email address
  • A Payment service would allow payments to be
    made without releasing my credit card number

10
Connection between ID-FF/SAML2 WSF
  • ID-FF/SAML2 can be used to bootstrap into ID-WSF
  • SP gets Assertion which can include bootstrap
    information for invoking DS
  • SP then acts as WSC to invoke ID-WSF services
  • Authentication Service (AS) provides a SOAP
    interface in to the IdP to perform ID-FF like
    operations (non-web)
  • Results in ID-FF/SAML2 assertion provided back to
    client
  • Client can then invoke SSOS and DS
  • WSF specifies how SAML Assertions can be used to
    communicate identity information between WSF
    actors

11
ID-FF/SAML2 and ID-WSF together
SP/WSC
WSP
WSP
IdP
DS
12
ID-FF ID-WSF Sequence
IDP
DS
13
ID-WSF Core Components
  • Discovery Service
  • Service Invocation
  • Interaction Service
  • Security Mechanisms
  • Authentication Service
  • Data Services Template
  • People Service
  • SSO Service
  • Identity Mapping Service (IMS)
  • Subscription Notification
  • Privacy mechanisms

14
Discovery Service
  • Registry for services associated with an identity
  • WSPs register the identity services they host at
    the DS so that WSCs can subsequently discover
    them
  • Translates and protects tokens/identifiers as
    necessary to allow one entity to safely
    communicate with a second entity
  • Allows for multiple providers of the same service
  • Options specific discovery
  • Retrieve the wallet service that has a credit
    card
  • Retrieve the profile service that has an age

15
Adoption of WS-Addressing
  • W3C Recommendation
  • Adds Asynchronous Messaging support
  • Multi-path messaging
  • Responses can be directed to an address
  • Useful in server-to-server messaging with
    clusters
  • Replaces comparable functionality/headers of
    previous versions of ID-WSF

16
Endpoint Reference
  • Base EndpointReference structure defined in W3C
    WS-Addressing (WSA)
  • Liberty WSF profiles WSA's EPRs for our purposes
  • EndpointReferences replace ResourceOfferings of
    earlier versions of WSF
  • Profiling largely consists of defining what are
    allowed (and/or required) elements within the WSA
    ltMetadatagt element

17
Endpoint Reference Example
ltwsaEndpointReferencegt ltwsaAddressgtlt/wsaAdd
ressgt ltwsaMetadatagt
ltdsServiceTypegtlt/dsServiceTypegt
lt/wsaMetadatagt lt/wsaEndpointReferencegt
18
SOAP Binding
  • Liberty Identity Web Services Framework (ID-WSF)
    messages are designed so that they may be mapped
    onto various transport or transfer protocols.
  • Do not intrinsically address specific aspects of
    message exchange such as to which system entity
    the message is to be sent, message correlation,
    the mechanics of message exchange, or security
    context.
  • WSF defines a mapping onto SOAP 1.1, an XML-based
    messaging protocol
  • Neither does SOAP itself define the specific
    message exchange aspects mentioned above, but
    does offer an extensibility model that may be
    used to define message components that do address
    such message exchange specifics.
  • SOAP extensibility is effected by adding message
    components to the portion of the SOAP message
    called the Header.

19
SOAP Binding headers
  • Privacy-related (Consent, Usage Directives) Used
    by the requestor in order to indicate the privacy
    context in which the service invocation takes
    place, or the subsequent use and distribution of
    the obtained information.
  • Processing or Security Context (Processing
    Context, Credential Context, Endpoint Update,
    Timeout, Sender, Application EPR) Used by the
    parties to transfer extra information needed for
    the communication to take place (including token
    renewal or redirection to a different endpoint).
  • User Interaction ability to interact with the
    user
  • Identity-related info (TargetIdentity) The party
    whose resource is being accessed at the
    recipient. This may be the Invoker's resource, or
    a third party's resource,

20
Invocation Context
  • Extended Invocation Context to include
  • Invocation Identity
  • Who is submitting the request
  • Target Identity
  • Whos resource is targeted in the request
  • Sender
  • Server sending the request
  • Destination
  • Server receiving the request

Specific to identity services
21
Example
ltSEnvelopegt ltSHeadergt ltwsaTogt
SmustUnderstand"1"/gt ltwsaReplyTo
mustUnderstand1/gt ltsbSender
providerID"example.com /gt
ltsbUsageDirective id"directive1000 gt
ltPrivacyPolicyReference gt Privacy
Policy Information lt/PrivacyPolicyRefe
rencegt lt/sbUsageDirectivegt
ltwsseSecuritygt ltsamlpAssertion gt
Assertion data goes here
lt/samlpAssertiongt lt/wsseSecuritygt
lt/SHeadergt ltSBodygt Request Messages
go here lt/SBodygt lt/SEnvelopegt
22
Interaction Service
  • Enables WSP Interaction with User
  • Typically WSP does not have direct user access
  • Real-time consent, data, and/or decision
    Collection
  • Multiple Methods
  • Request that SP WSC re-direct users browser to
    WSP
  • Allow trusted WSC to proxy interactions
  • Direct interaction without involving SP (invoke
    user-specific Interaction Service)

23
Interaction Service
CoolToys.com
Jane using a browser
Wallet
Interaction Svc
24
Interaction Service Example
  • ltInteractionRequest xmlns"urnlibertyis2003-08"
    gt
  • ltInquiry title"Profile Provider Question"gt
  • ltHelp moreLink"http//location.example.com/help
    /consent"gt
  • Example.com is requesting your address. Please
    pick one of
  • the provided options.lt/Helpgt
  • ltSelect name"locationchoice"gt
  • ltLabelgtDo you want to share your address with
    Example.com?lt/Labelgt
  • ltValuegtnolt/Valuegt
  • ltItem label"Not this time" value"no"gt
  • ltHintgt We wont give out your
    address but well ask you again
    next timelt/Hintgt
  • lt/Itemgt
  • ltItem label"Yes, once" value"yes"gt
  • ltHintgtWe will share your
    address but will ask again next
    time.lt/Hintgt
  • lt/Itemgt
  • lt/Selectgt
  • lt/Inquirygt
  • lt/InteractRequestgt

25
Security Mechanisms
  • Sec Mech spec combines and profiles different
    security specifications (SSL/TLS, WS-Sec, STP)
    to ensure required security characteristics for
    SOAP messages.
  • This includes
  • validation of the message transport or message
    level authentication
  • the communication of info that could aid in
    performing an authorization decision
  • Mechanisms for confidentiality and non-repudiation

26
Usage Directives header
  • Allows for indication of associated privacy
    policy in both information request or reply
  • A ltUsageDirectivegt appearing in a request message
    expresses intended usage.
  • A ltUsageDirectivegt appearing in a response
    expresses how the receiver of the response is to
    use the response data.
  • A ltUsageDirectivegt in a response message
    containing no response message data, a fault
    response for example, may be used to express
    policies acceptable to the responder.
  • A message containing Usage Directive can be
    signed using XMLDsig and thus bind together the
    released personal information and associated
    policy

27
Security Mechanisms cont'd
  • WSC SOAP messages secured through a combination
    of transport level (e.g. SSL) message level
    (e.g. WS-Security) protection mechanisms
  • Liberty defines URIs for such combinations
  • urnlibertysecurity2004-12TLSSAMLV2 indicates
    that the WSC will authenticate to the WSP through
    a SAML 2.0 Assertion embedded within the SOAP
    Header, the message sent over a TLS-Protected
    pipe
  • When a WSP registers an EPR at a DS, it indicates
    what combinations it requires/supports by
    specifying appropriate URIs
  • When a WSC queries the DS for the principal's
    services, it can include which URIs it can
    support
  • DS filters EPRs appropriately to ensure that an
    intersection of capabilities can be found

28
Authentication Service
  • Allows general identity (user/device)
    authentication over SOAP
  • SASL Based SOAP Authentication
  • General purpose authentication exchange mechanism
  • Existing defined support for multiple mechanisms
  • CRAM-MD5, PLAIN, X.509, SECURID, etc.
  • Extensible for future methods/mechanisms
  • Client-gtServer or Server-gtServer Authentication
  • Can bootstrap to Discovery Service

29
Authentication Service Negotiation
Client
Server
Client
Server
30
SSO Service
  • Liberty-enabled User Agents or Devices are SOAP
    capable clients
  • (LUAD-)WSCs may need to interact with 'vanilla'
    SPs (that may not be SOAP/WSF capable)
  • The ID-WSF Single Sign-On Service is a profile of
    the ID-FF Single Sign-On and Federation Protocol
    to address this mismatch
  • The mechanism is based on two steps.
  • First, a (LUAD-)WSC wishing to interact with some
    SP can use the Authentication Service at an
    Identity Provider to obtain a security token for
    the SSOS.
  • Next, the (LUAD-)WSC invokes the Single Sign-On
    Service at the Identity Provider in order to
    obtain an authentication assertion to convey to
    the SP, thus enabling Liberty-SSO-enabled,
    vanilla, web-based interactions with that SP.

31
People Service
  • Sharing of users social network information
    among different applications, making use of
    ID-WSF privacy and security capabilities
  • More and more, online interactions are
    cross-user, e.g. one allowing another to see
    photos, chatting, 'Find a Friend' etc
  • The set of other people that any given user
    interacts with is likely relevant across
    different apps
  • As for other aspects of identity, there can be
    value if this list of 'friends' is maintained and
    managed 'centrally' such that it can be reused.

32
People Service
  • Identity Federation between individuals
  • Conor establishes a connection with Paul
  • Supports Invocation of another users service
  • Conor can access Pauls Calendar (w/Permission,
    of course)
  • Group (Collection) management
  • Invitation model for cross-IDP federations

33
Subscription/Notification
  • Template for service based subscriptions
  • Usable by all services
  • Notification when data changed
  • Supports Notifications with
  • Data changed flag (recipient has to go get data)
  • Changed data

34
Data Service Template
  • Data Service Template (DST) provides a generic
    template to build data services (CRUD-like)
  • Defines some guidelines, common XML attributes
    and data types for data services.
  • Different SIS services may chose to build on the
    common DST layer

35
Liberty ID-SISIdentity Service Interface
Specifications
36
Liberty Identity Federation Framework (ID-FF)
Security Assertion Markup Language (SAML) 2.0
Enables interoperable identity services such as
personal identity profile service, contact book
service, geo-location service, presence service,
content SMS messaging etc
Enables identity federation and management
through features such as identity/account
linkage, simplified sign on, and simple session
management
Provides the framework for building interoperable
identity services, permission based attribute
sharing, identity service description and
discovery, and the associated security profiles
37
Overview of Liberty Service Interfaces
Service Interface Specifications (ID-SIS)
Identity FederationFramework(ID-FF)
  • Multiple elevations (service interfaces) built
    on the same foundation frameworks (ID-FF
    ID-WSF)
  • First service tracks Identity Service Interface
    Specifications (ID-SIS)
  • Personal Profile Service
  • Employee Profile Service
  • Geo-location Service
  • Presence Service
  • Contact Book Service
  • Content SMS/MMS messaging Service

SMS/MMS messaging
Contact Book
Presence
Enables Identity federation and management
through features such as identity/account
linkage, simplified sign on, and simple session
management
Geo-location
Provides the framework for building
interoperable identity-based web
services. Discovery, Interaction, Invocation
38
ID-Service Interface Specifications
  • Family of interoperability specifications for
    identity-based web services
  • Use ID-WSF for the plumbing, concentrate on
    application logic
  • May use WSF Data Services Template as a model

39
Current Services Work
  • Personal Profile (ID-PP) and Employee Profile
    (ID-EP) Defines attributes for describing
    Principal demographic data elements (Individual
    and Employee respectively)
  • Contact Book Service A common method for users
    to manage and share personal or business contacts
    regardless of contact book provider, enabling
    service providers to access or automatically
    update, at the users request, information like
    billing or shipping address.
  • Geo-location Service An interoperable way to
    automatically identify a persons location, at
    the users request, to provide services like
    weather, news, travel or currency updates or
    directions to a chosen location.
  • Presence Service A common way for users to
    share presence information, such as whether they
    are online, offline, on the phone or in a
    meeting, with any service provider for the
    purpose of communicating availability.
  • Content SMS/MMS messaging Service - enables
    SMS/MMS messages over Web services

40
Summary
  • Liberty architecture provides standards-based
    platform for building identity-centric
    applications
  • Three components
  • ID-FF(SAML 2.0) federation of identities across
    domains and SSO
  • ID-WSF platform for SOAP-based identity
    attribute sharing
  • ID-SIS family of interoperability
    specifications for identity services

41
Resources
  • Liberty Developer Resource Center
  • www.projectliberty.org/resources/resources.html
  • SAML
  • www.oasis-open.org/committees/security
  • ID-WSF and other Liberty specifications
  • http//www.projectliberty.org/resources/specificat
    ions.phpbox2

42
Contributors
  • Conor Cahill, AOL
  • Carolina Canales-Valenzuela, Ericsson
  • Frederick Hirsch, Nokia
  • Paul Madsen, NTT
  • Prateek Mishra, Oracle
  • Rob Philpott, RSA Security
  • Jeff Smith, NTT
  • Eric Tiffany, ISTO
  • Greg Whitehead, Trustgenix
Write a Comment
User Comments (0)
About PowerShow.com