Title: Liberty ID-WSF 2.0 Overview
Liberty ID-WSF 2.0 Overview
Table of Contents
- Problem Introduction
- Liberty Identity Web Services Framework (ID-WSF 2.0)
- Liberty Identity Service Interface Specifications
Introduction to Liberty Alliance
What is the Liberty Alliance?
- The Liberty Alliance is the only global body working to define and drive open technology standards, privacy and business guidelines for federated identity management
What is Network Identity?
Liberty Identity Federation Framework (ID-FF) / Security Assertion Markup Language (SAML) 2.0
Enables interoperable identity services such as personal identity profile service, contact book service, geo-location service, presence service and so on.
Enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management.
Provides the framework for building interoperable identity services, permission-based attribute sharing, identity service description and discovery, and the associated security profiles.
What is ID-WSF?
- A privacy and security framework for locating and invoking identity-based Web services to provide a simplified, customized online experience
- Identity-based Web services
  - Are associated with a Principal's Identity (e.g. My Calendar Service)
  - Can be invoked using a Principal's Identity
- Permissions-based Attribute Sharing
  - Invoking services under control of the user
  - Service Requestor doing so on behalf (either directly or indirectly) of the user
What is an identity service?
- A service that presents an external interface to some aspect of my online identity (data or any other resource)
- Typically exposed as a SOAP-based web service
- Allows for greater control of my identity by reducing duplication throughout the network
- Increases privacy because fewer personal information items are released, e.g.
  - An Inbox service might allow me to receive "permission-based" marketing without releasing my email address
  - A Payment service would allow payments to be made without releasing my credit card number
Connection between ID-FF/SAML2 and WSF
- ID-FF/SAML2 can be used to bootstrap into ID-WSF
  - SP gets an Assertion which can include bootstrap information for invoking the DS
  - SP then acts as a WSC to invoke ID-WSF services
- Authentication Service (AS) provides a SOAP interface into the IdP to perform ID-FF-like operations (non-web)
  - Results in an ID-FF/SAML2 assertion provided back to the client
  - Client can then invoke the SSOS and DS
- WSF specifies how SAML Assertions can be used to communicate identity information between WSF actors
ID-FF/SAML2 and ID-WSF together
[Diagram: actors SP/WSC, two WSPs, IdP and DS]
ID-FF ID-WSF Sequence
[Sequence diagram: IdP and DS]
ID-WSF Core Components
- Discovery Service
- Service Invocation
- Interaction Service
- Security Mechanisms
- Authentication Service
- Data Services Template
- People Service
- SSO Service
- Identity Mapping Service (IMS)
- Subscription Notification
- Privacy mechanisms
Discovery Service
- Registry for services associated with an identity
- WSPs register the identity services they host at the DS so that WSCs can subsequently discover them
- Translates and protects tokens/identifiers as necessary to allow one entity to safely communicate with a second entity
- Allows for multiple providers of the same service
- Options-specific discovery
  - Retrieve the wallet service that has a credit card
  - Retrieve the profile service that has an age
Adoption of WS-Addressing
- W3C Recommendation
- Adds asynchronous messaging support
  - Multi-path messaging
  - Responses can be directed to an address
  - Useful in server-to-server messaging with clusters
- Replaces comparable functionality/headers of previous versions of ID-WSF
Endpoint Reference
- Base EndpointReference structure defined in W3C WS-Addressing (WSA)
- Liberty WSF profiles WSA's EPRs for our purposes
- EndpointReferences replace ResourceOfferings of earlier versions of WSF
- Profiling largely consists of defining what are allowed (and/or required) elements within the WSA <Metadata> element
Endpoint Reference Example
<wsa:EndpointReference>
  <wsa:Address></wsa:Address>
  <wsa:Metadata>
    <ds:ServiceType></ds:ServiceType>
  </wsa:Metadata>
</wsa:EndpointReference>
SOAP Binding
- Liberty Identity Web Services Framework (ID-WSF) messages are designed so that they may be mapped onto various transport or transfer protocols.
- They do not intrinsically address specific aspects of message exchange such as to which system entity the message is to be sent, message correlation, the mechanics of message exchange, or security context.
- WSF defines a mapping onto SOAP 1.1, an XML-based messaging protocol
- Neither does SOAP itself define the specific message exchange aspects mentioned above, but it does offer an extensibility model that may be used to define message components that do address such message exchange specifics.
- SOAP extensibility is effected by adding message components to the portion of the SOAP message called the Header.
SOAP Binding headers
- Privacy-related (Consent, Usage Directives): used by the requestor in order to indicate the privacy context in which the service invocation takes place, or the subsequent use and distribution of the obtained information.
- Processing or Security Context (Processing Context, Credential Context, Endpoint Update, Timeout, Sender, Application EPR): used by the parties to transfer extra information needed for the communication to take place (including token renewal or redirection to a different endpoint).
- User Interaction: ability to interact with the user
- Identity-related info (TargetIdentity): the party whose resource is being accessed at the recipient. This may be the Invoker's resource, or a third party's resource.
Invocation Context
- Extended Invocation Context to include
  - Invocation Identity: who is submitting the request
  - Target Identity: whose resource is targeted in the request
  - Sender: server sending the request
  - Destination: server receiving the request
(Specific to identity services)
Example
<S:Envelope>
  <S:Header>
    <wsa:To S:mustUnderstand="1"/>
    <wsa:ReplyTo S:mustUnderstand="1"/>
    <sb:Sender providerID="example.com"/>
    <sb:UsageDirective id="directive1000">
      <PrivacyPolicyReference>Privacy Policy Information</PrivacyPolicyReference>
    </sb:UsageDirective>
    <wsse:Security>
      <samlp:Assertion>Assertion data goes here</samlp:Assertion>
    </wsse:Security>
  </S:Header>
  <S:Body>Request Messages go here</S:Body>
</S:Envelope>
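As an added example (not from the slides or from Liberty), a Python receiver-side check over a constructed ID-WSF 2.0 request modelled on the envelope above: it enforces SOAP mustUnderstand semantics on the header blocks and reads out the Invocation Identity, Target Identity, Sender and Destination of the invocation context. The sb namespace URI, a NameID-carrying TargetIdentity, and all endpoint and policy names are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace URIs: SOAP 1.1, WS-Addressing, WSS and SAML 2.0 are the standard ones;
# the ID-WSF SOAP Binding (sb) URI is an assumption for this example.
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "sb": "urn:liberty:sb:2006-08",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def q(prefix, local): return "{%s}%s" % (NS[prefix], local)  # Clark-notation tag as ElementTree reports it

UNDERSTOOD = {q("wsa", "To"), q("wsa", "ReplyTo"), q("sb", "Sender"),  # header blocks this
              q("sb", "UsageDirective"), q("sb", "TargetIdentity"), q("wsse", "Security")}  # hypothetical WSP implements

# Constructed request modelled on the slide's envelope; all endpoints are made up.
REQUEST = """<S:Envelope xmlns:S="%(S)s" xmlns:wsa="%(wsa)s" xmlns:sb="%(sb)s" xmlns:wsse="%(wsse)s" xmlns:saml="%(saml)s">
 <S:Header>
  <wsa:To S:mustUnderstand="1">https://wsp.example.com/calendar</wsa:To>
  <wsa:ReplyTo S:mustUnderstand="1"><wsa:Address>https://wsc.example.com/reply</wsa:Address></wsa:ReplyTo>
  <sb:Sender providerID="https://wsc.example.com"/>
  <sb:UsageDirective id="directive1000"><PrivacyPolicyReference>urn:example:policy:1</PrivacyPolicyReference></sb:UsageDirective>
  <wsse:Security><saml:Assertion><saml:Subject><saml:NameID>jane@idp.example.org</saml:NameID></saml:Subject></saml:Assertion></wsse:Security>
 </S:Header>
 <S:Body><Query xmlns="urn:example:calendar"/></S:Body>
</S:Envelope>""" % NS

def unprocessable_headers(envelope_xml, understood=UNDERSTOOD):
    """mustUnderstand="1" header blocks the receiver does not implement. SOAP 1.1
    requires a MustUnderstand fault, not silent skipping, when this is non-empty."""
    header = ET.fromstring(envelope_xml).find("S:Header", NS)
    mu = q("S", "mustUnderstand")
    return [h.tag for h in header if h.get(mu) == "1" and h.tag not in understood]

def invocation_context(envelope_xml):
    """The four context items from the Invocation Context slide, read from the header."""
    header = ET.fromstring(envelope_xml).find("S:Header", NS)
    invoker = header.findtext("wsse:Security/saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    # TargetIdentity carrying a saml:NameID is an assumption; when it is absent the
    # request targets the invoker's own resource.
    target = header.findtext("sb:TargetIdentity/saml:NameID", namespaces=NS)
    ud = header.find("sb:UsageDirective", NS)
    return {"invocation_identity": invoker,
            "target_identity": invoker if target is None else target,
            "sender": header.find("sb:Sender", NS).get("providerID"),
            "destination": header.findtext("wsa:To", namespaces=NS),
            "usage_directive": None if ud is None else ud.get("id")}
```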
Interaction Service
- Enables WSP interaction with the user
  - Typically the WSP does not have direct user access
  - Real-time consent, data, and/or decision collection
- Multiple methods
  - Request that the SP/WSC redirect the user's browser to the WSP
  - Allow a trusted WSC to proxy interactions
  - Direct interaction without involving the SP (invoke the user-specific Interaction Service)
Interaction Service
[Diagram: CoolToys.com, Jane using a browser, Wallet, Interaction Svc]
Interaction Service Example
<InteractionRequest xmlns="urn:liberty:is:2003-08">
  <Inquiry title="Profile Provider Question">
    <Help moreLink="http://location.example.com/help/consent">Example.com is requesting your address. Please pick one of the provided options.</Help>
    <Select name="locationchoice">
      <Label>Do you want to share your address with Example.com?</Label>
      <Value>no</Value>
      <Item label="Not this time" value="no">
        <Hint>We won't give out your address but we'll ask you again next time</Hint>
      </Item>
      <Item label="Yes, once" value="yes">
        <Hint>We will share your address but will ask again next time.</Hint>
      </Item>
    </Select>
  </Inquiry>
</InteractionRequest>
Security Mechanisms
- The Sec Mech spec combines and profiles different security specifications (SSL/TLS, WS-Sec, STP) to ensure the required security characteristics for SOAP messages.
- This includes
  - validation of the message transport or message-level authentication
  - the communication of info that could aid in performing an authorization decision
  - mechanisms for confidentiality and non-repudiation
Usage Directives header
- Allows for indication of the associated privacy policy in both an information request and a reply
- A <UsageDirective> appearing in a request message expresses intended usage.
- A <UsageDirective> appearing in a response expresses how the receiver of the response is to use the response data.
- A <UsageDirective> in a response message containing no response message data, a fault response for example, may be used to express policies acceptable to the responder.
- A message containing a Usage Directive can be signed using XMLDsig and thus bind together the released personal information and the associated policy
Security Mechanisms cont'd
- WSC SOAP messages are secured through a combination of transport-level (e.g. SSL) and message-level (e.g. WS-Security) protection mechanisms
- Liberty defines URIs for such combinations
  - urn:liberty:security:2004-12:TLS:SAMLV2 indicates that the WSC will authenticate to the WSP through a SAML 2.0 Assertion embedded within the SOAP Header, the message being sent over a TLS-protected pipe
- When a WSP registers an EPR at a DS, it indicates what combinations it requires/supports by specifying the appropriate URIs
- When a WSC queries the DS for the principal's services, it can include which URIs it can support
- The DS filters EPRs appropriately to ensure that an intersection of capabilities can be found
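An added example (not Liberty's code) of the DS-side capability intersection described here and on the Discovery Service slide, in Python: a constructed registry of WSP registrations is filtered by service type, required options and shared security mechanism URIs, and a match is rendered as the profiled EPR from the Endpoint Reference Example slide. Only the TLS:SAMLV2 URI comes from the slides; the other mechanism URIs, option identifiers, endpoints, and the ds/sec namespace and SecurityMechID element names are assumptions.

```python
# Security mechanism URIs: the first is the one named on the slide; the others
# follow its pattern and are constructed for this example.
TLS_SAMLV2 = "urn:liberty:security:2004-12:TLS:SAMLV2"
TLS_X509 = "urn:liberty:security:2004-12:TLS:X509"
TLS_BEARER = "urn:liberty:security:2004-12:TLS:Bearer"

# Constructed option URI for options-specific discovery ("wallet that has a credit card").
OPT_CREDIT_CARD = "urn:example:wallet:option:credit-card"

# Constructed DS registry: each entry mirrors what a WSP registers in the EPR's
# wsa:Metadata (service type, options, supported security mechanisms in its preference order).
REGISTRY = [
    {"address": "https://wallet1.example.com/wsf", "service_type": "urn:example:wallet",
     "options": [OPT_CREDIT_CARD], "secmechs": [TLS_SAMLV2, TLS_X509]},
    {"address": "https://wallet2.example.com/wsf", "service_type": "urn:example:wallet",
     "options": [], "secmechs": [TLS_SAMLV2]},
    {"address": "https://profile.example.com/wsf", "service_type": "urn:example:profile",
     "options": [], "secmechs": [TLS_BEARER]},
]

def discover(registry, service_type, wsc_secmechs, required_options=()):
    """DS-side filtering: EPRs of the requested type that carry every required option
    and share at least one security mechanism with the WSC. Entries with no common
    mechanism are dropped; the DS never substitutes a mechanism neither side listed."""
    results = []
    for epr in registry:
        if epr["service_type"] != service_type:
            continue
        if not set(required_options) <= set(epr["options"]):
            continue
        common = [m for m in epr["secmechs"] if m in wsc_secmechs]  # keeps WSP preference order
        if common:
            results.append({"address": epr["address"], "service_type": service_type,
                            "secmech": common[0]})
    return results

def epr_xml(result):
    """Render a result as the profiled WS-Addressing EPR of the Endpoint Reference
    Example slide. The ds/sec namespace URIs and the SecurityMechID element are assumptions."""
    return ('<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">'
            "<wsa:Address>%s</wsa:Address><wsa:Metadata>"
            '<ds:ServiceType xmlns:ds="urn:liberty:disco:2006-08">%s</ds:ServiceType>'
            '<sec:SecurityMechID xmlns:sec="urn:liberty:security:2006-08">%s</sec:SecurityMechID>'
            "</wsa:Metadata></wsa:EndpointReference>"
            % (result["address"], result["service_type"], result["secmech"]))
```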
Authentication Service
- Allows general identity (user/device) authentication over SOAP
- SASL-based SOAP authentication
  - General-purpose authentication exchange mechanism
  - Existing defined support for multiple mechanisms
    - CRAM-MD5, PLAIN, X.509, SECURID, etc.
  - Extensible for future methods/mechanisms
- Client->Server or Server->Server authentication
- Can bootstrap to the Discovery Service
Authentication Service Negotiation
[Diagram: exchange between Client and Server]
SSO Service
- Liberty-enabled User Agents or Devices are SOAP-capable clients
- (LUAD-)WSCs may need to interact with 'vanilla' SPs (that may not be SOAP/WSF capable)
- The ID-WSF Single Sign-On Service is a profile of the ID-FF Single Sign-On and Federation Protocol to address this mismatch
- The mechanism is based on two steps.
  - First, a (LUAD-)WSC wishing to interact with some SP can use the Authentication Service at an Identity Provider to obtain a security token for the SSOS.
  - Next, the (LUAD-)WSC invokes the Single Sign-On Service at the Identity Provider in order to obtain an authentication assertion to convey to the SP, thus enabling Liberty-SSO-enabled, vanilla, web-based interactions with that SP.
People Service
- Sharing of users' social network information among different applications, making use of ID-WSF privacy and security capabilities
- More and more, online interactions are cross-user, e.g. one user allowing another to see photos, chatting, 'Find a Friend', etc.
- The set of other people that any given user interacts with is likely relevant across different apps
- As for other aspects of identity, there can be value if this list of 'friends' is maintained and managed 'centrally' such that it can be reused.
People Service
- Identity federation between individuals
  - Conor establishes a connection with Paul
- Supports invocation of another user's service
  - Conor can access Paul's Calendar (with permission, of course)
- Group (Collection) management
- Invitation model for cross-IDP federations
Subscription/Notification
- Template for service-based subscriptions
  - Usable by all services
- Notification when data changed
- Supports notifications with
  - Data changed flag (recipient has to go get the data)
  - Changed data
Data Service Template
- Data Service Template (DST) provides a generic template to build data services (CRUD-like)
- Defines some guidelines, common XML attributes and data types for data services.
- Different SIS services may choose to build on the common DST layer
Liberty ID-SIS: Identity Service Interface Specifications
Liberty Identity Federation Framework (ID-FF) / Security Assertion Markup Language (SAML) 2.0
Enables interoperable identity services such as personal identity profile service, contact book service, geo-location service, presence service, content SMS messaging, etc.
Enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management.
Provides the framework for building interoperable identity services, permission-based attribute sharing, identity service description and discovery, and the associated security profiles.
Overview of Liberty Service Interfaces
- Multiple elevations (service interfaces) built on the same foundation frameworks (ID-FF, ID-WSF)
- First service tracks: Identity Service Interface Specifications (ID-SIS)
  - Personal Profile Service
  - Employee Profile Service
  - Geo-location Service
  - Presence Service
  - Contact Book Service
  - Content SMS/MMS messaging Service
[Diagram: layered stack. Top layer: Service Interface Specifications (ID-SIS): SMS/MMS messaging, Contact Book, Presence, Geo-location. Middle layer: Identity Web Services Framework (ID-WSF): provides the framework for building interoperable identity-based web services (Discovery, Interaction, Invocation). Bottom layer: Identity Federation Framework (ID-FF): enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management.]
ID-Service Interface Specifications
- Family of interoperability specifications for identity-based web services
- Use ID-WSF for the plumbing, concentrate on application logic
- May use the WSF Data Services Template as a model
Current Services Work
- Personal Profile (ID-PP) and Employee Profile (ID-EP): defines attributes for describing Principal demographic data elements (Individual and Employee respectively)
- Contact Book Service: a common method for users to manage and share personal or business contacts regardless of contact book provider, enabling service providers to access or automatically update, at the user's request, information like billing or shipping address.
- Geo-location Service: an interoperable way to automatically identify a person's location, at the user's request, to provide services like weather, news, travel or currency updates or directions to a chosen location.
- Presence Service: a common way for users to share presence information, such as whether they are online, offline, on the phone or in a meeting, with any service provider for the purpose of communicating availability.
- Content SMS/MMS messaging Service: enables SMS/MMS messages over Web services
Summary
- Liberty architecture provides a standards-based platform for building identity-centric applications
- Three components
  - ID-FF (SAML 2.0): federation of identities across domains and SSO
  - ID-WSF: platform for SOAP-based identity attribute sharing
  - ID-SIS: family of interoperability specifications for identity services
Resources
- Liberty Developer Resource Center
  - www.projectliberty.org/resources/resources.html
- SAML
  - www.oasis-open.org/committees/security
- ID-WSF and other Liberty specifications
  - http://www.projectliberty.org/resources/specifications.php#box2
Contributors
- Conor Cahill, AOL
- Carolina Canales-Valenzuela, Ericsson
- Frederick Hirsch, Nokia
- Paul Madsen, NTT
- Prateek Mishra, Oracle
- Rob Philpott, RSA Security
- Jeff Smith, NTT
- Eric Tiffany, ISTO
- Greg Whitehead, Trustgenix