Liberty ID-WSF 2.0 Overview - PowerPoint PPT Presentation

Description: Permissions-based Attribute Sharing. Invoking Services under control of user ... ID-WSF platform for SOAP-based identity attribute sharing ...
Slides: 43
Provided by: project5

Transcript and Presenter's Notes

1
Liberty ID-WSF 2.0 Overview
2
Table of Contents
  • Problem Introduction
  • Liberty Identity Web Services Framework
    (ID-WSF 2.0)
  • Liberty Identity Service Interface Specifications

3
Introduction to Liberty Alliance
4
What is the Liberty Alliance?
  • The Liberty Alliance is the only global body
    working to define and drive open technology
    standards, privacy and business guidelines for
    federated identity management

5
What is Network Identity?
6
(Diagram: the Liberty stack, three layers from top to bottom)
Liberty Identity Service Interface Specifications (ID-SIS): enables interoperable identity services such as personal identity profile service, contact book service, geo-location service, presence service and so on.
Liberty Identity Web Services Framework (ID-WSF): provides the framework for building interoperable identity services, permission-based attribute sharing, identity service description and discovery, and the associated security profiles.
Liberty Identity Federation Framework (ID-FF) / Security Assertion Markup Language (SAML) 2.0: enables identity federation and management through features such as identity/account linkage, simplified sign-on, and simple session management.
8
What is ID-WSF?
  • A privacy and security framework for locating and
    invoking identity-based Web services to provide a
    simplified, customized online experience
  • Identity-based Web services
    • Are associated with a Principal's Identity (e.g.
      My Calendar Service)
    • Can be invoked using a Principal's Identity
  • Permissions-based Attribute Sharing
    • Invoking services under control of the user
    • Service Requestor doing so on behalf (either
      directly or indirectly) of the user

9
What is an identity service?
  • A service that presents an external interface to
    some aspect of my online identity (data or any
    other resource)
  • Typically exposed as a SOAP-based web service
  • Allows for greater control of my identity by
    reducing duplication throughout the network
  • Increases privacy because fewer personal
    information items are released, e.g.
    • An Inbox service might allow me to receive
      "permission-based" marketing without releasing my
      email address
    • A Payment service would allow payments to be
      made without releasing my credit card number

10
Connection between ID-FF/SAML2 and WSF
  • ID-FF/SAML2 can be used to bootstrap into ID-WSF
    • SP gets an Assertion which can include bootstrap
      information for invoking the DS
    • SP then acts as WSC to invoke ID-WSF services
  • Authentication Service (AS) provides a SOAP
    interface into the IdP to perform ID-FF-like
    operations (non-web)
    • Results in an ID-FF/SAML2 assertion provided back
      to the client
    • Client can then invoke SSOS and DS
  • WSF specifies how SAML Assertions can be used to
    communicate identity information between WSF
    actors

11
ID-FF/SAML2 and ID-WSF together
(Diagram: SP/WSC, IdP, DS and two WSPs)
12
ID-FF / ID-WSF Sequence
(Sequence diagram: IdP and DS)
13
ID-WSF Core Components
  • Discovery Service
  • Service Invocation
  • Interaction Service
  • Security Mechanisms
  • Authentication Service
  • Data Services Template
  • People Service
  • SSO Service
  • Identity Mapping Service (IMS)
  • Subscription Notification
  • Privacy mechanisms

14
Discovery Service
  • Registry for services associated with an identity
  • WSPs register the identity services they host at
    the DS so that WSCs can subsequently discover
    them
  • Translates and protects tokens/identifiers as
    necessary to allow one entity to safely
    communicate with a second entity
  • Allows for multiple providers of the same service
  • Option-specific discovery
    • Retrieve the wallet service that has a credit
      card
    • Retrieve the profile service that has an age

15
Adoption of WS-Addressing
  • W3C Recommendation
  • Adds asynchronous messaging support
  • Multi-path messaging
    • Responses can be directed to an address
    • Useful in server-to-server messaging with
      clusters
  • Replaces comparable functionality/headers of
    previous versions of ID-WSF

16
Endpoint Reference
  • Base EndpointReference structure defined in W3C
    WS-Addressing (WSA)
  • Liberty WSF profiles WSA's EPRs for our purposes
  • EndpointReferences replace ResourceOfferings of
    earlier versions of WSF
  • Profiling largely consists of defining what are
    allowed (and/or required) elements within the WSA
    <Metadata> element

17
Endpoint Reference Example
<wsa:EndpointReference>
  <wsa:Address></wsa:Address>
  <wsa:Metadata>
    <ds:ServiceType></ds:ServiceType>
  </wsa:Metadata>
</wsa:EndpointReference>
18
SOAP Binding
  • Liberty Identity Web Services Framework (ID-WSF)
    messages are designed so that they may be mapped
    onto various transport or transfer protocols.
  • Do not intrinsically address specific aspects of
    message exchange such as to which system entity
    the message is to be sent, message correlation,
    the mechanics of message exchange, or security
    context.
  • WSF defines a mapping onto SOAP 1.1, an XML-based
    messaging protocol
  • Neither does SOAP itself define the specific
    message exchange aspects mentioned above, but
    does offer an extensibility model that may be
    used to define message components that do address
    such message exchange specifics.
  • SOAP extensibility is effected by adding message
    components to the portion of the SOAP message
    called the Header.

19
SOAP Binding headers
  • Privacy-related (Consent, Usage Directives): used
    by the requestor in order to indicate the privacy
    context in which the service invocation takes
    place, or the subsequent use and distribution of
    the obtained information.
  • Processing or Security Context (Processing
    Context, Credential Context, Endpoint Update,
    Timeout, Sender, Application EPR): used by the
    parties to transfer extra information needed for
    the communication to take place (including token
    renewal or redirection to a different endpoint).
  • User Interaction: ability to interact with the
    user
  • Identity-related info (TargetIdentity): the party
    whose resource is being accessed at the
    recipient. This may be the Invoker's resource, or
    a third party's resource.

20
Invocation Context
  • Extended Invocation Context to include:
    • Invocation Identity: who is submitting the
      request
    • Target Identity: whose resource is targeted in
      the request
    • Sender: server sending the request
    • Destination: server receiving the request

Specific to identity services
21
Example
<S:Envelope>
  <S:Header>
    <wsa:To S:mustUnderstand="1"/>
    <wsa:ReplyTo S:mustUnderstand="1"/>
    <sb:Sender providerID="example.com"/>
    <sb:UsageDirective id="directive1000">
      <PrivacyPolicyReference>
        Privacy Policy Information
      </PrivacyPolicyReference>
    </sb:UsageDirective>
    <wsse:Security>
      <samlp:Assertion>
        Assertion data goes here
      </samlp:Assertion>
    </wsse:Security>
  </S:Header>
  <S:Body>
    Request Messages go here
  </S:Body>
</S:Envelope>
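The following is an added example and not part of the slides or of any Liberty implementation: a Python sketch of what a WSP does with a header block like the one above before it looks at the Body, producing the invocation context of the next slide (sender, destination, invocation identity, target identity). It uses the standard SOAP 1.1, WS-Addressing, WS-Security and SAML 2.0 namespace URIs; the ID-WSF 2.0 SOAP Binding namespace urn:liberty:sb:2006-08, the set of "understood" headers, and the rule that a missing TargetIdentity means the invoker's own resource are assumptions made for this example, and every provider ID, address and NameID in the sample messages is invented.

```python
import xml.etree.ElementTree as ET

# Namespace URIs.  S, wsa, wsse and saml are the standard ones; the Liberty
# SOAP Binding (sb) value is an assumption for this example.
S = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://www.w3.org/2005/08/addressing"
SB = "urn:liberty:sb:2006-08"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def q(ns, local):
    return "{%s}%s" % (ns, local)


# Header blocks this hypothetical WSP implements: the WS-Addressing headers it
# needs plus the ID-WSF SOAP Binding headers named on slide 19.
UNDERSTOOD = {
    q(WSA, "To"), q(WSA, "ReplyTo"), q(WSA, "MessageID"), q(WSA, "Action"),
    q(WSSE, "Security"), q(SB, "Sender"), q(SB, "TargetIdentity"),
    q(SB, "UsageDirective"), q(SB, "Consent"), q(SB, "ProcessingContext"),
    q(SB, "CredentialContext"), q(SB, "EndpointUpdate"), q(SB, "Timeout"),
    q(SB, "ApplicationEPR"), q(SB, "UserInteraction"),
}


class SoapFault(Exception):
    """args[0] is the SOAP 1.1 faultcode: 'MustUnderstand' or 'Client'."""


def _text(el):
    return (el.text or "").strip() if el is not None else None


def invocation_context(envelope_xml):
    """Process the header of an ID-WSF request the way a WSP must before it
    looks at the Body, and return the invocation context of slide 20.
    Raises SoapFault for the conditions the WSP has to refuse."""
    header = ET.fromstring(envelope_xml).find(q(S, "Header"))
    if header is None:
        raise SoapFault("Client", "missing SOAP Header")
    # SOAP 1.1 rule: a header block marked mustUnderstand="1" that the
    # receiver does not implement is a fault, never something to skip.
    for block in header:
        if (block.get(q(S, "mustUnderstand"), "0") in ("1", "true")
                and block.tag not in UNDERSTOOD):
            raise SoapFault("MustUnderstand", block.tag)
    sender = header.find(q(SB, "Sender"))
    if sender is None or not sender.get("providerID"):
        raise SoapFault("Client", "sb:Sender/@providerID is required")
    # With the TLS:SAMLV2 mechanism of slide 27 the WSC's SAML 2.0 assertion
    # travels in wsse:Security.  Signature and validity checks on the
    # assertion itself belong to the SAML layer and are not modelled here.
    security = header.find(q(WSSE, "Security"))
    assertion = (security.find(q(SAML, "Assertion"))
                 if security is not None else None)
    if assertion is None:
        raise SoapFault("Client", "wsse:Security must carry a SAML Assertion")
    invoker = _text(assertion.find("./%s/%s" % (q(SAML, "Subject"),
                                                q(SAML, "NameID"))))
    # Assumption for this example: without sb:TargetIdentity the targeted
    # resource is the invoking identity's own.
    target = header.find(q(SB, "TargetIdentity"))
    target_id = (_text(target.find(q(SAML, "NameID")))
                 if target is not None else invoker)
    return {
        "sender": sender.get("providerID"),
        "destination": _text(header.find(q(WSA, "To"))),
        "invocation_identity": invoker,
        "target_identity": target_id,
        "usage_directives": [d.get("id")
                             for d in header.findall(q(SB, "UsageDirective"))],
    }


def fault_for(envelope_xml):
    """Return the faultcode a request would be answered with, or None."""
    try:
        invocation_context(envelope_xml)
    except SoapFault as fault:
        return fault.args[0]
    return None


# Constructed sample messages; every identifier below is invented.
def envelope(header_blocks):
    return ('<S:Envelope xmlns:S="%s" xmlns:wsa="%s" xmlns:sb="%s" '
            'xmlns:wsse="%s" xmlns:saml="%s" xmlns:x="urn:example:unknown">'
            '<S:Header>%s</S:Header><S:Body/></S:Envelope>'
            % (S, WSA, SB, WSSE, SAML, header_blocks))


COMMON = ('<wsa:To S:mustUnderstand="1">https://wsp.example.com/calendar</wsa:To>'
          '<wsa:ReplyTo S:mustUnderstand="1"><wsa:Address>'
          'http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>'
          '</wsa:ReplyTo>'
          '<sb:Sender providerID="https://sp.example.com"/>'
          '<sb:UsageDirective id="directive1000"/>')
ASSERTION = ('<wsse:Security><saml:Assertion><saml:Subject>'
             '<saml:NameID>conor@idp.example.org</saml:NameID>'
             '</saml:Subject></saml:Assertion></wsse:Security>')
# Conor's SP asks for Paul's calendar: invoker and target differ.
GOOD = envelope(COMMON + ASSERTION + '<sb:TargetIdentity><saml:NameID>'
                'paul@idp.example.org</saml:NameID></sb:TargetIdentity>')
UNKNOWN_MU = envelope(COMMON + ASSERTION + '<x:Foo S:mustUnderstand="1"/>')
NO_TOKEN = envelope(COMMON)

if __name__ == "__main__":
    print(invocation_context(GOOD))
    print(fault_for(UNKNOWN_MU), fault_for(NO_TOKEN))
```

The point to take from the three sample messages: a header the receiver does not implement but which is marked mustUnderstand is answered with a MustUnderstand fault rather than ignored, and a request with a Sender but no token in wsse:Security never reaches the Body, however well-formed it is otherwise.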
22
Interaction Service
  • Enables WSP interaction with the user
  • Typically the WSP does not have direct user access
  • Real-time consent, data, and/or decision
    collection
  • Multiple methods
    • Request that the SP/WSC redirect the user's
      browser to the WSP
    • Allow a trusted WSC to proxy interactions
    • Direct interaction without involving the SP (invoke
      the user-specific Interaction Service)

23
Interaction Service
(Diagram: Jane using a browser, CoolToys.com, Wallet, Interaction Svc)
24
Interaction Service Example
<InteractionRequest xmlns="urn:liberty:is:2003-08">
  <Inquiry title="Profile Provider Question">
    <Help moreLink="http://location.example.com/help/consent">
      Example.com is requesting your address. Please pick one of
      the provided options.
    </Help>
    <Select name="locationchoice">
      <Label>Do you want to share your address with Example.com?</Label>
      <Value>no</Value>
      <Item label="Not this time" value="no">
        <Hint>We won't give out your address, but we'll ask you again next time.</Hint>
      </Item>
      <Item label="Yes, once" value="yes">
        <Hint>We will share your address but will ask again next time.</Hint>
      </Item>
    </Select>
  </Inquiry>
</InteractionRequest>
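An added example, not from the slides or from any Liberty code, of the receiving side of the request above: a parser that turns the InteractionRequest into data a user interface can render, and a check that the answer coming back names only a value the request actually offered (with the Select's Value element as the default). The XML inside the block is the slide's example reconstructed; the function names and the rule that a moreLink must be http or https are assumptions made here.

```python
import xml.etree.ElementTree as ET

IS = "urn:liberty:is:2003-08"      # namespace used on the slide


def q(local):
    return "{%s}%s" % (IS, local)


def parse_inquiries(request_xml):
    """Turn an InteractionRequest into plain data a UI can render."""
    root = ET.fromstring(request_xml)
    if root.tag != q("InteractionRequest"):
        raise ValueError("not an is:InteractionRequest")
    inquiries = []
    for inq in root.iterfind(q("Inquiry")):
        help_el = inq.find(q("Help"))
        help_text, more_link = "", None
        if help_el is not None:
            help_text = " ".join((help_el.text or "").split())
            more_link = help_el.get("moreLink")
            # Assumed policy: the link is rendered into the user's browser,
            # so anything that is not plain http(s) is dropped.
            if more_link and not more_link.startswith(("http://", "https://")):
                more_link = None
        selects = []
        for sel in inq.iterfind(q("Select")):
            items = [(it.get("value"), it.get("label"),
                      " ".join((it.findtext(q("Hint")) or "").split()))
                     for it in sel.iterfind(q("Item"))]
            default = (sel.findtext(q("Value")) or "").strip()
            if default and default not in {v for v, _, _ in items}:
                raise ValueError("default %r is not an offered item" % default)
            selects.append({"name": sel.get("name"),
                            "label": (sel.findtext(q("Label")) or "").strip(),
                            "default": default, "items": items})
        inquiries.append({"title": inq.get("title"), "help": help_text,
                          "more_link": more_link, "selects": selects})
    return inquiries


def collect_answers(request_xml, user_input):
    """user_input maps a Select name to the value the user chose; a missing
    entry means the default was accepted.  A value the request never
    offered is rejected, so a tampered client cannot smuggle in a choice
    the WSP never put on the screen."""
    answers = {}
    for inq in parse_inquiries(request_xml):
        for sel in inq["selects"]:
            chosen = user_input.get(sel["name"], sel["default"])
            if chosen not in {v for v, _, _ in sel["items"]}:
                raise ValueError("%r was not offered for %s"
                                 % (chosen, sel["name"]))
            answers[sel["name"]] = chosen
    return answers


# The slide's request, reconstructed.
REQUEST = """<InteractionRequest xmlns="urn:liberty:is:2003-08">
  <Inquiry title="Profile Provider Question">
    <Help moreLink="http://location.example.com/help/consent">
      Example.com is requesting your address. Please pick one of
      the provided options.
    </Help>
    <Select name="locationchoice">
      <Label>Do you want to share your address with Example.com?</Label>
      <Value>no</Value>
      <Item label="Not this time" value="no">
        <Hint>We won't give out your address, but we'll ask you again next time.</Hint>
      </Item>
      <Item label="Yes, once" value="yes">
        <Hint>We will share your address but will ask again next time.</Hint>
      </Item>
    </Select>
  </Inquiry>
</InteractionRequest>"""

if __name__ == "__main__":
    for inq in parse_inquiries(REQUEST):
        print(inq["title"], "-", inq["help"])
        for sel in inq["selects"]:
            print(" ", sel["label"])
            for value, label, hint in sel["items"]:
                print("   [%s] %s: %s" % (value, label, hint))
    print(collect_answers(REQUEST, {}))
```

Note that the default answer here is "no": a user who closes the dialog without choosing shares nothing, which is the safe direction for a consent prompt.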

25
Security Mechanisms
  • The Sec Mech spec combines and profiles different
    security specifications (SSL/TLS, WS-Sec, STP)
    to ensure required security characteristics for
    SOAP messages.
  • This includes
    • validation of the message transport or message
      level authentication
    • the communication of info that could aid in
      performing an authorization decision
    • mechanisms for confidentiality and non-repudiation

26
Usage Directives header
  • Allows for indication of associated privacy
    policy in both information request and reply
  • A <UsageDirective> appearing in a request message
    expresses intended usage.
  • A <UsageDirective> appearing in a response
    expresses how the receiver of the response is to
    use the response data.
  • A <UsageDirective> in a response message
    containing no response message data, a fault
    response for example, may be used to express
    policies acceptable to the responder.
  • A message containing a Usage Directive can be
    signed using XMLDsig and thus bind together the
    released personal information and associated
    policy

27
Security Mechanisms cont'd
  • WSC SOAP messages secured through a combination
    of transport-level (e.g. SSL) and message-level
    (e.g. WS-Security) protection mechanisms
  • Liberty defines URIs for such combinations
    • urn:liberty:security:2004-12:TLS:SAMLV2 indicates
      that the WSC will authenticate to the WSP through
      a SAML 2.0 Assertion embedded within the SOAP
      Header, the message sent over a TLS-protected
      pipe
  • When a WSP registers an EPR at a DS, it indicates
    what combinations it requires/supports by
    specifying appropriate URIs
  • When a WSC queries the DS for the principal's
    services, it can include which URIs it can
    support
  • DS filters EPRs appropriately to ensure that an
    intersection of capabilities can be found
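As an added example (not from the slides or from any Liberty implementation), the following Python models the registration and filtering described on this slide and on the Discovery Service and Endpoint Reference slides: a WSP registers a wsa:EndpointReference whose Metadata carries the ds:ServiceType plus the security mechanism URIs it accepts, and a WSC query returns only EPRs that share a mechanism with the WSC (and carry any option it asks for, such as a wallet with a credit card). The ds namespace URI, the SecurityContext/SecurityMechID and Options/Option element names, the Bearer and null mechanism URIs, the service-type and option URIs and all provider names are assumptions for the example; only TLS:SAMLV2 and ServiceType come from the slides.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

WSA = "http://www.w3.org/2005/08/addressing"
DS = "urn:liberty:disco:2006-08"   # assumed ID-WSF 2.0 Discovery namespace

# Mechanism URI from slide 27; the other two are invented for the example.
TLS_SAMLV2 = "urn:liberty:security:2004-12:TLS:SAMLV2"
TLS_BEARER = "urn:liberty:security:2004-12:TLS:Bearer"
NULL_NULL = "urn:liberty:security:2004-12:null:null"
# Service type and option ("the wallet service that has a credit card",
# slide 14); both URIs invented.
WALLET = "urn:example:wallet"
CREDIT_CARD = "urn:example:wallet:option:creditcard"


def q(ns, local):
    return "{%s}%s" % (ns, local)


@dataclass
class Epr:
    address: str
    service_type: str
    provider_id: str
    mechanisms: list   # URIs the WSP accepts, in its order of preference
    options: set


def parse_epr(xml_text):
    """Read the parts of a wsa:EndpointReference the DS registers.  Element
    names other than ServiceType are assumptions for this example."""
    root = ET.fromstring(xml_text)
    if root.tag != q(WSA, "EndpointReference"):
        raise ValueError("not a wsa:EndpointReference")
    meta = root.find(q(WSA, "Metadata"))
    if meta is None:
        raise ValueError("EPR without wsa:Metadata cannot be registered")

    def required(local):
        text = (meta.findtext(q(DS, local)) or "").strip()
        if not text:
            raise ValueError("ds:%s is required" % local)
        return text

    mechs = [m.text.strip() for m in meta.iterfind(
        "./%s/%s" % (q(DS, "SecurityContext"), q(DS, "SecurityMechID")))]
    if not mechs:
        raise ValueError("EPR must declare at least one security mechanism")
    opts = {o.text.strip() for o in meta.iterfind(
        "./%s/%s" % (q(DS, "Options"), q(DS, "Option")))}
    return Epr((root.findtext(q(WSA, "Address")) or "").strip(),
               required("ServiceType"), required("ProviderID"), mechs, opts)


class DiscoveryService:
    def __init__(self):
        self._registry = {}   # principal -> [Epr]

    def register(self, principal, epr_xml):
        epr = parse_epr(epr_xml)
        self._registry.setdefault(principal, []).append(epr)
        return epr

    def query(self, principal, service_type, wsc_mechanisms, options=()):
        """Return (Epr, mechanism) pairs for the principal's services.  The
        mechanism is the first in the WSC's preference list that the WSP
        also accepts; an EPR with no common mechanism, or lacking a required
        option, is withheld rather than left for the WSC to sort out."""
        found = []
        for epr in self._registry.get(principal, []):
            if epr.service_type != service_type:
                continue
            if not set(options) <= epr.options:
                continue
            common = [m for m in wsc_mechanisms if m in epr.mechanisms]
            if common:
                found.append((epr, common[0]))
        return found


def sample_epr(provider, mechanisms, options=()):
    """Build a constructed wallet-service EPR for the example."""
    return (
        '<wsa:EndpointReference xmlns:wsa="%s" xmlns:ds="%s">'
        '<wsa:Address>%s/wallet</wsa:Address><wsa:Metadata>'
        '<ds:ServiceType>%s</ds:ServiceType><ds:ProviderID>%s</ds:ProviderID>'
        '<ds:SecurityContext>%s</ds:SecurityContext><ds:Options>%s</ds:Options>'
        '</wsa:Metadata></wsa:EndpointReference>'
        % (WSA, DS, provider, WALLET, provider,
           "".join("<ds:SecurityMechID>%s</ds:SecurityMechID>" % m
                   for m in mechanisms),
           "".join("<ds:Option>%s</ds:Option>" % o for o in options)))


def demo():
    ds = DiscoveryService()
    ds.register("jane", sample_epr("https://wallet-a.example.com",
                                   [TLS_SAMLV2, TLS_BEARER], [CREDIT_CARD]))
    ds.register("jane", sample_epr("https://wallet-b.example.com",
                                   [NULL_NULL], [CREDIT_CARD]))
    ds.register("jane", sample_epr("https://wallet-c.example.com", [TLS_BEARER]))
    # A WSC that insists on a token over TLS and needs a card on file.
    return ds.query("jane", WALLET, [TLS_SAMLV2, TLS_BEARER], [CREDIT_CARD])


if __name__ == "__main__":
    for epr, mech in demo():
        print(epr.provider_id, mech)
```

Of the three registered wallets only wallet-a is returned for that query: wallet-b accepts nothing but the null mechanism, which the WSC did not list, and wallet-c has no credit card option. The WSC never learns about endpoints it could not talk to securely, which is the filtering the slide describes.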

28
Authentication Service
  • Allows general identity (user/device)
    authentication over SOAP
  • SASL-based SOAP authentication
    • General-purpose authentication exchange mechanism
    • Existing defined support for multiple mechanisms
      (CRAM-MD5, PLAIN, X.509, SECURID, etc.)
    • Extensible for future methods/mechanisms
  • Client-to-Server or Server-to-Server authentication
  • Can bootstrap to Discovery Service

29
Authentication Service Negotiation
(Diagram: Client and Server message exchange)
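The negotiation on the previous two slides, as an added example that is not part of the deck or of any Liberty code: a Python model of both sides of the SASL exchange for two of the listed mechanisms, CRAM-MD5 (RFC 2195) and PLAIN. Messages are plain dicts with mechanism, data and status fields in place of the SOAP-wrapped, base64-encoded SASLRequest/SASLResponse elements the real service uses; the server class, the session handling, the refusal of PLAIN off TLS and the Discovery Service address handed back on success are all assumptions made here, as are the user names and passwords.

```python
import hashlib
import hmac
import secrets
import time


def cram_md5_response(user, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): the password is the HMAC-MD5 key
    and the server's challenge the message.  The password itself never
    crosses the wire, but the server still has to hold it (or an MD5
    intermediate) to verify, which is the mechanism's weak point."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5)
    return "%s %s" % (user, digest.hexdigest())


class AuthService:
    """Hypothetical server side of the SASL-based Authentication Service."""
    MECHANISMS = ("CRAM-MD5", "PLAIN")

    def __init__(self, users, host, tls=True, ds_address=None):
        self._users = dict(users)     # username -> password (see above)
        self._host = host
        self._tls = tls               # is the SOAP exchange TLS protected?
        self._ds = ds_address         # handed out on success (slide 28)
        self._pending = {}            # session id -> (mechanism, challenge)

    def sasl_request(self, offered):
        """First leg: the client lists mechanisms, the server picks the first
        it accepts and, for CRAM-MD5, issues a fresh single-use challenge."""
        for mech in offered:
            if mech not in self.MECHANISMS:
                continue
            if mech == "PLAIN" and not self._tls:
                continue              # never take a cleartext password off TLS
            sid = secrets.token_hex(8)
            challenge = None
            if mech == "CRAM-MD5":
                challenge = "<%s.%d@%s>" % (secrets.token_hex(8),
                                            int(time.time()), self._host)
            self._pending[sid] = (mech, challenge)
            return {"status": "continue", "mechanism": mech,
                    "data": challenge, "session": sid}
        return {"status": "abort", "mechanism": None, "data": None,
                "session": None}

    def sasl_response(self, sid, data):
        """Second leg: verify the client's response and close the session,
        so that replaying a response to an old challenge fails."""
        mech, challenge = self._pending.pop(sid, (None, None))
        ok = False
        if mech == "CRAM-MD5":
            user, _, _digest = data.rpartition(" ")
            expected = cram_md5_response(user, self._users.get(user, ""),
                                         challenge)
            ok = user in self._users and hmac.compare_digest(
                expected.encode(), data.encode())
        elif mech == "PLAIN":
            _authzid, user, password = (data.split("\0") + ["", "", ""])[:3]
            ok = user in self._users and hmac.compare_digest(
                self._users[user].encode(), password.encode())
        if not ok:
            return {"status": "abort", "mechanism": mech, "data": None}
        # On success the AS can hand back what the client needs to bootstrap
        # into the Discovery Service; modelled here as the DS address only.
        return {"status": "OK", "mechanism": mech, "data": self._ds}


def authenticate(server, client_mechanisms, user, password):
    """Run the whole exchange of slide 29 from the client's side."""
    first = server.sasl_request(client_mechanisms)
    if first["status"] != "continue":
        return first
    if first["mechanism"] == "CRAM-MD5":
        reply = cram_md5_response(user, password, first["data"])
    else:
        reply = "\0%s\0%s" % (user, password)
    return server.sasl_response(first["session"], reply)


if __name__ == "__main__":
    srv = AuthService({"jane": "correct horse"}, "idp.example.org",
                      ds_address="https://idp.example.org/ds")
    print(authenticate(srv, ["CRAM-MD5", "PLAIN"], "jane", "correct horse"))
    print(authenticate(srv, ["CRAM-MD5"], "jane", "wrong"))
```

The client function reproduces the published RFC 2195 test vector (user tim, secret tanstaaftanstaaf), which is the quickest way to confirm an HMAC-MD5 construction is the CRAM-MD5 one and not some other keyed hash. Both mechanisms should be considered legacy: CRAM-MD5 needs a password-equivalent at the server and offers no protection against an active attacker in the middle of the SOAP channel, so the TLS protection the slide's security mechanism URIs call for is what actually carries the exchange.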
30
SSO Service
  • Liberty-enabled User Agents or Devices are SOAP
    capable clients
  • (LUAD-)WSCs may need to interact with 'vanilla'
    SPs (that may not be SOAP/WSF capable)
  • The ID-WSF Single Sign-On Service is a profile of
    the ID-FF Single Sign-On and Federation Protocol
    to address this mismatch
  • The mechanism is based on two steps:
    • First, a (LUAD-)WSC wishing to interact with some
      SP can use the Authentication Service at an
      Identity Provider to obtain a security token for
      the SSOS.
    • Next, the (LUAD-)WSC invokes the Single Sign-On
      Service at the Identity Provider in order to
      obtain an authentication assertion to convey to
      the SP, thus enabling Liberty-SSO-enabled,
      vanilla, web-based interactions with that SP.

31
People Service
  • Sharing of a user's social network information
    among different applications, making use of
    ID-WSF privacy and security capabilities
  • More and more, online interactions are
    cross-user, e.g. one allowing another to see
    photos, chatting, 'Find a Friend' etc
  • The set of other people that any given user
    interacts with is likely relevant across
    different apps
  • As for other aspects of identity, there can be
    value if this list of 'friends' is maintained and
    managed 'centrally' such that it can be reused.

32
People Service
  • Identity Federation between individuals
    • Conor establishes a connection with Paul
  • Supports invocation of another user's service
    • Conor can access Paul's Calendar (with permission,
      of course)
  • Group (Collection) management
  • Invitation model for cross-IdP federations

33
Subscription/Notification
  • Template for service-based subscriptions
  • Usable by all services
  • Notification when data changed
  • Supports notifications with
    • Data changed flag (recipient has to go get data)
    • Changed data

34
Data Service Template
  • Data Service Template (DST) provides a generic
    template to build data services (CRUD-like)
  • Defines some guidelines, common XML attributes
    and data types for data services.
  • Different SIS services may choose to build on the
    common DST layer

35
Liberty ID-SIS: Identity Service Interface
Specifications
36
(Diagram: the Liberty stack, as on slide 6)
Liberty Identity Service Interface Specifications (ID-SIS): enables interoperable identity services such as personal identity profile service, contact book service, geo-location service, presence service, content SMS messaging etc.
Liberty Identity Web Services Framework (ID-WSF): provides the framework for building interoperable identity services, permission-based attribute sharing, identity service description and discovery, and the associated security profiles.
Liberty Identity Federation Framework (ID-FF) / Security Assertion Markup Language (SAML) 2.0: enables identity federation and management through features such as identity/account linkage, simplified sign-on, and simple session management.
37
Overview of Liberty Service Interfaces
  • Multiple elevations (service interfaces) built
    on the same foundation frameworks (ID-FF and
    ID-WSF)
  • First service tracks: Identity Service Interface
    Specifications (ID-SIS)
    • Personal Profile Service
    • Employee Profile Service
    • Geo-location Service
    • Presence Service
    • Contact Book Service
    • Content SMS/MMS messaging Service

(Diagram: the Liberty stack)
Service Interface Specifications (ID-SIS): SMS/MMS messaging, Contact Book, Presence, Geo-location
Identity Web Services Framework (ID-WSF): provides the framework for building interoperable identity-based web services. Discovery, Interaction, Invocation
Identity Federation Framework (ID-FF): enables identity federation and management through features such as identity/account linkage, simplified sign-on, and simple session management
38
ID-Service Interface Specifications
  • Family of interoperability specifications for
    identity-based web services
  • Use ID-WSF for the plumbing, concentrate on
    application logic
  • May use WSF Data Services Template as a model

39
Current Services Work
  • Personal Profile (ID-PP) and Employee Profile
    (ID-EP): defines attributes for describing
    Principal demographic data elements (Individual
    and Employee respectively)
  • Contact Book Service: a common method for users
    to manage and share personal or business contacts
    regardless of contact book provider, enabling
    service providers to access or automatically
    update, at the user's request, information like
    billing or shipping address.
  • Geo-location Service: an interoperable way to
    automatically identify a person's location, at
    the user's request, to provide services like
    weather, news, travel or currency updates or
    directions to a chosen location.
  • Presence Service: a common way for users to
    share presence information, such as whether they
    are online, offline, on the phone or in a
    meeting, with any service provider for the
    purpose of communicating availability.
  • Content SMS/MMS messaging Service: enables
    SMS/MMS messages over Web services

40
Summary
  • Liberty architecture provides a standards-based
    platform for building identity-centric
    applications
  • Three components
    • ID-FF (SAML 2.0): federation of identities across
      domains and SSO
    • ID-WSF: platform for SOAP-based identity
      attribute sharing
    • ID-SIS: family of interoperability
      specifications for identity services

41
Resources
  • Liberty Developer Resource Center
    • www.projectliberty.org/resources/resources.html
  • SAML
    • www.oasis-open.org/committees/security
  • ID-WSF and other Liberty specifications
    • http://www.projectliberty.org/resources/specifications.php#box2

42
Contributors
  • Conor Cahill, AOL
  • Carolina Canales-Valenzuela, Ericsson
  • Frederick Hirsch, Nokia
  • Paul Madsen, NTT
  • Prateek Mishra, Oracle
  • Rob Philpott, RSA Security
  • Jeff Smith, NTT
  • Eric Tiffany, ISTO
  • Greg Whitehead, Trustgenix