Question Me An Answer About Federation

Following are a bunch of high-level answers to some questions regarding federation configuration.

  1. How can a service provider request one or more individual attributes (or a Class of Attributes) from an identity provider for a specified principal in a single request?

    • The identity provider can be configured to send any of a principal's attributes during the single sign-on process by defining simple attribute mappings for both the identity provider and service provider using the console.
    • Using SAMLv1 or SAMLv2, an explicit Attribute Query can be sent to an Attribute Authority.
    • Configure the Liberty Personal Profile Service.
  2. The same options apply if an identity provider wants to send one or more attributes in a single response to the requesting entity.

  3. How can a service provider indicate that they are federated to an identity provider as a member of an affiliation rather than a circle of trust?

    An affiliation (referenced by an affiliationID) is a grouping of entity providers maintained by an affiliation owner, who chooses the members without regard to the boundaries of any circles of trust that might also include the providers as members. Affiliation data is part of the provider metadata, and the service provider's request itself indicates whether or not it is made on behalf of an affiliation.
  4. How might a service provider or identity provider request a list of members in an affiliation?

    Affiliation-based federation is driven by a boolean flag at the service provider and uses the affiliationID defined for the remote provider (since a local provider can participate in more than one affiliation). The affiliationID can be used to request a list of members.
  5. How might a service provider indicate in an authentication request that they are acting as a member of an affiliation?

    Affiliation-based federation is driven by a boolean flag at the service provider and uses the affiliationID defined for the remote provider (since a local provider can participate in more than one affiliation). If enabled, the authentication request will be sent with the affiliation flag set to true.
  6. How might a service provider indicate in an attribute request that they are acting as a member of an affiliation?

    For explicit attribute requests, I am not sure if there is a flag to indicate whether it is acting as an affiliation; however, if it is during the authentication process, the affiliation can be used.
  7. How might an identity provider verify the affiliation membership indicated in an attribute request?

    For explicit attribute requests, I am not sure if there is a flag to indicate whether it is acting as an affiliation; however, if it is during the authentication process, the affiliation can be used.
  8. How might a service provider make anonymous attribute requests and receive anonymous attribute responses? In other words, the ability to share attributes without disclosing the identity of the Principal to the requestor or Service Provider.

    In requests using SAML or the Liberty Personal Profile Service, the identity of a principal is never disclosed. The interactions are made using an encrypted user ID. You could also use an anonymous user.
  9. How might a service provider associate intended usage with the corresponding requested attributes in an attribute request to an identity provider?

    Usage directives attached to requested attributes are part of ID-WSF 2.0 (see question 10).
  10. Guideline for Attribute Providers (in the usage negotiation scenario) to reply, always, to a service provider's attribute request with usage directives that, for privacy purposes, are equal to or stricter than those originally stated in the Service Provider's attribute request.

    The usage directives are part of ID-WSF 2.0, which we plan to implement in FAM 8.next releases.
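As an added example (not code from the original post, nor from FAM), this is what the explicit SAMLv2 Attribute Query from questions 1 and 2 looks like when one service provider asks for several attributes of one principal in a single request, paired with the attribute-authority side applying a per-provider release policy so that only permitted attributes come back in the single response. The entity IDs, the release policy and the principal store are constructed for the example; signing, the SOAP binding and NameID encryption are left out.

```python
# Added example, not code from the original post or from FAM/OpenSSO.
# SP side builds one SAML 2.0 AttributeQuery for several attributes of one
# principal; the attribute authority side parses it and releases only what the
# requesting provider is permitted to receive. Signing, the SOAP binding and
# NameID encryption are deliberately left out.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

def build_attribute_query(issuer, name_id, attribute_names):
    """SP side: one query naming the principal and every attribute wanted."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": PERSISTENT}).text = name_id
    for name in attribute_names:  # no Attribute elements = "all you will release"
        ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(query, encoding="unicode")

# Constructed (hypothetical) release policy: which attributes each SP may get.
RELEASE_POLICY = {"https://sp.example.com/metadata": {"mail", "givenName"}}
# Constructed principal store keyed by the persistent NameID the SP knows.
PRINCIPALS = {"_persistent-0001": {"mail": "alice@example.com",
                                   "givenName": "Alice", "employeeNumber": "1234"}}

def answer_attribute_query(xml_text):
    """AA side: return only attributes that are requested, permitted and known."""
    query = ET.fromstring(xml_text)
    if query.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError("not a SAML 2.0 AttributeQuery")
    issuer = query.findtext(f"{{{SAML}}}Issuer")
    name_id = query.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    allowed = RELEASE_POLICY.get(issuer, set())      # unknown SP -> nothing
    requested = [a.get("Name") for a in query.findall(f"{{{SAML}}}Attribute")]
    requested = requested or sorted(allowed)          # empty query = everything allowed
    principal = PRINCIPALS.get(name_id, {})
    # Unpermitted names are dropped rather than rejected, so the SP learns
    # nothing about attributes it may not see.
    return {n: principal[n] for n in requested if n in allowed and n in principal}
```

The release policy is what keeps a single multi-attribute request from turning into a bulk disclosure: an attribute the provider is not entitled to (employeeNumber here) never leaves the authority even when it is explicitly named.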
Now Question Me An Answer from the movie musical, Lost Horizon.