Monday Jul 28, 2008

Question Me An Answer About Federation

Following are a bunch of high-level answers to some questions regarding federation configuration.

  1. How can a service provider request one or more individual attributes (or a Class of Attributes) from an identity provider for a specified principal in a single request?

    • The identity provider can be configured to send any of a principal's attributes during the single sign-on process by defining simple attribute mappings for both the identity provider and service provider using the console.
    • Using SAMLv1 or SAMLv2, an explicit Attribute Query can be sent to an Attribute Authority.
    • Configure the Liberty Personal Profile Service.
  2. These options can also be used if an identity provider wants to send one or more attributes in a single response to the requesting entity.

  3. How can a service provider indicate that they are federated to an identity provider as a member of an affiliation rather than a circle of trust?

    An affiliation (referenced by an affiliationID) is a grouping of entity providers maintained by an affiliation owner who chooses the members without regard to the boundaries of any circles of trust which might also include the providers as members. Affiliation data is part of the provider metadata and the service provider request itself denotes whether it is an affiliation or not.
  4. How might a service provider or identity provider request a list of members in an affiliation?

    Affiliation-based federation is driven by a boolean flag at the service provider and uses the affiliationID defined for the remote provider (since a local provider can participate in more than one affiliation). The affiliationID can be used to request a list of members.
  5. How might a service provider indicate in an authentication request that they are acting as a member of an affiliation?

    Affiliation-based federation is driven by a boolean flag at the service provider and uses the affiliationID defined for the remote provider (since a local provider can participate in more than one affiliation). If enabled, the authentication request will be sent with the affiliation flag set to true.
  6. How might a service provider indicate in an attribute request that they are acting as a member of an affiliation?

    For explicit attribute requests, I am not sure if there is a flag to indicate whether it is acting as an affiliation; however, if it is during the authentication process, the affiliation can be used.
  7. How might an identity provider verify the affiliation membership indicated in an attribute request?

    For explicit attribute requests, I am not sure if there is a flag to indicate whether it is acting as an affiliation; however, if it is during the authentication process, the affiliation can be used.
  8. How might a service provider make anonymous attribute requests and receive anonymous attribute responses? In other words, the ability to share attributes without disclosing the identity of the Principal to the requestor or Service Provider.

    In requests using SAML or the Liberty Personal Profile Service, the identity of a principal is never disclosed. The interactions are made using an encrypted user ID. You could also use an anonymous user.
  9. How might a service provider associate intended usage with the corresponding requested attributes in an attribute request to an identity provider?

    See the usage directives, which are part of ID-WSF 2.0.
  10. Guideline for Attribute Providers (in the usage negotiation scenario) to reply, always, to a service provider's attribute request with usage directives that, for privacy purposes, are equal to or stricter than those originally stated in the Service Provider's attribute request.

    The usage directives are part of ID-WSF 2.0, which we plan to implement in FAM 8.next releases.
Now Question Me An Answer from the movie musical, Lost Horizon.

Thursday Jan 10, 2008

OpenSSO: Subscribe and Learn

Charles Wesley, one of the QA engineers working on Federated Access Manager and related products, sent this procedure out to the users@opensso.dev.java.net mailing list. This is the type of minutiae (in a good way) that is available on the list. Plus, you can ask questions specific to your deployment, get answers, and help to review the official docs. You can join the list here - but only if you have an account.

Thanks Charles for giving me the opportunity to publicize the list and for this procedure - which only needed a little formatting in its move from email to blog.

Configuring OpenSSO on an Instance of Web Server 7.x Owned by webservd

When installed using the Java Enterprise System installer, Web Server 7.x creates a web server instance owned by the user webservd. In Solaris 10, webservd has a home directory of / by default. If OpenSSO is deployed to an instance owned by webservd with the default settings, the configuration will fail because the OpenSSO configurator will not create files under /. Following is a simple procedure to allow configuration on a webservd-owned web server instance to succeed.
  1. Create a new home directory for webservd.
    mkdir /export/home/webservd
  2. Change the ownership of the directory to owner webservd and group webservd.
    chown -R webservd:webservd /export/home/webservd
  3. Replace / with /export/home/webservd as the home directory of webservd in the /etc/passwd file.
  4. Restart the web server instance on which OpenSSO will be deployed.
  5. Deploy the OpenSSO WAR.
  6. Configure the war file and enter /export/home/webservd as the configuration directory that will be used by OpenSSO.
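The first three steps as a script, with a readiness check a practitioner would want before deploying the WAR. This is an added example, not Charles's procedure or anything shipped with OpenSSO or Web Server 7.x; it assumes the user name webservd and the path /export/home/webservd from the steps above, replaces the manual edit of /etc/passwd in step 3 with usermod -d, and keeps the passwd-file helpers separate so they can be exercised against a constructed file without root.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): helpers for giving the
# webservd user a real home directory before OpenSSO is configured.
# User name and path are assumptions taken from the procedure above.
# Nothing is changed on the system unless the script is run with --apply.
set -eu

# Print the home directory (field 6) recorded for a user in a passwd-format file.
get_home_dir() {
  awk -F: -v user="$2" '$1 == user { print $6 }' "$1"
}

# Rewrite only field 6 of the named user's entry and print the whole file;
# every other line and field is left untouched (field 7, the shell, may be empty,
# as it is for webservd on Solaris 10).
set_home_dir() {
  awk -F: -v user="$2" -v home="$3" \
    'BEGIN { OFS = ":" } $1 == user { $6 = home } { print }' "$1"
}

# Succeed only if the directory exists, is owned by the given user and has the
# owner write bit set: that is what the OpenSSO configurator needs to create files.
check_home_ready() {
  dir=$1; user=$2
  [ -d "$dir" ] || return 1
  owner=$(ls -ld "$dir" | awk '{ print $3 }')
  [ "$owner" = "$user" ] || return 1
  # test -w reports on the *current* user (always true for root), so read the
  # owner permission triplet from ls instead.
  perms=$(ls -ld "$dir" | awk '{ print $1 }')
  case $perms in
    d?w*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Steps 1-3 of the procedure, to be run as root. usermod -d rewrites the home
# field in /etc/passwd for us instead of editing the file by hand; the web
# server instance still has to be restarted afterwards (step 4).
prepare_webservd_home() {
  user=${1:-webservd}
  home=${2:-/export/home/$user}
  mkdir -p "$home"
  chown -R "$user:$user" "$home"
  chmod 0750 "$home"            # private to webservd; no world access
  usermod -d "$home" "$user"
  check_home_ready "$home" "$user"
}

if [ "${1:-}" = "--apply" ]; then
  prepare_webservd_home "${2:-webservd}" "${3:-}"
fi
```

Run as root with `--apply` to perform the change, or source the file and call `check_home_ready /export/home/webservd webservd` after the manual steps to confirm the directory is usable before deploying the WAR. The directory is made 0750 rather than world-readable because OpenSSO will write its configuration, including keystores and encrypted secrets, under it.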
So, in keeping with today's theme, I went looking for a clip of the song, The Things I Will Not Miss (aka On The List), from the 1973 musical remake of Lost Horizon. For those hoping to see Sally Kellerman and Olivia Hussey, fuggedaboutit. Here's Moshe en Joost!

About

docteger
