Monday Jan 14, 2008

RESTful Identity Services - Service Registration

Alright, so in the previous 2 posts I described our overall approach for RESTful identity services and the core scenario we're thinking about. In this post I'm going to explore in a bit more details what happens during the first phase of our scenario: service registration.

One word of caution: this work is evolving quite rapidly so things I present here MAY (and will) change...

In our scenario, our service provider needs to registers itself at our Discovery service. To do so, needs to upload metadata that describes its service at a well known endpoint of the Discovery service. The service metadata we use is derived from what Liberty defines in ID-WSF2.0 although we have simplified it quite a bit. We describe RESTful services with the following metadata:

  • Abstract: some text describing the service
  • ProviderID: a URI that (uniquely) identifies the service (e.g. something like in our example)
  • ServiceContext is a complex type with the following elements:
    • ServiceType: this is the type of service. An example of this would be "calendar".
    • OneTimeURI: this is an element that describes whether this service supports our 1-time URI mechanism or not (described in a subsequent post)
    • RegURI: this is the registration URI. This element, assigned by the DS, contains the URI that points to the service metadata. Since it is a resource (in the REST sense) it can be acted upon (e.g. an HTTP DELETE on this URI corresponds to an unregistration).
    • SecurityMechID: this describes the security mechanisms supported by  For instance whether it support HTTPS or not.
    • Options: used to describe optional features of the service

So, to register its service at the DS, generates the above metadata and send it to the DS at the /SvcMDRegister URI as shown in the illustration below:

Service Metadata Registration

Saturday Jan 12, 2008

RESTful Identity Services - Core Scenario

In yesterday's post I introduced the work we're doing at Sun's CTO labs on integrating identity concepts within a RESTful framework. Before I post more technical details on how we do that I thought it would be better to give an overview of our core scenario.

Let's imagine the following scenario: I book a trip on a Part of the features that makes this site attractive to me is that it can automatically update my online calendar, which it offers to do as soon as I have purchased my ticket. It is important to note that my calendar service (let's call has no particular relationship with the travel service I use to book my trip. In fact I could change my calendar service at any time (or use another travel site). This scenario is quite simple but it will allow me to go through the various phases that need to take place.

At the highest level, 4 steps need to take place:

  1. I visit and book a ticket.
  2. offers to update my online calendar, should I have one. Since I do have such service (at, I accept the offer.
  3. finds out that my calendar service is hosted at and figures out the specifics of this service (more details on that later).
  4. contacts and updates my calendar there (on my behalf).
Many things need to happen under the hood, but one of the most interesting aspects of this scenario is the fact that we want services to be able to discover various other services that are associated with my (online) identity. In this case, the Travel site does not want to discover any calendar service, it wants to discover my calendar service.

How do we go about solving this discovery problem? One solution, proposed by Liberty Alliance, is the concept of a Discovery service. A Discovery service is an online service where a user can federate many services around his identity thus enabling their discovery. This is a powerful concept and our RESTful solution uses the same concept.

At a slightly more technical level, by including the Discovery Service notion we now have the following steps:

  1. At some point in time (prior to my ticket purchase) I visited and was asked if I wanted to associate this service with my account (i.e. my identity) at my Discovery service (I'll leave the details on how the Calendar service knows about my Discovery service out for now).
  2. When I consent, sends a request to associate itself with my identity there. Doing so, my calendar resource becomes discoverable by other services that can talk to my Discovery service.
  3. I visit, purchase a ticket and accept the offer to update my online calendar.
  4. performs a lookup query at my Discovery service to find out where my calendar service resides and retrieve details about it.
  5. After it gets the information, can now update my calendar that is hosted at
In order for the last step to be possible, needs information (metadata) about my calendar service (where it is, the security mechanisms it supports, etc.). We thus need to add a preliminary step to this sequence: registers its metadata at my Discovery service.

This scenario highlights the 3 core steps I described in my previous blog entry:

  1. A service provider (e.g. registers itself at my Discovery service and then associates itself with my identity there (at my Discovery Service)
  2. A service consumer (e.g. discovers the location and metadata of the service that it wants to access on my behalf
  3. This service consumer invokes the service provider to carry out some function (e.g. update my calendar).
This 3-step process corresponds to the core use case provided by Liberty's ID-WSF framework. It is also the core scenario we aim at enabling in a RESTful manner.

Monday May 07, 2007

OpenID at Sun

This is what I've been working on for the last (many) weeks:

Sun is deploying an OpenID enabled Identity Provider (OP in OpenID jargon) for its employees. Any Sun employee will be able to create an OpenID identifier and use it with OpenID enabled relying parties (RP).

Our primary objective is to figure out adequate uses of OpenID in the enterprise context. As SAML and Liberty supporters we know OpenID (1.1) is addressing a different market when it comes to delegated authentication. Its lack of trust establishment between the IdP and the RP is, in my opinion, one of the challenge OpenID is facing in a B2B scenario. By placing the IdP within Sun's DNS and controlling the OpenID identifier format we inject some of that trust in the authentication process. Consider the scenario where a company that does business with Sun offers a discount to Sun employees. In order for me to have access to the employee discount pages at their web site, Company A, in addition to my identity needs to know that I am indeed a Sun employee. I think combining OpenID and a certain for of trust of the IdP is ideal for that kind of scenario.

Our OpenID deployment (1.1 & Simple Reg.) is based on the module that was recently written by Paul Bryan as part of our open source effort OpenSSO. In my next blogs, I'll be posting a lot of tips and howtos directly related to this deployment.


Friday Dec 22, 2006

SAML vs. WS-Federation

Following my recent post on the (very) quiet publication of W-Federation, I was pointed at this excellent document that compares SAML and WS-Federation and explains why SAML is a better choice. This document is even more remarkable when one notices that it has been written by people working for the Government of Denmark obviously an impartial 3rd party.

I highly recommend this reading if you're in the process of selecting technology for identity federation or if you're just interested in understanding both specifications and some of their key differences. For those who don't have time I'm reproducing the main table in the Danish document below (I did not ask for permission but hopefully it's ok...):

 requirements  SAML2.0  WS-Federation
 Functionality related to requirements
Equal Equal 
 Support of the standard in commercially available products
 Microsoft support
 Proven usability from use in solutions in production
 Assessments by analyst companies
 Based on an adopted standards (e.g. within OASIS)
 Interaction with the other adopted standards, XACML and SPML  Advantage  
 Future development of the standard  Consolidation is expected
 Consolidation is expected
 Third party Interop Testing/Interoperability Certification  Advantage  


The document goes into more detail for each of those requirements and how the came to the conclusion presented in the table. I think this is a fair assessment of the situation!


Wednesday Dec 20, 2006

WS-Federation version 1.1 is out, 3 years after...

So, it seems Microsoft, IBM & al. have decided to release a new version of WS-Federation, more than 3 years after their first version. I've done a quick read on it and listed some of the most noticeable changes below:

  • Structurally there is now only one document. The passive, active and various interoperability profiles have all been combined in this single document. I tend to think this is a good thing since all these profiles were certainly creating confusion. IMHO they were also showing a certain lack of testing before the first publication hence leading to the need for additional interoperability profiles (but I'm being controversial here...).
  • All the protocols have been combined in a single big section (13)
  • The focus seems to be more on the active requestor rather than the passive profile which is mainly addressed in section 13.6

There are some new features in this spec too:

  • Federation metadata: with the concept of context to describe the fact of belonging to one or more federation (what SAML or Liberty Alliance calls Circle of Trust (CoT))
  • Authorization service & Pseudonym service: these are basically specialized versions of an STS in order to be able to include either attributes or pseudonyms along with the token that's being issued.

At this point it really looks like WS-Federation 1.1 is mimicking most of SAML2.0 functionalities although I think there are a few differences that I'll explore in a forthcoming post.
Finally, can someone tell me why in a world they decided to expand SSO as single sign-out when everyone else in the industry understands it as single sign-on ?!  Talk about confusing people...





« July 2016