A.6 Identity Federation from Paul Denning on 2004-01-28 (www-ws-arch@w3.org from January 2004)

From: Paul Denning <pauld@mitre.org>
Date: Wed, 28 Jan 2004 13:24:53 -0500
To: www-ws-arch@w3.org
Message-Id: <6.0.0.22.0.20040128132029.042cb070@mailsrv1.mitre.org>

This completes my action to provide a section for the security appendix of WSA.

A.6 Identity Federation

The Liberty Alliance is defining specifications [1] dealing with various
aspects of identity. Their phase 2 work is grouped into three
categories: ID-FF, ID-WSF, and ID-SIS.

ID-FF (Identity Federation Framework) discusses how businesses or
organizations can be affiliated into circles of trust and trust
relationships. ID-FF includes several normative specifications, which in
turn make normative references to SAML.

ID-WSF (Identity Web Services Framework) is a set of specifications for
creating, discovering, using, and updating various aspects of identities
through a particular type of web service known as an Identity
Service. ID-WSF builds on ID-FF. A user (Principal) may register with
several Identity Services. A prominent part of ID-WSF is a discovery
service for locating an Identity Service for a given user
(Principal). ID-SWF also defines a Data Services Template. ID-WSF has
also defined a draft specification for an approach to negotiating an
authentication method using SOAP messages to identify SASL mechanisms (RFC
2222) [2].

Note that WS-Security [4] specifically states that establishing a security
context or authentication mechanisms is outside its scope. ID-WSF may fill
this void. However, WS-Security also defines a Username Token Profile,
which could be used as an authentication mechanism. Potentially, Liberty
ID-WSF could be used to negotiate the use of WSS Username Token Profile as
the authentication mechanism. Currently, WSS Username Token Profile is not
registered in IANA's SASL Mechanisms collection [3].

ID-SIS (Identity Service Instance Specifications) defines profiles for
particular types of Identity Services. These profiles conform to the
ID-WSF Data Services Template. Liberty has defined two such profiles. The
Employee Profile (ID-SIS-EP) defines how to query and modify information
associated with a Principal in the context of their employer. The Personal
Profile (ID-SIS-PP) defines how to query and modify identity information
for Principals themselves.

[1] http://projectliberty.org/specs/
[2] http://www.rfc-editor.org/rfc/rfc2222.txt
[3] http://www.iana.org/assignments/sasl-mechanisms
[4]
http://www.oasis-open.org/committees/download.php/5072/oasis-200401-wss-soap-message-security-1.0.pdf
[5]
http://www.oasis-open.org/committees/download.php/5074/oasis-200401-wss-username-token-profile-1.0.pdf

Paul

Received on Wednesday, 28 January 2004 13:25:13 UTC