A.6 Identity Federation

This completes my action to provide a section for the security appendix of WSA.

A.6 Identity Federation


The Liberty Alliance is defining specifications [1] dealing with various 
aspects of identity.  Their phase 2 work is grouped into three 
categories:  ID-FF, ID-WSF, and ID-SIS.

ID-FF (Identity Federation Framework) discusses how businesses or 
organizations can be affiliated into circles of trust and trust 
relationships. ID-FF includes several normative specifications, which in 
turn make normative references to SAML.

ID-WSF (Identity Web Services Framework) is a set of specifications for 
creating, discovering, using, and updating various aspects of identities 
through a particular type of web service known as an Identity 
Service.  ID-WSF builds on ID-FF.  A user (Principal) may register with 
several Identity Services.  A prominent part of ID-WSF is a discovery 
service for locating an Identity Service for a given user 
(Principal).  ID-WSF also defines a Data Services Template.  ID-WSF has 
also defined a draft specification for an approach to negotiating an 
authentication method using SOAP messages to identify SASL mechanisms (RFC 
2222) [2].

Note that WS-Security [4] specifically states that establishing a security 
context or authentication mechanisms is outside its scope. ID-WSF may fill 
this void.  However, WS-Security also defines a Username Token Profile [5], 
which could be used as an authentication mechanism.  Potentially, Liberty 
ID-WSF could be used to negotiate the use of WSS Username Token Profile as 
the authentication mechanism.  Currently, WSS Username Token Profile is not 
registered in IANA's SASL Mechanisms collection [3].

ID-SIS (Identity Service Instance Specifications) defines profiles for 
particular types of Identity Services.  These profiles conform to the 
ID-WSF Data Services Template.  Liberty has defined two such profiles.  The 
Employee Profile (ID-SIS-EP) defines how to query and modify information 
associated with a Principal in the context of their employer.  The Personal 
Profile (ID-SIS-PP) defines how to query and modify identity information 
for Principals themselves.

[1] http://projectliberty.org/specs/
[2] http://www.rfc-editor.org/rfc/rfc2222.txt
[3] http://www.iana.org/assignments/sasl-mechanisms
[4] http://www.oasis-open.org/committees/download.php/5072/oasis-200401-wss-soap-message-security-1.0.pdf
[5] http://www.oasis-open.org/committees/download.php/5074/oasis-200401-wss-username-token-profile-1.0.pdf


Paul

Received on Wednesday, 28 January 2004 13:25:13 UTC