Security/identity · 2006-11-14

Open Federation goodies

Especially if you read Planet Identity, you’ve probably already seen Pat’s and Dennis’s [UPDATE: and how can I forget Hubert’s??] excellent posts announcing Open Federation, which is the addition of code for identity federation and identity-based web services to the OpenSSO project.

In order to make this something other than a “what they said” post, I just wanted to point out some interesting bits in the newly available documentation.

The architecture doc has all kinds of hardcore goodies, and its Section 3.2.3 illustrates the multi-protocol (dare I say metasystem-y?) nature of the code base:

Open Federation Library provides a pluggable framework for Identity Federation and Web Services. Followings are the list of industry standard supported in Open Federation Library implementation:

1. Liberty ID-FF 1.1 & 1.2, including SP/IDP extended profiles.
2. Liberty ID-WSF 1.0 & 1.1.
3. OASIS SAML 1.0 & 1.1.
4. OASIS SAML 2.0.

Features to be supported in future releases of Open Federation Library:

1. Liberty ID-WSF 2.0
2. WS-Federation Passive Requestor Profile
3. WS-I Basic Security Profile

To achieve extensibility and customizibility, a list of Service Provider Interfaces are provided in each standard implementation to satisfy different deployment use cases. A set of common Service Provider Interfaces used by all components are also defined to integrate with existing authentication, configuration, session, logging and data store infrastructure.

And it’s interesting to peruse the table of contents for the use cases doc, which includes these federation use cases:

UC001 : Persistent Federation
UC002 : Attribute Federation
UC003 : Transient Federation
UC004 : Transient Attribute Federation
UC005 : Transient Attribute Federation without Individual SP Account
UC006 : Attribute Federation with Auto-creation of SP Account
UC007 : Bulk Federation
UC008 : Single Sign-on Initialized from Service Provider
UC009 : Single Sign-on Initialized from IDP (Unsolicited Responses)
UC010: Single Sign-on with Attribute Sharing from IDP
UC011: Single Sign-on with Attribute Sharing from SP
UC012: Single Sign-on with Attribute Sharing from IDP side Application
UC013 : Single Sign-on with J2EE Declarative Policy Integration
UC014 : Single Sign-on with Web Agent Integration
UC015 : Single Sign-on with Authentication Context Mapping
UC016 : Single Logout
UC017 : Name Identifier Registration
UC018 : Federation Termination
UC019 : IDP Proxy
UC020 : Name Identifier Mapping
UC021 : IDP Discovery/Introduction
UC022 : Establish Trust

and these identity services use cases:

UC001 : Web Service Authentication
UC002 : Discovery Query
UC003 : WSP Registry with Discovery Service using B2C model
UC004 : WSP Registry with Discovery Service using B2E model
UC005 : ID-PP Query
UC006 : ID-PP Modify
UC007 : RedirectRequest based Interaction
UC008 : Developing and Deploying Web Service Provider

Check it out…