From brett.beaumont at fronde.com Wed Jun 4 16:55:08 2008
From: brett.beaumont at fronde.com (Brett Beaumont)
Date: Thu, 5 Jun 2008 11:55:08 +1200
Subject: [wsf-dev] ID-WSF newbie questions
Message-ID: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net>

Hi,

I'm investigating ID-WSF and how we may be able to use it for our set of services. As a starting point, I am wondering if anyone can point me to information regarding:

* Does ID-WSF 1.1 support SAML2 tokens? A pretty specific question, but we might look to integrate with an existing SAML2 provider.
* Can anyone direct me to use cases implemented using ID-WSF?
* Can anyone provide any information about server-side implementations of ID-WSF (i.e. Discovery Service, IdP, etc. under either 1.1 or 2.0) and what their experience has been?
* Has anybody used the Conor Cahill server toolkit? It mentions that the implementation is limited, but I wonder if this is complete enough for prototyping purposes. I also see that the OpenLibertyJ client library appears to have been tested against this server.

Thanks in advance.

Brett

________________________________
Brett Beaumont | Technical Team Lead | Fronde Systems Group Ltd | 3 Queens Wharf, PO Box 11545, Wellington 6142, New Zealand | p. +64 4 439 4032 | m. +64 21 936 619 | f. +64 4 460 5703 | e. brett.beaumont at fronde.com | www.fronde.com

The information contained in this email is privileged and confidential and intended for the addressee only. If you are not the intended recipient, please respect that confidentiality and do not disclose, copy or make use of its contents. If received in error, please destroy this email and contact the sender immediately. Thank you.
From conor.p.cahill at intel.com Wed Jun 4 18:27:08 2008
From: conor.p.cahill at intel.com (Cahill, Conor P)
Date: Wed, 4 Jun 2008 18:27:08 -0700
Subject: [wsf-dev] ID-WSF newbie questions
In-Reply-To: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net>
References: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net>
Message-ID: <1B47D24854C7BC4FA8DA28BEBB59B0BA037B7B0C@orsmsx419.amr.corp.intel.com>

> * Does ID-WSF 1.1 support SAML2 tokens? A pretty specific question, but we might look to integrate with an existing SAML2 provider.

ID-WSF supports any token in both 1.x and 2.x. However, SAML2 tokens weren't explicitly profiled until ID-WSF 2.0 (which is what I would recommend you start with anyway, as 2.0 has many important improvements).

> * Can anyone direct me to use cases implemented using ID-WSF?

The Case Studies section of the Liberty web site has a number of deployment descriptions for ID-WSF.

> * Can anyone provide any information about server-side implementations of ID-WSF (i.e. Discovery Service, IdP, etc. under either 1.1 or 2.0) and what their experience has been?

I have an open source implementation of ID-WSF 2.0 (both a C++ client side library and a Java server side implementation of AS, DS and basic ID-WSF functionality). It is in the process of being contributed into OpenLiberty, but in the meantime you can grab a copy of the latest code from http://www.cahillfamily.com in the OpenSource subdirectory.

> * Has anybody used the Conor Cahill server toolkit? It mentions that the implementation is limited, but I wonder if this is complete enough for prototyping purposes. I also see that the OpenLibertyJ client library appears to have been tested against this server.

I have :). I have actually interopped it with a number of other implementations.
The key restriction on the server side of the toolkit is the lack of support for XML Signature verification on incoming messages. So it's OK for prototyping and testing (and I have a number of example services built on top of the toolkit, some official Liberty services and some home-grown (like a media service)); however, I would not use this toolkit for production code without getting support for XML Signatures.

Conor

From asa.openliberty at zenn.net Wed Jun 4 18:49:54 2008
From: asa.openliberty at zenn.net (Asa Hardcastle)
Date: Wed, 4 Jun 2008 21:49:54 -0400
Subject: [wsf-dev] ID-WSF newbie questions
In-Reply-To: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net>
References: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net>
Message-ID: <38361445-0328-4B28-A25F-BB5FFD2AD408@zenn.net>

Hi Brett,

> Can anyone direct me to use cases implemented using ID-WSF?

http://www.projectliberty.org/liberty/resource_center/case_studies
(the location Conor referenced)

> Can anyone provide any information about server-side implementations of ID-WSF (i.e. Discovery Service, IdP, etc. under either 1.1 or 2.0) and what their experience has been?

Symlabs has a feature-complete and interoperable (conformance tested and approved) server (IdP, DS, AS, PP, PS, ID-DAP, etc. etc.). My experience with it has been excellent. I test the OpenLiberty ID-WSF 2.0 Client Library against both Conor's toolkit and Symlabs FIS.

http://symlabs.com/products/federated-identity-suite

> Has anybody used the Conor Cahill server toolkit? It mentions that the implementation is limited, but I wonder if this is complete enough for prototyping purposes. I also see that the OpenLibertyJ client library appears to have been tested against this server.

Yes.
Not only appears, but has been tested against. I have found it great for prototyping, and recently built a partial implementation of a personal profile service using Conor's toolkit.

Can you share anything about your use case?

talk later,

asa

--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7

From sampo at symlabs.com Thu Jun 5 01:59:15 2008
From: sampo at symlabs.com (sampo at symlabs.com)
Date: Thu, 5 Jun 2008 10:59:15 +0200 (CEST)
Subject: [wsf-dev] ID-WSF newbie questions
In-Reply-To: <38361445-0328-4B28-A25F-BB5FFD2AD408@zenn.net>
References: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net> <38361445-0328-4B28-A25F-BB5FFD2AD408@zenn.net>
Message-ID: <59237.213.22.11.237.1212656355.squirrel@galactus.symlabs.net>

Asa Hardcastle wrote:
> Hi Brett,
>
>> Can anyone direct me to use cases implemented using ID-WSF?
> http://www.projectliberty.org/liberty/resource_center/case_studies
> (the location Conor referenced)
>
>> Can anyone provide any information about server-side implementations
>> of ID-WSF (i.e. Discovery Service, IdP, etc. under either 1.1 or
>> 2.0) and what their experience has been?
> Symlabs has a feature complete and interoperable (conformance tested
> and approved) server (IdP, DS, AS, PP, PS, ID-DAP, etc etc). My
> experience with it has been excellent. I test the OpenLiberty ID-WSF
> 2.0 Client Library against both Conor's toolkit and Symlabs FIS.
>
> http://symlabs.com/products/federated-identity-suite

The OpenLiberty-ZXID (zxid.org) has WSP code for ID-DAP, ID-HR-XML, and generic WSP. However, it does not have Discovery WSP (it has Discovery WSC).

Cheers,
--Sampo

>> Has anybody used the Conor Cahill server toolkit?
>> It mentions that
>> the implementation is limited, but I wonder if this is complete
>> enough for prototyping purposes. I also see that the OpenLibertyJ
>> client library appears to have been tested against this server.
> Yes. Not only appears, but has been tested against. I have found it
> great for prototyping, and recently built a partial implementation of
> a personal profile service using Conor's toolkit.
>
> Can you share anything about your use case?
>
> talk later,
>
> asa
>
>
> --
> Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
> Tel: +1.413.429.1044 Skype: subsystem7
>
> _______________________________________________
> Wsf-dev mailing list
> Wsf-dev at lists.openliberty.org
> http://lists.openliberty.org/mailman/listinfo/wsf-dev_lists.openliberty.org
>

From pcros at entrouvert.com Thu Jun 5 05:59:56 2008
From: pcros at entrouvert.com (Pierre Cros)
Date: Thu, 05 Jun 2008 14:59:56 +0200
Subject: [wsf-dev] ID-WSF newbie questions
In-Reply-To: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net>
References: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net>
Message-ID: <1212670796.4510.126.camel@rascasse>

On Thursday 5 June 2008 at 11:55 +1200, Brett Beaumont wrote:
> Hi,
>
> I'm investigating ID-WSF and how we may be able to use it for our set
> of services. As a starting point, I am wondering if anyone can point
> me to information regarding:
> * Does ID-WSF 1.1 support SAML2 tokens? A pretty specific
> question, but we might look to integrate with an existing
> SAML2 provider.
> * Can anyone direct me to use cases implemented using ID-WSF?
> * Can anyone provide any information about server-side
> implementations of ID-WSF (i.e. Discovery Service, IdP, etc.
> under either 1.1 or 2.0) and what their experience has been?

You can have a look at Authentic.
http://authentic.labs.libre-entreprise.org/

Regards,
Pierre

From brett at projectliberty.org Thu Jun 5 07:33:06 2008
From: brett at projectliberty.org (Brett McDowell)
Date: Thu, 5 Jun 2008 10:33:06 -0400
Subject: [wsf-dev] call today?
Message-ID: <3FBFB1D1-B2E3-4F5B-826C-891D0E9F67C5@projectliberty.org>

Is there a call today? If not, what is the new schedule?

-- Brett

From asa.openliberty at zenn.net Thu Jun 5 07:42:08 2008
From: asa.openliberty at zenn.net (Asa Hardcastle)
Date: Thu, 5 Jun 2008 10:42:08 -0400
Subject: [wsf-dev] call today?
In-Reply-To: <3FBFB1D1-B2E3-4F5B-826C-891D0E9F67C5@projectliberty.org>
References: <3FBFB1D1-B2E3-4F5B-826C-891D0E9F67C5@projectliberty.org>
Message-ID: <8B40CF64-EB22-4AB7-853C-BF89177765B0@zenn.net>

no call.

asa

--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7

On Jun 5, 2008, at 10:33 AM, Brett McDowell wrote:
> Is there a call today? If not, what is the new schedule?
>
> -- Brett

From asa.openliberty at zenn.net Thu Jun 5 07:46:21 2008
From: asa.openliberty at zenn.net (Asa Hardcastle)
Date: Thu, 5 Jun 2008 10:46:21 -0400
Subject: [wsf-dev] call today?
In-Reply-To: <8B40CF64-EB22-4AB7-853C-BF89177765B0@zenn.net>
References: <3FBFB1D1-B2E3-4F5B-826C-891D0E9F67C5@projectliberty.org> <8B40CF64-EB22-4AB7-853C-BF89177765B0@zenn.net>
Message-ID:

I will get a new schedule out soon. Also, I have a proposal for the final name of the OpenLiberty Client Library. Coming soon ;)

asa

--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7

On Jun 5, 2008, at 10:42 AM, Asa Hardcastle wrote:
> no call.
>
> asa
>
> --
> Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
> Tel: +1.413.429.1044 Skype: subsystem7
>
> On Jun 5, 2008, at 10:33 AM, Brett McDowell wrote:
>
>> Is there a call today? If not, what is the new schedule?
>>
>> -- Brett

From Andrew.Patterson at Sun.COM Thu Jun 5 12:42:05 2008
From: Andrew.Patterson at Sun.COM (Pat Patterson)
Date: Thu, 05 Jun 2008 12:42:05 -0700
Subject: [wsf-dev] ID-WSF newbie questions
In-Reply-To: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net>
References: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net>
Message-ID: <3102433D-BFED-4DF3-B565-BD291E54F839@sun.com>

Hi Brett,

OpenSSO (http://opensso.org/) has ID-WSF 1.1 - see Sun Access Manager docs for more details: http://docs.sun.com/app/docs/doc/819-4674/gdqow?a=view

Cheers,
Pat

On Jun 4, 2008, at 4:55 PM, Brett Beaumont wrote:
> Hi,
>
> I'm investigating ID-WSF and how we may be able to use it for our
> set of services. As a starting point, I am wondering if anyone can
> point me to information regarding:
> Does ID-WSF 1.1 support SAML2 tokens? A pretty specific question, but
> we might look to integrate with an existing SAML2 provider.
> Can anyone direct me to use cases implemented using ID-WSF?
> Can anyone provide any information about server-side implementations
> of ID-WSF (i.e. Discovery Service, IdP, etc. under either 1.1 or
> 2.0) and what their experience has been?
> Has anybody used the Conor Cahill server toolkit? It mentions that
> the implementation is limited, but I wonder if this is complete
> enough for prototyping purposes.
> I also see that the OpenLibertyJ
> client library appears to have been tested against this server.
> Thanks in advance.
>
> Brett
>
>
> Brett Beaumont | Technical Team Lead | Fronde Systems Group Ltd | 3
> Queens Wharf, PO Box 11545, Wellington 6142, New Zealand | p. +64 4
> 439 4032 | m. +64 21 936 619 | f. +64 4 460 5703 | e. brett.beaumont at fronde.com
> | www.fronde.com

- - - - -
Pat Patterson
Federation Architect, Sun Microsystems, Inc.
pat.patterson at sun.com - http://blogs.sun.com/superpat
- - - - -
Join OpenSSO today! http://opensso.dev.java.net/
- - - - -

From brett.beaumont at fronde.com Tue Jun 10 15:32:04 2008
From: brett.beaumont at fronde.com (Brett Beaumont)
Date: Wed, 11 Jun 2008 10:32:04 +1200
Subject: [wsf-dev] ID-WSF newbie questions
In-Reply-To: <38361445-0328-4B28-A25F-BB5FFD2AD408@zenn.net>
References: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net> <38361445-0328-4B28-A25F-BB5FFD2AD408@zenn.net>
Message-ID: <8854435B87A63345AE83468AE6F9831A0826765D@wlg-ex01.synergyint.net>

Hi all,

Thanks for the responses. At the moment I'm conducting an investigation into ID-WSF, rather than fully implementing specific scenarios.
To that effect, I want to demo things from the relatively simple through to the more complex, cross-principal scenarios.

At the simple end of the spectrum, I want to demo the relatively straightforward scenario of an interactive user using an SP that needs to pull information from a Personal Profile service. I would like to test the simple case where the PP directly releases the info, and possibly the case where the RedirectRequest protocol is used to redirect the user from the SP to the PP to acquire permission. Based on the responses to my earlier message, I have got a simple demo up and running, and should be able to re-skin that for our demo purposes.

In terms of a cross-principal scenario, I am thinking of something along the lines of:

1. I already have a relationship with CompanyA (federated pseudonymous NameIDs etc.).
2. I SSO onto CompanyA's website and submit a query.
3. Later, an employee at CompanyA wants to respond to my query using their CRM tool, and needs my Personal Profile to find my email address.
4. The CRM (SP) looks up my Discovery Service and locates my Personal Profile service.
5. The CRM sends a message to my Personal Profile service.
6. The Personal Profile service determines that I have already agreed to release my information to CompanyA and returns my email address. Alternatively, it may need to contact my Interaction Service to approve release of my email address.

This seems to me like a case similar to the cases in the Interaction Service specification.

For this type of scenario I have two main questions:

1. How does the CompanyA CRM get hold of my Discovery Service? Does it capture this information when I federate my accounts, and then use either the NameID Mapping service or SSOS service of my IdP to get the appropriate tokens for my Discovery Service when it needs to ask the DS?

2. In step 5 (CRM sends a request to the Personal Profile), who would be the "RequestingPrincipal"? I see two options:

1.
A principal representing CompanyA (or perhaps CompanyA's CRM). This would allow me to grant access to my email to CompanyA, and not worry about changes in the CRM user group. Since I may deal with many people from the CRM user group in subsequent interactions with CompanyA, this approach would simplify my burden of granting access.

2. The principal representing the CRM user. Perhaps the Personal Profile can use SAML attributes in the RequestingPrincipal's assertion to determine whether to grant access. However, this would make the policy enforcement at the Personal Profile service fairly complex - it would need to know what attribute statements to expect, and these could possibly be different between different IdPs. Note that this approach would be perfect if I had a specific account manager, but I'm thinking more of a generic consumer case, where I might be a customer of Amazon.com and not have a specific person looking after my account.

Question 2 is more conceptual than technical, but it would be interesting to get your thoughts.

Thanks,

Brett

________________________________
From: Asa Hardcastle [mailto:asa.openliberty at zenn.net]
Sent: Thursday, 5 June 2008 1:50 p.m.
To: Brett Beaumont
Cc: Wsf-dev at lists.openliberty.org
Subject: Re: [wsf-dev] ID-WSF newbie questions

Hi Brett,

* Can anyone direct me to use cases implemented using ID-WSF?

http://www.projectliberty.org/liberty/resource_center/case_studies
(the location Conor referenced)

* Can anyone provide any information about server-side implementations of ID-WSF (i.e. Discovery Service, IdP, etc. under either 1.1 or 2.0) and what their experience has been?

Symlabs has a feature complete and interoperable (conformance tested and approved) server (IdP, DS, AS, PP, PS, ID-DAP, etc etc). My experience with it has been excellent. I test the OpenLiberty ID-WSF 2.0 Client Library against both Conor's toolkit and Symlabs FIS.
http://symlabs.com/products/federated-identity-suite

* Has anybody used the Conor Cahill server toolkit? It mentions that the implementation is limited, but I wonder if this is complete enough for prototyping purposes. I also see that the OpenLibertyJ client library appears to have been tested against this server.

Yes. Not only appears, but has been tested against. I have found it great for prototyping, and recently built a partial implementation of a personal profile service using Conor's toolkit.

Can you share anything about your use case?

talk later,

asa

--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7

From cantor.2 at osu.edu Tue Jun 10 19:03:45 2008
From: cantor.2 at osu.edu (Scott Cantor)
Date: Tue, 10 Jun 2008 22:03:45 -0400
Subject: [wsf-dev] ID-WSF newbie questions
In-Reply-To: <8854435B87A63345AE83468AE6F9831A0826765D@wlg-ex01.synergyint.net>
References: <8854435B87A63345AE83468AE6F9831A08267635@wlg-ex01.synergyint.net> <38361445-0328-4B28-A25F-BB5FFD2AD408@zenn.net> <8854435B87A63345AE83468AE6F9831A0826765D@wlg-ex01.synergyint.net>
Message-ID: <01a801c8cb67$627405e0$275c11a0$@2@osu.edu>

> 1. How does the CompanyA CRM get hold of my Discovery Service? Does it
> capture this information when I federate my accounts, and then use either
> the NameID mapping service or SSOS service of my IdP to get the appropriate
> tokens for my discovery service when it needs to ask the DS?

I believe the People Service includes such use cases, or there are ways to "subscribe" to that user's DS to get updates when it moves. Yes, you would typically discover the other user's PP with their DS but use your SSOS to get a token for it.

> 2. The principal representing the CRM user.
> Perhaps the Personal
> Profile can use SAML attributes in the RequestingPrincipal's assertion to
> determine whether to grant access. However, this would make the policy
> enforcement at the Personal Profile service fairly complex - it would need
> to know what attribute statements to expect, and these could possibly be
> different between different IdPs.

Yes, that's just the reality of attribute-based authz. The policy required should determine what you do, not the ease of implementing it. Otherwise it wasn't the necessary policy to begin with. Policy is what you do, not what you say you should do.

> Question 2 is more conceptual than technical, but it would be interesting to
> get your thoughts.

I think you've got a pretty good handle on it.

-- Scott
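Brett's question 2 above (whether the Personal Profile service should decide on the requesting organization, option 1, or on the requesting end user's SAML attributes, option 2) and Scott's reply (attribute-based authz is what the policy requires, however awkward) can be made concrete as the release-policy check a PP would run before answering the CRM's query. The Python below is an added example written for this page; it is not code from the thread, from Conor's toolkit, OpenLiberty, Symlabs FIS or ZXID. The identifiers (COMPANY_A_CRM, COMPANY_A_IDP, OWNER, the "role" attribute), the sample consents and the data model are assumptions, and it models only the decision, not ID-WSF messages, discovery or token handling.

```python
"""Release-policy decision at a Personal Profile (PP) service for the
cross-principal case in the thread: CompanyA's CRM asks for the profile
owner's email address.

Added illustration only.  Names, URLs and the consent model are assumed;
this is not ID-WSF wire format and not code from any implementation named
on the list."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional

# Hypothetical identifiers for the constructed scenario (not from the thread).
COMPANY_A_CRM = "https://crm.companya.example/wsc"
COMPANY_A_MARKETING = "https://marketing.companya.example/wsc"
COMPANY_A_IDP = "https://idp.companya.example"
OTHER_IDP = "https://idp.othercorp.example"
OWNER = "owner-brett"  # the profile owner's local identifier at the PP


class Decision(Enum):
    PERMIT = "permit"      # release the attribute
    DENY = "deny"          # the owner explicitly refused this requester
    INTERACT = "interact"  # no applicable consent: ask the owner (Interaction Service)


@dataclass(frozen=True)
class RequestingPrincipal:
    """The end user the WSC is acting for (Brett's option 2)."""
    issuer: str                            # IdP that issued the assertion
    attributes: Dict[str, FrozenSet[str]]  # SAML attribute name -> values


@dataclass(frozen=True)
class PPRequest:
    owner: str                # whose profile is being queried
    provider_id: str          # the WSC, e.g. CompanyA's CRM (option 1)
    attribute: str            # PP attribute requested, e.g. "email"
    principal: Optional[RequestingPrincipal] = None


@dataclass(frozen=True)
class ProviderGrant:
    """Option 1: consent keyed on the requesting provider, so churn in
    CompanyA's CRM user group never changes the policy."""
    provider_id: str
    attributes: FrozenSet[str]
    allow: bool = True


@dataclass(frozen=True)
class AttributeGrant:
    """Option 2: consent keyed on the requesting principal's SAML attributes.
    Scoped to one issuer, because the same attribute name can mean different
    things at different IdPs (the complexity Brett and Scott discuss)."""
    issuer: str
    attribute_name: str
    accepted_values: FrozenSet[str]
    attributes: FrozenSet[str]
    allow: bool = True


@dataclass
class ConsentStore:
    provider_grants: Dict[str, List[ProviderGrant]] = field(default_factory=dict)
    attribute_grants: Dict[str, List[AttributeGrant]] = field(default_factory=dict)


def _matching_verdicts(store: ConsentStore, req: PPRequest) -> List[bool]:
    """Collect the allow/deny flag of every grant that applies to req."""
    verdicts: List[bool] = []
    for g in store.provider_grants.get(req.owner, []):
        if g.provider_id == req.provider_id and req.attribute in g.attributes:
            verdicts.append(g.allow)
    if req.principal is not None:  # option 2 needs an end-user assertion
        for g in store.attribute_grants.get(req.owner, []):
            if g.issuer != req.principal.issuer:
                continue  # never honour attributes asserted by a different IdP
            held = req.principal.attributes.get(g.attribute_name, frozenset())
            if held & g.accepted_values and req.attribute in g.attributes:
                verdicts.append(g.allow)
    return verdicts


def decide(store: ConsentStore, req: PPRequest) -> Decision:
    """Explicit deny beats any permit; with no matching grant the PP must not
    release silently and falls back to asking the owner."""
    verdicts = _matching_verdicts(store, req)
    if not verdicts:
        return Decision.INTERACT
    return Decision.DENY if False in verdicts else Decision.PERMIT


def example_store() -> ConsentStore:
    """Consent the owner recorded in this constructed scenario."""
    store = ConsentStore()
    store.provider_grants[OWNER] = [
        ProviderGrant(COMPANY_A_CRM, frozenset({"email"})),
        ProviderGrant(COMPANY_A_MARKETING, frozenset({"email"}), allow=False),
    ]
    store.attribute_grants[OWNER] = [
        AttributeGrant(COMPANY_A_IDP, "role",
                       frozenset({"support", "account-manager"}),
                       frozenset({"email", "phone"})),
    ]
    return store


if __name__ == "__main__":
    s = example_store()
    support = RequestingPrincipal(COMPANY_A_IDP, {"role": frozenset({"support"})})
    for r in (PPRequest(OWNER, COMPANY_A_CRM, "email"),
              PPRequest(OWNER, COMPANY_A_CRM, "phone"),
              PPRequest(OWNER, COMPANY_A_CRM, "phone", support),
              PPRequest(OWNER, COMPANY_A_MARKETING, "email", support)):
        print(r.provider_id, r.attribute, "->", decide(s, r).value)
```

The three outcomes map onto Brett's step 6: PERMIT is the "already agreed to release to CompanyA" branch, INTERACT is where the Interaction Service (or the RedirectRequest path he mentions for the simple demo) takes over, and DENY records an explicit refusal that wins over any broader permit. Both grant types coexist, so option 1 and option 2 are a policy choice rather than a code choice, and the attribute rule is deliberately bound to one issuer so that a "role" asserted by some other IdP never matches. Everything the check keys on (the provider_id and the principal's assertion) has to come from verified security tokens on the incoming message, which is why Conor's note about missing XML Signature verification in the prototyping toolkit matters before any of this is trusted in production.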