[wsf-dev] ID-WSF newbie questions
Brett Beaumont
brett.beaumont at fronde.com
Tue Jun 10 15:32:04 PDT 2008
Hi all,
Thanks for the responses.
At the moment I'm conducting an investigation into ID-WSF, rather than
fully implementing specific scenarios. To that effect, I want to demo
things from the relatively simple, through to the more complex,
cross-principal scenarios.
At the simple end of the spectrum, I want to demo a relatively
straightforward scenario of an interactive user using an SP that needs
to pull information from a Personal Profile service. I would like to
test the simple case where the PP directly releases the info, and
possibly the case where the RedirectRequest protocol is used to redirect
the user from the SP to the PP to acquire permission. Based on the
responses to my earlier message, I have got a simple demo up and
running, and should be able to re-skin that for our demo purposes.
In terms of a cross-principal scenario, I am thinking of something along
the lines of:
1. I already have a relationship with CompanyA (federated
   pseudonymous nameids etc).
2. I SSO onto CompanyA's website and submit a query.
3. Later, an employee at CompanyA wants to respond to my query
   using their CRM tool, and needs my Personal Profile to find my email
   address.
4. The CRM (SP) looks up my discovery service and locates my
   personal profile service.
5. The CRM sends a message to my personal profile service.
6. The Personal Profile service determines that I have already
   agreed to release my information to CompanyA and returns my email
   address. Alternatively, it may need to contact my Interaction Service to
   approve release of my email address.
This seems to me like a case similar to the cases in the Interaction
Service specification. For this type of scenario I have two main
questions:
1. How does the CompanyA CRM get hold of my Discovery Service? Does
   it capture this information when I federate my accounts, and then use
   either the NameID mapping service or SSOS service of my IdP to get the
   appropriate tokens for my discovery service when it needs to ask the DS?
2. In step 5 (CRM sends a request to the Personal Profile), who
   would be the "RequestingPrincipal"? I see two options:
   1. A principal representing CompanyA (or perhaps CompanyA's
      CRM). This would allow me to grant access to my email to CompanyA, and
      not worry about changes in the CRM user group. Since I may deal with
      many people from the CRM user group in subsequent interactions with
      CompanyA, this approach would simplify my burden of granting access.
   2. The principal representing the CRM user. Perhaps the
      Personal Profile can use SAML attributes in the RequestingPrincipal's
      assertion to determine whether to grant access. However, this would make
      the policy enforcement at the Personal Profile service fairly complex -
      it would need to know what attribute statements to expect, and these
      could possibly be different between different IdPs. Note that this
      approach would be perfect if I had a specific account manager, but I'm
      thinking more of a generic consumer case, where I might be a customer of
      Amazon.com and not have a specific person looking after my account.
Question 2 is more conceptual than technical, but it would be
interesting to get your thoughts.
Thanks,
Brett
________________________________
From: Asa Hardcastle [mailto:asa.openliberty at zenn.net]
Sent: Thursday, 5 June 2008 1:50 p.m.
To: Brett Beaumont
Cc: Wsf-dev at lists.openliberty.org
Subject: Re: [wsf-dev] ID-WSF newbie questions
Hi Brett,
* Can anyone direct me to use cases implemented using
ID-WSF.
http://www.projectliberty.org/liberty/resource_center/case_studies (the
location Conor referenced)
* Can anyone provide any information about server-side
implementations of ID-WSF (i.e. Discovery Service, IdP, etc. under
either 1.1 or 2.0) and what their experience has been?
Symlabs has a feature complete and interoperable (conformance tested and
approved) server (IdP, DS, AS, PP, PS, ID-DAP, etc etc). My experience
with it has been excellent. I test the OpenLiberty ID-WSF 2.0 Client
Library against both Conor's toolkit and Symlabs FIS.
http://symlabs.com/products/federated-identity-suite
* Has anybody used the Conor Cahill server toolkit? It
mentions that the implementation is limited, but I wonder if this is
complete enough for prototyping purposes. I also see that the
OpenLibertyJ client library appears to have been tested against this
server.
Yes. Not only appears, but has been tested against. I have found it
great for prototyping, and recently built a partial implementation of a
personal profile service using Conor's toolkit.
Can you share anything about your use case?
talk later,
asa
--
Asa Hardcastle, Technical Lead, openLiberty ID-WSF ClientLib
Tel: +1.413.429.1044 Skype: subsystem7