Discovery Service Client

From OpenLiberty.org Wiki



Discovery Service Client

The ID-WSF Discovery Service is used by a WSC to discover ID-WSF service instances and to describe them; those descriptions in turn let the WSC invoke the same service instances with the appropriate credentials.


Discovery Service Bootstrap

This client will be able to use a bootstrap Disco EPR (urn:liberty:disco:2006-08:DiscoveryEPR) to initiate communication with a discovery service. Initial support will be for SAML 2.0 security tokens. Work will then proceed toward accepting SAML 1 tokens and ID-WSF 1 resource offerings for bootstrap.

Discovery Query

Will query a discovery service (urn:liberty:disco:2006-08:Query) with the bootstrapped assertion. The DS Client will provide mechanisms for the DS Client User to specify the criteria of the query. These will include:

  • ServiceType
  • ProviderId (for a specific WSP)
  • Options (describing the required options that must be supported by a matched WSP)
  • SecurityMechID (identifying the security mechanism(s) that the WSC will support)
  • Framework(s) supported, which will be "2.0" for this library
  • Action (if specified, identifies the required actions; if not, the DS assumes all)
  • resultsType (to specify the size of the set returned: best, all, or only-one)
  • Request for a signed response (urn:liberty:disco:2006-08:options:security-response-x509), which is expressed inside an <option> element

Will support multiple RequestedService blocks in a single query to the DS.

Discovery Response Handling

Will be capable of interpreting a response from a DS (urn:liberty:disco:2006-08:QueryResponse), which may take the form of one or more EPRs to services, each carrying metadata such as the security tokens needed for interaction.

Notes

  • DS unable to provide the necessary security token (ObtainFromIDP): in certain cases the "ref" attribute of the security token in the EPR will contain the URI urn:liberty:disco:tokenref:ObtainFromIDP. In this case the WSC will request a token from an IdP, specifying the security mechanism required by the EPR. It is specified that this takes place following the authentication model defined in LibertyAuthn, using an IdP's SSOS.
  • Should contain best-fit logic that automatically presents the WSC ClientLib User (User) with the best-choice EPR. This might be based on the level of security or on the order of return. It is also possible that the User may override this and choose from a list of possibilities. This logic might also decide against using an EPR or Security Context (in the case of multiple security contexts) where the token is not present and interaction with an AS or SSOS would be required.
  • Support for TargetIdentity.
    • Will support the specification of a targetIdentity for a query to the DS
    • Must be able to handle the response where the EPR returned contains security tokens with usage attributes set to "urn:liberty:security:tokenusage:2006-08:TargetIdentity" and "urn:liberty:security:tokenusage:2006-02:SecurityToken" where the security token of the
  • Must be able to request the location of available AS before principal identity has been established.
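As an added illustration of the ObtainFromIDP note and the best-fit logic above (example code written for this page, not OpenLiberty ClientLib code), the following parses a constructed QueryResponse and chooses an EPR/SecurityContext by an assumed WSC preference order, skipping contexts whose token would first have to be fetched from the IdP unless the caller opts in. The security mechanism IDs and endpoint addresses are illustrative values chosen for the example.

```python
import xml.etree.ElementTree as ET
DISCO = "urn:liberty:disco:2006-08"
SEC = "urn:liberty:security:2006-08"
WSA = "http://www.w3.org/2005/08/addressing"
OBTAIN_FROM_IDP = "urn:liberty:disco:tokenref:ObtainFromIDP"

# Assumed WSC preference order, most preferred first. The mech IDs are
# illustrative values for this example; the wiki page lists none.
MECH_PREFERENCE = ["urn:liberty:security:2005-02:TLS:SAMLV2",
                   "urn:liberty:security:2005-02:TLS:bearer"]

# Constructed QueryResponse with two EPRs for one service: wsp-a offers the stronger
# mechanism but its token must be obtained from the IdP; wsp-b carries its token.
SAMPLE_RESPONSE = f"""<QueryResponse xmlns="{DISCO}" xmlns:wsa="{WSA}" xmlns:sec="{SEC}">
 <Status code="OK"/>
 <wsa:EndpointReference><wsa:Address>https://wsp-a.example/ps</wsa:Address>
  <wsa:Metadata><SecurityContext><SecurityMechID>{MECH_PREFERENCE[0]}</SecurityMechID>
   <sec:Token ref="{OBTAIN_FROM_IDP}"/></SecurityContext></wsa:Metadata>
 </wsa:EndpointReference>
 <wsa:EndpointReference><wsa:Address>https://wsp-b.example/ps</wsa:Address>
  <wsa:Metadata><SecurityContext><SecurityMechID>{MECH_PREFERENCE[1]}</SecurityMechID>
   <sec:Token ref="#tok-b"/></SecurityContext></wsa:Metadata>
 </wsa:EndpointReference>
</QueryResponse>"""

def parse_response(xml_text):
    """Return [(address, [(mech_id, token_ref), ...]), ...], one entry per EPR."""
    root = ET.fromstring(xml_text)
    eprs = []
    for epr in root.iter(f"{{{WSA}}}EndpointReference"):
        address = epr.findtext(f"{{{WSA}}}Address")
        ctxs = []
        for ctx in epr.iter(f"{{{DISCO}}}SecurityContext"):
            tok = ctx.find(f"{{{SEC}}}Token")
            ctxs.append((ctx.findtext(f"{{{DISCO}}}SecurityMechID"), None if tok is None else tok.get("ref")))
        eprs.append((address, ctxs))
    return eprs

def best_fit(eprs, allow_idp_roundtrip=False):
    """Pick (address, mech, needs_idp) with the most preferred supported mechanism."""
    best = None
    for address, ctxs in eprs:
        for mech, ref in ctxs:
            needs_idp = ref == OBTAIN_FROM_IDP  # token absent; would need SSOS/IdP round trip
            if mech not in MECH_PREFERENCE or (needs_idp and not allow_idp_roundtrip):
                continue
            rank = MECH_PREFERENCE.index(mech)
            if best is None or rank < best[0]:
                best = (rank, address, mech, needs_idp)
    return None if best is None else best[1:]
```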


Questions

Logical service type vs service type?

Do we need to support urn:liberty:disco:2006-08 and urn:liberty:disco:2003-08?

TargetIdentity vs InvocationIdentity?

Frameworks supported? 2.0 is assumed to start.

Discovery Service Bootstrap EPR: What existing SSO services have the capability to deliver this inside of a security token?
