Liberty Alliance ID-WSF
The Liberty Identity Web Services Framework (ID-WSF) is a standards-based architecture for identity-based web services. An identity-based web service is one that exposes an interface on behalf of a particular user's identity. For example, Lois may have her social graph on Orkut – that graph can be made available to requestors through an identity-based service. ID-WSF addresses the following concerns:
- Authentication - As the provider of a web service, I might wish to know who is accessing my service in order to ensure that only authorized users are provided service access. This demands that service requestors be authenticated.
- Message protection - Both clients and providers of web services would like to know that messages they send cannot be intercepted by a malicious entity and then either modified or cached and then replayed.
- Privacy protection - Unless special care is taken, identifiers for Lois used in web service calls can serve as handles by which her actions and identity at various providers can be inappropriately correlated. ID-WSF defines a number of mechanisms to inhibit such correlation.
- Service discovery and addressing - Some application requiring a particular attribute of Lois will need to discover where the associated identity service is concretely located in order to address messages to the service. For instance, for an SP to offer Lois customized service based on her geolocation, the SP will first need to determine from where such location data can be retrieved.
- Interaction – Before an Identity Service Provider will release Lois's identity attributes to a requestor, it will want consent from Lois that such sharing is acceptable. ID-WSF defines a number of mechanisms both for obtaining such real-time consent and for indicating this fact in messages.
- Social identity – The People Service allows Lois to manage her social graph (friends, family, colleagues, etc.) at a social network provider of her choice, and subsequently leverage it at other service providers.
ID-WSF 2.0 is optimized to work with SAML 2.0 SSO, with ID-WSF-based attribute sharing operations following SAML SSO. ID-WSF can, however, also work with other SSO schemes (with appropriate profiling).
Shown below is an ID-WSF scenario in which:
- A user SSOs into the SP Puppies.com from their IdP using SAML and purchases a puppy.
- Puppies.com discovers where the user's shipping address is stored.
- The Profile Provider interacts with the user through their phone to confirm consent.
- The Profile Provider returns the shipping address to Puppies.com.
- Puppies.com ships the Great Dane puppy to the user.
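The scenario above, together with the message-protection, privacy and interaction concerns listed earlier, can be walked through in a small constructed simulation. This is an added example, not Liberty Alliance code and not the ID-WSF SOAP/WS-Security wire format: it models an IdP that issues signed tokens carrying a discovery bootstrap, a Discovery Service that resolves the user's profile endpoint and hands out a token scoped to that endpoint, and a Profile Provider that verifies the token, rejects replays, asks the user for consent, and only then releases the shipping address. Every name, endpoint URL, key and user record is an assumption invented for the example; per-provider pseudonyms stand in for ID-WSF's federated identifiers, and HMAC stands in for XML signatures.

```python
"""Constructed ID-WSF-style flow: SSO -> discovery -> consent -> attribute release.
Not the real protocol; all identifiers below are assumptions for this example."""
import hashlib
import hmac
import json
import secrets
import time

IDP_KEY = secrets.token_bytes(32)                   # assumed key shared by IdP and Discovery Service
USER = "lois"                                       # constructed user
PROFILE_DB = {USER: {"shipping_address": "1 Kennel Lane, Metropolis"}}  # constructed record
SERVICE_TYPE = "urn:example:profile"                # assumed service type URI
SP_ID = "https://puppies.example"                   # assumed SP (Puppies.com)
DS_ID = "https://idp.example/disco"                 # assumed Discovery Service
PP_ID = "https://profile.example/ps"                # assumed Profile Provider endpoint
MAX_AGE = 300                                       # seconds a token stays valid

def pseudonym(user, audience):
    """Per-provider handle: two providers get different values and cannot correlate Lois."""
    return hmac.new(IDP_KEY, f"{user}|{audience}".encode(), hashlib.sha256).hexdigest()[:16]

def _sign(fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()

def issue_token(user, audience, extra=None):
    """Signed token bound to one audience, with timestamp and nonce for replay detection."""
    fields = {"subject": pseudonym(user, audience), "audience": audience,
              "issued_at": time.time(), "nonce": secrets.token_hex(8), **(extra or {})}
    return {**fields, "sig": _sign(fields)}

def issue_sso_assertion(user, sp):
    """SSO assertion to the SP; carries a bootstrap token for the Discovery Service."""
    return issue_token(user, sp, {"bootstrap": issue_token(user, DS_ID)})

def verify_token(token, expected_audience, seen_nonces):
    """Signature, audience, freshness and replay checks; records the nonce on success."""
    fields = {k: v for k, v in token.items() if k != "sig"}
    if not hmac.compare_digest(_sign(fields), token.get("sig", "")):
        return False
    if fields["audience"] != expected_audience:
        return False
    if time.time() - fields["issued_at"] > MAX_AGE:
        return False
    if fields["nonce"] in seen_nonces:          # cached-and-replayed message
        return False
    seen_nonces.add(fields["nonce"])
    return True

class DiscoveryService:
    def __init__(self):
        self.seen = set()
        self.index = {pseudonym(USER, DS_ID): USER}          # federation set up out of band
        self.registry = {(USER, SERVICE_TYPE): PP_ID}        # where Lois's profile lives

    def lookup(self, bootstrap, service_type):
        if not verify_token(bootstrap, DS_ID, self.seen):
            return None
        user = self.index.get(bootstrap["subject"])
        endpoint = self.registry.get((user, service_type))
        if endpoint is None:
            return None
        # Endpoint reference plus a fresh token usable only at that provider
        return endpoint, issue_token(user, endpoint)

class ProfileProvider:
    def __init__(self, ask_user):
        self.seen = set()
        self.index = {pseudonym(USER, PP_ID): USER}
        self.ask_user = ask_user                             # interaction channel (e.g. phone)

    def query(self, token, attribute, requester):
        if not verify_token(token, PP_ID, self.seen):
            return None
        user = self.index.get(token["subject"])
        if user is None or not self.ask_user(user, requester, attribute):
            return None                                      # no consent, no release
        return PROFILE_DB[user].get(attribute)

def run_scenario(consent_decision=True):
    """Steps 1-4 of the Puppies.com scenario; returns the shipping address or None."""
    ds = DiscoveryService()
    pp = ProfileProvider(lambda user, requester, attr: consent_decision)
    sso = issue_sso_assertion(USER, SP_ID)                  # 1: SSO into Puppies.com
    found = ds.lookup(sso["bootstrap"], SERVICE_TYPE)       # 2: discover the profile endpoint
    if found is None:
        return None
    endpoint, token = found
    return pp.query(token, "shipping_address", SP_ID)       # 3-4: consent, then release

def replay_is_rejected():
    pp = ProfileProvider(lambda user, requester, attr: True)
    token = issue_token(USER, PP_ID)
    return pp.query(token, "shipping_address", SP_ID) is not None and \
        pp.query(token, "shipping_address", SP_ID) is None

def misdirected_token_is_rejected():
    """A token issued for the SP is useless at the Profile Provider."""
    pp = ProfileProvider(lambda user, requester, attr: True)
    return pp.query(issue_token(USER, SP_ID), "shipping_address", SP_ID) is None

def handles_differ():
    return pseudonym(USER, SP_ID) != pseudonym(USER, PP_ID)

if __name__ == "__main__":
    print(run_scenario(), run_scenario(consent_decision=False))
```

Running `run_scenario()` returns the constructed address; with consent refused it returns `None`. The two helper checks show the properties the list above asks for: the same signed token presented twice is refused (message protection against replay), a token bound to one audience is refused elsewhere, and Puppies.com and the Profile Provider hold different handles for Lois (privacy protection against correlation).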