
2.7.3 Components of Credentials and Privacy Negotiator


Fig-5: Credentials and Privacy Negotiation Components

  1. Service Requestor (SR) discovers the location of the User's Credentials and Privacy Negotiator Agent (U-CPNA) and a candidate list of Web Service Providers (WSPs).

  2. SR passes the candidate list to the U-CPNA.

  3. U-CPNA discovers the location of user's attribute aggregator.

  4. U-CPNA obtains a token with user's pseudonym at the Attribute Aggregator.

  5. U-CPNA obtains the necessary credentials for the user from the Attribute Aggregator. The Attribute Aggregator, in turn, may contact Attribute Authorities to obtain the credentials. Each such contact involves its own web service call, with discovery, IDMap, and actual web service calls, each with the appropriate authorization steps. This complexity is not shown in the diagram.

  6. U-CPNA engages in credentials and privacy negotiation with the WSP's Credentials and Privacy Negotiation service.

  7. Once U-CPNA returns the chosen WSP, the SR obtains a token for calling the WSP.

  8. Finally, the actual web service call is performed (with the appropriate authorization steps, not shown in the diagram).

Some variants and optimizations of this basic flow are possible. One obvious variant is to merge the calls to the Discovery Registry and the IDMapper; the Liberty Alliance Discovery Service [Disco2] effectively uses this optimization.

Another, perhaps more significant, optimization is to integrate the credentials and privacy negotiation under the Discovery Service. In this scenario, the U-CPNA is called from the midst of the discovery process. This reduces steps and may allow the discovery process to use criteria from the credentials and privacy negotiation.


Fig-6: Credentials and Privacy Negotiation optimized flow

  1. Service Requestor (SR) discovers the Web Service Provider (WSP).

  2. Discovery passes the candidate list to the U-CPNA. Discovery can also pass the End Point Reference (EPR), which includes a token with a pseudonym for the call, to the Attribute Aggregator.

  5. U-CPNA obtains the necessary credentials for the user from the Attribute Aggregator in the same way as in the unoptimized case.

  6. U-CPNA engages in credentials and privacy negotiation with the WSP's Credentials and Privacy Negotiation service.

  8. The discovery service returns the EPR of the WSP to the SR. Finally, the actual web service call is performed.
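The Fig-5 flow as an added Python simulation (this is not code from the original page or from any Liberty Alliance implementation): the class and method names, the pseudonym derivation and the "pick the least-demanding acceptable WSP" negotiation rule are assumptions, and the sample attributes and providers are constructed. The optimized flow of Fig-6 changes only who invokes the negotiator, so the same components apply.

```python
import hashlib

class AttributeAggregator:
    """Steps 4-5: holds the user's attributes (Attribute Authority calls are not modelled)."""
    def __init__(self, user_id, attributes):
        self.user_id, self.attributes = user_id, attributes
    def pseudonym_token(self):
        # Step 4: the token carries a pseudonym derived from, but not revealing, the user id
        return {"pseudonym": hashlib.sha256(self.user_id.encode()).hexdigest()[:16]}
    def credentials(self, wanted):
        # Step 5: only the attributes the negotiator asks for leave the aggregator
        return {a: self.attributes[a] for a in wanted if a in self.attributes}

class WSP:
    """A candidate provider whose negotiation service states the attributes it requires."""
    def __init__(self, name, required):
        self.name, self.required = name, frozenset(required)
    def negotiate(self):  # Step 6, provider side
        return self.required
    def invoke(self, token, creds):  # Step 8: the WSP sees only the pseudonym and released credentials
        missing = self.required - set(creds)
        if missing:
            raise PermissionError(f"{self.name}: missing credentials {sorted(missing)}")
        return f"{self.name} served {token['pseudonym']}"

class UCPNA:
    """Steps 4-6 on the user's behalf; the minimal-disclosure rule below is an assumption."""
    def __init__(self, aggregator, release_policy):
        self.aggregator, self.release_policy = aggregator, frozenset(release_policy)
    def choose(self, candidates):
        token = self.aggregator.pseudonym_token()
        # Accept only WSPs whose demands fit the user's release policy, then pick the least demanding
        acceptable = [w for w in candidates if w.negotiate() <= self.release_policy]
        if not acceptable:
            return None
        wsp = min(acceptable, key=lambda w: len(w.negotiate()))
        return wsp, token, self.aggregator.credentials(wsp.negotiate())

def service_request(candidates, aggregator, release_policy):
    """Steps 2, 7 and 8 as seen by the Service Requestor."""
    result = UCPNA(aggregator, release_policy).choose(candidates)
    if result is None:
        return None  # no WSP could be chosen without violating the release policy
    wsp, token, creds = result
    return {"wsp": wsp.name, "released": sorted(creds), "reply": wsp.invoke(token, creds)}

# Constructed sample data, not taken from the page
SAMPLE_AGG = AttributeAggregator("alice@example.invalid", {"age_over_18": True, "country": "SE", "email": "alice@example.invalid"})
SAMPLE_WSPS = [WSP("wsp-a", {"email", "country"}), WSP("wsp-b", {"age_over_18"}), WSP("wsp-c", {"age_over_18", "country"})]
```

Running `service_request(SAMPLE_WSPS, SAMPLE_AGG, {"age_over_18", "country"})` selects wsp-b and releases only `age_over_18`; a policy that fits no candidate yields `None` rather than over-disclosure.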

