Is your software TAS3 or ID-WSF 2.0 compliant?
Is it certified? When, by whom: ____
Have you determined:
SOAP endpoint URL: ___________________
Human friendly name for your service: _______________
Entity ID of your service (usually different from SOAP endpoint): __________________________
Service Type URI of your service: _______________________
The Service Type URI designates the type of service you provide. If you are providing a standardized service, the relevant standard should specify what the Service Type URI is for services of that type. All instances of the service use the same Service Type URI. Some well known Service Types:
"urn:ios:pds:2010-05:dst-2.1" - Internet of Subjects Personal Data Store
"urn:liberty:id-sis-dap:2006-08:dst-2.1" - Liberty ID Directory Access Protocol
"urn:liberty:id-sis-cb:2004-10" - Liberty Contact Book Service
"urn:liberty:id-sis-gl:2005-07" - Liberty Geolocation Service
"http://www.3gpp.org/ftp/Specs/archive/23_series/23.140/schema/REL-6-MM7-1-4" - ID-MM7 messaging service
If you created the service yourself, you can pick the URI as you please, provided that it is globally unique. The usual convention is to use the namespace URI of the top level XML element of the service payload, i.e. the namespace of the first child element of SOAP Envelope Body element.
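The convention above, shown as an added example that is not part of the original questionnaire or of any TAS3 software: it derives the Service Type URI from the namespace of the first child of the SOAP Body. The function names, the `Query` payload element and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_ENVELOPE_NS = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)

def split_qname(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def service_type_from_envelope(xml_text):
    """Return the namespace URI of the first child element of the SOAP Body."""
    # SOAP messages must not carry a DTD; refusing one before parsing also
    # keeps entity-expansion input away from the XML parser.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD is not allowed in a SOAP message")
    root = ET.fromstring(xml_text)
    env_ns, local = split_qname(root.tag)
    if local != "Envelope" or env_ns not in SOAP_ENVELOPE_NS:
        raise ValueError("root element is not a SOAP Envelope")
    body = root.find("{%s}Body" % env_ns)  # Header, if present, is skipped
    if body is None or len(body) == 0:
        raise ValueError("SOAP Body is missing or empty")
    payload_ns, _ = split_qname(body[0].tag)
    if not payload_ns:
        # An unqualified payload cannot yield a globally unique URI.
        raise ValueError("payload element has no namespace")
    return payload_ns

# Constructed sample request for a Contact Book style service.
SAMPLE = """<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
  <e:Header/>
  <e:Body>
    <cb:Query xmlns:cb="urn:liberty:id-sis-cb:2004-10"/>
  </e:Body>
</e:Envelope>"""

if __name__ == "__main__":
    print(service_type_from_envelope(SAMPLE))
```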
Have you registered your service end point with a Discovery Service?
Often the Discovery Service Provider or IdP provides a registration interface on the web. For example, the TAS3 IdP provides the "Circle of Trust Manager" at URL https://idp.tas3.eu/cot/
If you do not plan to use discovery, what arrangements do you plan to use to locate your service? What arrangements do you plan to make for issuing security tokens for accessing your service?
Have you successfully tested calling your web service from a third party web service client?
Is your service an identity service, i.e. does it need to know something about the user?
Does your service need a persistent handle to the user, e.g. to track something about the user? (This question aims to establish whether your service needs to see a persistent or a transient NameID.)
What types of credentials need to be presented upon web service call to authorize the call?
This question aims to determine what credentials your callers will need to gather and present. We do not need a full description of your policy.
Do you need the user to consent to anything, and how do you arrange to obtain consent when needed? Do you plan to use the Interaction Service facility and/or handle Interaction Redirect?
Are you able to act as a Credentials and Privacy Negotiation server? If yes, please provide the end point URL: ________________
What security mechanisms are you willing and able to support?
(__) Bearer Token
(__) Holder of Key Token
(__) X509 signature without token
(__) None
Which Policy Enforcement Points do you implement?
(__) Request Out PEP
(__) Response In PEP
(__) Other, please describe: _______________
Which Policy Decision Point do you use?
(__) Internal or built in
(__) External XACML PDP
(__) Other: _______________
Which obligations or policy languages do you use or support? (tick all that apply)
(__) SOL1
(__) Permis
(__) XACML2
(__) Other, please specify: _____________