TAS³: Protocols, API, and Concrete Architecture (14)

Jan 13, 2011


Table of Contents

1 Introduction
1.1 Standardized Wire Protocol Interfaces
1.2 Composition and Co-location of Architectural Components
2 Protocols and Profiles
2.1 Signature and Encryption Considerations
2.2 Supported Authentication and Login Systems
2.2.1 System Entity Authentication
2.2.2 SAML
2.2.2.1 Authentication Request
2.2.2.2 Authentication Response
2.2.3 Proxy IdP Profile
2.2.4 Shibboleth
2.2.5 eID and Other Smart Cards
2.2.6 One-Time-Password Tokens
2.2.7 OpenID
2.2.8 CardSpace / InfoCard and WS-Federation
2.2.9 CA / Netegrity Siteminder Proprietary SSO
2.2.10 Citrix, Sun, and other proprietary SSO
2.2.11 Web Local Login
2.2.12 Desktop Login
2.2.13 Fat Client Login
2.2.14 User Not Present or Batch Operations
2.3 Supported Identity Web Services Systems
2.3.1 Framework
2.3.2 Liberty ID-WSF Profile
2.3.3 Bare WS-Security Header or Simplified ID-WSF
2.3.4 WS-Trust
2.3.5 RESTful Approach
2.3.6 Message Bus Approach
2.4 Authorization Systems
2.4.1 Authorization Queries
2.4.2 Policy Languages
2.5 Trust and Security Vocabularies
2.5.1 Levels of Authentication (LoA)
2.5.2 Vocabularies for Authorization
2.5.3 Vocabularies for Basic Attributes (PII)
2.5.4 Discovery Vocabularies
2.5.5 Security and Trust Vocabularies
2.5.6 Audit Vocabularies
2.6 Realization of the Discovery Function
2.7 Realization of the Credentials and Privacy Negotiator Function
2.7.1 Discovery in Credentials and Privacy Negotiation
2.7.2 Frontend Credentials and Privacy Negotiation
2.7.3 Components of Credentials and Privacy Negotiator
2.7.4 Protocol between Service Requester and the Credentials and Privacy Negotiation Agent
2.7.5 Protocol between Credentials and Privacy Negotiation Agent and Attribute Aggregator
2.7.6 Protocol between Credentials and Privacy Negotiation Agent and Service
2.8 Using Trust Scoring in Discovery
2.8.1 Specifying Trust Inputs
2.8.2 Returning Trust Scores
2.9 Realization of the Audit and Dashboard Function
2.9.1 Audit Event Bus
2.9.2 Audit Event Ontology
2.9.3 Dashboard Function
2.9.4 User Interaction
2.9.5 TAS3 User Interaction Widget
2.10 Realization of Delegation Function
2.11 Attribute Authorities
2.12 TAS3 Simple Obligations Language (SOL)
2.12.1 SOL1 Query String Attributes
2.12.2 Matching Pledges to Sticky Policies and Obligations
2.12.3 Passing Simple Obligations Dictionaries Around
2.13 Realization of Sticky Policies
2.14 Passing Additional Credentials in Web Service Call
2.15 Uniform Application Status and Error Reporting
2.15.1 TAS3 Status Header
2.15.2 TAS3 Status Codes
2.15.3 TAS3 Control and Reporting Points
2.16 Registration of Business Process Models
3 The Official TAS3 API (normative, but non-exclusive)
3.1 Language Independent Description of the API
3.1.1 Single Sign On (SSO) Alternatives
3.1.2 SSO: ret = tas3_sso(conf, qs, auto_flags)
3.1.3 Authorization: decision = tas3_az(conf, qs, ses)
3.1.4 Authorization base: decision = tas3_az_base(conf, qs, ses)
3.1.5 Web Service Call: ret_soap = tas3_call(cf, ses, svctype, url, di_opt, az_cred, req_soap)
3.1.6 Requester out: req_decor_soap = tas3_wsc_prepare_call(cf, ses, svctype, az_cred, req_soap)
3.1.7 Requester in: status = tas3_wsc_valid_resp(cf, ses, az_cred, res_decor_soap)
3.1.8 Responder in: tgtnid = tas3_wsp_validate(cf, ses, az_cred, soap_req)
3.1.9 Responder out: soap = tas3_wsp_decorate(cf, ses, az_cred, soap_resp)
3.1.10 Explicit Discovery: epr = tas3_get_epr(cf, ses, svc, url, di_opt, act, n)
3.1.11 url = tas3_get_epr_url(cf, epr)
3.1.12 entityid = tas3_get_epr_entid(cf, epr)
3.1.13 a7n = tas3_get_epr_a7n(cf, epr)
3.1.14 SOAP Fault and Status Generation and Inspection
3.1.15 Delegated Discovery
3.2 Java Binding
3.2.1 Interface and Initialization
3.2.2 Initialize: cf = tas3.new_conf_to_cf(conf)
3.2.3 New session: ses = tas3.new_ses(cf)
3.2.4 SSO: ret = tas3.sso_cf_ses(cf, qs_len, qs, ses, null, auto_flags)
3.2.5 Authorization: decision = tas3.az_cf_ses(cf, qs, ses)
3.2.6 WSC: resp_soap = tas3.call(cf, ses, svctype, url, di_opt, az_cred, req_soap)
3.2.7 WSP: tgtnid = tas3.wsp_validate(cf, ses, az_cred, soap_req)
3.2.8 WSP: soap = tas3.wsp_decorate(cf, ses, az_cred, soap_resp)
3.2.9 Explicit Discovery: epr = tas3.get_epr(cf, ses, svc, url, di_opt, act, n)
3.2.10 url = tas3.get_epr_url(cf, epr)
3.2.11 entityid = tas3.get_epr_entid(cf, epr)
3.2.12 a7n = tas3.get_epr_a7n(cf, epr)
3.2.13 Available Implementations (Non-normative)
3.3 PHP Binding
3.3.1 Application Level Integration
3.3.2 cf = tas3_new_conf_to_cf(conf)
3.3.3 ses = tas3_new_ses(cf)
3.3.4 SSO: ret = tas3_sso_cf_ses(cf, -1, qs, ses, null, auto_flags)
3.3.5 Authorization: decision = tas3_az_cf_ses(cf, qs, ses)
3.3.6 WSC: resp_soap = tas3_call(cf, ses, svctype, url, di_opt, az_cred, req_soap)
3.3.7 WSP: tgtnid = tas3_wsp_validate(cf, ses, az_cred, soap_req)
3.3.8 WSP: soap = tas3_wsp_decorate(cf, ses, az_cred, soap_resp)
3.3.9 Explicit Discovery: epr = tas3_get_epr(cf, ses, svc, url, di_opt, act, n)
3.3.10 url = tas3_get_epr_url(cf, epr)
3.3.11 entityid = tas3_get_epr_entid(cf, epr)
3.3.12 a7n = tas3_get_epr_a7n(cf, epr)
3.3.13 Available Implementations (Non-normative)
3.4 C and C++ Binding
3.4.1 cf = tas3_new_conf_to_cf(conf)
3.4.2 ses = tas3_new_ses(cf)
3.4.3 SSO: ret = tas3_sso_cf_ses(cf, qs_len, qs, ses, &res_len, auto_flags)
3.4.4 Authorization: decision = tas3_az_cf_ses(cf, qs, ses)
3.4.5 WSC: resp_soap = tas3_call(cf, ses, svctype, url, di_opt, az_cred, req_soap)
3.4.6 resp_soap = tas3_callf(cf, ses, svctype, url, di_opt, az_cred, fmt, ...)
3.4.7 WSP: tgtnid = tas3_wsp_validate(cf, ses, az_cred, soap_req)
3.4.8 WSP: soap = tas3_wsp_decorate(cf, ses, az_cred, soap_resp)
3.4.9 WSP: soap = tas3_wsp_decoratef(cf, ses, az_cred, fmt, ...)
3.4.10 Explicit Discovery: epr = tas3_get_epr(cf, ses, svc, url, di_opt, act, n)
3.4.11 url = tas3_get_epr_url(cf, epr)
3.4.12 entityid = tas3_get_epr_entid(cf, epr)
3.4.13 a7n = tas3_get_epr_a7n(cf, epr)
3.4.14 Available Implementations (Non-normative)
3.5 Other Language Bindings
4 Deployment and Integration Models (Non-normative)
4.1 Frontend and Web Services Client Integration Model (Non-normative)
4.1.1 Integration Using ZXID (Non-normative)
4.1.2 Integration Using Other Platforms, Frameworks, and Packages (Non-normative)
4.2 Web Services Provider Integration Model (Non-normative)
5 Resilient Deployment Architecture (Non-normative)
5.1 Zero Downtime Updates
6 Feasibility and Performance Analysis (Non-normative)
6.1 Single use of single web service
6.1.1 Cost without auditing
6.1.2 Cost without auditing and without authorization
6.1.3 Cost without XML
6.2 Session of 3 frontends and five web services
7 Best Practises
8 Annex A: Examples
8.1 SAML 2.0 Artifact Response with SAML 2.0 SSO Assertion and Two Bootstraps
8.2 ID-WSF 2.0 Call with X509v3 Sec Mech
8.3 ID-WSF 2.0 Call with Bearer (Binary) Sec Mech
8.4 ID-WSF 2.0 Call with Bearer (SAML) Sec Mech
9 Annex B: Technical Self Assessment Questionnaire
9.1 Overview and Scope
9.2 System Entity Credentials and Private Keys
9.3 Trust Management
9.4 Threat and Risk Assessments
9.5 Service Provider Questions
9.5.1 Front End (FE) Single Sign-On Questions
9.5.2 Web Service Provider (WSP) Questions
9.5.3 Attribute Authority Questions
9.5.4 Web Service Client (WSC) Questions
9.6 Single Sign-On Identity Provider (IdP), Discovery Service, Discovery Registry, Identity Mapper, or Delegation Service Questions
9.6.1 Identity Provider Questions
9.6.2 Discovery Service Questions
9.7 Any Other Architectural Role