[foaf-protocols] wif identity SDK, nice opportunity for webid integration

Peter Williams pwilliams at rapattoni.com
Mon Mar 7 22:39:28 CET 2011


In the namespace Microsoft.IdentityModel.Samples.CustomRequestSecurityToken

In the WIF SDK, there is sample code. A service client authenticates to an STS associated with the service endpoint. It consumes something like HTTP webauth headers, and signs a token. The code shows how to easily add a custom property or two to that token. For example, the webid URI known to be associated with basicAuth user Fred.

Assume that said STS signs for user Fred, with the user's signing key (much like a client authn key). If you want, assume the STS is on the user Fred's host (or not, since it might be on the user's smartcard instead).

The code src also has the validation callback done, so that the service can consume the custom signed token format (now bearing webid). Presumably, it can now do the VA processing steps, per the spec - rather than simply test that a particular custom value exists (in the sample).

Would it matter that no SSL was involved?

Presumably not. A user-signed token has been received, claiming (write-level) control over a resource document identified by name in the signed token. VA confirms this to be true or not. It can be a user-signed token minted by ws-trust, or SSL. It really doesn't matter.

If that STS minting a signed XML token happened to direct it at another STS (e.g. the ACS cloud), this could re-sign the content using the SWT token - for consumption by WIF libraries supporting WCF services exposing their REST bindings instead of SOAP bindings.

Now as part of "claimsauthorization" code class customization of ACS, per tenant, could we imagine IT doing the foaf card callback (or it calling further back itself, to Kingsley's sparql server) - offloading this duty from the RP app?

Alternatively, perhaps Kingsley's server already exposes an STS endpoint directly - and just can play the [integrated] role of ACS?

Since MSFT are assuming a million tenants will setup ACS accounts (to define their federation network), sounds like Kingsley's service could compete - with a million dataspaces doing the same thing.
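An added sketch, not the SDK sample's own code, of the two sides the message describes: a WIF 3.5 custom STS that maps the basic-auth user to a webid URI and issues it as a claim in the signed token, and the RP-side check that the claim is present and well-formed before any VA processing. The claim type URI, the user-to-webid table and the class names are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Tokens;

// STS: map the already-authenticated caller (e.g. basic-auth user "fred") to the webid on file.
public class WebIdIssuingSts : SecurityTokenService
{
    // Hypothetical claim type; neither WIF nor the WebID spec defines one.
    public const string WebIdClaimType = "urn:example:claims:webid";
    // Constructed sample mapping standing in for a real account store.
    private static readonly Dictionary<string, string> WebIdByUser =
        new Dictionary<string, string> { { "fred", "https://fred.example/profile#me" } };

    public WebIdIssuingSts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Sign with the STS signing credentials; leave the token unencrypted so the RP can inspect it.
        var scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false;
        scope.ReplyToAddress = scope.AppliesToAddress;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        string user = principal.Identity.Name, webId;
        if (!WebIdByUser.TryGetValue(user, out webId))
            throw new InvalidRequestException("No webid registered for " + user);
        var identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, user));
        identity.Claims.Add(new Claim(WebIdClaimType, webId));  // the custom property the sample shows
        return identity;
    }
}

// RP side: the signature only proves the STS asserted this webid. Reject tokens without a
// well-formed webid claim; the profile dereference and key match (the VA steps) still follow.
public class WebIdClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incoming)
    {
        var claim = ((IClaimsIdentity)incoming.Identity).Claims.FirstOrDefault(c => c.ClaimType == WebIdIssuingSts.WebIdClaimType);
        Uri webId;
        if (claim == null || !Uri.TryCreate(claim.Value, UriKind.Absolute, out webId)
            || webId.Scheme != Uri.UriSchemeHttps || string.IsNullOrEmpty(webId.Fragment))
            throw new SecurityTokenValidationException("Missing or malformed webid claim");
        return incoming;
    }
}
```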