[foaf-protocols] wif identity SDK, nice opportunity for webid integration

Kingsley Idehen kidehen at openlinksw.com
Mon Mar 7 22:52:53 CET 2011

On 3/7/11 4:39 PM, Peter Williams wrote:
> In the namespace Microsoft.IdentityModel.Samples.CustomRequestSecurityToken
> In the WIF SDK, there is sample code. A service client authenticates 
> to an STS associated with the service endpoint. It consumes something 
> like http webauth headers, and signs a token. The code shows how to 
> easily add a custom property or two, to that token. For example, the 
> webid URI known to be associated with basicAuth user Fred.
> Assume that said STS signs for user Fred, with the user's signing key 
> (much like a client authn key). If you want, assume the STS is on the 
> user Fred's host (or not, since it might be on the user's smartcard 
> instead).
> The code src also has the validation callback done, so that the 
> service can consume the custom signed token format (now bearing 
> webid). Presumably, it can now do the VA processing steps, per the 
> spec -- rather than simply test that a particular custom value exist 
> (in the sample).
> Would it matter that no SSL was involved?
> Presumably not. A user signed token has been received, claiming 
> (write-level) control over a resource document identified by name in 
> the signed token. VA confirms this, to be true or not. It can be a 
> user signed token minted by ws-trust, or SSL. It really doesn't matter.
> If that STS minting a signed XML token happened to direct it at 
> another STS (e.g. the ACS cloud), this could re-sign the content using 
> the SWP token -- for consumption by WIF libraries supporting WCF 
> services exposing their REST bindings instead of SOAP bindings.
> Now as part of "claimsauthorization" code class customization of ACS, 
> per tenant, could we imagine IT doing the foaf card callback (or it 
> calling further back itself, to Kingsley's sparql server) -- offloading 
> this duty from the RP app?
> Alternatively, perhaps Kingsley's server already exposes an STS 
>  endpoint directly -- and just can play the [integrated] role of ACS?

That's possible too. I just use WebID to constrain who (as in Agent with 
a WebID) can do it etc.

> Since MSFT are assuming a million tenants will setup ACS accounts (to 
> define their federation network), sounds like Kingsley's service could 
> compete -- with a million dataspaces doing the same thing.

Kingsley Idehen	
President&  CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen
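Editor's note, added example (not code from the thread, the WIF SDK or OpenLink). The quoted message leaves the "VA processing steps" in the service's validation callback unstated; the step that makes a WebID claim in a custom token mean anything is: take the public key that actually signed the token (or that authenticated the TLS client, it makes no difference, as Peter says), dereference the WebID's document URI, and check that the profile lists that exact key for that WebID subject. Written in Python rather than C# because the check is independent of WIF; the names below (FRED_WEBID, SAMPLE_PROFILE, fetch_sample, keys_for_webid, verify_webid_claim) and the profile contents are constructed for the example, and the Turtle handling is a minimal parser for this profile shape, standing in for a real RDF parser:

```python
import re
from typing import Callable, List, Tuple

# Constructed sample data (not from the original message): Fred's WebID,
# the RSA key that signed his token, and the FOAF card an HTTPS GET of the
# WebID's document URI would return.  A second person in the same
# document has a different key, to show that keys are matched per subject.
FRED_WEBID = "https://fred.example/profile#me"
FRED_MODULUS = 0xC4F1A93B2D7E8F00112233445566778899
FRED_EXPONENT = 65537

SAMPLE_PROFILE = """\
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<#me> a foaf:Person ;
    foaf:name "Fred" ;
    cert:key [ a cert:RSAPublicKey ;
               cert:modulus "00c4f1a93b2d7e8f00112233445566778899"^^xsd:hexBinary ;
               cert:exponent 65537 ] .

<#colleague> a foaf:Person ;
    cert:key [ a cert:RSAPublicKey ;
               cert:modulus "deadbeef"^^xsd:hexBinary ;
               cert:exponent 3 ] .
"""


def fetch_sample(document_uri: str) -> str:
    """Stand-in for the HTTPS GET of the profile document (assumption:
    only the constructed document above exists)."""
    if document_uri != "https://fred.example/profile":
        raise LookupError(f"no such document: {document_uri}")
    return SAMPLE_PROFILE


def keys_for_webid(profile: str, webid: str) -> List[Tuple[int, int]]:
    """Return the (modulus, exponent) pairs the profile attaches to the
    WebID subject.  Minimal Turtle handling for this profile shape:
    statements end with ' .' at end of line, the subject is the first
    token, and keys are inline cert:key [ ... ] blank nodes."""
    document, _, fragment = webid.partition("#")
    accepted_subjects = {f"<{webid}>", f"<#{fragment}>"}
    keys: List[Tuple[int, int]] = []
    for statement in re.split(r"\.\s*\n", profile):
        statement = statement.strip()
        if not statement or statement.startswith("@prefix"):
            continue
        subject = statement.split(None, 1)[0]
        if subject not in accepted_subjects:
            continue  # key belongs to some other person in the document
        for block in re.findall(r"cert:key\s*\[(.*?)\]", statement, re.S):
            mod = re.search(r'cert:modulus\s+"([0-9A-Fa-f\s:]+)"', block)
            exp = re.search(r'cert:exponent\s+"?(\d+)', block)
            if mod and exp:
                # Normalise hex (leading zeros, separators) by comparing ints.
                modulus = int(re.sub(r"[\s:]", "", mod.group(1)), 16)
                keys.append((modulus, int(exp.group(1))))
    return keys


def verify_webid_claim(webid: str, modulus: int, exponent: int,
                       fetch: Callable[[str], str]) -> bool:
    """The verification-agent step: the token (or TLS handshake) has
    already been checked against (modulus, exponent); now confirm the
    WebID's own profile lists that key for that subject."""
    document, _, _ = webid.partition("#")
    try:
        profile = fetch(document)
    except LookupError:
        return False  # unresolvable WebID: the claim cannot be confirmed
    return (modulus, exponent) in keys_for_webid(profile, webid)


if __name__ == "__main__":
    print("Fred's key:", verify_webid_claim(FRED_WEBID, FRED_MODULUS, FRED_EXPONENT, fetch_sample))
    print("colleague's key claiming Fred:", verify_webid_claim(FRED_WEBID, 0xDEADBEEF, 3, fetch_sample))
```

Usage note: the signature or handshake check is deliberately outside this function. The token library (WIF in the thread) proves that some key signed the token; this step proves the profile owner acknowledges that key. If the two are not wired to the same key object, a token carrying Fred's WebID but signed with anyone else's key passes, which is the failure the "does SSL matter?" question is really about: transport does not matter, but fetching the profile from the WebID's own URI over a channel whose origin you trust does, since that document is the only thing binding key to identity.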
