OpenLiberty Presentation, now available

Posted in Uncategorized by Asa on the April 2nd, 2008

I made a presentation on March 10th in Santa Clara at a workshop preceding the Liberty Alliance Plenary. A few days ago I cleaned it up, filled in the missing pieces. This should give you a good overview of the state of the ID-WSF Client Library, the ECP plugin, and new code about to be contributed to OpenLiberty (ID-WSF and SAML2 SP).

Download the PDF OpenLiberty Presentation.

2.0.0 release of OpenSAML/J Announced!

Posted in Uncategorized by Asa on the March 19th, 2008

Chad La Joie of SWITCH announced yesterday the release of OpenSAML/J v2.0.0. This is excellent news. As you probably know, the ID-WSF Client Library is based on the OpenSAML/J libraries. I am on the svn change notification email list and I can tell you that this release is the result of a huge amount of work.

From Chad:

“So I’m very happy to announce the 2.0.0 release of OpenSAML/J. This release closes out the remaining bugs from all the previous release candidates.

Documentation:
http://opensaml.org

Downloads:
http://shibboleth.internet2.edu/downloads/opensaml/java

We are working on the following items for future releases:
- Move to Maven build system
- Merge in the XACML code contribution provided by the EGEE Collaboration
- Merge in the WS-Trust code contribution provided by the EGEE Collaboration

And for those that like metrics, Ohloh indicates that OpenSAML 2.0 (Java and C++ versions) represents about 39 person years of work.
http://www.ohloh.net/projects/4504

Scott will be releasing the C++ code at a later date.”

Thank you for all of your hard work! I am looking forward to the upcoming additions.

Pre-alpha of Firefox plugin checked into svn

Posted in Uncategorized by peter on the March 10th, 2008

Just to let everyone know … the ECP plugin for Firefox has been checked into subversion.

There are a couple caveats:

  • Is preliminary only
  • Needs testing
  • No installation docs … yet
  • User IdP selection dialog isn’t yet functional

I will post an xpi file for easy installation as soon as I get through the next round of debugging.

Question for everyone … do I need to sign this extension? And if so, whose CA should I use?

Peter Pritchard Begins ECP Plugin Development

Posted in Uncategorized by Asa on the March 3rd, 2008

I am very excited to welcome Peter Pritchard to the development team for openLiberty. He has begun the development of a SAMLv2 ECP Firefox extension. You will notice that we are adding it to the projects on openLiberty. The WSF-DEV mailing list will be used for discussion, and the WSF-DEV phone calls will be used for ECP discussion as well as clientlib discussions.

Peter Pritchard is a programmer at Zenn New Media in western Massachusetts. His duties vary from back-end data modeling, front-end xhtml/js/css to client/server integration mechanisms. Primarily a Java/WebObjects programmer, he also works in Javascript, Ruby, Objective-C or anything else he can get away with for a particular project.

When he is not working on the latest project at Zenn, he is designing Tesla-based gravity engines, watching Smallville episodes, playing piano (poorly) or playing Candyland with his two daughters, Lucy and Stella.

IGF AttributeServices Milestone 0.2 Checked In!

Posted in IGF by pjdhunt on the February 29th, 2008

The initial code-drop for IGF Attribute Services API has been checked in. This drop is based on igf-carml-08 schema (and is included in the project code repository).

In SVN you can either download the head version (under trunk), or the milestone0.2 version under branches.

Within each of trunk and branches/milestone0.2 you will find two eclipse projects:

  • org.openliberty.igf.attributeServices
  • org.openliberty.igf.attributeServices.test

The latter project is the JUnit code that tests the API in the first project. The JUnit code is currently the best way to see examples of how to use the API at this time.
Note: I don’t see any reason why these projects shouldn’t work in NetBeans or JDeveloper. However, I must confess I haven’t tested them. I was following the id-wsf client project’s example by using Eclipse. Since this release is still an early release, no build files have been constructed yet. This release is for comment and input.

Highlights for this check-in are:

  • Basic implementation of the Attribute Services API including
    • Carml Schema Declaration
    • Simplistic WS-Policy support - policy is not yet interpreted (see note below)
    • Carml Transaction Declaration (Add, Authenticate, Delete, Modify, Read, Search)
    • Transaction Implementation (for all above)
  • IGF Stack Provider Interface - the interface that products like OVD need to implement to accept an IGF Attribute Service client.
  • CARML document reader and writer methods
  • JAAS LoginModule Implementation - rudimentary integration with platform/container security
  • JUnit tests validating operations above. Note: the Write CARML step fails since XML is not done
  • A Test provider that simulates a memory based repository.

There are still many items to implement, some of which are:

  • Policy Assertions is still just a dumb object. And igf-appidpolicy and igf-deployid policy are not implemented. I’m still looking for a good open source implementation of WS-Policy - I found Apache Neethi, but it had some questionable dependencies that I still need to research.
  • No server-side support such as AAPML
  • IDE Integration Tools - this is another (much bigger) project that will happen likely after Liberty publishes IGF specs.
  • There is no end-to-end demo. Next step is to write providers for Higgins IdAS and other possible connectors or attribute authorities.
  • Deployment management - the API does not handle configuration management. This would be the job of the provider (e.g. OVD, Higgins) to decide how best to handle this.

The API description on the openLiberty site has been revised. The chief reason is we made some major changes after broader discussion:

  • Separated schema from transactions. Now schema is declared on its own and transactions use schema, rather than the other way around. This is more friendly to enterprises who would like to use standardized schema or use enterprise standard schemas.
  • Introduction of Roles and Filters
  • Support for WS-Policy and the new drafts for (igf-appIdPolicy and igf-DeployIdPolicy)

Enjoy

beta!!!

Posted in ClientLib, Updates by Asa on the February 25th, 2008

Hardcastle deploys the beta

This is the official announcement for the beta release of the ID-WSF 2.0 ClientLib! We have been working like mad to get this release out (hence the photo with this post). Lots of new code was cut, lots of old code was gutted or reworked, and there are many new features.

This release marks excellent progress, but there is still a lot of work to do. The beta is not bug free nor is it thoroughly tested. It is ready for other people to sink their teeth into and give feedback, make requests, or write some code. For development purposes we are currently testing against two ID-WSF WSPs and have access to a third (HP Select Federation) which we hope to have working with the library before Version 1 release planned later this year.

This beta would not have been possible without help from a number of people. Notably Conor Cahill, Sampo Kellomäki, and Scott Cantor & the OpenSAML guys. Luckily these people also wrote many of the specifications documents.

What’s New:

  • Liberty SOAP Bindings fully implemented
  • Handling of CredentialsContext
  • Handling of EndpointUpdate
  • Added WSFMessageSigner
  • TLS and ClientTLS support
  • Bearer & SAMLv2 Support (Signing!)
  • CRAM-MD5 SASL Authentication
  • Addition of ID-SIS-DAP XML Tooling and basic Service Client
  • Addition of WSCUtilities to simplify basic ID-* operations
  • Simplified approach to creating OpenSAML XML Tooling classes (Element, marshaller, unmarshaller, and builder as a self contained unit)
  • javadoc now available
  • sample code available
  • switched from HttpURLConnection to not-yet-commons-ssl for transport
  • Added BaseServiceClient
  • Reworked the website to get you to the code faster
  • Testing has begun with Symlabs Federated Identity

What remains:

  • Lots of testing
  • Liberty Certification
  • OpenLiberty public testing environment
  • compress the Tooling Objects that rely on 4 classes into 1 as per the new method
  • sample application using the library
  • more utility methods
  • Build out: ID-SIS-DAP, People Service
  • More Service Clients: ID-SIS SMS and MMS, Contact Book (ID-SIS-CB), SSOService …

If you have questions or interest, please send me a note at asa.openlibertyREMOVEIT@zenn.net (remove the REMOVEIT from the email).

Also, I will be in Santa Clara at the Liberty Alliance plenary meeting, all week. On Monday I’ll be presenting the library. If you are in the area or at the plenary and you want to check it out, do some coding, interop, anything, just send me a note and I’ll send you my cell #.

Building ID-SIS-DAP

Posted in ClientLib, Updates by Asa on the February 9th, 2008

The BETA deadline (February 16th) is rapidly approaching! With this in mind there are two major goals. The first is to have signing enabled and the second is to have an ID-SIS-DAP service client (SC) available. Development on the ID-SIS-DAP SC is going very well and has been a good learning experience. Here’s why:

The ID-WSF 2.0 ClientLib uses OpenSAML xmltooling, ws, and saml libraries. There are no xsd code generators for the java-xmltooling classes, so I have spent a great deal of time becoming acquainted with the xsd for the various Liberty specifications. I also spent a lot of time writing marshallers, unmarshallers, and builders. So for each element, there is the potential for 4 files. This gets big really fast. With the ID-SIS-DAP SC I began to embed the marshaller, unmarshaller, and builder inside the element class as static internal classes. Yay!! This has taken care of a tremendous amount of clutter, and generally helps with readability.

If you are using OpenSAML’s java-xmltooling and you want to use this method, make sure that the nested classes are static, and reference the internal classes in the config file like this:

<MarshallingClass className="org.openliberty.xmltooling.idsis.dap.DAPModifyItem$Marshaller" />

Notice the “$” between DAPModifyItem and Marshaller. This is the JVM’s binary-name separator and indicates that Marshaller is a nested class of DAPModifyItem.
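To show the nested-class layout end to end, here is an added example (not code from the OpenLiberty ClientLib): a hypothetical SimpleItem element with its Builder, Marshaller and Unmarshaller as public static nested classes, followed in a trailing comment by the matching xmltooling ObjectProvider entry. Base-class and method names are those of OpenSAML 2 java-xmltooling (org.opensaml.xml.*); the element, package and namespace are made up.

```java
package org.example.tooling;
import org.opensaml.xml.AbstractXMLObject;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.AbstractXMLObjectBuilder;
import org.opensaml.xml.io.AbstractXMLObjectMarshaller;
import org.opensaml.xml.io.AbstractXMLObjectUnmarshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;

// Hypothetical leaf element <ex:SimpleItem id="...">text</ex:SimpleItem>, constructed for this example.
public class SimpleItem extends AbstractXMLObject {
    private String id;
    private String value;
    protected SimpleItem(String ns, String localName, String prefix) { super(ns, localName, prefix); }
    public void setId(String v) { id = prepareForAssignment(id, v); }        // also marks the object dirty
    public void setValue(String v) { value = prepareForAssignment(value, v); }
    public java.util.List<XMLObject> getOrderedChildren() { return java.util.Collections.emptyList(); }
    // Public static nested classes with no-arg constructors: xmltooling instantiates them by
    // reflection from the binary class name, e.g. "org.example.tooling.SimpleItem$Builder".
    public static class Builder extends AbstractXMLObjectBuilder<SimpleItem> {
        public SimpleItem buildObject(String ns, String localName, String prefix) {
            return new SimpleItem(ns, localName, prefix);
        }
    }
    public static class Marshaller extends AbstractXMLObjectMarshaller {
        protected void marshallAttributes(XMLObject o, Element dom) throws MarshallingException {
            if (((SimpleItem) o).id != null) dom.setAttributeNS(null, "id", ((SimpleItem) o).id);
        }
        protected void marshallElementContent(XMLObject o, Element dom) throws MarshallingException {
            if (((SimpleItem) o).value != null) dom.setTextContent(((SimpleItem) o).value);
        }
    }
    public static class Unmarshaller extends AbstractXMLObjectUnmarshaller {
        protected void processChildElement(XMLObject parent, XMLObject child) throws UnmarshallingException {
            throw new UnmarshallingException("SimpleItem has no child elements"); // reject unexpected input
        }
        protected void processAttribute(XMLObject o, Attr a) throws UnmarshallingException {
            if ("id".equals(a.getLocalName())) ((SimpleItem) o).setId(a.getValue());
        }
        protected void processElementContent(XMLObject o, String text) { ((SimpleItem) o).setValue(text); }
    }
}
// Matching xmltooling config entry; note the "$" in each className:
// <ObjectProvider qualifiedName="ex:SimpleItem" xmlns:ex="urn:example:tooling">
//   <BuilderClass className="org.example.tooling.SimpleItem$Builder"/>
//   <MarshallingClass className="org.example.tooling.SimpleItem$Marshaller"/>
//   <UnmarshallingClass className="org.example.tooling.SimpleItem$Unmarshaller"/>
// </ObjectProvider>
```

If a nested provider is left non-static or without a public no-arg constructor, the config loader fails when it tries to instantiate it, so that is the first thing to check when the ObjectProvider entry is not picked up.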

Oh, and from Chad at OpenSAML:

The Java OpenSAML 2.0 Release Candidate 2 release is now available at the normal download site.

http://shibboleth.internet2.edu/downloads/opensaml/java/

This release includes minor bug fixes found in RC1 and includes the generated javadocs. This is the last release candidate and the next release will be the final 2.0 release.

The ClientLib tests fine with RC2.

ClientLib Interop at January TEG Interim with Symlabs

Posted in ClientLib, Updates by Asa on the January 31st, 2008

Late news, but still very relevant. Earlier this month we took the alpha to Boston for a presentation at the Jan 8-10 TEG Interim, and interoperability testing with Symlabs Federated Identity Suite. We also made a visit to Parity Communications to meet with members of the Higgins Project to discuss some project synergies. Brett will follow with a post that has more details.

The presentation at the TEG Interim lasted about an hour and covered as many aspects of the project as possible. We discussed the website and the tools we’re using for collaboration, we went through some code, specifically the non-standard DST 2.1 based Profile Service, and discussed briefly the trajectory of the project as a whole. Our next deadline (BETA), approaching quickly, is two days after Valentine’s Day, February 16th!!!! Not sure why we keep choosing deadlines right around holidays, but there you have it.

The big news from going to Boston was having a chance to meet with Sampo Kellomäki, the Chief Architect at Symlabs. Sampo is extremely knowledgeable in the development and practice of ID-WSF and has written several Liberty specifications. He also has an open source project, ZXID, which is aiming for a full stack implementation of all federated identity management and identity web services protocols. ZXID is written in C and supports Perl, PHP, and Java. It is 95% ID-WSF 2.0 feature complete. We are planning on testing with ZXID as soon as possible, using the Java support.

In Boston Sampo and I tested the ClientLib against Symlabs Federated Identity Suite. We successfully authenticated using the Symlabs AS and pulled a Discovery EPR. We then used the Discovery EPR to get another Discovery EPR from the DS. This was fun, and it all went off really well. So, we went to Boston and celebrated. The next day we did some more work and were able to use the DST 2.1 reference implementation to create an ID-DAP query and parse the response. ID-DAP (which is part of Symlabs Federated Identity) provides federated identity based access to an LDAP directory. It is a great example of an in-production service that utilizes DST 2.1.

Overall it was a very successful trip. I learned a lot, did some testing, made some friends, and came back to Berkshire County in one piece. Keep your eyes open for the BETA on Feb 16th!

WSC ClientLib Alpha Delivered!!

Posted in ClientLib, Updates by Curtis on the January 2nd, 2008

We are very pleased to announce that, after many setbacks and challenges, the ClientLib Alpha is now available online! As of this build, it is possible to use the AS client and the DS client with Conor Cahill’s WSP. The Personal Profile Service Client (operating on DST 2.1) is now complete — and there is now a shell of a People Service Client as well.

To enable you to begin experimenting with this build, we’ve put together a simple quick start, involving 5 simple steps. Please feel free to take a look and let us know what you think, but bear in mind that this is still Alpha code!

More Personal Profile Progress

Posted in Uncategorized by Curtis on the December 19th, 2007

Here’s the latest update on our PP 1.1 client implementation:

The PP 1.1 XML schema has now been built out in its entirety — based on DST 1.1. This includes element classes, unmarshallers, marshallers, and builders. However…

When Asa got to the development of the queries, he realized that the 1.1 spec was looking for a discovery resourceID that has been deprecated as of ID-WSF 2. So, he’s now working on a DST 2.1 adaptation.

There was a suggestion recently that we should be building ID-DAP, which gives existing LDAP directories the ability to exist in a Liberty ID-WSF environment. Apparently Symlabs has implemented this. If anyone has info on the usage of ID-DAP, please post it!

Here’s what Symlabs says about it (from their site):

“ID-DAP clients can invoke this web service to remotely perform LDAP operations with no requirement to reveal a user’s actual private identity information, such as a telephone number.”

More snow expected tonight — looks like it’ll be a white Xmas… :-)
