Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
RDF-directed claim type transformation in the Schemat Selector
(20070706)
Informed Control released today the first version of the Schemat Selector, a proof of concept research implementation of an InfoCard identity selector, that illustrates the use of the Schemat Consumer and Schemat libraries for generating and parsing RDF.
The design of this selector differs from typical CardSpace-inspired identity selectors, as it assumes the user already has defined one or more personas which incorporate their personal attributes (such as name or address). A card is tied to a persona, which supplies the identity attributes which are sent to a web site as claims when using that card. The only claims which are stored with a card are those which are not part of the user's persona.
This design decision is intended to simplify the management of self-issued cards: a user may already manage certain claim values (such as their telephone number, email address or mailing address) in repositories maintained by other tools or social networking services external to the InfoCard environment. In order to avoid duplication of data, a self-issued card should not store these values, but should leverage existing repositories. In this first version, the card takes its values from a persona which is imported from a file, but later implementations could have the card dynamically obtain values from the user's web resource describing themselves (in LDIF, vCard, FOAF, RDFa, etc).
After initializing their card store (implemented as a JCE keystore),
java -jar schemat_selector.jar --initialize-home keystore password: secret
the user imports a persona into their store. This version of the selector uses Schemat to implement parsing the persona from a file encoded either in RDF with FOAF-defined properties,
java -jar schemat_selector.jar --import-persona \
    --import-file file:///tmp/me.rdf#me /tmp/me.rdf \
    --persona personal
or in LDIF with the RFC 2079 (labeledURI), 2798 (inetOrgPerson), 4512 (top), 4519 (person) and 4524 (pilot) attributes.
java -jar schemat_selector.jar --import-persona \
    --import-file file:///tmp/me.ldif#uid=me /tmp/me.ldif \
    --persona work
When the user logs in to a web site using that persona,
java -jar schemat_selector.jar --login --persona work \
    --uri https://rp.example.com/relyingparty/
they are prompted to create a new card, or send an existing card (if one is present in that store for that persona). When creating a new card, the user is only prompted to enter the values of claims which are not supplied by the persona backing the card.
The attributes or properties of a user's persona are stored using the original predicate URIs (if imported from FOAF) or URIs representing the attributes as defined in LDAP schema (if imported from LDIF). Since the relying party may ask for claims using a different schema (e.g., the Microsoft schema for self-issued claims at http://schemas.xmlsoap.org/ws/2005/05/identity/claims), the selector uses the Schemat Consumer to locate an equivalent property for the relying party's claim, using owl:equivalentProperty, and automatically maps existing schemas to those required by a relying party.
Currently, as the web site schemas.xmlsoap.org where the Microsoft claim types are stored does not appear to provide an RDF file with schema metadata, the Schemat Selector bundles selfissued.rdf which includes mapping statements for the Microsoft self-issued claims givenname, surname, emailaddress, streetaddress, locality, stateorprovince, postalcode, country, primaryphone, webpage, homephone, mobilephone. These mapping statements resemble
<rdf:Description rdf:about="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <rdfs:isDefinedBy
        rdf:resource="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/" />
    <owl:equivalentProperty rdf:resource="http://xmlns.com/foaf/0.1/surname" />
    <owl:equivalentProperty rdf:resource="http://www.ldap.com/1/schema/rfc4519.owl#2.5.4.4" />
</rdf:Description>
The preceding RDF description of the Microsoft self-asserted claim surname states that it is equivalent to the FOAF surname property, and the LDAP attribute 2.5.4.4 (sn, defined in RFC 4519).
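The claim-type resolution step described above, as an added example in Python that is not code from the Schemat Selector or its libraries: it reads owl:equivalentProperty statements from a mapping file in the style of selfissued.rdf and maps a relying party's requested claim URIs onto whichever persona property is available, reporting the claims the user would still have to be prompted for. The givenname mapping (foaf:givenname, RFC 4519 givenName OID 2.5.4.42) and the two personas are constructed for the example and are assumptions, not values from the page.

```python
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
OWL = "{http://www.w3.org/2002/07/owl#}"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
FOAF = "http://xmlns.com/foaf/0.1/"
LDAP4519 = "http://www.ldap.com/1/schema/rfc4519.owl#"

# Constructed mapping file in the style of the bundled selfissued.rdf.
# The surname entry mirrors the page; the givenname entry is an assumption
# (foaf:givenname and the RFC 4519 givenName attribute, OID 2.5.4.42).
MAPPING_RDF = f"""<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
    xmlns:owl="http://www.w3.org/2002/07/owl#">
  <rdf:Description rdf:about="{CLAIMS}surname">
    <rdfs:isDefinedBy rdf:resource="{CLAIMS}"/>
    <owl:equivalentProperty rdf:resource="{FOAF}surname"/>
    <owl:equivalentProperty rdf:resource="{LDAP4519}2.5.4.4"/>
  </rdf:Description>
  <rdf:Description rdf:about="{CLAIMS}givenname">
    <owl:equivalentProperty rdf:resource="{FOAF}givenname"/>
    <owl:equivalentProperty rdf:resource="{LDAP4519}2.5.4.42"/>
  </rdf:Description>
</rdf:RDF>"""

# Constructed personas: one imported from LDIF (LDAP attribute URIs),
# one imported from FOAF (FOAF predicate URIs).
WORK_PERSONA = {LDAP4519 + "2.5.4.4": "Doe", LDAP4519 + "2.5.4.42": "Jane"}
PERSONAL_PERSONA = {FOAF + "surname": "Doe"}

def load_equivalences(rdf_xml):
    """Return {claim URI: set of owl:equivalentProperty URIs} from RDF/XML."""
    equiv = {}
    for desc in ET.fromstring(rdf_xml).iter(RDF + "Description"):
        subject = desc.get(RDF + "about")
        for prop in desc.findall(OWL + "equivalentProperty"):
            equiv.setdefault(subject, set()).add(prop.get(RDF + "resource"))
    return equiv

def resolve_claims(requested, persona, equiv):
    """Map relying-party claim URIs to persona values; claims with no
    equivalent persona property are the ones the user is prompted for."""
    supplied, missing = {}, []
    for claim in requested:
        candidates = {claim} | equiv.get(claim, set())
        match = next((p for p in candidates if p in persona), None)
        if match is None:
            missing.append(claim)
        else:
            supplied[claim] = persona[match]
    return supplied, missing
```

Requesting surname, givenname and emailaddress against the work persona resolves the first two through the LDAP attribute URIs and leaves emailaddress to be entered by hand; the personal persona resolves only surname, via FOAF.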
Note that this version of Schemat Selector is not a full identity selector, in that it does not include the support for managed cards, WS-MetadataExchange or WS-Trust. It only submits to a relying party web site, via an HTTPS POST, a SAML 1.1 attribute assertion for a self-issued card.
- Download the Schemat Selector as a standalone runnable jar and man page in schemat_selector-jar-20070706.zip, last updated 2007 July 6.
The Schemat Selector requires the Sun Java SE Runtime Environment 1.5 or later with JCE unlimited strength jurisdiction policy files installed.
(The unlimited strength jurisdiction policy files can be downloaded from the "Other Downloads" section of the Sun Java SE JDK 5 downloads page for Java SE 5, or the "Other Downloads" section of the Sun Java SE downloads page for Java SE 6.)
- Download the latest snapshot of the Schemat Selector research software source code in schemat-src-20070706.zip, last updated 2007 July 6.
- Download the HTML version of the Schemat Selector man page, last updated 2007 July 6.
This software is distributed under the BSD-style Informed Control Research Software License B, and relies upon third-party components distributed under various BSD-style licenses, the Apache Public License, and Netscape Public License.
More information on the Schemat Consumer and Schemat is available at the Schema Ontology Tools page.