Liberty Advanced Client Specifications
Liberty Alliance Releases New Specifications for Linking Digital Identity Management to Consumer Devices
March 21, 2007
Liberty Alliance, the global identity consortium working to build a more trusted Internet for consumers, governments and businesses worldwide, today announced the release of the Advanced Client specifications designed to allow enterprise users and consumers to manage identity information on devices such as cameras, handhelds, laptops, printers, and televisions. The Advanced Client is a set of specifications and technologies that leverage the proven interoperability, security and privacy capabilities of Liberty Federation and Liberty Web Services to allow users to conduct a wide range of new identity-based transactions from any device.
The Advanced Client is part of Liberty's roadmap to deliver an end-to-end digital identity management framework that provides enterprise users and consumers with increased identity management functionality across all networks and devices. The set of platform-independent specifications was developed to extend identity management capabilities such as single sign-on, access to Web Services, stronger authentication and user-controlled provisioning to client devices. The Advanced Client will allow users to securely store identity data on a device and access and manage the information when the device is either connected to a network or offline.
"Liberty's Advanced Client specifications mark a new era in how consumers will access identity-based applications and businesses and governments will deploy and manage new identity-based services," said Roger Sullivan, president of the Liberty Alliance Management Board and vice president of Oracle Identity Management. "With today's news, Liberty Alliance is closer to delivering an always available end-to-end identity framework where devices of all kinds are linked by federation and users are in better control of their identity information."
The Advanced Client represents the third phase of Liberty's ongoing work in delivering increased identity management functionality to client devices. In phase one, Liberty Alliance defined the LECP (Liberty Enabled Client/Proxy), which was incorporated into SAML 2.0 and supports federation operations as the Enabled Client/Proxy. The Active Client is part of phase two and provides client-based Web services functionality, single sign-on into Liberty Web Services and support for any authentication model. Work on the Robust Client specifications, phase four, is underway. These phase four specifications will support trusted digital identity relationships and mobility modules, and provide a platform for facilitating client-based universal strong authentication.
Advanced Client relies on ID-WSF 2.0 (Liberty Web Services) which includes support for WS-Addressing and WS-Security specifications. The specific functionality included in the Advanced Client specifications released in draft form today includes:
Trusted Module — The Advanced Client acts as an extension of the identity provider (IdP) offering protocol support for trusted model capabilities and able to function when the IdP is not present. The specifications allow the client to assert assurances on behalf of the authority issuing the identity in a closed and protected environment such as a smart card or other tamper resistant mechanism within the client device.
Provisioning — The Advanced Client supports full life-cycle provisioning of data and/or functionality to the client over the air in a privacy sensitive and secure manner.
Service Hosting/Proxying (SHPS) — Allows a service, such as a calendar or e-commerce profile, to be hosted on a client device, such as a cell phone or laptop. The specifications allow others to interact with the service via a proxy, based on the security, privacy and permission controls established by the user, whether the device is online or offline.
Liberty's Technology Expert Group (TEG) has been driving the development of client specifications based on well-defined use cases and market requirements. The next version of the Advanced Client specification is due for release later this year when provisioning functionality will be expanded and new reporting capabilities will be available. These features will provide deployers with end-to-end capabilities for better managing identity-based transactions across networks and devices and a framework for more easily meeting compliance and regulatory requirements. The Advanced Client specifications released today are available for review and download at:
Advanced Client Specifications
Enterprises and identity providers can leverage Liberty's portfolio of client specifications to offer customers a wide range of new services that can be provisioned and deprovisioned based on functionality included in the Advanced Client. Liberty Alliance member representatives from BT, HP and Intel recently demonstrated a proof-of-concept application using the Advanced Client in a working service provider implementation. The Remote Provisioning of Soft Credentials presentation illustrates how Liberty specifications were used to provision secure credentials to consumers in order to deliver an improved user experience across networks and devices. The presentation is available at:
"Utilizing clients has been a focus of the Liberty Alliance specifications since inception," said Conor Cahill, editor of the Advanced Client specification within the Liberty Alliance Technology Expert Group and identity architect with Intel. "The Advanced Client is helping to make clients 'first class identity citizens' with controls for privacy and connectivity challenges built into the specifications."
About Liberty Alliance
Liberty Alliance is a global identity consortium with a membership base that includes technology vendors, consumer service providers and educational and government organizations working together to build a more trusted Internet by addressing the technology, business and privacy aspects of digital identity management. The Liberty Alliance Management Board consists of representatives from AOL, Ericsson, Fidelity Investments, France Telecom, HP, Intel, Novell, NTT, Oracle, and Sun Microsystems. Liberty's four Expert Groups are the Technology Expert Group (TEG), the Public Policy Expert Group (PPEG), the Strong Authentication Expert Group (SAEG) and the Business and Marketing Expert Group (BMEG). Members form special interest groups based on the need to solve regional and global identity issues and include the eGovernment, eHealth, Identity Theft Prevention and Open Source groups. More information about Liberty Alliance is available at http://www.projectliberty.org
Liberty Alliance ID-WSF Advanced Client 1.0 DRAFT Specifications
Liberty ID-WSF Advanced Client Technologies Overview. Provides an overview of the mechanisms by which smart clients can operate in disconnected mode while accessing and providing web services.
Liberty ID-WSF Design Patterns. This specification defines common design patterns that can be included in other Liberty ID-WSF specifications.
Liberty IDP Service Specification. This specification describes the ID-WSF IDP Service. The minting assertion (MING) is a SAML assertion issued by an IdP granting a TM permission to mint assertions on behalf of the IdP. This assertion will be built from standard SAML Assertion elements...
Liberty ID-WSF Provisioned Module Manager Service Specification. This specification defines the interfaces for the Provisioning Module Manager (PMM). The Provisioned Module Manager (PMM) is a component used to instantiate and manage Provisioned Modules. This specification documents the interfaces exposed by the PMM. The Provisioning Service specification provides an overview of the provisioning process and describes how the PMM fits into this process.
Liberty ID-WSF Provisioning Service Specification. This specification defines the Provisioning Service interfaces. Provisioning, in this context, refers to the distribution, installation and maintenance (update/delete) of some functional module (perhaps a TM) onto a device or platform. The specific capabilities and features of a particular functional module are out of scope here. This process is only concerned with getting the functional module up and running within the target environment.
Liberty ID-WSF Service Hosting and Proxying Service Specification. This specification describes the Service Hosting and Proxying Service and its interfaces. Smart clients are more and more capable of directly hosting identity services for the various service providers with which those clients interact. However, the realities of variable client connectivity and privacy concerns dictate that it may also be desirable that services be hosted by network providers on behalf of such clients. A Service Hosting or Proxying Service (SHPS) provides such functionality to clients. This specification details the mechanisms by which clients can discover which services a SHPS is able to provide, request that the SHPS provide particular services, and manage the availability of said services.
Prepared by Robin Cover for The XML Cover Pages archive. See also "Liberty Alliance Specifications for Federated Network Identification and Authorization."