liberty id-sis directory access protocol
TRANSCRIPT
Liberty Alliance Project: Version: 1.0
Liberty ID-SIS Directory Access ProtocolVersion: 1.0
Editors:Sampo Kellomäki, Symlabs, Inc.
Contributors:Guillermo Lorenzo, Symlabs, Inc.Rob Lockhart, IEEE-ISTO
Abstract:
The Liberty ID-SIS Directory Access Protocol (ID-SIS-DAP) specifies a web service offering directory information.ID-SIS-DAP is an instance of a data-oriented identity web service, based on the Liberty ID-WSF Data ServicesTemplate (DST). ID-SIS-DAP is characterized by the ability to query and update attribute data and incorporates, fromother specifications, mechanisms for access control and for conveying data validation information and usagedirectives. Readers of this document should be familiar with LDAP, SOAP, SAML, and XML. Readers may alsowish to familiarize themselves with the Liberty ID-SIS Personal Profile (ID-SIS-PP) and ID-SIS Contact Book(ID-SIS-CB), which provide similar function, but with standardized schemata.
Filename: liberty-id-sis-dap-v1.0.pdf
Liberty Alliance Project
1
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
Notice1
This document has been prepared by Sponsors of the Liberty Alliance. Permission is hereby granted to use the2
document solely for the purpose of implementing the Specification. No rights are granted to prepare derivative works3
of this Specification. Entities seeking permission to reproduce portions of this document for other uses must contact4
the Liberty Alliance to determine whether an appropriate license for such use is available.5
Implementation of certain elements of this document may require licenses under third party intellectual property6
rights, including without limitation, patent rights. The Sponsors of and any other contributors to the Specification are7
not and shall not be held responsible in any manner for identifying or failing to identify any or all such third party8
intellectual property rights.This Specification is provided "AS IS," and no participant in the Liberty Alliance9
makes any warranty of any kind, express or implied, including any implied warranties of merchantability,10
non-infringement of third party intellectual property rights, and fitness for a particular purpose. Implementers11
of this Specification are advised to review the Liberty Alliance Project’s website (http://www.projectliberty.org/) for12
information concerning any Necessary Claims Disclosure Notices that have been received by the Liberty Alliance13
Management Board.14
Copyright © 2005-2007 Ericsson; NeuStar; Symlabs, Inc.; Telefónica Móviles; and Vodafone Group Plc. All rights15
reserved.16
17
Liberty Alliance Project18
Licensing Administrator19
c/o IEEE-ISTO20
445 Hoes Lane21
Piscataway, NJ 08855-1331, USA22
24
Liberty Alliance Project
2
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
Contents25
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
1.1. Notational Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
1.2. Derivation of ID-SIS-DAP from DST and WSF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
1.3. Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
1.4. Namespaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
2. Definition of Parameters (checklists). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
2.1. DST-Mandated Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .632
2.2. Subscription Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
3. Mapping to LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1134
4. Processing Rules and Other Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1235
4.1. Query Is Not Required to Report Same Data to Repeated Queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1236
4.2. Simulation (dry-run) is Required. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1237
4.3. Use of Usage Directives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1238
4.4. Granularity of Metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1239
4.5. Subscription to Change in an Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1240
5. DST 1.1 Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1441
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1542
6.1. ID-SIS-DAP Query Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1543
6.2. ID-SIS-DAP QueryResponse. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1644
7. Schema for ID-SIS-DAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1845
7.1. Summary of ID-SIS-DAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1846
7.2. Formal XML Schema for ID-SIS-DAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2047
8. WSDL for ID-SIS-DAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2648
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2849
Liberty Alliance Project
3
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
1. Introduction50
The ID-SIS Directory Access Protocol (ID-SIS-DAP) enables Liberty identity web services that pass directory data51
with arbitrary schema over a web services interface.52
This document is a Liberty ID Services Interface Specification that normatively specifies the ID-SIS-DAP Service.53
In case of disagreement between the present document and any guidelines or XML schema descriptions, this document54
is prescriptive. Any published errata is hereby incorporated to this document by reference and as such is normative.55
1.1. Notational Conventions56
When capitalized, the key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD,"57
"SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this specification are to be interpreted as58
described in [RFC2119]. When these words are not capitalized, they are meant in their natural-language sense.59
N.B. LDAP [RFC2251] and colloquial directory terminology is used where ever possible. In LDAP,60
a typical container is anentry, which containsattributeswhich can be multivalued. Contrast this61
with an attribute of an XML element, which is always single-valued. To avoid confusion, the latter62
will always be referred to as an "XML attribute." A directory entry is identified by adistinguished63
name. XML elements are sometimes identified by XPaths [XPATH], but this specification does64
not use XPath. Directory data is often described by aschema, see [RFC2252], but XML protocols65
are often described by a schema as well [Schema1-2]. The latter will always be termed an "XML66
schema."67
For better readability, XML schemata are described using notation defined in Section 1.3 "Schema Grammar68
Formalism" of [LibertyDST].69
1.2. Derivation of ID-SIS-DAP from DST and WSF70
The ID-SIS-DAP service is an instance of the Liberty ID-WSF Data Services Template [LibertyDST] and all71
stipulations therein are hereby incorporated unless expressly waived or modified in this document. However, a72
special provision is made that either version 1.1 or 2.1 of DST MAY be used. An implementation MUST support DST73
2.1 [LibertyDST]. Support for DST 1.1 [LibertyDST11] will naturally not be as rich in features, but useful, never-the-74
less, in the interim while sites are migrating to DST 2.1. This document is written from a DST 2.1 perspective. The75
DST 1.1 specifics are isolated inSection 5.76
A service that consults the ID-SIS-DAP service SHOULD use the Liberty architectural framework, see [Liber-77
tyProtSchema] and [LibertyIDWSFGuide10]. The Liberty architectural framework is relied upon to ensure that a78
service acts on behalf of the Principal or that the Principal has consented to sharing the data. A service that consults an79
ID-SIS-DAP-compliant service MUST adhere to the specifications that comprise the Liberty architectural framework,80
see [LibertyProtSchema] and [LibertyIDWSFOverview]. A service MUST be able to demonstrate adherence to the81
specifications.82
A special provision is made that a service MAY support ID-SIS-DAP using ID-WSF 1.1. A service MUST support83
ID-WSF 2.0. The choice of ID-WSF version is orthogonal to choice of DST version and an implementation MAY84
support any or all four combinations. The combination of DST 2.1 with ID-WSF 2.0 MUST be supported.85
1.3. Compliance86
This specification defines an interface to which animplementationand aninstance(deployment) of ID-SIS-DAP87
service MUST conform. For an AP to be ID-SIS-DAP-compliant, it MUST adhere to all aspects of the specification.88
A minimally-compliant ID-SIS-DAP implementation MAY choose not to support optional features of this specifica-89
tion. Such an implementation may be labeled as an "ID-SIS-DAP implementation" provided that publicly-available90
Liberty Alliance Project
4
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
documentation about the implementation clearly discloses which optional parts of the schema and which features are91
not supported. All other features and schema are assumed to be supported. A deployment of an implementation that is92
not capable of supporting the full schema SHOULD only register the discovery option keywords that accurately reflect93
its capabilities.94
An implementation that supports all of the schema and features specified in this document MAY be labeled as a95
"full ID-SIS-DAP implementation." An implementation that is deficient in any feature or part of the schema MUST96
NOT be labeled as a "full ID-SIS-DAP implementation." A "full ID-SIS-DAP implementation" deployment MAY97
administratively or, via configuration, restrict the schema and features.98
An ID-SIS-DAP implementation MUST publicly disclose which DST and ID-WSF versions it supports. Labeling of99
an implementation that does not yet support DST 2.1 and ID-WSF 2.0 must be qualified by designator "(interim)."100
A deployment that supports all of the schema and features specified in this document MAY be labeled as a "full101
ID-SIS-DAP deployment" or a "full ID-SIS-DAP service." To meet "full ID-SIS-DAP deployment" status, all of the102
schema and features MUST be supported for all Principals wishing to use them, barring a policy decision excluding103
specific Principal(s).104
A deployment that only supports some subset of ID-SIS-DAP may still be labeled as an "ID-SIS-DAP deployment" or105
an "ID-SIS-DAP service" provided that the deployment publicly discloses the subset that it supports.106
An ID-SIS-DAP deployment or instance MUST publicly disclose which DST and ID-WSF versions it supports.107
Labeling of a deployment or implementation that does not yet support DST 2.1 and ID-WSF 2.0 must be qualified by108
designator "(interim)."109
1.4. Namespaces110
The ID-SIS-DAP namespace is abbreviated as "dap:" in this document. If the namespace has been omitted at any111
place in this document, "dap:" should be considered the default namespace. The namespace URI is also used as the112
ServiceType designator.113
Table 1. Referenced XML namespaces114
Prefix URI Description
dap: urn:liberty:id-sis-dap:2006-08:dst-2.1 SeeSection 2.1, checklist 1
dst: urn:liberty:dst:2006-08 [LibertyDST]
subs: urn:liberty:ssos:2006-08 [LibertySUBS]
xml: http://www.w3.org/TR/REC-xml XML Definition [XML ] (forxml:lang )
xs: http://www.w3.org/2002/XMLSchema XML Schema Definition [Schema1-2]
Liberty Alliance Project
5
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
2. Definition of Parameters (checklists)115
2.1. DST-Mandated Parameters116
In Section 10 of [LibertyDST], a checklist is provided for service specifications. This section corresponds, item for117
item, to that checklist.118
1. ID-SIS-DAP usesServiceType URN urn:liberty:id-sis-dap:2006-08:dst-2.1119
2.For service schema, seeSection 7120
3.Following object types are supported121
entry Object named bydistinguished name, often referred to asdn and containing a directory122
entry as defined in [RFC2251].123
_Subscription A subscription object, as defined in [LibertyDST]. Furthermore the subscriptions them-124
selves should follow the semantics of [LDAPPSearch].125
4.AppDataType is defined as follows126
%AppDataType: redef(liberty-idwsf-dst-v2.1.xsd)127
dap:LDIF | dst:Subscription128
;129
130
131
The<LDIF> element represents objects of type "entry" with contents as specified in [RFC2849].132
The <Subscription> elements represent objects of type "_Subscription" with schema as specified in [Liber-133
tyDST].134
5.Definition of SelectType :135
%SelectType:136
dn? -> %xs:string137
filter? -> %xs:string138
@scope? -> %xs:integer default(0)139
@sizelimit? -> %xs:integer default(0)140
@timelimit? -> %xs:integer default(0)141
@attributes? -> %xs:string142
@typesonly? -> %xs:boolean default(false)143
@derefaliases? -> %xs:integer default(0)144
;145
146
147
a.If objectType is "entry" then, with reference to Section 4.5.1 "Search Request" of [RFC2251], the <dn>148
is mapped tobaseObject and all other elements and XML attributes are mapped to correspondingly-149
named fields ofSearchRequest production. Theattributes single-valued XML attribute is con-150
verted to anAttributeDescriptionList by splitting the string on comma characters and forming an151
AttributeDescription from each resulting substring.152
b.The Searchfilter supplied in<Select>SHOULD be passed verbatim to the underlying directory system153
or repository. Full [RFC2254] language MUST be accepted by the ID-SIS-DAP service, though it need not154
ensure that the underlying directory understands the filters. Extensions to filter language MAY be accepted.155
c. If <dn> is omitted, or incomplete, the ID-SIS-DAP server MUST determine the correctdistinguished name156
from the identity information conveyed by the ID-WSF layer.157
Liberty Alliance Project
6
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
d. If <dn> is provided, the ID-SIS-DAP server MAY further determine the actualdistinguished namefrom the158
identity information conveyed by the ID-WSF layer. In this case, the<dn> could act as thebase suffix, while159
the identity information would provide thenaming attribute.160
e.If <Select>is used in<DeleteItem>or <ModifyItem> relating toobjectType "entry," <Filter> element161
MUST NOT be specified and NONE of the XML attributes MUST be specified.162
f. In case of omission of an XML attribute, the specified default value MUST be used. Usually, these mean163
that the limitation does not apply or, in case ofattributes , that all attributes, except metadata attributes,164
should be returned.165
g.An implementation that is not LDAP-based MAY interpret the fields in any other way that achieves the166
semantics inherent in [RFC2251].167
h.A specification that profiles ID-SIS-DAP MAY specify additionalobjectType s and MUST specify168
which query language applies to each of them. For example, a relational database profile could specify169
objectType "relational" with query language SQL.170
6.The TestOpType is defined to be equal toSelectType with all the filter language provisions for the various171
objectType s. If a filter is not by its nature a test, then it is consideredtrue if the result of its evaluation against172
underlying backend is nonempty. For example, if an LDAP search filter does not return any entries, then it173
evaluates tofalse.174
7.Contents ofSortType string is a dollar-separated (ASCII 0x24) list ofsort keysin descending order of175
importance, where each sort key is a comma-separated list of three elements:176
a.Order: "a" == ascending (reverse order false, the default), "d" == descending (reverse order true),177
b.Ordering rule (empty means default for the attribute),178
c.Attribute name.179
These elements are interpreted in the sense of [RFC2891], Section 1.1 "Request Control."180
Example:181
a„cn$d„fn$d„sn182
183
184
An implementation that does not support sorting MAY ignore the sort specification. An implementation that185
partially supports sorting, SHOULD make best effort to satisfy the sort criteria, but need not adhere to it literally.186
Such implementations MAY ignore LDAP control-criticality specifications regarding the sort control.187
Sorting is not supported for subscriptions.188
8.All DST methods are defined and the default method support policy applies.189
9.All DST-specified discovery option keywords are supported with the semantics defined in [LibertyDST].190
All discovery option keywords specified in [LibertySUBS] are supported.191
ID-SIS-DAP also supports the following additional discovery option keywords to indicate the supported ID-WSF192
framework and DST version(s):193
urn:liberty:ID-SIS-DAP:2006-08:framework:idwsf1.1 :dst1.1194
urn:liberty:ID-SIS-DAP:2006-08:framework: idwsf1.1:dst2.1195
urn:liberty:ID-SIS-DAP:2006-08:f ramework:idwsf2.0:dst1.1196
urn:liberty:ID-SIS-DAP:2006-08:framework:idwsf2.0:d st2.1197
198
199
Liberty Alliance Project
7
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
10.Element uniqueness mechanisms for objects of type "_Subscription" are specified in [LibertySUBS] (i.e.,200
subscriptionID ).201
For objects of type "entry,"distinguished nameprovides a unique identifier.202
11.The default policy for protocol extension applies.203
For objects of type "entry," no special extension mechanism is needed. ID-SIS-DAP does not specify any schema204
so all entries might as well belong to LDAPobjectClass "extensibleObject."205
While ID-SIS-DAP as protocol does not mandate any schema, or mechanism for schema validation, the206
underlying backend MAY, in fact, be schema-aware and perform schema validation in the way usual for directory207
servers. The agreement about the schema between WSC and WSP is out-of-band.208
12.Query features (default feature support policy applies):209
a.Testing MUST be supported.210
b.<ResultQuery>MUST be supported.211
c.Sorting is OPTIONAL (typically, the backend would have to implement [RFC2891]). If sorting is not212
supported forobjectType "entry," discovery option keywordurn:liberty:dst:noSorting MUST be213
registered.214
Sorting need not be supported forobjectType "_Subscription" and the lack of such support is NOT215
reflected in discovery option keyword registrations.216
d.Pagination of results is OPTIONAL (typically, the backend would have to implement [RFC2696]217
or [LDAPVLV ]). If pagination is not supported forobjectType "entry," discovery option keyword218
urn:liberty:dst:noPagination MUST be registered.219
Pagination need not be supported forobjectType "_Subscription" and the lack of such support is NOT220
reflected in discovery option keyword registrations.221
e.Support static sets in pagination is OPTIONAL (the backend probably would have to support [LDAPVLV ]).222
If static sets are not supported, discovery option keywordurn:liberty:dst:noStatic MUST be223
registered.224
f. Multiple <Query> elements MUST be supported. No transactional semantic is attached to this construct.225
g.Multiple <QueryItem> elements MUST be supported. No transactional semantic is attached to this226
construct.227
h.Multiple <TestItem> elements MUST be supported. No transactional semantic is attached to this construct.228
i. changedSince MUST be supported in<ResultQuery> and <QueryItem>, but the granularity of the229
change detection MAY be one directory entry.<ChangeFormat>CurrentElements MUST be supported230
and is interpreted as returning the entire changed directory entry, possibly projected using the attribute231
list supplied in the query.<ChangeFormat>specificationsChangedElements andAll MUST NOT be232
used. If<ChangeFormat> is omitted,CurrentElements is assumed. Since there is only one possible233
<ChangeFormat>, we RECOMMENDED that<ChangeFOrmat> is always omitted.234
j. includeCommonAttributes MUST be supported.235
13.Create features:236
a.Multiple <Create>elements MUST be supported. No transactional semantic is attached to this construct.237
14.Delete features:238
Liberty Alliance Project
8
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
a.Multiple <Delete>elements MUST be supported. No transactional semantic is attached to this construct.239
15.Modify features:240
a.Multiple <Modify> elements MUST be supported. No transactional semantic is attached to this construct.241
b.Multiple <ModifyItem> elements MUST be supported. No transactional semantic is attached to this242
construct.243
c.Multiple <ModifyItem> elements may fail independently. No atomic modify or transactional semantic244
needs to be supported.245
d.notChangedSince MUST be supported, but only at directory entry granularity.246
2.2. Subscription Parameters247
In Section 7 of [LibertySUBS], a checklist is provided for service specifications. This section corresponds, item for248
item, to that checklist.249
1.Standard names are used. SeeSection 7.250
2.The <Subscription> elements represent objects of type "_Subscription" inAppDataType with schema as251
specified in [LibertySUBS].252
3. If objectType is "_Subscription," then the<dn> string is an XPath expression [XPATH] pointing to the253
subscription object and NO other elements or XML attributes MUST BE specified. Default restriction on XPaths254
for subscriptions applies.255
4.TriggerType is not used. The only way to trigger notifications is by change of data.256
5.AggregationType is not used. The underlying backend MAY use any aggregation policy it chooses.257
6.Extension mechanisms for objects of type "_Subscription" are specified in [LibertySUBS].258
7.How subscriptions can be established and manipulated:259
a.Supporting objectType "_Subscription" is OPTIONAL (typically, the backend would have260
to support [LDAPPSearch]). If subscription is not supported, the discovery option keyword261
urn:liberty:dst:noSubscribe MUST be registered.262
b.Subscribing in<Query> MUST be supported ifobjectType "_Subscription" is supported. However,263
subscriptions to objects of type "_Subscription" need not be supported.264
c.Multiple <Subscription> elements in<Query> MUST be supported ifobjectType "_Subscription" is265
supported.266
d.Subscribing in<Create> MUST be supported ifobjectType "_Subscription" is supported. However,267
subscriptions to objects of type "_Subscription" need not be supported.268
e.Multiple <Subscription> elements in<Create> MUST be supported ifobjectType "_Subscription" is269
supported.270
f. Subscribing in<Modify> MUST be supported ifobjectType "_Subscription" is supported. However,271
subscriptions to objects of type "_Subscription" need not be supported.272
g.Multiple <Subscription> elements in<Modify> MUST be supported ifobjectType "_Subscription" is273
supported.274
Liberty Alliance Project
9
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
8.starts XML attribute MUST be supported for specification of the start of a subscription ifobjectType275
"_Subscription" is supported.276
9. If objectType "_Subscription" is supported, it MUST be possible to expire subscriptions by at least two277
methods:278
a.by expiration of credentials,279
b.by specification of theexpires XML attribute, and omission ofexpires implies expiration when280
credentials expire.281
Expiration will happen at the earlier of the occasions specified by (a) and (b).282
10.Use of same value for theexpires andstarts XML attributes MUST be supported to request one notification283
message at a specified time ifobjectType "_Subscription" is supported.284
11.Querying existing subscriptions SHOULD be supported.285
12.Notifications SHOULD be acknowledged.286
Liberty Alliance Project
10
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
3. Mapping to LDAP287
Generally, ID-WSF-conveyed identity will map to the LDAPdistinguished nameas described in theSelectType288
discussion, above. In results, thedn attribute SHOULD be substituted by a dummy value such as "liberty-identity-289
based-dn" if any identifiable information is available from it. Access controls keyed on the WSC’s identification should290
be applied to other attribute data to achieve deployment-dependent privacy goals.291
ID-SIS-DAP<ResultQuery>, <QueryItem>, and<TestItem> map to LDAPSearchoperation in a straight forward292
way. <TestItem> can, in some cases, be mapped to the LDAPCompareoperation. <Sort> can be mapped to the293
LDAP control described in [RFC2891]. Pagination functionality (count andoffset XML attributes) can be mapped294
to either [RFC2696] or [LDAPVLV ]. The static set functionality (setID andsetReq XML attributes) can be mapped295
to [LDAPVLV ].296
ID-SIS-DAP<CreateItem>maps straight to the LDAPAddoperation. The LDIF format data in the<LDIF> container297
in the<NewData>container will specify the distinguished names of the new entries.298
ID-SIS-DAP<DeleteItem>maps straight to the LDAPDeleteoperation.299
LDAP Bind operation does not have direct mapping, but the identity information conveyed by the ID Web Services300
Framework should allow the ID-SIS-DAP implementation to perform aBind to authenticate, correctly, the Principal to301
the directory server. SinceBind normally uses a password or SASL authentication mechanism and since it would be302
ill-advised for the ID-SIS-DAP implementation to know the credentials, it may be more convenient to use the LDAP303
control for proxy authentication [LDAPproxyauth]. Another alternative would be to develop a SASL mechanism that304
would somehow allow ID credentials that were received from the ID-WSF layer to be passed to the directory server.305
There is no mapping for the LDAPUnbind, Abandon, or Extendedoperations. No requirement for such mapping is306
known.307
There is no mapping for the LDAPModify RDN(rename) operation.308
ID-SIS-DAP <ModifyItem> maps to the LDAPModify operation, but the mapping is not straight forward. The309
following rules describe the mapping.310
1.The <LDIF> container in<NewData>MUST contain attribute data for one entry, however, this data may be311
empty.312
2.The distinguished name in LDIF format data that is provided in the<LDIF> container in the<NewData>313
container MUST be ignored and MAY be entirely omitted.314
3.Distinguished name for LDAPModifyoperation MUST be taken from ID-WSF-conveyed identity combined with315
the<Select>element of the<ModifyItem> .316
4.The LDIF format data is interpreted as descriptive of the changes to be applied as described in [RFC2849].317
5.The changeTypeSHOULD be "Modify." However, otherchangeTypesare permitted for DST 1.1-based imple-318
mentations.319
6.Any number ofadd, delete, andreplacespecifications can be specified to effectuate the modification as described320
in [RFC2849].321
7.overrideAllowed XML attribute MUST NOT be supplied in<ModifyItem> and all DST processing rules322
regarding it are void.323
Liberty Alliance Project
11
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
4. Processing Rules and Other Considerations324
4.1. Query Is Not Required to Report Same Data to Repeated Queries325
An ID-SIS-DAP instance is NOT REQUIRED to report the same results to two instances of the same query. An326
ID-SIS-DAP instance SHOULD report the same results to the same query made by the same client unless an327
update (Create, Delete, Modify, or out-of-band) has occurred in the interim. An ID-SIS-DAP instance MAY use328
the Interaction Service protocol [LibertyInteract11] or out-of-band means to determine the data to return.329
Data to be returned in response to a query is determined by the ID-SIS-DAP provider as guided by its policies, the330
permissions the Principal has set, and the interaction with the Principal. Clients should use the data based on the data’s331
semantic meaning as specified here and further qualified by theacc (Attribute Collection Context) XML attributes332
[LibertyDST] that may be present in the query response. A client SHOULD NOT attempt to use ID-SIS-DAP as a333
transparent data store as there may be multiple updates, permission, and policy reasons that impede the transparency.334
4.2. Simulation (dry-run) is Required335
The simulation method using theProcessingContext header with value "urn:liberty:sb:2003-08:336
ProcessingContext:Simulate ," as specified in [LibertySOAPBinding], MUST be supported. If simulated337
operation succeeds, similar actual operation SHOULD have a high probability of succeeding within next 30 minutes.338
This feature allows a WSC to test whether a modification is plausible prior to invoking the user interface to query data339
from the Principal, thus avoiding principal-supplied nonactionable data unnecessarily.340
LDAP-specific guidance341
It is recommend that the simulation is actually implemented as real create or modify operations with dummy data,342
possibly followed by deletion of the dummy data. While this is expensive, it gives the degree of guarantee that is the343
intent of explicitly invoking the simulation run.344
The "real modify" approach may not be viable if the modify would destroy old data. In such cases, the implementation345
may need to use another substitute operation. Generally, the write-ability of the entry (or even the existence of it in346
the case of Modify) and the validity of the schema are what needs to be established - the dry-run operation has to be347
sufficiently realistic to establish this.348
4.3. Use of Usage Directives349
When querying a WSC, the query MUST include usage directives that indicate the reason for the request and the type350
of use to which the data will be put. If the ID-SIS-DAP WSP invokes the interaction service, it SHOULD display this351
information, usually after localization, to the Principal.352
The actual format of the usage directives MUST be agreed out of band, e.g., in a business agreement between the WSC353
and the ID-SIS-DAP WSP.354
4.4. Granularity of Metadata355
Since it may be cumbersome to remember metadata on a "per attribute" basis when using an LDAP backend, the356
following relaxations are made:357
1.XML attributes in a localizedLeafAttributes XML attribute group apply to the entire contents of the358
<LDIF> container, whether returned by<Query> or supplied as<NewData>to <Create>or <Modify> .359
2.modificationTime MAY be computed andnotChangedSince evaluated according to the last change to any360
attribute in the entry.361
Liberty Alliance Project
12
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
4.5. Subscription to Change in an Attribute362
If subscription is established by specifying a specific list of attributes, then the notification is triggered only if one of363
the specified attributes changes. If no specific attributes are specified, then change to any attribute in the entry triggers364
the notification.365
Liberty Alliance Project
13
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
5. DST 1.1 Support366
This list documents the limitations and modifications to this specification if DST 1.1 [LibertyDST11] is used. Mostly367
these reflect lesser functionality of the 1.1 version.368
1.The service type and namespace MUST be changed from "urn:liberty:id-sis-dap:2006-08:dst-2.1 "369
to "urn:liberty:id-sis-dap:2006-08:dst-1.1 " to reflect that the DST 1.1-based service is a different370
version than the DST 2.1-based service (checklist 1).371
2.<ResourceID>element MUST be omitted. Instead of the resource IDs, the identification of the principal MUST372
be done using a security mechanism that carries a SAML assertion (any version) whose statements have all the373
same subjects and that this subject identifies the resource to be accessed. Essentially, this adopts the ID-WSF374
2.0 model for all cases. This implies that there MUST be a federation for the principal between the ID-SIS-DAP375
server and IdP that was used to start the session involving ID-SIS-DAP access.376
3.The test feature is undefined (checklist 12.a)377
4.The<ResultQuery> is undefined (checklist 12.b)378
5.The optional pagination feature (checklist 12.d) is undefined and the corresponding discovery option keyword379
MUST be registered.380
6.The optional subscription feature is undefined and the corresponding discovery option keyword MUST be381
registered.382
7.The concept of object type does not exist. All objects MUST be of type "entry."383
8.The<Create>and<Delete>methods do not exist. Their function is accomplished using<Modify> and features384
of LDIF format.385
9.The ID-SIS-DAP schema is modified as follows386
a.The target namespace anddap namespace are changed from "urn:liberty:id-sis-dap:2006-08:387
dst-2.1 " to "urn:liberty:id-sis-dap:2006-08:dst-1.1 ."388
b.The include statement for "liberty-idwsf-dst-dt-v2.1.xsd " is changed to include389
"liberty-idwsf-dst-dt-v1.1.xsd " instead.390
c.The include statement for "liberty-idwsf-dst-v2.1.xsd " is changed to include391
"liberty-idwsf-dst-v1.1.xsd " instead.392
Liberty Alliance Project
14
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
6. Examples393
The following examples illustrate some ID-SIS-DAP protocol exchanges and the ID-WSF SOAP binding around them.394
These examples are not normative.395
6.1. ID-SIS-DAP Query Request396
This query queries for the specific attributeJAVAPROFILE from the LDAP entry associated with the Name ID397
PEx7_Y-G_hMaysCNJmaQj as specified in the assertion used as credential for TLS:Bearer security mechanism. This398
message would appear as the body of an https request.399
<soap:Envelope400
xmlns:lib="urn:liberty:iff:2003-08"401
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" >402
<soap:Header>403
<wsa:MessageID404
xmlns:wsa="http://www.w3.org/20 05/03/addressing"405
id="#MID">uuid:6g5n02-nzY8vJY wK2uCW</wsa:MessageID>406
<wsa:To407
xmlns:wsa="http://www.w3.org/2005/0 3/addressing">408
https://g-sp.liberty-iop.org:88 43/DAP-PSBEARER</wsa:To>409
<wsa:Action xmlns:wsa="http://www.w3.org/2005/03/addr essing"/>410
<wsa:ReplyTo xmlns:wsa="http://www.w3.org/2005/03/addressing">411
<wsa:Address>http://www.w3.org/2005/03/addressing/ro le/anonymous</wsa:Address>412
</wsa:ReplyTo>413
<wsse:Security414
xmlns:wsse="http://docs.oasis- open.org/wss/2004/01/oasis-200415
401-wss-wssecurity-secext-1.0. xsd">416
<sa:Assertion417
xmlns:sa="urn:oasis:names:tc:SAML:2 .0:assertion"418
ID="CRED1Wqsz7VozwEo6TBpkIMV"419
IssueInstant="2005-10-03T16:58:33Z"420
Version="2.0">421
<sa:Issuer Format="urn:oasis:names:tc:SAML: 2.0:nameid-format:entity">422
https://g-ds.liberty-iop.org:8681/idp. xml</sa:Issuer>423
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmld sig#">424
<ds:SignedInfo>425
<ds:CanonicalizationMethod426
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>427
<ds:SignatureMethod428
Algorithm="http://www.w3.org/2000/09/xmldsig#rs a-sha1"/>429
<ds:Reference URI="#CRED1Wqsz7VozwEo6TBpkIMV">430
<ds:Transforms>431
<ds:Transform432
Algorithm="http://www.w3.org/ 2000/09/xmldsig#enveloped-sign ature"/>433
<ds:Transform434
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>435
</ds:Transforms>436
<ds:DigestMethod Algorithm="http://www.w3.org/2 000/09/xmldsig#sha1"/>437
<ds:DigestValue>BA5GsDSlCmzvCTkNoBORaS CP9kI=</ds:DigestValue>438
</ds:Reference>439
</ds:SignedInfo>440
<ds:SignatureValue>441
Y+kMa0ToVrbG8smohquiGyeMrKM5Dw4aizPszOQ6h DWODvpH/q0eIow7PIFzvoN+7XUQbkZ442
aA0J4KXEyzeRtOrt5XrhOzg6d2BCnK SHZXHwCE7d6qa5NJGtQlszOjMtwTcM ByNKMWdcuksQdryGsklNkED6ZPEFpn443
xK4aKs57Rs=444
</ds:SignatureValue>445
</ds:Signature>446
<sa:Subject>447
<sa:NameID448
Format="urn:oasis:names:tc:SAML: 2.0:nameid-format:persistent "449
NameQualifier="https://g-ds.liber ty-iop.org:8681/idp.xml">PEx7 _Y-G_hMaysCNJmaQj450
</sa:NameID>451
<sa:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />452
</sa:Subject>453
Liberty Alliance Project
15
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
<sa:Conditions454
NotBefore="2005-10-03T16:53:33Z"455
NotOnOrAfter="2005-10-03T17:08:33Z">456
<sa:AudienceRestriction>457
<sa:Audience>https://g-wsc.liberty-iop.org:8643 /sp.xml</sa:Audience>458
</sa:AudienceRestriction>459
</sa:Conditions>460
<sa:AuthnStatement AuthnInstant="2005-10-03T16:58:33Z">461
<sa:AuthnContext>462
<sa:AuthnContextClassRef>463
urn:oasis:names:tc:SAML:2.0: ac:classes:Password464
</sa:AuthnContextClassRef>465
</sa:AuthnContext>466
</sa:AuthnStatement>467
</sa:Assertion>468
</wsse:Security>469
<sb2:Timestamp xmlns:sb2="urn:liberty:sb:2004-12" >470
<wsu:Created471
xmlns:wsu="http://docs.oasis-open.org/wss/20 04/01/oasis-200401-wss-wssecur472
ity-utility-1.0.xsd">473
2005-10-03T16:58:33Z474
</wsu:Created>475
</sb2:Timestamp>476
<sb2:Sender xmlns:sb2="urn:liberty:sb:2004-12"477
providerID="https://g-wsc.liberty-iop.org:8643/sp.x ml"478
soap:actor="http://schemas.xmlsoap.org/soa p/actor/next"/>479
</soap:Header>480
<soap:Body id="bdy">481
<dap:Query482
xmlns:dap="urn:liberty:id-sis-dap:2006-08:dst-2.1"483
id="id:CoS9jNRrwxeCrm_TEFqU"484
itemID="itm:S9fdkoCcS8_PoRAhvRlt">485
<dap:QueryItem486
id="id:0nlI3-cRcCl5Wo1nEfAF"487
itemID="itm:UsMupiJjpt1CN4PkR zyQ"488
objectType="entry">489
<dap:Select attributes="JAVAPROFILE"/>490
</dap:QueryItem>491
</dap:Query>492
</soap:Body>493
</soap:Envelope>494
495
496
6.2. ID-SIS-DAP QueryResponse497
This is a response to the query in the previous example. This illustrates how the distinguished name is blanked out with498
valueliberty-identity-based-dn to avoid leaking privacy-sensitive information that may have been present in499
the dn. The requested attribute has valueJ2ME. This message would appear as the body of an https response.500
<soap:Envelope501
xmlns:lib="urn:liberty:iff:2003-08"502
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" >503
<soap:Header>504
<wsa:MessageID505
xmlns:wsa="http://www.w3.org/20 05/03/addressing"506
id="#MID">uuid:eg4ZFqQi3PmHSS EUdg0Q</wsa:MessageID>507
<wsa:RelatesTo508
xmlns:wsa="http://www.w3.org /2005/03/addressing">uuid:6g5 n02-nzY8vJYwK2uCW509
</wsa:RelatesTo>510
<wsa:To xmlns:wsa="http://www.w3.org/2005/03/addressing">511
http://www.w3.org/2005/03/addressing/role/anonymous</w sa:To>512
<wsa:Action xmlns:wsa="http://www.w3.org/ 2005/03/addressing"/>513
<wsa:ReplyTo xmlns:wsa="http://www.w3.org/2005/03/address ing">514
<wsa:Address>http://www.w3.org/2005/03/a ddressing/role/anonymous</wsa: Address>515
Liberty Alliance Project
16
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
</wsa:ReplyTo>516
<sb2:Timestamp xmlns:sb2="urn:liberty:sb:20 04-12">517
<wsu:Created518
xmlns:wsu="http://docs.oasis-open.org/ wss/2004/01/oasis-200401-wss-w519
ssecurity-utility-1.0.xsd">520
2005-10-03T16:58:34Z</wsu:Created>521
</sb2:Timestamp>522
<sb2:Sender523
xmlns:sb2="urn:liberty:sb:2004-12"524
providerID="https://g-sp.liberty-iop.org:8843/ sp.xml"525
soap:actor="http://schemas.xmlsoap.org /soap/actor/next"/>526
</soap:Header>527
<soap:Body>528
<dap:QueryResponse529
xmlns:dap="urn:liberty:id-sis-dap:2006-08:dst-2. 1"530
id="dapid:aM7j4DhGRwZ69dsQPWvh"531
itemIDRef="itm:S9fdkoCcS8_PoR AhvRlt">532
<dap:Status code="OK"/>533
<dap:Data id="dapdataid:kc430k3KmG3Ju79KKFc6">534
dn: liberty-identity-based-dn JAVAPROFILE: J2ME535
</dap:Data>536
</dap:QueryResponse>537
</soap:Body>538
</soap:Envelope>539
540
541
Liberty Alliance Project
17
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
7. Schema for ID-SIS-DAP542
7.1. Summary of ID-SIS-DAP543
The ID-SIS-DAP schema may be summarized as follows.544
target(dap, urn:liberty:id-sis-dap:2006-08:dst-2.1)545
import(dst, urn:liberty:dst:2006-08, liberty-idwsf-dst-v2.1.xsd)546
import(subs, urn:liberty:ssos:2006-08, liberty-idwsf-subs-v1.0.xsd)547
import(subsref, urn:liberty:ssos:2006-08:ref, liberty-idwsf-subs-ref-v1.0.xsd)548
import(lu, urn:liberty:util:2006-08, liberty-idwsf-utility-v2.0.xsd)549
550
#sec(methods)551
Create -> %subsref:CreateType552
CreateResponse -> %subsref:CreateResponseType553
Query -> %subsref:QueryType554
QueryResponse -> %subsref:QueryResponseType555
Modify -> %subsref:ModifyType556
ModifyResponse -> %subsref:ModifyResponseType557
Delete -> %subsref:DeleteType558
DeleteResponse -> %subsref:DeleteResponseType559
Notify -> %subsref:NotifyType560
NotifyResponse -> %subsref:NotifyResponseType561
#endsec(methods)562
563
# ==========================================564
565
#sec(redefs)566
%SelectType:567
dn? -> %xs:string568
filter? -> %xs:string569
@scope? -> %xs:integer default(0)570
@sizelimit? -> %xs:integer default(0)571
@timelimit? -> %xs:integer default(0)572
@attributes? -> %xs:string573
@typesonly? -> %xs:boolean default(false)574
@derefaliases? -> %xs:integer default(0)575
;576
577
%TestOpType: base(dap:SelectType) ;578
%SortType: base(xs:string) ;579
%TriggerType: base(xs:string) ;580
%AggregationType: base(xs:string) ;581
582
%AppDataType:583
dap:LDIF584
| dap:Subscription585
;586
587
LDIF: base(xs:string)588
&@dst:localizedLeafAttributes589
;590
#endsec(redefs)591
592
# =================================== =======593
594
#sec(create)595
%CreateType: base(dst:RequestType)596
dap:Subscription*597
dap:CreateItem+598
dap:ResultQuery*599
;600
601
CreateItem -> %dap:CreateItemType602
%CreateItemType:603
dap:NewData?604
Liberty Alliance Project
18
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
&@dst:CreateItemAttributeGroup605
;606
607
NewData -> %dap:AppDataType608
609
%CreateResponseType: base(dap:DataResponseType) ;610
%DataResponseType: base(dst:DataResponseBaseType)611
dap:ItemData*612
;613
#endsec(create)614
615
# ==================================== ======616
617
#sec(query)618
%QueryType: base(dst:RequestType)619
dap:TestItem*620
dap:QueryItem*621
dap:Subscription*622
;623
624
TestItem -> %dap:TestItemType625
%TestItemType: base(dst:TestItemBaseType)626
TestOp? -> %dap:TestOpType627
;628
629
QueryItem -> %dap:QueryItemType630
%QueryItemType: base(dap:ResultQueryType)631
&@dst:PaginationAttributeGroup632
;633
#endsec(query)634
635
#sec(queryresp)636
%QueryResponseType: base(dst:DataResponseBaseType)637
dst:TestResult*638
dap:Data*639
;640
641
Data -> %dap:DataType642
%DataType: base(dap:ItemDataType)643
&@dst:PaginationResponseAttributeGroup644
;645
#endsec(queryresp)646
647
# ==========================================648
649
#sec(mod)650
%ModifyType: base(dst:RequestType)651
dap:Subscription*652
dap:ModifyItem+653
dap:ResultQuery*654
;655
656
ModifyItem -> %dap:ModifyItemType657
%ModifyItemType:658
dap:Select?659
dap:NewData?660
&@dst:ModifyItemAttributeGroup661
;662
663
%ModifyResponseType: base(dap:DataResponseType) ;664
#endsec(mod)665
666
# ==========================================667
668
#sec(del)669
%DeleteType: base(dst:RequestType)670
dap:DeleteItem+671
Liberty Alliance Project
19
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
;672
673
DeleteItem -> %dap:DeleteItemType674
%DeleteItemType: base(dst:DeleteItemBaseType)675
dap:Select?676
;677
678
%DeleteResponseType: base(lu:ResponseType) ;679
#endsec(del)680
681
# =================================== =======682
683
#sec(resqry)684
Select -> %dap:SelectType685
686
ResultQuery -> %dap:ResultQueryType687
%ResultQueryType: base(dst:ResultQueryBaseType)688
dap:Select?689
Sort? -> %dap:SortType690
;691
692
ItemData -> %dap:ItemDataType693
%ItemDataType: base(dap:AppDataType)694
&@dst:ItemDataAttributeGroup695
;696
#endsec(resqry)697
698
#sec(subscr)699
Subscription -> %dap:SubscriptionType700
%SubscriptionType: base(subs:SubscriptionType)701
dap:ResultQuery*702
Aggregation? -> %dap:AggregationType703
Trigger? -> %dap:TriggerType704
;705
#endsec(subscr)706
707
#sec(notif)708
%NotifyType: base(dst:RequestType)709
dap:Notification*710
&@subs:NotifyAttributeGroup711
;712
713
Notification -> %dap:NotificationType714
%NotificationType: base(subs:NotificationType)715
dap:ItemData*716
;717
718
%NotifyResponseType: base(subs:NotifyResponseType) ;719
#endsec(notif)720
721
#EOF722
723
7.2. Formal XML Schema for ID-SIS-DAP724
The formal ID-SIS-DAP schema follows.725
<?xml version="1.0" encoding="UTF-8"?>726
<xs:schema727
targetNamespace="urn:liberty:id-s is-dap:2006-08:dst-2.1"728
xmlns:dap="urn:liberty:id-s is-dap:2006-08:dst-2.1"729
xmlns:dst="urn:liberty:dst: 2006-08"730
xmlns:subs="urn:liberty:ssos:2006-08"731
xmlns:subsref="urn:liberty: ssos:2006-08:ref"732
xmlns:lu="urn:liberty:util:2006- 08"733
Liberty Alliance Project
20
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
xmlns:xs="http://www.w3.org/2001/XMLSchema"734
elementFormDefault="qualified"735
attributeFormDefault="unqualified">736
<xs:import namespace="urn:liberty:dst:2006-08 "737
schemaLocation="liberty-idwsf-dst-v2.1.xsd"/>738
<xs:import namespace="urn:liberty:ssos:2006-08"739
schemaLocation="liberty-idwsf-subs-v 1.0.xsd"/>740
<xs:import namespace="urn:liberty:ssos:2006 -08:ref"741
schemaLocation="liberty-idwsf-subs-ref-v1.0. xsd"/>742
<xs:import namespace="urn:liberty:util:2006-08"743
schemaLocation="liberty-idwsf-utility-v2.0.xsd"/>744
<!--sec(methods)-->745
<xs:element name="Create" type="subsref:CreateType"/>746
<xs:element name="CreateResponse" type="subsref:CreateResponseType"/>747
<xs:element name="Query" type="subsref:QueryType"/>748
<xs:element name="QueryResponse" type="subsref:QueryResponseType"/>749
<xs:element name="Modify" type="subsref:ModifyType"/>750
<xs:element name="ModifyResponse" type="subsref:ModifyResponseType"/>751
<xs:element name="Delete" type="subsref:DeleteType"/>752
<xs:element name="DeleteResponse" type="subsref:DeleteResponseType"/>753
<xs:element name="Notify" type="subsref:NotifyType"/>754
<xs:element name="NotifyResponse" type="subsref:NotifyResponseType"/>755
<!--endsec(methods)-->756
<!--sec(redefs)-->757
<xs:complexType name="SelectType">758
<xs:sequence>759
<xs:element name="dn" minOccurs="0" maxOccurs="1" type="xs:string"/>760
<xs:element name="filter" minOccurs="0" maxOccurs="1" type="xs:string"/>761
</xs:sequence>762
<xs:attribute name="scope" use="optional" type="xs:integer" default="0"/>763
<xs:attribute name="sizelimit" use="optional" type="xs:integer" default="0"/>764
<xs:attribute name="timelimit" use="optional" type="xs:integer" default="0"/>765
<xs:attribute name="attributes" use="optional" type="xs:string"/>766
<xs:attribute name="typesonly" use="optional" type="xs:boolean" default="false"/>767
<xs:attribute name="derefaliases" use="optional" type="xs:integer" default="0"/>768
</xs:complexType>769
<xs:complexType name="TestOpType">770
<xs:complexContent>771
<xs:extension base="dap:SelectType"/>772
</xs:complexContent>773
</xs:complexType>774
<xs:complexType name="SortType">775
<xs:simpleContent>776
<xs:extension base="xs:string"/>777
</xs:simpleContent>778
</xs:complexType>779
<xs:complexType name="TriggerType">780
<xs:simpleContent>781
<xs:extension base="xs:string"/>782
</xs:simpleContent>783
</xs:complexType>784
<xs:complexType name="AggregationType">785
<xs:simpleContent>786
<xs:extension base="xs:string"/>787
</xs:simpleContent>788
</xs:complexType>789
<xs:complexType name="AppDataType">790
<xs:choice>791
<xs:element ref="dap:LDIF"/>792
<xs:element ref="dap:Subscription"/>793
</xs:choice>794
</xs:complexType>795
<xs:element name="LDIF">796
<xs:complexType>797
<xs:simpleContent>798
<xs:extension base="xs:string">799
<xs:attributeGroup ref="dst:localizedLeafAttribute s"/>800
Liberty Alliance Project
21
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
</xs:extension>801
</xs:simpleContent>802
</xs:complexType>803
</xs:element>804
<!--endsec(redefs)-->805
<!--sec(create)-->806
<xs:complexType name="CreateType">807
<xs:complexContent>808
<xs:extension base="dst:RequestType">809
<xs:sequence>810
<xs:element ref="dap:Subscription" minOccurs="0" maxOccurs="unbounded"/>811
<xs:element ref="dap:CreateItem" minOccurs="1" maxOccurs="unbounded"/>812
<xs:element ref="dap:ResultQuery" minOccurs="0" maxOccurs="unbounded"/>813
</xs:sequence>814
</xs:extension>815
</xs:complexContent>816
</xs:complexType>817
<xs:element name="CreateItem" type="dap:CreateItemType"/>818
<xs:complexType name="CreateItemType">819
<xs:sequence>820
<xs:element ref="dap:NewData" minOccurs="0" maxOccurs="1"/>821
</xs:sequence>822
<xs:attributeGroup ref="dst:CreateItemAttributeGroup"/>823
</xs:complexType>824
<xs:element name="NewData" type="dap:AppDataType"/>825
<xs:complexType name="CreateResponseType">826
<xs:complexContent>827
<xs:extension base="dap:DataResponseType"/>828
</xs:complexContent>829
</xs:complexType>830
<xs:complexType name="DataResponseType">831
<xs:complexContent>832
<xs:extension base="dst:DataResponseBaseType">833
<xs:sequence>834
<xs:element ref="dap:ItemData" minOccurs="0" maxOccurs="unbounded"/>835
</xs:sequence>836
</xs:extension>837
</xs:complexContent>838
</xs:complexType>839
<!--endsec(create)-->840
<!--sec(query)-->841
<xs:complexType name="QueryType">842
<xs:complexContent>843
<xs:extension base="dst:RequestType">844
<xs:sequence>845
<xs:element ref="dap:TestItem" minOccurs="0" maxOccurs="unbounded"/>846
<xs:element ref="dap:QueryItem" minOccurs="0" maxOccurs="unbounded"/>847
<xs:element ref="dap:Subscription" minOccurs="0" maxOccurs="unbounded"/>848
</xs:sequence>849
</xs:extension>850
</xs:complexContent>851
</xs:complexType>852
<xs:element name="TestItem" type="dap:TestItemType"/>853
<xs:complexType name="TestItemType">854
<xs:complexContent>855
<xs:extension base="dst:TestItemBaseType">856
<xs:sequence>857
<xs:element name="TestOp" minOccurs="0" maxOccurs="1" type="dap:TestOpType"/>858
</xs:sequence>859
</xs:extension>860
</xs:complexContent>861
</xs:complexType>862
<xs:element name="QueryItem" type="dap:QueryItemType"/>863
<xs:complexType name="QueryItemType">864
<xs:complexContent>865
<xs:extension base="dap:ResultQueryType">866
<xs:attributeGroup ref="dst:PaginationAttributeGroup"/>867
Liberty Alliance Project
22
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
</xs:extension>868
</xs:complexContent>869
</xs:complexType>870
<!--endsec(query)-->871
<!--sec(queryresp)-->872
<xs:complexType name="QueryResponseType">873
<xs:complexContent>874
<xs:extension base="dst:DataResponseBaseType">875
<xs:sequence>876
<xs:element ref="dst:TestResult" minOccurs="0" maxOccurs="unbounded"/>877
<xs:element ref="dap:Data" minOccurs="0" maxOccurs="unbounded"/>878
</xs:sequence>879
</xs:extension>880
</xs:complexContent>881
</xs:complexType>882
<xs:element name="Data" type="dap:DataType"/>883
<xs:complexType name="DataType">884
<xs:complexContent>885
<xs:extension base="dap:ItemDataType">886
<xs:attributeGroup ref="dst:PaginationResponseAttribu teGroup"/>887
</xs:extension>888
</xs:complexContent>889
</xs:complexType>890
<!--endsec(queryresp)-->891
<!--sec(mod)-->892
<xs:complexType name="ModifyType">893
<xs:complexContent>894
<xs:extension base="dst:RequestType">895
<xs:sequence>896
<xs:element ref="dap:Subscription" minOccurs="0" maxOccurs="unbounded"/>897
<xs:element ref="dap:ModifyItem" minOccurs="1" maxOccurs="unbounded"/>898
<xs:element ref="dap:ResultQuery" minOccurs="0" maxOccurs="unbounded"/>899
</xs:sequence>900
</xs:extension>901
</xs:complexContent>902
</xs:complexType>903
<xs:element name="ModifyItem" type="dap:ModifyItemType"/>904
<xs:complexType name="ModifyItemType">905
<xs:sequence>906
<xs:element ref="dap:Select" minOccurs="0" maxOccurs="1"/>907
<xs:element ref="dap:NewData" minOccurs="0" maxOccurs="1"/>908
</xs:sequence>909
<xs:attributeGroup ref="dst:ModifyItemAttributeGroup"/>910
</xs:complexType>911
<xs:complexType name="ModifyResponseType">912
<xs:complexContent>913
<xs:extension base="dap:DataResponseType"/>914
</xs:complexContent>915
</xs:complexType>916
<!--endsec(mod)-->917
<!--sec(del)-->918
<xs:complexType name="DeleteType">919
<xs:complexContent>920
<xs:extension base="dst:RequestType">921
<xs:sequence>922
<xs:element ref="dap:DeleteItem" minOccurs="1" maxOccurs="unbounded"/>923
</xs:sequence>924
</xs:extension>925
</xs:complexContent>926
</xs:complexType>927
<xs:element name="DeleteItem" type="dap:DeleteItemType"/>928
<xs:complexType name="DeleteItemType">929
<xs:complexContent>930
<xs:extension base="dst:DeleteItemBaseType">931
<xs:sequence>932
<xs:element ref="dap:Select" minOccurs="0" maxOccurs="1"/>933
</xs:sequence>934
Liberty Alliance Project
23
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
</xs:extension>935
</xs:complexContent>936
</xs:complexType>937
<xs:complexType name="DeleteResponseType">938
<xs:complexContent>939
<xs:extension base="lu:ResponseType"/>940
</xs:complexContent>941
</xs:complexType>942
<!--endsec(del)-->943
<!--sec(resqry)-->944
<xs:element name="Select" type="dap:SelectType"/>945
<xs:element name="ResultQuery" type="dap:ResultQueryType"/>946
<xs:complexType name="ResultQueryType">947
<xs:complexContent>948
<xs:extension base="dst:ResultQueryBaseType">949
<xs:sequence>950
<xs:element ref="dap:Select" minOccurs="0" maxOccurs="1"/>951
<xs:element name="Sort" minOccurs="0" maxOccurs="1" type="dap:SortType"/>952
</xs:sequence>953
</xs:extension>954
</xs:complexContent>955
</xs:complexType>956
<xs:element name="ItemData" type="dap:ItemDataType"/>957
<xs:complexType name="ItemDataType">958
<xs:complexContent>959
<xs:extension base="dap:AppDataType">960
<xs:attributeGroup ref="dst:ItemDataAttributeGrou p"/>961
</xs:extension>962
</xs:complexContent>963
</xs:complexType>964
<!--endsec(resqry)-->965
<!--sec(subscr)-->966
<xs:element name="Subscription" type="dap:SubscriptionType"/>967
<xs:complexType name="SubscriptionType">968
<xs:complexContent>969
<xs:extension base="subs:SubscriptionType">970
<xs:sequence>971
<xs:element ref="dap:ResultQuery" minOccurs="0" maxOccurs="unbounded"/>972
<xs:element name="Aggregation" minOccurs="0" maxOccurs="1" type="dap:AggregationType"/>973
<xs:element name="Trigger" minOccurs="0" maxOccurs="1" type="dap:TriggerType"/>974
</xs:sequence>975
</xs:extension>976
</xs:complexContent>977
</xs:complexType>978
<!--endsec(subscr)-->979
<!--sec(notif)-->980
<xs:complexType name="NotifyType">981
<xs:complexContent>982
<xs:extension base="dst:RequestType">983
<xs:sequence>984
<xs:element ref="dap:Notification" minOccurs="0" maxOccurs="unbounded"/>985
</xs:sequence>986
<xs:attributeGroup ref="subs:NotifyAttributeGroup"/>987
</xs:extension>988
</xs:complexContent>989
</xs:complexType>990
<xs:element name="Notification" type="dap:NotificationType"/>991
<xs:complexType name="NotificationType">992
<xs:complexContent>993
<xs:extension base="subs:NotificationType">994
<xs:sequence>995
<xs:element ref="dap:ItemData" minOccurs="0" maxOccurs="unbounded"/>996
</xs:sequence>997
</xs:extension>998
</xs:complexContent>999
</xs:complexType>1000
<xs:complexType name="NotifyResponseType">1001
Liberty Alliance Project
24
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
<xs:complexContent>1002
<xs:extension base="subs:NotifyResponseType"/>1003
</xs:complexContent>1004
</xs:complexType>1005
<!--endsec(notif)-->1006
</xs:schema>1007
1008
1009
Liberty Alliance Project
25
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
8. WSDL for ID-SIS-DAP1010
The Abstract Web Services Description Language (WSDL) declaration for the ID-SIS-DAP follows. The declaration1011
states what is derived from [LibertyDST], namely that ID-SIS-DAP is characterized byQuery andModify operations1012
cast to the namespace of ID-SIS-DAP.1013
<?xml version="1.0" encoding="UTF-8"?>1014
<definitions1015
xmlns:typens="urn:liberty:i d-sis-dap:2006-08:dst-2.1:w sdl:interface"1016
xmlns="http://schemas.xmlsoap.org/w sdl/"1017
xmlns:xsd="http://www.w3.org/2001/XMLSchema"1018
xmlns:dap="urn:liberty:id-sis-dap:2006-08:dst- 2.1"1019
targetNamespace="urn:liberty:id-sis-dap:2006 -08:dst-2.1:wsdl:interface"1020
name="id-sis-dap_2006-08_interface">1021
<types>1022
<xsd:schema>1023
<xsd:import1024
namespace="urn:liberty:id-sis-dap:2006-08:dst-2.1"1025
schemaLocation="liberty-id-sis-dap-v1.0.xsd"/>1026
</xsd:schema>1027
</types>1028
1029
<message name="Query">1030
<part name="body" element="dap:Query"/>1031
</message>1032
<message name="QueryResponse">1033
<part name="body" element="dap:QueryResponse"/>1034
</message>1035
1036
<message name="Create">1037
<part name="body" element="dap:Create"/>1038
</message>1039
<message name="CreateResponse">1040
<part name="body" element="dap:CreateResponse"/ >1041
</message>1042
1043
<message name="Delete">1044
<part name="body" element="dap:Delete"/>1045
</message>1046
<message name="DeleteResponse">1047
<part name="body" element="dap:DeleteResponse"/>1048
</message>1049
1050
<message name="Modify">1051
<part name="body" element="dap:Modify"/>1052
</message>1053
<message name="ModifyResponse">1054
<part name="body" element="dap:ModifyResponse"/>1055
</message>1056
1057
<message name="Notify">1058
<part name="body" element="dap:Notify"/>1059
</message>1060
<message name="NotifyResponse">1061
<part name="body" element="dap:NotifyResponse"/>1062
</message>1063
1064
<portType name="IDDAPPort">1065
1066
<operation name="IDDAPQuery">1067
<input message="typens:Query"/>1068
<output message="typens:QueryResponse"/>1069
</operation>1070
1071
<operation name="IDDAPCreate">1072
<input message="typens:Create"/>1073
Liberty Alliance Project
26
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
<output message="typens:CreateResponse"/>1074
</operation>1075
1076
<operation name="IDDAPDelete">1077
<input message="typens:Delete"/>1078
<output message="typens:DeleteResponse"/>1079
</operation>1080
1081
<operation name="IDDAPModify">1082
<input message="typens:Modify"/>1083
<output message="typens:ModifyResponse"/>1084
</operation>1085
1086
<operation name="IDDAPNotify">1087
<input message="typens:Notify"/>1088
<output message="typens:NotifyRespons e"/>1089
</operation>1090
1091
</portType>1092
</definitions>1093
1094
1095
Liberty Alliance Project
27
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
References1096
Normative1097
[LibertyDisco] Cahill, Conor, Hodges, Jeff, eds. "Liberty ID-WSF Discovery Service Specification," Version 2.0-1098
errata-v1.0, Liberty Alliance Project (29 November, 2006).http://www.projectliberty.org/specs1099
[LibertyDST11] Kainulainen, Jukka, Ranganathan, Aravindan, eds. "Liberty ID-WSF Data Services Template Speci-1100
fication," Version 1.1, Liberty Alliance Project (14 December 2004).http://www.projectliberty.org/specs/1101
[LibertyDST] Kellomäki, Sampo, Kainulainen, Jukka, eds. "Liberty ID-WSF Data Services Template," Version 2.1,1102
Liberty Alliance Project (30 July, 2006).http://www.projectliberty.org/specs1103
[LibertyIDPP] Kellomäki, Sampo, Lockhart, Rob, eds. "Liberty ID-SIS Personal Profile Service Specification,"1104
Version 1.1, Liberty Alliance Project (29 September, 2005).http://www.projectliberty.org/specs1105
[LibertyInteract11] Aarts, Robert, eds. "Liberty ID-WSF Interaction Service Specification," Version 1.1, Liberty1106
Alliance Project (14 December 2004).http://www.projectliberty.org/specs1107
[LibertyProtSchema] Cantor, Scott, Kemp, John, eds. "Liberty ID-FF Protocols and Schema Specification," Version1108
1.2-errata-v3.0, Liberty Alliance Project (14 December 2004).http://www.projectliberty.org/specs1109
[LibertyReg] Kemp, John, eds. "Liberty Enumeration Registry Governance," Version 1.1, Liberty Alliance Project (141110
December, 2004).http://www.projectliberty.org/specs1111
[LibertySOAPBinding] Hodges, Jeff, Kemp, John, Aarts, Robert, Whitehead, Greg, Madsen, Paul, eds. "Liberty1112
ID-WSF SOAP Binding Specification," Version 2.0-errata-v1.0, Liberty Alliance Project (21 April, 2007).1113
http://www.projectliberty.org/specs1114
[LibertySUBS] Kellomäki, Sampo, eds. "Liberty ID-WSF Subscriptions and Notifications," Version 1.0, Liberty1115
Alliance Project (30 July, 2006).http://www.projectliberty.org/specs1116
[RFC2119] S. Bradner "Key words for use in RFCs to Indicate Requirement Levels," RFC 2119, The Internet1117
Engineering Task Force (March 1997).http://www.ietf.org/rfc/rfc2119.txt1118
[RFC2251] "Lightweight Directory Access Protocol (v3)," M. Wahl T. Howes S. Kille (December 1997). RFC 2251,1119
Internet Engineering Task Forcehttp://www.ietf.org/rfc/rfc2251.txt1120
[RFC2252] "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions," M. Wahl A.1121
Coulbeck T. Howes S. Kille (December 1997). RFC 2252, Internet Engineering Task Force1122
http://www.ietf.org/rfc/rfc2252.txt1123
[RFC2254] "The String Representation of LDAP Search Filters," T. Howes (December 1997). RFC 2254, Internet1124
Engineering Task Forcehttp://www.ietf.org/rfc/rfc2254.txt1125
[RFC2696] "LDAP Control Extension for Simple Paged Results Manipulation," C. Weider A. Herron A. Anantha T.1126
Howes (September 1997). RFC 2696, Internet Engineering Task Forcehttp://www.ietf.org/rfc/rfc2696.txt1127
[RFC2849] Good, G., eds. (June 2000). "The LDAP Data Interchange Format (LDIF) - Technical Specification,"1128
RFC 2828, Internet Engineering Task Forcehttp://www.ietf.org/rfc/rfc2849.txt1129
[RFC2891] Howes, T., Wahl, M., eds. (August 2000). "LDAP Control Extension for Server Side Sorting of Search1130
Results," RFC 2891, Internet Engineering Task Forcehttp://www.ietf.org/rfc/rfc2891.txt1131
Liberty Alliance Project
28
Liberty Alliance Project: Version: 1.0Liberty ID-SIS Directory Access Protocol
[LDAPPSearch] Smith, M., Good, G., Howes, T., Weltman, R., eds. (06 August, 1998). "Persistent Search: A Simple1132
LDAP Change Notification Mechanism (expired, WIP)," Internet-Draft, The Internet Engineering Task Force1133
http://www.ietf.org/proceedings/98aug/I-D/draft-ietf-ldapext-psearch-01.txt1134
[LDAPVLV] Boreham, D., Sermersheim, J., Kashi, A., eds. (November, 2002). "LDAP Extensions for Scrolling1135
View Browsing of Search Results (expired, WIP)," Internet-Draft, The Internet Engineering Task Force1136
http://www.ietf.org/proceedings/02nov/I-D/draft-ietf-ldapext-ldapv3-vlv-09.txt1137
[LDAPproxyauth] Weltman, Rob, eds. (June, 2005). "LDAP Proxied Authorization Control (WIP)," Internet-Draft,1138
The Internet Engineering Task Forcehttp://www.ietf.org/internet-drafts/draft-weltman-ldapv3-proxy-13.txt1139
[Schema1-2] Thompson, Henry S., Beech, David, Maloney, Murray, Mendelsohn, Noah, eds. (28 October1140
2004). "XML Schema Part 1: Structures Second Edition," Recommendation, World Wide Web Consortium1141
http://www.w3.org/TR/xmlschema-1/1142
[XML] Bray, Tim, Paoli, Jean, Sperberg-McQueen, C. M., Maler, Eve, Yergeau, Francois, eds. (04 February 2004).1143
"Extensible Markup Language (XML) 1.0 (Third Edition)," Recommendation, World Wide Web Consortium1144
http://www.w3.org/TR/2004/REC-xml-200402041145
[XPATH] Clark , J., DeRose , S., eds. (16 November 1999). "XML Path Language (XPath) Version 1.0 ,"1146
Recommendation, W3Chttp://www.w3.org/TR/xpath[August 2003].1147
Informative1148
[LibertyIDWSFGuide10] Weitzel, David, eds. (22 May 2005). "Liberty ID-WSF Implementation Guideline," Draft1149
v1.0-12, Liberty Alliance Projecthttp://www.projectliberty.org/specs/1150
[LibertyIDPPGuide] Kellomäki, Sampo, Lockhart, Rob, eds. "Liberty ID-SIS Personal Profile Service Implementation1151
Guidelines," Version 1.1, Liberty Alliance Project (29 September, 2005).http://www.projectliberty.org/specs1152
[LibertyIDWSFOverview] Tourzan, Jonathan, Koga, Yuzo, eds. "Liberty ID-WSF Web Services Framework1153
Overview," Version 2.0, Liberty Alliance Project (30 July, 2006).http://www.projectliberty.org/specs1154
Liberty Alliance Project
29