334 lines
15 KiB
XML
334 lines
15 KiB
XML
<?xml version="1.0"?>
|
|
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"
|
|
[
|
|
<!ENTITY % local.common.attrib "xmlns:xi CDATA #FIXED 'http://www.w3.org/2003/XInclude'">
|
|
<!ENTITY % gtkdocentities SYSTEM "xml/gtkdocentities.ent">
|
|
%gtkdocentities;
|
|
]>
|
|
<book id="index" xmlns:xi="http://www.w3.org/2003/XInclude">
|
|
<bookinfo>
|
|
<title>&package_name; Reference Manual</title>
|
|
<releaseinfo>
|
|
for &package_string;.
|
|
The latest version of this documentation can be found on-line at
|
|
<ulink role="online-location" url="http://lasso.entrouvert.org/documentation/index.html">http://lasso.entrouvert.org/documentation/index.html</ulink>.
|
|
</releaseinfo>
|
|
|
|
<legalnotice>
|
|
<para>
|
|
Permission is granted to copy, distribute and/or modify this document
|
|
under the terms of the GNU General Public License as published by the
|
|
Free Software Foundation; either version 2 of the License, or (at your
|
|
option) any later version.
|
|
</para>
|
|
</legalnotice>
|
|
|
|
<copyright>
|
|
<year>2004, 2005, 2006, 2007, 2008, 2009, 2010</year>
|
|
<holder>Entr'ouvert</holder>
|
|
</copyright>
|
|
|
|
</bookinfo>
|
|
|
|
<chapter id="lasso">
|
|
<title>Lasso & Liberty Alliance Overview</title>
|
|
<para>
|
|
Lasso is a library which provides all the necessary functions for sites to
|
|
implement <ulink url="http://www.projectliberty.org">Liberty Alliance</ulink>
|
|
specifications. It defines processes for federated identities, single sign-on
|
|
and related protocols.
|
|
</para>
|
|
|
|
<para>
|
|
Founded in 2001 by Sun in order to propose an alternative to the
|
|
Microsoft Passport project, the consortium Liberty Alliance aims to
|
|
promote an infrastructure of standards allowing the management of
|
|
federated identities between several services or systems.
|
|
</para>
|
|
|
|
<para>
|
|
|
|
A federated identity (or network identity) of an individual or a legal entity
|
|
on Internet gather at the same time:
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
Its identification (name, co-ordinates, preferences, history...);
|
|
</listitem>
|
|
<listitem>
|
|
Its authentication (which guarantees the validity of an identity);
|
|
</listitem>
|
|
<listitem>
|
|
Its authorisations (access rights to information, access rights to
|
|
services).
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
|
|
<para>
|
|
Liberty standards aims to give more coherence to a network identity
|
|
which is scattered (numerous logins and passwords) today. This identity
|
|
becomes frequently delicate to manage, both for customers and businesses.
|
|
</para>
|
|
|
|
<para>
|
|
The Liberty Alliance specifications define three types of actors:
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
The user, person or entity who can acquire an identity;
|
|
</listitem>
|
|
<listitem>
|
|
The identity provider which creates and manages the identity of
|
|
the users, and authenticates them to the service providers;
|
|
</listitem>
|
|
<listitem>
|
|
The service provider who provides services to the users once that
|
|
they have authenticated to an identity provider.
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
|
|
<para>
|
|
One calls circle of trust a grouping of identity providers and service
|
|
providers which agreed to share (to federate) the identity of their users.
|
|
</para>
|
|
|
|
<para>
|
|
Contrary to most other implementations of Liberty Alliance, Lasso is not a
|
|
full-fedged system but a simple C library, with complete bindings for Java,
|
|
Perl, PHP and Python. The integration work should largely be facilitated.
|
|
An existing site should be able to integrate it in a few days of
|
|
development, without calling into question its architecture. Lasso is a
|
|
library written in C Language.
|
|
</para>
|
|
|
|
<para>
|
|
Lasso is built on top of <ulink url="http://www.xmlsoft.org">libxml2</ulink>,
|
|
<ulink url="http://www.aleksey.com/xmlsec/">XMLSec</ulink> and
|
|
<ulink url="http://www.openssl.org">OpenSSL</ulink> and is licensed under
|
|
the <ulink url="http://lasso.entrouvert.org/license">GNU General Public License</ulink>
|
|
(with an <ulink url="http://lasso.entrouvert.org/license#openssl">OpenSSL exception</ulink>).
|
|
</para>
|
|
|
|
</chapter>
|
|
|
|
<reference label="I">
|
|
<title>Application Programming Interface</title>
|
|
<chapter id="architecture">
|
|
<title>Lasso Architecture</title>
|
|
<para>Lasso handle the concepts of providers sharing identities, that can
|
|
enable the creation of sessions following an authentication. The
|
|
current provider is represented by the <link linkend="#lasso-LassoServer">LassoServer</link> object, which
|
|
inherit from the <link linkend="lasso-LassoProvider">LassoProvider</link>. All known providers to the current
|
|
provider must be registered inside the <link linkend="lasso-LassoServer">LassoServer</link> object. Some
|
|
providers are identity providers, by sending authentication request
|
|
you can establish federation, materialised by <link linkend="lasso-LassoFederation">LassoFederation</link>
|
|
objects, between identity stored by the identity provider and
|
|
another stored by the current provider. Those federation are stored
|
|
in the <link linkend="lasso-LassoIdentity">LassoIdentity</link> object. Each time an authentication is done,
|
|
an assertion reprenting it is stored in the <link linkend="lasso-LassoSession">LassoSession</link> object.
|
|
They are stored in a map, keyed by the originating identity
|
|
provider, see lasso_session_get_assertion().
|
|
</para>
|
|
<para>Protocols from the ID-FF 1.2 or the SAML 2.0 family are represented
|
|
by object whose class inherit from <link linkend="lasso-LassoProfile">LassoProfile</link>. The constructor
|
|
of those profile objects needs a <link linkend="lasso-LassoServer">LassoServer</link>, and eventually a
|
|
<link linkend="lasso-LassoIdentity">LassoIdentity</link> and a <link linkend="lasso-LassoSession">LassoSession</link>.
|
|
</para>
|
|
<xi:include href="xml/server.xml"/>
|
|
<xi:include href="xml/provider.xml"/>
|
|
<xi:include href="xml/identity.xml"/>
|
|
<xi:include href="xml/federation.xml"/>
|
|
<xi:include href="xml/session.xml"/>
|
|
<xi:include href="xml/profile.xml"/>
|
|
<xi:include href="xml/errors.xml"/>
|
|
<para><link linkend="lasso-LassoNode">LassoNode</link> is the base class for all Lasso classes, it gives XML serialization and deserialization support to all of them.</para>
|
|
<xi:include href="xml/node.xml"/>
|
|
<para>The <link linkend="lasso-LassoMiscTextNode">LassoMiscTextNode</link> allows to represent miscellenaous nodes for whose no mapping to a specific <link linkend="GObjectClass">GObjectClass</link> exists.</para>
|
|
<xi:include href="xml/strings.xml"/>
|
|
<xi:include href="xml/registry.xml"/>
|
|
<xi:include href="xml/misc_text_node.xml"/>
|
|
</chapter>
|
|
|
|
<chapter id="idff">
|
|
<title>Identity Federation Framework - ID-FF 1.2 profiles</title>
|
|
<xi:include href="xml/login.xml"/>
|
|
<xi:include href="xml/logout.xml"/>
|
|
<xi:include href="xml/defederation.xml"/>
|
|
<xi:include href="xml/name_registration.xml"/>
|
|
<xi:include href="xml/name_identifier_mapping.xml"/>
|
|
<xi:include href="xml/lecp.xml"/>
|
|
</chapter>
|
|
|
|
<chapter id="xml-idff">
|
|
<title>Objects from ID-FF 1.2 schemas</title>
|
|
|
|
<xi:include href="xml/id_ff_strings.xml"/>
|
|
<xi:include href="xml/lib_assertion.xml"/>
|
|
<xi:include href="xml/lib_authentication_statement.xml"/>
|
|
<xi:include href="xml/lib_authn_context.xml"/>
|
|
<xi:include href="xml/lib_authn_request_envelope.xml"/>
|
|
<xi:include href="xml/lib_authn_request.xml"/>
|
|
<xi:include href="xml/lib_authn_response_envelope.xml"/>
|
|
<xi:include href="xml/lib_authn_response.xml"/>
|
|
<xi:include href="xml/lib_federation_termination_notification.xml"/>
|
|
<xi:include href="xml/lib_idp_entries.xml"/>
|
|
<xi:include href="xml/lib_idp_entry.xml"/>
|
|
<xi:include href="xml/lib_idp_list.xml"/>
|
|
<xi:include href="xml/lib_logout_request.xml"/>
|
|
<xi:include href="xml/lib_logout_response.xml"/>
|
|
<xi:include href="xml/lib_name_identifier_mapping_request.xml"/>
|
|
<xi:include href="xml/lib_name_identifier_mapping_response.xml"/>
|
|
<xi:include href="xml/lib_register_name_identifier_request.xml"/>
|
|
<xi:include href="xml/lib_register_name_identifier_response.xml"/>
|
|
<xi:include href="xml/lib_request_authn_context.xml"/>
|
|
<xi:include href="xml/lib_scoping.xml"/>
|
|
<xi:include href="xml/lib_status_response.xml"/>
|
|
<xi:include href="xml/lib_subject.xml"/>
|
|
<xi:include href="xml/paos_request.xml"/>
|
|
<xi:include href="xml/paos_response.xml"/>
|
|
<xi:include href="xml/saml_advice.xml"/>
|
|
<xi:include href="xml/saml_assertion.xml"/>
|
|
<xi:include href="xml/saml_attribute_designator.xml"/>
|
|
<xi:include href="xml/saml_attribute_statement.xml"/>
|
|
<xi:include href="xml/saml_attribute_value.xml"/>
|
|
<xi:include href="xml/saml_attribute.xml"/>
|
|
<xi:include href="xml/saml_audience_restriction_condition.xml"/>
|
|
<xi:include href="xml/saml_authentication_statement.xml"/>
|
|
<xi:include href="xml/saml_authority_binding.xml"/>
|
|
<xi:include href="xml/saml_condition_abstract.xml"/>
|
|
<xi:include href="xml/saml_conditions.xml"/>
|
|
<xi:include href="xml/saml_name_identifier.xml"/>
|
|
<xi:include href="xml/samlp_request_abstract.xml"/>
|
|
<xi:include href="xml/samlp_request.xml"/>
|
|
<xi:include href="xml/samlp_response_abstract.xml"/>
|
|
<xi:include href="xml/samlp_response.xml"/>
|
|
<xi:include href="xml/samlp_status_code.xml"/>
|
|
<xi:include href="xml/samlp_status.xml"/>
|
|
<xi:include href="xml/saml_statement_abstract.xml"/>
|
|
<xi:include href="xml/saml_subject_confirmation.xml"/>
|
|
<xi:include href="xml/saml_subject_locality.xml"/>
|
|
<xi:include href="xml/saml_subject_statement_abstract.xml"/>
|
|
<xi:include href="xml/saml_subject_statement.xml"/>
|
|
<xi:include href="xml/saml_subject.xml"/>
|
|
</chapter>
|
|
|
|
<chapter id="saml2">
|
|
<title>SAML 2.0 Single Sign On profiles</title>
|
|
<para>
|
|
The profile <link linkend="lasso-login">LassoLogin</link> and <link linkend="lasso-LassoLogout">LassoLogout</link> are shared between SAML
|
|
2.0 and ID-FF 1.2, depending on the declared protocol support,
|
|
Lasso will create request respecting the chosen standard. Beware
|
|
that initialization of the <link linkend="lasso-LassoLogin">LassoLogin</link> object, after construction,
|
|
differ between the two stacks of profiles. The
|
|
<link linkend="lasso-LassoNameIdManagement">LassoNameIdManagement</link> profile replace the nearly equivalent
|
|
<link linkend="lasso-LassoDefederation">LassoDefederation</link> profile from ID-FF 1.2.
|
|
</para>
|
|
|
|
<xi:include href="xml/assertion_query.xml"/>
|
|
<xi:include href="xml/name_id_management.xml"/>
|
|
<xi:include href="xml/ecp.xml"/>
|
|
<xi:include href="xml/saml2_utils.xml"/>
|
|
|
|
</chapter>
|
|
|
|
<chapter id="xml-samlv2">
|
|
<title>Objects from SAML 2.0 schemas</title>
|
|
|
|
|
|
<xi:include href="xml/saml2_strings.xml"/>
|
|
<xi:include href="xml/saml2_action.xml"/>
|
|
<xi:include href="xml/saml2_advice.xml"/>
|
|
<xi:include href="xml/saml2_assertion.xml"/>
|
|
<xi:include href="xml/saml2_attribute_statement.xml"/>
|
|
<xi:include href="xml/saml2_attribute_value.xml"/>
|
|
<xi:include href="xml/saml2_attribute.xml"/>
|
|
<xi:include href="xml/saml2_audience_restriction.xml"/>
|
|
<xi:include href="xml/saml2_authn_context.xml"/>
|
|
<xi:include href="xml/saml2_authn_statement.xml"/>
|
|
<xi:include href="xml/saml2_authz_decision_statement.xml"/>
|
|
<xi:include href="xml/saml2_base_idabstract.xml"/>
|
|
<xi:include href="xml/saml2_condition_abstract.xml"/>
|
|
<xi:include href="xml/saml2_conditions.xml"/>
|
|
<xi:include href="xml/saml2_encrypted_element.xml"/>
|
|
<xi:include href="xml/saml2_evidence.xml"/>
|
|
<xi:include href="xml/saml2_key_info_confirmation_data.xml"/>
|
|
<xi:include href="xml/saml2_name_id.xml"/>
|
|
<xi:include href="xml/saml2_one_time_use.xml"/>
|
|
<xi:include href="xml/saml2_proxy_restriction.xml"/>
|
|
<xi:include href="xml/saml2_statement_abstract.xml"/>
|
|
<xi:include href="xml/saml2_subject_confirmation_data.xml"/>
|
|
<xi:include href="xml/saml2_subject_confirmation.xml"/>
|
|
<xi:include href="xml/saml2_subject_locality.xml"/>
|
|
<xi:include href="xml/saml2_subject.xml"/>
|
|
<xi:include href="xml/samlp2_artifact_resolve.xml"/>
|
|
<xi:include href="xml/samlp2_artifact_response.xml"/>
|
|
<xi:include href="xml/samlp2_assertion_id_request.xml"/>
|
|
<xi:include href="xml/samlp2_attribute_query.xml"/>
|
|
<xi:include href="xml/samlp2_authn_query.xml"/>
|
|
<xi:include href="xml/samlp2_authn_request.xml"/>
|
|
<xi:include href="xml/samlp2_authz_decision_query.xml"/>
|
|
<xi:include href="xml/samlp2_extensions.xml"/>
|
|
<xi:include href="xml/samlp2_idp_entry.xml"/>
|
|
<xi:include href="xml/samlp2_idp_list.xml"/>
|
|
<xi:include href="xml/samlp2_logout_request.xml"/>
|
|
<xi:include href="xml/samlp2_logout_response.xml"/>
|
|
<xi:include href="xml/samlp2_manage_name_id_request.xml"/>
|
|
<xi:include href="xml/samlp2_manage_name_id_response.xml"/>
|
|
<xi:include href="xml/samlp2_name_id_mapping_request.xml"/>
|
|
<xi:include href="xml/samlp2_name_id_mapping_response.xml"/>
|
|
<xi:include href="xml/samlp2_name_id_policy.xml"/>
|
|
<xi:include href="xml/samlp2_request_abstract.xml"/>
|
|
<xi:include href="xml/samlp2_requested_authn_context.xml"/>
|
|
<xi:include href="xml/samlp2_response.xml"/>
|
|
<xi:include href="xml/samlp2_scoping.xml"/>
|
|
<xi:include href="xml/samlp2_status_code.xml"/>
|
|
<xi:include href="xml/samlp2_status_detail.xml"/>
|
|
<xi:include href="xml/samlp2_status_response.xml"/>
|
|
<xi:include href="xml/samlp2_status.xml"/>
|
|
<xi:include href="xml/samlp2_subject_query_abstract.xml"/>
|
|
<xi:include href="xml/samlp2_terminate.xml"/>
|
|
<xi:include href="xml/ecp_request.xml"/>
|
|
<xi:include href="xml/ecp_response.xml"/>
|
|
<xi:include href="xml/ecp_relaystate.xml"/>
|
|
</chapter>
|
|
|
|
<chapter id="soap">
|
|
<title>Object from the SOAP 1.1 schemas</title>
|
|
<xi:include href="xml/soap_body.xml"/>
|
|
<xi:include href="xml/soap_detail.xml"/>
|
|
<xi:include href="xml/soap_envelope.xml"/>
|
|
<xi:include href="xml/soap_fault.xml"/>
|
|
<xi:include href="xml/soap_header.xml"/>
|
|
<xi:include href="xml/soap_strings.xml"/>
|
|
</chapter>
|
|
|
|
<chapter id="xml-dsig">
|
|
<title>Object from the XML-DSIG schemas</title>
|
|
<xi:include href="xml/ds_key_info.xml"/>
|
|
<xi:include href="xml/ds_key_value.xml"/>
|
|
<xi:include href="xml/ds_rsa_key_value.xml"/>
|
|
<xi:include href="xml/dsig_strings.xml"/>
|
|
</chapter>
|
|
|
|
</reference>
|
|
|
|
<index id="api-index-full">
|
|
<title>API Index</title>
|
|
<xi:include href="xml/api-index-full.xml"><xi:fallback /></xi:include>
|
|
</index>
|
|
|
|
<index id="deprecated-api-index" role="deprecated">
|
|
<title>Index of deprecated API</title>
|
|
<xi:include href="xml/api-index-deprecated.xml"><xi:fallback /></xi:include>
|
|
</index>
|
|
|
|
<index id="api-index-2-3" role="2.3">
|
|
<title>Index of new API in 2.3</title>
|
|
<xi:include href="xml/api-index-2.3.xml"><xi:fallback /></xi:include>
|
|
</index>
|
|
<xi:include href="xml/annotation-glossary.xml"><xi:fallback /></xi:include>
|
|
</book>
|