I spent a good amount of time in November and December focusing on the WAVES solution that was demonstrated at the TMForum’s Management Americas show. WAVES is a multi-industry effort to develop a reference architecture allowing a consumer to access content over the Internet and view content over multiple devices. WAVES requires coordination between multiple entities: media companies providing content (content providers); communications service providers (CSPs) who provide access to content; companies that provide content delivery networks (CDNs) that support the fast streaming of video content; and platform technology companies that offer devices that the user interacts with and Internet-scale operating systems that provide the technologies that allow for the coordination of the disparate parts of the solution. Microsoft has been sponsoring the TM Forum Dynamic (Syndicated) Content Delivery Catalyst to help drive this initiative.
My focus on this project was the authentication and authorization mechanism for the solution. WAVES used the technology stack formerly known as ‘Geneva’ - Windows Identity Foundation (WIF), Active Directory Federation Services 2.0 (AD FS 2.0), and Cardspaces.
The ‘Geneva’ solution is based on open standards like version 2 of the Security Assertion Markup Language (SAML 2.0) OASIS standard to provide single-sign on between multiple Identity Providers and Multiple Content Providers. SAML has wide industry support from companies like Microsoft, Sun, Computer Associates and RSA. There is also open-source support for SAML, like the OpenSAML project. The key features of SAML 2.0 that helps support this scenario are: (1) content provider initiated Web SSO exchanges in which the content provider queried the identity provider for user authentication; and (2) single logout functionality.
SAML consists of four components: assertions; protocols; bindings; and profiles. Each of these components needs to be defined for any particular implementation. SAML assertions define the transaction between an identity provider and content provider in this scenario. SAML protocols define how assertions are communicated between content providers and the identity providers. SAML bindings map the SAML protocol to the lower-level network communications protocol. SAML profiles dictate how the assertion, protocol and binding work together to provide SSO.
For the WAVES scenario, we will use the Web Browser SSO Profile. The Web Browser SSO Profile defines all assertion information to be sent to the content provider at once. This protocol uses the Authentication Request Protocol which defines how a service provider can request an assertion that contains attribute statements. This profile also uses the HTTP Post binding.
To learn more about the project go to the Dynamic (Syndicated) Content Delivery web site. The WAVES whitepaper posted at the bottom of this blog.