WebID+TLS+Delegation extends WebID+TLS authentication with delegation: a user accessing a Virtuoso resource delegates identity authentication to the software agent that actually interacts with the resource on the user's behalf.
In all cases the software agent is identified by a WebID.
The semantics of this kind of delegated identity authentication are expressed through reciprocal relationship types such as onBehalfOf, represented by RDF statements stored in the WebID profile documents of the user(s) and of the software agent.
The process is as follows:
- The delegate's (i.e. the software agent's) credentials, an X.509 certificate and its private key, are used to complete the TLS handshake.
- Following a successful TLS handshake, the reciprocal relationships in the user's and the agent's profile documents are verified by following them to locate the public key that was used in the handshake; the delegation is accepted only if the key the agent proved possession of is the key published in the profile documents for its WebID.
- Resource access is granted following successful evaluation of the attribute-based access control lists (ABAC ACLs) associated with the WebID of the user on whose behalf the agent acts (e.g. when connecting through isql, the user is identified by the WebID passed as the value of the -W option, or via the /delegate connection attribute).
The primary benefit of WebID authentication delegation is that a single X.509 certificate can function as the identity card for a software agent used by many users, each of whom is uniquely identified by their own WebID, which is the target of the ABAC ACLs.
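The verification steps above, as an added example that is not Virtuoso's own code: the TLS handshake result and the HTTPS dereferencing of profile documents are replaced by in-memory stand-ins so the trust logic can be run offline. The profile documents, WebIDs and RSA modulus are constructed for the example. The page only names onBehalfOf; the namespace IRI used for it and the reverse predicate hasDelegate asserted in the user's profile are assumptions made here to model the "reciprocal" statement.

```python
"""Simulated WebID+TLS+Delegation check: agent key -> agent profile -> reciprocal user profile."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]

CERT = "http://www.w3.org/ns/auth/cert#"                 # W3C cert ontology
OPLCERT = "http://www.openlinksw.com/schemas/cert#"      # ASSUMED namespace for onBehalfOf
CERT_KEY, CERT_MODULUS, CERT_EXPONENT = CERT + "key", CERT + "modulus", CERT + "exponent"
ON_BEHALF_OF = OPLCERT + "onBehalfOf"   # agent profile -> user (named on the page)
HAS_DELEGATE = OPLCERT + "hasDelegate"  # user profile -> agent (ASSUMED reciprocal predicate)

# Minimal N-Triples reader: IRIs, blank nodes and (typed) literals, one triple per line.
_TERM = r'(<[^>]*>|_:\S+|"(?:[^"\\]|\\.)*"(?:\^\^<[^>]*>|@[A-Za-z-]+)?)'
_NT_LINE = re.compile(rf'^{_TERM}\s+<([^>]*)>\s+{_TERM}\s*\.$')


def _term(t: str) -> str:
    if t.startswith("<"):
        return t[1:-1]                    # IRI without angle brackets
    if t.startswith('"'):
        return t[1:t.rfind('"')]          # lexical form; datatype/language tag dropped
    return t                              # blank node label


def parse_ntriples(doc: str) -> Set[Triple]:
    triples: Set[Triple] = set()
    for raw in doc.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _NT_LINE.match(line)
        if not m:
            raise ValueError(f"bad N-Triples line: {raw!r}")
        triples.add((_term(m.group(1)), m.group(2), _term(m.group(3))))
    return triples


@dataclass
class ClientCert:
    """What the server learns from the client certificate after a completed TLS handshake."""
    san_uris: List[str]      # subjectAltName URIs, i.e. the candidate WebIDs
    modulus_hex: str         # RSA modulus as hexBinary
    exponent: int


class DelegationError(Exception):
    pass


def fetch_profile(webid: str, profiles: Dict[str, str]) -> Set[Triple]:
    """Stand-in for dereferencing the WebID over HTTPS (fragment stripped to get the document)."""
    doc = profiles.get(webid.split("#", 1)[0])
    if doc is None:
        raise DelegationError(f"profile document for {webid} not available")
    return parse_ntriples(doc)


def key_published(graph: Set[Triple], webid: str, cert: ClientCert) -> bool:
    """True if the profile lists the handshake key (modulus+exponent) as a cert:key of webid."""
    want = cert.modulus_hex.lower().lstrip("0")   # normalise case and leading zero bytes
    for s, p, key in graph:
        if s != webid or p != CERT_KEY:
            continue
        mods = {o.lower().lstrip("0") for ks, kp, o in graph if ks == key and kp == CERT_MODULUS}
        exps = {int(o) for ks, kp, o in graph if ks == key and kp == CERT_EXPONENT}
        if want in mods and cert.exponent in exps:
            return True
    return False


def verify_delegation(cert: ClientCert, claimed_user: str, profiles: Dict[str, str]) -> str:
    """Return the user WebID whose ACLs apply, or raise DelegationError."""
    agent, agent_graph = None, set()
    for uri in cert.san_uris:                     # 1. ordinary WebID+TLS for the agent itself
        agent_graph = fetch_profile(uri, profiles)
        if key_published(agent_graph, uri, cert):
            agent = uri
            break
    if agent is None:
        raise DelegationError("no SAN WebID publishes the certificate's public key")
    if (agent, ON_BEHALF_OF, claimed_user) not in agent_graph:   # 2. agent claims the user
        raise DelegationError(f"{agent} does not claim onBehalfOf {claimed_user}")
    user_graph = fetch_profile(claimed_user, profiles)           # 3. user reciprocates; without
    if (claimed_user, HAS_DELEGATE, agent) not in user_graph:    #    this a rogue agent key could
        raise DelegationError(f"{claimed_user} has not delegated to {agent}")  # name any user
    return claimed_user


# Constructed sample data (not real services or keys).
AGENT = "https://agent.example/app#this"
ALICE = "https://alice.example/profile#me"
BOB = "https://bob.example/profile#me"
CAROL = "https://carol.example/profile#me"
MODULUS = "c4f3a1b2d9e8f70011223344556677889900aabbccddeeff0123456789abcdef"
XSD = "http://www.w3.org/2001/XMLSchema#"
PROFILES = {
    "https://agent.example/app": f"""
<{AGENT}> <{CERT_KEY}> _:k .
_:k <{CERT_MODULUS}> "{MODULUS}"^^<{XSD}hexBinary> .
_:k <{CERT_EXPONENT}> "65537"^^<{XSD}integer> .
<{AGENT}> <{ON_BEHALF_OF}> <{ALICE}> .
<{AGENT}> <{ON_BEHALF_OF}> <{BOB}> .
""",
    "https://alice.example/profile": f"<{ALICE}> <{HAS_DELEGATE}> <{AGENT}> .\n",
    "https://bob.example/profile": "# Bob never delegated to the agent.\n",
    "https://carol.example/profile": f"<{CAROL}> <{HAS_DELEGATE}> <{AGENT}> .\n",
}
HANDSHAKE_CERT = ClientCert([AGENT], "00" + MODULUS, 65537)   # leading 00 as DER would encode it


def outcome(cert: ClientCert, user: str, profiles: Dict[str, str] = PROFILES) -> str:
    try:
        return "accepted " + verify_delegation(cert, user, profiles)
    except DelegationError as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who, "->", outcome(HANDSHAKE_CERT, who))
```

Only Alice is accepted: Bob's case shows why the reciprocal statement matters (the agent names Bob, but Bob's profile never named the agent), Carol's shows the opposite gap, and a certificate whose key is not published for the agent's WebID fails before any delegation statement is consulted. In the real deployment the three lookups are HTTPS dereferences, so the usual WebID-TLS caveats on transport security and profile integrity apply to each hop.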
The following notes detail how to configure and test WebID+TLS+Delegation.
- Virtuoso Server WebID+TLS+Delegation Setup
- Software Agent & WebID Profile Document Creation
- WebID+TLS+Delegation VAL ACL Creation
- WebID+TLS+Delegation ACL Testing
- Virtuoso WebID+TLS+Delegation Usage Guide
- Virtuoso Authentication Layer (VAL) - What, Why and How
- Virtuoso Authentication Layer - ACL System QuickStart Guide
- Using X509 Certificates With ODBC Connection