VOS.VirtWTDStepByStepConfigGuide

Virtuoso WebID+TLS+Delegation Step by Step Configuration Guide

WebID+TLS+Delegation provides WebID authentication delegation whereby a user accessing a Virtuoso resource delegates identity authentication to an actual software agent that interacts with the resource. In all cases the software agent is identified by a WebID. The semantics of this kind of delegated identity authentication is expressed through reciprocal relationship types hasIdentityDelegate and onBehalfOf represented by RDF statements stored in WebID profile documents of user(s) and software agents.

How it works

The process is as follows:

1. Delegate's credentials (X.509 certificate and private key) are used to complete the basic TLS-handshake
2. Following successful TLS-handshake the reciprocal relationships in the users profile documents are verified by using them to locate the public key that was used successfully in the TLS-handshake
3. Resource access is granted following successful evaluation of Attribute-based based ACLs (ABAC) associated with the WebID of a given user (e.g. if connecting through isql, the user is identified by the WebID provided as the value of the -W option used with ISQL or /delegate connection attribute.

The primary benefit of WebID authentication delegation is that a single X.509 certificate can function as the identity card for a software agent used by many users, each of which is uniquely identified by their own WebIDs which are the targets of ABAC-based ACLs.

The following notes detail how to configure and test WebID+TLS+Delegation.

• Virtuoso Server WebID+TLS+Delegation Setup
• Software Agent & WebID Profile Document Creation
• WebID+TLS+Delegation VAL ACL Creation
• WebID+TLS+Delegation ACL Testing
• Using Named Graph for hosting WebID Profile Document Data

Related

• Virtuoso WebID+TLS+Delegation Usage Guide
• Virtuoso Authentication Layer (VAL) - What, Why and How
• Virtuoso Authentication Layer - ACL System QuickStart Guide
• Using X509 Certificates With ODBC Connection