infocard support in simplesamlphp enrique de la hoz, diego r. l ó pez, antonio garc í a, samuel mu...
Post on 18-Dec-2015
214 views
TRANSCRIPT
Infocard Artifact with a unique identifier
from an identity provider that users can employ to visualize their digital relationship with the identity provider in user interfaces and request security tokens with claims from the identity provider.
An Information Card is a XML document that can be used as an artifact to get security tokens containing the value of the requested claims
Token agnostic: OpenID SAML1.1
Claims-based application Build upon WS-* protocols
Infocard support Client side:
Microsoft CardSpace Bandit project:
Digitalme: http://code.bandit-project.org/trac/wiki/DigitalMe Azigo: http://www.simplysecure.biz/InfoCards.html Safari, Firefox Identity selectors
Server side (RP / IP): Geneva Project, .NET Higgins Project: http://www.eclipse.org/higgins/ Shibboleth: https://spaces.internet2.edu/display/SHIB/Information+Cards Sun OpenSSO: https://cardspaceauthn.dev.java.net/ SimpleSAMLphp (coming soon)
High Level Protocol DescriptionHigh Level Protocol Description
Identity Provider(IP)
Relying Party(RP)
ClientClient would like to access a resource
RP provides identity requirements: format, claims & issuer of security token
1
2
User
3 Client shows which of known IPs can satisfy requirements
User selects an IP4
5Request to IPSecurity Token Service for security token providing user credentials
6
IP generates security token based on RP’s requirementswith display token and proof of possession for user
7User views display token andapproves the release of token
8
Token is released to RP with proof of possession RP reads claims and allows access
Information Card Support in simpleSAMLphp
RP support as starting point: It can be seen as a new authentication module for ssp Using Information Cards instead of user/password or
whatever Support of Self-Issued and Managed Cards Make use of a modified version of Zend Infocard Library
Information Cards Support in simpleSAMLphp
Easy deployment: Get the module, drop in the modules folder and enable it
#mv default-disable default-enable Easy configuration:
Move config-template folder contents to ssp config folder Config-login-infocard.php
– Quite self-explanatory Config authsources.php:
$config=array( [..]'InfoCard' => array(
'InfoCard:ICAuth',),
);
Config-login-infocard.php$config = array (
'server_key' => '/etc/apache2/ssl/idp.key','server_crt' => '/etc/apache2/ssl/idp.crt','IClogo' => 'resources/infocard_114x80.png','InfoCard' => array(
'schema' => 'http://schemas.xmlsoap.org/ws/2005/05/identity','issuer' => 'https://sts/tokenservice.php','issuerPolicy' => '','privacyURL' => '','tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion','requiredClaims' => array(
'privatepersonalidentifier' => array('displayTag'=>"Id", 'description'=>"id"),'givenname' =>array('displayTag'=>"Given Name", 'description'=>"etc"),'surname' =>array('displayTag'=>"Surname", 'description'=>"apellidos"),'emailaddress' =>array('displayTag'=>"e-mail",'description'=>"E-mail address")
),'optionalClaims' => array(
'country' => array('displayTag'=>"country", 'description'=>”Country"),'webpage' => array('displayTag'=>"webpage", 'description'=>”Web page")
),),
);
Configuration explained
Control what will be required in the Information Card: Required claims Optional claims (that may be used) Image that will be shown in the web page Token type
Login Page<ic:informationCard xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" name='xmlToken' https://sts/tokenservice.php
<ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="false" />
<ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" optional="true" />
<ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage" optional="true" /></ic:informationCard>
<ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="false" /><ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="false" />
<ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" optional="false" />privacyVersion="">issuerPolicy="" tokenType="urn:oasis:names:tc:SAML:1.0:assertion"privacyUrl="”
issuer=
RP Open Issues
Issuer validation The Identity selector should check this Anyway, an allowed issuer certificate list may be necessary
New token types: At the moment, only SAML tokens are allowed (most
common use case) It could be easily extended to validate other type of tokens
IP/STS Support SimpleSAMLphp could issue Information Cards and tokens Based on carillon project:
http://www.carillon.ca/tools/demo-sts.php Beta state:
Tested with : Identity selectors: CardSpace, Digitalme, Azigo Browers: Safari, IE7, Firefox OS: Linux, Windows XP, Mac OS X
Supported Authentication methods: Currently only User/Password.
Supported token types: SAML tokens
IP/STS Support
It will be part of the InfoCard module: New directives in Infocard config file New endpoints defined in module www/ folder New libs added Files:
www/getinfocard.php: generates information card from configuration and data
www/tokenservice.php: generates tokens.
IP/STS
Open Issues (not technical): How do users get Information Cards? Where do we get profiles from? Where do we get claims from?
Authentication backend definition?
Wishlist? We do need feedback
Infocard Usage Authentication Secure OpenID: OpenID Information Cards
(https://openidcards.sxip.com/spec/openid-infocards.html) Self-issued cards as a replacement for user/password
authentication Plugin for wordpress: http://pamelaproject.com/pwwp/ Windows Live ID:http://dev.live.com/liveid/
Control of Information disclosure Easier management of digital identity