Infocard support in simpleSAMLphp

Enrique de la Hoz, Diego R. López, Antonio García, Samuel Muñoz

Post on 18-Dec-2015


Index

- Information Card Model
- Status of the project
  - RP Support
  - IP/STS Support
- Future lines

Infocard

An artifact with a unique identifier from an identity provider that users can employ to visualize their digital relationship with the identity provider in user interfaces and to request security tokens with claims from the identity provider.

An Information Card is an XML document that can be used as an artifact to get security tokens containing the values of the requested claims.

- Token agnostic: OpenID, SAML 1.1
- Claims-based application
- Built upon WS-* protocols

Infocard support

Client side:
- Microsoft CardSpace
- Bandit project: DigitalMe: http://code.bandit-project.org/trac/wiki/DigitalMe
- Azigo: http://www.simplysecure.biz/InfoCards.html
- Safari, Firefox identity selectors

Server side (RP / IP):
- Geneva Project, .NET
- Higgins Project: http://www.eclipse.org/higgins/
- Shibboleth: https://spaces.internet2.edu/display/SHIB/Information+Cards
- Sun OpenSSO: https://cardspaceauthn.dev.java.net/
- simpleSAMLphp (coming soon)

High Level Protocol Description

Parties in the diagram: User, Client (identity selector), Relying Party (RP), Identity Provider (IP).

1. Client would like to access a resource.
2. RP provides identity requirements: format, claims and issuer of the security token.
3. Client shows which of the known IPs can satisfy the requirements.
4. User selects an IP.
5. Request to the IP Security Token Service for a security token, providing user credentials.
6. IP generates a security token based on the RP's requirements, with a display token and proof of possession for the user.
7. User views the display token and approves the release of the token.
8. Token is released to the RP with proof of possession; the RP reads the claims and allows access.

Information Card Support in simpleSAMLphp

RP support as starting point:
- It can be seen as a new authentication module for ssp, using Information Cards instead of user/password or whatever
- Support of Self-Issued and Managed Cards
- Makes use of a modified version of the Zend InfoCard library

Information Cards Support in simpleSAMLphp

Easy deployment: get the module, drop it in the modules folder and enable it:

    # mv default-disable default-enable

Easy configuration:
- Move the config-template folder contents to the ssp config folder
- config-login-infocard.php: quite self-explanatory
- Config authsources.php:

    $config = array(
        [..]
        'InfoCard' => array(
            'InfoCard:ICAuth',
        ),
    );

config-login-infocard.php:

    $config = array(
        'server_key' => '/etc/apache2/ssl/idp.key',
        'server_crt' => '/etc/apache2/ssl/idp.crt',
        'IClogo'     => 'resources/infocard_114x80.png',
        'InfoCard'   => array(
            'schema'         => 'http://schemas.xmlsoap.org/ws/2005/05/identity',
            'issuer'         => 'https://sts/tokenservice.php',
            'issuerPolicy'   => '',
            'privacyURL'     => '',
            'tokenType'      => 'urn:oasis:names:tc:SAML:1.0:assertion',
            'requiredClaims' => array(
                'privatepersonalidentifier' => array('displayTag' => "Id", 'description' => "id"),
                'givenname'    => array('displayTag' => "Given Name", 'description' => "etc"),
                'surname'      => array('displayTag' => "Surname", 'description' => "apellidos"),
                'emailaddress' => array('displayTag' => "e-mail", 'description' => "E-mail address"),
            ),
            'optionalClaims' => array(
                'country' => array('displayTag' => "country", 'description' => "Country"),
                'webpage' => array('displayTag' => "webpage", 'description' => "Web page"),
            ),
        ),
    );

authsources.php:

    'InfoCard' => array(
        'InfoCard:ICAuth',
    ),

Configuration explained

Control what will be required in the Information Card:
- Required claims
- Optional claims (that may be used)
- Image that will be shown in the web page
- Token type

Login Page

    <ic:informationCard xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
        name="xmlToken"
        issuer="https://sts/tokenservice.php"
        issuerPolicy=""
        tokenType="urn:oasis:names:tc:SAML:1.0:assertion"
        privacyUrl=""
        privacyVersion="">
      <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" optional="false" />
      <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="false" />
      <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="false" />
      <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="false" />
      <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" optional="true" />
      <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage" optional="true" />
    </ic:informationCard>
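How the login-page element follows from the configuration, as an added example that is not code from the simpleSAMLphp InfoCard module: the function below (its name is hypothetical) renders the ic:informationCard element from the 'InfoCard' array of config-login-infocard.php, escaping every configured value before it lands in an attribute and emitting one ic:add per required and optional claim, required ones with optional="false".

```php
<?php
// Added example (not code from the simpleSAMLphp InfoCard module): render the
// <ic:informationCard> element of the login page from the 'InfoCard' array
// in config-login-infocard.php. The function name is hypothetical.

function build_infocard_element(array $ic, string $fieldName = 'xmlToken'): string
{
    // Every attribute value comes from configuration; escape it so a quote
    // or angle bracket in e.g. issuerPolicy cannot break out of the element.
    $esc = function (string $v): string {
        return htmlspecialchars($v, ENT_QUOTES | ENT_XML1, 'UTF-8');
    };

    $attrs = array(
        'xmlns:ic'       => 'http://schemas.xmlsoap.org/ws/2005/05/identity',
        'name'           => $fieldName,                 // form field that will carry the token
        'issuer'         => $ic['issuer'],
        'issuerPolicy'   => $ic['issuerPolicy'] ?? '',
        'tokenType'      => $ic['tokenType'],
        'privacyUrl'     => $ic['privacyURL'] ?? '',    // config key is spelled privacyURL
        'privacyVersion' => $ic['privacyVersion'] ?? '',
    );
    $out = '<ic:informationCard';
    foreach ($attrs as $name => $value) {
        $out .= sprintf(' %s="%s"', $name, $esc($value));
    }
    $out .= ">\n";

    // A claim type is the schema URI plus /claims/<name>. Required claims are
    // emitted with optional="false", optional ones with optional="true".
    $schema = rtrim($ic['schema'], '/');
    $groups = array('requiredClaims' => 'false', 'optionalClaims' => 'true');
    foreach ($groups as $key => $optional) {
        foreach (array_keys($ic[$key] ?? array()) as $claim) {
            $out .= sprintf("  <ic:add claimType=\"%s\" optional=\"%s\" />\n",
                $esc($schema . '/claims/' . $claim), $optional);
        }
    }
    return $out . "</ic:informationCard>\n";
}

// The values below are the ones shown in the slides' config-login-infocard.php.
$infoCard = array(
    'schema'         => 'http://schemas.xmlsoap.org/ws/2005/05/identity',
    'issuer'         => 'https://sts/tokenservice.php',
    'issuerPolicy'   => '',
    'privacyURL'     => '',
    'tokenType'      => 'urn:oasis:names:tc:SAML:1.0:assertion',
    'requiredClaims' => array(
        'privatepersonalidentifier' => array('displayTag' => 'Id', 'description' => 'id'),
        'givenname'    => array('displayTag' => 'Given Name', 'description' => 'etc'),
        'surname'      => array('displayTag' => 'Surname', 'description' => 'apellidos'),
        'emailaddress' => array('displayTag' => 'e-mail', 'description' => 'E-mail address'),
    ),
    'optionalClaims' => array(
        'country' => array('displayTag' => 'country', 'description' => 'Country'),
        'webpage' => array('displayTag' => 'webpage', 'description' => 'Web page'),
    ),
);

// Embed the result inside the login <form>; once the user picks a card, the
// identity selector posts the issued token in the field named above (xmlToken).
echo build_infocard_element($infoCard);
```

The output is the Login Page element with the six ic:add lines, required claims first. Escaping the attribute values matters because every one of them is operator-supplied configuration that is copied verbatim into markup served to the browser.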

RP Open Issues

Issuer validation:
- The identity selector should check this
- Anyway, an allowed issuer certificate list may be necessary

New token types:
- At the moment, only SAML tokens are allowed (the most common use case)
- It could easily be extended to validate other types of tokens

RP Demo

Once the token is validated, claims are imported into the session.
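The step between "token validated" and "claims imported into the session", together with the issuer validation raised under RP Open Issues, as an added example that is not the module's own code. It assumes the XML signature on the SAML 1.1 token has already been verified by the modified Zend InfoCard library the module relies on, and shows what the RP should still do itself: compare the assertion's Issuer with an explicit allowlist held by the RP instead of trusting the identity selector to check it, enforce the assertion's validity window, and refuse a token that lacks any required claim. The function name, the sample assertion and the allowlist are constructed for the example.

```php
<?php
// Added example, not code from the simpleSAMLphp InfoCard module. Assumes the
// token's XML signature was already verified; this covers what comes after:
// issuer allowlist, validity window, and required-claim check, then the
// attribute array an ssp authentication source would hand on. Function name,
// sample token and allowlist are constructed.

const IC_CLAIMS_NS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims';
const SAML1_NS     = 'urn:oasis:names:tc:SAML:1.0:assertion';

function extract_claims(string $assertionXml, array $allowedIssuers,
                        array $requiredClaims, ?int $now = null): array
{
    $now = $now ?? time();
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch anything over the network while parsing a token.
    if (!$doc->loadXML($assertionXml, LIBXML_NONET)) {
        throw new RuntimeException('Token is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('saml', SAML1_NS);

    $assertion = $xp->query('/saml:Assertion')->item(0);
    if ($assertion === null) {
        throw new RuntimeException('No SAML 1.x Assertion in token');
    }

    // 1. Issuer allowlist: exact match against the STS URLs the RP trusts.
    $issuer = $assertion->getAttribute('Issuer');
    if (!in_array($issuer, $allowedIssuers, true)) {
        throw new RuntimeException('Issuer not allowed: ' . $issuer);
    }

    // 2. Validity window from <saml:Conditions>, if the issuer set one.
    $cond = $xp->query('saml:Conditions', $assertion)->item(0);
    if ($cond !== null) {
        $notBefore    = strtotime($cond->getAttribute('NotBefore'));
        $notOnOrAfter = strtotime($cond->getAttribute('NotOnOrAfter'));
        if (($notBefore !== false && $now < $notBefore)
            || ($notOnOrAfter !== false && $now >= $notOnOrAfter)) {
            throw new RuntimeException('Token outside its validity window');
        }
    }

    // 3. Collect claims: only attributes in the InfoCard claims namespace count.
    $claims = array();
    foreach ($xp->query('saml:AttributeStatement/saml:Attribute', $assertion) as $attr) {
        if ($attr->getAttribute('AttributeNamespace') !== IC_CLAIMS_NS) {
            continue;
        }
        $name = $attr->getAttribute('AttributeName');
        foreach ($xp->query('saml:AttributeValue', $attr) as $value) {
            $claims[$name][] = trim($value->textContent);
        }
    }

    // 4. Every required claim must be present; optional ones may be missing.
    $missing = array_diff($requiredClaims, array_keys($claims));
    if ($missing !== array()) {
        throw new RuntimeException('Missing required claims: ' . implode(', ', $missing));
    }
    return $claims;
}

// Constructed sample assertion (unsigned here; signature verification is assumed done).
$sampleToken = <<<'XML'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="uuid-constructed-sample"
    Issuer="https://sts/tokenservice.php" IssueInstant="2009-05-01T10:00:00Z">
  <saml:Conditions NotBefore="2009-05-01T10:00:00Z" NotOnOrAfter="2009-05-01T10:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>ppid-constructed</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="privatepersonalidentifier"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>ppid-constructed</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="givenname"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>jane@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
XML;

$claims = extract_claims(
    $sampleToken,
    array('https://sts/tokenservice.php'),                                      // allowlist (constructed)
    array('privatepersonalidentifier', 'givenname', 'surname', 'emailaddress'), // requiredClaims keys
    strtotime('2009-05-01T10:02:00Z')                                           // fixed "now" for the sample
);
// A simpleSAMLphp authentication source passes attributes on as $state['Attributes'];
// each claim becomes one attribute whose value is an array.
$state = array('Attributes' => $claims);
print_r($state['Attributes']);
```

Changing the allowlist to another URL, moving the fixed time outside the five-minute window, or deleting one of the required ic:add claims from the sample makes the call throw, which is the behaviour an RP wants before anything reaches the session. The certificate list suggested on the slides would sit in the signature step this example leaves to the library: pin the accepted signing certificates there, and keep the Issuer string check here as the second, independent condition.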

We need some feedback

IP/STS Support

SimpleSAMLphp could issue Information Cards and tokens. Based on the Carillon project: http://www.carillon.ca/tools/demo-sts.php

Beta state, tested with:
- Identity selectors: CardSpace, DigitalMe, Azigo
- Browsers: Safari, IE7, Firefox
- OS: Linux, Windows XP, Mac OS X

Supported authentication methods: currently only user/password.

Supported token types: SAML tokens.

IP/STS Support

It will be part of the InfoCard module:
- New directives in the InfoCard config file
- New endpoints defined in the module www/ folder
- New libs added

Files:
- www/getinfocard.php: generates the Information Card from configuration and data
- www/tokenservice.php: generates tokens

IP/STS

Open issues (not technical):
- How do users get Information Cards?
- Where do we get profiles from?
- Where do we get claims from?
- Authentication backend definition?
- Wishlist?

We do need feedback

Current status

RP part already in svn trunk. IP/STS ready for experimental use.

Infocard Usage

Authentication:
- Secure OpenID: OpenID Information Cards (https://openidcards.sxip.com/spec/openid-infocards.html)
- Self-issued cards as a replacement for user/password authentication
- Plugin for WordPress: http://pamelaproject.com/pwwp/
- Windows Live ID: http://dev.live.com/liveid/

Control of information disclosure

Easier management of digital identity

Thank you

Questions/comments?

Further Info

Contact me at: [email protected]