1 / 21

Infocard support in simpleSAMLphp

Infocard support in simpleSAMLphp. Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz. Index. Information Card Model Status of the project RP Support IP/STS Support Future lines. Infocard.

Mercy
Télécharger la présentation

Infocard support in simpleSAMLphp

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Infocard support in simpleSAMLphp Enrique de la Hoz, Diego R. López, Antonio García, Samuel Muñoz

  2. Index • Information Card Model • Status of the project • RP Support • IP/STS Support • Future lines

  3. Infocard • Artifact with a unique identifier from an identity provider that users can employ to visualize their digital relationship with the identity provider in user interfaces and request security tokens with claims from the identity provider. • An Information Card is a XML document that can be used as an artifact to get security tokens containing the value of the requested claims • Token agnostic: • OpenID • SAML1.1 • Claims-based application • Build upon WS-* protocols

  4. Infocard support • Client side: • Microsoft CardSpace • Bandit project: • Digitalme: http://code.bandit-project.org/trac/wiki/DigitalMe • Azigo: http://www.simplysecure.biz/InfoCards.html • Safari, Firefox Identity selectors • Server side (RP / IP): • Geneva Project, .NET • Higgins Project: http://www.eclipse.org/higgins/ • Shibboleth: https://spaces.internet2.edu/display/SHIB/Information+Cards • Sun OpenSSO: https://cardspaceauthn.dev.java.net/ • SimpleSAMLphp (coming soon)

  5. High Level Protocol Description User User views display token and approves the release of token 7 Client 4 User selects an IP Client would like to access a resource 1 Request to IP Security Token Servicefor security token providing user credentials 3 Client shows which of known IPs can satisfy requirements 5 RP provides identity requirements: format, claims & issuer of security token 2 6 IP generates security token based on RP’s requirements with display token and proof of possession for user 8 Token is released to RP with proof of possession RP reads claims and allows access Identity Provider(IP) Relying Party(RP)

  6. Information Card Support in simpleSAMLphp • RP support as starting point: • It can be seen as a new authentication module for ssp • Using Information Cards instead of user/password or whatever • Support of Self-Issued and Managed Cards • Make use of a modified version of Zend Infocard Library

  7. Information Cards Support in simpleSAMLphp • Easy deployment: • Get the module, drop in the modules folder and enable it • #mv default-disable default-enable • Easy configuration: • Move config-template folder contents to ssp config folder • Config-login-infocard.php • Quite self-explanatory • Config authsources.php: $config=array( [..] 'InfoCard' => array( 'InfoCard:ICAuth', ), );

  8. Config-login-infocard.php $config = array ( 'server_key' => '/etc/apache2/ssl/idp.key', 'server_crt' => '/etc/apache2/ssl/idp.crt', 'IClogo' => 'resources/infocard_114x80.png', 'InfoCard' => array( 'schema' => 'http://schemas.xmlsoap.org/ws/2005/05/identity', 'issuer' => 'https://sts/tokenservice.php', 'issuerPolicy' => '', 'privacyURL' => '', 'tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion', 'requiredClaims' => array( 'privatepersonalidentifier' => array('displayTag'=>"Id", 'description'=>"id"), 'givenname' =>array('displayTag'=>"Given Name", 'description'=>"etc"), 'surname' =>array('displayTag'=>"Surname", 'description'=>"apellidos"), 'emailaddress' =>array('displayTag'=>"e-mail", 'description'=>"E-mail address") ), 'optionalClaims' => array( 'country' => array('displayTag'=>"country", 'description'=>”Country"), 'webpage' => array('displayTag'=>"webpage", 'description'=>”Web page") ), ), );

  9. Authsources.php 'InfoCard' => array( 'InfoCard:ICAuth', ),

  10. Configuration explained • Control what will be required in the Information Card: • Required claims • Optional claims (that may be used) • Image that will be shown in the web page • Token type

  11. Login Page <ic:informationCard xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity" name='xmlToken' issuer=https://sts/tokenservice.php issuerPolicy="" tokenType="urn:oasis:names:tc:SAML:1.0:assertion" privacyUrl="” privacyVersion=""> <ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" optional="false" /> <ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="false" /> <ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="false" /> <ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="false" /> <ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" optional="true" /> <ic:add claimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage" optional="true" /> </ic:informationCard>

  12. RP Open Issues • Issuer validation • The Identity selector should check this • Anyway, an allowed issuer certificate list may be necessary • New token types: • At the moment, only SAML tokens are allowed (most common use case) • It could be easily extended to validate other type of tokens

  13. RP Demo • Once the token is validated, claims are imported into the session. • We need some feedback

  14. IP/STS Support • SimpleSAMLphp could issue Information Cards and tokens • Based on carillon project: • http://www.carillon.ca/tools/demo-sts.php • Beta state: • Tested with : • Identity selectors: CardSpace, Digitalme, Azigo • Browers: Safari, IE7, Firefox • OS: Linux, Windows XP, Mac OS X • Supported Authentication methods: • Currently only User/Password. • Supported token types: • SAML tokens

  15. IP/STS Support • It will be part of the InfoCard module: • New directives in Infocard config file • New endpoints defined in module www/ folder • New libs added • Files: • www/getinfocard.php: generates information card from configuration and data • www/tokenservice.php: generates tokens.

  16. IP/STS • Open Issues (not technical): • How do users get Information Cards? • Where do we get profiles from? • Where do we get claims from? • Authentication backend definition? • Wishlist? • We do need feedback

  17. Current status • RP part already in svn trunk. • IP/STS ready for experimental use.

  18. Infocard Usage • Authentication • Secure OpenID: OpenID Information Cards (https://openidcards.sxip.com/spec/openid-infocards.html) • Self-issued cards as a replacement for user/password authentication • Plugin for wordpress: http://pamelaproject.com/pwwp/ • Windows Live ID:http://dev.live.com/liveid/ • Control of Information disclosure • Easier management of digital identity

  19. Thank you • Questions/comments?

  20. Further Info • Contact me at: enrique.delahoz@uah.es

More Related