
Infocard and Eduroam


Presentation Transcript


  1. Infocard and Eduroam
  Enrique de la Hoz, Diego R. López, Antonio García, Samuel Muñoz

  2. Index
  • Introduction to Infocard
  • Infocard usage
  • uSSO using Infocard in eduroam
  • Questions

  3. Infocard
  • An artifact carrying a unique identifier, issued by an identity provider, that users can employ to visualise their digital relationship with that identity provider in user interfaces and to request security tokens with claims from it.
  • An Information Card is an XML document used as an artifact to obtain security tokens containing the values of the requested claims.
  • Token agnostic: OpenID, SAML 1.1, ...
  • Claims-based application model
  • Built upon the WS-* protocols

  4. Infocard support
  • Client side:
    • Microsoft CardSpace
    • Bandit project:
      • DigitalMe: http://code.bandit-project.org/trac/wiki/DigitalMe
      • Azigo: http://www.simplysecure.biz/InfoCards.html
    • Safari and Firefox identity selectors
  • Server side (RP / IP):
    • Geneva Project, .NET
    • Higgins Project: http://www.eclipse.org/higgins/
    • Shibboleth: https://spaces.internet2.edu/display/SHIB/Information+Cards
    • Sun OpenSSO: https://cardspaceauthn.dev.java.net/
    • SimpleSAMLphp (coming soon)
  • Information Card Foundation: http://informationcard.net/
  • Directory: http://www.informationcarddirectory.com/index.php/The_directory

  5. High Level Protocol Description
  Participants: User, Client (identity selector), Identity Provider (IP), Relying Party (RP).
  • 1 - Client would like to access a resource at the RP
  • 2 - RP provides its identity requirements: format, claims and issuer of the security token
  • 3 - Client shows which of the known IPs can satisfy the requirements
  • 4 - User selects an IP
  • 5 - Request to the IP's Security Token Service for a security token, providing the user's credentials
  • 6 - IP generates a security token based on the RP's requirements, with a display token and proof of possession for the user
  • 7 - User views the display token and approves the release of the token
  • 8 - Token is released to the RP with proof of possession; the RP reads the claims and allows access

  6. Infocard Architecture Elements
  • User app (usually a web browser, but not necessarily)
  • Identity Selector
  • Relying Party (RP): token consumer
  • IP/STS: token issuer and Infocard issuer

  7. Infocard Usage
  • Authentication
    • Secure OpenID: OpenID Information Cards (https://openidcards.sxip.com/spec/openid-infocards.html)
    • Self-issued cards as a replacement for user/password authentication
      • Plugin for WordPress: http://pamelaproject.com/pwwp/
      • Windows Live ID: http://dev.live.com/liveid/
  • Control of information disclosure
  • Easier management of digital identity

  8. ¿eduroam?
  • What!
  • Infocard as a key technology for uSSO.
  • We do have a working IdP
    • Either RADIUS or an IdP in eduGAIN
  • We could issue Infocards
  • We have claims-based apps
  • We could issue tokens containing those claims on request

  9. Architecture Description

  10. Step by step
  • 1 - RADIUS authentication request
  • 2 - RADIUS response
  • 3 - (Optional) Information Card retrieval
  • 4 - SP access
  • 5 - Redirection to home IdP
  • 6 - Infocard authentication (WS-*)
  • 7 - Access granted / rejected

  11. RADIUS (steps 1 and 2)
  • User is authenticated to RADIUS as usual.
  • Communication channel between RADIUS and the Infocard STS
  • Infocard STS generates an Information Card for the user
  • The Information Card itself could be contained in the RADIUS response (EAP-TLV), or the user could download the Information Card from a URI specified in an attribute of the RADIUS response (step 3, then)
  • What then?
    • The supplicant will be in charge of importing the received Information Card into the Information Card store
    • No sensitive information in the Information Card

  12. User Privacy
  • What about user privacy?
  • The Infocard does not contain any info about user attributes
  • Attribute disclosure is under strict control of the end user

  13. Service Provider Access
  • What for?
    • Service access -> Information Card model
  • Access to the SP, redirection to the home institution IdP
  • The IdP will act as an RP in the InfoCard architecture
    • https access
    • It will require an Information Card for access
    • Policy:
      • With a trusted issuer
      • Containing a certain set of attributes

  14. Information Card (step 6)
  • The STS will be located in the home domain of each user
  • The STS will issue a token containing the required attributes
    • It could be a signed SAML token.
    • If and only if the user is connected.
    • As soon as the user logs out, the STS will stop token issuance for him.
  • The IP/STS may or may not know who is requesting the attributes

  15. Step 6 Explained
  • How?
    • WS-Trust, WS-Security, WS-MetadataExchange, WS-SecurityPolicy
  • RP <-> STS communication
  • Information Card validation
    • User consent
    • User MUST be connected to eduroam
      • User not connected -> validation will fail
      • Back channel between RADIUS and the STS (the slide calls it a "covert channel"; it is a private RADIUS-to-STS presence check, not a covert channel in the information-flow sense)
  • SAML token issuance
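The following Python model walks through the generic Information Card exchange of slide 5 and the eduroam-specific gating of slides 11, 14 and 15 (card issued after the RADIUS Access-Accept, token issued only while the user is connected, only the requested claims released, RP checks issuer and signature). It is an added illustration, not code from the presentation or from any of the projects it lists. All names (RadiusPresence, HomeSTS, RelyingParty, the realm example.edu, the user "alice" and her attributes) are constructed for the example. Tokens are JSON signed with HMAC-SHA256 as a stand-in for a SAML 1.1 assertion with XML-DSig, so the RP holds the issuer's key where it would really hold the issuer's public certificate; proof of possession and the WS-Trust/WS-MetadataExchange messaging are omitted.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class InformationCard:
    """Card = identifier, issuer and what the STS can assert; no attribute values (slide 12)."""
    card_id: str
    issuer: str
    token_types: frozenset
    supported_claims: frozenset


@dataclass(frozen=True)
class RpPolicy:
    """Identity requirements published by the RP (slide 5 step 2, slide 13)."""
    trusted_issuers: frozenset
    token_type: str
    required_claims: frozenset


class RadiusPresence:
    """Assumed back channel from RADIUS to the STS: who currently holds an eduroam session."""

    def __init__(self):
        self._online = set()

    def access_accept(self, user):   # RADIUS Access-Accept (steps 1-2)
        self._online.add(user)

    def logout(self, user):          # session over: issuance must stop (slide 14)
        self._online.discard(user)

    def is_online(self, user):
        return user in self._online


class HomeSTS:
    """IP/STS in the user's home realm: issues a card at login and tokens on request."""

    def __init__(self, realm, key, presence, attributes):
        self.realm, self._key, self._presence = realm, key, presence
        self._attributes = attributes   # user -> {claim type: value} (constructed data)
        self._cards = {}                # card_id -> user

    def issue_card(self, user):
        """Step 3: card handed to the supplicant after a successful RADIUS authentication."""
        if not self._presence.is_online(user):
            raise PermissionError("no active eduroam session")
        card = InformationCard(f"urn:card:{self.realm}:{len(self._cards) + 1}", self.realm,
                               frozenset({"saml1.1"}), frozenset(self._attributes[user]))
        self._cards[card.card_id] = user
        return card

    def issue_token(self, card, policy):
        """Step 6: token only while the user is connected, carrying only the requested claims."""
        user = self._cards.get(card.card_id)
        if user is None:
            raise PermissionError("card not issued by this STS")
        if not self._presence.is_online(user):
            raise PermissionError("user is not connected to eduroam")
        if policy.token_type not in card.token_types or not policy.required_claims <= card.supported_claims:
            raise ValueError("card cannot satisfy the RP policy")
        body = json.dumps({"issuer": self.realm, "token_type": policy.token_type,
                           "claims": {c: self._attributes[user][c] for c in sorted(policy.required_claims)}},
                          sort_keys=True)
        # HMAC-SHA256 stands in for XML-DSig over the SAML assertion (simplification).
        return {"body": body, "sig": hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()}


def select_cards(card_store, policy):
    """Slide 5 step 3: the identity selector lists the cards that can satisfy the RP policy."""
    return [c for c in card_store
            if c.issuer in policy.trusted_issuers
            and policy.token_type in c.token_types
            and policy.required_claims <= c.supported_claims]


def display_token(token):
    """Slide 5 step 7: what the selector shows the user before asking for consent to release."""
    return json.loads(token["body"])["claims"]


class RelyingParty:
    """Token consumer; in the eduroam flow this is the home IdP acting as RP (slide 13)."""

    def __init__(self, policy, issuer_keys):
        self.policy, self._issuer_keys = policy, issuer_keys

    def consume(self, token):
        """Slide 5 step 8: check issuer, signature, token type and claims before granting access."""
        payload = json.loads(token["body"])
        key = self._issuer_keys.get(payload["issuer"])
        if payload["issuer"] not in self.policy.trusted_issuers or key is None:
            raise PermissionError("untrusted issuer")
        expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            raise PermissionError("signature check failed")
        if payload["token_type"] != self.policy.token_type or not self.policy.required_claims <= set(payload["claims"]):
            raise PermissionError("token does not meet policy")
        return payload["claims"]


def demo():
    """Run the flow once; returns (claims released to the RP, whether issuance stopped after logout)."""
    presence, key = RadiusPresence(), b"constructed-demo-key"
    sts = HomeSTS("example.edu", key, presence,
                  {"alice": {"eduPersonAffiliation": "student",
                             "eduPersonPrincipalName": "alice@example.edu",
                             "mail": "alice@mail.example"}})
    policy = RpPolicy(frozenset({"example.edu"}), "saml1.1",
                      frozenset({"eduPersonAffiliation", "eduPersonPrincipalName"}))
    rp = RelyingParty(policy, {"example.edu": key})
    presence.access_accept("alice")            # steps 1-2: RADIUS authentication
    store = [sts.issue_card("alice")]          # step 3: card imported into the card store
    card = select_cards(store, policy)[0]      # steps 4-5: SP access, redirect, card selection
    token = sts.issue_token(card, policy)      # step 6: STS issues the token
    assert "mail" not in display_token(token)  # only requested claims are shown and released
    claims = rp.consume(token)                 # step 7: access granted
    presence.logout("alice")
    try:
        sts.issue_token(card, policy)
        stopped = False
    except PermissionError:
        stopped = True
    return claims, stopped
```

Run `demo()` to see the released claims and confirm that the STS refuses to issue once the RADIUS session is gone; the RP side rejects tokens from issuers outside its policy and any token whose body has been altered after signing.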

  16. Requirements
  • How would this affect the existing infrastructure?
  • Minor changes
    • New RADIUS attributes: EAP TLV to exchange the Information Card
    • Minor modifications to the supplicant
    • IdP side: OpenSSO and Shibboleth support the InfoCard model
    • And simpleSAMLphp ;) (see you tomorrow!)

  17. Thank you • Questions/comments?

  18. Further Info • Contact me at: enrique.delahoz@uah.es
