
Infocard support in simpleSAMLphp

Enrique de la Hoz, Diego R. López, Antonio García, Samuel Muñoz

Index
  • Information Card Model
  • Status of the project
    • RP Support
    • IP/STS Support
  • Future lines
Infocard
  • Artifact with a unique identifier from an identity provider that users can employ to visualize their digital relationship with the identity provider in user interfaces and to request security tokens with claims from that identity provider.
  • An Information Card is an XML document that can be used as an artifact to obtain security tokens containing the values of the requested claims.
  • Token agnostic, e.g.:
    • OpenID
    • SAML 1.1
  • Claims-based application model
  • Built upon WS-* protocols (WS-Trust for the token request/response)
Infocard support
  • Client side:
    • Microsoft CardSpace
    • Bandit project:
      • Digitalme: http://code.bandit-project.org/trac/wiki/DigitalMe
    • Azigo: http://www.simplysecure.biz/InfoCards.html
    • Safari, Firefox Identity selectors
  • Server side (RP / IP):
    • Geneva Project, .NET
    • Higgins Project: http://www.eclipse.org/higgins/
    • Shibboleth: https://spaces.internet2.edu/display/SHIB/Information+Cards
    • Sun OpenSSO: https://cardspaceauthn.dev.java.net/
    • SimpleSAMLphp (coming soon)
High Level Protocol Description

Actors: User, Client (identity selector), Relying Party (RP), Identity Provider (IP) running a Security Token Service (STS).

  • 1. Client would like to access a resource at the RP.
  • 2. RP provides identity requirements: format, claims and issuer of the security token.
  • 3. Client shows which of the known IPs can satisfy the requirements.
  • 4. User selects an IP.
  • 5. Request to the IP's Security Token Service for a security token, providing user credentials.
  • 6. IP generates a security token based on the RP's requirements, with a display token and proof of possession for the user.
  • 7. User views the display token and approves the release of the token.
  • 8. Token is released to the RP with proof of possession; the RP reads the claims and allows access.

Information Card Support in simpleSAMLphp
  • RP support as the starting point:
    • It can be seen as a new authentication module for ssp
    • Using Information Cards instead of user/password or other credentials
    • Support for Self-Issued and Managed Cards
    • Makes use of a modified version of the Zend InfoCard library
Information Cards Support in simpleSAMLphp
  • Easy deployment:
    • Get the module, drop it in the modules folder and enable it:
      • # mv default-disable default-enable
    • Easy configuration:
      • Move the config-template folder contents to the ssp config folder
      • config-login-infocard.php
        • Quite self-explanatory
      • config/authsources.php:

        $config = array(
            // [..] other authentication sources
            'InfoCard' => array(
                'InfoCard:ICAuth',
            ),
        );


Config-login-infocard.php

<?php
$config = array(
    // Private key and certificate of this RP's HTTPS server; the identity
    // selector encrypts the token to this certificate and the module decrypts
    // it with the key.
    'server_key' => '/etc/apache2/ssl/idp.key',
    'server_crt' => '/etc/apache2/ssl/idp.crt',
    // Image shown on the login page to trigger the identity selector
    'IClogo' => 'resources/infocard_114x80.png',
    'InfoCard' => array(
        'schema' => 'http://schemas.xmlsoap.org/ws/2005/05/identity',
        'issuer' => 'https://sts/tokenservice.php',
        'issuerPolicy' => '',
        'privacyURL' => '',
        'tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion',
        // Claims the token must carry (optional="false" in the card request)
        'requiredClaims' => array(
            'privatepersonalidentifier' => array('displayTag' => "Id", 'description' => "id"),
            'givenname' => array('displayTag' => "Given Name", 'description' => "etc"),
            'surname' => array('displayTag' => "Surname", 'description' => "Surname"),
            'emailaddress' => array('displayTag' => "e-mail", 'description' => "E-mail address"),
        ),
        // Claims the user may release (optional="true" in the card request)
        'optionalClaims' => array(
            'country' => array('displayTag' => "country", 'description' => "Country"),
            'webpage' => array('displayTag' => "webpage", 'description' => "Web page"),
        ),
    ),
);


Authsources.php

    'InfoCard' => array(
        'InfoCard:ICAuth',
    ),


Configuration explained
  • Control what will be required in the Information Card:
    • Required claims
    • Optional claims (that may be used)
    • Image that will be shown in the web page
    • Token type
Login Page

<ic:informationCard xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
    name="xmlToken"
    issuer="https://sts/tokenservice.php"
    issuerPolicy=""
    tokenType="urn:oasis:names:tc:SAML:1.0:assertion"
    privacyUrl=""
    privacyVersion="">
  <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" optional="false" />
  <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="false" />
  <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="false" />
  <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="false" />
  <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" optional="true" />
  <ic:add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage" optional="true" />
</ic:informationCard>

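The markup above is what the login page renders from the 'InfoCard' section of config-login-infocard.php. As an added example (not the module's own code), the following PHP builds that element from the same configuration array through the DOM API, so every attribute value is quoted and escaped regardless of what the configuration contains; the function name, the IC_NS constant and the sample array are assumptions made for the example:

```php
<?php
// Added example (not part of the simpleSAMLphp InfoCard module): render the
// <ic:informationCard> element of the login page from the 'InfoCard' section of
// config-login-infocard.php. Function and constant names are assumptions.

const IC_NS = 'http://schemas.xmlsoap.org/ws/2005/05/identity';

function buildInformationCardMarkup(array $ic): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $doc->formatOutput = true;

    $card = $doc->createElementNS(IC_NS, 'ic:informationCard');
    // 'xmlToken' is the form field the identity selector posts the token under.
    $card->setAttribute('name', 'xmlToken');
    // DOM attributes are always quoted and escaped on serialization, so a stray
    // quote or '>' in a configured value cannot break out of the element.
    $card->setAttribute('issuer', $ic['issuer']);
    $card->setAttribute('issuerPolicy', $ic['issuerPolicy'] ?? '');
    $card->setAttribute('tokenType', $ic['tokenType']);
    $card->setAttribute('privacyUrl', $ic['privacyURL'] ?? '');
    $card->setAttribute('privacyVersion', $ic['privacyVersion'] ?? '');
    $doc->appendChild($card);

    // Claim URIs are the configured schema plus '/claims/' plus the short name;
    // required claims become optional="false", optional ones optional="true".
    $claimBase = rtrim($ic['schema'], '/') . '/claims/';
    foreach (['requiredClaims' => 'false', 'optionalClaims' => 'true'] as $key => $optional) {
        foreach (array_keys($ic[$key] ?? []) as $shortName) {
            $add = $doc->createElementNS(IC_NS, 'ic:add');
            $add->setAttribute('claimType', $claimBase . $shortName);
            $add->setAttribute('optional', $optional);
            $card->appendChild($add);
        }
    }

    return $doc->saveXML($card);
}

// Constructed sample mirroring the page's config-login-infocard.php.
$sample = array(
    'schema' => IC_NS,
    'issuer' => 'https://sts/tokenservice.php',
    'issuerPolicy' => '',
    'privacyURL' => '',
    'tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion',
    'requiredClaims' => array(
        'privatepersonalidentifier' => array('displayTag' => 'Id', 'description' => 'id'),
        'givenname' => array('displayTag' => 'Given Name', 'description' => 'Given name'),
        'surname' => array('displayTag' => 'Surname', 'description' => 'Surname'),
        'emailaddress' => array('displayTag' => 'e-mail', 'description' => 'E-mail address'),
    ),
    'optionalClaims' => array(
        'country' => array('displayTag' => 'country', 'description' => 'Country'),
        'webpage' => array('displayTag' => 'webpage', 'description' => 'Web page'),
    ),
);

echo buildInformationCardMarkup($sample), PHP_EOL;
```

Only the claim short names from requiredClaims and optionalClaims reach the markup; displayTag and description are for the RP's own login page, not for the selector.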

RP Open Issues
  • Issuer validation
    • The identity selector should check this on the client side
    • Anyway, the RP cannot rely on the client for it: an allowed-issuer certificate list, checked against the certificate that signed the token, may be necessary
  • New token types:
    • At the moment, only SAML tokens are allowed (the most common use case)
    • Validation could easily be extended to other token types
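The checks an RP should still run on a decrypted SAML 1.1 token once the library layer has verified its XML signature, as an added example that is not the module's or the Zend library's code: the Issuer must be on an allow-list, the signing certificate carried in the token's KeyInfo must match the fingerprint pinned for that issuer, the validity window and audience must hold, and the configured required claims must be present. The function name, the policy array layout, the throwaway self-signed certificate and the sample assertion are all constructed for the example:

```php
<?php
// Added example (not the module's or Zend_InfoCard's code): RP-side checks on a
// decrypted SAML 1.1 token after its XML signature has been verified. Function
// name, policy layout and the constructed sample below are assumptions.
const SAML1_NS = 'urn:oasis:names:tc:SAML:1.0:assertion';
const DS_NS    = 'http://www.w3.org/2000/09/xmldsig#';

function validateInfoCardToken(string $xml, array $policy, int $now): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: no network fetches; LIBXML_NOENT is deliberately absent so
    // entities are not expanded; a client-supplied token with a DTD is rejected.
    if ($doc->loadXML($xml, LIBXML_NONET) === false || $doc->doctype !== null) {
        throw new RuntimeException('token is not well-formed XML or carries a DTD');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('saml', SAML1_NS);
    $xp->registerNamespace('ds', DS_NS);
    $a = $doc->documentElement;
    if ($a->namespaceURI !== SAML1_NS || $a->localName !== 'Assertion'
        || $a->getAttribute('MajorVersion') !== '1' || $a->getAttribute('MinorVersion') !== '1') {
        throw new RuntimeException('only SAML 1.1 assertions are accepted');
    }
    // 1. Issuer allow-list, then pin the certificate in KeyInfo to the SHA-256
    //    fingerprint configured for that issuer: the selector may check the
    //    issuer on the client, but the RP cannot rely on it.
    $issuer = $a->getAttribute('Issuer');
    if (!isset($policy['issuers'][$issuer])) {
        throw new RuntimeException("issuer not allowed: $issuer");
    }
    $certNode = $xp->query('/saml:Assertion/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate')->item(0);
    $der = $certNode ? base64_decode(preg_replace('/\s+/', '', $certNode->textContent), true) : false;
    if ($der === false || !hash_equals($policy['issuers'][$issuer], hash('sha256', $der))) {
        throw new RuntimeException('signing certificate does not match the pinned certificate');
    }
    // 2. Validity window with a small clock-skew allowance.
    $cond = $xp->query('/saml:Assertion/saml:Conditions')->item(0);
    $nb = $cond ? strtotime($cond->getAttribute('NotBefore')) : false;
    $na = $cond ? strtotime($cond->getAttribute('NotOnOrAfter')) : false;
    $skew = $policy['skew'] ?? 60;
    if ($nb === false || $na === false || $now + $skew < $nb || $now - $skew >= $na) {
        throw new RuntimeException('token outside its validity window');
    }
    // 3. If the issuer scoped the token to an audience, it must be this RP.
    $audiences = [];
    foreach ($xp->query('saml:AudienceRestrictionCondition/saml:Audience', $cond) as $aud) {
        $audiences[] = trim($aud->textContent);
    }
    if ($audiences && !in_array($policy['audience'], $audiences, true)) {
        throw new RuntimeException('token was issued for a different relying party');
    }
    // 4. Collect claims as full URIs (AttributeNamespace + '/' + AttributeName)
    //    and enforce the required ones before anything is imported into the session.
    $claims = [];
    foreach ($xp->query('/saml:Assertion/saml:AttributeStatement/saml:Attribute') as $attr) {
        $uri = rtrim($attr->getAttribute('AttributeNamespace'), '/') . '/' . $attr->getAttribute('AttributeName');
        foreach ($xp->query('saml:AttributeValue', $attr) as $v) {
            $claims[$uri][] = $v->textContent;
        }
    }
    foreach ($policy['requiredClaims'] as $uri) {
        if (empty($claims[$uri])) {
            throw new RuntimeException("required claim missing: $uri");
        }
    }
    return $claims;
}

// Constructed sample: a throwaway self-signed certificate stands in for the STS
// signing certificate; the ds:Signature element is present only for its KeyInfo.
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$cert = openssl_csr_sign(openssl_csr_new(['commonName' => 'sts'], $key), null, $key, 1);
openssl_x509_export($cert, $pem);
$certB64 = preg_replace('/-----[^-]+-----|\s+/', '', $pem);
$now = time();
$ts = fn(int $t) => gmdate('Y-m-d\TH:i:s\Z', $t);
$claimNs = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims';
$token = sprintf('<saml:Assertion xmlns:saml="%1$s" xmlns:ds="%2$s" MajorVersion="1" MinorVersion="1"
    AssertionID="uuid-1" Issuer="https://sts/tokenservice.php" IssueInstant="%3$s">
  <saml:Conditions NotBefore="%4$s" NotOnOrAfter="%5$s">
    <saml:AudienceRestrictionCondition><saml:Audience>https://rp.example/</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="%6$s"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="%6$s"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue/><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%7$s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion>', SAML1_NS, DS_NS, $ts($now), $ts($now - 30), $ts($now + 300), $claimNs, $certB64);

$policy = [
    'audience'       => 'https://rp.example/',
    'issuers'        => ['https://sts/tokenservice.php' => openssl_x509_fingerprint($cert, 'sha256')],
    'requiredClaims' => ["$claimNs/givenname", "$claimNs/emailaddress"],
];
print_r(validateInfoCardToken($token, $policy, $now));
```

A token from an issuer that is not pinned, one signed with a different certificate, or one replayed after NotOnOrAfter throws instead of yielding claims; extending the module to other token types means adding a parser that produces the same issuer, certificate, conditions and claims for the checks above.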
RP Demo
  • Once the token is validated, claims are imported into the session.
  • We need some feedback
IP/STS Support
  • SimpleSAMLphp could issue Information Cards and tokens
  • Based on carillon project:
    • http://www.carillon.ca/tools/demo-sts.php
  • Beta state:
    • Tested with :
      • Identity selectors: CardSpace, Digitalme, Azigo
      • Browsers: Safari, IE7, Firefox
      • OS: Linux, Windows XP, Mac OS X
  • Supported Authentication methods:
    • Currently only User/Password.
  • Supported token types:
    • SAML tokens
IP/STS Support
  • It will be part of the InfoCard module:
    • New directives in Infocard config file
    • New endpoints defined in module www/ folder
    • New libs added
    • Files:
      • www/getinfocard.php: generates information card from configuration and data
      • www/tokenservice.php: generates tokens.
IP/STS
  • Open Issues (not technical):
    • How do users get Information Cards?
    • Where do we get profiles from?
    • Where do we get claims from?
      • Authentication backend definition?
  • Wishlist?
  • We do need feedback
Current status
  • RP part already in svn trunk.
  • IP/STS ready for experimental use.
Infocard Usage
  • Authentication
  • Secure OpenID: OpenID Information Cards (https://openidcards.sxip.com/spec/openid-infocards.html)
  • Self-issued cards as a replacement for user/password authentication
    • Plugin for wordpress: http://pamelaproject.com/pwwp/
    • Windows Live ID:http://dev.live.com/liveid/
  • Control of Information disclosure
  • Easier management of digital identity
Thank you
  • Questions/comments?
Further Info
  • Contact me at:

enrique.delahoz@uah.es