Infocard and Eduroam
Enrique de la Hoz, Diego R. López, Antonio García, Samuel Muñoz
Index
- Introduction to Infocard
- Infocard usage
- uSSO using Infocard in eduroam
- Questions
Infocard
- Artifact with a unique identifier from an identity provider that users can employ to visualize their digital relationship with that identity provider in user interfaces and to request security tokens with claims from it.
- An Information Card is an XML document that can be used as an artifact to obtain security tokens containing the values of the requested claims.
- Token agnostic: OpenID, SAML 1.1
- Claims-based applications
- Built upon WS-* protocols
Infocard support
- Client side:
  - Microsoft CardSpace
  - Bandit project, Digitalme: http://code.bandit-project.org/trac/wiki/digitalme
  - Azigo: http://www.simplysecure.biz/infocards.html
  - Safari and Firefox identity selectors
- Server side (RP / IP):
  - Geneva Project (.NET)
  - Higgins Project: http://www.eclipse.org/higgins/
  - Shibboleth: https://spaces.internet2.edu/display/shib/information+cards
  - Sun OpenSSO: https://cardspaceauthn.dev.java.net/
  - SimpleSAMLphp (coming soon)
[Diagram: token encryption between Identity Selector, Identity Provider and Relying Party]
- Identity Selector -> Identity Provider: request security token (token requirements; generate message)
- Identity Provider: generate a response message
  - RP's key known: encrypt token with RP's key
  - RP's key is not known to IP: token is not encrypted to the RP; encrypt to the client
- Identity Selector: decrypt; response security token passed on to the Relying Party
[Diagram: WS-* Metasystem Protocol between Client Application, Identity Selector, Relying Party and Identity Provider]
1. Client Application -> Relying Party: WS-MEX GetMetadata Request
2. Relying Party -> Client Application: WS-MEX GetMetadata Response (WS-SecurityPolicy)
3. Client Application -> Identity Selector: GetToken(RP Policy)
4. Identity Selector: select identity (identity needs credentials)
5. Identity Selector -> Identity Provider: WS-MEX GetMetadata Request
6. Identity Provider -> Identity Selector: WS-MEX GetMetadata Response
7. Identity Selector -> Identity Provider: WS-Trust RST Request (user credentials)
8. Identity Provider -> Identity Selector: WS-Trust RSTR Response (security token)
9. Identity Selector -> Client Application: return security token
10. Client Application -> Relying Party: access resource with security token (WS-Security)
Infocard Architecture Elements
- User app (usually a web browser, but not necessarily)
- Identity Selector
- Relying Party (RP): token consumer
- IP/STS: token issuer and Infocard issuer
Infocard Usage
- Authentication
  - Secure OpenID: OpenID Information Cards (https://openidcards.sxip.com/spec/openid-infocards.html)
  - Self-issued cards as a replacement for user/password authentication
  - Plugin for WordPress: http://pamelaproject.com/pwwp/
  - Windows Live ID: http://dev.live.com/liveid/
- Control of information disclosure
- Easier management of digital identity
eduroam? What!
- Infocard as a key technology for uSSO
- We do have working IdPs: either RADIUS or an IdP in eduGAIN
- We could issue Infocards
- We have claims-based apps
- We could issue tokens containing those claims on request
Architecture Description
Step by step
1. RADIUS Authentication Request
2. RADIUS Response
3. (Optional) Information Card retrieval
4. SP Access
5. Redirection to Home IdP
6. Infocard Authentication (WS-*)
7. Access granted / rejected
RADIUS (steps 1 and 2)
- User is authenticated to RADIUS as usual
- Communication channel between RADIUS and the Infocard STS
- The Infocard STS generates an Information Card for the user
- The Information Card itself could be contained in the RADIUS response (EAP-TLV), or the user could download the Information Card from a URI specified in an attribute of the RADIUS response (step 3, then)
- What then? The supplicant will be in charge of importing the received Information Card into the Information Card store
- No sensitive information in the Information Card
User Privacy
- What about user privacy?
- The Infocard does not contain any information about user attributes
- Attribute disclosure is under strict control of the end user
Service Provider Access
- What for? Service access -> Information Card model
- Access to the SP, redirection to the home institution IdP
- The IdP will act as an RP in the InfoCard architecture
  - https access
  - It will require an Information Card for access
  - Policy:
    - With a trusted issuer
    - Containing a certain set of attributes
Information Card (step 6)
- The STS will be located in the home domain of each user
- The STS will issue a token containing the required attributes; it could be a signed SAML token
- If and only if the user is connected: as soon as the user logs out, the STS will stop token issuance for him
- The IP/STS may or may not know who is requesting the attributes
Step 6 Explained
- How? WS-Trust, WS-Security, WS-MetadataExchange, WS-SecurityPolicy
- RP <-> STS communication
- Information Card validation
- User consent
- User MUST be connected to eduroam; user not connected -> validation will fail
- Covert channel between RADIUS and STS
- SAML token issuance
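The issuance rule of steps 2, 3 and 6 (a card that carries no attribute values, a token issued only while the user holds an eduroam session, issuance stopped on logout) as an added Python model that is not part of the original slides: RADIUS accounting Start/Stop events stand in for the RADIUS-to-STS channel, an HMAC stands in for the signed SAML token, and all names, keys and attribute values are constructed.

```python
"""Constructed model of steps 2/3 and 6: RADIUS accounting feeds the STS, which
issues claim tokens for a card only while its owner is connected to eduroam."""
from __future__ import annotations
import hashlib, hmac, json, secrets, time

STS_KEY = b"constructed-demo-signing-key"    # stand-in for the STS signing key
ISSUER = "https://sts.example.edu/infocard"  # constructed issuer identifier
ATTRIBUTES = {"alice": {"affiliation": "staff", "mail": "alice@example.edu"}}

online: set[str] = set()    # RADIUS -> STS channel: who currently holds a session
cards: dict[str, str] = {}  # card id -> user, recorded when the card is issued

def radius_accounting(user: str, status: str) -> None:
    """Accounting Start/Stop from the RADIUS server keeps the online set current."""
    (online.add if status == "Start" else online.discard)(user)

def issue_card(user: str) -> dict:
    """Card returned with the RADIUS response (steps 2/3): names the issuer and
    the claim types it can supply, but carries no attribute values."""
    card_id = secrets.token_hex(8)
    cards[card_id] = user
    return {"card_id": card_id, "issuer": ISSUER, "claims": sorted(ATTRIBUTES[user])}

def card_matches_policy(card: dict, policy: dict) -> bool:
    """Identity-selector check against the RP policy: trusted issuer and
    every required claim type offered by the card."""
    return (card["issuer"] in policy["trusted_issuers"]
            and set(policy["required_claims"]) <= set(card["claims"]))

def issue_token(card_id: str, policy: dict, consent: bool) -> dict | None:
    """STS decision for step 6: known card, user consent, user still online."""
    user = cards.get(card_id)
    if user is None or not consent or user not in online:
        return None                  # logged out of eduroam -> no more tokens
    if not set(policy["required_claims"]) <= set(ATTRIBUTES[user]):
        return None                  # attribute the home domain cannot assert
    body = {"iss": ISSUER, "sub": user, "iat": int(time.time()),
            "claims": {c: ATTRIBUTES[user][c] for c in policy["required_claims"]}}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(STS_KEY, raw, hashlib.sha256).hexdigest()}

def verify_token(token: dict) -> bool:
    """RP-side check that the token body is intact and came from this STS."""
    raw = json.dumps(token["body"], sort_keys=True).encode()
    expected = hmac.new(STS_KEY, raw, hashlib.sha256).hexdigest()
    return hmac.compare_digest(token["sig"], expected)
```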
Requirements
- How would this affect existing infrastructure? Minor changes
- New RADIUS attributes: EAP TLV to exchange the Information Card
- Minor modifications to the supplicant
- IdP side: OpenSSO and Shibboleth support the InfoCard model; and SimpleSAMLphp (see you tomorrow!)
Thank you
Questions/comments?
Further Info
Contact me at: enrique.delahoz@uah.es