infocard and eduroam enrique de la hoz, diego r. l ó pez, antonio garc í a, samuel mu ñ oz

Infocard and Eduroam

Enrique de la Hoz, Diego R. López, Antonio García, Samuel Muñoz

Index

Introduction to Infocard Infocard usage uSSO using Infocard in eduroam Questions

Infocard Artifact with a unique identifier

from an identity provider that users can employ to visualize their digital relationship with the identity provider in user interfaces and request security tokens with claims from the identity provider.

An Information Card is a XML document that can be used as an artifact to get security tokens containing the value of the requested claims

Token agnostic: OpenID SAML1.1

Claims-based application Build upon WS-* protocols

Infocard support Client side:

Microsoft CardSpace Bandit project:

Digitalme: http://code.bandit-project.org/trac/wiki/DigitalMe Azigo: http://www.simplysecure.biz/InfoCards.html Safari, Firefox Identity selectors

Server side (RP / IP): Geneva Project, .NET Higgins Project: http://www.eclipse.org/higgins/ Shibboleth: https://spaces.internet2.edu/display/SHIB/Information+Cards Sun OpenSSO: https://cardspaceauthn.dev.java.net/ SimpleSAMLphp (coming soon)

Information Cards Foundation: http://informationcard.net/ Directory: http://www.informationcarddirectory.com/index.php/The_directory

High Level Protocol DescriptionHigh Level Protocol Description

Identity Provider(IP)

Relying Party(RP)

ClientClient would like to access a resource

RP provides identity requirements: format, claims & issuer of security token

1

2

User

3 Client shows which of known IPs can satisfy requirements

User selects an IP4

5Request to IPSecurity Token Service for security token providing user credentials

6

IP generates security token based on RP’s requirementswith display token and proof of possession for user

7User views display token andapproves the release of token

8

Token is released to RP with proof of possession RP reads claims and allows access

Infocard Architecture Elements

User app (usually a web browser but not necessarily) Identity Selector Relying Party (RP): token consumer IP/STS: token issuer and Infocard Issuer

Infocard Usage Authentication Secure OpenID: OpenID Information Cards

(https://openidcards.sxip.com/spec/openid-infocards.html) Self-issued cards as a replacement for user/password

authentication Plugin for wordpress: http://pamelaproject.com/pwwp/ Windows Live ID:http://dev.live.com/liveid/

Control of Information disclosure Easier management of digital identity

¿eduroam?

What! Infocard as a key technology for uSSO. We do have working IdP

Either RADIUS or IdP in eduGAIN We could issue Infocards We have claims-based apps We could issue tokens containing those claims on

request

Architecture Description

Para ver esta película, debedisponer de QuickTime™ y de

un descompresor None.

Para ver esta película, debedisponer de QuickTime™ y deun descompresor None.


Access Point



RADIUS Authentication

Traditional SSO procedure

Infocard Interactions

RADIUS-STS Communication

Client

RADIUS Server

SP

7

5

46

6

3

21

1




Infocard STS

RADIUS Server

IdP

Home Domain

Para ver esta película, debedisponer de QuickTime™ y de

un descompresor None.



Access Point



Client

Radius Server

SP

7

5

46

6

3

2

1

1




Infocard STS

Radius Server

IdP

Home Domain

Step by step

•1 - Radius Authentication Request

•2 - RADIUS Response

•3 (Optional) Information Card retrieval

•4 - SP Access

•5 - Redirection to Home IdP

•6 - Infocard Authentication: (WS-*)

•7 - Acces granted / rejected

RADIUS (step 1 and 2)

User is authenticated to RADIUS as usual. Communication channel between RADIUS and Infocard STS Infocard STS generates an Information Card for the user Information Card itself could be contained in the RADIUS response

(EAP-TLV) or user could download the Information Card from an URI specified in an attribute of the RADIUS response (step 3 then)

What then? Supplicant will be in charge of importing the received Information Card

into Information Card store No sensitive information in the Information Card

User Privacy

What about user privacy? Infocard does not contain any info about user attributes Attributes disclosure is under strict control of end user

Service Provider Access

What for? Service access -> Information Card Model Access to SP, redirection to home institution IdP IdP will act as a RP in the InfoCard architecture

https access It will require Information Card for access

– Policy:» With a trusted issuer» Containing a certain set of attributes

Information Card (step 6)

STS will be located in the home domain of each user STS will issue a token containing the required attributes

It could be a signed SAML token. If and only if user is connected. As soon as user logs out, STS will stop token issuance for him.

IP/STS may o may not know about who is requesting the attributes

Step 6 Explained

How? WS-Trust, WS-Security, WS-MetadataExchange, WS-

SecurityPolicy RP<->STS communication

Information Card Validation– User consent– User MUST be connected to eduroam– User not connected -> validation will fail– Covert channel between RADIUS and STS

SAML token issuance

Requirements

How would this affect existing infraestructure? Minor changes New RADIUS attributes: EAP TLV to exchange Information

Card Minor modifications to supplicant IdP side: OpenSSO, Shibboleth support InfoCard model

And simpleSAMLphp ; (see you tomorrow!)

Thank you

Questions/comments?

Further Info

Contact me at:[email protected]

infocard and eduroam enrique de la hoz, diego r. l ó pez, antonio garc í a, samuel mu ñ oz

Documents

infocard issuer slide

infocard authentication

request slide

infocard infocard usage

infocard sts infocard

infocard artifact

access slide

token issuer