Infocard support in simpleSAMLphp Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz

Index  Information Card Model  Status of the project  RP Support  IP/STS Support  Future lines

Infocard  Artifact with a unique identifier from an identity provider that users can employ to visualize their digital relationship with the identity provider in user interfaces and request security tokens with claims from the identity provider.  An Information Card is a XML document that can be used as an artifact to get security tokens containing the value of the requested claims  Token agnostic:  OpenID  SAML1.1  Claims-based application  Build upon WS-* protocols

Infocard support  Client side:  Microsoft CardSpace  Bandit project:  Digitalme:  Azigo:  Safari, Firefox Identity selectors  Server side (RP / IP):  Geneva Project,.NET  Higgins Project:  Shibboleth:  Sun OpenSSO:  SimpleSAMLphp (coming soon)

High Level Protocol Description Identity Provider (IP) Relying Party (RP) Client Client would like to access a resource RP provides identity requirements: format, claims & issuer of security token 1 2 User 3 Client shows which of known IPs can satisfy requirements User selects an IP 4 5 Request to IP Security Token Service for security token providing user credentials 6 IP generates security token based on RP’s requirements with display token and proof of possession for user 7 User views display token and approves the release of token 8 Token is released to RP with proof of possession RP reads claims and allows access

Information Card Support in simpleSAMLphp  RP support as starting point:  It can be seen as a new authentication module for ssp  Using Information Cards instead of user/password or whatever  Support of Self-Issued and Managed Cards  Make use of a modified version of Zend Infocard Library

Information Cards Support in simpleSAMLphp  Easy deployment:  Get the module, drop in the modules folder and enable it  #mv default-disable default-enable  Easy configuration:  Move config-template folder contents to ssp config folder  Config-login-infocard.php –Quite self-explanatory  Config authsources.php: $config=array( [..] 'InfoCard' => array( 'InfoCard:ICAuth', ), );

Config-login-infocard.php $config = array ( 'server_key' => '/etc/apache2/ssl/idp.key', 'server_crt' => '/etc/apache2/ssl/idp.crt', 'IClogo' => 'resources/infocard_114x80.png', 'InfoCard' => array( 'schema' => ' 'issuer' => ' 'issuerPolicy' => '', 'privacyURL' => '', 'tokenType' => 'urn:oasis:names:tc:SAML:1.0:assertion', 'requiredClaims' => array( 'privatepersonalidentifier' => array('displayTag'=>"Id", 'description'=>"id"), 'givenname' =>array('displayTag'=>"Given Name", 'description'=>"etc"), 'surname' =>array('displayTag'=>"Surname", 'description'=>"apellidos"), ' address' =>array('displayTag'=>" ", 'description'=>" address") ), 'optionalClaims' => array( 'country' => array('displayTag'=>"country", 'description'=>”Country"), 'webpage' => array('displayTag'=>"webpage", 'description'=>”Web page") ), );

Authsources.php 'InfoCard' => array( 'InfoCard:ICAuth', ),

Configuration explained  Control what will be required in the Information Card:  Required claims  Optional claims (that may be used)  Image that will be shown in the web page  Token type

Login Page <ic:informationCard xmlns:ic=" name='xmlToken' issuer= issuerPolicy="" tokenType="urn:oasis:names:tc:SAML:1.0:assertion" privacyUrl="” privacyVersion="">

RP Open Issues  Issuer validation  The Identity selector should check this  Anyway, an allowed issuer certificate list may be necessary  New token types:  At the moment, only SAML tokens are allowed (most common use case)  It could be easily extended to validate other type of tokens

RP Demo  Once the token is validated, claims are imported into the session.  We need some feedback

IP/STS Support  SimpleSAMLphp could issue Information Cards and tokens  Based on carillon project:   Beta state:  Tested with :  Identity selectors: CardSpace, Digitalme, Azigo  Browers: Safari, IE7, Firefox  OS: Linux, Windows XP, Mac OS X  Supported Authentication methods:  Currently only User/Password.  Supported token types:  SAML tokens

IP/STS Support  It will be part of the InfoCard module:  New directives in Infocard config file  New endpoints defined in module www/ folder  New libs added  Files:  www/getinfocard.php: generates information card from configuration and data  www/tokenservice.php: generates tokens.

IP/STS  Open Issues (not technical):  How do users get Information Cards?  Where do we get profiles from?  Where do we get claims from?  Authentication backend definition?  Wishlist?  We do need feedback

Current status  RP part already in svn trunk.  IP/STS ready for experimental use.

Infocard Usage  Authentication  Secure OpenID: OpenID Information Cards (  Self-issued cards as a replacement for user/password authentication  Plugin for wordpress:  Windows Live ID:  Control of Information disclosure  Easier management of digital identity

Thank you  Questions/comments?

Further Info  Contact me at: