A Client-side CardSpace-Liberty Integration Architecture
Waleed A. Alrodhan
Royal Holloway, University of London, Information Security Group
7th Symposium on Identity and Trust on the Internet (IDtrust 2008)
Agenda
• Introduction
• Liberty Alliance Project (ID-FF LEC profile)
• Microsoft CardSpace
• Integrating the two schemes
• Analysis
Introduction
• It has become common for Internet users to access multiple independent systems in a single working session.
• Hence, users need multiple digital identities.
• There are many solutions (e.g. federation, user-centric schemes, CardSpace, etc.).
• Interoperability?
Liberty Alliance Project
• Introduction
• An industry collaboration, started in December 2001.
• Liberty aims to build open, standards-based specifications for federated identity, to provide interoperability testing, and to help provide solutions to identity theft.
• There are more than 40 million Liberty-enabled identities and clients across the world (LAP, 2005).
Liberty Alliance Project
• The Basic Federation Model (diagram): two federations, circle of trust A (around IdP 1) and circle of trust B (around IdP 2), each containing a group of service providers (SP1 to SP8). The principal, Chris, is federated as "Chris the researcher" in circle A and as "Chris the musician" in circle B. IdP: Identity Provider; SP: Service Provider.
Liberty Alliance Project
• The Specifications (the charts in this slide are taken from the Liberty Alliance Project website)
Liberty Alliance Project
• The ID-FF Liberty Profiles
• "The combination of message content specification and message transport mechanisms for a single client type (that is, user agent) is termed a Liberty profile." (Liberty Alliance Project - Liberty ID-FF Bindings and Profiles Specification)
• There are many profiles: Single Sign-On and Federation Profiles, Register Name Identifier Profiles, Identity Federation Termination Notification Profiles, Single Logout Profiles, Identity Provider Introduction, NameIdentifier Mapping Profile, NameIdentifier Encryption Profile.
• There are three Single Sign-On and Federation Profiles:
1. Artifact profile
2. Browser POST profile
3. Liberty-enabled client and proxy profile
Liberty Alliance Project
• Liberty-Enabled Client and Proxy Profile (diagram: Principal (User), User Agent (Liberty-Enabled Web Browser), SP and IdP; the User Agent to SP leg uses HTTP redirect and HTML form POST, the User Agent to IdP leg uses SAML/SOAP/HTTPS)
It is assumed that the client has already been authenticated by the IdP.
1. User Agent → SP: Service Request (HTTP request with Liberty-Enabled header)
2. SP → User Agent: Authentication Request + optionally an IdP list
3. User Agent or User: obtaining the IdP
4. User Agent → IdP: SAML-Assertion Request
5. IdP → User Agent: SAML-Assertion Response
6. User Agent → SP: Authentication Response + SAML-Assertion (within the HTML form)
7. SP → User Agent: Service granted!
Microsoft CardSpace
• Introduction
• A WinFX software component that is built on the concept of the "identity metasystem".
• Designed to give the user control over his digital identities in a user-friendly manner, and to tackle problems such as privacy breaches and identity theft, with no single or central identity authority in control.
Microsoft CardSpace
• Introduction II
• Currently deployed with Windows Vista (works with multiple browsers).
• The identity is defined as a set of claims, where a claim is an assertion of the truth of something.
• Based on the identification process we experience in the real world when using physical identification cards.
• Laws of Identity.
Microsoft CardSpace
• InfoCard Example (straight quotes restored; the ic, ds and wsid prefixes are declared so the fragment is well-formed XML)

<InfoCard xmlns="http://schemas.microsoft.com/ws/2005/05/identity"
    xmlns:ic="http://schemas.microsoft.com/ws/2005/05/identity"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xml:lang="en-us">
  <InfoCardReference>
    <CardId>1234abcd</CardId>
  </InfoCardReference>
  <CardName>Royal Holloway Student Card</CardName>
  <CardImage MimeType="image/gif"> ... </CardImage>
  <IssuerName>Royal Holloway</IssuerName>
  <TimeIssued>2008-03-04T00:30:05Z</TimeIssued>
  <TokenServiceReference>
    <TokenService>
      <wsa:EndpointReference>
        <wsa:Address>http://www.rhul.ac.uk/sts</wsa:Address>
        <wsid:Identity>
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </wsid:Identity>
      </wsa:EndpointReference>
      <UserNamePasswordAuthenticate>
        <Username>Waleed</Username>
      </UserNamePasswordAuthenticate>
    </TokenService>
  </TokenServiceReference>
  <ic:InfoCardPolicy>
    <SupportedTokenTypes>
      <TokenType URI="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </SupportedTokenTypes>
    <SupportedClaims>
      <SupportedClaim URI="http://.../ws/2005/05/identity/claims/givenname">
        <DisplayTag>First Name</DisplayTag>
      </SupportedClaim>
      <SupportedClaim URI="http://.../ws/2005/05/identity/claims/surname">
        <DisplayTag>Last Name</DisplayTag>
      </SupportedClaim>
    </SupportedClaims>
    <RequireAppliesTo />
  </ic:InfoCardPolicy>
</InfoCard>
Microsoft CardSpace
• The Message Flow (diagram)
Microsoft CardSpace
• The Basic Model (diagram: User, User Agent (CardSpace-Enabled Browser), RP with its STS, and IdP with its STS; the User Agent to STS legs use SOAP/HTTPS)
1. User Agent → RP: HTTP GET login HTML page request
2. RP → User Agent: HTML login page + CardSpace tags (XHTML or HTML object tags)
3. User Agent ↔ RP-STS: User Agent retrieves policy via WS-SecurityPolicy
4. User Agent ↔ User: user picks an InfoCard
5. User Agent ↔ IdP: user authentication
6. User Agent ↔ IdP-STS: User Agent retrieves the security token via WS-MetadataExchange and WS-Trust
7. User Agent → RP-STS: User Agent presents the security token via WS-Trust
8. RP → User Agent: Welcome, you are now logged in!
Integrating the two schemes
• Why? (diagram of the two message flows, each annotated "This can be changed!")
Integrating the two schemes
• How?
• The CardSpace architecture consists of two parts:
• The user agent supporting components (ID-WSF?)
• The identity framework (ID-FF LEC)
• Different scopes?
Integrating the two schemes
• The identity management architecture adaptor
• A piece of software installed on the user's machine which understands both the Liberty and CardSpace frameworks, and their message flows and formats.
• Its main job is to interpose itself between IdPs and SPs adhering to different identity management architectures, in order to translate particular messages generated by one party for the other.
• Assumptions
• IdP-IdP integration is out of scope.
• In the case of a Liberty-enabled IdP and a CardSpace-enabled RP, we assume that there is a pre-established trust relationship (pseudonyms, CardSpace Ref./InfoCard ID).
Integrating the two schemes
• Restrictions
• Only SAML tokens.
• No end-to-end encryption (secure channels only).
• Only asymmetric proof of rightful possession (holder-of-key).
• In the case of a CardSpace-enabled RP and a Liberty-enabled IdP, token freshness requests are discarded.
Integrating the two schemes
• How to represent the claims?
• As a SAML Attribute Statement (requires some modifications to the Liberty enabling component).
• Authentication with no claims (severely impacts the usability of the integration).
Integrating the two schemes
• The adaptor in the message flow (diagram): CardSpace Enabling Component ↔ Identity Management Architecture Adaptor ↔ Liberty Enabling Component
• RP side: the retrieved security policy (WS-Policy, SOAP envelope) on the CardSpace side corresponds to an Authentication Request within <AuthenticationRequestEnvelope> on the Liberty side.
• IdP-STS side: the retrieved security token (WS-Trust, SOAP envelope) on the CardSpace side corresponds to an Authentication Response within <AuthenticationResponseEnvelope> on the Liberty side.
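The IdP-side translation the adaptor performs (a Liberty AuthenticationResponseEnvelope in, a WS-Trust security token response out), as an added Python example that is not code from the paper or from any CardSpace or Liberty implementation; it enforces the restrictions listed above (SAML token only, holder-of-key proof, no freshness negotiation) and reads the claims from the assertion's SAML Attribute Statement. The sample envelope is constructed, and the element names and namespaces follow Liberty ID-FF 1.2, SAML 1.x and WS-Trust 2005/02 as assumed here.

```python
import xml.etree.ElementTree as ET

# Published namespace URIs of the two frameworks the adaptor bridges.
NS = {"lib": "urn:liberty:iff:2003-08",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust"}
SAML10_TOKEN = "urn:oasis:names:tc:SAML:1.0:assertion"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"

# Constructed sample of a Liberty-enabled IdP's response in the LEC profile.
SAMPLE_ENVELOPE = """<lib:AuthnResponseEnvelope xmlns:lib="urn:liberty:iff:2003-08"
 xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
 <lib:AuthnResponse><samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="a1" Issuer="https://idp.example"><saml:AttributeStatement>
   <saml:Subject><saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
   </saml:SubjectConfirmation></saml:Subject>
   <saml:Attribute AttributeName="givenname" AttributeNamespace="urn:example:claims">
    <saml:AttributeValue>Waleed</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></lib:AuthnResponse>
</lib:AuthnResponseEnvelope>"""

def extract_claims(assertion):
    """Map each attribute of the SAML AttributeStatement to its values."""
    return {a.get("AttributeName"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}

def liberty_response_to_wstrust(envelope_xml):
    """Translate a Liberty AuthnResponseEnvelope into the WS-Trust RSTR the
    CardSpace-enabling component expects; returns (rstr_xml, claims)."""
    env = ET.fromstring(envelope_xml)
    code = env.find("lib:AuthnResponse/samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith("Success"):
        raise ValueError("Liberty IdP did not report success")
    assertion = env.find("lib:AuthnResponse/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("only SAML assertions are accepted as tokens")
    methods = [m.text for m in assertion.iter(f"{{{NS['saml']}}}ConfirmationMethod")]
    if HOLDER_OF_KEY not in methods:
        raise ValueError("only holder-of-key proof of possession is supported")
    claims = extract_claims(assertion)
    if not claims:
        raise ValueError("assertion carries no AttributeStatement claims")
    # Wrap the assertion unchanged; no freshness (Lifetime) is negotiated.
    rstr = ET.Element(f"{{{NS['wst']}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{NS['wst']}}}TokenType").text = SAML10_TOKEN
    ET.SubElement(rstr, f"{{{NS['wst']}}}RequestedSecurityToken").append(assertion)
    return ET.tostring(rstr, encoding="unicode"), claims
```

The assertion is passed through unchanged so its issuer signature (omitted from the constructed sample) stays verifiable by the CardSpace-enabled RP.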
Integrating the two schemes
• First scenario (diagram): a CardSpace-enabled IdP with its STS and a Liberty-enabled SP; the User Agent is a Liberty-enabled and CardSpace-enabled web browser plus an IdM architecture adaptor, acting for the Principal (User); steps 1 to 7, with SAML/SOAP/HTTPS between User Agent and IdP. More details of the message flow can be found in the paper.
Integrating the two schemes
• Second scenario (diagram): a Liberty-enabled IdP and a CardSpace-enabled RP with its STS; the User Agent is a Liberty-enabled and CardSpace-enabled web browser plus an IdM architecture adaptor, acting for the User; steps 1 to 8, with SOAP/HTTPS between User Agent and STS. More details of the message flow can be found in the paper.
Integrating the two schemes
• Analysis
• The proposed integration model is designed to be implemented without the need for technical cooperation between Microsoft and Liberty; however, implementing such a model is a non-trivial task.
• CardSpace and the Liberty ID-FF are designed for somewhat different scopes.
• User agents still need to be both CardSpace-enabled and Liberty-enabled.
• There is no end-to-end encryption.
Integrating the two schemes
• Analysis II
• There are restrictions on the token type, encryption and freshness requests.
• Interaction with the CardSpace enabling component (APIs).
• Delay?
• Bandit project.
Thank You!