Re: [higgins-dev] How specify the authentication method in the Relying Party Security Policy
I think you need to update a few places in the configuration file to get the
new claim working. Maybe you can look at the example configuration at
http://dev.eclipse.org/svnroot/technology/org.eclipse.higgins/trunk/plugins/org.eclipse.higgins.sts.binding.axis1x.service/WebContent/ConfigurationFiles/ManagedConfiguration.xml
and make the changes in your configuration. Maybe that is what you did
already.
Please look for the cameratype as an example and see everywhere it is
referenced in the configuration.
-Jeesmon
On May 14, 2009, at 6:34 AM, Christopher Taylor wrote:
Leonardo,
I'm not a higgins dev, so I'm afraid I can't help you there. I'm
interested in how to do this, though, so if anyone else has pointers to
some docs, I'd be grateful, too.
all the best,
--Chris
Leonardo Straniero schrieb:
Hi Chris, hi All,
We want to add a new Claim when a user creates a new account on the IdP
site (e.g. Webpage claim, or "strong authentication", please see the
previous mail). Is it possible? How can I configure the IdP for
this purpose? I tried to manually modify the xml configuration files
with a text editor, but when I create a new account I get this LDAP
error:
• Error creating user ID 'jhon':
javax.naming.directory.InvalidAttributeIdentifierException: [LDAP:
error code 17 - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage:
AttributeDescription contains inappropriate characters];
remaining name 'cn=jhon,ou=identities,dc=project,dc=eu'
I added the webpage attribute in the LDAP schema.
Another question: is it possible to retrieve the authentication method
on the IdP (e.g. X509 Certificate, UsernamePassword, PersonalCard)
from the security token returned? Is it necessary to modify any other
settings for this purpose? We need to know the authentication
method on the IdP in order to decide whether to support only the
X509Certificate authentication method.
Any Ideas?
Any suggestion will be appreciated.
Thanks in advance.
Best Regards.
Leonardo.
-----Original Message-----
From: Christopher Taylor [mailto:christopher.taylor@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday 12 May 2009 16.34
To: leonardo.straniero@xxxxxxxxxxxx; Higgins (Trust Framework)
Project developer discussions
Subject: Re: [higgins-dev] How specify the authentication method in
the Relying Party Security Policy
Leonardo Straniero schrieb:
Hi Chris,
thanks for the explanation and prompt reply.
Could you please clarify for me how I can manage a situation such as the
following one.
Suppose that the RP needs to dynamically change the type of
authentication a user has to do (e.g. from username/PWD or
X509certificate to X509 certificate only) against the IdP.
Like I said, that's not really possible. The RP trusts that the
identities it receives from the IdP are authentic. The steps the IdP
undertakes to ensure this (i.e. what kind of authentication it uses) are
- from the viewpoint of the RP - out of scope.
My idea was to simply have different RP policies, one for "weak
authentication" and another one for the strong case. These
policies, in my humble opinion, would just have to have a statement whose
value is different, like the ones I exemplified in my previous
posting.
So I was figuring I would be able to restrict access to the RP in
certain situations to only users having X509 certificate cards.
You said the RP has no way to do this, right? Or can I add some
"required claims" in the RP "strong authentication" policy that
make it possible to force the IdP (or CardSpace) to only accept
users with X509 certificate cards?
There are a couple of ways you could do this:
- you could have the policy specify an STS of which you *know* that it
uses X.509 for authentication.
- you could require some custom claim in the policy, e.g.
* http://example.org/auth/#x509
* http://example.org/auth/#unpw
however, the RP has no way to check that the user did indeed use this
authentication method, so I think it would make more sense to use a
domain-specific claim like
http://example.org/user-can-access-restricted-site. The IdP can then be
configured to only issue cards containing this claim to users that can
use X.509 to authenticate themselves.
Of course the second solution might be difficult, if the STS is
controlled by some other company :). Like I said, the concept is that
the RP trusts the IdP to do whatever it takes to authenticate the user.
If the RP doesn't do that, it shouldn't accept identities issued by that
IdP.
hth,
--Chris
Thanks in advance.
Leonardo.
-----Original Message-----
From: Christopher Taylor [mailto:christopher.taylor@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday 12 May 2009 15.17
To: leonardo.straniero@xxxxxxxxxxxx; Higgins (Trust Framework)
Project developer discussions
Subject: Re: [higgins-dev] How specify the authentication method
in the Relying Party Security Policy
Leonardo,
AFAIK you can't specify the authentication method as part of the RP
policy. The reasoning behind this is that the RP has a trust
relationship with the STS and trusts the method that the STS uses to be
"good enough". This also makes sense because the RP would have no way to
check if the STS actually used a specific method or just claims it did.
Of course the STS could support a set of (non-standard) claims that
assert that a certain method was used, which the RP could then require
in its policy.
hth,
--Chris
Leonardo Straniero schrieb:
Hi All,
I am trying to understand how to specify in the Relying Party Security
Policy the authentication method (e.g. username/pwd, X509 certificate,
…) a user has to use to authenticate to the IP/STS when requesting
security tokens.
I think it is necessary to insert another parameter into the RP's
web.xml file.
I saw in a security policy example a field "Issuer" as follows:
<param-name>Issuer</param-name>
<param-value>shib2.internet2.edu</param-value>
I know the Higgins STS provides some endpoints:
…./services/MetadataX509Token (X509 Authentication)
…/services/MetadataUsernameToken (UsernamePassword Authentication)
and so on.
Is it possible to insert another parameter (for example a
MetadataReference parameter that identifies the STS endpoint to be
used) to specify the authentication method? Do you know if, adding a
parameter like this, CardSpace will properly manage it and select only
the cards that meet the required authentication method?
Any ideas?
Thanks in advance.
Best Regards.
============================
Dr. Leonardo Straniero
CRS - Corporate Research
TXT e-Solutions SpA
c/o Tecnopolis N.O.
Strada Prov. per Casamassima Km 3
70010 Valenzano (BA) - Italy
------------------------------------------------------------------------
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
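The approach Chris describes in the thread (a "weak" and a "strong" RP policy, where the strong one requires a domain-specific claim that the IdP is configured to issue only to users who authenticated with X.509, and the RP trusts the issuer rather than trying to verify the authentication method itself), written out as an added example. This is not code from the thread or from the Higgins project. The issuer URLs, policy names and example.org claim URIs are assumptions, and the token is a constructed, unsigned SAML 1.x-style assertion; signature verification is assumed to happen before this check runs.

```python
"""RP-side evaluation of an issued token against "weak" and "strong" policies.

Added example, not Higgins project code. The RP cannot verify *how* the IdP
authenticated the user, so the strong policy requires a domain-specific claim
that the IdP issues only to X.509-authenticated users, and both policies check
the issuer first. Issuer URLs, policy names and the example.org claim URIs are
assumptions; tokens are constructed, unsigned SAML 1.x-style assertions.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Hypothetical domain-specific claim (Chris's suggestion in the thread).
RESTRICTED_CLAIM = "http://example.org/user-can-access-restricted-site"
TRUSTED_STS = "https://idp.example.org/sts"  # assumed trusted issuer

POLICIES = {
    # weak: any token from a trusted issuer is enough
    "weak": {"issuers": {TRUSTED_STS}, "required_claims": set()},
    # strong: additionally require the domain-specific claim
    "strong": {"issuers": {TRUSTED_STS}, "required_claims": {RESTRICTED_CLAIM}},
}


def parse_claims(token_xml):
    """Return (issuer, {claim_uri: [values]}) from a SAML 1.x assertion.

    Information-card tokens carry each claim URI split into
    AttributeNamespace + "/" + AttributeName; this joins them back.
    """
    root = ET.fromstring(token_xml)
    issuer = root.get("Issuer")
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        uri = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims.setdefault(uri, []).extend(values)
    return issuer, claims


def evaluate(token_xml, policy_name):
    """Return (allowed, reason) for the token under the named RP policy."""
    policy = POLICIES[policy_name]
    issuer, claims = parse_claims(token_xml)
    # Trust decision first: a claim asserting "I used X.509" means nothing
    # unless it comes from an STS the RP already trusts.
    if issuer not in policy["issuers"]:
        return False, f"untrusted issuer {issuer!r}"
    missing = policy["required_claims"] - set(claims)
    if missing:
        return False, "missing required claim(s): " + ", ".join(sorted(missing))
    return True, "ok"


def make_token(issuer, claims):
    """Build a constructed, unsigned SAML 1.x-style assertion for testing."""
    attrs = []
    for uri, value in claims.items():
        ns, _, name = uri.rpartition("/")
        attrs.append(
            f'<saml:Attribute AttributeName="{name}" AttributeNamespace="{ns}">'
            f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" Issuer="{issuer}">'
        f"<saml:AttributeStatement>{''.join(attrs)}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def demo():
    """Three constructed tokens; returns {label: evaluate(...) result}."""
    x509_user = make_token(TRUSTED_STS, {
        f"{CLAIMS_NS}/givenname": "Leonardo",
        RESTRICTED_CLAIM: "true",
    })
    password_user = make_token(TRUSTED_STS, {f"{CLAIMS_NS}/givenname": "Leonardo"})
    # Rogue STS asserting an auth-method claim: must be rejected regardless.
    rogue = make_token("https://rogue.example.net/sts", {
        "http://example.org/auth/#x509": "true",
        RESTRICTED_CLAIM: "true",
    })
    return {
        "x509_user/strong": evaluate(x509_user, "strong"),
        "password_user/weak": evaluate(password_user, "weak"),
        "password_user/strong": evaluate(password_user, "strong"),
        "rogue/strong": evaluate(rogue, "strong"),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:22} {'ALLOW' if ok else 'DENY '} {reason}")
```

Running it shows the password-only user passing the weak policy but failing the strong one, and the rogue token denied on issuer trust before its claims are even looked at, which is the point Chris makes: since the RP cannot verify an authentication-method claim, access should hinge on a claim the RP trusts the IdP to issue, not on the method asserted.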
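The LDAP error Leonardo quotes (result code 17, "AttributeDescription contains inappropriate characters") is what a directory returns when a full claim URI is written as an attribute name instead of the schema attribute it should map to. As an added example, not Higgins code, here is a check that validates attribute names against the RFC 4512 grammar and maps claim URIs to schema attributes before the add; the mapping table is an assumption for illustration, and the sample user record is constructed.

```python
"""Why the IdP's LDAP backend rejected the new "webpage" claim with
LDAP result code 17 (undefinedAttributeType).

Added example, not Higgins code. An LDAP AttributeDescription (RFC 4512
section 2.5) is a keystring (a letter, then letters, digits or hyphens) or a
dotted numeric OID, optionally followed by ";option" parts. A claim URI such
as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage is neither,
so writing it straight to the directory fails; the claim URI must be mapped to
a schema attribute name first. CLAIM_TO_ATTR is a hypothetical mapping; the
real one lives in the IdP's configuration.
"""
import re

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# RFC 4512: attributedescription = attributetype options
#           attributetype = oid (descr / numericoid); options = *( SEMI option )
_ATTR_DESC = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)(?:;[A-Za-z0-9-]+)*$"
)

# Hypothetical claim-URI -> LDAP attribute mapping (assumption).
CLAIM_TO_ATTR = {
    f"{CLAIMS_NS}/givenname": "givenName",
    f"{CLAIMS_NS}/surname": "sn",
    f"{CLAIMS_NS}/emailaddress": "mail",
    f"{CLAIMS_NS}/webpage": "webpage",  # custom attribute added to the schema
}


def is_valid_attribute_description(name):
    """True if a server would accept `name` as an AttributeDescription."""
    return _ATTR_DESC.fullmatch(name) is not None


def ldap_attributes_for(claims):
    """Translate {claim_uri: value} into {ldap_attribute: value}.

    Raises KeyError for a claim with no configured attribute and ValueError
    for a mapped name that would itself trigger result code 17, so the
    problem surfaces before the LDAP add rather than as a directory error.
    """
    out = {}
    for uri, value in claims.items():
        attr = CLAIM_TO_ATTR.get(uri)
        if attr is None:
            raise KeyError(f"no LDAP attribute configured for claim {uri}")
        if not is_valid_attribute_description(attr):
            raise ValueError(f"{attr!r} is not a valid AttributeDescription")
        out[attr] = value
    return out


def check_unmapped_write(claims):
    """What the failing configuration in the thread effectively does: use the
    claim URI itself as the attribute name. Returns the names a server rejects."""
    return [uri for uri in claims if not is_valid_attribute_description(uri)]


if __name__ == "__main__":
    new_user = {  # constructed sample record
        f"{CLAIMS_NS}/givenname": "jhon",
        f"{CLAIMS_NS}/webpage": "http://www.example.org/~jhon",
    }
    print("rejected if written unmapped:", check_unmapped_write(new_user))
    print("mapped attributes:", ldap_attributes_for(new_user))
```

Adding the attribute to the LDAP schema (as Leonardo did) is necessary but not sufficient: the IdP configuration also has to name that schema attribute for the claim, which is what Jeesmon's pointer to the cameratype example in ManagedConfiguration.xml is about.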