Hi All,

I have been doing some research lately on claims-based authentication [CBA] 
(Microsoft implementation - AFAIK based on WS-Federation/WS-Trust). The 
previous discussions about OAuth and its limitations came to mind immediately - 
CBA seems to resolve the issues that we discussed (it is not tied to the web).

For those who are not familiar with it: it is basically an identity that 
consists of one or more claims. For example a Jabber claim might look like this:

JID: [email protected]
UPN: [email protected]
Name: Jonathan Dickinson from VCard
etc.

In this scenario jabber.org is the sole issuer. This identity (and its claims) 
can be passed to other issuers so that they can fill in the blanks. For 
instance, if I were to start off with an X509 claim:

Thumbprint: BCF189...
Name: CN=jonathand...

I could send it to my internal JID issuer and land up with the following:

Thumbprint: BCF189...
Name: CN=jonathand...
JID: [email protected]
UPN: [email protected]

The idea of a claim is that you can use that claim to authenticate with SSO 
capabilities (this works particularly well with the Microsoft implementation of 
it). I could authenticate against a server using SQL-orientated credentials 
(e.g. PLAIN) - with appropriate translation components in place I could pick up 
my SAP creds, Windows creds and HTTP creds without the user having to enter 
them in. The whole exchange occurs using XML (primarily SAML).

The XML is where the problem lies - SASL dictates that the contents be 
base64-encoded. While this is perfectly valid it just feels plain wrong. After 
thinking about it (less than I should - but here goes):

<stream:features>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
    <required/>
  </starttls>
  <federation xmlns='http://schemas.xmlsoap.org/ws/2006/12/federation' />
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>

The WS-Federation SignOn exchange could then be done via <federation> tags. 
Obviously one would need to be careful around namespace prefix conflicts etc. - 
but nothing too hairy.

Ideas/thoughts?

-- 
Jonathan Dickinson
_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
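Added example (not code from the post or from any XMPP/WS-Federation implementation): a namespace-aware parser for the <stream:features> stanza proposed above, plus a model of the "fill in the blanks" claim augmentation. It shows two points a practitioner would care about: feature detection keyed on (namespace, local-name) pairs, which is what makes the "namespace prefix conflict" concern a non-issue for a correct parser, and a gate that only lets the federation exchange begin once TLS is actually negotiated, since the SAML assertions travel in the stream. The stream namespace http://etherx.jabber.org/streams is the standard XMPP one; the three other namespace URIs are the ones in the post. The claim values and the rule that an earlier issuer's claim is never overwritten by a later one are assumptions made for the example; the post does not say how conflicts are handled.

```python
"""Added example: parse the proposed <stream:features> stanza and model the
claim augmentation described in the post. Not code from the original post."""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"   # standard XMPP streams ns
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"      # from the post
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"    # from the post
NS_FED = "http://schemas.xmlsoap.org/ws/2006/12/federation"  # from the post

# Constructed sample: the stanza from the post, with the stream: prefix bound
# so that it parses stand-alone.
SAMPLE_FEATURES = f"""
<stream:features xmlns:stream='{NS_STREAM}'>
  <starttls xmlns='{NS_TLS}'>
    <required/>
  </starttls>
  <federation xmlns='{NS_FED}'/>
  <mechanisms xmlns='{NS_SASL}'>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>
"""


def parse_features(xml_text):
    """Return a dict describing what the server advertised.

    Every lookup is by Clark notation {namespace}local-name, so the prefix
    the server happened to pick (stream:, tls:, fed:, none) is irrelevant.
    """
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError(f"not a stream:features element: {root.tag}")
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find(f"{{{NS_TLS}}}required") is not None,
        "federation": root.find(f"{{{NS_FED}}}federation") is not None,
        "mechanisms": [
            m.text
            for m in root.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")
        ],
    }


def may_start_federation(features, tls_negotiated):
    """Gate for the client: the federation exchange carries SAML assertions in
    the stream, so start it only when the server offers <federation/> AND the
    client has actually completed STARTTLS, not merely seen <required/>."""
    return features["federation"] and tls_negotiated


def augment_claims(existing, issued):
    """Model of 'passing the identity to another issuer to fill in the blanks'.

    Returns (merged_claims, conflicts). Only missing claim types are added;
    a later issuer attempting to change a claim an earlier issuer already
    asserted is recorded as a conflict rather than applied (assumption for
    this example; the post does not specify conflict handling).
    """
    merged = dict(existing)
    conflicts = []
    for claim_type, value in issued.items():
        if claim_type not in merged:
            merged[claim_type] = value
        elif merged[claim_type] != value:
            conflicts.append(claim_type)
    return merged, conflicts


if __name__ == "__main__":
    feats = parse_features(SAMPLE_FEATURES)
    print(feats)
    print("start federation before TLS:", may_start_federation(feats, False))
    print("start federation after TLS: ", may_start_federation(feats, True))
    # Constructed claim sets mirroring the X509 -> JID issuer flow in the post.
    x509 = {"Thumbprint": "BCF189...", "Name": "CN=jonathand..."}
    from_jid_issuer = {"JID": "user@example.org", "UPN": "user@example.org"}
    print(augment_claims(x509, from_jid_issuer))
```

Run as a script it prints the parsed feature set, the two gate decisions and the augmented claim set; the `augment_claims` helper is the place to hang whatever issuer-trust policy a deployment needs, for instance requiring that the JID issuer's claims be signed before they are merged.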