1. Is there a compelling use case for this?

2. Why wouldn't the WS-* folks define a new SASL mechanism?
On 5/31/10 8:18 AM, Jonathan Dickinson wrote:
> Hi All,
>
> I have been doing some research lately on claims-based authentication
> [CBA] (Microsoft implementation - AFAIK based on WS-Federation/WS-Trust
> <http://en.wikipedia.org/wiki/WS-Federation>). The previous discussions
> about OAuth and its limitations came to mind immediately - CBA seems to
> resolve the issues that we discussed (it is not tied to the web).
>
> For those who are not familiar with it; it basically is an identity that
> consists of one or more claims. For example a Jabber claim might look
> like this:
>
> JID: [email protected]
> UPN: [email protected]
> Name: Jonathan Dickinson /from VCard/
> etc.
>
> In this scenario jabber.org is the sole /issuer/. This identity (and
> its claims) can be passed to other issuers so that they can fill in the
> blanks. For instance, if I were to start off with an X509 claim:
>
> Thumbprint: BCF189...
> Name: CN=jonathand...
>
> I could send it to my internal JID issuer and land up with the following:
>
> Thumbprint: BCF189...
> Name: CN=jonathand...
> JID: [email protected]
> UPN: [email protected]
>
> The idea of a claim is that you can use that claim to authenticate with
> SSO capabilities (this works particularly well with the Microsoft
> implementation of it). I could authenticate against a server using
> SQL-orientated credentials (e.g. PLAIN) - with appropriate translation
> components in place I could pick up my SAP creds, Windows creds and HTTP
> creds without the user having to enter them in. The whole exchange
> occurs using XML (primarily SAML).
>
> The XML is where the problem lies - SASL dictates that the contents be
> base64-encoded. While this is perfectly valid it just feels plain wrong.
> After thinking about it (less than I should - but here goes):
>
> <stream:features>
>   <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
>     <required/>
>   </starttls>
>   <federation xmlns='http://schemas.xmlsoap.org/ws/2006/12/federation' />
>   <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
>     <mechanism>DIGEST-MD5</mechanism>
>     <mechanism>PLAIN</mechanism>
>   </mechanisms>
> </stream:features>
>
> The WS-Federation SignOn exchange could then be done via <federation>
> tags. Obviously one would need to be careful around namespace prefix
> conflicts etc. - but nothing too hairy.
>
> Ideas/thoughts?
>
> --
> Jonathan Dickinson
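The two halves of the quoted proposal, as an added example that is not part of the original post or of any XMPP or WS-Federation implementation: a namespace-aware parse of the proposed `<stream:features>` (so the `<federation>` element is matched by its namespace rather than by a prefix, which is where the "namespace prefix conflicts" concern comes from), the existing SASL route in which an XML token must travel base64-encoded inside `<auth>`, and a client-side check that only starts a federation exchange once TLS is actually up. The stream namespace `http://etherx.jabber.org/streams`, the mechanism name `X-EXAMPLE`, and the `<claims>` token are assumptions or constructed values, not anything the post specifies.

```python
import base64
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"   # standard XMPP stream namespace (assumption: not stated in the post)
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_WSFED = "http://schemas.xmlsoap.org/ws/2006/12/federation"  # namespace used in the post's proposal

# Constructed sample: the <stream:features> element from the post, with the
# stream prefix declared so that it parses stand-alone.
FEATURES = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"><required/></starttls>
  <federation xmlns="{NS_WSFED}"/>
  <mechanisms xmlns="{NS_SASL}">
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

# Constructed, non-SAML claim token used only to show the base64 wrapping.
CLAIMS_XML = '<claims><claim type="JID">user@jabber.example</claim></claims>'


def parse_features(xml_text):
    """Read the advertised features using Clark notation ({namespace}local),
    so the match is on the namespace URI and never on a prefix."""
    root = ET.fromstring(xml_text)
    tls = root.find(f"{{{NS_TLS}}}starttls")
    return {
        "starttls_required": tls is not None and tls.find(f"{{{NS_TLS}}}required") is not None,
        "federation": root.find(f"{{{NS_WSFED}}}federation") is not None,
        "mechanisms": [m.text for m in root.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")],
    }


def sasl_auth_element(mechanism, payload_xml):
    """The route the post objects to: an XML token base64-encoded into a SASL
    <auth> element. 'mechanism' is whatever name such a mechanism would carry
    (the post registers none; X-EXAMPLE below is a placeholder)."""
    token = base64.b64encode(payload_xml.encode("utf-8")).decode("ascii")
    return f'<auth xmlns="{NS_SASL}" mechanism="{mechanism}">{token}</auth>'


def unwrap_sasl_auth(auth_xml):
    """Server side of the same route: recover mechanism name and XML token."""
    el = ET.fromstring(auth_xml)
    if el.tag != f"{{{NS_SASL}}}auth":
        raise ValueError("not a SASL auth element")
    return el.get("mechanism"), base64.b64decode(el.text or "").decode("utf-8")


def may_start_federation(features, tls_established):
    """Defender's gate: a federation sign-on carries identity assertions and
    must not begin until the stream is protected. Refuse when the server did
    not advertise <federation>, or when TLS is required but not yet negotiated."""
    if not features["federation"]:
        return False
    if features["starttls_required"] and not tls_established:
        return False
    return True


if __name__ == "__main__":
    f = parse_features(FEATURES)
    print(f)
    auth = sasl_auth_element("X-EXAMPLE", CLAIMS_XML)
    print(auth)
    print(unwrap_sasl_auth(auth))
    print("federation before TLS:", may_start_federation(f, tls_established=False))
    print("federation after TLS: ", may_start_federation(f, tls_established=True))
```

The parser deliberately never inspects the `stream:` or any other prefix; a server that chose a different prefix, or a client that reused one for the WS-Federation payload, would still be matched by URI. The `<auth>` helpers make the base64 step explicit so that the size and opacity cost the post complains about is visible, and the gate shows the one ordering rule a client should enforce regardless of which transport the exchange finally uses.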
_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
