Re: [higgins-dev] How specify the authentication method in the Relying P

[Christopher Taylor <christopher.taylor@xxxxxxxxxxxxxxxxxxx>]

Leonardo Straniero schrieb:
> Hi Chris,
> thanks for the explanation and prompt reply.
> Could you please clarify me how can I manage a situation such the following one.
> Suppose that the RP needs to dynamically change the type of authentication a user has to do (e.g. from username/PWD or X509certificate to X509 certificate only) against the IdP.
>   
like I said, that's not really possible. The RP trusts that the 
identities it recieves from the IdP are authentic. The steps the IdP 
undertakes to ensure this (i.e. what kind of authentication it uses) are 
- from the viewpoint of the RP - out of scope.
> My idea was to simply have different RP policies one for "weak authentication" and another one for the strong case. These policies, in my humble opinion, just had to have a statement whose value is different like the ones I exemplified in my previous posting.
> So I was figuring to be able to restrict access to the RP in certain situation to only users having X509 certificates cards.
> You said the RP has no way to do this, right? Or can  I add some "required claims" in the RP "strong authentication" policy that makes possible to force the IdP (or CardSpace) to only accepts users with X509 certificate cards?
>   
There's a couple of ways you could do this:
- you could have the policy specify an STS of which you *know* that it 
uses X.509 for authentication.
- you could require some custom claim in the policy, e.g.
 * http://example.org/auth/#x509
 * http://example.org/auth/#unpw
 however, the RP has no way to check that the user did indeed use this 
authentication method, so I think it would make more sense to a 
domain-specific claim like 
http://example.org/user-can-access-restricted-site. The IdP can then be 
configured to only issue cards containing this claim to users that can 
use X.509 to authenticate themselves.

Of course the second solution might be difficult, if the STS is 
controlled by some other company :). Like I said, the concept is that 
the RP trusts the IdP to do whatever it takes to authenticate the user. 
If the RP doesn't do that, it shouldn't accept identities issued by that 
IdP.

hth,
 --Chris
> Thanks in advance.
> 	Leonardo.
>
> -----Original Message-----
> From: Christopher Taylor [mailto:christopher.taylor@xxxxxxxxxxxxxxxxxxx] 
> Sent: martedì 12 maggio 2009 15.17
> To: leonardo.straniero@xxxxxxxxxxxx; Higgins (Trust Framework) Project developer discussions
> Subject: Re: [higgins-dev] How specify the authentication method in the Relying Party Security Policy
>
> Leonardo,
>
> AFAIK you can't specify the authentication method as part of the RP 
> policy. The reasoning behind this is that the RP has a trust 
> relationship with the STS and trusts the method that the STS uses to be 
> "good enough". This also makes sense because the RP would have no way to 
> check if the STS actually used a specific method or just claims it did.
>
> Of course the STS could support a set of (non-standard) claims that 
> assert that a certain method was used, which the RP could then require 
> in its policy.
>
> hth,
>   --Chris
>
> Leonardo Straniero schrieb:
>   
> > Hi All,
> >
> > I am trying to understand how to specify in the Relying Party Security 
> > Policy the authentication method (e.g. username/pwd, X509 certificate, 
> > …) a user has to use to authenticate to the IP/STS when requesting 
> > security tokens.
> >
> >  
> >
> > I think it is necessary to insert another parameter into the RP’s 
> > *web.xml* file.
> >
> >  
> >
> > I saw in a security policy example a field “*Issuer*” as follows:
> >
> >
> >
> > *  <param-name>Issuer</param-name>*
> >
> > *  <param-value>shib2.internet2.edu</param-value>*
> >
> >  
> >
> > I know the Higgins STS provides some endpoints:
> >
> > * *
> >
> > *…./services/MetadataX509Token*                          (X509 
> > Authentication)
> >
> > *…/services/MetadataUsernameToken                *(UsernamePassword 
> > Authentication)
> >
> >  
> >
> > and so on.
> >
> >  
> >
> > Is it possible to insert another parameter (for example a 
> > MetadataReference parameter that identifies the STST endpoint to be 
> > used) to specify the authentication method? Do you know if, adding a 
> > parameter like this, CardSpace will properly manage it and select only 
> > the cards that meet the required authentication method?
> >
> >  
> >
> > Any ideas?
> >
> > Thanks in advance.
> >
> >  
> >
> > Best Regards.
> >
> > * *
> >
> > *============================*
> >
> > *Dr. Leonardo Straniero*
> >
> > CRS - Corporate Research
> >
> > TXT e-Solutions SpA
> >
> > c/o Tecnopolis N.O.
> >
> > Strada Prov. per Casamassima Km 3
> >
> > 70010 Valenzano (BA) - Italy
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > higgins-dev mailing list
> > higgins-dev@xxxxxxxxxxx
> > https://dev.eclipse.org/mailman/listinfo/higgins-dev
> >   
> >     
>
>
>
>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature