[jdev] Claims-based Authentication

Jonathan Dickinson jonathan at dickinsons.co.za
Mon May 31 09:18:43 CDT 2010 

Hi All,

I have been doing some research lately on claims-based authentication [CBA] (Microsoft implementation - AFAIK based on WS-Federation/WS-Trust). The previous discussions about OAuth and its limitations came to mind immediately - CBA seems to resolve the issues that we discussed (it is not tied to the web).

For those who are not familiar with it; it basically is an identity that consists of one or more claims. For example a Jabber claim might look like this:

JID: jonathand at jabber.org
UPN: jonathand at jabber.org
Name: Jonathan Dickinson from VCard
etc.

In this scenario jabber.org is the sole issuer. This identity (and it's claims) can be passed to other issuers so that they can fill in the blanks. For instance, if I were to start off with a X509 claim:

Thumbprint: BCF189...
Name: CN=jonathand...

I could send it to my internal JID issuer and land up with the following:

Thumbprint: BCF189...
Name: CN=jonathand...
JID: jonathand at jabber.org
UPN: jonathand at jabber.org

The idea of a claim is that you can use that claim to authenticate with SSO capabilities (this works particularly well with the Microsoft implementation of it). I could authenticate against a server using SQL-orientated credentials (e.g. PLAIN) - with appropriate translation components in place I could pick up my SAP creds, Windows creds and HTTP creds without the user having to enter them in. The whole exchange occurs using XML (primarily SAML).

The XML is where the problem lies - SASL dictates that the contents be base64-encoded. While this is perfectly valid it just feels plain wrong. After thinking about it (less than I should - but here goes):

<stream:features>
     <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
       <required/>
     </starttls>
     <federation xmlns='http://schemas.xmlsoap.org/ws/2006/12/federation' />
     <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
       <mechanism>DIGEST-MD5</mechanism>
       <mechanism>PLAIN</mechanism>
     </mechanisms>
   </stream:features>

The WS-Federation SignOn exchange could then be done via <federation> tags. Obviously one would need to be careful around namespace prefix conflicts etc. - but nothing too hairy.

Ideas/thoughts?

-- 
Jonathan Dickinson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.jabber.org/jdev/attachments/20100531/3045b049/attachment.htm>

More information about the JDev mailing list