<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=text/html;charset=iso-8859-1 http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16535"></HEAD>
<BODY style="PADDING-LEFT: 10px; PADDING-RIGHT: 10px; PADDING-TOP: 15px"
id=MailContainerBody leftMargin=0 topMargin=0 CanvasTabStop="true"
name="Compose message area">
<DIV><FONT size=2 face=Arial>Hi All,</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>I have been doing some research lately on
claims-based authentication [CBA] (Microsoft implementation - AFAIK based
on <A href="http://en.wikipedia.org/wiki/WS-Federation">WS-Federation/WS-Trust</A>).
The previous discussions about OAuth and its limitations came to mind
immediately - CBA seems to resolve the issues that we discussed (it is not tied
to the web).</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>For those who are not familiar with it, it is
basically an identity that consists of one or more claims, each a statement about
the subject made by some issuer. For example a Jabber claim set might look like
this:</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>JID: jonathand@jabber.org</FONT></DIV>
<DIV><FONT size=2 face=Arial>UPN: jonathand@jabber.org</FONT></DIV>
<DIV><FONT size=2 face=Arial>Name: Jonathan Dickinson <EM>from
VCard</EM></FONT></DIV>
<DIV><FONT size=2 face=Arial>etc.</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>In this scenario jabber.org is the sole
<EM>issuer</EM>. This identity (and its claims) can be passed to other issuers
so that they can fill in the blanks. For instance, if I were to start off with an
X509 claim:</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>Thumbprint: BCF189...</FONT></DIV>
<DIV><FONT size=2 face=Arial>Name: CN=jonathand...</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>I could send it to my internal JID issuer and end
up with the following:</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>
<DIV><FONT size=2 face=Arial>Thumbprint: BCF189...</FONT></DIV>
<DIV><FONT size=2 face=Arial>Name: CN=jonathand...</FONT></DIV>
<DIV>
<DIV><FONT size=2 face=Arial>JID: jonathand@jabber.org</FONT></DIV>
<DIV><FONT size=2 face=Arial>UPN:
jonathand@jabber.org</FONT></DIV></DIV></FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>The point of claims is that they can be used to
authenticate with SSO capabilities (this works particularly well with the
Microsoft implementation of it). I could authenticate against a server using
SASL-oriented credentials (e.g. PLAIN) - with appropriate translation
components in place I could pick up my SAP creds, Windows creds and HTTP
creds without the user having to enter them in. The whole exchange occurs
using XML (primarily SAML tokens).</FONT></DIV>
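<DIV><FONT size=2 face=Arial>As an added example (not code from this mail, and not
from any Microsoft or WIF library), the chaining above in Python: a hypothetical
first issuer turns a client certificate into thumbprint and subject claims, a
hypothetical internal JID issuer fills in the JID and UPN, and the relying party
keeps a claim only if its issuer is trusted for that claim type. The claim type
names, issuer names, directory contents and certificate bytes are all constructed
for the example; the check at the end is the part a relying party must not skip,
since any issuer in the chain can otherwise assert a JID or UPN it has no
authority over.</FONT></DIV>

```python
"""Claims identity with issuer chaining and per-type issuer trust (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Claim:
    """One statement about the subject: what kind, what value, and who said it."""
    type: str
    value: str
    issuer: str


class ClaimsIdentity:
    """An identity is just a bag of claims; the issuer stays attached to each one."""

    def __init__(self, claims: Iterable[Claim] = ()):
        self.claims: List[Claim] = list(claims)

    def values(self, claim_type: str) -> List[str]:
        return [c.value for c in self.claims if c.type == claim_type]


# Hypothetical claim type names (WIF uses URIs; short names keep the example readable).
X509_THUMBPRINT = "x509thumbprint"
X509_NAME = "x509name"
JID = "jid"
UPN = "upn"

# Hypothetical issuer names.
CA_ISSUER = "internal-ca"
JID_ISSUER = "internal-jid-issuer"

# Constructed: stand-in certificate bytes and their SHA-1 thumbprint
# (the thumbprint in the mail is elided, so one is computed over made-up bytes).
FAKE_CERT_DER = b"constructed DER bytes for CN=jonathand"
THUMBPRINT = hashlib.sha1(FAKE_CERT_DER).hexdigest().upper()

# Constructed directory the JID issuer consults: thumbprint -> (JID, UPN).
DIRECTORY: Dict[str, Tuple[str, str]] = {
    THUMBPRINT: ("jonathand@jabber.org", "jonathand@jabber.org"),
}


def x509_issuer(cert_der: bytes, subject_cn: str) -> ClaimsIdentity:
    """Hypothetical first issuer: a client certificate becomes thumbprint and subject claims."""
    thumb = hashlib.sha1(cert_der).hexdigest().upper()
    return ClaimsIdentity([
        Claim(X509_THUMBPRINT, thumb, CA_ISSUER),
        Claim(X509_NAME, f"CN={subject_cn}", CA_ISSUER),
    ])


def jid_issuer(incoming: ClaimsIdentity, trusted_for_thumbprint: Set[str]) -> ClaimsIdentity:
    """Hypothetical second issuer: fills in JID/UPN from a thumbprint claim.

    It only acts on a thumbprint claim whose issuer it trusts, and passes the
    incoming claims through untouched so the relying party still sees who said what.
    """
    out = ClaimsIdentity(incoming.claims)
    for c in incoming.claims:
        if c.type == X509_THUMBPRINT and c.issuer in trusted_for_thumbprint and c.value in DIRECTORY:
            jid, upn = DIRECTORY[c.value]
            out.claims.append(Claim(JID, jid, JID_ISSUER))
            out.claims.append(Claim(UPN, upn, JID_ISSUER))
    return out


def filter_for_relying_party(identity: ClaimsIdentity,
                             policy: Dict[str, Set[str]]) -> Tuple[ClaimsIdentity, List[Claim]]:
    """Relying-party side: keep a claim only if its issuer is trusted for that claim type.

    Returns (accepted identity, rejected claims).
    """
    accepted, rejected = [], []
    for c in identity.claims:
        if c.issuer in policy.get(c.type, set()):
            accepted.append(c)
        else:
            rejected.append(c)
    return ClaimsIdentity(accepted), rejected


def demo() -> Tuple[ClaimsIdentity, List[Claim]]:
    ident = x509_issuer(FAKE_CERT_DER, "jonathand")
    ident = jid_issuer(ident, trusted_for_thumbprint={CA_ISSUER})
    # Constructed: a UPN asserted by the CA issuer, which is not authoritative for UPNs.
    ident.claims.append(Claim(UPN, "admin@corp.example", CA_ISSUER))
    policy = {
        X509_THUMBPRINT: {CA_ISSUER},
        X509_NAME: {CA_ISSUER},
        JID: {JID_ISSUER},
        UPN: {JID_ISSUER},
    }
    return filter_for_relying_party(ident, policy)


if __name__ == "__main__":
    accepted, rejected = demo()
    for c in accepted.claims:
        print(f"{c.type}: {c.value}  (issuer={c.issuer})")
    print("rejected:", [(c.type, c.value, c.issuer) for c in rejected])
```

<DIV><FONT size=2 face=Arial>The policy is keyed by claim type on purpose: trusting
an issuer at all is not the same as trusting it for a given claim, and the second
issuer's output is only as good as the thumbprint claim it was fed, so it too checks
who issued that.</FONT></DIV>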
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>The XML is where the problem lies - SASL as carried
in XMPP dictates that the exchange contents be base64-encoded. While this is
perfectly valid it just feels plain wrong. After thinking about it (less than I
should - but here goes):</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial><stream:features><BR>
<starttls
xmlns='urn:ietf:params:xml:ns:xmpp-tls'><BR>
<required/><BR> </starttls></FONT></DIV>
<DIV><FONT size=2 face=Arial> <federation
xmlns='http://schemas.xmlsoap.org/ws/2006/12/federation'
/><BR> <mechanisms
xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><BR>
<mechanism>DIGEST-MD5</mechanism><BR>
<mechanism>PLAIN</mechanism><BR>
</mechanisms></FONT><FONT size=2 face=Arial><BR>
</stream:features></FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>The WS-Federation SignOn exchange could then be
done via <federation> tags. Obviously one would need to be careful around
namespace prefix conflicts etc. - but nothing too hairy.</FONT></DIV>
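<DIV><FONT size=2 face=Arial>As an added example (not code from this mail and not
from any XMPP server or client), the proposal above in Python: the
<stream:features> from the mail built namespace-aware, a client that
detects the federation feature by namespace URI rather than by prefix or bare
element name, and the two ways of carrying the XML token, base64 inside a SASL
<auth/> versus inline as a child of <federation/>. The SAML assertion
is a constructed, unsigned stand-in, the SASL mechanism name X-WSFED-TOKEN is
hypothetical, and the prefixes chosen for output are cosmetic; the feature element,
WS-Federation namespace and XMPP namespaces are the ones from the mail and RFC 3920.</FONT></DIV>

```python
"""XMPP stream features with a federation feature, and SASL-base64 versus inline
carriage of an XML token (added example)."""
import base64
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"              # XMPP stream namespace
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_FED = "http://schemas.xmlsoap.org/ws/2006/12/federation"  # WS-Federation 1.1
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Output prefixes only; real servers usually declare the feature namespaces as defaults.
for prefix, uri in (("stream", NS_STREAM), ("tls", NS_TLS), ("sasl", NS_SASL),
                    ("fed", NS_FED), ("saml", NS_SAML)):
    ET.register_namespace(prefix, uri)

# Constructed stand-in for a SAML assertion; a real one carries a Signature element.
TOKEN_XML = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1">'
    b'<saml:AttributeStatement><saml:Attribute Name="jid">'
    b'<saml:AttributeValue>jonathand@jabber.org</saml:AttributeValue>'
    b'</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)


def build_features(advertise_federation: bool) -> bytes:
    """Server side: the <stream:features/> from the mail, with STARTTLS required."""
    feats = ET.Element(f"{{{NS_STREAM}}}features")
    tls = ET.SubElement(feats, f"{{{NS_TLS}}}starttls")
    ET.SubElement(tls, f"{{{NS_TLS}}}required")
    if advertise_federation:
        ET.SubElement(feats, f"{{{NS_FED}}}federation")
    mechs = ET.SubElement(feats, f"{{{NS_SASL}}}mechanisms")
    for m in ("DIGEST-MD5", "PLAIN"):
        ET.SubElement(mechs, f"{{{NS_SASL}}}mechanism").text = m
    return ET.tostring(feats)


def features_offered(features_xml: bytes) -> dict:
    """Client side: match features by namespace URI, never by prefix or local name.

    A <federation/> in some other namespace is not the feature, whatever it is called.
    """
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a stream features element")
    return {
        "starttls_required": root.find(f"{{{NS_TLS}}}starttls/{{{NS_TLS}}}required") is not None,
        "federation": root.find(f"{{{NS_FED}}}federation") is not None,
        "mechanisms": [m.text for m in
                       root.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")],
    }


def sasl_wrap(token_xml: bytes, mechanism: str = "X-WSFED-TOKEN") -> bytes:
    """The SASL route the mail objects to: the whole token goes base64 into <auth/>.
    The mechanism name is hypothetical."""
    auth = ET.Element(f"{{{NS_SASL}}}auth", mechanism=mechanism)
    auth.text = base64.b64encode(token_xml).decode("ascii")
    return ET.tostring(auth)


def sasl_unwrap(auth_xml: bytes) -> bytes:
    auth = ET.fromstring(auth_xml)
    if auth.tag != f"{{{NS_SASL}}}auth":
        raise ValueError("not a SASL auth element")
    return base64.b64decode(auth.text or "", validate=True)


def inline_wrap(token_xml: bytes) -> bytes:
    """The proposed route: the token rides as a child of <federation/> in the stream.
    Parsing and re-serialising lets the XML library own the prefixes, which is what
    keeps the token's prefixes from clashing with the stream's."""
    fed = ET.Element(f"{{{NS_FED}}}federation")
    fed.append(ET.fromstring(token_xml))
    return ET.tostring(fed)


def inline_unwrap(fed_xml: bytes) -> ET.Element:
    fed = ET.fromstring(fed_xml)
    if fed.tag != f"{{{NS_FED}}}federation":
        raise ValueError("not a federation element")
    token = fed.find(f"{{{NS_SAML}}}Assertion")
    if token is None:
        raise ValueError("no assertion inside federation element")
    return token


def assertion_jid(assertion: ET.Element) -> str:
    """Pull the jid attribute value out of the (constructed) assertion."""
    for attr in assertion.iterfind(f".//{{{NS_SAML}}}Attribute"):
        if attr.get("Name") == "jid":
            return attr.findtext(f"{{{NS_SAML}}}AttributeValue") or ""
    return ""


def base64_overhead() -> float:
    """Base64 spends 4 bytes per 3, so the SASL route costs about a third extra."""
    return len(base64.b64encode(TOKEN_XML)) / len(TOKEN_XML)


if __name__ == "__main__":
    print(build_features(True).decode())
    print(features_offered(build_features(True)))
    print(sasl_wrap(TOKEN_XML).decode())
    print(inline_wrap(TOKEN_XML).decode())
    print(f"base64 overhead: {base64_overhead():.2f}x")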
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>Ideas/thoughts?</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>-- <BR>Jonathan
Dickinson</FONT></DIV></BODY></HTML>