Browse by Tags
All Tags » infocard (RSS)
-
The power of bookmarklets is still to be seen in many situations. Consider the "Where Are You From?" (WAYF) problem, a common issue with federation technologies. The simple question of where to send the user to complete a federated authentication is one of the more complicated and error-prone issues in identity federation. The key metrics for any WAYF solution are that the user should have the opportunity to choose any relevant identity context and the process should be hard for an RP to subvert. Read More...
|
-
Something we've been working on is the ability to create a web-based card selector which will work in situations where a full card selector is not available or appropriate. Since selectors are not yet ubiquitous and are inappropriate in many tactical situations, we are working on using an HTML5-based approach to enable an Infocard/CardSpace-based enterprise to work with standard web browsers. The major changes in HTML5 which allow for this to occur are offline caching (HTML Manifest), the navigator.registerProtocolHandler Read More...
|
-
Anders Lundgren from RSA Labs just forwarded me a link to a Nokia research paper that describes an implementation of the Bandit's project architecture on mobile devices. Too bad my attempts to contact Nokia regarding the Identity Metasystem failed. I tried to contact them right after Catalyst Barcelona but replies remained vague and dried out soon. I think that mobiles are THE target for information cards. Maybe somebody from Nokia reading identity blogs reads this and we work together? I think Read More...
|
-
I’ll be at RSA Conference next week participating in the following events.
Concordia
What: The current goal is to demonstrate that SAML, WS-Fed and Information cards can co-exist and some of the use cases where it makes sense. For instance, if you already have a federation setup (using SAML or WS-Fed), you can leverage Information Cards as [...] Read More...
|
-
I wrote an entry on Tuesday about CardSpace as a Password Manager. Kim responded with a request: "I’d like to hear Pat’s ideas about the user experience of bootstrapping the passwords into the Identity Provider." Well, I see this happening at the relying party (RP) - if you already had an account there you would go to some 'change password' page containing the information card 'script' to invoke the identity selector and proceed as I detailed in the earlier post. When the identity provider (IP/STS) Read More...
|
-
Superpat posted here that there is now a new opensso extension that enables opensso to be an information card relying party. Patrick Petit (pictured) who wrote this extension uses the xmldap library to process the xmltoken. Great. Note to self: be careful when changing the xmldap codebase. Don't break this opensso extension. Another (simpler) SUN access manager login module is described here. I am glad that Patrick improved my demo-grade login module to opensso quality. Thank you. Read More...
|
-
You might have noticed the exchange between Ben and Kim over the past day or two... Ben made a point that CardSpace makes OpenID redundant - why not just send a password to the RP? Kim jumped all over him - somewhat misinterpreting what Ben later describes as one of my most diabolical hungover bits of prose ever. Ben goes on to clarify that maybe CardSpace can have a role in helping the user manage passwords; Kim says "Hmm... Food for thought" (okay, I'm paraphrasing); Ben admits he didn't explain Read More...
|
-
A while back I spent some time researching into several strong authentication methods that are available in the online world. In order to get real user experience, I ended up creating online accounts with several banks and financial institutions. I got to try out various methods including OTP, biometrics, device fingerprinting etc. However, I [...] Read More...
|
-
I'm glad to see that I'm not the only one out there battling various Cardspace bugs and quirks. I'm shocked that I hadn't seen her blog earlier. As the shepherd of the Pamelaware module, maybe she can focus a bit of effort in quashing the bugs in that code which were inherited from Kim's implementation. Read More...
|
-
OpenSAML (to include Apache Xmlsec) and the PHP RP seem to disagree about what to do with unused namespaces during canonicalization. Xmlsec strips out the namespace declaration, whereas the PHP keeps it in. Looking at the spec, I'm going to side with Xmlsec. Raw XML: <attribute xsd="http://www.w3.org/2001/XMLSchema" xsi="http://www.w3.org/2001/XMLSchema-instance" attributename="surname" attributenamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><attributevalue>MyLastName</attributevalue></attribute> Read More...
|
-
Ah. Sweet success. Finally. An InfoCard compliant STS which issues credentials from an LDAP backend based on X509 credentials. A pursuit which was wonderfully enlightening, painfully tedious, and maddening at times. Thanks to an idiotic obsession to complete this thing and some limited help received from a Java PingIdentity guy on the MSDN forums about proper certificate hashing (!), I've got a working proof of concept based on the work of the XMLDAP work. As I close the compiler and take a few Read More...
|
-
Ashish Jain announced the release of the Apache CardSpace Module today in his blog. I'm really happy to hear that. Together with the Firefox 3.0 adoption of the spec, there should be plenty of tools to start piecing together some really interesting solutions. But where is the bigger fish (IMO), the open-source STS? There is apparently some interest judging from the comments on his blog, but emails requesting access have thus far been dismissed. Or maybe it's just my emails. Read More...
|
-
I'm still having fun in my IDP quest. I've successfully navigated the X509V3Credential issue thanks to some help from the MSDN board and despite some apparently bad or outdated MS doco. What does that mean? I'm accepting requested along with a client certificate (which I trust), which is then included into the card I issue. When the user selects the card, the CardSpace client will retrieve the certificate from the appropriate store and use it for authentication back to the IDP. The IDP will retrieve Read More...
|
-
So I've got a working STS based on the work provided by the XMLDAP code - great work by the way. Issuing card and pulling user info from an LDAP, I'm really happy about how things are coming together. Now if I can just get X509 authentication working. I've hit a few issues along the way, but the cards are kinda working now - they're at least importing correctly. I'm issuing cards with X509Credential identified with a SHA-1 hash of the certificate I want to use, but the Windows CardSpace client goes Read More...
|
-
Kevin Miller's new Firefox plugin wraps the native Windows CardSpace identity selector, and in the process provides a great card parsing implementation. Since Kevin was kind enough to implement a plugin framework, I figured I'd take advantage and added plugin support to the xmldap selector. If you pick up the latest version of the plugin (requires Java 1.5 on your system) you will now find a new Identity Selector option in your preferences. If you have both Kevin's and my extension installed, and you're Read More...