
shibboleth-dev - infocard investigations

Subject: Shibboleth Developers

  • From: Jim Fox <>
  • To:
  • Subject: infocard investigations
  • Date: Thu, 3 Apr 2008 14:06:38 -0700 (PDT)


In Monday's call I said I'd look into some directions
for the infocard plugin. They go something like:

1) Different ways to authenticate.

The extension uses id and password, through JAAS. Other
possibilities include Kerberos, X509 certificate, and
self-issued card.

a. A Kerberos authn would give the user's principal name
directly. Not clear to me what percentage of
our population has Kerberos on their workstations.

b. A certificate authn gives the IdP the certificate,
from which, if the IdP was sufficiently in cahoots
with the issuing CA, it could directly extract the
principal name. This could be a security improvement,
as one could be stored on a USB token and used like a key.

c. The self-issued card gives the IdP the equivalent of
an ePTID. The IdP would have to look up the user's
principal name from a database - could be LDAP.
This might be a convenience to the user, but most
users would likely not protect their self card with
a password - making a lost laptop more likely a lost
identity.

2) Allow infocard authn to the IdP.

The obvious way to do this at Univ of Washington is to
put an infocard-shib SP on our pubcookie servers. That
way all university SSO login can be done with infocard,
not just the shib ones. However, that wouldn't work
with non-Apache SSO sites.

Another possibility is to allow a shib IdP to request an
infocard login directly, as an alternative to the username
and password form it comes with now.


Jim
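The certificate option (1b) above turns on one condition: the IdP may take the principal name straight out of the certificate only if it trusts the CA that put it there. The following is an added illustration of that check, not code from the post or from the Shibboleth project. It uses only the Go standard library: it constructs a "campus" CA and a "stranger" CA in memory, issues a card certificate from each carrying the same rfc822Name, and shows that the IdP-side lookup yields the principal for the campus-issued card and refuses the other one. The CA names, the principal `jfox@example.edu`, and the choice of the e-mail SAN as the principal field are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caTemplate describes a minimal CA certificate (constructed for the example).
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// userTemplate describes a client-auth certificate whose rfc822Name SAN is the
// principal the IdP wants (assumption: the CA's naming policy puts it there).
func userTemplate(email string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: "card holder"},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// issueCert signs tmpl with parentKey; with parent == nil it is self-signed.
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// principalFromCert is the IdP-side step: verify the chain against the CAs the
// IdP is "in cahoots with" first, and only then read the principal name out.
func principalFromCert(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if len(cert.EmailAddresses) != 1 {
		return "", errors.New("certificate does not carry exactly one principal name")
	}
	return cert.EmailAddresses[0], nil
}

// Outcome collects what the IdP decided for the two constructed cards.
type Outcome struct {
	Principal    string // name extracted from the campus-issued card
	UntrustedErr error  // error for the card issued by the stranger CA
}

// runScenario builds both CAs, issues one card from each, and runs the IdP check.
func runScenario() (Outcome, error) {
	campusCA, campusKey, err := issueCert(caTemplate("Campus Card CA (constructed)"), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	strangerCA, strangerKey, err := issueCert(caTemplate("Some Other CA (constructed)"), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(campusCA) // the only CA the IdP trusts to name principals

	good, _, err := issueCert(userTemplate("jfox@example.edu"), campusCA, campusKey)
	if err != nil {
		return Outcome{}, err
	}
	bad, _, err := issueCert(userTemplate("jfox@example.edu"), strangerCA, strangerKey)
	if err != nil {
		return Outcome{}, err
	}
	principal, err := principalFromCert(good, roots)
	if err != nil {
		return Outcome{}, err
	}
	_, badErr := principalFromCert(bad, roots)
	return Outcome{Principal: principal, UntrustedErr: badErr}, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("campus-issued card maps to principal:", out.Principal)
	fmt.Println("stranger-issued card rejected:", out.UntrustedErr)
}
```

The point the example makes is that the same SAN string is present in both certificates; what makes it usable as a principal is the chain check to a CA whose naming policy the IdP relies on, which is why `principalFromCert` refuses to read the name before `Verify` succeeds.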



