[jdev] Claims-based Authentication

Peter Saint-Andre stpeter at stpeter.im
Thu Jun 3 08:41:25 CDT 2010

1. Is there a compelling use case for this?

2. Why wouldn't the WS-* folks define a new SASL mechanism?

On 5/31/10 8:18 AM, Jonathan Dickinson wrote:
> Hi All,
> I have been doing some research lately on claims-based authentication
> [CBA] (Microsoft implementation - AFAIK based on WS-Federation/WS-Trust
> <http://en.wikipedia.org/wiki/WS-Federation>). The previous discussions
> about OAuth and its limitations came to mind immediately - CBA seems to
> resolve the issues that we discussed (it is not tied to the web).
> For those who are not familiar with it, it basically is an identity that
> consists of one or more claims. For example a Jabber claim might look
> like this:
> JID: jonathand at jabber.org
> UPN: jonathand at jabber.org
> Name: Jonathan Dickinson /from VCard/
> etc.
> In this scenario jabber.org is the sole /issuer/. This identity (and
> its claims) can be passed to other issuers so that they can fill in the
> blanks. For instance, if I were to start off with a X509 claim:
> Thumbprint: BCF189...
> Name: CN=jonathand...
> I could send it to my internal JID issuer and land up with the following:
> Thumbprint: BCF189...
> Name: CN=jonathand...
> JID: jonathand at jabber.org
> UPN: jonathand at jabber.org
> The idea of a claim is that you can use that claim to authenticate with
> SSO capabilities (this works particularly well with the Microsoft
> implementation of it). I could authenticate against a server using
> SQL-orientated credentials (e.g. PLAIN) - with appropriate translation
> components in place I could pick up my SAP creds, Windows creds and HTTP
> creds without the user having to enter them in. The whole exchange
> occurs using XML (primarily SAML).
> The XML is where the problem lies - SASL dictates that the contents be
> base64-encoded. While this is perfectly valid it just feels plain wrong.
> After thinking about it (less than I should - but here goes):
> <stream:features>
>      <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
>        <required/>
>      </starttls>
>      <federation xmlns='http://schemas.xmlsoap.org/ws/2006/12/federation' />
>      <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
>        <mechanism>DIGEST-MD5</mechanism>
>        <mechanism>PLAIN</mechanism>
>      </mechanisms>
>    </stream:features>
> The WS-Federation SignOn exchange could then be done via <federation>
> tags. Obviously one would need to be careful around namespace prefix
> conflicts etc. - but nothing too hairy.
> Ideas/thoughts?
> -- 
> Jonathan Dickinson
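The issuer chaining Jonathan describes (an X509 claim set handed to a JID issuer, which adds JID and UPN claims) is modelled below, together with the base64 wrapping SASL would impose on the resulting XML. This is an added example, not code from the thread or from any WS-Trust implementation: the issuer names, keys, thumbprint directory and the HMAC stand-in for an issuer's XML signature are all constructed. The relying-party side, `verify`, checks that every claim in the token is covered by a signature from a known issuer, so a claim appended without an issuer's signature or a claim altered after issuance is rejected rather than silently trusted.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer signing keys. In WS-Trust each issuer signs its SAML
# assertion with an X.509 certificate; a keyed MAC stands in for that here.
ISSUER_KEYS = {
    "corp-pki": b"constructed-key-for-the-x509-issuer",
    "jabber.org": b"constructed-key-for-the-jid-issuer",
}

# Constructed directory the JID issuer uses to "fill in the blanks".
THUMBPRINT_TO_JID = {"BCF189-constructed": "jonathand@jabber.org"}


def _mac(issuer, claims):
    """MAC over a canonical encoding of exactly the claims one issuer asserts."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).hexdigest()


def issue(issuer, new_claims, token=None):
    """Start a token or extend one: add new_claims and sign only those as issuer."""
    claims = dict(token["claims"]) if token else {}
    sigs = list(token["signatures"]) if token else []
    if any(name in claims for name in new_claims):
        raise ValueError("an issuer may not overwrite another issuer's claim")
    claims.update(new_claims)
    sigs.append({"issuer": issuer, "names": sorted(new_claims),
                 "mac": _mac(issuer, new_claims)})
    return {"claims": claims, "signatures": sigs}


def verify(token):
    """Return {claim_name: issuer}; reject unknown issuers, bad MACs and unsigned claims."""
    attributed = {}
    for sig in token["signatures"]:
        if sig["issuer"] not in ISSUER_KEYS:
            raise ValueError("unknown issuer " + sig["issuer"])
        subset = {name: token["claims"][name] for name in sig["names"]}
        if not hmac.compare_digest(_mac(sig["issuer"], subset), sig["mac"]):
            raise ValueError("bad signature from " + sig["issuer"])
        for name in sig["names"]:
            attributed[name] = sig["issuer"]
    unsigned = set(token["claims"]) - set(attributed)
    if unsigned:
        raise ValueError("unsigned claims present: " + ", ".join(sorted(unsigned)))
    return attributed


def jid_issuer(token):
    """jabber.org verifies the incoming X509 token, then adds JID and UPN claims."""
    origin = verify(token)
    if origin.get("Thumbprint") != "corp-pki":
        raise ValueError("Thumbprint claim was not issued by the trusted PKI")
    jid = THUMBPRINT_TO_JID[token["claims"]["Thumbprint"]]
    return issue("jabber.org", {"JID": jid, "UPN": jid}, token)


def sasl_wrap(xml_token):
    """SASL carries the token as base64 text, which is the part of the proposal the post objects to."""
    return base64.b64encode(xml_token.encode()).decode()


def demo():
    """Walk the chain from the post: X509 claims in, JID/UPN claims out, then verify."""
    x509 = issue("corp-pki", {"Thumbprint": "BCF189-constructed", "Name": "CN=jonathand"})
    full = jid_issuer(x509)
    return full, verify(full)


if __name__ == "__main__":
    token, origin = demo()
    for name, value in token["claims"].items():
        print(f"{name}: {value}  (issued by {origin[name]})")
    print(sasl_wrap("<saml:Assertion>...</saml:Assertion>"))
```

The per-issuer signature is what makes chaining safe: the second issuer cannot quietly rewrite claims the first one asserted, and the relying party can tell which issuer stands behind each claim before it grants SSO access on the strength of it.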
