I changed the openinfocard id selector and the xmldap idp to make it easier to install managed cards.
Let's say you visit an IdP you trust and have logged into its service using username and password. In fact, the choice of authentication method might influence the rest of this scenario.
After authentication you are presented with the list of your current cards:
Formerly you were presented with a list of links that you could click; you had to save the .crd file to disk and then open the id selector of your choice to import the card.
Now, having noticed the column of little icons, you can invoke the id selector directly. Let's say you click on one of these icons (screenshot 20071018xmldap):
The new card wizard of the openinfocard id selector has opened and the card is retrieved from the URL that was delivered to the id selector.
After this you are (currently) taken back to the page that shows the list of your cards, and you might now open the id selector to verify that the new card was imported (screenshot 20071018xmldap):
Well, how does this work? I use a special token type "urn:oasis:names:tc:IC:1.0:managedcard" that tells the openinfocard id selector to use the value of the "issuer" parameter to retrieve and import the card.
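To make the mechanism concrete, here is an added example (not code from openinfocard or the xmldap IdP) of both sides of that invocation: the IdP page emitting an Information Card object element for one card icon, and a selector deciding what to do with the tokenType and issuer parameters it receives. The host name and the https requirement are assumptions of this example.

```javascript
// Added example, not from the openinfocard project: how an IdP page can invoke
// the id selector for a managed card, and how a selector could interpret it.
// "tokenType" and "issuer" follow the Information Card <object> convention;
// the managed-card token type is the one described in the post.
const MANAGED_CARD_TOKENTYPE = "urn:oasis:names:tc:IC:1.0:managedcard";

// IdP side: build the <object> element a page would emit for one card icon.
// cardUrl is where the selector retrieves the .crd file from (hypothetical host).
function buildManagedCardInvocation(cardUrl) {
  const esc = (s) =>
    s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  return (
    '<object type="application/x-informationcard" name="xmlToken">' +
    `<param name="tokenType" value="${esc(MANAGED_CARD_TOKENTYPE)}">` +
    `<param name="issuer" value="${esc(cardUrl)}">` +
    "</object>"
  );
}

// Selector side: decide what to do with the parameters of an invocation.
// Returns { action: "import", cardUrl } for a managed-card import,
// { action: "token" } for an ordinary token request, or
// { action: "reject", reason } when the import would be unsafe.
function interpretInvocation(params) {
  if (params.tokenType !== MANAGED_CARD_TOKENTYPE) {
    return { action: "token" };
  }
  let url;
  try {
    url = new URL(params.issuer);
  } catch (e) {
    return { action: "reject", reason: "issuer is not a URL" };
  }
  // Assumption added here: the card file is fetched from the issuer URL, so
  // insist on https; a card fetched over plain http could be swapped in transit.
  if (url.protocol !== "https:") {
    return { action: "reject", reason: "issuer must be https" };
  }
  return { action: "import", cardUrl: url.href };
}
```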
There might be better ways to do it and there is a precondition here that I did not mention. Do you see it?
Back to the IdP authentication... Instead of username and password, an IdP might allow authentication with a self-issued card, and that card could then be used for authentication when the managed card is used to provide claims to a relying party!
(More preconditions here... Find them and discuss them either here on this blog or here.)