Tuesday, November 25, 2008

java again

I got a new computer and tried the openinfocard id selector with it; but Boom the Java code did not run. Hm, I forgot to install a new version. Preinstalled was some Java 1.4 version... I installed Java 1.6 update 10 and tried again, but again it failed. Ahh, the new java plugin for Firefox hit me again.
Error calling method on NPObject! [plugin exception: java.security.AccessControlException: access denied (java.security.SecurityPermission getPolicy)]

I had to set HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_10\UseNewJavaPlugin from 1 to 0 to disable the new plugin.

After that the openinfocard selector worked again.

Sun promised to fix this in Java 1.6 update 12 but there is no early access version available...
Another bug in the new plugin is that it does not implement the instanceof operator for Java objects.

Kenneth from Sun suggested a workaround: I have to change
if (!(bootstrapClassLoader instanceof java.net.URLClassLoader)) {
to
if (!(bootstrapClassLoader.getClass().isInstance(java.lang.Class.forName("java.net.URLClassLoader")))) {

For this bug there is not even a promise to fix it... Well, thank you SUN for making my life interesting; NOT.

Friday, November 21, 2008

Information Cards for Google Apps

Information Cards are an industry standard that enable people to maintain a set of personal digital identities.
Information Cards are like cards in your wallet. Each one defines a relationship between you (the cardholder) and the card issuer (the identity provider). They provide a way to transfer claims/attributes from the identity provider to a relying party. Information Card selectors are available for all major operating systems and major browsers. To learn more about Information Cards please visit the Information Card Foundation.

Having provided support for "SAML Single Sign-On (SSO) Service for Google Apps" not so long ago, Google is now proud to present support for Information Cards for Google Apps.
The step from "SAML Single Sign-On (SSO) Service for Google Apps" to Information Card support is actually quite small. This is due to the fact that all Information Card selectors are token agnostic, that is, they don't care which type of token is transferred from the identity provider to the relying party. Therefore we chose to use SAML assertions, which are used in "SAML Single Sign-On (SSO) Service for Google Apps" too.

Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. Using SAML, an online service provider can contact a separate online identity provider to authenticate users who are trying to access secure content.

Google Apps offers an Information Card based claims transfer that provides partner companies with full control over the authorization and authentication of hosted user accounts that can access web-based applications like Gmail or Google Calendar. Using the Information Card model, Google acts as the relying party and provides services such as Gmail and Start Pages. Google partners act as identity providers and control credentials and other information (claims/attributes) used to identify, authenticate and authorize users for web applications that Google hosts. Google wants to point out that it is hard to overestimate the security gains for our partners. By using the authentication methods implemented in, e.g., Windows CardSpace, partners can use Kerberos, X509 and self-issued cards to authenticate the user to the security token server, thereby leveraging existing corporate infrastructure to access Google Apps through this new service.

There are a number of existing open source and commercial identity provider solutions that can help you implement Information Cards with Google Apps.
It is important to note that the SSO solution only applies to web applications. If you want to enable your users to access Google services with desktop clients such as Outlook—for example, Outlook would provide POP access to Gmail—you will still need to provide your users with usable passwords and synchronize those passwords with your internal user database using the Provisioning API.

The Google Apps with Information Card is based on the "Identity Selector Interoperability Profile V1.5". Information Cards are supported by several widely known vendors. Visit the Information Card Foundation to learn more.

Understanding Information Card based usage of Google Apps

The following process explains how a user logs into a hosted Google application through a partner-operated identity provider service.

Figure 1: Logging in to Google Apps using Information Cards

This image illustrates the following steps.
  1. The user attempts to reach a hosted Google application, such as Gmail, Start Pages, or another Google service.
    Google presents a page with the purple-i that denotes that Information Cards can be used here. The RelayState parameter containing the encoded URL of the Google application that the user is trying to reach is transferred to the Google ACS as a form parameter. This RelayState parameter is not transferred to the partner. Each Google app requests at least one claim that is identical to the application's base URL, e.g. "http://calendar.parityapps.com/".
  2. The user clicks the purple-i icon.
  3. The card selector starts and the user selects her information card, e.g. the managed card issued by Parity. The card selector sends the security token request to the partner.
  4. The partner parses the request and authenticates the user using one of the supported authentication methods: Kerberos, X509 certificate, self-issued card or username and password.
  5. Partner generates SAML assertion (security token).
  6. The browser posts the security token and the other form element's values to the Google ACS
  7. Google's ACS verifies the SAML response using the partner's public key. If the response is successfully verified, ACS redirects the user to the destination URL.
  8. The user has been redirected to the destination URL and is logged in to Google Apps.

I hope to read an announcement like the fake one above by Google soon ;-)
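The ACS-side checks from steps 1, 6 and 7 above, as an added sketch that is not Google's or openinfocard's code. Assumptions: a signed JSON blob stands in for the SAML assertion (no XML signature processing), the key pair and user are constructed, and `issueToken`, `acsHandle` and the `notOnOrAfter` field are hypothetical names.

```javascript
const crypto = require("node:crypto");

// Constructed partner key pair; the ACS would only ever hold the public half.
const partner = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const APP = "http://calendar.parityapps.com/"; // example base URL from the text

// Partner side (steps 4-5): issue a signed token after authenticating the user.
function issueToken(privateKey, user, claims) {
  const body = JSON.stringify({ user, claims, notOnOrAfter: Date.now() + 300000 });
  const sig = crypto.sign("sha256", Buffer.from(body), privateKey).toString("base64");
  return { body, sig };
}

// ACS side (step 7): signature first, then validity, claim and redirect target.
function acsHandle(token, relayState, appBaseUrl, partnerPublicKey) {
  const ok = crypto.verify("sha256", Buffer.from(token.body), partnerPublicKey,
                           Buffer.from(token.sig, "base64"));
  if (!ok) return { status: 403, reason: "bad signature" };
  const assertion = JSON.parse(token.body); // parsed only after verification
  if (Date.now() >= assertion.notOnOrAfter) return { status: 403, reason: "expired" };
  // Step 1: each app requests a claim identical to its base URL.
  if (!assertion.claims.includes(appBaseUrl)) {
    return { status: 403, reason: "missing app claim" };
  }
  // RelayState is a form parameter posted by the browser (step 6), so it is
  // untrusted input: redirect only to a URL inside the requested application.
  let dest;
  try { dest = new URL(relayState); } catch { return { status: 400, reason: "bad RelayState" }; }
  if (dest.origin !== new URL(appBaseUrl).origin) {
    return { status: 400, reason: "RelayState outside app" };
  }
  return { status: 302, location: dest.href, user: assertion.user };
}

const token = issueToken(partner.privateKey, "alice@parityapps.com", [APP]);
console.log(acsHandle(token, APP + "render", APP, partner.publicKey));
```
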

Tuesday, November 18, 2008

Internet Explorer Mobile 6 Geneva? Not!

Microsoft just announced the new version of Internet Explorer Mobile 6.
The feedback on the PIE blog sounds mostly disappointed.

I guess that the new version still has no CardSpace support either.
I would welcome a mobileCardSpace even if it would have no self-issued card support.
Or maybe we should make the PKCS#5 algorithm in ISIP optional? Self-issued cards are the main reason we don't have mobile selectors.


No XHTML at Information Card Tile Page

Is it only me who finds it annoying that Microsoft over and over again produces example pages that have very very illegal (X)HTML code?

The example page for the Information Card Tile has yet several errors that occur when one uses a framework to create HTML pages that simply does not work well.
One should think that Microsoft's programmers have access to tools that produce valid code?! Or maybe all the Microsoft tools and frameworks are so that they produce invalid code when you include one page into another?

Bad example. Although I like the Information Card Tile. Even though I would implement it in another way. Some time ago I came up with the same idea but did not implement it because that would have been "not standard". Well, now it seems we witness the birth of a new standard.

I would implement the Information Card Tile à la microformats by using the class attribute. I would add a special class to the HTML-image tag to denote a tile.

If the RP does not want a tile when no selector is installed then:
Example: <img class="InformationCardTile" src="" id="the-ppid" alt="invisible"/>

If the RP does want an image when no selector is installed then:
Example: <img class="InformationCardTile" src="http://rp/image.png" id="the-ppid" alt="Purple Information Card Icon" onclick="submitForm()"/>

The selector would then overwrite the src-attribute when the card with the PPID "the-ppid" exists and add an onclick-handler that starts the selector or sends the card if the user has chosen to always use this card.
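A sketch of the selector-side pass this proposal implies, added here as an illustration and not taken from openinfocard, DigitalMe or Microsoft's tile. Assumptions: `applyTiles`, the `cards` map (PPID to card image and "always use" preference) and the `actions` callbacks are hypothetical, and plain objects stand in for DOM image elements.

```javascript
// Walk the page's images and rewrite only those marked as tiles whose id
// matches the PPID of a card the user actually holds.
function applyTiles(elements, cards, actions) {
  const changed = [];
  for (const el of elements) {
    // class may carry several tokens, so match the token, not the whole string
    const classes = (el.className || "").split(/\s+/);
    if (!classes.includes("InformationCardTile")) continue;
    const card = cards.get(el.id);
    // No card with this PPID: leave the RP's own src and onclick untouched,
    // so the fallback image (or the empty, invisible tile) stays as served.
    if (!card) continue;
    el.src = card.image;
    el.onclick = card.alwaysUse
      ? () => actions.sendCard(el.id)       // user chose to always use this card
      : () => actions.startSelector(el.id); // otherwise open the selector
    changed.push(el.id);
  }
  return changed;
}

// Constructed sample page: a tile for a known card, a tile for an unknown
// PPID with the RP's fallback image, and an ordinary image that is not a tile.
function demo() {
  const log = [];
  const actions = {
    sendCard: (id) => log.push("send:" + id),
    startSelector: (id) => log.push("select:" + id),
  };
  const cards = new Map([
    ["the-ppid", { image: "data:image/png;base64,AAAA", alwaysUse: true }],
  ]);
  const page = [
    { className: "logo InformationCardTile", id: "the-ppid", src: "", onclick: null },
    { className: "InformationCardTile", id: "other-ppid", src: "http://rp/image.png", onclick: null },
    { className: "banner", id: "the-ppid", src: "http://rp/banner.png", onclick: null },
  ];
  const changed = applyTiles(page, cards, actions);
  page[0].onclick(); // simulate a click on the rewritten tile
  return { changed, page, log };
}
```
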

Thursday, November 13, 2008

Equifax Unveils Online Identity Card

ATLANTA, November 13, 2008 - Equifax Inc. (NYSE: EFX) unveiled today the Equifax online identity card or I-Card, with a beta test of a first-of-its-kind digital identity management solution that is designed to make online transactions easier and more secure for both consumers and businesses....

Read the whole story at Parity's website.

Wednesday, November 12, 2008

IIW2008b: XRDS for OpenID and Information Cards

We will have a session this morning about XRDS and OpenID and Information Cards.

The IIW2008b wiki has an initial page about this topic.

Please come and let us define something useful.

Sunday, November 09, 2008

"Big Dog" Wow!


Visit Boston Dynamics for the full story.

Friday, November 07, 2008

Common Browser Add-On

The current version of the openinfocard identity selector now uses the same browser add-on code as DigitalMe (revision 2525 of IdentitySelector.js).
Although there are some additional features like the status-bar icon and the XRDS support.