when you find the need to go beyond documentation.. IDentity EnAbled Services

Saturday Oct 11, 2008

OpenSSO has an "extended" set of web services (REST) interfaces that make interfacing applications with OpenSSO a piece of cake. The following table lists the REST URLs and their operations and parameters:



The following code snippet shows how you can authenticate against OpenSSO using the REST interface and obtain an OpenSSO token for a user.



<%
String url = "http://localhost:8080/opensso/identity/authenticate";
String username = "rpinto";
String password = "testpass";
String token = null;
java.net.URL iurl = new java.net.URL(url);
// HttpURLConnection is needed for setRequestMethod(); a plain URLConnection has no such method.
java.net.HttpURLConnection connection = (java.net.HttpURLConnection) iurl.openConnection();
connection.setRequestMethod("POST");
connection.setDoOutput(true); // must be set before getOutputStream()
connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
// Send POST output.
java.io.DataOutputStream printout = new java.io.DataOutputStream(connection.getOutputStream());
String content = "username=" + java.net.URLEncoder.encode(username, "UTF-8") +
"&password=" + java.net.URLEncoder.encode(password, "UTF-8");
printout.writeBytes(content);
printout.flush();
printout.close();
// Read the response; OpenSSO answers "token.id=<value>" on success.
java.io.BufferedReader reader = new java.io.BufferedReader(
new java.io.InputStreamReader(connection.getInputStream()));
out.println("<h2>Successful Authentication using REST</h2>");
String line;
while ((line = reader.readLine()) != null) {
out.println(line + "<br>");
if (line.startsWith("token.id=")) {
token = line.substring("token.id=".length()); // strip the "token.id=" prefix
}
}
reader.close();
%>

This code opens an HTTP URL connection, performs a POST with the user name and password, and then displays the response in the browser while picking the token id out of the token.id line.


The request on the wire reads as follows:


POST /opensso/authenticate HTTP/1.1
Host: localhost
User-Agent: Mozilla/4.0
Content-Length: 27
Content-Type: application/x-www-form-urlencoded

username=rpinto&password=testpass

And the response would be—



token.id=AQIC5wM2LY4SfcykUxffyyVGC6k9vHhe7JcyrhHbmlpVZPI=@AAJTSQACMDE=#f
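As an added example (not the post's own code), the following stand-alone Java client wraps the same POST, parses the token.id line from the response by its key rather than by a fixed offset, and then asks OpenSSO whether the token is still valid before the application relies on it. The isTokenValid operation and its tokenid parameter belong to the same OpenSSO identity REST interface but are not shown on this page; they are assumed here from the OpenSSO documentation, as is the base URL.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class OpenSsoRestClient {
    private final String base; // assumed deployment URL, e.g. http://localhost:8080/opensso

    public OpenSsoRestClient(String base) { this.base = base; }

    /** POST to /identity/authenticate; returns the token id, or null if no token.id line came back. */
    public String authenticate(String username, String password) throws Exception {
        String body = "username=" + URLEncoder.encode(username, "UTF-8")
                    + "&password=" + URLEncoder.encode(password, "UTF-8");
        return parseTokenId(post(base + "/identity/authenticate", body));
    }

    /** Ask the server whether the token is still valid (assumed endpoint; answers "boolean=true"). */
    public boolean isTokenValid(String tokenId) throws Exception {
        String body = "tokenid=" + URLEncoder.encode(tokenId, "UTF-8");
        return post(base + "/identity/isTokenValid", body).trim().equals("boolean=true");
    }

    /** The response is "key=value" lines; take only the line whose key is exactly token.id. */
    static String parseTokenId(String response) {
        for (String line : response.split("\\r?\\n")) {
            if (line.startsWith("token.id=")) {
                return line.substring("token.id=".length()).trim();
            }
        }
        return null;
    }

    private static String post(String url, String body) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        conn.setFixedLengthStreamingMode(bytes.length); // Content-Length matches the body exactly
        try (OutputStream out = conn.getOutputStream()) { out.write(bytes); }
        if (conn.getResponseCode() != 200) { // OpenSSO signals bad credentials with a non-200 status
            throw new IllegalStateException("HTTP " + conn.getResponseCode() + " from " + url);
        }
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) sb.append(line).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        OpenSsoRestClient c = new OpenSsoRestClient("http://localhost:8080/opensso");
        String token = c.authenticate("rpinto", "testpass");
        System.out.println(token != null && c.isTokenValid(token) ? "token OK" : "authentication failed");
    }
}
```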

Friday Jan 18, 2008

My laptop started behaving weird today. Every time I restart it I get an error window popup with the word "smoni" in the title and the message "ReceiveDatagram error # 10054". A screenshot of the error message is below:
Does anybody have any idea what this could possibly be from? I'm clueless... I'd appreciate any help I can get to eliminate this error window from popping up on every reboot...
Back to normal programming. No more infocard stuff here. With a typical Access Manager deployment atop a web server or app server, there are many instances where, apart from the Access Manager services deployed, one may deploy other applications on the same server instance and may need to "protect" them. The right way of going about it is to deploy a policy agent on the same server instance. I noticed that in some cases folks choose not to deploy an agent but "embed" code in every page of their webapp to check the validity of the SSOToken issued by AM and enable access to those pages that they need "protected". Well, if all one needs is to protect a few URIs that reside on the same server instance as AM, one could also use a Servlet Filter to do the same without having to embed code in every page of the application. This is a simple SSO-only method and not a replacement for a policy agent. Here's what one needs to do to enable this:
For some reason I just cannot post code on this blog. No matter what I try, the code gets converted over to HTML. I did follow Pat's advice, but that didn't help. So I'm uploading the NNAgent.java file and providing you a link to download it instead of posting code as inline text.
  1. Declare the <filter> element in your web application deployment descriptor. For Sun's Web Server it would be the default-web.xml file.
  2. Map the filter to a servlet by defining a <filter-mapping> element in the deployment descriptor. This element maps a filter name to a servlet by name or by URL pattern. Add the URLs you would like to "protect" to the url-pattern element.
  3. Compile the attached code, build a jar file and add it to your server's classpath.
  4. Restart your web server.
  5. Try accessing the "protected" URL without authentication.
  6. Try accessing the "protected" URL with authentication.
You'd see the difference... NOTE: This is NOT a replacement for a Policy Agent. This is just an FYI/example of how one could achieve SSO only using a Filter.
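The filter described above, written out as an added example rather than the NNAgent.java attached to the post: it validates the Access Manager SSOToken carried by the request with the AM client SDK (com.iplanet.sso) and redirects unauthenticated requests to the AM login page with a goto back to the requested URL. The loginUrl init-param, the SsoFilter class name and the /protected/* URL pattern in the comment are assumptions for the example.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

/*
 * Deployment descriptor entries (web.xml, or default-web.xml on Sun Web Server), assumed values:
 *   <filter><filter-name>SsoFilter</filter-name><filter-class>SsoFilter</filter-class>
 *     <init-param><param-name>loginUrl</param-name>
 *                 <param-value>http://am.example.com/amserver/UI/Login</param-value></init-param>
 *   </filter>
 *   <filter-mapping><filter-name>SsoFilter</filter-name><url-pattern>/protected/*</url-pattern></filter-mapping>
 */
public class SsoFilter implements Filter {
    private String loginUrl; // AM login page, read from the loginUrl init-param

    public void init(FilterConfig cfg) throws ServletException {
        loginUrl = cfg.getInitParameter("loginUrl");
        if (loginUrl == null) throw new ServletException("loginUrl init-param is required");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (hasValidSession(request)) {
            chain.doFilter(req, res); // SSO only: no policy (authorization) evaluation here
            return;
        }
        // Not authenticated: send to AM login, then come back to the URL originally requested.
        String target = request.getRequestURL().toString();
        if (request.getQueryString() != null) target += "?" + request.getQueryString();
        response.sendRedirect(loginUrl + "?goto=" + URLEncoder.encode(target, "UTF-8"));
    }

    /** Let the SDK locate the SSOToken (session cookie) in the request and check it with AM. */
    static boolean hasValidSession(HttpServletRequest request) {
        try {
            SSOTokenManager mgr = SSOTokenManager.getInstance();
            SSOToken token = mgr.createSSOToken(request);
            return mgr.isValidToken(token);
        } catch (SSOException e) {
            return false; // no cookie, malformed token, or the session has expired
        }
    }

    public void destroy() { }
}
```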
No. This is not the long tailed Mouse "Higgins" you may be thinking about. I just could not resist posting this: Bill Higgins from IBM just blogged about IBM developerWorks community changing their backend weblog engine over to rollerweblogger, the same engine that powers blogs.sun.com.
I've always wanted to have the ability to extract a few files from an iso file for development. The approach I used to take to obtain the files was to download the .iso image of the distribution, then use my CD burner to burn a CD using the .iso image and then extract the file from that disc. Well, a friend of mine just pointed me to this excellently cool utility. And hey!! It's Microsoft's own utility (though unsupported) and it's FREE!! and has an extremely small footprint (60kb). Here's the download link: WinXP Virtual CD Control Panel. Here's the readme:
Readme for Virtual CD-ROM Control Panel v2.0.1.1
THIS TOOL IS UNSUPPORTED BY MICROSOFT PRODUCT SUPPORT SERVICES
System Requirements
===================
- Windows XP Home or Windows XP Professional
Installation instructions
=========================
  1. Copy VCdRom.sys to your %systemroot%\system32\drivers folder.
  2. Execute VCdControlTool.exe
  3. Click "Driver control"
  4. If the "Install Driver" button is available, click it. Navigate to the %systemroot%\system32\drivers folder, select VCdRom.sys, and click Open.
  5. Click "Start"
  6. Click OK
  7. Click "Add Drive" to add a drive to the drive list. Ensure that the drive added is not a local drive. If it is, continue to click "Add Drive" until an unused drive letter is available.
  8. Select an unused drive letter from the drive list and click "Mount".
  9. Navigate to the image file, select it, and click "OK". UNC naming conventions should not be used, however mapped network drives should be OK.
You may now use the drive letter as if it were a local CD-ROM device. When you are finished you may unmount, stop, and remove the driver from memory using the driver control.
I never thought I'd be publicly saying this. But here goes anyway: Thanks Microsoft. (It wouldn't hurt to be honest and thank someone, would it?)
I was almost a quarter of the way through developing the smartcard applet which theoretically could read the info from the smartcard and use the digital certificate from the smartcard to authenticate you to Access Manager. Here's the low-down on the effort. Smartcard readers are vendor specific. I used the ActivCard SDK for building the applet with some amount of minor hacking. So now I have come to realize that the smartcard reader and the applet are vendor specific. Whew!! What a painstaking effort. But nevertheless a good learning experience. So now I'm investigating MuscleCard, and hope to learn that the applet that I develop is not vendor specific... If anybody has any info on developing a non vendor specific (i.e. not smartcard reader manufacturer specific) applet, please, please, please do "SHARE" the info. I wish everybody would adopt the OpenSC Framework. Identity Alliance has a product called ID Ally.
ID Ally provides everything you need to begin deploying and using smart cards for security purposes. It provides the necessary software components to enable your smart card with a variety of applications and purposes such as:
  • Email Signing / Encryption using Outlook
  • Web Authentication using Internet Explorer
  • Signing and Encryption using Adobe Acrobat
  • Password wallet for secure password storage
  • Enrollment using Windows 2003 CA
  • Certificate Auto-Enrollment Options
  • Digital ID (certificate) Self-Enrollment Tool
  • Mozilla/Firefox Email, Web Authentication
  • Caching for convenience and speed
  • Utility for viewing certs and changing pin and unblocking
  • Card applet management capability
  • Easy to Use Installer and Documentation
ID Ally is FREE for personal use, and has a 30 day free trial for professional use so you can trial the software before choosing whether to license it. Using Windows 2000 or XP, you can use the provided installer to install all the components and documentation needed to begin.

Download ID Ally

In order to use ID Ally, you need to do the following:
  • Download ID Ally
  • Unpack ID Ally
  • double click on the msi file to install it
  • start regedt32
  • change HKEY_LOCAL_MACHINE\SOFTWARE\Identity Alliance\AuthShim\PKCS11BaseModule to "opensc-pkcs11.dll"
  • change HKEY_LOCAL_MACHINE\SOFTWARE\Identity Alliance\AuthShim\PKCS11Module to "opensc-pkcs11.dll"
  • change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Identity Alliance CSP\PKCS11Module to "opensc-pkcs11.dll"
  • close regedt32
  • run "ID Ally Card Manager"
  • enter PIN
  • turn off virtual slots in opensc.conf
Test it by visiting some SSL client-certificate protected web site with Internet Explorer. AH!! You also need to use a PC/SC compliant smartcard reader FROM ANY VENDOR. And if you do this, my SmartCard applet would work... So help me please...
This "night / graveyard-shift" infocard project of mine is working out to be an expensive affair for me, in $$ terms. I travel around so much (every Mon-Fri) that in order to work on it at nights, I needed to have WinXP with SP2 and IE7 on it. There's no way I would risk putting my endeared Ferrari through the BSoD (Blue Screen of Death) trauma. Well, there was no way for me to carry all my desktops around when I travel. So came VMware to the rescue. My VMware Workstation costs US$199, and then another WinXP Pro license was another US$299. And another CD$100 for bribing my wife with a L'Occitane gift pack to entice her to let me spend this money. Whew!! I hope this expense pays off in terms of learning. I believe that there can be no cost factor associated with learning. And hope & pray that this pays off in the long run. Now I have an "infocard" ready system in addition to a development environment, and a webserver with me all the time. Hopefully in the coming weeks, (with my new set of ammunition), I should be able to blog more on my discoveries... So stay tuned...
Kim had posted a nice article on A simple managed payment card example a while ago. So basically what happens with an "issued" infocard is that the infocard only contains a pointer to where the user information is to be obtained from (in this case, as per Kim's example, the issuer happens to be Bank of America, and the requestor is amazon.com). Well, Kapil had a nicer post on Smartcards and Federated Identity. Kapil quotes
Smartcards are actually the real enabler of the biggest network of identity federations the world has known till date, i.e. GSM. [...] various standards like SAML, Liberty, InfoCard/WS-Trust, WS-Federation etc. for identity federation respect and understand the usefulness of security devices like Smartcards. All these standards propose the solution to the same set of problems in _almost_ the same way and differ mostly in the wire protocols used. SAML and Liberty have the profiles ECP (Enhanced Client Proxy) and LECP (Liberty Enabled Client or Proxy) respectively which enable a Smartcard based authentication, whereas InfoCard (a profile of WS-Trust) treats the Smartcard as another Security Token Service which can generate self-issued security tokens.
Nice... I see the light at the end of the tunnel. Infocard treats a smartcard as a personal security token service (PSTS) which can issue security tokens in the form of SAML assertions. And so I thought... or rather... continue to think... What's the difference between the long existent JavaCard/Liberty vs InfoCard/WS-Federation? I remember sometime back I had read an article, "Microsoft Employees Get Carded" by Karen Epper Hoffman, via Kapil's Blog. Well, Scott made us use these from a long time ago... And Microsoft's views on smartcards are no different. Hubert has put together a nice demo of how, using Liberty's ID-WSF protocols, we can create a module that greatly helps the user in dealing with his digital identities. Currently laptops, Sun Ray 1g, Sun Ray 170 and desktops ARE available with built-in smartcard readers. And hence my dilemma...
Yes (to all those who were wondering who is working on porting infocard to Solaris/Linux), I currently am working on integrating infocard with Access Manager and my next move would be to port infocard to Solaris/Linux. The process of porting infocard over is not a 1 week task. It may take me longer as I'm overloaded with work and hardly have time to spare for this development. But with me assigning an hour or two every day I hopefully would complete this shortly. In the meantime I shall also blog my experiences in the process. And here's my first run at it. Infocard in its current form can be used on Windows XP desktops which have SP2 installed, Windows 2003 Server with SP1 installed and Windows Vista (February CTP). It requires WinFX Runtime Components (for x86 or for x64). I currently am playing around with infocard on Windows XP with SP2 and Windows 2003 Server with SP1. As soon as the WinFX CTP is installed on the system, the infocard components also get installed. You would also notice that your control panel now has a "Digital Identities" component installed. This is the core component from which you can create, edit, import or delete your infocards.
You can create as many "Identities" as you choose. But what bugs me is that I can create "any" Identity of my choosing. The screenshot below shows how I created Identities with myself, Kim, Pat and Bill Gates as the "identities" "I" wish to be recognized as.
[Screenshot: Microsoft Infocard]
Here's the issue that bugs me. This issue has been bugging me for a while, since the time "user-controlled" identities became the talk of the town, oops, web. The term "identity management", I believed, was a step forward in preventing "identity theft" (someone, please correct me if I'm wrong here). With the volume of identity thieves who exist on the web today, the ability to create "identities" just facilitates the process. I agree that the "identity" may be of no good if nobody accepts the identity. But, however, Microsoft would succeed in enabling organizations to adopt infocard, and its usage and participation would rise. For organizations (participants) who have their heads on their shoulders, the organizations ("issuers") would issue users their "infocard"/"identities" which could be used to access a service. Users could import the "issued" infocard onto their desktops using "Install a provider card" as in the screenshot below.
[Screenshot: Infocard Provider]
Here's my biased opinion. If the only infocards that MATTER are the ones that are issued by a provider, what makes it different from "Liberty"? Liberty is built on the "identity-given" framework/concept. The ability of enabling a user to create his own "infocard" may sound appealing, but how does it help? Well, for a novice user, it may sound cool, because he/she can create several "infocards" of themselves and choose which one to provide a "requestor" based on the information he/she would want to provide to a particular web service/application. But for the miscreants, it's a toolkit to spoof identities.
Another issue is that the "infocards" are stored on a user's desktop (porting them from one system to another "may" be a pain to a novice user). Now, this makes it even worse. Anybody who has access to the user's machine has the ability to delete the infocards that one may have created. What IF my son deletes my infocards intentionally or accidentally? What if my infocard gets stolen? If the infocards are not protected, they could be exported from one machine to the other with ease. The only way to secure it is by password protecting it. (So where does "no passwords required" come into the picture in this?) One can come up (make up) with numerous issues with this model. But what's important is the fact that the "only" infocards that matter would be the ones that are issued by a service provider/identity provider.
Well, we have another issue now. IF each IDP/SP would start issuing infocards to their users, the user ends up having tens of hundreds of infocards to manage. How different is that from tens of hundreds of username/password combinations? As an infocard user am I supposed to store all my infocards on a USB drive and carry it along with me just to enable me to use a service from any desktop? (The desktop additionally should be infocard enabled!!) AH!! I'm tired right now. I shall follow up on this again soon... as my thoughts keep formulating and changing.
PS: I personally like JavaCards. Please read Hubert's post on Liberty à la InfoCard. And think... "JavaCards and Liberty". You be the judge. So you decide for yourselves. UPDATE: This does not mean that I am not working on porting infocard to *nix and integrating it with AM. I am working on that too. Shall keep you posted on developments at my end periodically. UPDATE 2: I am NOT against infocard. I'm just thinking out loud as I keep discovering new stuff. And thought processes change periodically. The only thing that has been constant in my discoveries so far has been "change".
As a taste of upcoming MIX06 sessions, Kim Cameron presents a thumbnail sketch of how InfoCards bring an architecture for identity to the Internet, a demo of how it works and a peek at how you integrate it into a Web page.
  1. 20060209InfoCardKC.EXE
  2. 20060209InfoCardKCDemo.EXE
source : MSDN TV
See Kim's full session on this topic at the MIX06 conference. UPDATE 1: Also read Johannes Ernst's blog post "There are lots of things that are right about Microsoft InfoCard". After seeing the infocard demo, I feel that infocard really is a nice thing. I do not want to comment on the "open source or closed source" part as there are several of us in this field who are debating that topic. So I leave that up to those who better understand it and fight for it in the open source community. Here's my take. Sun has the Sun Java System Access Manager. This product really has extremely good visibility and usage in the real world, especially in the corporate sector. Individuals who care about secure identity and those who (by choice or otherwise) use a Microsoft Windows desktop as the client would end up using infocard for authentication in the future, as Microsoft plans to use infocard for building what they call a fundamentally secure platform. Now, having said that, I don't see the entire world not using Windows as the desktop client. Yep, true, Macs, Linux, and Solaris have a long way to go to becoming the de facto standard desktop for end users. So, all said and done, I thought of a small project that I would embark on in my free time. I would try to develop an InfoCard Authentication Plugin (using the Microsoft Federated Identity and Access Resource Kit and JAAS) for the Sun Java System Access Manager. Well, this may not be a good idea, but I guess it would be well worth my free time. As soon as I finish the module (hopefully soon, especially with Kim's & Kapil's help), I shall distribute the entire codebase and procedure for enabling you to deploy the infocard authentication plugin on Access Manager. (This may make for a good demo given that most users happen to have a Windows desktop.) One main reason for me to embark on this is because I see a strong similarity between this effort and nFactor Authentication (which I had blogged about a long time ago).
After all, Sun and Microsoft have joined hands for the interoperability of Liberty and WS-Federation, the results of which have led to the Web Single Sign-On Interoperability Profile & the Web Single Sign-On Metadata Exchange Protocol (which have just been released). UPDATE 2: Also read "Microsoft Employees Get Carded" (an old post) by Karen Epper Hoffman.