dacs_managed_infocard(8) create a managed Information Card

SYNOPSIS

dacs_managed_infocard [m[blue]dacsoptionsm[][1]]

DESCRIPTION

This program is part of the DACS suite.

The dacs_managed_infocard web service is used to create and register a managed InfoCard so that it can be used for authentication or other purposes. InfoCard-based authentication is performed by m[blue]local_infocard_authenticatem[][2], a DACS authentication module.

A managed InfoCard must be registered by dacs_managed_infocard before it can be used by DACS. After registration, use m[blue]dacs_infocard(8)m[][3] or m[blue]dacsinfocard(1)m[][4] to administer self-issued or managed InfoCards.

There are several operational modes, determined by the MODE argument. In a self-serve mode, an authenticated user requests a managed InfoCard (with various limitations imposed); the new InfoCard is either sent directly to the user's browser or written to a file that the user can access in a separate operation. In an administrative mode, a DACS administrator requests a managed InfoCard on behalf of a user and is responsible for directing it to the user in a separate, secure operation.

There are many m[blue]configuration directivesm[][5] associated with managed InfoCards. One of the most important is m[blue]INFOCARD_STS_AUTH_TYPEm[][6], which determines the authentication method ("credential type") used between an Identity Selector, such as CardSpace, and the managed InfoCard's Identity Provider/Secure Token Service (IP/STS), such as m[blue]dacs_sts(8)m[][7]. The following authentication methods are prescribed by the InfoCard specification:

UsernamePasswordCredential

This is a username/password type of authentication. See m[blue]INFOCARD_STS_PASSWORD_METHODm[][8]. At present, only a global (but changeable) password is allowed, or no password at all. A future release might allow a per-InfoCard account password, or tie an InfoCard account to some other password-based account.

X509V3Credential

In this authentication type, an SSL client certificate must be used with the request to dacs_managed_infocard for a managed InfoCard, and the same certificate must be used when the managed InfoCard is submitted to a Relying Party. A self-signed certificate may be used.

SelfIssuedCredential

In this authentication type, a self-issued InfoCard must be submitted with the request to m[blue]dacs_managed_infocard(8)m[][9] for a managed InfoCard (more precisely, a secure token obtained from a self-issued InfoCard that is passed as the argument xmlToken) and the same self-issued InfoCard must be available to the user's Identity Selector when the managed InfoCard is submitted to a Relying Party.

KerberosV5Credential

This is the Kerberos V5 credential type. This authentication credential type is currently unsupported.


Note

An Identity Selector will display all claim values returned to it by an Identity Provider. An Identity Provider must therefore employ cryptographic methods to obtain privacy or check authenticity with respect to claim values.

Accounts are accessed through DACS's virtual filestore using item type infocards. It is assumed that file permissions on the account database are such that all access is limited to the administrator, local_infocard_authenticate, m[blue]dacs_infocard(8)m[][3], and m[blue]dacs_sts(8)m[][7].

Configuration

The following configuration variables are available:

infocard_card_image_card

If m[blue]INFOCARD_STS_AUTH_TYPEm[][6] is "card", this is used as the filename of the image to include with a new managed card, relative to the m[blue]INFOCARD_CARD_IMAGE_BASE_URLm[][10] URI. The default value is the string "dacs_selfissued_credential.png" (or similar).

infocard_card_image_cert

If m[blue]INFOCARD_STS_AUTH_TYPEm[][6] is "cert", this is used as the filename of the image to include with a new managed card, relative to the m[blue]INFOCARD_CARD_IMAGE_BASE_URLm[][10] URI. The default value is the string "dacs_x509certificate_credential.png" (or similar).

infocard_card_image_passwd

If m[blue]INFOCARD_STS_AUTH_TYPEm[][6] is "passwd", this is used as the filename of the image to include with a new managed card, relative to the m[blue]INFOCARD_CARD_IMAGE_BASE_URLm[][10] URI. The default value is the string "dacs_username_password_credential.png" (or similar).

infocard_sts_title

This string identifies the IP/STS and may be displayed on web pages and Identity Selector prompts, or in error messages. The default value is the string "DACS Managed InfoCard IP/STS" (or similar).

infocard_sts_username_password_prompt_fmt

This is a m[blue]printf(3)m[][11]-type format string. It may contain at most one conversion specification, %s, which will interpolate the value of infocard_sts_title.

OPTIONS

Web Service Arguments

In addition to the m[blue]standard CGI argumentsm[][12], dacs_managed_infocard understands the following CGI arguments:

xmlToken

This argument is required if m[blue]INFOCARD_STS_AUTH_TYPEm[][6] is set to "card". The self-issued InfoCard is registered with the account associated with the new managed InfoCard and the user's Identity Selector must possess the self-issued InfoCard in order to use the managed InfoCard.

CARD_IMAGE_SUBTYPE

This optional argument specifies the MIME media subtype (e.g., the image format, such as "jpeg") of the image file attached to the new InfoCard. By default, the subtype is derived from the extension on the end of the last path component of the image's URI. For example, if CARD_IMAGE_URL is /card_images/bob.tn.gif, then the extension .gif is used to obtain a media subtype of gif and a MIME media type of image/gif. It is sometimes necessary to give the image format explicitly, however. See m[blue]INFOCARD_CARD_IMAGE_BASE_URLm[][10] for additional details. Only a DACS administrator may use this argument.

CARD_IMAGE_URL

This optional argument specifies the location (as a DACSm[blue]VFS URIm[][13]) of the image file to attach to the new InfoCard, overriding the default method that uses only m[blue]INFOCARD_CARD_IMAGE_BASE_URLm[][10]. If a file is specified (i.e., the value begins with a '/' or uses the file scheme), the path is relative to the INFOCARD_CARD_IMAGE_BASE_URL, which must specify a directory. Only a DACS administrator may use this argument.

FORMAT

By default, or if the value of the m[blue]FORMAT argumentm[][14] is FILE, the new card is sent directly to the user's browser (which should automatically invoke the user's Identity Selector); no copy is retained on the server. If FORMAT is HTML, the new managed InfoCard is stored in a file, replacing any existing card of the same name (see m[blue]INFOCARD_CARD_OUTPUTDIRm[][15]). Output is emitted in HTML and includes a link to the file (see m[blue]INFOCARD_CARDID_BASE_URLm[][16]). Only the owner of new card should be able to access it.

INFOCARD_IDENTITY

Normally, this argument is omitted and the managed InfoCard is created on behalf of the identity that is invoking dacs_managed_infocard. This argument allows a DACS administrator to create a card for a specific identity.

MODE

This optional argument is used to select how m[blue]claim informationm[][17] is stored and retrieved. Four values are recognized:

DACS

In this usage mode, which is the default, claims are defined and filled depending on DACS configuration:

• if both m[blue]INFOCARD_CARD_DEFS_URLm[][18] and m[blue]INFOCARD_CARD_FILL_URLm[][19] are configured, the former web service is called (once, by dacs_managed_infocard) to define the claims that will be assigned to the new managed InfoCard and the latter web service is called (by m[blue]dacs_sts(8)m[][7], each time the InfoCard is used) to obtain the values of those claims (or the requested and approved subset). The claim definitions may not be modified, but claim values do not need to be static.

• if neither of those web services are configured, a minimal set of claims is automatically defined to facilitate authentication.

• any other configuration is invalid

An identity is always associated with these InfoCards using a claim named dacs_identity in the DACS namespace (http://dacs.dss.ca/claims). By default, the identity used is that of the requestor. An administrator may instead specify the identity using the INFOCARD_IDENTITY argument, which need only be a syntactically valid DACS identity.

STATIC

In this mode, the caller of dacs_managed_infocard defines the claims and their values when the card is created; DACS is responsible for storing this information and producing secure tokens from it. Unlike the DACS mode, the values of these claims cannot be changed; a future release may implement this capability.

The caller may specify from zero to a compile-time maximum number of claims (MIC_MAX_STATIC_CLAIMS, 10). A privatepersonalidentifier (PPID) is always created automatically, so any user request for that claim is ignored. Only a DACS administrator may define the dacs_identity claim in the DACS namespace; if present, it must be a syntactically valid DACS identity. Therefore, only a DACS administrator may use this mode to create an InfoCard that can be used for DACS authentication. Similiarly, only a DACS administrator may define the dacs_roles claim in the DACS namespace; if present, it must be a syntactically valid m[blue]role descriptor stringm[][20].

The claims are specified by up to MIC_MAX_STATIC_CLAIMS arguments (not counting any PPID claims) of the form CLAIM_num_type, where num starts at one and continues with consecutive integers and type is:

• NAME for the name of the claim, which must consist of between one and MIC_MAX_STATIC_NAME_CLAIM_SIZE (32) characters valid in a URI path segment.

• VALUE is the value associated with the claim and consists of between one and MIC_MAX_STATIC_VALUE_CLAIM_SIZE (64) printable characters.

• URI is the URI namespace with which NAME is associated; for convenience, "standard" signifies the self-issued InfoCard namespace (http://schemas.xmlsoap.org/ws/2005/05/identity/claims), and "dacs" is short for the DACS namespace (http://dacs.dss.ca/claims); any other non-empty string can be any syntactically valid URI of up to MIC_MAX_STATIC_URI_CLAIM_SIZE (128), and an empty string indicates that the default URI should be used.


Note
The DACS namespace is reserved for use by DACS and identifies claim types with semantics that are defined by DACS.

• LABEL is a string that an Identity Selector should display with the claim and consists of between one and MIC_MAX_STATIC_LABEL_CLAIM_SIZE (20) printable characters.

• DESC is a string that an Identity Selector should display with the claim and consists of between one and MIC_MAX_STATIC_DESC_CLAIM_SIZE (40) printable characters; if missing or the empty string, the value of the corresponding LABEL argument is used.

The optional argument CLAIM_URI has the same syntax as a CLAIM_num_URI argument and establishes a default URI that will be used if any CLAIM_num_URI argument is missing or is the empty string.

The optional argument CARD_NAME assigns a name to the InfoCard, which will be displayed by an Identity Selector.

The first missing or null-string-valued CLAIM_num_NAME or CLAIM_num_VALUE argument indicates the end of the list. For example, if two claims are defined, the following arguments might be passed: CLAIM_1_NAME, CLAIM_1_VALUE, CLAIM_1_URI, CLAIM_1_LABEL, CLAIM_1_DESC, CLAIM_2_NAME, CLAIM_2_VALUE, CLAIM_2_URI, CLAIM_2_LABEL, and CLAIM_2_DESC. Any syntactical or length violation causes a fatal error.

ISTATIC

This mode is identical to the STATIC mode except that if it is used by an identity other than a DACS administrator, a dacs_identity claim in the dacs namespace is automatically added with the value of the caller's identity. The InfoCard may be used for DACS authentication.

DYNAMIC

The caller of dacs_managed_infocard provides URLs for two web services: one to define claims and another to fill claims. The caller is responsible for managing claim definitions and values. These web services are expected to behave exactly the same as those that are specified by m[blue]INFOCARD_CARD_DEFS_URLm[][18] and m[blue]INFOCARD_CARD_FILL_URLm[][19]. This mode is not implemented.

FILES

m[blue]dacs_managed_infocard.cssm[][21]

DIAGNOSTICS

The program exits 0 if everything was fine, 1 if an error occurred.

BUGS

It is currently not possible to just register a managed InfoCard (you must create and register it), so you cannot import a card.

This functionality should probably be integrated with m[blue]dacs_infocard(8)m[][3] (and m[blue]dacsinfocard(1)m[][4]).

Once a managed InfoCard is created, most of its characteristics cannot be changed. There should be a way to "refresh" a managed InfoCard that has expired or otherwise become invalid.

The various constraints on claim types should probably be run-time configurable, or possibly done away with altogether. The specification imposes no limits on them.

There should be a web service and utility to allow creation of a self-issued InfoCard (which may then be imported into a user's Identity Selector).

AUTHOR

Distributed Systems Software (m[blue]www.dss.cam[][26])

COPYING

Copyright2003-2013 Distributed Systems Software. See the m[blue]LICENSEm[][27] file that accompanies the distribution for licensing information.

NOTES

1.
dacsoptions
http://dacs.dss.ca/man/dacs.1.html#dacsoptions
2.
local_infocard_authenticate
http://dacs.dss.ca/man/dacs_authenticate.8.html#local_infocard_authenticate
3.
dacs_infocard(8)
http://dacs.dss.ca/man/dacs_infocard.8.html
4.
dacsinfocard(1)
http://dacs.dss.ca/man/dacsinfocard.1.html
5.
configuration directives
http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_prefixed
6.
INFOCARD_STS_AUTH_TYPE
http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_STS_AUTH_TYPE
7.
dacs_sts(8)
http://dacs.dss.ca/man/dacs_sts.8.html
8.
INFOCARD_STS_PASSWORD_METHOD
http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_STS_PASSWORD_METHOD
9.
dacs_managed_infocard(8)
http://dacs.dss.ca/man/dacs_managed_infocard.8.html
10.
INFOCARD_CARD_IMAGE_BASE_URL
http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_CARD_IMAGE_BASE_URL
11.
printf(3)
http://www.freebsd.org/cgi/man.cgi?query=printf&apropos=0&sektion=3&manpath=FreeBSD+9.1-RELEASE&format=html
12.
standard CGI arguments
http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args
13.
VFS URI
http://dacs.dss.ca/man/#VFS
14.
FORMAT argument
http://dacs.dss.ca/man/dacs.services.8.html#FORMAT
15.
INFOCARD_CARD_OUTPUTDIR
http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_CARD_OUTPUTDIR
16.
INFOCARD_CARDID_BASE_URL
http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_CARDID_BASE_URL
17.
claim information
http://dacs.dss.ca/man/dacs_infocard.8.html#about_claims
18.
INFOCARD_CARD_DEFS_URL
http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_CARD_DEFS_URL
19.
INFOCARD_CARD_FILL_URL
http://dacs.dss.ca/man/dacs.conf.5.html#INFOCARD_CARD_FILL_URL
20.
role descriptor string
http://dacs.dss.ca/man/dacs.1.html#roles
21.
dacs_managed_infocard.css
http://dacs.dss.ca/man//css/dacs_managed_infocard.css
22.
dacs.conf(5)
http://dacs.dss.ca/man/dacs.conf.5.html
23.
dacs_authenticate(8)
http://dacs.dss.ca/man/dacs_authenticate.8.html
24.
dacs_mex(8)
http://dacs.dss.ca/man/dacs_mex.8.html
25.
Using InfoCards With DACS
http://dacs.dss.ca/man/using-infocards-with-dacs.html
26.
www.dss.ca
http://www.dss.ca
27.
LICENSE
http://dacs.dss.ca/man/../misc/LICENSE