Infocard meets eduroam

And SimpleSAMLphp introduces them.

After several months of hard work, I am proud to announce that we have a first prototype of the unified single sign-on architecture that I have been mentioning all these months. Currently, it is based on the simpleSAMLphp Infocard module, a slightly modified version of the PEAP authentication module in FreeRADIUS, DigitalMe and wpa_supplicant.

We will be showing it at TNC 2009 in Málaga. I hope to be able to meet some of you in Malaga to discuss our proposal.

Finally, I would like to thank RedIRIS, the University of Alcala (Spain) and UNINETT, which have supported this work. Special thanks go to Samuel Muñoz Hidalgo, a CS student from the University of Alcala, who has been in charge of most of the development effort.

Updating an Apple Addressbook from an eduPerson Directory

If you work for a company that organizes employee data in an open directory, and you use a Mac, you have probably already configured Apple Addressbook to look up addresses from the directory, like this:

Then, what you can do is search for users:

Great, but not good enough. You cannot list all users, and more importantly you cannot sync them to your iPhone.

So I tried to investigate ways of directly importing all employees into the Addressbook. Luckily, Addressbook supports importing data from a number of formats, including LDIF and vCards.

I started out with LDIF. It works almost perfectly! One command to get the LDIF:

ldapsearch -x -L -h ldap.uninett.no -b cn=internal,cn=people,dc=uninett,dc=no 'eduPersonPrincipalName=*' > ansatte.ldif

In Apple Addressbook I choose import from LDIF:

What is really smooth here is that if you already have entries in your addressbook for some of these contacts, they will be merged with the updated information. You can review all the updated info to verify that it is correct:

Great, but not perfect. I somehow want to know the eduPersonPrincipalName of all users, and I want the jpegPhoto. For some reason I don’t think the LDIF import supports photos. But luckily the vCard import does.

I wrote a script that creates vCards from the LDIF. Here it is:

#! /usr/bin/php
<?php
// Emit one vCard 3.0 entry: family and given name, the base64 photo, and a
// note carrying the eduPersonPrincipalName.
function pdump($sn, $givenName, $jpeg, $feide) {
    // LDIF folds long base64 values onto continuation lines that start with a
    // space; collapse the line breaks so the photo data becomes one value.
    $jpeg  = preg_replace('/\s+/s', "   ", $jpeg);
    echo 'BEGIN:VCARD
VERSION:3.0
N:' . $sn . ';' . $givenName . ';;;
PHOTO;BASE64:
  ';
    echo $jpeg . "\n";
    echo 'NOTE: Feide ID is ' . $feide . "\n";
    echo 'CATEGORIES:All
END:VCARD
';
}

// The LDIF file written by ldapsearch; every entry starts with "dn: ".
$adr = file_get_contents('/Users/andreas/ansatte.ldif');
$persons = explode('dn: ', $adr);

// Return the value of attribute $key from one LDIF entry. A "key: value"
// line is returned as-is; a "key:: value" line is base64 (LDIF uses it for
// non-ASCII and binary values) and is decoded. Matching is anchored to the
// start of a line so a key cannot match inside another attribute's value.
function findK($p, $key) {
    $k = preg_quote($key, '/');
    if(preg_match('/^' . $k . ': (.*?)$/m', $p, $matches))
        return $matches[1];
    if(preg_match('/^' . $k . ':: (.*?)$/m', $p, $matches))
        return base64_decode($matches[1]);
    throw new Exception('not found [' .  $key . ']');
}

foreach($persons AS $p) {
    try {
        $sn = findK($p, 'sn');
        $givenName = findK($p, 'givenName');
        $feide = findK($p, 'eduPersonPrincipalName');
        // The photo is base64 spread over continuation lines; capture up to
        // the next attribute name or a blank line. Entries without a photo
        // are skipped.
        if(!preg_match('/jpegPhoto:: (.*?)\n([a-z][a-zA-Z]+:|\n)/s', $p, $matches))
            continue;
        $jpeg = $matches[1];
        pdump($sn, $givenName, $jpeg, $feide);
    } catch(Exception $e) {
        // Entries missing sn, givenName or eduPersonPrincipalName (and the
        // LDIF header before the first dn) are skipped.
    }
}

I ran the script from the command line:

./adr.php > uninett.vcf

In the script I populate the full name (used for merging), a note with the eduPersonPrincipalName, and the photo in base64.

The output file is in UTF-8, and Apple Addressbook expects vCards to be in UTF-16, so I used BBEdit to convert the file.

Now, I import the vCard file in Apple Addressbook and get both the photo and the eduPersonPrincipalName merged into the cards imported from LDIF. Next, I synchronize my iPhone using MobileMe, and yay, now I see pictures of UNINETT employees when they call. And I can access eduPersonPrincipalNames from my phone as well, and the address and e-mail, and so on.
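The same LDIF-to-vCard conversion, written here as an added example in Python (my code, not the post's script) with a small RFC 2849 reader in place of regular expressions: it unfolds continuation lines, decodes the `::` base64 values that ldapsearch emits for non-ASCII names and for jpegPhoto, escapes `;`, `,` and `\` in vCard fields so a surname containing a semicolon cannot shift the N components, folds output lines at 75 octets, and can write UTF-16 directly so the BBEdit step is not needed. Unlike the post's script it also keeps entries that have no photo. The attribute names are the eduPerson ones used above; the sample LDIF, names and photo bytes are constructed.

```python
"""LDIF (RFC 2849) to vCard 3.0 (RFC 2426) converter.

Added example, not the post's PHP script. Handles LDIF continuation lines,
'::' base64 values, blank-line record separation, vCard escaping and 75-octet
folding. The sample LDIF, names and photo bytes below are constructed.
"""
import base64
import re

BINARY_ATTRS = {"jpegphoto"}  # kept as bytes, never decoded as text

# Constructed sample: a fake 64-byte "JPEG" (SOI/APP0 markers plus padding) whose
# base64 is folded onto a continuation line, as ldapsearch does for long values.
SAMPLE_PHOTO = b"\xff\xd8\xff\xe0" + bytes(range(60))
_b64 = base64.b64encode(SAMPLE_PHOTO).decode("ascii")
SAMPLE_LDIF = (
    "version: 1\n\n"
    "dn: uid=bjorn,cn=internal,cn=people,dc=example,dc=org\nobjectClass: eduPerson\n"
    "givenName:: " + base64.b64encode("Bjørn".encode()).decode() + "\nsn: Nordmann\n"
    "eduPersonPrincipalName: bjorn@example.org\nmail: bjorn@example.org\n"
    "jpegPhoto:: " + _b64[:64] + "\n " + _b64[64:] + "\n\n"
    "dn: uid=ola,cn=internal,cn=people,dc=example,dc=org\nobjectClass: eduPerson\n"
    "givenName: Ola\nsn: Nordmann; Jr\neduPersonPrincipalName: ola@example.org\n"
)


def parse_ldif(text):
    """Return a list of records, each mapping a lower-cased attribute to its values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # a leading space continues the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], None
    for line in unfolded:
        if not line.strip():  # a blank line terminates the record
            if current:
                records.append(current)
            current = None
            continue
        m = re.match(r"([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if line.startswith("#") or not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if attr == "version" and current is None:
            continue
        if sep == "::":  # base64: LDIF uses it for non-ASCII text and binary data
            raw = base64.b64decode(value)
            value = raw if attr in BINARY_ATTRS else raw.decode("utf-8")
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def vcard_escape(value):
    """Escape the characters that would otherwise split or terminate a vCard field."""
    return (value.replace("\\", "\\\\").replace(";", "\\;")
            .replace(",", "\\,").replace("\n", "\\n"))


def fold(line, limit=75):
    """Fold a content line at 75 octets; continuation lines start with one space."""
    parts, cur, octets = [], "", 0
    for ch in line:
        n = len(ch.encode("utf-8"))
        if octets + n > limit:
            parts.append(cur)
            cur, octets = " ", 1
        cur += ch
        octets += n
    parts.append(cur)
    return "\r\n".join(parts)


def to_vcard(rec):
    """Build one vCard 3.0 from a record, or return None if a required field is missing."""
    try:
        sn, given = rec["sn"][0], rec["givenname"][0]
        eppn = rec["edupersonprincipalname"][0]
    except KeyError:
        return None
    lines = ["BEGIN:VCARD", "VERSION:3.0",
             "N:%s;%s;;;" % (vcard_escape(sn), vcard_escape(given)),
             "FN:%s %s" % (vcard_escape(given), vcard_escape(sn)),
             "NOTE:Feide ID is " + vcard_escape(eppn)]
    for mail in rec.get("mail", []):
        lines.append("EMAIL;TYPE=INTERNET:" + vcard_escape(mail))
    if rec.get("jpegphoto"):
        photo_b64 = base64.b64encode(rec["jpegphoto"][0]).decode("ascii")
        lines.append("PHOTO;ENCODING=b;TYPE=JPEG:" + photo_b64)
    lines.append("END:VCARD")
    return "\r\n".join(fold(l) for l in lines) + "\r\n"


def convert(ldif_text):
    """All convertible records as one vCard stream."""
    return "".join(v for v in map(to_vcard, parse_ldif(ldif_text)) if v)


def write_for_addressbook(path, vcards):
    """Write UTF-16 with BOM (the conversion the post did by hand in BBEdit)."""
    with open(path, "w", encoding="utf-16", newline="") as f:
        f.write(vcards)


if __name__ == "__main__":  # usage: ldif2vcf.py [in.ldif [out.vcf]]; defaults: sample, stdout
    import sys
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    write_for_addressbook(sys.argv[2], convert(src)) if len(sys.argv) > 2 else sys.stdout.write(convert(src))
```

Run it with the LDIF from the ldapsearch command above as the first argument and a `.vcf` path as the second; the output file can be imported straight into Addressbook. Entries are matched on the N field exactly as in the post's script, so existing cards are merged rather than duplicated.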

Some slides on Infocard Module installation and configuration

Two weeks ago I spent two days in Malaga, hosted by Victoriano at the University of Malaga, with the WAYF and RedIRIS guys, discussing several identity-related issues. I gave a small talk on Infocard module installation in SSP. In case you find it interesting, you can get it here: https://portal.uah.es/portal/page/portal/epd2_profesores/prof127418/investigacion/simpleSAMLphpInfocard.pdf

Infocard module updated

A bit more than a few days later :-P, we are glad to announce a new release of the InfoCard module implementation for simpleSAMLphp. Here are the major changes:

  • In addition to user-password authentication, the STS also accepts self-issued cards.
  • Fully compatible with MS CardSpace. Really! (Tested with DigitalMe and CardSpace.)
  • mex.php has been fully rewritten; now it’s short and understandable. 🙂
  • A link has been added to the module main page so it’s possible to get a managed card once you are authenticated by means of a simple user-password form. Because of this, getinfocard.php is replaced by getcardform.php.
  • A new class called STS has been added to handle the STS messages (issuing InfoCards and all the WS-Trust stuff).
  • Tokenservice.php makes use of the STS class. This has allowed us to shorten it quite a lot.
  • Commented and more elegant code.
  • Logging support: it’s possible to log the RST (from the identity selector) and the RSTR (from the STS) messages in a configurable directory.
  • We carry on using transport binding for the communications.
  • This work is being supported by RedIRIS (the Spanish NREN, www.rediris.es) and the CS Department of the University of Alcala (Spain) (http://it.aut.uah.es). This module has been developed by Samuel Muñoz Hidalgo.

TNC 2009

Our paper about a unified SSO architecture for eduroam using simpleSAMLphp has been accepted for presentation at TNC 2009.

Malaga and your favorite man from Malaga, Victoriano :-), will be waiting for you. Hope to see many of you there. Yes, you too, Feide guys!

By the way, we have extended our version of Infocard SSP module. In a few days, I will blog about this.

OASIS gets into the Information Cards Business

Last September, OASIS announced the formation of a new Identity Metasystem Interoperability (IMI) Technical Committee, chartered to increase the quality and number of interoperable implementations of Information Cards and associated identity system components to enable the Identity Metasystem. The goal of IMI is to provide the interoperability support that will enable Information Card use to become ubiquitous.

Five specifications have been accepted as ‘Input Documents’; the TC’s work will continue with further refinement and finalization of these Input Documents to produce specifications that standardize the concepts and XML Schema renderings in a manner that is backward compatible with the input documents. Other contributions and changes to the input documents will be accepted for consideration insofar as they conform to the charter. The five principal contributions are:

  1. Identity Selector Interoperability Profile V1.5. Microsoft Corporation. An Identity Selector and the associated identity system components allow users to manage their Digital Identities from different Identity Providers, and employ them in various contexts to access online services.
  2. Interoperability Profile V1.5 within Web Applications and Browsers. Microsoft Corporation. This paper documents the Web interfaces utilized by browsers and Web applications that support the Identity Metasystem; the information in this document is not specific to any one browser or platform.
  3. An Implementer’s Guide to the Identity Selector Interoperability Profile V1.5. Microsoft Corporation and Ping Identity Corporation. The mechanisms described in this document elaborate on the Identity Selector Interoperability Profile Version 1.5. The interactions between a conforming Identity Selector and a Relying Party or an Identity Provider are illustrated, and the message exchanges with an Identity Provider are described in detail.
  4. Application Note: Web Services Addressing Endpoint References and Identity. Microsoft and IBM. This note provides a mechanism to describe security-verifiable identity for endpoints by leveraging the extensibility of the WS-Addressing specification; Web Services Addressing Identity extends WS-Addressing’s endpoint reference by providing identity information about the endpoint that can be verified through a variety of security means.
  5. OSIS (Open Source Identity Systems) Feature Tests. Identity Commons. Interop tests relevant to an identity layer for the Internet from open-source and commercial participants, including interoperability work for Information Cards.

By November 10th, the TC had published its first draft, which tries to summarize all the previous documents. You can find the draft here.

We will keep an eye on this remarkable standardization effort.

You can read a detailed explanation of the committee’s details, principles and objectives here.