Advanced Client
Conor P. Cahill
Systems Technology Lab, Intel Corporation
Disclaimer
This presentation discusses work-in-progress within the Liberty Alliance Technology Expert Group. The end result of the specification process MAY be different than what is discussed here.
What is a Client?
A client is a piece of software that invokes or exposes a service.
Where can we find clients?
Features of a client
- Close to, or in the hands of, the end-user
- More restricted communications path
  - Addressability
  - Bandwidth
- The root of authenticated sessions
Evolution of Liberty related Clients
- Phase 1: Liberty Enabled Client/Proxy (LECP)
- Phase 2: Active Client
- Phase 3: Advanced Client (aka Intelligent Client)
- Phase 4: Robust Client
Evolution: LECP
- Liberty Enabled Client/Proxy
- Facilitate SSO and Federation operations
  - Especially IDP Discovery
  - Authentication Request Direction
- Browser plug-in and/or Proxy server
- Incorporated into SAML 2.0 as ECP
Evolution: Active Client
- AKA: LUAD
- Local Web Services Consumer (WSC)
  - Radio Service client
  - Calendar Service client
- Liberty ID-WSF Authentication Service
  - SOAP profile of SASL
  - Supports *any* authentication protocol
  - Enabled SSO into Web Services
In Progress: Advanced Client
- The client as an extension of the IdP
- Off-line and privacy enabling modes
- Strong local authentication
- Locally hosted/managed services
- Reporting
Future: Robust Client
- Provisioning (pulled into Advanced Client)
  - Over-the-wire/air distribution of client modules
  - Support for trusted environments
- Mobility
  - Moving service instances and/or client modules
- Strong Authentication
  - Multi-factor
Advanced Client: SSO/Federation
- Trusted Module (TM)
  - Extension of an IdP
  - Usually in some form of protected environment
    - Closed
    - Tamper resistant
    - E.g.: SIM
  - Drives SSO and/or Federation operations
  - Able to manufacture and/or store assertions
  - Able to function when the IdP is not present
TM: Design Considerations
- Privacy
  - Not shared by many users
  - ID of TM could be a correlation handle
  - Same for any public key used by TM for security
- Security
  - Mostly out-of-scope for Liberty
  - Enable features necessary for secure distribution
TM: Single Sign On Assertions
- Local manufacture of Assertions by TM (Minting)
  - IdP authorizes TM to manufacture Assns
  - IdP controls facets of Assn
  - Relying Party (RP) can verify delegation
  - Privacy protected by using unique keys for each RP
- Long term storage of IdP Issued Assns (Hoarding)
  - IdP issues Assns to TM
  - TM chooses when one of those Assns is used for SSO
TM Conceptual Environment
[Diagram; labels: Device, TM Protected Area, TM (three instances), Browser+, App(s), TM Manager, IdP, SP, Calendar]
TM Pre-Separation (Minting)
[Diagram; labels: Device, TM Protected Area, TM, TM Manager, IdP]
1. TM requests Minting Assertions
2. IdP responds with Minting Assns
TM Browser SSO
[Diagram; labels: Device, TM Protected Area, TM, TM Manager, Browser+, SP]
1. SP initiates SSO (AuthnRequest)
2. Browser "discovers" TMs
3. TM Manager returns TM EPR
4. Browser forwards AuthnReq to TM
5. TM responds with AuthnReq for SP
6. Browser forwards response to SP; user is now SSO'd into SP
TM Application SSO
[Diagram; labels: Device, TM Protected Area, TM, TM Manager, Cal App, Calendar WSP]
1. Cal Application "discovers" TMs
2. TM Manager returns TM EPR(s)
3. App requests token for Cal WSP
4. TM responds with token for WSP
5. App sends ID-WSF call with token to WSP
6. WSP responds with Cal info
Client Service Instance (CSI)
- Locally hosted service instance
  - E.g. Profile, Calendar, Payment, etc.
- May or may not be in a trusted environment
- Looks, feels, and acts like a typical ID-WSF or ID-SIS service
- Issues:
  - Privacy (location becomes correlation handle)
  - Availability/connectivity
SHPS: A remote partner
- Service Hosting/Proxying Service
- Hosts a remote instance of service
  - Full implementation of service
  - Synchronization with Client Service Instance (CSI)
  - CSI seen as master, but WSCs interact with Hosted service
- Proxies remote service invocations
  - Forwards each invocation to CSI
CSI Conceptual Environment
[Diagram; labels: Device, CSI, DS, SP/WSC, SHPS]
CSI normal ID-WSF invocation
[Diagram; labels: Device, Cal CSI, DS, SP/WSC, SHPS]
1. WSC discovers Calendar service
2. DS returns CSI's EPR to WSC
3. WSC invokes Calendar CSI
4. Calendar CSI returns data
CSI with SHPS hosting
[Diagram; labels: Device, Cal CSI, DS, SP/WSC, SHPS]
1. WSC discovers Calendar service
2. DS returns Calendar EPR to WSC
3. WSC invokes Calendar Svc
4. SHPS Cal Svc returns response
CSI with SHPS Proxy
[Diagram; labels: Device, Cal CSI, DS, SP/WSC, SHPS]
1. WSC discovers Calendar service
2. DS returns Calendar EPR to WSC
3. WSC invokes Calendar Svc
4. SHPS forwards req to Cal CSI
5. Cal CSI sends response to SHPS
6. SHPS returns response to WSC
Current Status
- Advanced Client
  - Requirements completed
  - Specifications in development
  - 1Q2007 public draft
- Robust Client
  - Requirements completed
  - Some specification work (Provisioning)
  - No public estimates as to spec release
More Information
Web: http://www.projectliberty.org
My blog: http://conorcahill.blogspot.com
Email: Conor.P.Cahill – at - intel.com