Liberty Demo at Burton Catalyst, Europe

Thursday, October 28, 2004 2:55:56 PM (Central Standard Time, UTC-06:00)

It's been more than a month since I blogged anything. I was on holiday, and before that busy preparing a demo using the Liberty LECP profile for SmartCards. That demo is described below.

The Liberty-Enabled Client and Proxy (LECP) profile is specified in the Liberty ID-FF “Bindings and Profiles Specification” [Section 3.2.5]. An LECP is a client that has, or knows how to obtain, knowledge about the identity provider the principal wishes to use with a service provider. Instead of being bounced between providers by HTTP redirects like a plain browser, it announces itself to the service provider with a Liberty-Enabled HTTP header and then sends and receives the Liberty protocol messages directly in the bodies of HTTP requests and responses.

Flow diagram for the LECP profile (figure not included in this copy):

The demo comprised four elements:

  1. Service Provider [SP]: http://www.dotnetcard.com/Demos/Liberty-Catalyst/Liberty-sp/TinkuTinki.aspx
  2. Identity Provider [IDP]: http://www.networksmartcard.com/Demos/Liberty-Catalyst/Liberty-idp/LECP.ashx
  3. Liberty user agent [UA]: Internet Explorer + LECP toolbar.
  4. Trusted module: SmartCard.

The demo is a proof of concept for the role of SmartCards in the Liberty federation / identity-management world. I designed a toolbar for Internet Explorer which handles the interactions with the IDP, the SP and the trusted module (SmartCard). In the figure above the toolbar plays the part of the user agent (UA). Below is a picture of the toolbar (image not included in this copy):

The detailed steps of the demo are:

  • Clicking the LogOn button in the toolbar prompts the user for the PIN that authenticates them to the SmartCard.
  • On successful PIN verification, the toolbar retrieves the list of Service Providers (stored as an XML file on the .NET SmartCard) and shows it in the Service Providers combo box; the Options and AutoFill buttons are enabled as well.
  • The user selects a Service Provider from the combo box.
  • The user agent (here the toolbar) sends a request to the selected SP for an AuthnRequestEnvelope, as specified in LECP [Section 3.2.5.2].
  • The SP returns the AuthnRequestEnvelope to the UA, which validates and processes the message and extracts the IDP from it (if the SP supplied one).
  • If the AuthnRequest is well-formed and valid, the UA brokers mutual authentication between the trusted module (here the SmartCard) and the IDP based on a shared secret. This authentication scheme was used for demo purposes; it can be made as sophisticated as required.
  • On successful authentication, the UA (toolbar) forwards the AuthnRequest received from the SP to the IDP.
  • The IDP validates and processes the message and generates an AuthnResponseEnvelope containing the assertion about the user.
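To make the steps above concrete, here is a simulation of the whole exchange in Python. This is an added example, not the demo's .NET code (which was not published with the post): the four parties are in-process objects and HTTP is a dict; the Liberty-Enabled header value, the card/IDP shared secret, the PIN and the federated pseudonym are constructed, and the element names follow the ID-FF 1.2 schema as I recall it. Step 6 is written as a nonce-based challenge-response over the shared secret, which is one way of realising the "based on a shared secret" the post describes, not necessarily the scheme the demo used. The code also includes the relay of the AuthnResponse to the SP's AssertionConsumerServiceURL, which is how the profile completes although the list above stops at the IDP; the SP's checks on Recipient, InResponseTo, Issuer and validity window are the minimum before logging anyone in. The IDP's XML-DSig signature, which a real SP must verify, is omitted.

```python
"""Simulated Liberty ID-FF LECP exchange (added example, not the demo's .NET code): SP, IDP,
user agent (toolbar) and trusted module (card) run in-process, HTTP is a dict, and element
names follow the ID-FF 1.2 schema as I recall it. The IDP's XML-DSig signature is omitted."""
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

LIB, SAML = "urn:liberty:iff:2003-08", "urn:oasis:names:tc:SAML:1.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
LIBERTY_ENABLED = "LIBV=urn:liberty:iff:2003-08"   # header value that marks the UA as an LECP
SP_ID = "http://www.dotnetcard.com/Demos/Liberty-Catalyst/Liberty-sp/"
SP_ACS = SP_ID + "TinkuTinki.aspx"                  # assertion consumer service (the post's SP URL)
IDP_ID = "http://www.networksmartcard.com/Demos/Liberty-Catalyst/Liberty-idp/"
IDP_SSO = IDP_ID + "LECP.ashx"                      # single sign-on endpoint (the post's IDP URL)
CARD_SECRET = b"constructed-demo-card-secret"       # shared by card and IDP; constructed

def tag(ns, name): return f"{{{ns}}}{name}"
def now(): return datetime.now(timezone.utc)
def mac(key, *parts): return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class TrustedModule:
    """Stand-in for the .NET SmartCard: the secret never leaves it, nothing works before the PIN."""
    def __init__(self, secret, pin): self._secret, self._pin, self.unlocked = secret, pin, False
    def verify_pin(self, pin): self.unlocked = hmac.compare_digest(pin.encode(), self._pin.encode()); return self.unlocked
    def card_proof(self, idp_nonce, card_nonce):    # step 6: card answers the IDP's challenge
        if not self.unlocked: raise PermissionError("card locked: PIN required")
        return mac(self._secret, b"card", idp_nonce, card_nonce)
    def idp_proof_ok(self, idp_nonce, card_nonce, proof):   # step 6: card checks the IDP's answer
        return hmac.compare_digest(mac(self._secret, b"idp", card_nonce, idp_nonce), proof)

class ServiceProvider:
    def __init__(self): self.pending = set()
    def authn_request_envelope(self, headers):          # steps 4-5: the UA asks the SP for the envelope
        if "Liberty-Enabled" not in headers: raise ValueError("not an LECP: a browser profile would apply")
        rid = "id-" + secrets.token_hex(8); self.pending.add(rid)
        env = ET.Element(tag(LIB, "AuthnRequestEnvelope"))
        req = ET.SubElement(env, tag(LIB, "AuthnRequest"), RequestID=rid, MajorVersion="1", MinorVersion="2")
        ET.SubElement(req, tag(LIB, "ProviderID")).text = SP_ID
        ET.SubElement(env, tag(LIB, "ProviderID")).text = SP_ID
        ET.SubElement(env, tag(LIB, "AssertionConsumerServiceURL")).text = SP_ACS
        entries = ET.SubElement(ET.SubElement(env, tag(LIB, "IDPList")), tag(LIB, "IDPEntries"))
        entry = ET.SubElement(entries, tag(LIB, "IDPEntry"))   # the IDP the SP proposes
        ET.SubElement(entry, tag(LIB, "ProviderID")).text = IDP_ID
        ET.SubElement(entry, tag(LIB, "Loc")).text = IDP_SSO
        return ET.tostring(env)
    def consume(self, form):                            # ACS: the UA posts LARES=base64(AuthnResponse)
        resp = ET.fromstring(base64.b64decode(form["LARES"]))
        if resp.get("Recipient") != SP_ACS: raise ValueError("response addressed to another SP")
        if resp.get("InResponseTo") not in self.pending: raise ValueError("unsolicited or replayed response")
        self.pending.discard(resp.get("InResponseTo"))
        a = resp.find(tag(SAML, "Assertion")); c = a.find(tag(SAML, "Conditions"))
        if a.get("Issuer") != IDP_ID: raise ValueError("assertion from an untrusted IDP")
        if not datetime.fromisoformat(c.get("NotBefore")) <= now() < datetime.fromisoformat(c.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        return a.find(f".//{tag(SAML, 'NameIdentifier')}").text

class IdentityProvider:
    def __init__(self, secret): self._secret, self._challenges, self.sessions = secret, set(), set()
    def challenge(self): n = secrets.token_bytes(16); self._challenges.add(n); return n   # step 6: one-shot nonce
    def authenticate(self, idp_nonce, card_nonce, card_proof):   # step 6: check the card, then prove itself
        if idp_nonce not in self._challenges: raise PermissionError("unknown or replayed challenge")
        self._challenges.discard(idp_nonce)
        if not hmac.compare_digest(mac(self._secret, b"card", idp_nonce, card_nonce), card_proof):
            raise PermissionError("card failed authentication")
        sess = secrets.token_hex(16); self.sessions.add(sess)
        return sess, mac(self._secret, b"idp", card_nonce, idp_nonce)
    def single_sign_on(self, session, soap_body):       # step 7: the AuthnRequest arrives in a SOAP body
        if session not in self.sessions: raise PermissionError("no authenticated card session")
        req = ET.fromstring(soap_body).find(f".//{tag(LIB, 'AuthnRequest')}")
        if req is None or req.find(tag(LIB, "ProviderID")).text != SP_ID: raise ValueError("bad AuthnRequest")
        t, env = now().isoformat(), ET.Element(tag(LIB, "AuthnResponseEnvelope"))
        resp = ET.SubElement(env, tag(LIB, "AuthnResponse"), ResponseID="id-" + secrets.token_hex(8),
                             InResponseTo=req.get("RequestID"), Recipient=SP_ACS, IssueInstant=t)
        a = ET.SubElement(resp, tag(SAML, "Assertion"), AssertionID="id-" + secrets.token_hex(8),
                          Issuer=IDP_ID, MajorVersion="1", MinorVersion="1", IssueInstant=t)
        ET.SubElement(a, tag(SAML, "Conditions"), NotBefore=t, NotOnOrAfter=(now() + timedelta(minutes=5)).isoformat())
        stmt = ET.SubElement(a, tag(SAML, "AuthenticationStatement"), AuthenticationInstant=t,
                             AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:HardwareToken")
        ET.SubElement(ET.SubElement(stmt, tag(SAML, "Subject")), tag(SAML, "NameIdentifier")).text = \
            "card-holder-" + session[:8]                # federated pseudonym; constructed
        ET.SubElement(env, tag(LIB, "AssertionConsumerServiceURL")).text = SP_ACS
        return ET.tostring(env)

def run_demo(pin, card_pin="1234"):
    """The toolbar's side of steps 1-7, plus the relay to the SP's ACS that completes the profile."""
    card, sp, idp = TrustedModule(CARD_SECRET, card_pin), ServiceProvider(), IdentityProvider(CARD_SECRET)
    if not card.verify_pin(pin): raise PermissionError("PIN rejected by card")           # step 1
    env = ET.fromstring(sp.authn_request_envelope({"Liberty-Enabled": LIBERTY_ENABLED}))  # steps 4-5
    if env.find(f".//{tag(LIB, 'IDPEntry')}/{tag(LIB, 'Loc')}").text != IDP_SSO:
        raise ValueError("the SP proposes an IDP the card holds no credentials for")
    idp_nonce, card_nonce = idp.challenge(), secrets.token_bytes(16)                      # step 6
    session, idp_proof = idp.authenticate(idp_nonce, card_nonce, card.card_proof(idp_nonce, card_nonce))
    if not card.idp_proof_ok(idp_nonce, card_nonce, idp_proof): raise PermissionError("IDP failed to prove itself")
    soap = ET.Element(tag(SOAP, "Envelope")); ET.SubElement(soap, tag(SOAP, "Body")).append(env.find(tag(LIB, "AuthnRequest")))
    resp_env = ET.fromstring(idp.single_sign_on(session, ET.tostring(soap)))              # step 7
    lares = base64.b64encode(ET.tostring(resp_env.find(tag(LIB, "AuthnResponse"))))
    return resp_env.find(tag(LIB, "AssertionConsumerServiceURL")).text, sp.consume({"LARES": lares})
```

`run_demo("1234")` returns the ACS URL the toolbar would POST to and the principal the SP logs in. Two design points carry over to any real implementation: the IDP only issues an assertion against a session that was established by the card proving possession of the secret, and both nonces are single-use, so a recorded exchange cannot be replayed against either side.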

The AutoFill button on the toolbar is a nice application that fills forms on web pages with user data retrieved from the SmartCard.

I used .NET for all the pieces of the demo; a .NET SmartCard serves as the trusted module. The contents of the .NET SmartCard are shown below (image not included in this copy).

Let's have a look at the card contents:

  • Liberty.TM.exe is the on-card application that performs the mutual authentication with the IDP.
  • Liberty.ITrustedModule.dll is the interface to the Trusted Module service.
  • AutoFillOptions.xml contains the user data (e.g. name, address).
  • ServiceProviders.xml contains the list of Service Providers supported by this SmartCard.
  • Assertions.xml is another very interesting part: an assertion cached inside the SmartCard for use in offline mode. There may be cases where the Service Provider cannot reach the IDP, so the user can download assertions from the IDP in advance and present them to the SP offline. Since the SP then has nobody to ask, it has to rely on what the assertion itself carries: the IDP's signature, the validity window in its Conditions, and the audience it was issued for.
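What an SP must still check when it accepts a cached assertion without any path to the IDP, as an added example in Python (not the demo's code): the assertion is taken only if its issuer is one the SP trusts, its signature verifies, it names this SP as its audience, the SP's clock is inside NotBefore/NotOnOrAfter, and its AssertionID has not been presented before. The IDP's XML-DSig signature is stood in for by an HMAC over the signed fields under a constructed key that the SP holds; the subject name, timestamps and identifiers are constructed as well.

```python
"""Offline acceptance of a cached assertion (added example, not the demo's code).
The IDP's XML-DSig signature is replaced by an HMAC over the fields that matter,
under a key the SP holds (constructed); what an SP has to check is the same."""
import hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SIG = "SignatureValue"                                  # attribute standing in for ds:Signature; constructed
IDP_ID = "http://www.networksmartcard.com/Demos/Liberty-Catalyst/Liberty-idp/"
SP_ID = "http://www.dotnetcard.com/Demos/Liberty-Catalyst/Liberty-sp/"
IDP_KEY = b"constructed-idp-signing-key"
ISSUED_AT = datetime(2004, 10, 28, 14, 0, tzinfo=timezone.utc)   # constructed timestamp

def T(name): return f"{{{SAML}}}{name}"

def canonical(a):
    """Fields bound by the signature: id, issuer, subject, audience, validity window."""
    c = a.find(T("Conditions"))
    return "\n".join([a.get("AssertionID"), a.get("Issuer"), a.find(f".//{T('NameIdentifier')}").text,
                      c.find(f".//{T('Audience')}").text, c.get("NotBefore"), c.get("NotOnOrAfter")]).encode()

def issue(name, issued_at, lifetime=timedelta(hours=8), assertion_id="cached-0001"):
    """IDP side: the assertion the toolbar would download into Assertions.xml while online."""
    a = ET.Element(T("Assertion"), AssertionID=assertion_id, Issuer=IDP_ID, MajorVersion="1",
                   MinorVersion="1", IssueInstant=issued_at.isoformat())
    c = ET.SubElement(a, T("Conditions"), NotBefore=issued_at.isoformat(),
                      NotOnOrAfter=(issued_at + lifetime).isoformat())
    ET.SubElement(ET.SubElement(c, T("AudienceRestrictionCondition")), T("Audience")).text = SP_ID
    stmt = ET.SubElement(a, T("AuthenticationStatement"), AuthenticationInstant=issued_at.isoformat(),
                         AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:HardwareToken")
    ET.SubElement(ET.SubElement(stmt, T("Subject")), T("NameIdentifier")).text = name
    a.set(SIG, hmac.new(IDP_KEY, canonical(a), hashlib.sha256).hexdigest())
    return ET.tostring(a)

def verify_cached(xml_bytes, key, now, seen_ids):
    """SP side with no path to the IDP: returns the subject name or raises ValueError."""
    a = ET.fromstring(xml_bytes)
    if a.get("Issuer") != IDP_ID: raise ValueError("untrusted issuer")
    expected = hmac.new(key, canonical(a), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(a.get(SIG, ""), expected): raise ValueError("signature check failed")
    c = a.find(T("Conditions"))
    if c.find(f".//{T('Audience')}").text != SP_ID: raise ValueError("assertion meant for another SP")
    if not datetime.fromisoformat(c.get("NotBefore")) <= now < datetime.fromisoformat(c.get("NotOnOrAfter")):
        raise ValueError("outside validity window, and no IDP to ask for a fresh one")
    if a.get("AssertionID") in seen_ids: raise ValueError("replayed: a cached assertion is a bearer token")
    seen_ids.add(a.get("AssertionID"))
    return a.find(f".//{T('NameIdentifier')}").text

def outcomes():
    """Run the four cases an offline SP meets; returns {case: subject or rejection reason}."""
    xml, seen, result = issue("tinku", ISSUED_AT), set(), {}
    tampered = xml.replace(b">tinku<", b">admin<")      # subject changed after signing
    for case, blob, t in [("fresh", xml, ISSUED_AT + timedelta(hours=1)),
                          ("replay", xml, ISSUED_AT + timedelta(hours=2)),
                          ("tampered", tampered, ISSUED_AT + timedelta(hours=1)),
                          ("expired", issue("tinku", ISSUED_AT, assertion_id="cached-0002"),
                           ISSUED_AT + timedelta(hours=9))]:
        try: result[case] = verify_cached(blob, IDP_KEY, t, seen)
        except ValueError as e: result[case] = "rejected: " + str(e)
    return result
```

`outcomes()` accepts the fresh assertion once and rejects the same bytes a second time, a copy whose subject was edited after signing, and a second assertion presented after its eight-hour window. The replay cache is the part most easily forgotten: with no IDP to consult, an assertion pulled off one card and presented again from another machine is indistinguishable from the original unless the SP remembers the AssertionIDs it has already honoured.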