Previous Topic: How To Configure Kerberos AuthenticationNext Topic: RADIUS CHAP/PAP Authentication Schemes


Information Card Authentication Schemes

Using the Information Card Authentication Scheme (ICAS) feature of CA SiteMinder®, you can create multiple information card authentication schemes. Each one is configured as a custom authentication scheme.

Introduction to Information Cards

Information cards are like the physical cards that we carry in our wallets. Each information card represents a set of identity information. For example, an information card that represents a driver's license might contain the following sensitive identity information: photo, birth date, first and last name, and driver's license number.

Information cards let users manage their identity information. Users can view their information cards and the associated identity information. They can choose from the available cards for a given information exchange. And they can authorize the release of the identity information associated with a selected card.

Information cards are exposed by an Identity Selector.

Introduction to Identity Selectors

An Identity Selector is an application that lets users manage their identity information and their online relationships with Relying Parties and Identity Providers. A Relying Party (RP) is the web site, application or service that requires identity information to authenticate the user. The Identity Provider (IdP) is a third party that authenticates identity information and creates security tokens that the user can share with the Relying Party.

Identity Selectors allow users to access Web-based resources without having to manage a multitude of user names and passwords. Likewise, businesses no longer have to maintain a database of user identity information that can be inaccurate, out-of-date, and vulnerable to misuse, thus reducing risk and liability and enhancing agility.

Identity Selectors also give the user control over exactly what identity information is released to each Relying Party. And finally, Identity Selectors provide users with a consistent user interface and better user experience.

Windows CardSpace

Windows CardSpace, Microsoft's implementation of an Identity Selector, provides users with a consistent user interface for interacting with any Relying Party or Identity Provider. SiteMinder supports Windows CardSpace through a custom authentication scheme called Information Card Authentication Scheme (ICAS).

SiteMinder Information Card Authentication Scheme (ICAS)

CA SiteMinder® Information Card Authentication Scheme (ICAS) is a CA SiteMinder® authentication scheme that supports Windows CardSpace. Each instance of ICAS is configured as a custom authentication scheme in the Administrative UI and implemented like any other CA SiteMinder® custom authentication scheme.

ICAS Overview

Authenticating a user with SiteMinder ICAS is a process that involves these components and steps:

  1. A user wants to visit a SiteMinder-protected Web site or Relying Party (RP).
  2. The Web agent intercepts the user's request and invokes ICAS.
  3. ICAS sends the RP's policy requirements to the Web agent.
  4. The Web agent instructs the user's browser to launch an Identity Selector on the user's computer and sends the RP's policy requirements.
  5. The Identity Selector reads the policy requirements and highlights for the user those information cards that satisfy the requirements. The user selects one highlighted card. The Identity Selector collects the user's credentials and sends them to the Identity Provider (IdP) for authentication. The Identity Selector also sends the RP's policy requirements to the IdP and requests a token.

    Note: The user can select a card that contains optional claims not required by the RP.

  6. The IdP authenticates the user and processes the policy requirements. It generates a token containing the required claims and sends it back to the Identity Selector.
  7. The Identity Selector displays the claims, and the user approves release of the claims to the RP.
  8. ICAS decrypts the token, verifies the token's authenticity and integrity, and associates the user's claims to a user's identity in the user database. SiteMinder then performs standard policy-based authorization and grants access to the user if authorized.
  9. The user accesses the Web site.
ICAS Terms

The following terms are useful for understanding ICAS:

Identity Metasystem

An architecture that specifies how identity information can be shared by users, Relying Parties, and Identity Providers.

User

The person whose identity information is being shared. Sometimes, the user is called the subject.

Relying Party (RP)

The Web site that requests and consumes identity information.

Identity Provider (IdP)

A third party that authenticates identity information and shares the information with Relying Parties by creating security tokens. Credit card companies, banks, government agencies, employers, and insurance companies are all examples of Identity Providers.

Security Token Service (STS)

The technology used by Identity Providers to create security tokens. A Security Token Service:

Security Token

A cryptographically signed and encrypted set of claims.

Claim

An assertion of truth. Each token contains one or more claims about the user's identity. Examples of claims are first name, last name, email address, birth date, and so on. Claims can be made by the user or a third-party Identity Provider.

Information Card

A set of identity information. Information cards are comparable to the physical cards that we carry in our wallets. For example, an information card that corresponds to a driver's license might contain the following sensitive identity information: photo, birth date, first and last name, driver's license number, state, height, and sex.

Personal Card

An information card that contains claims that the user asserts about himself, but that are not corroborated by a third party. A personal card contains a Private Personal Identifier (PPID) that is generated when the card is created. Personal cards are appropriate for low-sensitivity identity information, such as an email address.

Note: Personal cards are also called self-issued cards.

Managed Card

An information card contains claims that the user asserts about himself and that are corroborated by a third party. A managed card contains a Private Personal Identifier (PPID) that is generated when the card is created and a pointer to the Identity Provider's STS. Managed cards are appropriate for sensitive identity information, such as a credit card number.

Identity Selector

An application that lets users manage their relationships with Relying Parties and Identity Providers and control how their identity information is shared and used. An identity selector:

Windows CardSpace

Microsoft's Identity Selector for the Windows operating system.

Information Card Authentication Scheme (ICAS)

Support for Windows Cardspace, Microsoft's Identity Selector, implemented in SiteMinder as a custom authentication scheme.

Private Personal Identifier (PPID)

Identifier generated by the Identity Selector when an information card is created.

ICAS Files

SiteMinder uses two files to configure each instance of ICAS: the fcc file and the properties file.

filename.fcc

Specifies the authentication settings that SiteMinder requires and that can be customized for each instance of ICAS.

InfoCard.fcc

A sample fcc file that is shipped with the Web Agent kit

filename.properties

Specifies how an instance of ICAS behaves.

InfoCard.properties

A sample properties file

Note: When configuring an instance of ICAS in the Administrative UI, the administrator specifies the path to the properties file.

ICAS Prerequisites

Before you can implement ICAS, the following conditions must be met:

Web Browser Configuration

One of the following web browsers must be used:

Web Server Configuration

The Web Server must be configured for SSL communication. This configuration protects the fcc file.

Note: For more information, see the Web Agent Configuration Guide.

Web Agent Configuration

The InfoCard.fcc file that is shipped with the Web Agent kit must be customized for each instance of ICAS.

Note: For more information, see the Web Agent Configuration Guide.

Java Runtime Environment (JRE) Configuration

The Java Runtime Environment must be configured to decrypt security tokens that are encrypted with strong encryption algorithms.

Policy Server Configuration

Policy Server Configuration includes the following tasks:

Configure the Java Runtime Environment (JRE) for ICAS

Configure the Java Runtime Environment (JRE) by installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction policy files. These files are needed to decrypt security tokens that are encrypted with strong encryption algorithms.

Important! Back up the default policy files that are shipped with the JRE before installing the new policy files.

Follow these steps:

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction policy files from http://www.oracle.com/technetwork/java/index.html.
  2. Install them in the $NETE_JRE_ROOT\lib\security directory.
  3. Add the following line to the $NETE_JRE_ROOT\lib\security\java.security file:
    security.provider.7=com.rsa.jsafe.provider.JsafeJCE
    
How to Configure the Policy Server for ICAS

Configuring the Policy Server for ICAS includes the following steps:

  1. Configure an ICAS properties file.
  2. Store claims for later use in active responses.
  3. Configure the certificate data store for ICAS.
  4. Configure a user directory for ICAS.
  5. Create an instance of ICAS.
  6. Configure an active response that retrieves a claim value.
  7. Configure support for ICAM white list.

Configure an ICAS Properties File

An ICAS properties file specifies how an instance of ICAS behaves. When configuring an instance of ICAS in the Administrative UI, the administrator specifies the path to the associated properties file. To configure a new properties file, open a sample properties file with a text editor and edit the contents. Always save and rename the new properties file.

Note: Multiple instances of ICAS can share the same properties file.

Example: A properties file named InfoCard.properties contains the following properties and sample values:

fcc

Specifies the location of the Information Card fcc file.

Example: fcc=https://web_server_home/siteminderagent/forms/InfoCard.fcc

Note: To activate the Identity Selector, specify "https".

vppid_attribute

Specifies the VPPID attribute value. This attribute is required by the command UpdateUserStoreWithVPPID to update a user attribute.

Example: vppid_attribute=mail

vppid_claim

Specifies the claim to use to disambiguate the user.

Examples:

vppid_claim=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

vppid_claim=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

vppid_claim=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

alias

Specifies the key in the certificate data store that is used to retrieve the SSL certificate of the Relying Party.

Example: alias=rpssl

guestuser

If ICAS is configured in anonymous mode, specifies the guest user login.

Example: guestuser=guest

tokenPrim

Specifies the provider of the tokenPrim interface.

Example: tokenPrim=com.ca.sm.authscheme.infocard.higgins.TokenAdapter

storeclaims_attribute

Specifies the user attribute where the claims are stored when the command StoreClaimsToUserStore is executed.

Example: storeclaims_attribute=description

preprocessingchain

Defines a chain of commands to execute during user disambiguation.

Example: preprocessingchain=+vppidchain

Note: For more information, see Configure ICAS Command Chains.

postprocessingchain

Defines a chain of commands to execute during user authentication.

Example: postprocessingchain=+vppidchain;com.ca.sm.icas.command.StoreClaimsToContext

Note: For more information, see Configure ICAS Command Chains.

errorprocessingchain

Defines a chain of commands to execute during error processing.

Note: For more information, see Configure ICAS Command Chains.

whiteListLocation

(Optional) Defines the location of the XML file that contains the White List specified by Federal Identity, Credentialing, and Access Management (ICAM).

Example: whiteListLocation=C:\\Program Files\\ca\\siteminder\\config\\WhiteList.xml

Note: For more information about ICAM White List, see Configure Support for the ICAM White List.

Configure ICAS Command Chains

Command chains are defined in the ICAS properties file. A chain is a a set of commands that executes in an orderly manner.

Named chain of commands include:

These named chains are present by default.

Consider the following:

According to your requirements, configure the following class files:

Key Class Files to Configure ICAS

The following key class files are used to configure ICAS:

com.ca.sm.icas.StoreClaimsToSessionStore

Stores extracted claims to the session store of Policy Server.

com.ca.sm.icas.command.ExecuteClaimChain

Executes a set of commands over a claim. For each claim name, which forms the last part of the namespace, ICAS looks for a chain defined as chainID.claimID in the properties file. If the chain definition is found, then ICAS executes it and passes the context with the specific claim.

Example: For executeClaimCommand1=com.ca.sm.icas.command.ExecuteClaimChain, define the email claim as follows:

executeClaimCommand1.emailaddress=com.ca.sm.icas.command.DumpClaimsCommand;

Processes the DumpClaimsCommand if a token is found with an emailaddress claim.

com.ca.sm.icas.command.HashVPPID

Generates a hash of the VPPID claim attribute.

com.ca.sm.icas.command.SetVPPIDAsAnonymous

Sets the VPPID claim attribute value to anonymous. This class file is used for logging in with information cards that are not linked to any user accounts (anonymous access).

com.ca.sm.icas.command.SetVPPIDFromToken

Sets the VPPID claim attribute value from the information card token to the context object.

com.ca.sm.icas.command.StopChain

Returns the value true, which stops the execution of the currently running chain.

com.ca.sm.icas.command.StoreClaimsToContext

Reads the claims from the information card token and store them to the application specific context.

com.ca.sm.icas.command.StoreClaimsToUserStore

Stores the claims read from the information card token to a specified user attribute (in the ICAS properties file) in the user directory.

com.ca.sm.icas.command.TransformScriptInClaim

Escapes the script tags (<, >) in the claims using HTML entities. For example, <td> becomes &lt;td;&gt

com.ca.sm.icas.command.TransformSqlInClaim

Escapes the characters in a claim value so that it can be passed to an SQL query.

com.ca.sm.icas.command.TranslateErrorCode

Translates the exception string found within context. This translated string is stored back into the context.userText that is available in the FCC.

com.ca.sm.icas.command.TranslateErrorCodeFromParms

Translates the exception string found within the ICAS properties file. This translated string is stored back into the context.userText that is available in the FCC.

com.ca.sm.icas.command.UpdateUserStoreWithVPPID

Stores the claims read from the information card token to a specified user attribute (available in the ICAS properties file) from the user directory.

Class Files to Check the Values of Claims

The following class files are used to check the values of claims:

com.ca.sm.icas.StoreClaimsToSessionStore

Stores extracted claims to the session store of Policy Server.

com.ca.sm.icas.command.ErrorIfEmptyClaim

Generates an exception when the claim is empty.

com.ca.sm.icas.command.ErrorIfMultiValueClaim

Generates an exception when the given claim has multiple values.

com.ca.sm.icas.command.ErrorIfNotEmptyClaim

Generates an exception when the given claim is not empty.

com.ca.sm.icas.command.ErrorIfNotMultiValueClaim

Generates an exception when the given claim is not multivalued.

com.ca.sm.icas.command.ErrorIfNotNullClaim

Generates an exception when the given claim is not null.

com.ca.sm.icas.command.ErrorIfNotSingleValueClaim

Generates an exception when the given claim is not single valued.

com.ca.sm.icas.command.ErrorIfNullClaim

Generates an exception when the given claim is null.

com.ca.sm.icas.command.ErrorIfSingleValueClaim

Generates an exception when the given claim is single valued.

Class Files to Debug

The following class files are used for debugging purpose:

com.ca.sm.icas.command.debug.DumpChainID

Displays the chain ID on the console.

Note: To view the output, start the Policy Server in the console mode.

com.ca.sm.icas.command.debug.DumpClaim

Displays the VPPID claim details (name and value) on the console.

Note: To view the output, start the Policy Server in the console mode.

com.ca.sm.icas.command.debug.DumpClaims

Displays the details of all the claims in the token on the console

Note: To view the output, start the Policy Server in the console mode.

com.ca.sm.icas.command.debug.DumpContext

Displays the details of the context object on the console.

Note: To view the output, start the Policy Server in the console mode.

com.ca.sm.icas.command.debug.DumpParameters

Displays the details of the parameters specified in the ICAS properties file on the console.

Note: To view the output, start the Policy Server in the console mode.

com.ca.sm.icas.command.debug.DumpSystemVars

Displays the details of the system environment on the console.

Note: To view the output, start the Policy Server in the console mode.

com.ca.sm.icas.command.debug.DumpThreadStack

Displays the stack trace of the executing thread on the console.

Note: To view the output, start the Policy Server in the console mode.

com.ca.sm.icas.command.debug.GenerateClaim_claims_AsHTML

Generates a new claim "_claims_" that has an HTML table representing the known claims. You can use this claim in an active response to create a cookie or header to show the retrieved claims to a user.

com.ca.sm.icas.command.debug.GenerateClaim_parameters_AsHTML

Generates an HTML table representing the parameters specified in the ICAS properties file. You can use this HTML table in an active response to create a cookie or a header to show the retrieved claims to a user.

com.ca.sm.icas.command.debug.LogClaim

Writes the claim details (name and value) in the chain context to the Policy Server trace logs.

com.ca.sm.icas.command.debug.LogClaims

Writes the details of all the claims in the token to the Policy Server trace log.

com.ca.sm.icas.command.debug.LogDecryptedClaims

Logs the decrypted XML token to the Policy Server trace log.

com.ca.sm.icas.command.debug.LogEncryptedClaims

Logs the encrypted token obtained from the IDP to the Policy Server trace logs.

com.ca.sm.icas.command.debug.START

Displays a START message on the console.

Note: To view the output, start the Policy Server in the console mode.

com.ca.sm.icas.command.debug.STOP

Displays a STOP message on the console.

Note: To view the output, start the Policy Server in the console mode.

com.ca.sm.icas.command.debug.ThrowException

Generates an exception object that includes the claim value as a part of the message.

Store Claims for Later Use in Active Responses

You can store claims for later use in active responses. To store claims for later use, add the following property to the properties file:

postprocessingchain

Defines the chain of commands to execute during user authentication. This phase includes any claim transformation and storage commands.

Example: postprocessingchain=com.ca.sm.authscheme.infocard.command.StoreClaimsToContext

Configure the Certificate Data Store for ICAS

Consider the following:

To configure the certificate data store for ICAS

  1. Use the Web Server Certificate Wizard to export the SSL certificate from an IIS web server to a pfx file.

    Note: For more information, see the Microsoft documentation. The password you provide when exporting the SSL certificate to the pfx file is used later by CA SiteMinder® when importing the SSL certificate from the pfx file.

  2. Use the Administrative UI to import the SSL certificate into the certificate data store.

Configure a User Directory for ICAS

Authentication of the user depends on finding a match between one of the claims presented to ICAS and a user attribute in the user database. During token disassembly, the specified claim value is used as a lookup value in the user directory. Therefore, the user directory must be configured so that the LDAP lookup string or SQL query scheme specifies the user attribute that corresponds to the specified claim. The following examples show how to configure an LDAP lookup string and SQL query scheme for an email address.

LDAP Example

LDAP User DN Lookup group box

Start

(mail=

End

)

SQL Example

SQL Queries group box

Get User/Group Info

SELECT EmailAddress, 'User' FROM SmUser WHERE EmailAddress = '%s' UNION SELECT Name, 'Group' FROM SmGroup WHERE Name = '%s'

Authenticate User

SELECT EmailAddress FROM SmUser WHERE EmailAddress = '%s' AND Password = '%s'

Create an Instance of ICAS

You can create an instance of ICAS by specifying a custom authentication scheme in the Administrative UI.

Limit: Each policy store can support up to ten instances of ICAS.

To create an instance of ICAS

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.

    The Authentication Schemes page appears.

  3. Click Create Authentication Scheme.
  4. Select Create a new object of type Authentication Scheme, and click OK.

    The Create Authentication Scheme: Name page appears.

  5. Type the authentication scheme's name and description.
  6. Select Custom Template from the list of Authentication Scheme Types.

    The Scheme Setup group fields appear.

  7. Enter a value in the Protection Level field.
  8. Clear the Password Policies enabled for this Authentication Scheme Types.

    Note: ICAS does not support Password Policies.

  9. Enter the values for the following fields in Scheme Setup:
    Library

    smjavaapi

    Note: The custom authentication scheme uses the Java Authentication API.

    Secret and Confirm Secret

    Leave these fields blank.

    Note: The custom authentication scheme does not use the shared secret.

    Parameter

    Type the following two parameters in the Parameter field and separate them by a space:

    com.ca.sm.icas.SmAuthInfoCard

    This is the fully qualified name of the class that implements the SmAuthScheme interface.

    policy_server_home\config\icas\InfoCard.properties

    This is the location of the properties file.

    Example:

    com.ca.sm.icas.SmAuthInfoCard policy_server_home\config\icas\InfoCard.properties

  10. (Optional) Select the Store Auth Scheme Context to Session Store option in the Scheme Setup. This option specifies that the authentication context data is persisted.
  11. Click Submit.

    The Create Authentication Scheme task is submitted for processing.

Configure an Active Response that Retrieves a Claim Value

You can use the custom class com.ca.sm.icas.GetClaimValue to configure an active response that retrieves a claim value after authentication is complete.

Note: Storing and retrieving claim values requires a session store. For more information about session stores, see the Policy Server Administration Guide.

To configure an active response that retrieves a claim value

  1. Click Policies, Domain.
  2. Click Responses.

    The Responses page appears.

  3. Click Create Response.

    The Create Response: Select Domain page appears.

  4. Select a domain, and click Next.

    The Create Response: Define Response page appears.

  5. Type the name and a description of the response.
  6. Specify Web Agent as the Agent Type.
  7. Click Create Response Attribute in Attribute List.

    The Create Response Attribute: Name page appears.

  8. Select WebAgent-HTTP-Header-Variable or WebAgent-HTTP-Cookie-Variable from the list of attributes in Attribute Type.
  9. Select Active Response as the Attribute Kind in Attribute Setup.
  10. Type the following values in the Attribute Fields.
    Cookie or Variable Name

    Specifies the name of the claim.

    Example: emailaddress

    Library Name

    Specifies the name of the library.

    Value: smjavaapi

    Function Name

    Specifies the name of the function.

    Value: JavaActiveExpression

    Parameters

    Specifies the custom ICAS command and the location of the file, claims.xsd, that defines standard claim types according to the Information Card model.

    Example: com.ca.sm.authscheme.infocard.GetClaimValue http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  11. Click OK.

    The response that retrieves a claim value is created.

More information:

Store Claims for Later Use in Active Responses

Configure Support for the ICAM White List

The ICAS implementation supports the Federal Identity, Credentialing, and Access Management Identity Metasystem Interoperability 1.0 Profile (ICAM IMI 1.0 Profile) specifications, which is based on White List of issuers and LOA authorization.

Note: For more information about White List and LOA support, see ICAM IMI 1.0 Profile Release Candidate.

To enable White List processing, update the following parameters in the Infocard.properties file.

postprocessingchain

Defines the chain of commands to execute during user authentication.

Example: postprocessingchain=com.ca.sm.icas.whiteListChecker.whiteListChecker

whitelistlocation

Defines the location of the XML file that contains the White List specified by ICAM.

Example: whitelistlocation=C:\\Program Files\\ca\\siteminder\\config\\WhiteList.xml

The ICAS implementation supports the verification of three Level of Assurances (LOAs)

White List processing is mandatory to verify LOA1, LOA2, and LOA3. Append the following details to the postprocessingchain parameter to support LOA processing: