Certificate Module and different levels of assurance

Certificate Module and different levels of assurance

Michael Alexander

Can a module return different authentication levels?  Is the module name returned from the class mutable?

Right now we have two certificate modules.  One is used for soft certificates, another is used for smart cards.  Authentication succeeds based on known issuers and revocation status.  You couldn't use the soft certificate to sign on to the smart card module and vice versa.  Now we need to add a third certificate module for devices.

I am wondering if there is a way in OpenAM >11.0 to build one module.  The module would look at the issuer and the OIDs in the certificate to determine what authentication level should be assigned, and maybe return a different module name.

Our policies in OpenAM will use the authentication level to determine access to resources.  Other applications that need more fine-grained controls will check the OpenAM session for the module name: if softCert, only functions 1-3 are permitted; if hardCert, all access is allowed; if deviceCert, only one access is allowed.

if (certificate.isDevice()) {
    // check the issuer, check the template and assigned name
    // return an auth level of 30 and say this is module "deviceCert"
} else {
    switch (certificate.getIssuer()) {
        case "certissuer1":
            // only issues soft certs: return level of 50 and module "softCert"
            break;
        case "certissuer2":
            // issues soft and smart card certificates
            if (certificate.listOids().contains(hardware)) {
                // return level 80 and module "hardCert"
            } else {
                // return level 50
            }
            break;
        default:
            // unknown issuer: authentication fails
            break;
    }
}

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Certificate Module and different levels of assurance

Zoltan Tarcsay
Hi,

AFAIK, modules cannot "return" an authLevel; they can either succeed or fail (i.e. return an enum).
What would be the benefit of putting all this functionality into a single module? To my mind it's better to have more module instances so you have config-level control over the authentication logic, rather than having to change the source code. You could make your module configurable so that you don't need 3 different implementations for the 3 use cases.

-Zoltan


Re: Certificate Module and different levels of assurance

Michael Alexander

The reason I was hoping to use just one is so I can set up a single service for the realm that manages the authentication. Right now, I configure the CDCServlet property to redirect to an interim HTML page where the user has to select the authentication module.

I can make the new module configurable.  Parameters in the module for issuer, OIDs to check, that kind of stuff.  Then set up three instances for hardCert, softCert, and deviceCert with the different auth levels.

Will that work in a service chain where I stack each of the three with "sufficient"?

Then I get the same effect: the user agent doesn't have to select between one of the three unless they have all of them, which isn't a normal configuration.


Re: Certificate Module and different levels of assurance

Bernhard Thalmayr
https://backstage.forgerock.com/static/docs/openam/12.0.0/apidocs/src-html/com/sun/identity/authentication/spi/AMLoginModule.html#line.1265


might be what you need.

-Bernhard

--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

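Zoltan's suggestion (one configurable module, three instances) combined with the AMLoginModule method Bernhard links to, as an added sketch that is not code from this thread or from OpenAM itself. The attribute names, the class and the "certAssurance" session property are assumptions; revocation checking and mapping the certificate to a user are left to the existing Cert module, and OID matching here covers extension OIDs only.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.LoginException;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.util.ISAuthConstants;
import com.sun.identity.shared.datastruct.CollectionHelper;

public class AssuranceCertModule extends AMLoginModule {
    // Hypothetical attribute names: each instance (softCert, hardCert, deviceCert)
    // is configured with its own accepted issuer (RFC 2253 DN), required OID, level and label.
    private String issuer, oid, label;
    private int level;
    private Principal principal;

    public void init(Subject subject, Map sharedState, Map options) {
        issuer = CollectionHelper.getMapAttr(options, "assurance-issuer");
        oid = CollectionHelper.getMapAttr(options, "assurance-oid", "");
        level = Integer.parseInt(CollectionHelper.getMapAttr(options, "assurance-level"));
        label = CollectionHelper.getMapAttr(options, "assurance-label");
    }

    @Override
    public int process(Callback[] callbacks, int state) throws LoginException {
        X509Certificate[] chain = (X509Certificate[]) getHttpServletRequest()
                .getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) throw new AuthLoginException("no client certificate");
        X509Certificate cert = chain[0];
        // Fail closed on an issuer this instance does not accept, so that in a chain of
        // SUFFICIENT instances control falls through to the next one instead of succeeding.
        if (!issuer.equals(cert.getIssuerX500Principal().getName())) throw new AuthLoginException("issuer not accepted by " + label);
        if (!oid.isEmpty() && !extensionOids(cert).contains(oid)) throw new AuthLoginException("required OID absent for " + label);
        setAuthLevel(level);                            // the AMLoginModule method Bernhard links to
        setUserSessionProperty("certAssurance", label); // applications read this from the session
        principal = cert.getSubjectX500Principal();     // a real module would map this to a user
        return ISAuthConstants.LOGIN_SUCCEED;
    }

    // Extension OIDs only; certificate-policy OIDs sit inside 2.5.29.32 and need ASN.1 decoding.
    private static Set<String> extensionOids(X509Certificate cert) {
        Set<String> oids = new HashSet<>();
        if (cert.getCriticalExtensionOIDs() != null) oids.addAll(cert.getCriticalExtensionOIDs());
        if (cert.getNonCriticalExtensionOIDs() != null) oids.addAll(cert.getNonCriticalExtensionOIDs());
        return oids;
    }
    public Principal getPrincipal() { return principal; }
}
```

Because each instance throws on a non-matching issuer rather than succeeding, stacking the three as SUFFICIENT in one chain lets the first instance that accepts the presented certificate decide the session's auth level and label.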