Identity Management
The WSO2 Mashup Server uses the WSO2 Identity Solution to provide two user-friendly means of authentication in addition to the traditional User ID and Password based login. Both OpenID and InfoCard are fast becoming preferred means of authentication for users frustrated and concerned by the need to remember and manage User ID and Password combinations for an increasing number of web sites and services that require authentication.
You can enable both OpenID and InfoCard based authentication for users registering on your WSO2 Mashup Server by updating your server installation as described below.
OpenID
Preparing the Server
If you already set up the 'webapp_url' parameter in the lib/tomcat/webapps/ROOT/WEB-INF/web.xml file when enabling self registration, as shown below, your Mashup Server is ready to allow OpenID based authentication.
<init-param>
    <param-name>webapp_url</param-name>
    <param-value>https://mydomain/</param-value>
</init-param>
Using OpenID
Simply attempting to log in with an unregistered OpenID will trigger the self registration process, if internet guests are allowed on your server. The initial page displayed will warn you that you are attempting to use an unregistered OpenID to log in and request confirmation to register this OpenID on the site.
Once you click on 'Register', the Mashup Server will retrieve your full name, nickname and e-mail ID from your identity provider and display this information in a confirmation page, requesting you to complete any required details that were not made available. Clicking on the 'Register' link here will initiate the standard e-mail ID verification process, after which you may log in using your newly registered OpenID.
Associating an OpenID with an Existing Profile
Clicking on the 'Register your OpenID' link will bring up a text field into which you can enter the URL of the OpenID that you wish to associate with your current profile. Clicking on the 'Add' button will complete the association, after which you can log in using this ID.
InfoCard
Preparing the Server
1. To use InfoCards for authentication, the JDK on your Mashup Server needs to include the 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files', which can be found, along with installation instructions, on the download page for your JDK. The policy file for JDK 1.5 can be found here. Typically, all you need to do is copy the local_policy.jar and US_export_policy.jar files from the downloaded zip file to the /jre/lib/security directory of your JDK, overwriting the two existing files.
2. A keystore needs to be configured on your server. The default configuration and keystore that ships with the Mashup Server will be sufficient for testing CardSpace on your local system, but if you wish to deploy the Mashup Server in a production environment, you need to obtain a valid certificate. The parameters highlighted below need to be changed to match the valid certificate that you will have obtained for your domain before you can allow users to authenticate via InfoCards.
The [Mashup Home]/lib/tomcat/webapps/ROOT/WEB-INF/web.xml file needs to have the keystore information updated.
<init-param>
    <param-name>Keystore</param-name>
    <param-value>../../../../conf/mykeystore.jks</param-value>
</init-param>
<init-param>
    <param-name>StorePass</param-name>
    <param-value>mykeystorepassword</param-value>
</init-param>
<init-param>
    <param-name>KeyAlias</param-name>
    <param-value>myalias</param-value>
</init-param>
<init-param>
    <param-name>KeyPass</param-name>
    <param-value>mykeypass</param-value>
</init-param>
The same change must also be made in the [Mashup Home]/conf/axis2.xml file, by updating the values highlighted below.
<parameter name="keystore">
    <wso2wsas:KeyStore
            xmlns:wso2wsas="http://www.wso2.org/products/wsas">
        <!-- Keystore file location-->
        <wso2wsas:Location>conf/mykeystore.jks</wso2wsas:Location>
        <!-- Keystore type (JKS/PKCS12 etc.)-->
        <wso2wsas:Type>JKS</wso2wsas:Type>
        <!-- Keystore password-->
        <wso2wsas:Password>mykeystorepassword</wso2wsas:Password>
    </wso2wsas:KeyStore>
</parameter>
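Because the keystore is declared in two files, a changed value in one and a stale value in the other is an easy mistake to make. The following check is an added example, not part of the Mashup Server distribution: it parses both fragments and reports disagreements. The function names are hypothetical, the embedded XML is constructed from the placeholder values above, and since the two files give the keystore path relative to different directories, only the file name is compared.

```python
import posixpath
import xml.etree.ElementTree as ET

WSAS = {"w": "http://www.wso2.org/products/wsas"}

# Constructed fragments that reuse the placeholder values shown above.
WEB_XML = """<servlet>
<init-param><param-name>Keystore</param-name><param-value>../../../../conf/mykeystore.jks</param-value></init-param>
<init-param><param-name>StorePass</param-name><param-value>mykeystorepassword</param-value></init-param>
<init-param><param-name>KeyAlias</param-name><param-value>myalias</param-value></init-param>
<init-param><param-name>KeyPass</param-name><param-value>mykeypass</param-value></init-param>
</servlet>"""
AXIS2_XML = """<axisconfig><parameter name="keystore">
<wso2wsas:KeyStore xmlns:wso2wsas="http://www.wso2.org/products/wsas">
<wso2wsas:Location>conf/mykeystore.jks</wso2wsas:Location>
<wso2wsas:Type>JKS</wso2wsas:Type>
<wso2wsas:Password>mykeystorepassword</wso2wsas:Password>
</wso2wsas:KeyStore></parameter></axisconfig>"""

def local(tag):
    """Element name without any '{namespace}' prefix (a real web.xml may declare one)."""
    return tag.rsplit("}", 1)[-1]

def web_params(xml_text):
    """Map param-name -> param-value for every init-param in web.xml."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "init-param":
            kv = {local(c.tag): (c.text or "").strip() for c in el}
            params[kv.get("param-name", "")] = kv.get("param-value", "")
    return params

def axis2_keystore(xml_text):
    """Return Location, Type and Password from the axis2.xml keystore parameter."""
    ks = ET.fromstring(xml_text).find(".//parameter[@name='keystore']/w:KeyStore", WSAS)
    if ks is None:
        raise ValueError("axis2.xml has no keystore parameter")
    return {t: ks.findtext("w:" + t, "", WSAS).strip() for t in ("Location", "Type", "Password")}

def check(web_xml, axis2_xml):
    """List the ways the two files disagree; an empty list means they match."""
    web, ax = web_params(web_xml), axis2_keystore(axis2_xml)
    problems = [f"web.xml: {n} missing or empty"
                for n in ("Keystore", "StorePass", "KeyAlias", "KeyPass") if not web.get(n)]
    if posixpath.basename(web.get("Keystore", "")) != posixpath.basename(ax["Location"]):
        problems.append("keystore file differs")
    if web.get("StorePass", "") != ax["Password"]:
        problems.append("keystore password differs")
    return problems

if __name__ == "__main__":
    print(check(WEB_XML, AXIS2_XML) or "keystore settings agree")
```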
Preparing the Client
1. Windows/IE users should download the Microsoft .NET Framework 3.0 Redistributable Package from here and install it to set up the CardSpace selector in your Windows based client. Also, please make sure you're running MSIE 7.0 or newer.
2. Firefox users can use an Identity Selector plugin of their choice.
3. If you are using the certificate that was shipped with the Mashup Server, or another certificate from an untrusted CA for your testing, you will need to trust the certificate of the root CA or the Identity Selector will display an error saying it cannot verify the identity of the site.
- On MSIE, right click on the self registration or profile page, before you choose to submit your InfoCard
- Select Properties --> Certificates --> Certification Path
- Select the certificate of the root CA
- View Certificate
- Install
Using InfoCard
As a user, you can either register yourself using your InfoCard directly, or register using a username and password, and associate your InfoCard with this profile later on.
Self Registration with InfoCard
When the 'Get details from my personal or Managed InfoCard' image is clicked, you will be shown the Identity Selector, from which you need to select the InfoCard that you plan to use to register on the Mashup Server.

Once you send the card across, the server will extract the required claims from the information supplied by the InfoCard and display them for verification, while requesting you to enter a username, based on which the server will create your profile and script directory. After the standard e-mail ID verification step is complete, you may log in using your InfoCard and associate other InfoCards, OpenIDs or even a password with your profile.
Associating an InfoCard with an Existing Profile
The 'Management Tasks' pane of the profile page contains a link to 'Register your InfoCard'. This can be used as many times as necessary, to associate as many cards as you require with your profile. Simply click on the link, select the card to be associated in your Identity Selector and send. The next time you access your profile, you will see the list of associated cards displayed.

Further Reading
For more details on OpenID and the advantages of using OpenID based authentication on your Mashup Server, please refer to this article on the WSO2 Oxygen Tank.
For an introduction to Windows CardSpace, read this article at MSDN, which also contains a link to the CardSpace community site, from where you can get access to a host of other resources on InfoCard.