Information Card Ruby

UPDATED WIKI: Home

joepoon — Fri, 06 Jul 2007 00:24:29 GMT

Project Home Page

For everything Information Card Ruby, visit http://www.informationcardruby.com

What is Information Card Ruby?
Information Card Ruby provides a rails plugin and supporting library for integrating personal information cards to your Ruby on Rails relying party web application. In the Identity Metasystem, an application that requests and consumes digital identities about an individual is called a relying party. As we develop and learn from this project, Information Card Ruby will generate a developer guideline for integrating information cards to your rails website, much in the spirit of Accepting Information Cards to your ASP.NET site - if we have done the plugin right, this guideline will be short and sweet.

Project Contributors
Information Card Ruby is an open source collaboration project driven by:
Microsoft and ThoughtWorks.


Microsoft is the project sponsor and being CardSpace experts, provides architectural guidance and best practices in the Identity MetaSystem.	ThoughtWorks is actively involved in some of the world's leading Ruby projects and is excited to be driving the development on Information Card Ruby.

What is CardSpace?
In the Identity Metasystem, there are several players including the user, the identity selector and the relying party. This project allows a relying party (your website) to accept and process information cards from a user.

From http://cardspace.netfx3.com/
"Windows CardSpace is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way. It is what is known as an identity selector: when a user – or subject – needs to authenticate to a website or a web service, CardSpace pops up a special security-hardened UI with a set of “cards” for the user to choose from. Each card has some identity data associated with it – though this is not actually stored in the card – and has been given to the user by an identity provider such as their bank, employer or government. In fact, the user can also act as an identity provider – this is essentially what we do every time we register at a website. The CardSpace UI enables users to create Personal cards and associate a limited set of identity data. When the user chooses a card, a request in the form of a web service call goes to the relevant provider, and a signed and encrypted security token is returned containing the required information (e.g. credit limit, employer’s name and address, or perhaps a social security number). The user, in control of the flow of information at all times, then decides whether to release this information to the requesting online service. If the user approves then the token is sent on to this relying party where the token is processed and the user is authenticated."

Open Standards
The Information Card model is built on open, interoperable communication standards that have been implemented on Windows and other platforms. Case in point, the relying party can be implemented in Ruby on Rails (that's us!). For more information on interoperability, take a look at the Identity Selector Interoperability Profile.

The General Idea
Lost in the Identity Metasystem? Need more information on information cards? No worries! Below is a diagram of a typical scenario to set your mental context - here, we have our star user Molly who would like to login into your rails application with her personal information card. Note that this diagram is ultra simple and by no means correct - luckily for you, we have the good folks at Microsoft to provide us with the proper guidance at cardspace.netfx.com.

Squinting? To view a larger image, click here: The General Idea

User Scenarios
To get started, we have identified stories and tasks. To help you get a feel for what we are working on, some are listed below:

As a user, I would like to:

Design goals

Provide a plugin to provide out-of-the-box information card authentication
Provide documentation as to how to incorporate information cards to your website
Provide a well tested plugin that so that fellow developers using it can sleep at night and stay up late at night contributing to it.
Simplicity. From James Adams on rails plugins, "It was the small mammals who survived when the the dinosaurs died out."
Extract, don't expect it. To achieve this simplicity that James describes, we're not going to start by building a plugin to handle every conceivable cardspace scenario. Instead, we will first spike an application to authenticate personal information cards - we'll learn from it, immerse in it, be at one with the information card and then from there, extract out what makes sense. Afterall, every piece of code just wants to have a purpose.

Scope
To keep things simple, Information Card Ruby will only address personal information cards and SAML security tokens, as generated by Windows CardSpace.

Technical Notes
To use cardspace with your rails application, you need the following:

SSL: The Windows CardSpace Identity Selector requires an SSL channel. To setup a Ruby on Rails website configured over HTTPS, an option is to setup an Apache SSL virtual host which proxies requests to your mongrel server or cluster.
Internet Explorer 7 (or FireFox with Cardspace plugin)
Windows Vista or Windows XP with .NET 3.0 Framework
MySQL: This project will use MySQL as the underlying database.

Feedback
We believe in short feedback loops. We want to deploy often and always know the status of our codebase. So, we have a live server which will run the latest codebase and a continuous integration server to tell us who to thank for fixing the build.

A live demo can be found at: https://www.informationcardruby.com/forums
The cruisecontrol.rb server can be found at: http://cruisecontrol.informationcardruby.com

More importantly, let us know what you like and even more importantly, what you don't like!

Where's the code?
The code resides at RubyForge under the project Information Card.

CodePlex and RubyForge
In bringing together platforms and technologies (it's truly a beautiful thing), there are naturally more choices, including the project home for open source projects - namely CodePlex and RubyForge. The approach that we've taken is to use both. We'll use CodePlex's wiki and RubyForge's issue tracker, mailing list and subversion repository to house the codebase in subversion. We'll try our very best not to duplicate information between the sites and make it intuitive where to find things. We'd love to hear your comments or opinions as to what you would like to see!

UPDATED WIKI: Home

jsallis — Wed, 27 Jun 2007 17:35:04 GMT

Project Home Page


Microsoft is the project sponsor and being CardSpace experts, provides architectural guidance and best practices in the Identity MetaSystem.	ThoughtWorks is actively involved in some of the world's leading Ruby projects and is excited to be driving the development on Information Card Ruby.

What is CardSpace?
In the Identity Metasystem, there are several players including the user, the identity selector and the relying party. This project allows a relying party (your website) to accept and process information cards from a user.

From http://cardspace.netfx3.com/
"Windows CardSpace, formerly codenamed “InfoCard”, is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way. It is what is known as an identity selector: when a user – or subject – needs to authenticate to a website or a web service, CardSpace pops up a special security-hardened UI with a set of “cards” for the user to choose from. Each card has some identity data associated with it – though this is not actually stored in the card – and has been given to the user by an identity provider such as their bank, employer or government. In fact, the user can also act as an identity provider – this is essentially what we do every time we register at a website. The CardSpace UI enables users to create Personal cards and associate a limited set of identity data. When the user chooses a card, a request in the form of a web service call goes to the relevant provider, and a signed and encrypted security token is returned containing the required information (e.g. credit limit, employer’s name and address, or perhaps a social security number). The user, in control of the flow of information at all times, then decides whether to release this information to the requesting online service. If the user approves then the token is sent on to this relying party where the token is processed and the user is authenticated."

Open Standards
The Information Card model is built on open, interoperable communication standards that have been implemented on Windows and other platforms. Case in point, the relying party can be implemented in Ruby on Rails (that's us!). For more information on interoperability, take a look at the Identity Selector Interoperability Profile.

The General Idea
Lost in the Identity Metasystem? Need more information on information cards? No worries! Below is a diagram of a typical scenario to set your mental context - here, we have our star user Molly who would like to login into your rails application with her personal information card. Note that this diagram is ultra simple and by no means correct - luckily for you, we have the good folks at Microsoft to provide us with the proper guidance at cardspace.netfx.com.

Squinting? To view a larger image, click here: The General Idea

User Scenarios
To get started, we have identified stories and tasks. To help you get a feel for what we are working on, some are listed below:

As a user, I would like to:

Design goals

Provide a plugin to provide out-of-the-box information card authentication
Provide documentation as to how to incorporate information cards to your website
Provide a well tested plugin that so that fellow developers using it can sleep at night and stay up late at night contributing to it.
Simplicity. From James Adams on rails plugins, "It was the small mammals who survived when the the dinosaurs died out."
Extract, don't expect it. To achieve this simplicity that James describes, we're not going to start by building a plugin to handle every conceivable cardspace scenario. Instead, we will first spike an application to authenticate personal information cards - we'll learn from it, immerse in it, be at one with the information card and then from there, extract out what makes sense. Afterall, every piece of code just wants to have a purpose.

SSL: The Windows CardSpace Identity Selector requires an SSL channel. To setup a Ruby on Rails website configured over HTTPS, an option is to setup an Apache SSL virtual host which proxies requests to your mongrel server or cluster.
Internet Explorer 7 (or FireFox with Cardspace plugin)
Windows Vista or Windows XP with .NET 3.0 Framework
MySQL: This project will use MySQL as the underlying database.

A live demo can be found at: https://www.informationcardruby.com/forums
The cruisecontrol.rb server can be found at: http://cruisecontrol.informationcardruby.com

UPDATED WIKI: Home

jsallis — Wed, 27 Jun 2007 17:34:12 GMT

Project Home Page


Microsoft is the project sponsor and being CardSpace experts, provides architectural guidance and best practices in the Identity MetaSystem.	ThoughtWorks is actively involved in some of the world's leading Ruby projects and is excited to be driving the development on Information Card Ruby.

What is CardSpace?
In the Identity Metasystem, there are several players including the user, the identity selector and the relying party. This project allows a relying party (your website) to accept and process information cards from a user.

From http://cardspace.netfx3.com/
"Windows CardSpace, formerly codenamed “InfoCard”, is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way. It is what is known as an identity selector: when a user – or subject – needs to authenticate to a website or a web service, CardSpace pops up a special security-hardened UI with a set of “cards” for the user to choose from. Each card has some identity data associated with it – though this is not actually stored in the card – and has been given to the user by an identity provider such as their bank, employer or government. In fact, the user can also act as an identity provider – this is essentially what we do every time we register at a website. The CardSpace UI enables users to create Personal cards and associate a limited set of identity data. When the user chooses a card, a request in the form of a web service call goes to the relevant provider, and a signed and encrypted security token is returned containing the required information (e.g. credit limit, employer’s name and address, or perhaps a social security number). The user, in control of the flow of information at all times, then decides whether to release this information to the requesting online service. If the user approves then the token is sent on to this relying party where the token is processed and the user is authenticated."

Open Standards
The Information Card model is built on open, interoperable communication standards that have been implemented on Windows and other platforms. Case in point, the relying party can be implemented in Ruby on Rails (that's us!). For more information on interoperability, take a look at the Identity Selector Interoperability Profile.

The General Idea
Lost in the Identity Metasystem? Need more information on information cards? No worries! Below is a diagram of a typical scenario to set your mental context - here, we have our star user Molly who would like to login into your rails application with her personal information card. Note that this diagram is ultra simple and by no means correct - luckily for you, we have the good folks at Microsoft to provide us with the proper guidance at cardspace.netfx.com.

Squinting? To view a larger image, click here: The General Idea

User Scenarios
To get started, we have identified stories and tasks. To help you get a feel for what we are working on, some are listed below:

As a user, I would like to:

Design goals

Provide a plugin to provide out-of-the-box information card authentication
Provide documentation as to how to incorporate information cards to your website
Provide a well tested plugin that so that fellow developers using it can sleep at night and stay up late at night contributing to it.
Simplicity. From James Adams on rails plugins, "It was the small mammals who survived when the the dinosaurs died out."
Extract, don't expect it. To achieve this simplicity that James describes, we're not going to start by building a plugin to handle every conceivable cardspace scenario. Instead, we will first spike an application to authenticate personal information cards - we'll learn from it, immerse in it, be at one with the information card and then from there, extract out what makes sense. Afterall, every piece of code just wants to have a purpose.

SSL: The Windows CardSpace Identity Selector requires an SSL channel. To setup a Ruby on Rails website configured over HTTPS, an option is to setup an Apache SSL virtual host which proxies requests to your mongrel server or cluster.
Internet Explorer 7 (or FireFox with Cardspace plugin)
Windows Vista or Windows XP with .NET 3.0 Framework
MySQL: This project will use MySQL as the underlying database.

The cruisecontrol.rb server can be found at: http://cruisecontrol.informationcardruby.com
A live demo can be found at: https://www.informationcardruby.com/forums

CLOSED TASK: Logging strategy

joepoon — Mon, 25 Jun 2007 18:48:05 GMT

Reminder to investigate the logging strategy for information card ruby.
Comments: Migrating off of Codeplex

CLOSED FEATURE: Auto-populate user fields on registration with information card

joepoon — Mon, 25 Jun 2007 18:48:04 GMT

As a user, it'd be nice if the fields (ex. username, email address) would populate from the claims in the information card (if present).
Comments: Migrating off of Codeplex

CLOSED TASK: Performance Review

joepoon — Mon, 25 Jun 2007 18:48:04 GMT

This is a reminder to review the performance - epescially when it comes to parsing & examing the encrypted and SAML tokens.
Comments: Migrating off of Codeplex

CLOSED TASK: Security Review / Threat Model

joepoon — Mon, 25 Jun 2007 18:48:03 GMT

Examine the security vulnerabilities to exercise due diligence when providing a plugin/library that performs user authentication for sites.
Comments: Migrating off of Codeplex

CLOSED TASK: Validate SAML Schema

joepoon — Mon, 25 Jun 2007 18:48:01 GMT

Should the SAML document be validated against a schema?

Also, the schema does not allow "colons" in the AssertionID, yet the SAML tokens generated have "colons."
Comments: Migrating off of Codeplex

CLOSED TASK: Support encryption algorithms

joepoon — Mon, 25 Jun 2007 18:48:00 GMT

As a developer, I would like to support both http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p and http://www.w3.org/2001/04/xmlenc#rsa-1_5 algorithms for decrypting the incoming information card token.
Comments: Migrating off of Codeplex

CLOSED TASK: Support x509 certificates in SAML KeyInfo

joepoon — Mon, 25 Jun 2007 18:47:59 GMT

As a developer, I would like the library to support scenarios where the public key of the identity provider uses x509 certificates.
Comments: Migrating off of Codeplex

CLOSED TASK: Protect against replay attacks

joepoon — Mon, 25 Jun 2007 18:47:58 GMT

As a developer, I would like the library to protect the end user from replay attacks (ensure that the assertion id has not been used within the same window before).
Comments: Migrating off of Codeplex

CLOSED FEATURE: Detect for information card enabled browser

joepoon — Mon, 25 Jun 2007 18:47:58 GMT

s a developer, I would like a mechanism for detecting if the user is using an information card enabled browser.

Script code can detect browser support for Information Cards within Internet Explorer by testing the userAgent string to determine whether the browser version is greater than or equal to "MSIE 7.0". A second issue with Internet Explorer 7 is that the Information Card support might not be installed (because Microsoft .NET Framework 3.0 is not installed on the machine). This can be detected within the browser by using the "isInstalled" property on the Information Card OBJECT from scripting code. .NET 3.0 installation can be detected on web servers by testing whether the userAgent string contains ".NET CLR 3.0".

For example, the userAgent string on a Windows XP machine using IE 7 and .NET 3.0 will contain at least these elements:

MSIE 7.0; Windows NT 5.1; .NET CLR 3.0.04506.30
Comments: Migrating off of Codeplex

CLOSED FEATURE: Specify policy via XHTML Syntax

joepoon — Mon, 25 Jun 2007 18:47:57 GMT

As a developer, I would like the option of specifying the security policy via XHTML syntax (as opposed to OBJECT tags) to handle the scenarios where OBJECT tags are not supported.
Comments: Migrating off of Codeplex

CLOSED FEATURE: Specify policy via WS-SecurityPolicy

joepoon — Mon, 25 Jun 2007 18:47:57 GMT

As a developer, I would like to specify the security policy via WS-SecurityPolicy.

The most straight forward way to specify the policy is via HTML extensions which signal to the browser when to invoke the Identity Selector.

http://msdn2.microsoft.com/en-us/library/aa480726.aspx
Comments: Migrating off of Codeplex

CLOSED FEATURE: Guideline for integrating library / plugin to your rails site

joepoon — Mon, 25 Jun 2007 18:47:56 GMT

As a developer, I would like to have a guideline as to how to support information cards on my rails site.
Comments: Migrating off of Codeplex

CLOSED TASK: Generate unique ID from SAML token

joepoon — Mon, 25 Jun 2007 18:47:53 GMT

As a developer, I would like for the SAML token to provide me a unique ID such that I can identify this user in the database.

To identify a user, a unique id will be generated from the received SAML token. This could be generated from as hash of the Issuer's key + PPID (Identification Claim type).

A question that is up for discussion is what happens if the PPID is not a required claim? What would the uniqueID resolve to?
Comments: Migrating off of Codeplex

UPDATED WIKI: Home

joepoon — Mon, 25 Jun 2007 18:36:43 GMT

Project Home Page


Microsoft is the project sponsor and being CardSpace experts, provides architectural guidance and best practices in the Identity MetaSystem.	ThoughtWorks is actively involved in some of the world's leading Ruby projects and is excited to be driving the development on Information Card Ruby.

What is CardSpace?
In the Identity Metasystem, there are several players including the user, the identity selector and the relying party. This project allows a relying party (your website) to accept and process information cards from a user.

From http://cardspace.netfx3.com/
"Windows CardSpace, formerly codenamed “InfoCard”, is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way. It is what is known as an identity selector: when a user – or subject – needs to authenticate to a website or a web service, CardSpace pops up a special security-hardened UI with a set of “cards” for the user to choose from. Each card has some identity data associated with it – though this is not actually stored in the card – and has been given to the user by an identity provider such as their bank, employer or government. In fact, the user can also act as an identity provider – this is essentially what we do every time we register at a website. The CardSpace UI enables users to create Personal cards and associate a limited set of identity data. When the user chooses a card, a request in the form of a web service call goes to the relevant provider, and a signed and encrypted security token is returned containing the required information (e.g. credit limit, employer’s name and address, or perhaps a social security number). The user, in control of the flow of information at all times, then decides whether to release this information to the requesting online service. If the user approves then the token is sent on to this relying party where the token is processed and the user is authenticated."

Open Standards
The Information Card model is built on open, interoperable communication standards that have been implemented on Windows and other platforms. Case in point, the relying party can be implemented in Ruby on Rails (that's us!). For more information on interoperability, take a look at the Identity Selector Interoperability Profile.

The General Idea
Lost in the Identity Metasystem? Need more information on information cards? No worries! Below is a diagram of a typical scenario to set your mental context - here, we have our star user Molly who would like to login into your rails application with her personal information card. Note that this diagram is ultra simple and by no means correct - luckily for you, we have the good folks at Microsoft to provide us with the proper guidance at cardspace.netfx.com.

Squinting? To view a larger image, click here: The General Idea

User Scenarios
To get started, we have identified stories and tasks. To help you get a feel for what we are working on, some are listed below:

As a user, I would like to:

Design goals

Provide a plugin to provide out-of-the-box information card authentication
Provide documentation as to how to incorporate information cards to your website
Provide a well tested plugin that so that fellow developers using it can sleep at night and stay up late at night contributing to it.
Simplicity. From James Adams on rails plugins, "It was the small mammals who survived when the the dinosaurs died out."
Extract, don't expect it. To achieve this simplicity that James describes, we're not going to start by building a plugin to handle every conceivable cardspace scenario. Instead, we will first spike an application to authenticate personal information cards - we'll learn from it, immerse in it, be at one with the information card and then from there, extract out what makes sense. Afterall, every piece of code just wants to have a purpose.

SSL: The Windows CardSpace Identity Selector requires an SSL channel. To setup a Ruby on Rails website configured over HTTPS, an option is to setup an Apache SSL virtual host which proxies requests to your mongrel server or cluster.
Internet Explorer 7 (or FireFox with Cardspace plugin)
Windows Vista or Windows XP with .NET 3.0 Framework
MySQL: This project will use MySQL as the underlying database.

The cruisecontrol.rb server can be found at: http://cruisecontrol.informationcardruby.com
A live demo can be found at: https://www.informationcardruby.com/forums

UPDATED WIKI: Home

joepoon — Mon, 25 Jun 2007 18:34:45 GMT

Project Home Page


Microsoft is the project sponsor and being CardSpace experts, provides architectural guidance and best practices in the Identity MetaSystem.	ThoughtWorks is actively involved in some of the world's leading Ruby projects and is excited to be driving the development on Information Card Ruby.

What is CardSpace?
In the Identity Metasystem, there are several players including the user, the identity selector and the relying party. This project allows a relying party (your website) to accept and process information cards from a user.

From http://cardspace.netfx3.com/
"Windows CardSpace, formerly codenamed “InfoCard”, is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way. It is what is known as an identity selector: when a user – or subject – needs to authenticate to a website or a web service, CardSpace pops up a special security-hardened UI with a set of “cards” for the user to choose from. Each card has some identity data associated with it – though this is not actually stored in the card – and has been given to the user by an identity provider such as their bank, employer or government. In fact, the user can also act as an identity provider – this is essentially what we do every time we register at a website. The CardSpace UI enables users to create Personal cards and associate a limited set of identity data. When the user chooses a card, a request in the form of a web service call goes to the relevant provider, and a signed and encrypted security token is returned containing the required information (e.g. credit limit, employer’s name and address, or perhaps a social security number). The user, in control of the flow of information at all times, then decides whether to release this information to the requesting online service. If the user approves then the token is sent on to this relying party where the token is processed and the user is authenticated."

Open Standards
The Information Card model is built on open, interoperable communication standards that have been implemented on Windows and other platforms. Case in point, the relying party can be implemented in Ruby on Rails (that's us!). For more information on interoperability, take a look at the Identity Selector Interoperability Profile.

The General Idea
Lost in the Identity Metasystem? Need more information on information cards? No worries! Below is a diagram of a typical scenario to set your mental context - here, we have our star user Molly who would like to login into your rails application with her personal information card. Note that this diagram is ultra simple and by no means correct - luckily for you, we have the good folks at Microsoft to provide us with the proper guidance at cardspace.netfx.com.

Squinting? To view a larger image, click here: The General Idea

User Scenarios
To get started, we have identified stories and tasks. To help you get a feel for what we are working on, some are listed below:

As a user, I would like to:

Design goals

Provide a plugin to provide out-of-the-box information card authentication
Provide documentation as to how to incorporate information cards to your website
Provide a well tested plugin that so that fellow developers using it can sleep at night and stay up late at night contributing to it.
Simplicity. From James Adams on rails plugins, "It was the small mammals who survived when the the dinosaurs died out."
Extract, don't expect it. To achieve this simplicity that James describes, we're not going to start by building a plugin to handle every conceivable cardspace scenario. Instead, we will first spike an application to authenticate personal information cards - we'll learn from it, immerse in it, be at one with the information card and then from there, extract out what makes sense. Afterall, every piece of code just wants to have a purpose.

SSL: The Windows CardSpace Identity Selector requires an SSL channel. To setup a Ruby on Rails website configured over HTTPS, an option is to setup an Apache SSL virtual host which proxies requests to your mongrel server or cluster.
Internet Explorer 7 (or FireFox with Cardspace plugin)
Windows Vista or Windows XP with .NET 3.0 Framework
MySQL: This project will use MySQL as the underlying database.

The cruisecontrol.rb server can be found at: http://cruisecontrol.informationcardruby.com
A live demo of the code basecan be found at: http://www.informationcardruby.com/demo

COMMENTED FEATURE: Specify policy via XHTML Syntax

joepoon — Mon, 25 Jun 2007 18:32:14 GMT

COMMENTED FEATURE: Detect for information card enabled browser

joepoon — Mon, 25 Jun 2007 18:32:14 GMT