idp-sp-storage API #4
Comments
|
Hello! Also, the sequence diagram for this shows a flow that involves some kind of embedded discovery service (and I assume is limited to an embedded type). That is not clearly reflected in the test. For example, if the SP is in an unconfigured state, a first step could be to initiate discovery before the |
|
Allowing for IdP-Initiated SSO. It might be useful to have a similar call to |
|
Thinking about this after our workshop I suspect we may need some trust component in this case aswell to make the UX work reasonably well. As it stands the IdP and SP are represented essentially by their respective ORIGIN but in order to support human-friendly naming, branding elements and - equally importantly - multiple protocol endpoints per IdP/SP it is probably necessary to authenticate the binding between ORIGIN and any additional data needed to produce good UX. This is exactly what SAML and OIDC metadata does today but trusting the caller to provide this data opens the way for a rogue SP to provide false endpoints thereby tricking a user into a flow that leads to tracking. The solution could be to introduce some form of trust anchor (eg the federation operator) that can authenticate data associated with the SP and IdP. |
|
it may be possible to support a simple version of the api which only takes ORIGIN (sp and idp) as input without introducing external trust but at the expense of the UX only being able to display the ORIGIN. In the mockups above the name of the University would be replaced by its URL. |
|
added judielaine's flowchart diagram that was also agreed by the participants at the meeting |
|
Adding steps in authentication process is the opposite of seamless. It's not user-friendly; it's frustrating. There are already so many steps that users have to go through (multiple results in WAYF, IdP's MFA, questions at SP's side, popups asking for rating, updates, etc.). This was meant to be seamless access. If we ask a user to take action then it needs to make sense to them, and in such situation the user is not making an informed choice, they're just feeding the browser so it lets them pass. It's not even a choice. 99,99% of all users will have no clue what's going on, they can't possibly know whether the SP is to be trusted or not or whether their choice was the right one (before they actually authenticate). And if they do make the wrong choice in haste, then what? There's already an existing trust infrastructure that has been established for this purpose and we should utilize that. This could perhaps be a fallback for when the existing trust infrastructure isn't in place, for bilateral connections. It still won't be user friendly but at least it would be needed. |
|
It would be very helpful if you could add an intro section that talks about both the user journey and problem statement before diving into a proposed solution. For example, "A university student wants to access a research paper from research.org. Their university is part of a federation that provides access to research.org... blah blah". Ideally the problem statement would highlight the issues you're facing today and the issues you think you'll be facing tomorrow (3PCD, link decoration, etc). |
@philsmart The idea here is that |
|
Attaching a quickly put together user flow with some descriptions; if a different format is needed and/or I could upload it somewhere for easy collaboration, please let me know where. |
For clarity: This describes an old flow of how a implementor of the SeamlessAccess discovery and persistence service has its set up. It is not related to the context of the proposal #4. |
Yes, this was a response to timcappalli's comment above. |
|
Updated the proposal today with information about the "Threat model". |
|
Here are a few issues with the current FedCM and solutions this model offers. Many IdPs may be hosted by a cloud provider at an OriginAzure and Cirrus are examples. Current model cannot distinguish between all the different IdPs at the origin. This proposal provides a method by which more sophisticated integrations can supply the full URLs for the endpoints currently at .well-known . Note that while an identifier could be provided for the origin .well-known, the scale of some of the cloud provides may make loading that file prohibitively slow. Many SPs may be hosted by a cloud providerOffice 365 and Liblynx (a platform for journals) are examples. Current model cannot provide the IdP sufficient information to distinguish between options. This proposal provides a method by which more sophisticated integrations can supply the full URLs for the endpoints IdPs pre-provision as acceptable locations to return Authentication responses. Roadmap for more trustAssuming that browsers will allow protocol exchanges to continue, the provisioning of all the metadata allows a browser to restrict front channel cross domain authentication exchanges to the same pre-specified endpoints that the protocols use. Admittedly, this will require additional user interactions when protocol endpoints change. The endpoints provided by the SP for the IdP and or the SP itself can also be signed by a trust credentialing partner, allowing browsers to signal to endusers that the endpoints are certified by an trusted party. |
Can you give us real world examples? Can you copy/paste an Azure / Cirrus URL that represents a real world IdP? And can't some of this be solved with DNS CNAMES? |
From what I understand, one of the most fundamental problems with the current FedCM design at the moment is that the Multi-IdP API wouldn't be able to handle the scale of O(1K) IdPs (which is common in this space) that the user can choose from (we currently assume in the design O(< 10) IdPs). Is it fair to articulate this as one of the problems we face? |
The other issue that I heard from Gary was along the lines of "IdP sessions are typically short-lived (say, a few hours, e.g. at the University Of Arizona it was around 8 hours)", which is an assumption that we don't take into consideration in the current design. |
|
FedCM calls all IdPs to find accounts. Typical federation flow would be just to choose the IdP without making any calls to find account/session. |
Most website only support a few number of IdPs, I did conduct some empirical study several years ago. The 'craziest RP' supported 9 RPs then. This applied for OAuth and OpenID Connect RPs. |
|
Another note I got from the demo you walked us through:
|
Here are some examples:
|
CILogon is a RP that brokers access from the eduGAIN federation to a large number of scientific resources. It supports more than 4000 IdP. See https://cilogon.org/ That is only one example. Many RPs in the higher education and research space federate with thousands of IdPs. It's how the community facilitates scholarly and research collaboration. |
|
Correct.
Elsevier SP federates with 3200+ IdPs and that's not the only publisher doing that; this is a normal use case.
Kind regards,
Meshna
From: Scott Koranda ***@***.***>
Sent: Wednesday, March 22, 2023 17:04
To: fedidcg/proposals ***@***.***>
Cc: Koren, Meshna (ELS-AMS) ***@***.***>; Comment ***@***.***>
Subject: Re: [fedidcg/proposals] idp-sp-storage API (Issue #4)
*** External email: use caution ***
Here are a few issues with the current FedCM and solutions this model offers.
From what I understand, one of the most fundamental problems with the current FedCM design at the moment is that the Multi-IdP API wouldn't be able to handle the scale of O(1K) IdPs (which is common in this space) that the user can choose from (we currently assume in the design O(< 10) IdPs).
Is it fair to articulate this as one of the problems we face?
Most website only support a few number of IdPs, I did conduct some empirical study several years ago. The 'craziest RP' supported 9 RPs then. This applied for OAuth and OpenID Connect RPs.
CILogon is a RP that brokers access from the eduGAIN federation to a large number of scientific resources. It supports more than 4000 IdP. See https://cilogon.org/<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcilogon.org%2F&data=05%7C01%7Cm.koren%40elsevier.com%7Cf2b1b3ed5f81435628dd08db2aef0bf5%7C9274ee3f94254109a27f9fb15c10675d%7C0%7C0%7C638150978418604233%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XcOIWOQdq05LitgIJXm3VeNGVboaYnIKJhSBeyar2gU%3D&reserved=0>
That is only one example. Many RPs in the higher education and research space federate with thousands of IdPs. It's how the community facilitates scholarly and research collaboration.
-
Reply to this email directly, view it on GitHub<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ffedidcg%2Fproposals%2Fissues%2F4%23issuecomment-1479849732&data=05%7C01%7Cm.koren%40elsevier.com%7Cf2b1b3ed5f81435628dd08db2aef0bf5%7C9274ee3f94254109a27f9fb15c10675d%7C0%7C0%7C638150978418604233%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ktO3z7Gljws1nvlYsgxVpbGXPCxHsiAJ3e7fjAhmlOU%3D&reserved=0>, or unsubscribe<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAFOCGTRCFP4V5M6TVW5KHP3W5MPG5ANCNFSM6AAAAAAVMVWX3Q&data=05%7C01%7Cm.koren%40elsevier.com%7Cf2b1b3ed5f81435628dd08db2aef0bf5%7C9274ee3f94254109a27f9fb15c10675d%7C0%7C0%7C638150978418604233%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=cuG9LkZGecBT5U50TUH6RtCBbDsjBeOfKQ2DVJjbZcQ%3D&reserved=0>.
You are receiving this because you commented.Message ID: ***@***.******@***.***>>
…________________________________
Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33158992, Registered in The Netherlands.
|
|
@wanpengli Yes! This proposal is in alignment with SAML discovery profiles.The actual specification for SAML Discovery is http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.html However, with recent user experience and privacy research in the RA21 project -- https://ra21.org/ -- spun off the Seamless Access project -- https://seamlessaccess.org/ . Participants from Seamless Access helped draft this specification. |
|
This is now markdown at: https://github.com/fedidcg/proposals/blob/idp-sp-storage-API-Issue-4/idp-sp-storage-api.md |
Proposal Summary: idp-sp-storage API
The problem we met to solve is how browsers can help prevent hidden tracking without breaking federation protocols for Research and Education federations. Our hope is that this scenario could be more broadly implemented for other federated use cases.
The RP, the browser, the IdP, and the user all need to own a piece of the consent that suggests the user is aware of and accepts that an authentication flow is about to happen. If this is done by interrupting the actual protocol flow, certain scenarios (e.g., when the IdP must know who the RP is before responding with a response that will allow the user to progress) will fail.
The group did not focus on third-party cookies specifically; the focus was on how to enable browser-level consent without breaking the protocol, regardless of the primitives being used. This means that this proposal might solve not only for third-party cookies but also for future issues with link decoration (aka, navigation-based tracking) and redirects (aka, bounce tracking).
Research & Education have tools and services, particularly federation operators that provide governance to the federation system, that we considered leveraging as part of the way to move from a consent model that focuses solely on gaining the user’s consent for a transaction to a classification model that allows the browser to differentiate between a federated authentication flow and a tracking flow. Consent can still be included, but by classifying the action correctly, the user experience should be much simpler.
The scenario in this proposal assumes that the metadata provided by the Relying Party to the browser will allow the browser to both classify the flow and provide a common UX for further IdP discovery (aka, resolve the NASCAR problem).
For more background see [20230309 Background for proposals]
We propose a javascript API for authorizing a set of mappings between an SP and an IdP in the browser.
The data that defines the SP and IdP in the API calls defined below (e.g.
n.c.allowed.put) is either the ORIGIN of the SP/IdP or a signed data structure which includes one or more of the URLs which the IdP has configured as the authorized location(s) to which the authentication response may be returned for a specific SP. Note that current authentication protocols have a limited list of permitted URLs that may be used by an SP; the SP must assert URLs from that list.The data that defines the IdP is, similarly, either the ORIGIN or a signed data structure which includes the URL the SP will use (via the appropriate protocol binding) to make its request, and a URL for UX information that is in the same ORIGIN as the IdP. The
.well-known/ location cannot be used for this purpose as many IdPs for different organizations may be hosted at the same ORIGIN. By requiring this URL to be at the same ORIGIN as the authentication endpoint the SP cannot insert misleading data. In the absence of an SP-asserted UX endpoint the.well-knownlocation could be used. In the absence of a.well-knownendpoint the URL could be presented to the user.By using a signed data structure, instead of simply specifying the ORIGIN, the caller can include additional information used to drive the UX–such as the human-friendly and/or localized name of the IdP/SP. The signed data structure is submitted, along with a proof of membership of the public key, in a recognized transparency log allowing the browser to validate the origin of the data.
Calls to the API will trigger browser-provided UX at certain stages to ensure that the user is aware that a mapping exists between the SP and the IdP. The browser will use this mapping – including the SP and IdP endpoints used in identity protocol flows – to allow interaction between these endpoints which would otherwise not be permitted. (That is: future bounce tracking and other cross domain exchanges that appear to be tracking data.)
Privacy threat model
There are 3 actors involved in the standard federated identity exchange:
The following is a brief description of a typical authentication flow using the most common protocol bindings for SAML. OIDC is quite similar.
In summary:
API calls
n.c.allowed.isEmpty(<sp>) -> BooleanReturns true if there are no objects associated with .
This is called the unconfigured state for the .
#####
n.c.allowed.put(<sp>, <idp>, [<ttl>]) -> Promise<IdP>The browser prompts the user to allow the - mapping to be authorized. If the user agrees, the mapping between and is stored. Optionally this mapping expires after time-to-live . If the user authorizes the mapping the Promise resolves with the choice, allowing the calling page to invoke the login flow for the chosen . Alternatively, if the user denies the mapping the Promise resolves as an error which can be handled in an exception flow by the caller.
#####
n.c.allowed.invoke(<sp>) -> Promise<IdP>The invoke method displays a UX allowing the user to select one among the ones already associated with (from a previous
n.c.allowed.putcall). When the user has chosen, the Promise resolves with the object. The user should be given the choice to not invoke any of the existing objects and have the UX behave as if it is in the unconfigured state for . This is signaled by resolving the Promise as an error which can be handled in an exception flow by the caller.#####
n.c.allowed.get(<sp>) -> Promise<[IdP]>The get method returns a list of the objects associated with the object. This API call will throw an exception through the Promise if called outside of a Chrome [fenced frame] (or equivalent code-execution sandbox in other browser engines). This allows an SP-supplied (not browser-provided) UX (in a sandbox) to be presented, which is not visible to the SP, but allows cross-origin resources, etc.
#####
n.c.allowed.deleteAll(<sp>)Delete all for this .
#####
n.c.allowed.delete(<sp>, <idp>)Delete this particular - pair.
What is the Expected RP (or IDP Library) Developer Experience?
An RP would either call a SAML or OIDC discovery service that calls the API or would call the API directly on the SP page.
What is the Expected IDP Developer Experience?
This proposal does not impact any of the current identity protocols.
What is the Expected User Experience?
Code executing on the page will call
n.c.allowed.put(<sp>,<idp>)which would cause the user to be prompted to allow the<idp>to be authorized for use by the page associated with<sp>. The<idp>and<sp>are expected to be objects representing “metadata” for the two entities. The UX is expected to be similar to current credit card autofill behaviour. When the calling page wants to use the mapping it callsn.c.allowed.invoke(<sp>)which prompts the user to select among the existing stored<idp>-objects associated with the<sp>object.The following pseudocode outlines the different API calls in use by the SP in the process of connecting the user to their IdP. The embedded STOP signals where the proposed new flow terminates and moves to existing protocol behavior.
a. SP knows the IdP it wants to use, so it calls
n.c.allowed.put(<sp>, <idp>, [<ttl>])to request consent for establishing that linkage and permission to invoke SSO.i. On error, go to b, otherwise proceed with SSO protocol. STOP
b. SP does not know the IdP to use.
i. SP calls
n.c.allowed.isEmpty(<sp>)to check for existing relationships to reuse.n.c.allowed.invoke(<sp>)to attempt browser-mediated reuse of an IdP choice.a. If error, go to ii, otherwise proceed with SSO protocol. STOP
ii. SP invokes a protocol and community appropriate Discovery Service (either embedded or external) using existing discovery protocol.
a. SP now knows the IdP it wants to use, so it calls
n.c.allowed.put(<sp>, <idp>, [<ttl>])to request consent for establishing that linkage and permission to invoke SSOi. On error (either IdP refuses or user rejects registering the IdP chosen) repeat discovery of a suitable IdP. Otherwise proceed with SSO protocol. STOP
Regarding discovery, this narrative assumes discovery may be embedded within SP or shared, but is not formally part of the browser apart from the “invoke” option to select from an existing set of relationships (not select new ones). This would obviate the need for a shared discovery service to ever retain state/choices since that would be managed by the browser alone and reused via
n.c.allowed.invoke.In a typical case, a user would be forced through discovery once, pick their IdP and establish the connection for some TTL, then reuse it via the ç method until it expires; discovery would be bypassed entirely by the SP for that TTL period. Multiple IdPs works fine, allowing that additional trips through discovery and the n.c.allowed.put call (to obtain consent) would occur. The user would have to select “none of the above” after
n.c.allowed.invokeis called to make that happen.Open questions
Out of scope
Consuming federation trust elements (e.g. metadata or public keys) is explicitly out of scope for this proposal however it is possible to combine this proposal with additional signals based on out-of-band import of metadata.
Flows
An account management module for editing and removing - for federated accounts
The text was updated successfully, but these errors were encountered: