ec24ad0e1c
structure. |
||
---|---|---|
.. | ||
idenTokenProviders | ||
linux | ||
authtoken.c | ||
config_if.h | ||
config.c | ||
iden_token_provider_if.h | ||
identoken.c | ||
internal.h | ||
Makefile.am | ||
principal.c | ||
README | ||
TODO | ||
util.c | ||
validate.c |
/*********************************************************************** * * README for libcasa_s_authtoken * ***********************************************************************/ INTRODUCTION libcasa_s_authtoken provides an API for the validation of CASA Authentication Tokens. The API provides a means for obtaining identity information about authenticated entities. Applications should avoid calling directly into this library's APIs. Instead, applications should code to the PAM API to validate authentication credentials or allow an external module to perform the credential validation. To facilitate this, CASA Authentication provides PAM, Apache, and JAAS modules that can be used to validate credentials containing CASA Authentication tokens, CONFIGURING TRUSTED AUTHENTICATION TOKEN SERVICES tbd. Add info about the installation of public certificates and trusted certificate authorities. CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDER MODULES CASA Authentication Tokens contain Identity Tokens. The Identity Tokens contain the identity information about the entity being authenticated. Identity Tokens can be of different types, the type utilized for use with a particular service is configured at the time that the service is configured for CASA Authentication. The default identity token type is CasaIdentityToken. libcasa_s_authtoken supports different identity token types through an API that allows for the configuration of different Identity Token Provider plug-ins. An Identity Token Provider plug-in is configured by placing a configuration file for the plug-ins in the /etc/opt/CASA/authtoken.d/modules.d folder. The name of the plug-in configuration file is related to the identity token type in the following manner: IdentityTokenTypeName.conf. Identity Token Provider plug-in configuration files must must contain a directive indicating the path to the library implementing the Identity Token Provider plug-in (See the configuration file for the CasaIdentityToken plug-in for an example). SERVER APPLICATION PROGRAMMING NOTES The Validate CASA Authentication Token API is defined in casa_s_authtoken.h. The API consists of a call to validate authentication tokens. The caller must supply a service name which must match the service name provided by the client when requesting the authentication token. Successful calls to the validate authentication token API will return a handle to a principal interface object. The principal interface object handle can be used to obtain identity information about the authenticated entity as well as information about the authentication realm. The principal interface object must be released after it is no longer needed. The amount and type of identity information associated with the principal interface is dependent on what is configured at the time that the service is enabled for CASA Authentication. For examples of code which uses the Validate CASA Authentication Token API look at the implementations of the CASA Authentication PAM module and the CASA Authentication Provider Apache module. IDENTITY TOKEN PROVIDER PROGRAMMING NOTES The Identity Token Provider API is defined in iden_token_provider.h. For an example see the implementation of the CASA Identity Token Provider. SECURITY CONSIDERATIONS CASA Authentication Tokens when compromised can be used to either impersonate a user or to obtain identity information about the user. Because of this it is important that the tokens be secured by applications making use of them. It is recommended that the tokens be transmitted using SSL.