In this user profile, the Authnicrp module provides anonymous access to resources protected by a Security Policy Agent. The term 'anonymous' here tends to be a misnomer, as it refers to OpenSSO's anonymous access, which allows a user to log on without presenting credentials. However, Information Card identities are anonymous only so long as one's claims do not allow others to learn one's personal identity. Furthermore, the Authnicrp module does not necessarily eliminate the need to present authentication credentials. To get a security token, a user must authenticate one way or another (e.g. password, X509 certificate, Kerberos, self-signed i-card) through the Identity Selector, so that the Identity Provider (IDP) can assert the claims presented in the security token. This requirement can be enforced, for example, by configuring the module not to allow self-signed information cards. Hence, the level of trust a Relying Party (RP) puts in Information Cards will depend on the method the IDP uses to collect personal information and on the authentication schemes used to challenge the identity of a user.
The administrator must specify an anonymous user ID in a realm, so that anyone in that realm can log on with an information card, provided the asserted claims honor the security requirements of the Relying Party (RP). The reason a user ID is needed with Information Cards is purely technical: an OpenSSO authentication module is a JAAS module and, as such, is required to return a subject's Principal. If the authentication succeeds, a session is created for the user ID, and the claims and their values are stored in it as property-value pairs. Session properties are retained in the system until the user's session expires. In a future post, I will explain how applications can retrieve session properties, either by querying the Session Service or by configuring the Security Policy Agent to copy them into various HTTP artifacts.
The anonymous mode provides several benefits. It allows access to be granted to an information card bearer while avoiding the usual tedious registration process of creating a user account. Also, because Information Cards supply claim values such as name, address, and e-mail address to RPs on demand, Web sites do not need to store persistent personal data. In this way, the anonymous mode reduces the need for Web sites to request and store personal data across sessions and thereby narrows a classic attack vector for identity theft.
The short video sequence below shows the user's onscreen experience of getting access to a protected resource using an information card in anonymous mode. The sequence is as follows:
- The user hits a Web page with a link to a protected resource
- The user presents a self-signed i-card in which the required e-mail address claim is blank
- The Authnicrp module denies access but gives the user a second chance
- This time the user presents another i-card that has all required claims filled in
- OpenSSO grants access to the protected resource, which displays some of the information card's claims retrieved from the HTTP request
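
The decision flow in the sequence above, sketched as an added example (this is not OpenSSO's or the Authnicrp module's own code). The class, the `Policy` settings and the `evaluate` method are hypothetical, the card's signature is assumed to have been verified already, and the sample cards are constructed.

```java
import java.util.*;

public class AnonymousCardCheck {
    // Issuer URI the Information Card profile assigns to self-issued (self-signed) cards.
    static final String SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self";
    // Namespace of the standard Information Card claim types.
    static final String CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/";

    // Hypothetical module settings: anonymous user ID, required claims, self-signed policy.
    record Policy(String anonymousUserId, Set<String> requiredClaims, boolean allowSelfSigned) {}

    // Outcome: the principal the session is created for and its properties, or a denial reason.
    record Result(boolean granted, String principal, Map<String, String> sessionProperties, String reason) {}

    static Result evaluate(Policy policy, String issuer, Map<String, String> claims) {
        if (!policy.allowSelfSigned() && SELF_ISSUER.equals(issuer)) {
            return new Result(false, null, Map.of(), "self-signed cards are not accepted");
        }
        for (String uri : policy.requiredClaims()) {
            String value = claims.get(uri);
            if (value == null || value.isBlank()) { // a blank claim counts as missing
                return new Result(false, null, Map.of(), "missing required claim: " + uri);
            }
        }
        // Every card bearer shares the one anonymous principal; only the claims differ,
        // and they live in the session as property-value pairs until it expires.
        return new Result(true, policy.anonymousUserId(), new TreeMap<>(claims), null);
    }

    public static void main(String[] args) {
        Set<String> required = Set.of(CLAIMS + "givenname", CLAIMS + "emailaddress");
        Policy lenient = new Policy("anonymous", required, true);
        Policy strict = new Policy("anonymous", required, false);

        // Constructed sample cards mirroring the two attempts in the sequence.
        Map<String, String> first = Map.of(
                CLAIMS + "givenname", "Alice", CLAIMS + "emailaddress", "");
        Map<String, String> second = Map.of(
                CLAIMS + "givenname", "Alice", CLAIMS + "emailaddress", "alice@example.org");

        System.out.println(evaluate(lenient, SELF_ISSUER, first));   // denied: blank e-mail claim
        System.out.println(evaluate(lenient, SELF_ISSUER, second));  // granted as the anonymous user
        System.out.println(evaluate(strict, SELF_ISSUER, second));   // denied: self-signed card
    }
}
```

The third call shows the stricter configuration mentioned earlier: with self-signed cards disallowed, the same complete card is refused and the user has to obtain a token from an IDP.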