P-Asserted-Identity authentication in Sailfin Communication Server

P-Asserted-Identity authentication in Sailfin is based on RFC 3325 and requirements from JSR 289,

Steps to configure P-Asserted-Identity authentication

We will break the steps to configure P-Asserted-Identity authentication module into following steps,

       1.Configuring security realm
       2.Configuring Trust
       3.Configuring security for SIP Applications

1.Configuring security realm

Refer to section Configuring security realm in my previous blog entry.

2.Configuring Trust

  • Open sailfin administration console, default url will be http://localhost:4848
  • Click on Configuration tab
  • Click on Trust configurations

You can now either create new trust configuration elements or edit if you have already have one.
When you create a new trust configuration you have the option to either choose static configuration or you can write your own custom trust handler(to determine if a host from which message is being received or sent to is trusted).

Here are some snapshots 1 & 2.

Default trust handler provided by Sailfin trusts all hosts and maps the value in P-Asserted-Identity to a format suitable to the container for use in authentication,authorization tasks.For eg: "Cullen Jennings" value will be mapped/formatted to "CullenJ".

3.Configuring security for SIP Applications.

  • Configuration as per JSR 289
           1.Login configuration
           2.Securing methods

  • Implementation specific configuration
           1.Configuring sun-sip.xml

Configuration as per JSR 289.

1.Login configuration

              JSR 289 specific configuration elements (standard configuration) are defined in sip.xml, sip.xml has   following additional elements under login-config.

As per JSR 289 sailfin supports P-Asserted-Identity authentication in two modes (SUPPORTED , REQUIRED). When SUPPORTED value is used then incoming SIP messages are processed as follows

a) if P-Asserted-Identity header is present then process it.

b) if P-Asserted-Identity header is not present then apply the authentication method configured in auth-method element.


<identity-assertion>

          <identity-assertion-scheme>>P-Asserted-Identity</identity-assertion-scheme>

          <identity-assertion-support></identity-assertion-support>

          <!-- SUPPORTED/REQUIRED are supported values for identity-assertion-support -->

</identity-assertion>

As per JSR 289 Sailfin supports P-Asserted-Identity authentication in two modes (SUPPORTED , REQUIRED). When SUPPORTED value is used then incoming SIP messages are processed as follows

  a) if P-Asserted-Identity header is present then process it.

  b) if P-Asserted-Identity header is not present then apply the authentication method configured in auth-method element.        

<login-config>

          <identity-assertion>

                  <identity-assertion-scheme>P-Asserted-Identity</identity-assertion-scheme>

                  <identity-assertion-support>SUPPORTED</identity-assertion-support>

          </identity-assertion>

</login-config>

                                or

<login-config>

          <auth-method>DIGEST</auth-method>

          <realm-name>realmperapp</realm-name>

          <identity-assertion>

                  <identity-assertion-scheme>Identity</identity-assertion-scheme>

                  <identity-assertion-support>REQUIRED</identity-assertion-support>

         </identity-assertion>

</login-config>


When P-Asserted-Identity scheme is REQUIRED by the application, the P-Asserted-Identity header MUST be present in the request. If the P-Asserted-Identity header is not present, Sailfin will reject the request with a 403 response. If authorization of the Identity specified by P-Asserted-Identity header fails, Sailfin will return a 403 response.

2.Securing methods

   JSR 289 defines security-constraint( auth-constraints and resource-collection) elements which enables users to configure SIP methods that need to be secured i,e accessed by authorized users.

please refer to sample sip.xml file for more details.

Implementation specific configuration

1.Configuring sun-sip.xml

Following elements and properties need to configured in sun-sip.xml

security-role-mapping  element to enable principal to role mapping

properties trust-id-ref  and trust-auth-realm-ref, please refer to my previous blog entry to know learn about these properties.


Comments:

Hello, this post regarding 'P-Asserted-Identity authentication in Sailfin Communication Server' is really exciting. Highly recommended..

Thanks

Posted by Identity Authentication on July 14, 2009 at 10:39 AM IST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

venu

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today