Tractis id service how-to
Abstract
Tractis offers several services that are included among its features but are not about contracts, although they are closely related to them. These services are called id services, and they allow third parties to include identity-related services in their infrastructures with minimal integration or development overhead. The interaction between third-party services, Tractis id services and users to perform authentication tasks is called an 'authentication challenge' in the rest of this document. Defining further concepts used in the rest of the document: the entity creating the challenges is called the 'Service Provider', the Tractis id services are also called the 'Identity Provider', and the users who need to solve the challenges are called 'users'.
Requirements
Tractis id services are offered as a remote service and can be invoked by any Tractis user; the only requirements are having an account and some basic knowledge of the HTTP protocol.
Features
Currently the service offers some basic authentication services that use certificate-based mechanisms. In the future many other mechanisms, such as connections to third-party attribute repositories, OpenID and more, will be included in the framework to be used together with those based on digital certificates.
The services that can be accessed are:
- Synchronous authentication: The user is redirected to the Tractis site, where an authentication challenge is presented to allow the user to authenticate. This enables, for example, certificate-based login on third-party websites using the features provided by Tractis.
- Asynchronous authentication: An email is sent to the user containing a link to an authentication challenge served on the Tractis site. This enables, for example, binding an email address to its owner by means of digital certificate based authentication.
After the process, the result is delivered to the 'Service Provider'. This delivery can be performed using asynchronous mechanisms such as email or a direct callback invocation to a configured URL.
Usage
Usage involves two main tasks to be performed by the Tractis client (Service Provider) that needs to create an authentication service and include it in its authentication challenge:
- Challenge configuration: The client needs to create a Tractis id account and configure it. To perform this task the client needs a Tractis account and must log in with it at the Tractis id configuration panel.
- Challenge creation: After configuration, the 'Service Provider' creates challenges by sending a creation request to the Identity Provider; those challenges are then sent to the users. At the end of the challenge, the result of the process is delivered to the 'Service Provider'.
Challenge configuration
After logging in at the Tractis id configuration panel, a list of all the API keys is shown. Each API key represents a concrete authentication scenario in which several attributes and authentication methods are used. Two main items take part in authentication processes: attributes and authentication methods, which are grouped inside authentication scenarios (formerly known as API keys). These items represent the following:
- Attribute: Represents the information that needs to be recovered from the user, for example the user's email, name or national id card serial number.
- Authentication method: Represents the way of recovering one or more attributes. Many completely different methods can be used to recover different types of attributes. For example, the name of a person could be stamped inside a certificate, stored in a third-party attribute repository, or held in the person's Tractis account.
Obviously, the level of trust in the recovered data depends on the method used to recover it, so the selection of the authentication methods allowed is very sensitive within the challenge process, because it determines the reliability of the recovered data.
Here the 'Service Provider' configures the set of attributes it wants to recover from the user, and the service offers the set of methods that can be used to recover those attributes. After this selection, the Service Provider activates the methods it wants to support and chooses the type of callback.
The callback is the mechanism that Tractis id services use to notify the result of the challenge. It is configured for each API key in its detailed configuration section. A text entry for defining this value is offered, and currently two types of values are supported:
- HTTP based URLs: URLs starting with http:// and pointing to an HTTP endpoint
- Email based URLs: URLs in email address format, such as user@domain.com
NOTE: The configured URL is shown to every client using the service so that they can verify the authenticity of the provider requesting the challenge.
Challenge creation
After the configuration process, the challenge can be created and submitted to users by synchronous or asynchronous methods. For this purpose you should invoke the challenge creation feature illustrated at.
NOTE: Mind that this is only an HTTP POST call with the provided HTTP parameters.
Challenge result
After the challenge ends, a result is submitted to you in the configured way (callback or email). If the email option was chosen, an email holding a link is sent that directs you to a protected area of the Tractis site where you can consult the result of the process.
If the HTTP callback is used, a callback with the result is posted to that URL. To ensure the correctness of the data, a call to the verify method (to verify the authenticity of the result) is recommended.
The result of the challenge includes all the attributes that were recovered during the authentication process, according to the configuration described by the 'Service Provider'.
For example, if authentication using digital certificates is requested and the name of the certificate subject needs to be recovered through it, the challenge will consist of creating a digital signature with that certificate; after a validation process against the Tractis validation services, this information is extracted from the signing certificate.
NOTE: Only those challenges that have been resolved as OK are notified in any of these ways. The others are discarded.
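The following is an added example of how a Service Provider might handle the HTTP callback described above; it is not code from Tractis. The real parameter names of the callback POST and the signature of the verify method are not documented on this page, so the field names (challenge_id, status, attr_*) and the verify callable are hypothetical, and the POST body is constructed. The point it shows is the recommended order of operations: parse the callback, confirm the result with the Identity Provider's verify step, and only then release the recovered attributes to the application. It also classifies a configured callback value as HTTP or email, as the configuration section allows.

```python
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs

# Constructed sample of a callback POST body (application/x-www-form-urlencoded).
# The parameter names are hypothetical: the page does not document the real
# field names used by the Tractis callback.
SAMPLE_CALLBACK_BODY = (
    "challenge_id=ch-0001&status=ok"
    "&attr_name=Jane+Doe&attr_email=jane%40example.org"
)


def callback_kind(value: str) -> str:
    """Classify a configured callback value: 'http' for http:// URLs,
    'email' for an email address, otherwise raise (unsupported value)."""
    if value.startswith("http://"):
        return "http"
    if "@" in value and "/" not in value and " " not in value:
        return "email"
    raise ValueError("unsupported callback value: %r" % value)


def parse_callback(body: str) -> Dict[str, str]:
    """Parse the form-encoded callback body into a flat dict (first value wins)."""
    parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    return {key: values[0] for key, values in parsed.items()}


def handle_callback(body: str, verify: Callable[[str], bool]) -> Optional[Dict[str, str]]:
    """Process one challenge-result callback.

    `verify` stands in for the provider's verify method (hypothetical
    signature: takes the challenge id, returns True only when the provider
    confirms that result). Attributes are returned only after that
    confirmation; anything unverified or not marked OK yields None, which the
    caller treats as "discard".
    """
    fields = parse_callback(body)
    challenge_id = fields.get("challenge_id")
    if not challenge_id or fields.get("status") != "ok":
        return None
    if not verify(challenge_id):
        # The provider did not acknowledge this result: treat the POST as
        # untrusted and release nothing to the application.
        return None
    return {key[len("attr_"):]: value
            for key, value in fields.items() if key.startswith("attr_")}


if __name__ == "__main__":
    # Simulated verify step: a constructed set of challenge ids the provider
    # would confirm. In practice this would be a call to the verify method.
    confirmed = {"ch-0001"}
    print(handle_callback(SAMPLE_CALLBACK_BODY, lambda cid: cid in confirmed))
    print(callback_kind("http://sp.example.org/tractis-callback"))
```

The verify step is passed in as a callable so the same handler can be exercised against a stub locally and against the real verify method in deployment.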