
Moonshot ships with a tool, moonshot-webp, to securely and correctly provision credentials onto clients. The format for credential files is simple XML:

<?xml version="1.0" encoding="UTF-8"?>
<identities>
  <identity>
    <display-name>[e.g. John Smith from Camford University]</display-name>
    <user>[e.g. johnsmith]</user>
    <password>[e.g. correct-horse-battery-staple]</password>
    <realm>[e.g. camford.ac.uk]</realm>
    <services>[optional, see below]</services>
    <selection-rules>[optional, see below]</selection-rules>
    <trust-anchor>
      <!-- Either ca-cert and subject, or ca-cert and subject-alt -->
      <ca-cert>[base64-encoded representation of the IdP's root certificate in DER form]</ca-cert>
      <subject>Foo</subject>
      <subject-alt>Bar</subject-alt>
      <!-- Or alternatively -->
      <server-cert>[sha256 hash of the APC/IdP's server certificate]</server-cert>
    </trust-anchor>
  </identity>
</identities>

Inclusion of the trust anchor is vital; without it, credentials may be exposed to malicious resource providers. This credential format is also used to secure communication between RPs, IdPs and trust routers.

The optional services section determines which services the credential will be used for automatically; each service is listed in its own service tag. For use with a trust router, it is better to use the selection-rules section instead.

services
    <services>
      <service>xmpp@jabber.project-moonshot.org</service>
      <service>email@project-moonshot.org</service>
    </services>

The optional selection-rules section restricts which services the credential will be used for automatically. For a trust router identity, the service type is "trustidentity" for all services.

selection-rules
    <selection-rules>
       <rule>
         <pattern>trustidentity/*</pattern>
         <always-confirm>false</always-confirm>
       </rule>
    </selection-rules>
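As an added illustration (not part of Moonshot or moonshot-webp), the following Python checker parses an identities file, flags identities without a usable trust anchor, and evaluates selection-rules patterns against a service string. The sample file, the 64-hex-digit form of the sha256 server-cert, and glob semantics for pattern are assumptions.

```python
import base64, binascii
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample credential file (not a real Moonshot export).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<identities><identity>
  <display-name>John Smith from Camford University</display-name>
  <user>johnsmith</user><password>correct-horse-battery-staple</password><realm>camford.ac.uk</realm>
  <selection-rules><rule><pattern>trustidentity/*</pattern><always-confirm>false</always-confirm></rule></selection-rules>
  <trust-anchor><ca-cert>Y29uc3RydWN0ZWQ=</ca-cert><subject>CN=idp.camford.ac.uk</subject></trust-anchor>
</identity></identities>"""

def text(elem, tag):
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else None

def anchor_problems(identity):
    """Problems with the identity's <trust-anchor>; an empty list means acceptable."""
    anchor = identity.find("trust-anchor")
    if anchor is None:
        return ["missing trust-anchor"]
    ca_cert, server_cert = text(anchor, "ca-cert"), text(anchor, "server-cert")
    if server_cert and not ca_cert:
        # Assumption: the sha256 fingerprint is written as 64 hex digits.
        ok = len(server_cert) == 64 and not set(server_cert) - set("0123456789abcdefABCDEF")
        return [] if ok else ["server-cert is not a 64-hex-digit sha256"]
    if not ca_cert:
        return ["trust-anchor has neither ca-cert nor server-cert"]
    problems = []
    try:
        base64.b64decode(ca_cert, validate=True)  # must be base64 DER
    except binascii.Error:
        problems.append("ca-cert is not valid base64")
    if not (text(anchor, "subject") or text(anchor, "subject-alt")):
        problems.append("ca-cert needs a subject or subject-alt")
    return problems

def validate(xml_text):
    """Map user@realm of each identity to its list of problems ([] when the entry is acceptable)."""
    report = {}
    for ident in ET.fromstring(xml_text).iter("identity"):
        missing = [f"missing {t}" for t in ("user", "password", "realm") if not text(ident, t)]
        report[f"{text(ident, 'user')}@{text(ident, 'realm')}"] = missing + anchor_problems(ident)
    return report

def selected_rules(xml_text, user, service):
    """(pattern, always-confirm) of each rule of <user> whose glob matches the service (fnmatch semantics assumed)."""
    rules = [r for i in ET.fromstring(xml_text).iter("identity") if text(i, "user") == user for r in i.iter("rule")]
    return [(text(r, "pattern"), text(r, "always-confirm") == "true")
            for r in rules if fnmatchcase(service, text(r, "pattern") or "")]
```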