The OIOSAML Toolkits
Accelerating a common eGov infrastructure using open source reference implementations
Søren Peter Nielsen, IT Architect, IT Infrastructure and Implementation Division, Danish National IT & Telecom Agency - [email protected]
OSOR.eu eID/PKI/eSignature Community Workshop, Brussels, 13 November 2008
- WHAT: What exactly is contained in the toolkits?
- WHICH: Which OSS license is used?
- HOW WELL: What kind of quality assurance?
- Status, and what's next
- WHEN: When can you get the toolkits? Now ☺
Why is Open Source important?
In Denmark, we want to build an IT infrastructure that enables
- Innovation
- Competition
- Openness
It must be easy for developers to utilize the IT infrastructure in their applications.
Open source components and tools play an important role in this quest, e.g. in
- Accelerating deployment
- Driving down integration cost
The OIOSAML Toolkits help enable federation (Identity in the Cloud)
- Web Single Sign-On for citizens and employees
- Ability for institutions and businesses to do their own authentication of users accessing Software-as-a-Service (SaaS) applications
- Supports OIOSAML 2.0, which is a profile of the SAML 2.0 standard
- Consistent with the Liberty eGov profile testing criteria
External Authentication Architecture
A Service Provider can have the user authenticated at an external Identity Provider, and potentially receive additional user-associated attributes.
[Figure: user, Service Provider and Identity Provider; the SP sends the user to the IdP, the IdP returns "Log in OK" plus attributes, and the SP grants access ("ok")]
Single Sign-On Architecture
A user can achieve Single Sign-On with all Service Providers that trust her/his Identity Provider.
[Figure: one Identity Provider and two Service Providers; after one "Log in OK" plus attributes at the IdP, both Service Provider and Service Provider 2 grant access ("ok")]
Integration requirements
[Figure: the same Identity Provider / Service Provider exchange, "Log in OK" plus attributes]
- The user must have a browser where JavaScript is enabled (the SAML HTTP-POST binding relies on an auto-submitting form)
- The Identity Provider must support the "IdP mode" in OIOSAML
- The Service Provider must support the "SP mode" in OIOSAML
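The SP-to-IdP half of the exchange in the figures above, as an added example in plain Python (not code from the OIOSAML toolkits or from SimpleSAMLphp): the SP reads the IdP's SingleSignOnService endpoint from imported metadata, builds an AuthnRequest, and sends it with the SAML 2.0 HTTP-Redirect binding; the last function shows what the IdP unpacks at the other end. The entity IDs, URLs and the metadata document are hypothetical, and signing of the redirect (the SigAlg/Signature query parameters) is left out.

```python
# Added example, not code from the OIOSAML toolkits: the SP-to-IdP half of the
# Web SSO exchange drawn above, in plain Python on constructed data. The entity IDs,
# URLs and the metadata document are hypothetical.
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"md": MD, "saml": SAML, "samlp": SAMLP}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SP_ENTITY_ID = "https://sp.example.dk/saml"      # hypothetical SP entityID
SP_ACS = "https://sp.example.dk/saml/acs"        # hypothetical AssertionConsumerService URL

# Constructed IdP metadata: the document an SP imports to learn where to send users.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.dk/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
  <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.dk/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_sso_endpoint(metadata_xml):
    """Metadata import: (entityID, Location) of the IdP's HTTP-Redirect SSO endpoint."""
    root = ET.fromstring(metadata_xml)
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT:
            return root.get("entityID"), svc.get("Location")
    raise ValueError("IdP metadata has no HTTP-Redirect SingleSignOnService")


def new_request_id():
    """Unpredictable ID; the SP stores it in the session to match InResponseTo later."""
    return "_" + secrets.token_hex(16)           # leading underscore: SAML IDs are xs:ID (NCName)


def build_authn_request(request_id, destination, issue_instant):
    """Minimal AuthnRequest naming this SP as Issuer and where the Response must go."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{issue_instant}" Destination="{destination}" '
            f'AssertionConsumerServiceURL="{SP_ACS}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
            f'</samlp:AuthnRequest>')


def redirect_url(sso_location, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = c.compress(authn_request_xml.encode()) + c.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state       # opaque to the IdP, echoed back with the Response
    return sso_location + "?" + urllib.parse.urlencode(params)


def receive_redirect(url):
    """IdP side of the same binding: inflate SAMLRequest and read the fields it routes on."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode())
    return {"id": req.get("ID"), "issuer": req.findtext("saml:Issuer", namespaces=NS),
            "acs": req.get("AssertionConsumerServiceURL"), "destination": req.get("Destination"),
            "relay_state": q.get("RelayState", [None])[0]}


if __name__ == "__main__":
    idp_id, sso = idp_sso_endpoint(IDP_METADATA)
    rid = new_request_id()
    url = redirect_url(sso, build_authn_request(rid, sso, "2008-11-13T10:00:00Z"), "/min-side")
    print(url)
    print(receive_redirect(url))
```

The request ID is random and kept in the SP session; the matching Response must carry it in InResponseTo, which is what stops an unsolicited or replayed Response from being accepted. A real IdP also checks that the Issuer is a registered SP and that AssertionConsumerServiceURL matches that SP's metadata before sending an assertion there.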
The OIOSAML Toolkits include Service Provider reference implementations in Java and .NET.
Additionally, we have released a preconfigured Identity Provider that can be used for development & testing, also fully open source: the preconfigured IdP consists of SimpleSAMLphp on Ubuntu in a VirtualBox image.
Toolkit capabilities *)
- SAML 2.0 Assertions
  - Create, modify and access SAML assertions
  - Serialize to and from XML
  - Generate and verify XML signatures on SAML assertions
  - Encrypt and decrypt SAML assertions
- SAML 2.0 Protocol
  - Create, modify and access SAML request and response messages
  - Serialize to and from XML
  - Generate and verify XML signatures on SAML messages
  - Support persistent pseudonyms at the protocol level
  - Perform AttributeQuery
- SAML 2.0 Bindings
  - Send and receive protocol messages over HTTP
- SAML 2.0 Profiles
  - Support the OIOSAML 2.0 profiles (SSO, SLO (via HTTP Redirect only), Attribute and IdP Discovery profiles)
- SAML 2.0 Metadata
  - Support export and import of SAML 2.0 metadata
*) Additional capabilities in OIOSAML.JAVA as it is based on OpenSAML 2.0
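The SP-side checks on a Response that "SP mode" has to perform before a login is accepted, as an added example in Python (not the toolkits' code), run on a constructed, unsigned Response. It covers the assertion and protocol items in the list above except signatures and encryption: the toolkits verify the XML signature (and decrypt an EncryptedAssertion) first, and here that step is a stated precondition, not implemented. Entity IDs and URLs are hypothetical.

```python
# Added example, not code from the OIOSAML toolkits: the checks an SP applies to a
# SAML 2.0 Response/Assertion before accepting the login, run on a constructed,
# unsigned Response. Entity IDs and URLs are hypothetical.
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
IDP_ENTITY_ID = "https://idp.example.dk/saml"    # hypothetical; an SP takes this from imported metadata
SP_ENTITY_ID = "https://sp.example.dk/saml"      # hypothetical
SP_ACS = "https://sp.example.dk/saml/acs"        # hypothetical AssertionConsumerService URL


def constructed_response(request_id, not_on_or_after="2008-11-13T10:05:00Z", audience=SP_ENTITY_ID):
    """Constructed sample Response; a real one is signed and often carries an EncryptedAssertion."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
 IssueInstant="2008-11-13T10:00:00Z" InResponseTo="{request_id}" Destination="{SP_ACS}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-11-13T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="{PERSISTENT}">c9a1e4f0-example</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{SP_ACS}"
     NotOnOrAfter="{not_on_or_after}"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-11-13T09:59:00Z" NotOnOrAfter="{not_on_or_after}">
   <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="urn:oid:2.5.4.3"><saml:AttributeValue>Test Person</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _t(stamp):
    """SAML dateTime in UTC, e.g. 2008-11-13T10:00:00Z."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(response_xml, expected_request_id, now, skew_seconds=60):
    """Return NameID and attributes if every check passes, else raise ValueError.
    Precondition not implemented here: the XML signature must already have been verified
    against the IdP certificate from metadata (the toolkits do this with XML-DSig, and
    decrypt an EncryptedAssertion first); nothing below is trustworthy before that.
    `now` is a SAML timestamp so runs are reproducible; skew_seconds tolerates the clock
    differences the federation's time-setting policy allows."""
    def fail(why):
        raise ValueError(why)
    t_now, skew = _t(now), dt.timedelta(seconds=skew_seconds)
    resp = ET.fromstring(response_xml)
    if resp.get("Destination") != SP_ACS:
        fail("Destination is not our AssertionConsumerService")
    if resp.get("InResponseTo") != expected_request_id:
        fail("InResponseTo does not match an outstanding request (unsolicited or replayed)")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        fail("IdP reported a non-Success status")
    a = resp.find("saml:Assertion", NS)
    if a is None:
        fail("no plaintext Assertion")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        fail("Assertion not issued by the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if not (_t(cond.get("NotBefore")) - skew <= t_now < _t(cond.get("NotOnOrAfter")) + skew):
        fail("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        fail("Assertion was issued for another SP (AudienceRestriction)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP_ACS or scd.get("InResponseTo") != expected_request_id
            or t_now >= _t(scd.get("NotOnOrAfter")) + skew):
        fail("bearer SubjectConfirmationData does not bind the assertion to this request")
    nid = a.find("saml:Subject/saml:NameID", NS)
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": nid.text, "name_id_format": nid.get("Format"), "attributes": attrs}


if __name__ == "__main__":
    print(validate_response(constructed_response("_req1"), "_req1", "2008-11-13T10:01:00Z"))
```

Each check closes a distinct hole: Destination and Recipient reject an assertion captured at another endpoint, AudienceRestriction rejects one issued to another SP, InResponseTo rejects unsolicited or replayed responses, and the validity window bounds how long a captured assertion stays usable. The skew parameter is where the federation's time-setting policy takes effect; the returned NameID is the persistent pseudonym the SP keys its local account on.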
OSS license: Mozilla Public License 1.1
Quality assurance: the reference implementations have gone through interoperability testing before release.

Test case    OIOSAML.OIO   OIOSAML.NET   SimpleSAMLphp SP
IT-LOGON-1a  ok            ok            ok
IT-LOGON-1b  ok            ok            ok
IT-SSO-1a    ok            ok            ok
IT-SSO-1b    ok            ok            ok
IT-SSO-2     ok            ok            ok
IT-SPSES-1   ok            ok            ok
IT-SLO-1     ok            ok            ok
IT-SLO-2     ok            ok            ok
IT-LOA-1     ok            Not passed    Not passed
IT-TIM-2     ok            ok            ok
IT-CERT-1a   ok            ok            ok
IT-CERT-1b   ok            Not passed    Not passed
IT-CERT-1c   ok            Not passed    Not passed
IT-CERT-1d   n/a           n/a           n/a
IT-CERT-1e   Not tested    Not tested    n/a
IT-CDC-1     ok            Not passed    Not passed
IT-ATTQ-1    ok            ok            Not passed

See the full report in the Documentation section at http://www.softwareborsen.dk/projekter/softwarecenter/brugerstyring
We have also tested SimpleSAMLphp.
In addition, a detailed scenario validation report has been created for OIOSAML.NET.
Status
- Reference implementations released summer 2008
- Already being used for seven service provider solutions in the Danish federation *)
- Has already helped in
  - Accelerating deployment
  - Driving down integration cost
- Much international interest as well
- More open source components for federation coming
  - SAML 2.0 SP support in the OSS CMS Umbraco, using OIOSAML.NET
  - Java and .NET reference implementations for identity-based web services
This is a question about creating an overall efficient infrastructure, and about how we best spend the taxpayers' money while creating it.
Federation is similar to creating an efficient railroad infrastructure: having tracks of different widths side by side probably isn't the best way to do it...
Microsoft is now also on board with SAML 2.0:
“Institutions can now acquire the products that best support their business requirements without concern about "betting on the wrong horse" …. From a national perspective … we believe it will accelerate the deployment of a common infrastructure based on interoperable standards.”
Principles for the Federation
- It is an Open Federation!
- Open and Flexible Architecture
- Standards Based!
- Phased Development
- Extra Support for First Comers
The first phase of the federation delivers Web Single Sign-On (SSO)
Authentication is the responsibility of an external shared service.
[Figure: the Citizen Portal ("Easy" Log-in) as Service Provider; the shared Identity Provider returns "Login OK" plus attributes and the portal grants access]
The user can take advantage of single sign-on (but can also opt out of SSO).
[Figure: the Citizen Portal and Tax Self-service as two Service Providers sharing one Identity Provider login; after "Login OK" plus attributes at the IdP, both grant access]
Building out the federation
How does a Service Provider (SP) join the federation?
- Well-defined process for joining
- Document suite for SPs
  - Terms & Conditions
  - Cookbook
  - Policies: Levels of Authentication; Certificates, Logging; Timeout, Time setting
  - Integration test
  - Operations & Support
  - Contingency Plan
Is it fast and cheap to integrate a Service Provider?
Limitations in growing the federation
- Scarceness of skills
- Limited budgets
are being addressed through
- Knowledge dissemination (pilot, workshops)
- Considering "certification" of integration consultants
- Coding samples and tools
- Nudging the market to offer attractively priced "starter packages"
- Open source toolkits and reference implementations
- Considering "technical approval" of hosted services