Ministry of Science, Technology and Innovation, National IT and Telecom Agency IT Architect Søren Peter Nielsen The Role of SAML for Identity Management in the Danish Public Sector OASIS Adoption Forum London London, 28th November, 2006
Dec 31, 2015
Denmark - the Fundamentals
- 5.5 million inhabitants and one of the richest and most equal countries in the world
- Four levels of government with divided responsibility for tasks, both horizontal and vertical (EU, central government, counties (14), municipalities (268))
- Ongoing major structural reform: fewer regions, larger municipalities
- Public sector makes up 1/3 of the workforce
- Consensus culture in a multiparty system
- Has a PKI infrastructure with more than 700,000 issued certificates to citizens and public/private employees
Danish e-Government Maturity (2005)
Denmark has been number one in e-Readiness for the last three years according to the Economist Intelligence Unit and the IBM Institute for Business Value
Recent government decisions (April and June 2006):
- General e-government in Denmark: in 2012 all relevant written communication between companies, citizens and the public sector should be electronic.
- Open standards: the Danish Parliament requires the government to ensure that the use of IT is based on open standards. The government is required to maintain a set of open standards (January 2008). A comply-or-explain demand on the authorities to follow the use of open standards in new solutions. After January 2008, open standards should be the foundation for the development and procurement of IT to ensure competition.
Danish e-Government so far has been through a Decentralized Approach
(Figure: a "common" Danish family on a "common" day. Family members: Mother Irene (company owner), Dad Kenneth (public employee), Daughter Louise (moving), Son Anders (student). Services shown: Business services portal, Servicecenter, Local Gov rental subsidiary, Police, Tax Authority, Local Gov case system, "EasyAccount", Educational loan & support.)
This is just an example showing a few selected services. It is not representative of the full set of Danish eGov services.
E-Government services are delivered by many different organizations
To give citizens and businesses ”one-stop” access to a de-centralized public sector an underlying coherent identity infrastructure is required
To avoid prescribing usage of certain products this identity infrastructure must be based on open standards
SAML 2.0 has become the "standard-of-choice" for governments deploying a wide variety of identity-based services
(Figure: citizens and companies accessing Authorities 1-3 within Organisations 1 and 2, each organisation delivering its own services.)
This presentation will explain the Danish reasons for choosing SAML 2.0
Creating a coherent, secure, robust, effective and flexible public sector identity infrastructure is like eating an elephant: one bite at a time.
Important Goals for the First "Bite of Work"
- Support the ability of different authorities to use a shared login service: Single Sign-On (SSO)
- Establish a structure that can be the basis for exchanging authorisation information between independent organisations
- Embrace the use of different mechanisms for, and levels of, authentication
Resulting Reference Architecture for Cross-organizational Single Sign On
(Figure, labels translated from Danish: user (Bruger), "Portal", Identity Provider (IdP) comprising an authentication portal and an authentication service (autenticitetssikringsportal / autenticitetssikringsservice) holding identity information (identitetsinformation), Service Provider (SP), and login steps 1-4 (Trin 1-4).)
Conceptual architecture is adopted from the US Federal e-Authentication initiative
Includes recommendations about:
- Levels of authentication
- Core user identity attributes
- Unique key to link user accounts
SAML 2.0 is the recommended federation standard
Approved by Danish Government IT Architecture Committee after public hearing in Autumn 2005
SAML 2.0 is the recommended standard for federation in the Danish public sector
- Approved by IT Architecture Committee in April 2005
- Reconfirmed in March 2006 together with the decision to work for convergence among the different federation standards/specifications
- Choice of SAML 2.0 validated by Gartner in October 2006 report
Basis for Recommending SAML 2.0
Based on an evaluation of:
- Functionality according to requirements
- Support for the standard in commercially available products
- Usage of SAML in other public sector solutions
- Statements from research and analyst companies
- Ratified open standard
- "Composability" with other ratified standards like XACML and SPML
- Future development of the standard
- Availability of 3rd party interop testing/certification
Challenges of having competing standards - The question is
Should federation be considered an integration technique that is used to allow several organisations share a limited set of applications? – or –
Should federation be considered an underlying necessary infrastructure to allow citizens, businesses and authorities to collaborate broadly?
Can we fulfill the goals in the EU eGovernment i2010 action plan without taking the infrastructure perspective?
This cannot be studied as a single-station or individual-line issue. This is a question about creating an overall efficient infrastructure, and how we best spend the taxpayers' money while creating it.
Federation is similar to creating an efficient railroad infrastructure
Having different width tracks side-by-side probably isn’t the best way to do it…
But isn't it just a question about putting up some gateways?
Well, it can be a tactical solution, but besides the extra cost being pushed into the federation it adds performance, scalability and security issues.
However, currently it can only work for lower-level security scenarios, as the integrity requirements for higher-level security cannot be maintained.
Illustration follows.
(Figure: users (citizen, private employee, public employee) log in via web or local network to the login service (IdP) with its attribute service, backed by a certificate authority and existing PIN codes / user id and password; SAML 2.0 assertions flow to the service providers.)
Danish public sector shared service requirements for maintaining integrity of users' identity in a gateway scenario
The above is one of the basic use cases for a Danish public sector federated identity concept. The SAML 2.0 standard is for many good reasons the preferred way to support this. However, there is a desire for a gateway function that also includes service requesters supporting only the WS-Federation specification as illustrated on the next slide.
The desired gateway should allow service requesters to enter the federation using the WS-Federation specification and then convert the WS-Federation supplied token (presumably a SAML 1.1 token as user attributes also should be transferred) to a SAML 2.0 token
(Figure: a public employee logs in with WS-Federation carrying a SAML 1.1 token; the gateway converts the WS-Fed token to a SAML 2.0 token, which is passed to the service providers alongside the ordinary SAML 2.0 login path through the login service (IdP).)
The issue for the gateway scenario arises when the service provider requires high confidence in the asserted identity's validity. This requires the assertion to be signed at the point of origin. However, even if WS-Federation allows for signing the SAML 1.1 token, this signature cannot be maintained when the token is converted to a SAML 2.0 token.
(Figure: the same gateway scenario, with two service providers requiring High confidence in the asserted identity's validity and one requiring only Some confidence.)
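The integrity problem described above, as an added illustration that is not part of the original presentation or of any Danish public sector software. It models an IdP-issued SAML 1.1-style token, a gateway rebuilding it as a SAML 2.0 assertion, and a service provider deciding which confidence level the result can support. The issuer names, keys, subject and attribute values are constructed, and an HMAC over the serialized assertion stands in for an XML signature so the script runs with the standard library alone; the point it demonstrates, that a signature covers only the exact bytes it was computed over, is the same.

```python
"""Constructed model of the WS-Federation -> SAML 2.0 gateway integrity problem.
Example code, not the Danish reference architecture's own software. HMAC-SHA256
stands in for XML-DSig; issuers, keys and attribute values are made up."""
import hmac
import hashlib
import xml.etree.ElementTree as ET

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # SAML 2.0 assertion namespace

# Constructed issuer names and signing keys; none of these are real endpoints.
IDP = "https://idp.example.dk"          # login service at the point of origin
GATEWAY = "https://gateway.example.dk"  # WS-Federation to SAML 2.0 gateway
KEYS = {IDP: b"constructed-idp-key", GATEWAY: b"constructed-gateway-key"}


def canonicalize(xml_text):
    """Parse and re-serialize so equal content always yields the same bytes to sign."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")


def sign(xml_text, signer):
    """Return a token: assertion bytes, the party that signed them, and the MAC."""
    body = canonicalize(xml_text)
    mac = hmac.new(KEYS[signer], body.encode(), hashlib.sha256).hexdigest()
    return {"assertion": body, "signer": signer, "signature": mac}


def verify(token):
    """True only if the signature matches the assertion bytes actually carried."""
    expected = hmac.new(KEYS[token["signer"]], token["assertion"].encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["signature"])


def issue_saml11(subject, attributes):
    """Constructed SAML 1.1-style token, as a WS-Federation requester would carry it."""
    ET.register_namespace("saml", SAML11_NS)
    root = ET.Element(f"{{{SAML11_NS}}}Assertion", Issuer=IDP)  # SAML 1.1: Issuer is an attribute
    subj = ET.SubElement(root, f"{{{SAML11_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML11_NS}}}NameIdentifier").text = subject
    stmt = ET.SubElement(root, f"{{{SAML11_NS}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML11_NS}}}Attribute", AttributeName=name)
        ET.SubElement(attr, f"{{{SAML11_NS}}}AttributeValue").text = value
    return sign(ET.tostring(root, encoding="unicode"), IDP)


def convert_to_saml2(token11):
    """Gateway step: rebuild the same content as a SAML 2.0 assertion. The IdP's
    signature is carried across unchanged, to show it no longer covers these bytes."""
    old = ET.fromstring(token11["assertion"])
    ET.register_namespace("saml2", SAML2_NS)
    root = ET.Element(f"{{{SAML2_NS}}}Assertion", Version="2.0")
    ET.SubElement(root, f"{{{SAML2_NS}}}Issuer").text = old.get("Issuer")  # SAML 2.0: Issuer is an element
    subj = ET.SubElement(root, f"{{{SAML2_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML2_NS}}}NameID").text = old.find(
        f".//{{{SAML11_NS}}}NameIdentifier").text
    stmt = ET.SubElement(root, f"{{{SAML2_NS}}}AttributeStatement")
    for attr in old.iter(f"{{{SAML11_NS}}}Attribute"):
        new_attr = ET.SubElement(stmt, f"{{{SAML2_NS}}}Attribute", Name=attr.get("AttributeName"))
        ET.SubElement(new_attr, f"{{{SAML2_NS}}}AttributeValue").text = attr.find(
            f"{{{SAML11_NS}}}AttributeValue").text
    return {"assertion": canonicalize(ET.tostring(root, encoding="unicode")),
            "signer": token11["signer"], "signature": token11["signature"]}


def gateway_resign(token2):
    """What a gateway must do to hand out a verifiable SAML 2.0 token: sign it itself."""
    return sign(token2["assertion"], GATEWAY)


def confidence(token):
    """SP-side assessment from the slides: a valid signature from the point of origin
    gives High confidence; a valid gateway signature only Some; otherwise none."""
    if not verify(token):
        return "none"
    return "High" if token["signer"] == IDP else "Some"


def sp_accepts(token, required):
    """Policy check: the confidence the token supports must meet the SP's requirement."""
    rank = {"none": 0, "Some": 1, "High": 2}
    return rank[confidence(token)] >= rank[required]


if __name__ == "__main__":
    origin = issue_saml11("Kenneth", {"Role": "public-employee"})  # constructed subject
    converted = convert_to_saml2(origin)
    delivered = gateway_resign(converted)
    print("origin token verifies:", verify(origin), "->", confidence(origin))
    print("converted, IdP signature kept:", verify(converted), "->", confidence(converted))
    print("converted, gateway re-signed:", verify(delivered), "->", confidence(delivered))
```

Because the gateway has to emit new bytes, the only signature a service provider can verify on the converted token is the gateway's own. A service provider that demands signing at the point of origin (High confidence) therefore cannot be served through the gateway, while one that accepts Some confidence can, which is the distinction the figure draws.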
Current focus for Danish public sector federation
- Establishing a shared public sector login solution including the necessary trust framework
- Add Attribute Authority to the reference architecture
- Federation of web services
- Collaboration in the Liberty Alliance eGovernment Special Interest Group, with participation from public sector institutions in Finland, France, New Zealand, Norway, UK, USA, and Denmark. Sample work themes: public sector input to Legal Templates work, developing eGovernment scenarios, business models for federations, promotion of open standards
Additional Info
Søren Peter Nielsen, e-mail: [email protected]
Get a document detailing in English the motivations for the Danish public sector recommendation of SAML 2.0 here: http://www.oio.dk/arkitektur/brugerstyring/english/saml
Open Standard - The definition
Everyone agrees that open standards are good, but not everyone agrees on the definition of "open".
The Danish definition of a completely open standard:
- Available and free for all
- Stays available and free
- Freely available and documented in all details
- NEW: Open process.
Why open standards?
- Gives low entry barriers to suppliers
- Avoid lock-in
- Make it easier for everyone to make an offer
- Cheaper solutions
- More choice
- Help bring about interoperability
- Facilitate communication and information exchange
- Fosters innovation!
Two paths to G2G interoperability - benefits and drawbacks
Open standard vs. proprietary standard:
- Entry barriers: low entry barriers to IT suppliers (since the standard is free to use) vs. high entry barriers to IT suppliers (due to high license costs, or no access to the standard at all)
- Suppliers: more suppliers vs. fewer suppliers
- Competition: competition vs. less competition
- Solutions: cheaper solutions and choice vs. more expensive solutions and less choice
- Migration: easier migration to new systems vs. difficult, expensive or impossible migration to new systems
- Data: easier or cheaper transformation of data vs. no need for transformation of data (e.g. everyone chooses the MS Office suite), otherwise difficult or impossible transformation of data
- Lock-in: choice (no supplier lock-in) vs. no choice (supplier lock-in)
- Systems: no need for common IT systems vs. need for/tendency towards one common IT system
- G2G interoperability: choice vs. no choice
- Communication: easier communication and information exchange vs. expensive or impossible communication and information exchange
- G2B, G2C, etc.: interoperability vs. no interoperability
Reference models help moving forward with a decentralized approach
- Give common language and common understanding for a well defined area
- Help identify requirements for new standards and describe interfaces between different elements
- Create a base for interoperability in an open market
- Help creating alignment, removing redundancy, identifying shared solutions/components
The High Level Reference Model for Identity and Access Management
(Figure: reference model components: Administration and Management, Logging and Audit, Storage, Authentication, Authorization, Issuing of Credentials.)
The reference model is to be used as a tool for thinking through, creating and sharing processes, services and technologies for Identity and Access Management.
A reference model is based on a small number of unifying concepts and is an abstraction of the key concepts, their relationships, and their interfaces both to each other and to the external environment.
Reference models have a broad audience. All "recipients" are not necessarily known in advance.