Ministry of Science, Technology and Innovation, National IT and Telecom Agency IT Architect Søren Peter Nielsen The Role of SAML for Identity Management in the Danish Public Sector OASIS Adoption Forum London London, 28th November, 2006
Page 1: Ministry of Science, Technology and Innovation, National IT and Telecom Agency IT Architect Søren Peter Nielsen The Role of SAML for Identity Management.

Ministry of Science, Technology and Innovation, National IT and Telecom Agency
IT Architect Søren Peter Nielsen

The Role of SAML for Identity Management in the Danish Public Sector
OASIS Adoption Forum London
London, 28th November, 2006

Page 2:

Agenda

- A few facts about Denmark
- Motivations for choosing SAML 2.0
- Current status and initiatives

Page 3:

Denmark - the Fundamentals

- 5.5 million inhabitants and one of the richest and most equal countries in the world
- Four levels of government with divided responsibility for tasks, both horizontal and vertical (EU, central government, counties (14), municipalities (268))
- Ongoing major structural reform: fewer regions, larger municipalities
- Public sector makes up 1/3 of workforce
- Consensus culture in a multiparty system
- Has a PKI infrastructure with > 700,000 issued certificates to citizens & public/private employees

Page 4:

Danish e-Government Maturity

[Chart: Danish e-Government maturity, 2005]

Denmark has been number one in e-Readiness for the last three years according to the Economist Intelligence Unit and the IBM Institute for Business Value

Page 5:

Recent government decisions - April & June 2006

General e-government in Denmark: In 2012 all relevant written communication between companies, citizens and the public sector should be electronic.

Open standards: The Danish Parliament obliges the government to ensure that the use of IT is based on open standards. The government is required to maintain a set of open standards (January 2008). A comply-or-explain demand is placed on the authorities to follow the use of open standards in new solutions. After January 2008 open standards should be the foundation for the development and procurement of IT, to ensure competition.

Page 6:

Danish e-Government so far has been through a Decentralized Approach

[Diagram: A "common" Danish family on a "common" day. Family members: Mother Irene (company owner), Dad Kenneth (public employee), Daughter Louise (moving), Son Anders (student). Services shown: Servicecenter, Business services portal, Local Gov rental subsidiary, Police, Tax Auth, Local Gov case system, "EasyAccount", Educational loan & support.]

This is just an example showing a few selected services; it is not representative of the full set of Danish eGov services.

E-Government services are delivered by many different organizations

Page 7:

To give citizens and businesses ”one-stop” access to a de-centralized public sector an underlying coherent identity infrastructure is required

To avoid prescribing usage of certain products this identity infrastructure must be based on open standards

SAML 2.0 has become the "standard-of-choice" for governments deploying a wide variety of identity-based services

[Diagram: Citizens, Companies, Organisation 1, Organisation 2 and Authority 1-3 connected to each other through a shared identity infrastructure.]

This presentation will explain the Danish reasons for choosing SAML 2.0

Page 8:

Creating a coherent, secure, robust, effective and flexible public sector identity infrastructure is like eating an elephant

One bite at a time

Page 9:

Important Goals for the First "Bite of Work"

- Support the ability of different authorities to use a shared login-service: Single Sign-On (SSO)
- Establish a structure that can be the basis for exchanging authorisation information between independent organisations
- Embrace the use of different mechanisms for - and levels of - authentication

Page 10:

Resulting Reference Architecture for Cross-organizational Single Sign On

[Diagram labels: Bruger (User); "Portal" / Identity Provider (IdP); Service / Service Provider (SP); Trin 1 to Trin 4 (Step 1 to Step 4); Identitetsinformation (identity information); Autenticitetssikringsportal (authentication assurance portal); Autenticitetssikringsservice (authentication assurance service).]

Conceptual Architecture is adopted from US Federal e-Authentication initiative

Includes recommendations about
- Levels of Authentication
- Core user identity attributes
- Unique key to link user accounts

SAML 2.0 is the recommended federation standard

Approved by Danish Government IT Architecture Committee after public hearing in Autumn 2005

Page 11:

SAML 2.0 is the recommended standard for federation in the Danish public sector

- Approved by IT Architecture committee in April 2005
- Reconfirmed in March 2006 together with decision to work for convergence among the different federation standards/specifications
- Choice of SAML 2.0 validated by Gartner in October 2006 report

Page 12:

Basis for Recommending SAML 2.0

Based on an evaluation of:
- Functionality according to requirements
- Support for the standard in commercially available products
- Usage of SAML in other public sector solutions
- Statements from research and analyst companies
- Ratified open standard
- "Composability" with other ratified standards like XACML and SPML
- Future development of the standard
- Availability of 3rd party interop testing/certification

Page 13:

Challenges of having competing standards - The question is

Should federation be considered an integration technique that is used to allow several organisations to share a limited set of applications? - or -

Should federation be considered an underlying necessary infrastructure to allow citizens, businesses and authorities to collaborate broadly?

Can we fulfill the goals in the EU eGovernment i2010 action plan without taking the infrastructure perspective?

Page 14:

This cannot be studied as a single-station issue or as an individual-line issue. This is a question about creating an overall efficient infrastructure, and about how we best spend the tax payers' money while creating it.

Federation is similar to creating an efficient railroad infrastructure

Having different width tracks side-by-side probably isn’t the best way to do it…

Page 15:

But isn’t it just a question about putting up some gateways?

Well, it can be a tactical solution, apart from the extra cost being pushed into the federation and apart from the added performance, scalability and security issues.

However, currently it can only work for lower level security scenarios, as the integrity requirements for higher level security cannot be maintained.

Illustration follows

Page 16:

[Diagram: Loginservice (IdP) with Attribute Service, CertAuth and existing pin-codes/uid/pw. Users (citizen, private employee, public employee) log in via web or local network. Three Service Providers are connected to the login service using SAML 2.0.]

Danish public sector shared service requirements for maintaining integrity of users' identity in a gateway scenario

The above is one of the basic use cases for a Danish public sector federated identity concept. The SAML 2.0 standard is for many good reasons the preferred way to support this. However, there is a desire for a gateway function that also includes service requesters supporting only the WS-Federation specification, as illustrated on the next slide.

Page 17:

[Diagram: As on the previous slide, plus a public employee logging in with WS-Federation with a SAML 1.1 token. A Gateway receives the WS-FED token and issues a SAML 2.0 token towards the Service Providers.]

Danish public sector shared service requirements for maintaining integrity of users' identity in a gateway scenario

The desired gateway should allow service requesters to enter the federation using the WS-Federation specification and then convert the WS-Federation supplied token (presumably a SAML 1.1 token, as user attributes also should be transferred) to a SAML 2.0 token.

Page 18:

[Diagram: As on the previous slide. Two of the Service Providers require High confidence in the asserted identity's validity; one requires only Some confidence.]

Danish public sector shared service requirements for maintaining integrity of users' identity in a gateway scenario

The issue for the gateway scenario is when the service provider requires High confidence in the asserted identity's validity. This requires the assertion to be signed at the point of origin. However, even if WS-Federation allows for signing the SAML 1.1 token, this signature cannot be maintained when being converted to a SAML 2.0 token.
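The following is an added example, not code from the original slides or from the Danish reference architecture. It models the gateway scenario of pages 16-18 together with the "levels of authentication" recommendation from page 10: an IdP signs a token at the point of origin, a gateway re-packages a SAML 1.1-style token as a SAML 2.0-style token, and a service provider decides whether the confidence level it requires can still be met. Everything in it is an assumption made for illustration: signatures are HMAC-SHA256 over a canonical JSON serialisation keyed per issuer (standing in for XML digital signatures), tokens are plain dicts rather than XML, the issuer keys are constructed, and the level names "some" and "high" are taken from the wording on page 18 with a constructed ordering.

```python
# Added example (not from the original slides or the Danish reference
# architecture). Assumptions: HMAC-SHA256 over canonical JSON stands in for
# XML digital signatures, tokens are dicts, keys and level ranks are constructed.
import hashlib
import hmac
import json

# Constructed issuer keys. In a real federation the IdP and the gateway would
# publish X.509 signing certificates in their SAML metadata instead.
KEYS = {
    "idp": b"constructed-idp-signing-key",
    "gateway": b"constructed-gateway-signing-key",
}

# Constructed ordering of assurance levels, named after "Some confidence" and
# "High confidence" on page 18.
LEVEL_RANK = {"some": 1, "high": 2}


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(issuer: str, payload: dict) -> dict:
    """Attach a signature made with the named issuer's key."""
    mac = hmac.new(KEYS[issuer], canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signer": issuer, "sig": mac}


def verify(token: dict) -> bool:
    """Check the signature against the key of whoever claims to have signed."""
    expected = hmac.new(KEYS[token["signer"]], canonical(token["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


def issue_saml20(subject: str, attributes: dict, level: str) -> dict:
    """Direct path: the IdP signs a SAML 2.0-style token at the point of origin."""
    payload = {"format": "SAML2.0", "Subject": subject,
               "AttributeStatement": attributes, "AuthnContext": level}
    return sign("idp", payload)


def issue_saml11(subject: str, attributes: dict, level: str) -> dict:
    """Legacy path: the IdP signs a SAML 1.1-style token for a WS-Federation requester."""
    payload = {"format": "SAML1.1", "Subject": subject,
               "Attributes": attributes, "AuthnLevel": level}
    return sign("idp", payload)


def gateway_convert(token: dict) -> dict:
    """Re-package a SAML 1.1-style token as SAML 2.0-style.

    The origin signature covers the SAML 1.1 serialisation and cannot be
    carried over, so the only signature the gateway can put on the new token
    is its own. That is the integrity problem the slides describe.
    """
    if not verify(token):
        raise ValueError("inbound token signature invalid")
    p = token["payload"]
    converted = {"format": "SAML2.0", "Subject": p["Subject"],
                 "AttributeStatement": p["Attributes"],
                 "AuthnContext": p["AuthnLevel"],
                 "OriginIssuer": token["signer"]}  # a claim the gateway makes, not proof
    return sign("gateway", converted)


def origin_signature_covers(original: dict, converted: dict) -> bool:
    """Would the IdP's original signature verify over the converted payload? (No.)"""
    expected = hmac.new(KEYS["idp"], canonical(converted["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, original["sig"])


def sp_accept(token: dict, required_level: str, origin_signature_required: bool):
    """Service provider policy: valid signature, sufficient level, and (for
    high-confidence services) a signature made at the point of origin."""
    if not verify(token):
        return (False, "signature invalid")
    p = token["payload"]
    if p["format"] != "SAML2.0":
        return (False, "unsupported token format")
    if LEVEL_RANK[p["AuthnContext"]] < LEVEL_RANK[required_level]:
        return (False, "assurance level too low")
    if origin_signature_required and token["signer"] != "idp":
        return (False, "signed by gateway, not at point of origin")
    return (True, "accepted")


if __name__ == "__main__":
    legacy = issue_saml11("constructed-user", {"uid": "constructed-link-key"}, "high")
    via_gateway = gateway_convert(legacy)
    print(sp_accept(via_gateway, "some", origin_signature_required=False))
    print(sp_accept(via_gateway, "high", origin_signature_required=True))
```

The point the model makes is that the gateway-signed token is perfectly valid cryptographically, but the service provider can only ever trace it back to the gateway; the `OriginIssuer` field is an unverifiable claim. A service that needs "Some confidence" can accept this, while a service that needs "High confidence" and therefore a signature from the point of origin cannot, which is exactly the limit the slides place on the gateway approach.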

Page 19:

Current focus for Danish public sector federation

- Establishing a shared public sector login solution including necessary trust framework
- Add Attribute Authority to the reference architecture
- Federation of web services

Collaboration in Liberty Alliance eGovernment Special Interest Group

- Participation from public sector institutions in Finland, France, New Zealand, Norway, UK, USA, and Denmark
- Sample work themes: public sector input to Legal Templates work; develop eGovernment scenarios; business models for federations; promotion of open standards

Page 20:

Additional Info

Søren Peter Nielsen, E-mail: [email protected]

Get a document detailing in English the motivations for the Danish public sector recommendation of SAML 2.0 here: http://www.oio.dk/arkitektur/brugerstyring/english/saml

Page 21:

Open Standard - The definition

Everyone agrees that open standards are good. But not everyone agrees on the definition of "open".

The Danish definition of a completely open standard:

- Available and free for all
- Stays available and free
- Freely available and documented in all details
- NEW: Open process

Page 22:

Why open standards?

- Gives low entry barriers to suppliers
- Avoid lock-in
- Make it easier for everyone to make an offer
- Cheaper solutions
- More choice
- Help bring about interoperability
- Facilitate communication and information exchange
- Fosters innovation!

Page 23:

Two paths to G2G interoperability - benefits and drawbacks

Open standard (...since the standard is free to use):
- Low entry barriers to IT suppliers -> More suppliers -> Competition -> Cheaper solutions -> Choice
- Easier migration to new systems
- Easier or cheaper transformation of data
- Choice (no supplier lock-in)
- No need for common IT systems -> G2G interoperability -> Choice
- Easier communication and information exchange -> Interoperability (G2B, G2C, etc.)

Proprietary standard (...due to high license costs, or no access to the standard at all):
- High entry barriers to IT suppliers -> Fewer suppliers -> Less competition -> More expensive solutions -> Less choice
- Difficult, expensive or impossible migration to new systems
- No need for transformation of data, but difficult or impossible transformation of data when needed
- No choice (supplier lock-in)
- Need for/tendency towards one common IT system (e.g. everyone chooses the MS Office suite) -> G2G interoperability -> No choice
- Expensive or impossible communication and information exchange -> No interoperability (G2B, G2C, etc.)

Page 24:

Reference models help moving forward with a decentralized approach

- Gives common language and common understanding for a well defined area
- Helps identify requirements for new standards ..and describe interfaces between different elements
- Creates a base for interoperability in an open market
- Helps creating alignment, removing redundancy, identifying shared solutions/components

[Diagram: The High Level Reference Model for Identity and Access Management, with the elements Administration and Mgt, Logging and Audit, Storage, Authentication, Authorization, Issuing of Credentials.]

The reference model is to be used as a tool for thinking through, creating and sharing processes, services & technologies for Identity and Access Mgt.

A reference model is based on a small number of unifying concepts and is an abstraction of the key concepts, their relationships, and their interfaces both to each other and to the external environment.

Reference models have a broad audience. Not all "recipients" are necessarily known in advance.