
IT Infrastructure and Implementation Division
Danish National IT & Telecom Agency
IT Architect Søren Peter Nielsen - [email protected]

The OIOSAML Toolkits
Accelerating a common eGov infrastructure using open source reference implementations

OSOR.eu eID/PKI/eSignature Community Workshop in Brussels, 13. November 2008

Agenda

- WHY – Role of OSS in the Danish Public Sector
- WHERE – Where do the OIOSAML toolkits help?
- WHAT – What exactly is contained in the toolkits?
- WHICH – Which OSS license is used?
- HOW WELL – What kind of quality assurance?
- Status
- What's next
- WHEN – When can you get the toolkits? Now ☺

Why is Open Source important

In Denmark, we want to build an IT infrastructure that enables

- Innovation
- Competition
- Openness

It must be easy for developers to utilize the IT infrastructure in their applications.

Open source components and tools play an important role in this quest – e.g. in

- Accelerating deployment
- Driving down integration cost

The OIOSAML Toolkits help enable federation – Identity in the Cloud

- Web Single Sign On for citizens and employees
- Ability for institutions and businesses to do their own authentication of users accessing Software-as-a-Service (SaaS) applications
- Supports OIOSAML 2.0, which is a profile of the SAML 2.0 standard
- Consistent with the Liberty eGov profile testing criteria

External Authentication Architecture

A Service Provider can have the user authenticated at an external Identity Provider, and potentially receive additional user-associated attributes.

[Diagram: the user logs in at the Identity Provider; the Identity Provider returns "Log in OK" plus attributes to the Service Provider.]

Single Sign On Architecture

A user can achieve Single Sign On with Service Providers that trust her/his Identity Provider.

[Diagram: one Identity Provider and two Service Providers; after "Log in OK" plus attributes at the first Service Provider, the user is also accepted at Service Provider 2.]

Integration requirements

[Diagram: Identity Provider and Service Provider exchange, "Log in OK" plus attributes.]

- User must have a browser where JavaScript is enabled
- Identity Provider must support the "IdP mode" in OIOSAML
- Service Provider must support the "SP mode" in OIOSAML

The OIOSAML Toolkits include Service Provider reference implementations in Java and .Net

Additionally

[Diagram: Identity Provider and Service Provider exchange, "Log in OK" plus attributes.]

We have released a preconfigured Identity Provider that can be used for development & testing – also fully open source:

The preconfigured IdP consists of SimpleSAMLphp on Ubuntu in a VirtualBox image.

Toolkit capabilities *)

- SAML 2.0 Assertions
  - Create, modify and access SAML assertions
  - Serialize to and from XML
  - Generate and verify XML signatures on SAML assertions
  - Encrypt and decrypt SAML assertions
- SAML 2.0 Protocol
  - Create, modify and access SAML request and response messages
  - Serialize to and from XML
  - Generate and verify XML signatures on SAML messages
  - Support persistent pseudonyms at the protocol level
  - Perform AttributeQuery
- SAML 2.0 Bindings
  - Send and receive protocol messages over HTTP
- SAML 2.0 Profiles
  - Support OIOSAML 2.0 profiles (SSO, SLO only via HTTP redirect, Attribute and IdP Discovery profiles)
- SAML 2.0 MetaData
  - Support export and import of SAML 2.0 MetaData

*) Additional capabilities in OIOSAML.JAVA as it is based on OpenSAML 2.0
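How a protocol message is sent "over HTTP" with the HTTP-Redirect binding, the binding the profiles above use for SLO, as an added Python example that is not code from the presentation or from the OIOSAML toolkits. It implements the DEFLATE encoding from the SAML 2.0 Bindings specification (section 3.4.4.1); the AuthnRequest and the URLs are constructed placeholders, and the binding's optional query-string signature (SigAlg and Signature parameters) is not covered.

```python
# Added example (not OIOSAML code): the DEFLATE encoding of the SAML 2.0 HTTP-Redirect
# binding (SAML 2.0 Bindings, section 3.4.4.1) applied to an AuthnRequest. The request
# and the URLs are constructed placeholders; the optional query-string signature is omitted.
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest as an SP would send it to the IdP.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2008-11-13T10:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_encode(xml_text):
    """Raw DEFLATE (no zlib header or checksum), then base64: the value of the
    SAMLRequest or SAMLResponse parameter before URL-encoding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects a raw DEFLATE stream
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def deflate_decode(encoded):
    """Inverse of deflate_encode; raises zlib.error or binascii.Error on malformed input."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def build_redirect_url(idp_sso_url, xml_text, relay_state=None, parameter="SAMLRequest"):
    """Build the URL the SP redirects the browser to; urlencode performs the final URL-encoding."""
    params = {parameter: deflate_encode(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque SP state that the IdP echoes back unchanged
    separator = "&" if urlparse(idp_sso_url).query else "?"
    return idp_sso_url + separator + urlencode(params)


def parse_redirect_url(url, parameter="SAMLRequest"):
    """What the receiving side does: take the parameter from the query string and inflate it.
    Returns (xml_text, relay_state); relay_state is None when absent."""
    query = parse_qs(urlparse(url).query)
    xml_text = deflate_decode(query[parameter][0])
    return xml_text, query.get("RelayState", [None])[0]


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.test/sso", SAMPLE_AUTHN_REQUEST, "/after-login")
    print(url)
    print(parse_redirect_url(url))
```

Because the message arrives inflated from untrusted input, a receiver should cap the decompressed size before parsing it, and, when the query string is signed, verify the signature over the encoded parameters before inflating anything.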

Mozilla Public License 1.1

The reference implementations have gone through interoperability testing before release

Test case     OIOSAML.OIO   OIOSAML.NET   SimpleSAMLphp SP
IT-LOGON-1a   ok            ok            ok
IT-LOGON-1b   ok            ok            ok
IT-SSO-1a     ok            ok            ok
IT-SSO-1b     ok            ok            ok
IT-SSO-2      ok            ok            ok
IT-SPSES-1    ok            ok            ok
IT-SLO-1      ok            ok            ok
IT-SLO-2      ok            ok            ok
IT-LOA-1      ok            Not passed    Not passed
IT-TIM-2      ok            ok            ok
IT-CERT-1a    ok            ok            ok
IT-CERT-1b    ok            Not passed    Not passed
IT-CERT-1c    ok            Not passed    Not passed
IT-CERT-1d    n/a           n/a           n/a
IT-CERT-1e    Not tested    Not tested    n/a
IT-CDC-1      ok            Not passed    Not passed
IT-ATTQ-1     ok            ok            Not passed

See the full report in the Documentation section at http://www.softwareborsen.dk/projekter/softwarecenter/brugerstyring

We have also tested SimpleSAMLphp.

In addition, a detailed scenario validation report has been created for OIOSAML.NET.

Status

- Reference implementations released summer 2008
- Already being used for seven service provider solutions in the Danish federation *)
- Has already helped
  - Accelerating deployment
  - Driving down integration cost
- Much international interest as well
- More Open Source components for federation coming
  - SAML 2.0 SP support in the OSS CMS Umbraco using OIOSAML.NET
  - Java and .Net reference implementations for identity-based web services

*) Additional solutions utilize OSS SAML 2.0 software (SimpleSAMLphp)

[Diagram: identity-based web services. Components: IdP, SP, Token Issuer, WSC, WSP, Token Validator, T&C; trust is established beforehand ("Trust prior established").]

The toolkits and reference implementations are generally applicable for federations based on SAML 2.0!!

Get them from the Danish Open Source Software Repository – Softwarebørsen

http://www.softwareborsen.dk/projekter/softwarecenter/brugerstyring

Includes fora for asking questions and discussing the toolkits. A mailing list will be added soon.

My email: [email protected]

This cannot be studied as

- a single station issue
- an individual line issue

This is a question about creating an overall efficient infrastructure – and how we best spend the taxpayers' money while creating it.

Federation is similar to creating an efficient railroad infrastructure.

Having different width tracks side-by-side probably isn't the best way to do it…

Microsoft now also on board with SAML 2.0

“Institutions can now acquire the products that best support their business requirements without concern about "betting on the wrong horse" …. From a national perspective … we believe it will accelerate the deployment of a common infrastructure based on interoperable standards.”

Principles for the Federation

- It is an Open Federation!
- Open and Flexible Architecture
- Standards Based!
- Phased Development
- Extra Support for First Comers

The first phase of the federation delivers Web Single Sign On (SSO)

[Diagram: the Citizen Portal (Service Provider) sends the user to the "Easy" Log-in Identity Provider, which returns "Login OK" plus attributes.]

Authentication is the responsibility of an external shared service

The first phase of the federation delivers Web Single Sign On (SSO)

The user can take advantage of single sign-on (but can also opt out of SSO)

[Diagram: one Identity Provider with two Service Providers, the Citizen Portal and Tax Self-service ($$$$); after "Login OK" plus attributes at the first, the user is also accepted at the second.]

Building out the federation

How does a Service Provider (SP) join the federation?

- Well-defined process for joining
- Document suite for SP
  - Terms & Conditions
  - Cookbook
  - Policies
    - Levels of Authentication
    - Certificates, Logging
    - Timeout, Time setting
  - Integration test
  - Operations & Support
  - Contingency Plan

Is it fast and cheap to integrate a Service Provider?

Limitations in growing the federation

- Scarceness of skills
- Limited budgets

are being addressed through

- Knowledge dissemination (pilot, workshops)
- Considering "certification" of integration consultants
- Coding samples and tools
- Nudging the market to offer attractively priced "starter packages"
- Open Source toolkits and reference implementations
- Considering "technical approval" of hosted services