IT Infrastructure and Implementation Division
Danish National IT & Telecom Agency
IT Architect Søren Peter Nielsen - [email protected]
The OIOSAML Toolkits
Accelerating a common eGov infrastructure using open source reference implementations
OSOR.eu eID/PKI/eSignature Community Workshop in Brussels, 13 November 2008
Agenda
• WHY – Role of OSS in Danish Public Sector
• WHERE – Where do the OIOSAML toolkits help?
• WHAT – What exactly is contained in the toolkits?
• WHICH – Which OSS license is used
• HOW WELL – What kind of quality assurance
• Status – What's next
• WHEN – When can you get the toolkits? Now ☺
Why is Open Source important
In Denmark, we want to build an IT infrastructure that enables
• Innovation
• Competition
• Openness
It must be easy for developers to utilize the IT infrastructure in their applications
Open source components and tools play an important role in this quest – e.g. in
• Accelerating deployment
• Driving down integration cost
The OIOSAML Toolkits help enable federation – Identity in the Cloud
• Web Single Sign On for citizens and employees
• Ability for institutions and businesses to do their own authentication of users accessing Software-as-a-Service (SaaS) applications
• Supports OIOSAML 2.0, which is a profile of the SAML 2.0 standard
• Consistent with Liberty eGov profile testing criteria
External Authentication Architecture
A Service Provider can have the user authenticated at an external Identity Provider, and potentially receive additional user-associated attributes
[Diagram: Identity Provider and Service Provider; the user logs in at the Identity Provider, which returns "Log in OK + attributes" to the Service Provider]
Single Sign On Architecture
A user can achieve Single Sign On with Service Providers that trust her/his Identity Provider
[Diagram: one Identity Provider and two Service Providers; after "Log in OK + attributes" at the Identity Provider the user is accepted by both Service Providers]
Integration requirements
[Diagram: Identity Provider and Service Provider exchanging "Log in OK + attributes"]
• User must have a browser where JavaScript is enabled
• Identity Provider must support the ”IdP mode” in OIOSAML
• Service Provider must support the ”SP mode” in OIOSAML
The OIOSAML Toolkits include Service Provider reference implementations in Java and .Net
Additionally
[Diagram: Identity Provider and Service Provider exchanging "Log in OK + attributes"]
We have released a preconfigured Identity Provider that can be used for development & testing – also fully open source:
The preconfigured IdP consists of SimpleSAMLphp on Ubuntu in a VirtualBox image
Toolkit capabilities *)
• SAML 2.0 Assertions
  • Create, modify and access SAML assertions
  • Serialize to and from XML
  • Generate and verify XML signatures on SAML assertions
  • Encrypt and decrypt SAML assertions
• SAML 2.0 Protocol
  • Create, modify and access SAML request and response messages
  • Serialize to and from XML
  • Generate and verify XML signatures on SAML messages
  • Support persistent pseudonyms at the protocol level
  • Perform AttributeQuery
• SAML 2.0 Bindings
  • Send and receive protocol messages over HTTP
• SAML 2.0 Profiles
  • Support OIOSAML 2.0 profiles (SSO, SLO only via HTTP redirect, Attribute and IdP Discovery profiles)
• SAML 2.0 MetaData
  • Support export and import of SAML 2.0 MetaData
*) Additional capabilities in OIOSAML.JAVA as it is based on OpenSAML 2.0
Mozilla Public License 1.1
The reference implementations have gone through interoperability testing before release

Test          OIOSAML.OIO   OIOSAML.NET   SimpleSamlPHP SP
IT-LOGON-1a   ok            ok            ok
IT-LOGON-1b   ok            ok            ok
IT-SSO-1a     ok            ok            ok
IT-SSO-1b     ok            ok            ok
IT-SSO-2      ok            ok            ok
IT-SPSES-1    ok            ok            ok
IT-SLO-1      ok            ok            ok
IT-SLO-2      ok            ok            ok
IT-LOA-1      ok            Not passed    Not passed
IT-TIM-2      ok            ok            ok
IT-CERT-1a    ok            ok            ok
IT-CERT-1b    ok            Not passed    Not passed
IT-CERT-1c    ok            Not passed    Not passed
IT-CERT-1d    n/a           n/a           n/a
IT-CERT-1e    Not tested    Not tested    n/a
IT-CDC-1      ok            Not passed    Not passed
IT-ATTQ-1     ok            ok            Not passed

See full report in the Documentation section at http://www.softwareborsen.dk/projekter/softwarecenter/brugerstyring
We have also tested SimpleSAMLphp
Status
• Reference implementations released summer 2008
• Already being used for seven service provider solutions in Danish federation *)
• Has already helped
  • Accelerating deployment
  • Driving down integration cost
• Much international interest as well
• More Open Source components for federation coming
  • SAML 2.0 SP support in OSS CMS Umbraco using OIOSAML.NET
  • Java and .Net reference implementations for identity based web services
*) Additional solutions utilize OSS SAML 2.0 software (SimpleSAMLphp)
[Diagram: identity-based web services – IdP, SP, Token Issuer, WSC and WSP with Token Validators, T&C; trust established beforehand]
The toolkits and reference implementations are generally applicable for federations based on SAML 2.0!!
Get them from the Danish Open Source Software Repository – Softwarebørsen
http://www.softwareborsen.dk/projekter/softwarecenter/brugerstyring
Includes fora for asking questions and discussing the toolkits. A mailing list will be added soon.
My email: [email protected]
This cannot be studied as
• a single station issue
• an individual line issue
This is a question about creating an overall efficient infrastructure – and how we best spend the taxpayers' money while creating it
Federation is similar to creating an efficient railroad infrastructure
Having different width tracks side-by-side probably isn’t the best way to do it…
Microsoft now also on board with SAML 2.0
“Institutions can now acquire the products that best support their business requirements without concern about "betting on the wrong horse" …. From a national perspective … we believe it will accelerate the deployment of a common infrastructure based on interoperable standards.”
Principles for the Federation
• It is an Open Federation!
• Open and Flexible Architecture
• Standards Based!
• Phased Development
• Extra Support for First Comers
The first phase of the federation delivers Web Single Sign On (SSO)
[Diagram: Identity Provider and Service Provider exchanging "Login OK + attributes"]
Authentication is the responsibility of an external shared service
The first phase of the federation delivers Web Single Sign On (SSO)
The user can take advantage of single sign-on (but can also opt out of SSO)
[Diagram: one Identity Provider and two Service Providers; one "Login OK + attributes" at the Identity Provider gives access to both Service Providers]
Building out the federation
How does a Service Provider (SP) join the federation?
• Well defined process for joining
• Document suite for SP
  • Terms & Conditions
  • Cookbook
  • Policies
    • Levels of Authentication
    • Certificates, Logging
    • Timeout, Time setting
  • Integration test
  • Operations & Support
  • Contingency Plan
Is it fast and cheap to integrate a Service Provider?
Limitations in growing the federation
• Scarceness of skills
• Limited budgets
are being addressed through
• Knowledge dissemination (Pilot, workshops)
• Considering ”Certification” of integration consultants
• Coding samples and tools
• Nudging the market to offer attractively priced ”starter packages”
• Open Source toolkits and reference implementations
• Considering ”technical approval” of hosted services