2. About me: Andreas Åkre Solberg
› Work at UNINETT in the Feide team:
the Norwegian Identity Federation for Education and Research
› Blog about Identity research at http://rnd.feide.no
› Initial developer and project leader of
the award-winning SAML software product SimpleSAMLphp.
› Implemented the collaboration tool Foodle: https://foodl.org
› Been part of building the nordic cross-federation http://kalmar2.org
› Been part of the eduGAIN project - building an European cross-federation.
› Author of the Interoperable SAML Deployment Profile http://saml2int.org
› Now leading an EC-funded research project called «Identity Federations»
within the GÉANT3 Programme,
... where we are building the «Federation Lab».
3. Federation Lab
› Container for useful tools, libraries, debugging, testing and validation.
› Focus on scalability, harmonization, interoperability and usability.
http://fed-lab.org
Components of the Federation Lab:
› Debugger
› Test IdPs
› Automated SP Testing
› Best-Practice Guides
› DiscoJuice
› SAMLmetaJS
› SAML Harmonization Profiles
› Registry for test SPs
4. Scalability: our situation
Interconnecting…
› Tens of Identity Federations
› Hundreds of Service Providers
› Thousands of Identity Providers
5. Dynamic metadata
The basic challenge is scalable distribution of dynamic metadata.
Metadata aggregation
› Metadata is aggregated at federation level and at inter-
federation level.
Diagram: a cross-federation aggregate sits on top of several federation
aggregates; each federation in turn aggregates the metadata of its own SPs
and IdPs.
6. Metadata Challenges
Commercial vendors do not support dynamic metadata loading :(
AFAIK only SimpleSAMLphp and Shibboleth support that.
Several implementations of «metadata aggregators» are popping up, and
we need to harmonize them. Therefore we wrote the
› Basic Metadata Aggregation Profile
defining how an aggregator should handle border cases.
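To make the border-case problem concrete, here is a toy aggregator written for this page (it is not SimpleSAMLphp, Shibboleth or any aggregator named on the slides, and the two feeds are constructed sample data). It merges two federation feeds into one inter-federation aggregate and has to decide two things the Basic Metadata Aggregation Profile is about: what to do when the same entityID shows up in more than one feed, and which validUntil the aggregate gets. The policy it applies (keep the first copy, take the earliest validUntil) is the author's choice for the example, not the profile's text. It also assumes the feeds' XML signatures were verified before they reached it; an aggregator that skips that step lets any feed inject entities into every downstream federation.

```python
"""Toy SAML metadata aggregator (illustration only, not code from any
aggregator named on the slides).  Merges per-federation EntitiesDescriptor
feeds into one aggregate and applies explicit border-case rules."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample feeds (not real federation metadata).  Feed A expires
# later than feed B, and https://idp.example.edu/idp is registered in both.
FEED_A = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="fed-a"
    validUntil="2011-06-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://sp.example.org/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

FEED_B = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="fed-b"
    validUntil="2011-05-15T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def aggregate(feeds, on_duplicate="first"):
    """Merge (name, xml) feeds into one EntitiesDescriptor.

    Border-case policy (chosen for this example; a real aggregator follows
    its profile):
      * duplicate entityID: keep the copy from the earliest feed ("first")
        or refuse to build the aggregate at all ("reject");
      * validUntil of the aggregate = earliest validUntil of any source, so
        the aggregate never outlives a feed it was built from.
    Assumption: each feed's XML signature was verified before calling this;
    no signature checking happens here.
    """
    seen = {}            # entityID -> (feed name, EntityDescriptor element)
    valid_until = None
    report = []
    for name, xml_text in feeds:
        root = ET.fromstring(xml_text)
        vu = root.get("validUntil")
        if vu:
            dt = datetime.strptime(vu, TS).replace(tzinfo=timezone.utc)
            valid_until = dt if valid_until is None else min(valid_until, dt)
        # iter() is recursive, so a feed that is itself an aggregate works too
        for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
            eid = ent.get("entityID")
            if eid in seen:
                msg = f"entityID {eid} in {name} already seen in {seen[eid][0]}"
                if on_duplicate == "reject":
                    raise ValueError(msg)
                report.append(msg + "; keeping first copy")
                continue
            seen[eid] = (name, ent)
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": "aggregate"})
    if valid_until is not None:
        out.set("validUntil", valid_until.strftime(TS))
    for _, ent in seen.values():
        out.append(ent)
    return out, report


def entity_ids(root):
    """entityIDs in document order, for inspecting an aggregate."""
    return [e.get("entityID") for e in root.iter(f"{{{MD}}}EntityDescriptor")]


if __name__ == "__main__":
    agg, report = aggregate([("fed-a", FEED_A), ("fed-b", FEED_B)])
    print(ET.tostring(agg, encoding="unicode"))
    print("\n".join(report))
```

Run with two feeds the aggregate carries the earlier validUntil (2011-05-15) and three distinct entities, and the report names the duplicate. Switching `on_duplicate="reject"` is the stricter policy for a cross-federation aggregator, where two federations claiming the same entityID usually means a registration conflict rather than a harmless overlap.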
8. DiscoJuice
› Local Memory (cookie)
› Remote Memory (DiscoReadWrite protocol + IdP Discovery)
› JavaScript only, super simple to deploy
› DiscoJuiceJSON compact UI-focused metadata format
(MDUI friendly)
› Presents logos, searchable keywords, name, description, country...
› Automatic discovery of country
› HTML5 Geolocation API
› Graceful non-JavaScript fallback
› Inline incremental search
› Flexible integration API using JS callbacks
› Protocol agnostic, demoed with alternative protocols
9. DiscoJuice Architecture
Diagram: on the Service Provider side, the application (Foodle) includes
DiscoJuice with a simple <script ...> reference; DiscoJuice reads
DiscoJuiceJSON from an MDX API exposed by the SP's SimpleSAMLphp and hands
the chosen IdP back to the application through a JS callback. On the
federation side, a central SimpleSAMLphp metadata aggregator feeds the SP's
SimpleSAMLphp with metadata.
This deployed architecture is just one example of how DiscoJuice is deployed at a demo service
10. Interoperability
› No chance whatsoever to test all interconnected SPs and IdPs.
› We need to establish a reliable harmonization of deployment
configurations of SAML entities.
› Interoperability issues are not seen by operators, but by real
end-users. In general, user-facing error messages in SAML products are
far from user-friendly.
› The metadata format is not sufficient to ensure a compatible
configuration of two products.
11. Where interoperability issues occur
SAML weak points
› Border cases (using less-used SAML elements, and less
common flows)
› Single Logout
› XML Signatures
› XML Encryption
› Assertion Binding (SSL, authentication, etc)
› Software bugs
› Error handling
12. Ensuring interoperability
Take 1: Profiling
Interoperable SAML Deployment Profile [saml2int]
http://saml2int.org
› Requires support for basic features, bindings and protocols
› Discourages use of non-standard features
› Harmonizes configuration of options in SAML
Significantly decreases the chances of interoperability issues.
› Although saml2int is getting attention, it is difficult to validate
configurations against it. It works more as a dispute-resolution tool.
13. Ensuring interoperability
Take 2: Automated Testing
› Open SP registry allowing anyone to register Service
Providers they would like to test.
› Registry features a new MetadataJS editor.
› Automated SP Testing instantly runs through approx. 80
different flows with various SAML options, and reports flaws,
errors and non-recommended settings.
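The profiling slide (saml2int) and the automated-testing slide meet in the static part of such a test: checking a registered SP's metadata before any flow is run. The checker below is written for this page; it is not the fed-lab.org tester and its rules are the author's own selection of settings a report would flag (HTTPS on the AssertionConsumerService, a signing certificate in metadata, an HTTP-POST endpoint for the Response, WantAssertionsSigned), not the saml2int rule set itself. Both SP metadata documents are constructed samples, and the certificate in the second one is a placeholder string, not a real certificate.

```python
"""Illustrative static checker for SP metadata (author's example, not the
fed-lab.org tester).  Returns findings as (severity, message) tuples so a
test report can list flaws, errors and non-recommended settings."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: plaintext ACS, no signing key, no WantAssertionsSigned.
WEAK_SP = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://weak.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{POST}"
        Location="http://weak.example.org/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample with the weak settings corrected.  The X509Certificate
# value is a placeholder, not a real certificate.
GOOD_SP = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://good.example.org/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>U0FNUExFLUNFUlQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{POST}"
        Location="https://good.example.org/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp(xml_text):
    """Check one SP EntityDescriptor; return a list of (severity, message)."""
    findings = []
    root = ET.fromstring(xml_text)
    if not root.get("entityID"):
        findings.append(("error", "EntityDescriptor has no entityID"))
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        findings.append(("error", "no SPSSODescriptor; not an SP"))
        return findings

    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not any(a.get("Binding") == POST for a in acs):
        findings.append(("error",
            "no AssertionConsumerService with HTTP-POST binding; "
            "the SP cannot receive a Response the way saml2int expects"))
    for a in acs:
        loc = a.get("Location", "")
        if not loc.startswith("https://"):
            findings.append(("error",
                f"AssertionConsumerService {loc} is not https; "
                "assertions would be delivered over cleartext"))

    # KeyDescriptor without a use attribute applies to signing as well.
    signing = [k for k in sp.findall(f"{{{MD}}}KeyDescriptor")
               if k.get("use") in (None, "signing")]
    certs = [c.text.strip() for k in signing
             for c in k.iter(f"{{{DS}}}X509Certificate")
             if c.text and c.text.strip()]
    if not certs:
        findings.append(("warning",
            "no signing certificate in metadata; signed AuthnRequests and "
            "logout messages from this SP cannot be verified"))

    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append(("info",
            "WantAssertionsSigned not set; SP does not require the "
            "Assertion itself to be signed"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SP), ("good", GOOD_SP)):
        print(label, check_sp(doc) or "no findings")
```

Against the weak sample this yields one error (plaintext ACS), one warning (no signing key) and one informational note; the corrected sample comes back clean. The value of a registry-driven test is exactly that it runs checks like these against every registered SP instead of waiting for an end-user to hit the failure.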
14. Registry with MetaeditJS
Demo URL
https://fed-lab.org/simplesaml-register/module.php/metaedit2/?
16. Revising saml2int
based upon experience
Inputs to the saml2int revisions:
› Experiences from testing various products through the Tester
› Experiences from cross-federation projects
› Experiences from Kantara Interoperability Matrix Testing
17. Test-suite of Identity Providers
Registered Service Providers should be able to access a feed of
test Identity Providers running various SAML software.
Will be set up to facilitate DiscoJuice for discovery soon(!)
› Feide OpenIdP
› Federation Lab OpenIdP
› ProtectNetwork IdP
› TestShib
We want more Identity Providers!
Please!