Federation Lab
https://fed-lab.org

Andreas Åkre Solberg
UNINETT
andreas@uninett.no
About Andreas Åkre Solberg
› Work at UNINETT in the Feide team:
the Norwegian Identity Federation for Education and Research
› Blog about Identity research at http://rnd.feide.no
› Initial developer and project leader of
the award-winning SAML software product SimpleSAMLphp.
› Implemented the collaboration tool Foodle: https://foodl.org
› Been part of building the Nordic cross-federation http://kalmar2.org
› Been part of the eduGAIN project - building a European cross-federation.
› Author of the Interoperable SAML Deployment Profile http://saml2int.org
› Now leading an EC-funded research project called «Identity Federations»
within the GÉANT3 Programme.
... where we are building the «Federation Lab».
Federation Lab
› Container for useful tools, libraries, debugging, testing and validation.
› Focus on scalability, harmonization, interoperability and usability.

[Figure: components of the Federation Lab, http://fed-lab.org]
› Debugger
› Test IdPs
› Automated SP Testing
› Best-Practice Guides
› DiscoJuice
› SAMLmetaJS
› SAML Registry for test SPs
› Harmonization Profiles
Scalability: our situation

 Interconnecting…

 › Tens of Identity Federations
 › Hundreds of Service Providers
 › Thousands of Identity Providers
Dynamic metadata
Basic challenge is about getting scalable dynamic metadata
distribution.

Metadata aggregation
› Metadata is aggregated at federation level and at
inter-federation level.

[Figure: a Cross-Federation aggregates two Federations, each of which aggregates its own SPs and IdPs]
Metadata Challenges
Commercial vendors do not support dynamic metadata
loading :(

AFAIK only SimpleSAMLphp + Shibboleth support that.

Several implementations of «Metadata aggregators» pop up, and
we need to harmonize these. Therefore we wrote the

› Basic Metadata Aggregation Profile

defining how an aggregator should handle border cases.
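To make those border cases concrete, here is an added example (not the Federation Lab's or SimpleSAMLphp's aggregator code) that merges two constructed federation feeds into one cross-federation feed. The duplicate-entityID, expiry and validUntil rules are this example's own choices, not the text of the Basic Metadata Aggregation Profile.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)
NOW = datetime(2012, 1, 1, tzinfo=timezone.utc)  # constructed "current time"

# Two constructed federation feeds: both publish the same IdP (a member of
# both federations), and feed B still carries an entity whose validUntil
# has already passed.
FEED_A = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="https://federation-a.example/feed" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.shared.example/saml2">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.a.example/saml2">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
FEED_B = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="https://federation-b.example/feed" validUntil="2029-06-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.shared.example/saml2">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.old.example/saml2"
      validUntil="2011-01-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_time(value):
    """Parse the UTC xs:dateTime form used in SAML metadata (no fractions)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def aggregate(feeds, now, name):
    """Merge feed strings into one EntitiesDescriptor; return (root, report).

    Border-case rules are this example's assumptions: the first feed to
    publish an entityID wins and later duplicates are reported and dropped;
    a feed or entity whose validUntil has passed is dropped; the aggregate's
    validUntil is the earliest one seen, so it never outlives its sources.
    """
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": name})
    seen, report, earliest = {}, [], None
    for feed in feeds:
        root = ET.fromstring(feed)
        fname = root.get("Name")
        if root.get("validUntil"):
            t = parse_time(root.get("validUntil"))
            if t <= now:
                report.append(("expired-feed", fname))
                continue
            earliest = t if earliest is None or t < earliest else earliest
        for ent in root.findall(f"{{{MD}}}EntityDescriptor"):
            eid = ent.get("entityID")
            if ent.get("validUntil") and parse_time(ent.get("validUntil")) <= now:
                report.append(("expired-entity", eid))
                continue
            if eid in seen:
                report.append(("duplicate", eid, fname, seen[eid]))
                continue
            seen[eid] = fname
            if ent.get("validUntil"):
                t = parse_time(ent.get("validUntil"))
                earliest = t if earliest is None or t < earliest else earliest
            out.append(ent)
    if earliest is not None:
        out.set("validUntil", earliest.strftime("%Y-%m-%dT%H:%M:%SZ"))
    return out, report

def entity_ids(root):
    return [e.get("entityID") for e in root.findall(f"{{{MD}}}EntityDescriptor")]

def run_demo():
    """Aggregate the two constructed feeds; returns (entityIDs, validUntil, report)."""
    root, report = aggregate([FEED_A, FEED_B], NOW, "https://cross.example/feed")
    return entity_ids(root), root.get("validUntil"), report
```

Call `run_demo()` to see the merged entity list, the clamped validUntil and the report of what was dropped and why.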
UI Scalability
The user must be asked before logging in, where to login. – If there are thousands of
alternative answers, making intuitive UI is not trivial. Attempts so far have failed.

[Screenshot: the Foodle front page with the DiscoJuice 1.0 dialog "Sign in to Foodle – Select your Provider", listing Feide, Feide OpenIdP, Protect Network, TERENA Secretariat, SURFnet BV, Twitter, GEANT GIdP for Homeless and Dutch institutions, with the controls "Show providers in Netherlands", "Show all providers" and "Help me, I cannot find my provider"]

Official launch at TNC2011 in May
DiscoJuice
› Local Memory (cookie)
› Remote Memory (DiscoReadWrite protocol + IdP Discovery)
› Javascript only, super simple to deploy
› DiscoJuiceJSON compact UI-focused Metadata format
(MDUI friendly)
› Presents logos, searchable keywords, name, descr, country...
› Automatic discovery of country
› HTML5 Geo-location API
› Graceful non-javascript fallback
› Inline incremental search
› Flexible integration API using JS callbacks.
› Protocol agnostic, demoed with alternative protocols.
DiscoJuice Architecture
[Diagram: on the Service Provider side, the application (Foodle) uses the SP API of a SimpleSAMLphp Service Provider with several authentication sources (AS); DiscoJuice is included through a simple <script ...> reference and hands the chosen IdP back through a js callback. On the federation-central side, a SimpleSAMLphp Metadata aggregator serves DiscoJuiceJSON to DiscoJuice and metadata via MDX to the Service Provider.]

This deployed architecture is just one example of how DiscoJuice is deployed at a demo service
Interoperability
 › No chance whatsoever to test all interconnected SPs and IdPs.
 › We need to establish a reliable harmonization of deployment
 configurations of SAML entities.
 › Interoperability issues are not seen by operators, but by real
 end-users. In general, user error messages in SAML products are
 far from user-friendly.
 › The metadata format is not sufficient to ensure a compatible
 configuration of two products.
Where interoperability issues occur
SAML weak points
 › Border cases (using less-used SAML elements, and less
 common flows)
 › Single Logout
 › XML Signatures
 › XML Encryption
 › Assertion Binding (SSL, authentication, etc)
 › Software bugs
 › Error handling
Ensuring interoperability
Take 1: Profiling
 Interoperable SAML Deployment Profile [saml2int]
 http://saml2int.org

 › Requires support for basic features, bindings and protocols
 › Discourages use of non-standard features
 › Harmonizes configuration of options in SAML

 Significantly decreases the chances of interoperability issues.

 › Although saml2int is getting attention, it is difficult to validate
 configurations. It works more as a means of dispute resolution.
Ensuring interoperability
Take 2: Automated Testing
 › Open SP registry allowing anyone to register Service
 Providers they would like to test.
 › Registry features a new MetadataJS editor.
 › Automated SP Testing instantly runs through approx. 80
 different flows with various SAML options, and reports flaws,
 errors and non-recommended settings.
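As an added example of the kind of static check such a tester reports (not the Federation Lab tester, and not its approx. 80 flows), this script runs a small set of checks over a constructed SP metadata document and separates errors from non-recommended settings. Which checks to include, and the placeholder certificate in the good document, are this example's choices.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata with problems an operator would only notice when a
# real login fails: no HTTP-POST consumer endpoint, a plain-http endpoint,
# only SAML 1.1 in protocolSupportEnumeration, and signed requests promised
# without any signing key.
BAD_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="sp-without-url">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.org/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The same SP after fixing the findings (certificate value is a placeholder).
GOOD_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml2">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return a list of (level, code, detail); level is 'error' or 'warning'."""
    findings = []
    root = ET.fromstring(xml_text)
    eid = root.get("entityID", "")
    parsed = urlparse(eid)
    if not (parsed.scheme and parsed.netloc):
        findings.append(("error", "entityid-not-url", eid))
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        findings.append(("error", "no-spssodescriptor", eid))
        return findings
    protocols = sp.get("protocolSupportEnumeration", "").split()
    if SAML2 not in protocols:
        findings.append(("error", "no-saml2-protocol", " ".join(protocols)))
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not acs:
        findings.append(("error", "no-acs", eid))
    elif not any(a.get("Binding") == POST for a in acs):
        findings.append(("error", "no-http-post-acs", eid))
    for a in acs:
        loc = a.get("Location", "")
        if urlparse(loc).scheme != "https":
            findings.append(("warning", "endpoint-not-https", loc))
    if sp.find(f"{{{MD}}}KeyDescriptor") is None:
        if sp.get("AuthnRequestsSigned", "false").lower() == "true":
            findings.append(("error", "signing-claimed-without-key", eid))
        else:
            findings.append(("warning", "no-keydescriptor", eid))
    return findings

if __name__ == "__main__":
    for level, code, detail in check_sp_metadata(BAD_SP):
        print(f"{level:8} {code:30} {detail}")
    print("fixed document:", check_sp_metadata(GOOD_SP))
```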
Registry with MetaeditJS
[Screenshot: the registry's metadata editor]

Demo URL
https://fed-lab.org/simplesaml-register/module.php/metaedit2/?
Automated Testing
[Screenshots: two test runs]
DEMO: Microsoft ADFS
DEMO: SimpleSAMLphp
Revising saml2int
based upon experience

[Diagram: three sources of experience feeding into saml2int Revisions]
› Experiences from testing various products through the Tester
› Experiences from cross-federation projects
› Experiences from Kantara Interoperability Matrix Testing
Test-suite of Identity Providers
 Registered Service Providers should be able to access a feed of
 test Identity Providers running various SAML software.

 Will be set up to facilitate DiscoJuice for discovery soon(!)

 › Feide OpenIdP
 › Federation Lab OpenIdP
 › ProtectNetwork IdP
 › TestShib

 We want more Identity Providers!
 Please!
Useful tools: Web-based debugger
Useful tools: Firefox plugin
Best Practice Documents
 › Single Logout
 › De-Provisioning
 › Monitoring and diagnostics (soon)
Tools to come
 › Automated Testing of Identity Providers (service)
 › Metadata validation service (service)
 › Federation Provisioning Engine (software)

 › Official releases of software and libraries:
   › Firefox plugin: SAMLtracer
   › DiscoJuice
   › SAMLmetaJS
Thanks

    http://rnd.feide.no

GÉANT Federation Lab