GÉANT Federation Lab

Federation Lab, https://fed-lab.org. Andreas Åkre Solberg, UNINETT, [email protected]


Post on 15-Jun-2015


DESCRIPTION

The GÉANT Federation Lab project presented at a Kantara Initiative Telecommunication ID Work Group meeting at the Telenor offices, Oslo, Norway.

TRANSCRIPT

Page 1: GÉANT Federation Lab

Federation Lab
https://fed-lab.org

Andreas Åkre Solberg, UNINETT
[email protected]

Page 2

About Me

› Work at UNINETT in the Feide team: the Norwegian Identity Federation for Education and Research
› Blog about Identity research at http://rnd.feide.no
› Initial developer and project leader of the award-winning SAML software product SimpleSAMLphp.
› Implemented the collaboration tool Foodle: https://foodl.org
› Been part of building the Nordic cross-federation http://kalmar2.org
› Been part of the eduGAIN project, building a European cross-federation.
› Author of the Interoperable SAML Deployment Profile http://saml2int.org
› Now leading an EC-funded research project called «Identity Federations» within the GÉANT3 Programme... where we are building the «Federation Lab».

Andreas Åkre Solberg

Page 3

Federation Lab

› Container for useful tools, libraries, debugging, testing and validation.
› Focus on scalability, harmonization, interoperability and usability.

Federation Lab http://fed-lab.org

[Slide diagram: the components of the Federation Lab]
› Best-Practice Guides
› Debugger
› Automated SP Testing
› SAML Registry for test SPs
› DiscoJuice
› SAMLmetaJS
› Harmonization Profiles
› Test IdPs

Page 4

Scalability: our situation

Interconnecting…
› Tens of Identity Federations
› Hundreds of Service Providers
› Thousands of Identity Providers

Page 5

Dynamic metadata

The basic challenge is getting scalable, dynamic metadata distribution.

Metadata aggregation
› Metadata is aggregated at federation level and at inter-federation level.

[Slide diagram: SPs and IdPs sit inside each Federation; the federations' aggregates are in turn combined by a Cross-Federation aggregate.]

Page 6

Metadata Challenges

Commercial vendors do not support dynamic metadata loading :(

AFAIK only SimpleSAMLphp + Shibboleth support that.

Several implementations of «Metadata aggregators» pop up, and we need to harmonize these. Therefore we wrote the

› Basic Metadata Aggregation Profile

defining how an aggregator should handle border cases.
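As an added example (not Federation Lab code and not a transcription of the Basic Metadata Aggregation Profile), here is a minimal aggregator that folds several federation feeds into one EntitiesDescriptor and takes an explicit decision on each of the border cases an aggregator has to rule on: nested EntitiesDescriptor groups, feeds and entities whose validUntil has passed, and the same entityID published by two feeds. The rules chosen here (first feed wins, the aggregate's validUntil is the shortest input validity capped at a local maximum) are assumptions for the example, as are the feed names and hostnames; the sample feeds are constructed and trimmed to the elements the aggregator inspects.

```python
"""Minimal SAML metadata aggregator with explicit border-case handling.

Added example; the policy below (first feed wins, validUntil = shortest input
validity capped at max_validity) is an assumption, not a published profile.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)  # serialize with the conventional md: prefix
ED = f"{{{MD}}}EntityDescriptor"


def parse_dt(value):
    """Metadata timestamps are xsd:dateTime in UTC, e.g. 2015-06-20T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def aggregate(feeds, now, max_validity=timedelta(days=7)):
    """feeds: list of (feed_name, xml_text). Returns (aggregate_xml, report).

    Signature verification of each input feed is out of scope here; in a real
    aggregator every feed must be verified before any of its content is trusted.
    """
    report = {"kept": [], "dropped_expired": [], "dropped_feeds": [], "duplicates": []}
    origin = {}  # entityID -> name of the feed that first published it
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": "urn:example:aggregate"})
    valid_until = now + max_validity  # never assert more validity than the inputs did

    for name, xml_text in feeds:
        root = ET.fromstring(xml_text)
        feed_vu = root.get("validUntil")
        if feed_vu and parse_dt(feed_vu) <= now:
            report["dropped_feeds"].append(name)  # stale feed: ignore it entirely
            continue
        if feed_vu:
            valid_until = min(valid_until, parse_dt(feed_vu))
        # iter() walks nested EntitiesDescriptor groups as well, flattening them
        for ed in root.iter(ED):
            eid = ed.get("entityID")
            ent_vu = ed.get("validUntil")
            if ent_vu and parse_dt(ent_vu) <= now:
                report["dropped_expired"].append(eid)
                continue
            if eid in origin:
                report["duplicates"].append((eid, origin[eid], name))
                continue  # first feed wins; the operator is told about the clash
            origin[eid] = name
            ed.attrib.pop("validUntil", None)  # validity is now asserted on the aggregate
            out.append(ed)
            report["kept"].append(eid)

    out.set("validUntil", valid_until.strftime("%Y-%m-%dT%H:%M:%SZ"))
    return ET.tostring(out, encoding="unicode"), report


# Constructed sample feeds (hostnames are made up), trimmed to what is inspected.
FEED_A = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  Name="urn:example:federation-a" validUntil="2015-06-20T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.a.example/idp"/>
  <md:EntityDescriptor entityID="https://sp.shared.example/sp"/>
</md:EntitiesDescriptor>"""

FEED_B = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  Name="urn:example:federation-b" validUntil="2015-06-25T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.b.example/idp"/>
  <md:EntitiesDescriptor Name="urn:example:federation-b:members">
    <md:EntityDescriptor entityID="https://sp.shared.example/sp"/>
    <md:EntityDescriptor entityID="https://idp.expired.example/idp"
      validUntil="2015-06-01T00:00:00Z"/>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>"""

FEED_STALE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  Name="urn:example:stale" validUntil="2015-06-10T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.stale.example/idp"/>
</md:EntitiesDescriptor>"""

NOW = datetime(2015, 6, 15, tzinfo=timezone.utc)  # fixed clock so the run is repeatable

if __name__ == "__main__":
    xml_out, rep = aggregate(
        [("federation-a", FEED_A), ("federation-b", FEED_B), ("stale", FEED_STALE)], NOW)
    print(rep)
    print(xml_out)
```

Two points are worth noting for anyone building this for real: the duplicate-entityID clash is the case that breaks cross-federation trust if it is resolved silently, so it is reported rather than merged; and the aggregate's validUntil is the minimum of the inputs, because an aggregator must never promise a relying party more validity than the source federation did.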

Page 7

UI Scalability

The user must be asked, before logging in, where to log in. If there are thousands of alternative answers, making an intuitive UI is not trivial. Attempts so far have failed.

[Screenshot: the Foodle front page (Norwegian UI: Log in, User settings, Help; "Welcome to Foodle. Foodle is a service for simple surveys or polls and for finding a meeting date that suits everyone"; "You are not logged in"; language menu from English to Hrvatski) with the DiscoJuice dialog on top: "Sign in to Foodle. Select your Provider", listing Feide (users at Norwegian educational institutions), Protect Network and Feide OpenIdP (for those without an institutional account), TERENA Secretariat, SURFnet BV, Twitter, GEANT GIdP for Homeless, Centraal bureau voor Schimmelcultures (KNAW), Bureau (KNAW), Hogeschool van Arnhem en Nijmegen and Hogeschool Zuyd, with the actions "Help me, I cannot find my provider", "Show providers in Netherlands" and "Show all providers". DiscoJuice © 2011, UNINETT.]

DiscoJuice

Official launch at TNC2011 in May

version 1.0

Page 8

DiscoJuice

› Local Memory (cookie)
› Remote Memory (DiscoReadWrite protocol + IdP Discovery)
› Javascript only, super simple to deploy
› DiscoJuiceJSON: compact, UI-focused metadata format (MDUI friendly)
› Presents logos, searchable keywords, name, description, country...
› Automatic discovery of country
› HTML5 Geo-location API
› Graceful non-Javascript fallback
› Inline incremental search
› Flexible integration API using JS callbacks
› Protocol agnostic, demoed with alternative protocols

Page 9

DiscoJuice Architecture

[Slide diagram. Boxes: Application (Foodle), SimpleSAMLphp Service Provider, DiscoJuice, SimpleSAMLphp Metadata aggregator, the Service Provider Federation (central) and several federation aggregators labelled AS. Labelled edges: the application includes DiscoJuice by a simple <script ...> reference and uses the Service Provider through its SP API; DiscoJuice hands the result back via a js callback; the Metadata aggregator serves DiscoJuiceJSON to DiscoJuice and is fed over MDX from the AS boxes.]

This deployed architecture is just one example of how DiscoJuice is deployed at a demo service.
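The two preceding slides describe DiscoJuice consuming a compact, UI-focused metadata feed derived from MDUI and doing incremental search with local or remote memory and a country preference. The following is an added example of that pipeline, written here for illustration and not DiscoJuice's own code: it turns SAML metadata with mdui:UIInfo into a small list of discovery entries, then ranks and filters them the way a "where are you from" UI needs to. The entry field names only mirror the idea of DiscoJuiceJSON and are an assumption, as is taking the country from a caller-supplied per-feed value (MDUI carries no country); the sample feeds and hostnames are constructed.

```python
"""Build a UI-focused IdP list from SAML metadata (MDUI) and search it.

Added example; the entry layout is modelled on the idea of a compact
discovery feed and is not the DiscoJuiceJSON format itself.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"


def localized(elements, lang="en"):
    """Value in the preferred language, else the first one present."""
    by_lang = {e.get(XML_LANG): (e.text or "").strip() for e in elements}
    return by_lang.get(lang) or next(iter(by_lang.values()), "")


def to_discovery_entries(metadata_xml, country):
    """Reduce one federation feed to what a discovery UI needs per IdP.

    country is assumed to be known per feed by the caller (an assumption of
    this example); SPs are skipped since they never belong in the chooser.
    """
    entries = []
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        ui = idp.find("md:Extensions/mdui:UIInfo", NS)
        names = ui.findall("mdui:DisplayName", NS) if ui is not None else []
        keywords = ui.findall("mdui:Keywords", NS) if ui is not None else []
        logo = ui.find("mdui:Logo", NS) if ui is not None else None
        entries.append({
            "entityID": ed.get("entityID"),
            "title": localized(names) or ed.get("entityID"),
            "keywords": sorted({w.lower() for k in keywords for w in (k.text or "").split()}),
            "logo": (logo.text or "").strip() if logo is not None else None,
            "country": country,
        })
    return entries


def search(entries, query, user_country=None, remembered=None):
    """Incremental search: each query token must be a prefix of a title word or
    keyword. Ranking: the remembered IdP (local/remote memory) first, then IdPs
    in the user's country (from geo-location), then the rest, by title."""
    tokens = query.lower().split()

    def matches(e):
        words = e["title"].lower().split() + e["keywords"]
        return all(any(w.startswith(t) for w in words) for t in tokens)

    def rank(e):
        return (e["entityID"] != remembered, e["country"] != user_country, e["title"])

    return [e["entityID"] for e in sorted(filter(matches, entries), key=rank)]


# Constructed sample feeds: one Norwegian, one Dutch (hostnames are made up).
FEED_NO = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.feide.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Feide</mdui:DisplayName>
        <mdui:Keywords xml:lang="en">norway education</mdui:Keywords>
        <mdui:Logo height="60" width="80">https://idp.feide.example/logo.png</mdui:Logo>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.foodle.example/sp"><md:SPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

FEED_NL = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.surfnet.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">SURFnet</mdui:DisplayName>
        <mdui:Keywords xml:lang="en">netherlands surf</mdui:Keywords>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.zuyd.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="nl">Hogeschool Zuyd</mdui:DisplayName>
        <mdui:Keywords xml:lang="nl">zuyd limburg</mdui:Keywords>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

ENTRIES = to_discovery_entries(FEED_NO, "NO") + to_discovery_entries(FEED_NL, "NL")

if __name__ == "__main__":
    print(search(ENTRIES, "", user_country="NL"))                      # Dutch IdPs first
    print(search(ENTRIES, "", "NL", remembered="https://idp.feide.example/idp"))
    print(search(ENTRIES, "hog zu"))                                   # incremental match
```

The ranking tuple is the whole "memory + geo + search" story in one place: a remembered choice beats everything, the user's own country comes next, and only then does the alphabet decide, which is what keeps a list of thousands usable.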

Page 10

Interoperability

› No chance whatsoever to test all interconnected SPs and IdPs.
› We need to establish a reliable harmonization of deployment configurations of SAML entities.
› Interoperability issues are not seen by operators, but by real end-users. In general, the error messages SAML products show users are far from user-friendly.
› The metadata format is not sufficient to ensure a compatible configuration of two products.

Page 11

Where interoperability issues occur: SAML weak points

› Border cases (using less-used SAML elements, and less common flows)
› Single Logout
› XML Signatures
› XML Encryption
› Assertion Binding (SSL, authentication, etc.)
› Software bugs
› Error handling

Page 12

Ensuring interoperability. Take 1: Profiling

Interoperable SAML Deployment Profile [saml2int] http://saml2int.org

› Requires support for basic features, bindings and protocols
› Discourages use of non-standard features
› Harmonizes the configuration of options in SAML

Significantly decreases the chances of interoperability issues.

› Although saml2int is getting attention, it is difficult to validate configurations against it. It works more as a dispute-resolution document.

Page 13

Ensuring interoperability. Take 2: Automated Testing

› Open SP registry allowing anyone to register Service Providers they would like to test.
› Registry features a new MetadataJS editor.
› Automated SP Testing instantly runs through approx. 80 different flows with various SAML options, and reports flaws, errors and non-recommended settings.
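The previous slide noted that saml2int is hard to validate configurations against; this one describes a tester that reports flaws, errors and non-recommended settings for a registered SP. As an added example of the metadata-level part of such a check (not the Federation Lab tester and not a verbatim encoding of saml2int), the checker below inspects an SP's metadata for the kind of requirements a deployment profile imposes: an HTTP-POST AssertionConsumerService, TLS on every endpoint, a key the IdP can use, signed assertions being required, the transient NameID format, and a duplicate ACS index as a border case. Which of these count as errors versus warnings is an assumption for this example, and the two sample SPs (one weak, one corrected) are constructed with made-up hostnames and a placeholder certificate.

```python
"""Metadata-level checks for a SAML SP against deployment-profile-style rules.

Added example; the rule set and its error/warning split are assumptions
modelled on saml2int-type requirements, not the profile text itself.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def check_sp(metadata_xml):
    """Return a list of (level, message); level is 'error' or 'warning'."""
    findings = []
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return [("error", "no SPSSODescriptor in metadata")]
    if SAML2 not in (sp.get("protocolSupportEnumeration") or "").split():
        findings.append(("error", "SPSSODescriptor does not declare SAML 2.0 protocol support"))

    acs = sp.findall("md:AssertionConsumerService", NS)
    if not any(a.get("Binding") == POST for a in acs):
        findings.append(("error", "no AssertionConsumerService with the HTTP-POST binding"))
    seen_index = set()
    for a in acs:
        if a.get("Binding") == ARTIFACT:  # a less-used binding: classic border case
            findings.append(("warning", f"HTTP-Artifact ACS at {a.get('Location')} is rarely "
                                        "interoperable; not recommended"))
        if a.get("index") in seen_index:
            findings.append(("error", f"duplicate AssertionConsumerService index {a.get('index')}"))
        seen_index.add(a.get("index"))

    for ep in acs + sp.findall("md:SingleLogoutService", NS):
        if not (ep.get("Location") or "").startswith("https://"):
            findings.append(("error", f"endpoint not protected by TLS: {ep.get('Location')}"))

    if sp.find("md:KeyDescriptor", NS) is None:
        findings.append(("warning", "no KeyDescriptor: IdPs cannot encrypt assertions to this SP "
                                    "or verify its signed requests"))
    if (sp.get("WantAssertionsSigned") or "").lower() != "true":
        findings.append(("warning", "WantAssertionsSigned is not true; signed assertions should be required"))
    formats = [(f.text or "").strip() for f in sp.findall("md:NameIDFormat", NS)]
    if formats and TRANSIENT not in formats:
        findings.append(("warning", "NameIDFormat list omits the transient format"))
    return findings


# Constructed sample: the weak configuration and its corrected counterpart.
SP_WEAK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.weak.example/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      Location="http://sp.weak.example/acs"/>
    <md:AssertionConsumerService index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      Location="https://sp.weak.example/acs2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SP_GOOD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.good.example/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
    WantAssertionsSigned="true">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.good.example/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, xml_text in (("weak", SP_WEAK), ("good", SP_GOOD)):
        print(name)
        for level, message in check_sp(xml_text) or [("ok", "no findings")]:
            print(f"  {level}: {message}")
```

Metadata checks like these are cheap and catch the configuration mistakes operators never see themselves; they complement, rather than replace, running real login flows against the SP, which is where signature, encryption and Single Logout problems surface.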

Page 14

Registry with MetaeditJS

Demo URL: https://fed-lab.org/simplesaml-register/module.php/metaedit2/?

Page 16

Revising saml2int based upon experience

[Slide diagram: three inputs feeding the saml2int Revisions]
› Experiences from testing various products through the Tester
› Experiences from cross-federation projects
› Experiences from Kantara Interoperability Matrix Testing

Page 17

Test-suite of Identity Providers

Registered Service Providers should be able to access a feed of test Identity Providers running various SAML software.

Will be set up to facilitate DiscoJuice for discovery soon(!)

› Feide OpenIdP
› Federation Lab OpenIdP
› ProtectNetwork IdP
› TestShib

We want more Identity Providers! Please!

Page 18

Useful tools: Web-based debugger

Page 19

Useful tools: Firefox plugin

Page 20

Best Practice Documents

› Single Logout
› De-Provisioning
› Monitoring and diagnostics (soon)

Page 21

Tools to come

› Automated Testing of Identity Providers (service)
› Metadata validation service (service)
› Federation Provisioning Engine (software)

› Official releases of software and libraries:
  › Firefox plugin: SAMLtracer
  › DiscoJuice
  › SAMLmetaJS

Page 22

Thanks

http://rnd.feide.no