OpenAthens SP:
Technical Overview

Topics
• The shape and significance of new identity
architectures
• The benefits of OpenAthens SP
• Walk-through demo

The OpenAthens premise
Identity standards are maturing and will
play an essential part in modern web
applications...
...but building practical, yet effective
architectures around them can be a
major challenge

Evolution of identity architectures
• Previously bespoke solutions, based on a variety
of technologies:
– IP authentication
– Username/password
– LDAP
– SQL
– X.509 certificates

Recent changes
• 2 significant changes in last 2-3 years directly
concerned with identity:
1) 'Federation' has become widely accepted as the
future of identity architectures
2) Standards dealing specifically with (federated)
identities have emerged
• These standards are now reaching maturity

Meanwhile...
• The web is reshaping...
• User's concept of online identity has radically
changed
• Web APIs are opening up

The identity
Threats
Identity theft
environment
Phishing
Web 2.0
SAML OpenID
Social networking
Shibboleth
Blogging Wikis
CardSpace XACML
Instant messaging
LDAP WS-*
X.509
User trends Standards/
Protocols
Browser Apache IIS
J2EE .NET PHP
Ruby on Rails
Open Source
Applications

Implications of this
• These changes have meant a bespoke approach
to identity is no longer appropriate
– Standards are too complicated for this!
• A flexible approach to identity is fundamental to
modern web applications

Where does 'identity' fit?
SOAP
Application XML
SQL
Web server Database
HTTP
TCP
Network DNS

Where does 'identity' fit?
SOAP
Application XML
SAML
WS-*
'Identity infrastructure'
OpenID
SQL
XACML Web server Database
HTTP
TCP
Network DNS

So what does this imply?
• Standards facilitate 'layering' of technologies
• People are already talking about an ‘identity
infrastructure'
• Projects addressing this now: Higgins (Eclipse),
Bandit (Novell)

Introducing OpenAthens SP...
• OpenAthens SP contributes to an identity
infrastructure in 3 ways:
1) It provides a set of software components
to support various identity standards
2) It provides the necessary 'glue' to
integrate with an application
3) It provides a supported package to
connect to communities of users

Application
SQL
Platform Audit
LDAP
SAML Shib ... Policy
IdP identity SP identity infrastructure
infrastructure
OpenAthens SP component
Existing or 3rd party component

1) Components
• OpenAthens SP comprises a set of modules
supporting
– Athens
– SAML 1.0/1.1/2.0
– Shibboleth
– OpenID
– MS information cards

2) Integration with applications
• OpenAthens SP is built on a 'data layer' – the
OpenAthens SP platform
• Abstraction
– Application interacts with the platform not
individual modules
• Support for multiple languages and platforms

3) Connecting to users
• The combination of 1) and 2) allows for pre-
packaged solutions for different communities
• OpenAthens SP is available fully supported,
currently in 2 different flavours
– Athens (inc. NHS)
– UKAMF

Application
SQL
Platform Audit
Federation
LDAP
data
SAML Shib ... Policy
SP identity infrastructure
OpenAthens SP component
Existing or 3rd party component

Examples...

Select organisation:
OpenAthens SP finds organisation in SAML metadata:

SAML response:
Platform 'exports' attributes to application:

Summary
• OpenAthens SP can:
– Connect a SP to Athens
– Connect a SP to Shibboleth identity providers in
the UK Access Management Federation
• OpenAthens SP is:
– Supported by Eduserv in the above scenarios
– Actively developing to support the latest
identity standards (eg. information cards)

Where to find out more?
• There’s more information on our website
http://www.athensams.net
• Information and live demos are available on the
stand outside
david.orrell@eduserv.org.uk