Federation Lab and OpenID Connect

OpenID Connect test facility Federation Lab.

Presented at NorduNet 2012 in Oslo, Norway.

Transcript

  • 1. Andreas Åkre Solberg (UNINETT AS), Roland Hedberg (Univ. Umeå). Federation Lab and OpenID Connect. NorduNet Conference, Oslo, Norway, September 2012
  • 2. Federation Lab
    ✤ Identity toolkit for testing, validation and debugging of identity software.
    ✤ Automated testing tool for increasing interoperability between providers and consumers with SAML and OpenID Connect.
    ✤ A GÉANT project (GN3 JRA3T2) in collaboration with Kantara Initiative and the OpenID community.
    OpenID Testing
    Commercial (Kantara Initiative) <-> Research and HE (GÉANT)
    Established (SAML) <-> Emerging (OIC)
    Nordic collaboration (UNINETT and umu.se)
    Involved in standardization
    A very important reference implementation
  • 3. Complex End-to-end Systems
    Many implementations
    This is a good thing!
    Many deployments
    Varying spec interpretation
    Really difficult
    Sub-set implementations to avoid this
    Interop issues
    Things stop working for end users.
    Who to blame? Who can fix it?! - difficult question
    Things continue to not work
    Unhappy users
    We MUST avoid this, but how?
  • 4. What causes interop issues
    ✤ Flexibility, too many options. Sub-set implementations.
    ✤ Deployment options
    ✤ Yet to be discovered software bugs
    ✤ Unclear specification
    ✤ Poor error handling
    ✤ Lack of feature negotiation, or a limited language (metadata) for expressing supported features
  • 5. Postel’s Law
    «Be strict in what you send, but generous in what you receive» Postel’s Law, 1981, RFC 793: TCP
    ✤ Will this increase interop?
    ✤ Interop issues are less likely to be detected, and may easily pass matrix testing.
  • 6. Typical Matrix Testing
    Test 4-5 products against each other.
    Validate that it is possible to configure the products to work with each other.
    Product is certified.
    Does not really ensure interop in an actual deployment.
  • 7. Profiling
    By being very explicit about how to use the protocols, interoperability increases.
    saml2int
  • 8. Automated Testing of SAML and OpenID Connect
    This is what we did with Federation Lab.
    An automated client simulates one entity while testing the other.
    Consumer <-> Provider
    Performs about 100 different test flows, and focuses on discovering things that go wrong, rather than verifying that things may work.
    Real-time testing with detailed feedback.
    Test each provider, and present results for debugging.
  • 9. Federation Lab contains a set of useful debugging tools for encoding and decoding messages.
  • 10. Automated testing of SAML Service Providers performs approx. 80 test runs with various legal and illegal message flows to verify the behaviour of software.
  • 11. Automated testing of OpenID Connect Providers tests providers, and involves an innovative engine for working with human user interaction with login screens.
  • 12. OpenID Connect. Roland Hedberg, Univ. Umeå
  • 13. How to find the ‘key’?
  • 14. Different solutions
    • SAML
      • Metadata
    • OpenID Connect
      • Dynamic discovery and registration
  • 15. Flow differences
    [Diagram: numbered message flows for SAML and OpenID Connect, side by side, between entities labelled IdP, AS, UA, OP, SP and RP.]
  • 16. Returning attributes
    • SAML
      • Static
      • Response contains 1-n assertions
    • OIC
      • Dynamic
      • Aggregated/distributed claims
  • 17. Thanks for listening. Federation Lab (beta) http://openidtest.uninett.no