About me: Andreas Åkre Solberg
› Work at UNINETT in the Feide team: the Norwegian Identity Federation for Education and Research
› Blog about identity research at http://rnd.feide.no
› Initial developer and project leader of the award-winning SAML software product SimpleSAMLphp.
› Implemented the collaboration tool Foodle: https://foodl.org
› Been part of building the Nordic cross-federation http://kalmar2.org
› Been part of the eduGAIN project, building a European cross-federation.
› Author of the Interoperable SAML Deployment Profile http://saml2int.org
› Now leading an EC-funded research project called «Identity Federations» within the GÉANT3 Programme... where we are building the «Federation Lab».
Federation Lab
› Container for useful tools, libraries, debugging, testing and validation.
› Focus on scalability, harmonization, interoperability and usability.
[Diagram: Federation Lab (http://fed-lab.org) components: Debugger, Test IdPs, Automated SP Testing, Best-Practice Guides, DiscoJuice, SAMLmetaJS, SAML Harmonization Profiles, Registry for test SPs]
Scalability: our situation
Interconnecting…
› Tens of Identity Federations
› Hundreds of Service Providers
› Thousands of Identity Providers
Dynamic metadata
The basic challenge is scalable, dynamic distribution of metadata.
Metadata aggregation
› Metadata is aggregated at federation level and at inter-federation level.
[Diagram: SPs and IdPs publish metadata to their own Federation; each Federation feeds the Cross-Federation aggregate]
Metadata challenges
Commercial vendors do not support dynamic metadata loading :( AFAIK only SimpleSAMLphp and Shibboleth support that.
Several implementations of «metadata aggregators» are popping up, and we need to harmonize them. Therefore we wrote the
› Basic Metadata Aggregation Profile, defining how an aggregator should handle border cases.
DiscoJuice architecture
[Diagram: a Service Provider (the Foodle application behind SimpleSAMLphp with its authentication sources, AS) includes the DiscoJuice <script ...> and loads a JSON feed of IdPs; the feed comes from a federation-central SimpleSAMLphp metadata aggregator exposing an MDX API, and DiscoJuice returns the user's choice to the SP through a simple JS callback]
This deployed architecture is just one example of how DiscoJuice is deployed at a demo service.
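To make the two previous slides concrete (aggregating several federations' metadata into one feed, handling border cases such as duplicate entityIDs and expired entities, and reducing the result to the IdP list a DiscoJuice-style discovery feed needs), here is an added example. It is not code from Federation Lab, SimpleSAMLphp or the Basic Metadata Aggregation Profile; the two feeds, the fixed "current time", the first-feed-wins and drop-if-expired policy, and the JSON field names are all assumptions made for this illustration.

```python
import json
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
ET.register_namespace("md", MD)
ET.register_namespace("mdui", MDUI)

# Constructed sample feeds from two fictional federations. Federation B repeats
# idp-a (with a stale SSO URL), adds idp-b and carries an already-expired entity.
FEED_A = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" Name="federation-a" validUntil="2031-01-01T00:00:00Z">
 <md:EntityDescriptor entityID="https://idp-a.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">IdP A</mdui:DisplayName></mdui:UIInfo></md:Extensions>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-a.example.org/sso"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/acs" index="0"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

FEED_B = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="federation-b" validUntil="2030-06-01T00:00:00Z">
 <md:EntityDescriptor entityID="https://idp-a.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-a.example.org/stale-sso"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp-b.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-b.example.org/sso"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://old.example.org/idp" validUntil="2020-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://old.example.org/sso"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Fixed "current time" so the run is reproducible (constructed, not the real clock).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_saml_time(value):
    """Parse the UTC xs:dateTime form ("2030-06-01T00:00:00Z") used in metadata."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def aggregate(feeds, now=NOW):
    """Merge metadata documents into one EntitiesDescriptor.

    Border-case policy (this example's assumption, not the profile's text):
    the first feed to publish an entityID wins, entities whose own validUntil
    has passed are dropped, and the aggregate's validUntil is the earliest seen.
    Returns (root element, validUntil or None, list of skip reasons).
    """
    root = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": "aggregate"})
    seen, dates, skipped = set(), [], []
    for text in feeds:
        doc = ET.fromstring(text)
        if doc.get("validUntil"):
            dates.append(parse_saml_time(doc.get("validUntil")))
        for ent in doc.iter(f"{{{MD}}}EntityDescriptor"):
            eid = ent.get("entityID")
            if ent.get("validUntil"):
                t = parse_saml_time(ent.get("validUntil"))
                if t <= now:
                    skipped.append(f"{eid}: expired at {ent.get('validUntil')}")
                    continue
                dates.append(t)
            if eid in seen:
                skipped.append(f"{eid}: duplicate, first copy kept")
                continue
            seen.add(eid)
            root.append(ent)
    valid_until = min(dates) if dates else None
    if valid_until:
        root.set("validUntil", valid_until.strftime("%Y-%m-%dT%H:%M:%SZ"))
    return root, valid_until, skipped


def entity_ids(root):
    return [e.get("entityID") for e in root.findall(f"{{{MD}}}EntityDescriptor")]


def discovery_feed(root):
    """Reduce the aggregate to the IdP list a DiscoJuice-style feed needs.
    The field names ("entityID", "title") are an assumption of this example."""
    feed = []
    for ent in root.findall(f"{{{MD}}}EntityDescriptor"):
        if ent.find(f"{{{MD}}}IDPSSODescriptor") is None:
            continue  # SPs do not belong in a discovery list
        name = ent.find(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}Extensions/{{{MDUI}}}UIInfo/{{{MDUI}}}DisplayName")
        title = name.text.strip() if name is not None and name.text else ent.get("entityID")
        feed.append({"entityID": ent.get("entityID"), "title": title})
    return feed


def run_example():
    root, _, skipped = aggregate([FEED_A, FEED_B])
    return {"entityIDs": entity_ids(root), "validUntil": root.get("validUntil"),
            "skipped": skipped, "feed": discovery_feed(root),
            "xml": ET.tostring(root, encoding="unicode")}


if __name__ == "__main__":
    result = run_example()
    print(result["xml"])
    print(json.dumps(result["feed"], indent=2))
    print("\n".join(result["skipped"]))
```

Note what the aggregate does not do: it neither verifies the XML signature on each upstream feed nor signs its own output, and a real aggregator must do both before any SP trusts the result. The shortest upstream validUntil propagating to the aggregate is the one border case that is easy to get wrong by hand, since a long-lived aggregate would silently outlive the feed it was built from.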
Interoperability
› There is no chance whatsoever of testing all interconnected SPs and IdPs.
› We need to establish a reliable harmonization of the deployment configurations of SAML entities.
› Interoperability issues are not seen by operators but by real end-users. In general, user-facing error messages in SAML products are far from user-friendly.
› The metadata format is not sufficient to ensure a compatible configuration of two products.
Where interoperability issues occur: SAML weak points
› Border cases (less-used SAML elements and less common flows)
› Single Logout
› XML Signatures
› XML Encryption
› Assertion binding (SSL, authentication, etc.)
› Software bugs
› Error handling
Ensuring interoperability, take 1: Profiling
Interoperable SAML Deployment Profile [saml2int] http://saml2int.org
› Requires support for basic features, bindings and protocols
› Discourages use of non-standard features
› Harmonizing the configuration of options in SAML significantly decreases the chances of interoperability issues.
› Although saml2int is getting attention, it is difficult to validate configurations against it. It works more as a dispute-resolution tool.
Ensuring interoperability, take 2: Automated Testing
› Open SP registry allowing anyone to register Service Providers they would like to test.
› The registry features a new MetadataJS editor.
› Automated SP Testing instantly runs through approx. 80 different flows with various SAML options, and reports flaws, errors and non-recommended settings.
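The profiling and automated-testing slides both come down to the same question: can a deployment's configuration be checked mechanically against a profile, rather than argued about after a user hits an error? The added example below is a small SP metadata linter that does the static half of that (the flow-level tests the SP tester runs need a live IdP). It is not Federation Lab's tester or the text of saml2int; the rule set is this example's reading of the kind of requirements such a profile makes, and it deliberately flags the weak points listed earlier (less-used bindings, Single Logout, missing keys for signing and encryption). The two SP metadata documents are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
B_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
B_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
B_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"


def q(tag):
    return f"{{{MD}}}{tag}"


def check_sp_metadata(xml_text):
    """Lint SP metadata against a saml2int-style deployment profile.

    Rules (assumptions of this example, not a transcription of saml2int):
    SAML 2.0 protocol support declared; at least one HTTP-POST ACS, all over
    https, with unique indexes; HTTP-Artifact flagged as a border case; a
    signing key if AuthnRequestsSigned; an encryption key recommended; SOAP
    Single Logout flagged. Returns (level, code, message) tuples; [] is clean.
    """
    out = []

    def add(level, code, msg):
        out.append((level, code, msg))

    ent = ET.fromstring(xml_text)
    if ent.tag != q("EntityDescriptor"):
        add("error", "ROOT", "root element is not md:EntityDescriptor")
        return out
    eid = ent.get("entityID", "")
    if urlparse(eid).scheme not in ("https", "http"):
        add("warning", "ENTITYID", f"entityID {eid!r} is not an http(s) URL")
    sp = ent.find(q("SPSSODescriptor"))
    if sp is None:
        add("error", "NO_SP", "no SPSSODescriptor")
        return out
    if SAML2P not in sp.get("protocolSupportEnumeration", "").split():
        add("error", "PROTO", "SPSSODescriptor does not declare SAML 2.0 protocol support")
    acs = sp.findall(q("AssertionConsumerService"))
    bindings = {a.get("Binding") for a in acs}
    if B_POST not in bindings:
        add("error", "ACS_POST", "no HTTP-POST AssertionConsumerService")
    if B_ARTIFACT in bindings:
        add("warning", "ACS_ARTIFACT", "HTTP-Artifact ACS is a less-used binding (border case)")
    for idx, n in Counter(a.get("index") for a in acs).items():
        if n > 1:
            add("error", "ACS_INDEX", f"ACS index {idx} used {n} times")
    for a in acs:
        if urlparse(a.get("Location", "")).scheme != "https":
            add("error", "ACS_TLS", f"ACS {a.get('Location')} is not https")
    uses = [k.get("use") for k in sp.findall(q("KeyDescriptor"))]  # None = both uses
    has_signing = any(u in (None, "signing") for u in uses)
    has_encryption = any(u in (None, "encryption") for u in uses)
    if sp.get("AuthnRequestsSigned") == "true" and not has_signing:
        add("error", "SIGNKEY", "AuthnRequestsSigned=true but no signing KeyDescriptor")
    if not has_encryption:
        add("warning", "ENCKEY", "no encryption KeyDescriptor; IdPs cannot encrypt assertions")
    slo = sp.findall(q("SingleLogoutService"))
    if not slo:
        add("info", "SLO_NONE", "no SingleLogoutService; logout will be SP-local only")
    for s in slo:
        if s.get("Binding") == B_SOAP:
            add("warning", "SLO_SOAP", "SOAP Single Logout needs back-channel connectivity")
    return out


def summarize(findings):
    counts = Counter(level for level, _, _ in findings)
    return {level: counts.get(level, 0) for level in ("error", "warning", "info")}


# Constructed SP metadata: one deliberately bad, one clean.
BAD_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:example:bad-sp">
 <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://sp.example.net/slo"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://sp.example.net/acs" index="0"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://sp.example.net/acs2" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

GOOD_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/sp">
 <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>sp-key-2025</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.org/slo"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/acs" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("bad", BAD_SP), ("good", GOOD_SP)):
        findings = check_sp_metadata(doc)
        print(name, summarize(findings))
        for level, code, msg in findings:
            print(f"  [{level}] {code}: {msg}")
```

Such a linter only proves what the metadata claims, which is the point made on the interoperability slide: a clean document still says nothing about whether the software behind it handles a signed LogoutRequest or an encrypted assertion correctly. That is why the registry feeds into live flow testing rather than stopping at metadata validation.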
Registry with MetaeditJS
Demo URL: https://fed-lab.org/simplesaml-register/module.php/metaedit2/?
Automated Testing: DEMO (Microsoft ADFS, SimpleSAMLphp)
Revising saml2int based upon experience
[Diagram: inputs to the saml2int revisions: experiences from testing through the Tester, experiences from various products, experiences from cross-federation projects, and Kantara Interoperability Matrix Testing]
Test-suite of Identity Providers
A registered Service Provider should be able to access a feed of test Identity Providers running various SAML software. Will be set up to facilitate DiscoJuice for discovery soon(!)
› Feide OpenIdP
› Federation Lab OpenIdP
› ProtectNetwork IdP
› TestShib
We want more Identity Providers! Please!