i4M Lab
FOSS Centres of Excellence (ΜΑ. ΕΛΛΑΚ)
ΕΛ/ΛΑΚ Open Source School: e-Identity & e-Government
(Electronic identity in Public Administration and Local Government)
UAegean Center of Excellence (CoE) – Open Source Software in Transport and Shipping
University of the Aegean
Dpt of Financial and Management Engineering & Dpt of Shipping and Transportation Services
Session: II
Stelios Lelis, i4M Lab, UAegean
Harris Papadakis, i4M Lab, UAegean
@ i-nformation M-anagement Lab
Seminar identity
The University of the Aegean, within the framework of the project Free/Open Source Software (ΕΛ/ΛΑΚ) Centres of Excellence¹, is organising a ΕΛ/ΛΑΚ Open Source School on the topic «e-Identity & e-Government (Electronic identity in Public Administration and Local Government)».
¹ The sub-project ΕΛ/ΛΑΚ Centres of Excellence is implemented within the project «Electronic Services for the Development and Dissemination of Open Source Software» of the «Digital Convergence» Programme. The project is co-funded by the ERDF.
Today, 03.11.2015
STORK2.0 Interconnection Supporting Service Architecture, Application Protocol Interfaces, hands-on experience
16:00 - 20:00, 4 hours
Stelios Lelis
Charalampos Papadakis
Online tools and more
• Basic reference for the course material
  https://openeclass.aegean.gr/courses/OPENSOURCE102/
• Contact
  seminar e-mailing list: e-identity-iss-community@googlegroups.com
• ISS code repository
  https://github.com/adanar/SSS-2.0
• Teaching and coordination team
  Stelios Lelis
  Harris Papadakis
  Petros Kavassalis
STORK2.0 INTERCONNECTION SUPPORTING SERVICE ARCHITECTURE, APPLICATION PROTOCOL INTERFACES, HANDS-ON EXPERIENCE
Session II
Session II: agenda
• Security Assertion Markup Language (SAML)
• ISS Architecture - APIs
• ISS Hands-on Experience
SAML – Security Assertion Markup Language
• An XML-based, open-standard data format for exchanging authentication and authorization data between parties.
• Parties (IdPs, SPs, PEPSes, etc.) exchange SAML documents that contain SAML assertions.
• A SAML assertion contains a packet of security information: “Assertion A was issued at time t by issuer R regarding subject S, provided conditions C are valid.”
• On the basis of assertions, SPs make access control decisions – in other words, an SP decides whether to give the user access to the service.
• SAML documents are signed, and their origin is cross-checked against the circle of trust.
SAML Assertion Statements
• Assertions contain three types of statements
• Authentication statements
  o Assert to the SP that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication
• Attribute statements
  o Assert that a subject is associated with certain attributes
• Authorization decision statements
  o Assert that a subject is permitted to perform action A on resource R given evidence E (intentionally limited)
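The two slides above describe what an assertion says (issuer R, subject S, conditions C, the statements inside it) and that the SP decides on its basis. The following is an added example, not code from the ISS repository or the STORK SAML engine: it shows the checks an SP has to run on a received assertion before it may act on it (issuer in the circle of trust, validity window with clock skew, audience, and extraction of the authentication and attribute statements). The assertion document, the host names and the attribute names are constructed for the example; XML signature verification, which must happen before these checks, is out of scope of the block and is only mentioned in a comment.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Added example, not part of the ISS code: the checks an SP runs on an assertion before trusting it. */
public class AssertionCheck {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample assertion (hosts and attribute names are made up): issued by R about subject S
    // under conditions C, with one authentication statement and one attribute statement.
    static final String SAMPLE =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" Version=\"2.0\" ID=\"_a1\" IssueInstant=\"2015-11-03T16:00:00Z\">"
      + "<saml:Issuer>https://peps.example.test/</saml:Issuer>"
      + "<saml:Subject><saml:NameID>S</saml:NameID></saml:Subject>"
      + "<saml:Conditions NotBefore=\"2015-11-03T15:59:00Z\" NotOnOrAfter=\"2015-11-03T16:05:00Z\">"
      + "<saml:AudienceRestriction><saml:Audience>https://sp.example.test/</saml:Audience></saml:AudienceRestriction>"
      + "</saml:Conditions>"
      + "<saml:AuthnStatement AuthnInstant=\"2015-11-03T16:00:00Z\"><saml:AuthnContext>"
      + "<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>"
      + "</saml:AuthnContext></saml:AuthnStatement>"
      + "<saml:AttributeStatement>"
      + "<saml:Attribute Name=\"http://attributes.example.test/eIdentifier\"><saml:AttributeValue>GR/GR/000123</saml:AttributeValue></saml:Attribute>"
      + "<saml:Attribute Name=\"http://attributes.example.test/givenName\"><saml:AttributeValue>Maria</saml:AttributeValue></saml:Attribute>"
      + "</saml:AttributeStatement></saml:Assertion>";

    /** Namespace-aware parser with DTDs disabled, so a crafted document cannot pull in external entities. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Direct SAML child element by local name; deliberately not a descendant search. */
    static Element child(Element parent, String local) {
        if (parent == null) return null;
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && SAML_NS.equals(n.getNamespaceURI()) && local.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    static String text(Element e) { return e == null ? null : e.getTextContent().trim(); }

    /** Returns the asserted attributes if the assertion is acceptable for 'audience' at 'now', else throws. */
    static Map<String, String> check(String xml, Set<String> trustedIssuers, String audience, Instant now)
            throws Exception {
        Element a = parse(xml).getDocumentElement();
        // Issuer R must belong to the circle of trust. The XML signature that binds the document to R
        // must already have been verified at this point (signature verification is not shown here).
        String issuer = text(child(a, "Issuer"));
        if (issuer == null || !trustedIssuers.contains(issuer)) {
            throw new SecurityException("untrusted issuer: " + issuer);
        }
        // Conditions C: validity window, allowing one minute of clock skew between issuer and SP.
        Element cond = child(a, "Conditions");
        if (cond == null) throw new SecurityException("assertion carries no Conditions");
        Duration skew = Duration.ofSeconds(60);
        Instant notBefore = Instant.parse(cond.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(cond.getAttribute("NotOnOrAfter"));
        if (now.plus(skew).isBefore(notBefore) || !now.minus(skew).isBefore(notOnOrAfter)) {
            throw new SecurityException("assertion outside its validity window");
        }
        // Audience: the assertion must be addressed to this SP, not replayed from another one.
        Element restriction = child(cond, "AudienceRestriction");
        if (restriction == null || !audience.equals(text(child(restriction, "Audience")))) {
            throw new SecurityException("assertion not addressed to " + audience);
        }
        // Authentication statement: record how the principal authenticated (input for QAA mapping).
        Element authn = child(a, "AuthnStatement");
        if (authn == null) throw new SecurityException("no authentication statement");
        Map<String, String> result = new HashMap<>();
        result.put("authnContext", text(child(child(authn, "AuthnContext"), "AuthnContextClassRef")));
        // Attribute statement: the name/value pairs that the PAL will carry to the SP.
        Element attrStmt = child(a, "AttributeStatement");
        NodeList attrs = attrStmt == null ? null : attrStmt.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; attrs != null && i < attrs.getLength(); i++) {
            Element e = (Element) attrs.item(i);
            result.put(e.getAttribute("Name"), text(child(e, "AttributeValue")));
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        Set<String> trusted = Set.of("https://peps.example.test/");
        String sp = "https://sp.example.test/";
        System.out.println(check(SAMPLE, trusted, sp, Instant.parse("2015-11-03T16:01:00Z")));
        try {
            check(SAMPLE, trusted, sp, Instant.parse("2015-11-03T17:00:00Z"));   // stale: window closed an hour ago
        } catch (SecurityException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The order matters: a document whose signature has not been verified must not reach these checks, and a document whose issuer is not in the circle of trust must not reach the condition checks, because every later check reads data the issuer controls.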
SAML Protocols
• A SAML protocol describes how certain SAML elements (including assertions) are packaged within SAML request and response elements, and gives the processing rules that SAML entities must follow when producing or consuming these elements.
• The SAML protocol is a simple request-response protocol
  o Authentication Query – Authentication Response
  o Attribute Query – Attribute Response
  o Authorization Decision Query – Authorization Decision Response
SAML Bindings
• A SAML binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols.
• SAML SOAP Binding
  o specifies how a SAML message is encapsulated in a SOAP envelope, which itself is bound to an HTTP message
• Reverse SOAP (PAOS) Binding
• HTTP Redirect (GET) Binding
• HTTP POST Binding
  o specifies how a SAML message is posted to the party, i.e. carried in the body of an HTTP POST request
• HTTP Artifact Binding
• SAML URI Binding
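The slide lists the bindings by name only. As an added example, not code from the ISS or the STORK SAML engine, the block below shows how the two bindings the Supporting Service relies on for browser redirection carry a message: HTTP Redirect (raw DEFLATE, then base64, then URL-encoding into a query parameter) and HTTP POST (base64 in a form field). The message is a constructed placeholder rather than a full AuthnRequest. The decoder caps the inflated size, because a receiver that inflates untrusted input without a bound can be made to allocate far more memory than the few kilobytes a SAML message needs.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/** Added example (not ISS code): how the HTTP Redirect and HTTP POST bindings carry a SAML message. */
public class SamlBindings {
    // Constructed placeholder; a real message is a complete AuthnRequest/Response document.
    static final String MESSAGE =
        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_r1\" Version=\"2.0\"/>";

    /** HTTP Redirect: raw DEFLATE, base64, URL-encode; the result is the SAMLRequest query parameter. */
    static String encodeRedirect(String xml) {
        Deflater d = new Deflater(Deflater.DEFAULT_COMPRESSION, true);   // nowrap = raw DEFLATE, no zlib header
        d.setInput(xml.getBytes(StandardCharsets.UTF_8));
        d.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!d.finished()) out.write(buf, 0, d.deflate(buf));
        d.end();
        return URLEncoder.encode(Base64.getEncoder().encodeToString(out.toByteArray()), StandardCharsets.UTF_8);
    }

    /** HTTP POST: the message is base64-encoded as-is and sent in a SAMLRequest/SAMLResponse form field. */
    static String encodePost(String xml) {
        return Base64.getEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8));
    }

    /** Decode a Redirect-binding parameter, refusing to inflate beyond maxBytes (decompression-bomb guard). */
    static String decodeRedirect(String param, int maxBytes) throws Exception {
        // A servlet container normally URL-decodes the parameter already; here we do it explicitly.
        byte[] raw = Base64.getDecoder().decode(URLDecoder.decode(param, StandardCharsets.UTF_8));
        Inflater inf = new Inflater(true);
        inf.setInput(raw);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!inf.finished()) {
            int n = inf.inflate(buf);
            if (n == 0 && (inf.needsInput() || inf.needsDictionary())) break;   // truncated or malformed input
            out.write(buf, 0, n);
            if (out.size() > maxBytes) {
                inf.end();
                throw new SecurityException("inflated SAML message exceeds " + maxBytes + " bytes");
            }
        }
        inf.end();
        return out.toString(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String redirectParam = encodeRedirect(MESSAGE);
        System.out.println("GET  ...?SAMLRequest=" + redirectParam);
        System.out.println("POST SAMLRequest=" + encodePost(MESSAGE));
        String roundTrip = decodeRedirect(redirectParam, 64 * 1024);
        System.out.println("round trip ok: " + MESSAGE.equals(roundTrip));
    }
}
```

Whichever binding is used, the encoding carries no integrity on its own: the Redirect binding signs the query string separately (the Signature/SigAlg parameters), and the POST binding relies on the XML signature inside the document, so the decoder's output is still untrusted input until that signature has been verified.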
STORK2.0 SAML Protocol
• Extension of the standard SAML2.0 protocol
• Mandatory QAA Level (Quality Authentication Assurance)
• Optional eIDSectorShare, eIDCrossSectorShare, eIDCrossBorderShare (whether an eID can be shared)
• Optional <RequestedAttributes> element to allow additional STORK attributes to be requested
• Additional attributes necessary for processing the authentication
STORK SAML Example, Part I [figure: sample STORK SAML document, not reproduced in the text]
STORK SAML Example, Part II [figure, not reproduced in the text]
STORK SAML Example, Part III [figure, not reproduced in the text]
STORK2.0 PAL – Personal Attribute List
• Simple object representation of the attribute information transferred through SAML documents
• Used internally at PEPS, Demo SP, Demo AP and ISS
• Methods for setting and getting attributes
  o public PersonalAttribute put(final String key, final PersonalAttribute val)
  o public void add(final PersonalAttribute value)
  o public PersonalAttribute get(final Object key)
  o IPersonalAttributeList getMandatoryAttributes() …
• PersonalAttribute: representation of an attribute
  o Fields: name, value, complexValue, required, status, friendlyName
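The slide names the PAL accessors and the PersonalAttribute fields but not how they are used across the lifecycle. The block below is an added sketch, not the STORK or ISS classes: it implements the listed methods over the listed fields and adds a completeness check (missingMandatory) of the kind Step 4 needs before the PAL is handed on to the SP. The attribute names, the status strings "Available"/"NotAvailable" and the sample values are constructed for the example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added sketch (not the STORK code) of the PAL with the accessors listed on the slide. */
public class PersonalAttributeList {
    private final Map<String, PersonalAttribute> attrs = new LinkedHashMap<>();

    public PersonalAttribute put(final String key, final PersonalAttribute val) { return attrs.put(key, val); }
    public void add(final PersonalAttribute value) { attrs.put(value.name, value); }
    public PersonalAttribute get(final Object key) { return attrs.get(key); }
    public Iterable<String> names() { return attrs.keySet(); }

    /** The subset of attributes the SP marked as required in its request. */
    public PersonalAttributeList getMandatoryAttributes() {
        PersonalAttributeList out = new PersonalAttributeList();
        for (PersonalAttribute a : attrs.values()) if (a.required) out.add(a);
        return out;
    }

    /** Mandatory attributes that came back without a usable value; such a PAL must not be passed to the SP. */
    public List<String> missingMandatory() {
        List<String> missing = new ArrayList<>();
        for (PersonalAttribute a : getMandatoryAttributes().attrs.values()) {
            if (!a.hasValue() || !"Available".equals(a.status)) missing.add(a.name);
        }
        return missing;
    }

    public static void main(String[] args) {
        // Step 1: the PAL built from the SP's request holds names and required flags, no values yet.
        PersonalAttributeList pal = new PersonalAttributeList();
        pal.add(new PersonalAttribute("eIdentifier", true, "eID"));
        pal.add(new PersonalAttribute("givenName", true, "First name"));
        pal.add(new PersonalAttribute("dateOfBirth", false, "Birth date"));
        // Step 4: values decoded from the STORK response are filled in (constructed sample values).
        pal.get("eIdentifier").value.add("GR/GR/000123");
        pal.get("eIdentifier").status = "Available";
        pal.get("givenName").status = "NotAvailable";       // the IdP did not release this attribute
        System.out.println("mandatory requested: " + pal.getMandatoryAttributes().names());
        System.out.println("missing mandatory:   " + pal.missingMandatory());
    }
}

/** The attribute shape named on the slide: name, value, complexValue, required, status, friendlyName. */
class PersonalAttribute {
    final String name;
    final boolean required;
    final String friendlyName;
    List<String> value = new ArrayList<>();                    // simple (possibly multi-valued) values
    Map<String, String> complexValue = new LinkedHashMap<>();  // structured values, e.g. address parts
    String status;                                             // assumed values: "Available" / "NotAvailable"

    PersonalAttribute(String name, boolean required, String friendlyName) {
        this.name = name;
        this.required = required;
        this.friendlyName = friendlyName;
    }

    boolean hasValue() { return !value.isEmpty() || !complexValue.isEmpty(); }
}
```

Run as `java PersonalAttributeList.java`; the second line of output lists givenName, the required attribute that came back without a value.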
Session II: agenda
• Security Assertion Markup Language (SAML)
• ISS Architecture - APIs
• ISS Hands-on Experience
Struts 2.0 framework
• Supporting Service 2.0 is a Struts 2.0-based web application
• Struts 2.0 is a pull-MVC framework based on Actions. Actions have trigger points and result actions.
• Example:
  <action name="ValidateToken" class="eu.stork.ss.specific.json.RetrieveDummySP">
    <result name="success" type="redirectAction">
      <param name="actionName">CountrySelector</param>
    </result>
    <result name="error">/errorPage.jsp</result>
  </action>
• action name: name of the action; part of the trigger URL (http://server/webapp/ValidateToken)
• class: the class whose execute method is run when the action is triggered
• result name: what happens on success and on failure
  o success: automatic Struts redirect-to-action trigger
  o error: display a JSP page
Supporting Service operation lifecycle
• <!-- Step1: Validate token, create session and set token -->
  <action name="ValidateToken" class="eu.stork.ss.specific.json.RetrieveDummySP">
    <result name="success" type="redirectAction"><param name="actionName">CountrySelector</param></result>
    <result name="error">/errorPage.jsp</result>
  </action>
• <!-- Step3: Validate user selection and create SAML (session must contain TOKEN and PAL) -->
  <action name="ValidateSelection" class="eu.stork.ss.ValidateSelection">
    <result name="success">/samlRedirect.jsp</result>
    <result name="error">/errorPage.jsp</result>
  </action>
• Configuration (properties file): SP return URL
  # SP return url
  sp.return=https://stork2.atlantis-group.gr/SP/ServiceRedirect
• <!-- Step4: Validate SAML, save values to PAL (session must contain TOKEN and PAL) -->
  <action name="ServiceRedirect" class="eu.stork.ss.ServiceRedirect">
    <result name="success" type="chain"><param name="actionName">ReturnToken</param></result>
    <result name="error">/redirect.jsp</result>
  </action>
• <!-- Step5: Provided a PAL we save the values and redirect to the SP -->
  <action name="ReturnToken" class="eu.stork.ss.specific.json.SaveDummySP">
    <result name="success">/tokenRedirect.jsp</result>
    <result name="error">/errorPage.jsp</result>
  </action>
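The Struts slide explains that an action class's execute method runs when the action URL is triggered and returns a result name, and the lifecycle comments above repeat that Steps 3 to 5 require the session to contain TOKEN and PAL. The block below is an added example, not the ISS action classes: a hypothetical base action that enforces that precondition once, so that a later step reached directly by URL (every Struts action has a trigger URL) is refused with the "error" result instead of running on an empty session, plus a Step 1 style action that validates the token's form before seeding the session. Session keys, the token format and the Struts 2.x SessionAware/ActionSupport API usage are assumptions of the example.

```java
import java.util.Map;
import java.util.regex.Pattern;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

/**
 * Added example, not the ISS code. Base action enforcing the lifecycle precondition
 * "session must contain TOKEN and PAL" before a later step's work runs.
 * Session keys are assumptions for illustration.
 */
public abstract class SessionStateAction extends ActionSupport implements SessionAware {
    public static final String TOKEN_KEY = "TOKEN";
    public static final String PAL_KEY = "PAL";
    protected Map<String, Object> session;

    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }

    /** The step's own work (build the SAML request, decode the response, ...), run only when the precondition holds. */
    protected abstract String doExecute() throws Exception;

    @Override
    public String execute() {
        // Steps 3-5 have trigger URLs like any action; refuse them unless Step 1 ran in this session.
        if (session == null || !(session.get(TOKEN_KEY) instanceof String) || session.get(PAL_KEY) == null) {
            addActionError("No TOKEN/PAL in session; the flow must start at ValidateToken.");
            return ERROR;                      // struts.xml maps "error" to /errorPage.jsp
        }
        try {
            return doExecute();
        } catch (Exception e) {
            // Log e server-side; the error page the user sees carries no stack trace or internals.
            addActionError("Request could not be processed.");
            return ERROR;
        }
    }
}

/** Step 1 in the same style: check the SP token's form, then seed the session for the later steps. */
class ValidateTokenAction extends ActionSupport implements SessionAware {
    private static final Pattern TOKEN_FORM = Pattern.compile("[A-Za-z0-9_-]{16,128}"); // assumed token format
    private Map<String, Object> session;
    private String token;                                   // bound by Struts from the ?token= request parameter

    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setToken(String token) { this.token = token; }

    @Override
    public String execute() {
        if (token == null || !TOKEN_FORM.matcher(token).matches()) {
            addActionError("Malformed token");
            return ERROR;
        }
        session.put(SessionStateAction.TOKEN_KEY, token);
        session.put(SessionStateAction.PAL_KEY, new Object()); // stands in for the PAL built from the SP's data
        return SUCCESS;                                        // struts.xml: redirectAction -> CountrySelector
    }
}
```

A concrete step then extends SessionStateAction and implements only doExecute; the struts.xml mappings on the slide stay as they are, since the base class returns the same "success"/"error" result names.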
Step1: Validate token, create session and set token
• Action Name: ValidateToken
• Abstract action class: eu.stork.ss.RetrievePersonalAttributeList
• Specific class: eu.stork.ss.specific.xx.RetrieveDummySP
• Method of interest: IPersonalAttributeList retrievePersonalAttributeList(String token)
  o Retrieve configuration information
  o Perform SP communication and retrieve the requested attributes
  o Construct the corresponding PAL
• Let’s look into the code!
Step3: Validate user selection and create SAML
• Action Name: ValidateSelection
• Action class: eu.stork.ss.ValidateSelection
• Constructs the Authentication Request (main class representing a request to the STORK service)
• Uses the STORK SAML engine to encode the PAL into the SAML document
• Retrieves the PEPS URL from the configuration file
• Sends the request to PEPS (STORK) through user redirection (samlRedirect.jsp)
Step4: Validate SAML, save values to PAL
• Action Name: ServiceRedirect
• Action class: eu.stork.ss.ServiceRedirect
• Receives the SAML document that contains the reply from STORK
• Checks whether the response contains an error code
• Otherwise, decodes the document, retrieving all necessary information, especially the PAL
• The PAL now also contains the requested attribute values
Step5: Provided a PAL we save the values and redirect to the SP
• Action Name: ReturnToken
• Abstract action class: eu.stork.ss.SavePersonalAttributeList
• Specific class: eu.stork.ss.specific.xx.SaveDummySP
• Method of interest: String savePersonalAttributeList(String token, IPersonalAttributeList pal)
  o Constructs the SP request message from the PAL
  o Performs the necessary communication with the SP
  o Retrieves the SP reply
  o Redirects the user to the corresponding URL (success or failure)
• Let’s look into the code!
Session II: agenda
• Security Assertion Markup Language (SAML)
• ISS Architecture - APIs
• ISS Hands-on Experience
ISS Code…
Thank You
• Stelios Lelis
• Harris Papadakis
• Tomorrow, 05 November 2015 @ 16:00
• «Assignments Presentation»