The GÉANT Federation Lab project presented at a Kantara Initiative Telecommunication ID Work Group meeting at the Telenor offices, Oslo, Norway.

1. Federation Lab
https://fed-lab.org
Andreas Åkre Solberg
UNINETT
andreas@uninett.no

2. About Solberg
Andreas Åkre
Me
› Work at UNINETT in the Feide team:
the Norwegian Identity Federation for Education and Research
› Blog about Identity research at http://rnd.feide.no
› Initial developer and project leader of
the award-winning SAML software product SimpleSAMLphp.
›!Implemented the collaboration tool Foodle: https://foodl.org
› Been part of building the nordic cross-federation http://kalmar2.org
› Been part of the eduGAIN project - building an European cross-federation.
› Author of the Interoperable SAML Deployment Profile http://saml2int.org
› Now leading an EC-funded research project called «Identity Federations»
within the GÉANT3 Programme.
... where we are building the «Federation Lab».

3. Federation Lab
› Container for useful tools, libraries, debugging, testing and validation.
› Focus on scalability, harmonization, interoperability and usability.
Federation Lab
http://fed-lab.org
Debugger Test IdPs Automated Best-Practice
SP Guides
Testing
DiscoJuice SAMLmetaJS SAML Harmonization
Registry Profiles
for test SPs

4. Scalability: our situation
Interconnecting…
› Tens of Identity Federations
› Hundreds of Service Providers
› Thousands of Identity Providers

5. Dynamic metadata
Basic challenge is about getting scalable dynamic metadata
distribution.
Metadata aggregation
› Metadata is aggregated at federation level and at inter-
federation level.
Cross-
Federation
Federation Federation
SP IdP SP IdP

6. Metadata Challenges
Commercial vendors does not support dynamic metadata
loading :(
AFAIK only SimpleSAMLphp + Shibboleth supports that.
Several implementations of «Metadata aggregators» pops up, and
we need to harmonize these. Therefore we wrote the
› Basic Metadata Aggregation Profile
defining how an aggregatro should handle border-cases.

7. UI Scalability
Foodle Versjon 3.2 ∘ les nyheter om Foodle... ∘ meld deg på foodle sin e-postliste
The user must be asked before logging in,
Foodle forside
Sign in to Foodle
Select your Provider
where to login. – If there are thousands of Feide
HjelpBrukerinnstillingerLogg inn
English | Bokmål | Nynorsk | Dansk | Svenska | Suomeksi | Nederlands | Français | Deutsch | Español | Sloven!"ina | #e!tina | Hrvatski
alternative answers, making intuitive UI is
Brukere i norske
utdanningsinstitusjoner
Velkommen til Foodle
not trivial. Attempts so far, has failed. Protect Network
Foodle er en tjeneste for enkle spørreundersøkelser eller meningsmålinger og for å bestemme en møtedato If youpasser for alle. institutional
som do not have an
account, register here.
Du er ikke logget inn.
Feide OpenIdP
Lag en ny Foodle
If you do not have an institutional account,
register here.
Statusoppdateringer
TERENA Secretariat
DiscoJuice
Statistikk Terena offices Netherlands
Foodle har blitt besvart 103 ganger i løpet av de siste 7 dagene. SURFnet BV
Mer informasjon Twitter
version 1.0
Programvaren Foodle GEANT GIdP for Homeless
Personvern i Foodle
Feide RnD blogg Centraal bureau voor Schimmelcultures
(KNAW)
Du er ikke logget inn. Bureau (KNAW) my provider
Help me, I cannot find
Hogeschool van Arnhem en Nijmegen
Show providers in Netherlands
Hogeschool Zuyd
Show all providers
DiscoJuice © 2011, UNINETT
Official launch at TNC2011 in May

8. DiscoJuice
› Local Memory (cookie)
› Remote Memory (DiscoReadWrite protocol + IdP Discovery)
› Javascript only, super simple to deploy
› DiscoJuiceJSON compact UI-focused Metadata format
(MDUI friendly)
› Presents logos, searchable keywords, name, descr, country...
› Automatically discovery of country
› HTML5 Geo-location API
› Gracefull non-javascript fallback
› Inline incremental search
› Flexible integration API using JS callbacks.
› Protocol agnostics, demoed with alternative protocols.

9. DiscoJuice Architecture
Service Provider Federation - central
AS AS AS
SP SimpleSAMLphp SimpleSAMLphp
MDX
API Service Provider Metadata aggregator
AS
Application
Foodle
js callback
simple DiscoJuiceJSON
<script ...> DiscoJuice
reference
This deployed architecture is just one example of how DiscoJuice is deployed at a demo service

10. Interoperability
› No chance whatsoever to test all interconnected SPs and IdPs.
› We need to establish a reliable harmonization of deployment
configurations of SAML entities.
› Interoperability issues are not seen by operators, but by real
end-users. In general user error messages in SAML products are
far from userfriendly.
› The metadata format is not sufficient to ensure a compatible
configuration of two products.

11. Where interoperability issues occur
SAML weak points
› Border cases (using less-used SAML elements, and less
common flows)
› Single Logout
› XML Signatures
› XML Encryption
› Assertion Binding (SSL, authentication, etc)
› Software bugs
› Error handling

12. Ensuring interoperability
Take 1: Profiling
Interoperable SAML Deployment Profile [saml2int]
http://saml2int.org
› Requires support for basic features, bindings and protocols
› Discourage use of non-standard features
› Harmonizing configuration of options in SAML
Significantly decreases the chances of interoperability issues.
› Although saml2int is getting attension, it is difficult to validate
configurations. Working more as a dispute resolution.

13. Ensuring interoperability
Take 2: Automated Testing
› Open SP registry allowing anyone to register Service
Providers they would like to test.
› Registry features a new MetadataJS editor.
› Automated SP Testing instatly runs through approx 80
different flows with various SAML options, and reports flaws,
errors and non-reccomended settings.

14. Registry with MetaeditJS
Demo URL
https://fed-lab.org/simplesaml-register/module.php/metaedit2/?

15. Automated Testing
DEMO DEMO
Microsoft ADFS SimpleSAMLphp

16. Revising saml2int
based upon experience
Experiences from testing Experiences from Experiences from
various products cross-federation Kantara Interoperabilty
through the Tester projects Matrix Testing
saml2int
Revisions

17. Test-suite of Identity Providers
Registered Service Provider shoud be able to access a feed of
test Identity Providers running various SAML software.
Will be setup to fascilitate DiscoJuice for discovery soon(!)
› Feide OpenIdP
›!Federation Lab OpenIdP
› ProtectNetwork IdP
› TestShib
We want more Identity Providers!
Please!

18. Useful tools: Web-based debugger

19. Useful tools: Firefox plugin

20. Best Practice Documents
› Single Logout
› De-Provisioning
› Monitoring and diagnostics (soon)

21. Tools to come
› Automated Testing of Identity Providers (service)
› Metadata validation service (service)
› Federation Provisioning Engine (software)
› Official realeases of software and libriaries:
› Firefox plugin: SAMLtracer
› DiscoJuice
›!SAMLmetaJS

22. Thanks
http://rnd.feide.no