
SAML 2.0 for Identity Management in Danish Public Sector

Learn about the adoption of SAML 2.0 as the standard for identity management in the Danish public sector, its benefits, and the challenges faced in creating a coherent and flexible identity infrastructure.


Presentation Transcript


  1. The Role of SAML for Identity Management in the Danish Public Sector. OASIS Adoption Forum, London, 28th November 2006. Ministry of Science, Technology and Innovation, National IT and Telecom Agency. IT Architect Søren Peter Nielsen

  2. Agenda • A few facts about Denmark • Motivations for choosing SAML 2.0 • Current status and initiatives

  3. Denmark - the Fundamentals • 5.5 million inhabitants and one of the richest and most equal countries in the world • Four levels of government with divided responsibility for tasks – both horizontal and vertical (EU, central government, counties (14), municipalities (268)) • Ongoing major structural reform – fewer regions, larger municipalities • Public sector makes up 1/3 of the workforce • Consensus culture in a multiparty system • Has a PKI infrastructure with > 700,000 issued certificates to citizens and public/private employees

  4. Danish e-Government Maturity Denmark has been number one in e-Readiness for the last three years according to the Economist Intelligence Unit and The IBM Institute for Business Value 2005

  5. Recent government decisions – April & June 2006 • General e-Government in Denmark: • In 2012 all relevant written communication between companies, citizens and the public sector should be electronic. • Open Standards: • The Danish Parliament obliges the government to ensure that the use of IT is based on open standards. • The government is required to maintain a set of open standards (January 2008). • A comply-or-explain requirement for the authorities to use open standards in new solutions. • After January 2008 open standards should be the foundation for the development and procurement of IT, to ensure competition.

  6. Danish e-Government so far has been through a Decentralized Approach E-Government services are delivered by many different organizations

  7. To give citizens and businesses ”one-stop” access to a de-centralized public sector, an underlying coherent identity infrastructure is required. To avoid prescribing usage of certain products, this identity infrastructure must be based on open standards. SAML 2.0 has become the "standard-of-choice" for governments deploying a wide variety of identity-based services. This presentation will explain the Danish reasons for choosing SAML 2.0.

  8. Creating a coherent, secure, robust, effective and flexible public sector identity infrastructure is like eating an elephant • One bite at a time

  9. Important Goals for the First ”Bite of Work” • Support the ability of different authorities to use a shared login service • Single Sign-On (SSO) • Establish a structure that can be the basis for exchanging authorisation information between independent organisations • Embrace the use of different mechanisms for - and levels of - authentication

  10. Resulting Reference Architecture for Cross-organizational Single Sign On • Approved by the Danish Government IT Architecture Committee after public hearing in Autumn 2005 • Includes recommendations about • Levels of Authentication • Core user identity attributes • Unique key to link user accounts • Conceptual Architecture is adopted from the US Federal e-Authentication initiative • SAML 2.0 is the recommended federation standard (diagram: ”Portal”, Identity Provider (IdP), Service Provider (SP))

  11. SAML 2.0 is the recommended standard for federation in the Danish public sector • Approved by IT Architecture committee in April 2005 • Reconfirmed in March 2006 together with decision to work for convergence among the different federation standards/specifications • Choice of SAML 2.0 validated by Gartner in October 2006 report

  12. Basis for Recommending SAML 2.0 • Based on an evaluation of • Functionality according to requirements • Support for the standard in commercially available products • Usage of SAML in other public sector solutions • Statements from research and analyst companies • Ratified open standard • ”Composability” with other ratified standards like XACML and SPML • Future development of the standard • Availability of 3rd party Interop Testing/Certification

  13. Challenges of having competing standards - The question is • Should federation be considered an integration technique that is used to allow several organisations to share a limited set of applications? – or – • Should federation be considered an underlying necessary infrastructure to allow citizens, businesses and authorities to collaborate broadly? Can we fulfill the goals in the EU eGovernment i2010 action plan without taking the infrastructure perspective?

  14. Federation is similar to creating an efficient railroad infrastructure • This cannot be studied as • a single station issue • an individual line issue • This is a question about creating an overall efficient infrastructure – and how we best spend the taxpayers' money while creating it. Having tracks of different widths side-by-side probably isn’t the best way to do it…

  15. But isn’t it just a question about putting up some gateways? • Well, it can be a tactical solution, besides the extra cost being pushed into the federation and the added performance, scalability and security issues • However, currently it can only work for lower level security scenarios, as the integrity requirements for higher level security cannot be maintained • Illustration follows

  16. Danish public sector shared service requirements for maintaining integrity of users' identity in a gateway scenario (diagram: Login service (IdP) with Attribute Service, existing pin-codes, uid/pw and CertAuth; SAML 2.0 login over web or local network for citizens, private employees and public employees; SAML 2.0 Service Providers) The above is one of the basic use cases for a Danish public sector federated identity concept. The SAML 2.0 standard is for many good reasons the preferred way to support this. However, there is a desire for a gateway function that also includes service requesters supporting only the WS-Federation specification, as illustrated on the next slide.

  17. Danish public sector shared service requirements for maintaining integrity of users' identity in a gateway scenario (diagram: SAML 2.0 login over web or local network for citizens, private employees and public employees to SAML 2.0 Service Providers; a public employee logging in with WS-Federation with a SAML 1.1 token to a SAML 2.0 Gateway that converts the WS-FED token to a SAML 2.0 token) The desired gateway should allow service requesters to enter the federation using the WS-Federation specification and then convert the WS-Federation supplied token (presumably a SAML 1.1 token, as user attributes also should be transferred) to a SAML 2.0 token.

  18. Danish public sector shared service requirements for maintaining integrity of users' identity in a gateway scenario (diagram: as on the previous slide, with each Service Provider labelled by the confidence it requires in the asserted identity's validity: High for the SAML 2.0 Service Providers reached directly, Some or High for those reached via the SAML 2.0 Gateway from the WS-Federation login with a SAML 1.1 token) The issue for the gateway scenario is when the service provider requires High confidence in the asserted identity's validity. This requires the assertion to be signed at the point of origin. However, even if WS-Federation allows for signing the SAML 1.1 token, this signature cannot be maintained when the token is converted to a SAML 2.0 token.
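To make the point of slide 18 concrete, here is an added example in Python (not from the presentation or from any Danish public sector code): HMAC over a canonical JSON body stands in for XML-DSig, the party names and keys are constructed, and a SAML 2.0 service provider's acceptance rule requires the origin IdP's own signature for ”High confidence”, so a token the gateway has converted and re-signed is accepted at most at ”Some confidence”.

```python
import hashlib
import hmac
import json

# Constructed (hypothetical) keys: each party signs with its own key. HMAC over a
# canonical JSON body stands in for XML-DSig; the trust argument is the same.
KEYS = {"origin-idp": b"origin-idp-signing-key", "gateway": b"gateway-signing-key"}

def _body(payload):
    # Canonical serialisation of everything except the signature itself.
    return json.dumps({k: v for k, v in payload.items() if k != "sig"},
                      sort_keys=True).encode()

def sign(claims, signer):
    payload = {**claims, "signer": signer}
    digest = hmac.new(KEYS[signer], _body(payload), hashlib.sha256).hexdigest()
    return {**payload, "sig": digest}

def verify(token):
    # The token names its signer; the signature must verify under that signer's key.
    key = KEYS.get(token.get("signer"))
    if key is None:
        return False
    expected = hmac.new(key, _body(token), hashlib.sha256).hexdigest()
    return hmac.compare_digest(token.get("sig", ""), expected)

def origin_issue(version, subject, attributes):
    # The login service (point of origin) signs a SAML 2.0 token for SAML 2.0
    # requesters, or a SAML 1.1 token to be carried in WS-Federation.
    return sign({"version": version, "subject": subject, "attributes": attributes},
                "origin-idp")

def gateway_convert(saml11):
    # Re-express the SAML 1.1 claims as SAML 2.0. The origin signature covered the
    # old document; copying it onto the new one would fail verify(), so the
    # gateway can only sign the converted token with its own key.
    if saml11.get("version") != "1.1" or not verify(saml11):
        raise ValueError("gateway only converts origin-signed SAML 1.1 tokens")
    return sign({"version": "2.0", "subject": saml11["subject"],
                 "attributes": saml11["attributes"]}, "gateway")

def sp_accepts(token, required_confidence):
    # SAML 2.0 SP policy: the token must verify; "high" confidence additionally
    # requires the signature to come from the point of origin, not the gateway.
    if token.get("version") != "2.0" or not verify(token):
        return False
    if required_confidence == "high":
        return token["signer"] == "origin-idp"
    return True
```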

  19. Current focus for Danish public sector federation • Establishing a shared public sector login solution including the necessary trust framework • Add Attribute Authority to the reference architecture • Federation of web services • Collaboration in the Liberty Alliance eGovernment Special Interest Group • Participation from public sector institutions in Finland, France, New Zealand, Norway, UK, USA, and Denmark • Sample work themes: • Public sector input to Legal Templates work • Develop eGovernment scenarios • Business models for federations • Promotion of open standards

  20. Additional Info • Søren Peter Nielsen • E-mail: spn@itst.dk • Get a document detailing in English the motivations for the Danish public sector recommendation of SAML 2.0 here: http://www.oio.dk/arkitektur/brugerstyring/english/saml

  21. Open Standard - The definition • The Danish definition of a completely open standard: • Available and free for all • Stays available and free • Freely available and documented in all details • NEW: Open process • Everyone agrees that open standards are good • But not everyone agrees on the definition of ”open”

  22. Why open standards • Why open standards? • Gives low entry barriers to suppliers • Avoid lock-in • Make it easier for everyone to make an offer • Cheaper solutions • More choice • Help bring about interoperability • Facilitate communication and information exchange • Fosters innovation!

  23. Two paths to G2G interoperability - benefits and drawbacks • Proprietary standard: • High entry barriers to IT suppliers …due to high license costs (or no access to the standard at all) • Fewer suppliers • Less competition, e.g. everyone chooses the MS Office suite • Need for/tendency towards one common IT system • Less choice • Difficult or impossible transformation of data • Expensive or impossible communication and information exchange • Difficult, expensive or impossible migration to new systems • No interoperability G2B, G2C, etc. • More expensive solutions • No choice (supplier lock-in) • G2G interoperability • Open standard: • Low entry barriers to IT suppliers …since the standard is free to use • More suppliers • Competition • No need for common IT systems • Choice • Easier or cheaper transformation of data, or no need for transformation of data • Easier communication and information exchange • Easier migration to new systems • Interoperability G2B, G2C, etc. • Cheaper solutions • Choice (no supplier lock-in) • G2G interoperability

  24. A reference model is based on a small number of unifying concepts and is an abstraction of the key concepts, their relationships, and their interfaces both to each other and to the external environment. Reference models help moving forward with a decentralized approach • Give a common language and common understanding for a well defined area • Help identify requirements for new standards • ..and describe interfaces between different elements • Create a base for interoperability in an open market • Help create alignment, remove redundancy and identify shared solutions/components • Reference models have a broad audience. All ”recipients” are not necessarily known in advance.
