Gotze.eu

Tag: SAML

  • Microsoft and Danish Government in New Identity Deal

    A year ago, my former collegue Søren Peter Nielsen wrote, on behalf of the Danish government, a letter to Microsoft. Seems he got a response, and I’m sure it’ll interest XMLGrrl and many others, that an announcement was made yesterday: Agreement between the National IT and Telecom Agency and Microsoft: Agreement concerning partial support of the SAML 2.0 standard.

    “The ongoing dialog between the National IT and Telecom Agency and Microsoft has resulted in an agreement on partial support of the SAML 2.0 standard in Microsoft’s forthcoming version of their federation product named Active Directory Federation Services 2”, the agency writes.

    The text agreed upon is as follows:

    “The Danish public sector has chosen SAML 2.0 as their federation standard. Microsoft products use WS-Federation and WS-Trust as the foundation of their federated identity architecture. The Danish government has agreed that the SAML 2.0 token format is sufficient to provide basic interoperability between WS-Federation and SAML 2.0 environments as a common assertion format, without loss of authentication integrity.

    To support interoperability between WS-Federation and SAML 2.0 based products Microsoft has agreed to support the SAML 2.0 token format in the future release of Active Directory Federation Services code-named Active Directory Federation Services “2”. Microsoft will provide the Danish public sector Centre of Service Oriented Infrastructure with pre-release code to help analysis and planning of solutions for integrating WS-Federation-based clients in the Danish federation, and to collect feedback on the feature implementation.

    In addition, the co-authors of WS-Federation (including Microsoft) have submitted the specification to OASIS for standardization. This step further enables interoperability between federated environments that deploy SAML 2.0-based products and those that deploy WS-Federation-based products.”

    In commenting the agreement, the agency writes: “With this agreement a possibility for inclusion of Microsoft based clients in a common public SAML 2.0 based federation has opened”, and notes:

    The integration will require the standard based login solutions to be expanded with a special integration code. The solution is therefore a pragmatic tactical integration solution, but with the above-mentioned partial SAML 2.0 support from Microsoft it is expected that the integration can be done without influencing the individual “Microsoft Active Directory Federation Service” user organizations.

    The agency notes that more iinformation on the concrete possibilities will be published as the National IT and Telecom Agency’s Centre for Service Oriented Infrastructure receives pre-release code from Microsoft that can be integration tested.
    The agency elaborates a bit more on the deal:

    It is still desired, that Microsoft support all of the SAML 2.0 standard in their products, but the above-mentioned agreement are a good first step towards more convergence among standards for transverse user management.

    The National IT and Telecom Agency also sees the filing of the WS-Federation (WS-FED) specification for standardization in OASIS as a step that can promote convergence among federation standards.

    It should be stressed that it does not mean that the WS-Federation specification is recommended equally to SAML 2.0 for common public solutions.

    When the results of the standardization with WS-Federation become available (expectedly in the end of 2008) it might be relevant to do a new assessment but for now the SAML 2.0 it is still the only standard, which is recommended as a federation standard for Danish common public solutions.

    So, there we have it.

    I want to congratulate Søren Peter on a job well done. Stand firm on SAML 2.0, the open ecosystem needs it. And thanks to Microsoft for listening to customers (but why only partial support?).

  • Standards, Security, and Sectors

    OASIS Adoption Forum

    I’m going – are you? The third annual OASIS Adoption Forum is held in London on 27-29 November. The forum is themed Enabling Efficiency between Government, Business and the Citizen: Managing Secure Interactions in Sector Applications, and the list of presenters is very impressive. Also note that a Workshop on the State and Future of PKI has just been announced being part of the event. There will be sessions about adoption of OASIS standards such as SAML, XACML, and WS-Security.

    OASIS Adoption Forum “seeks to educate and expose security leaders and professionals to the tools, standards and implementations that are transforming security interactions and relationships between citizens, businesses, governmental institutions and agencies. With increasing threats encompassing everything from hacking to identity theft, providing a secure environment must be a major objective for companies, governments, and organizations worldwide. The success you enjoy tomorrow depends on the security decisions you make today”.

  • Digital Identity Management – Challenges and Benefits

    Amir Hadziahmetovic has published his MSc in IT thesis, which he made under my supervision. It is in English and is called Digital Identity Management – Challenges and Benefits (Download PDF). Besides giving a nice introduction to and analysis of Identity Management, Amir makes some interesting observations about the identity management situation in Denmark. I recommend everyone to read this good thesis.

    I’ve extracted a few central paragraphs introducing the project:

    The main research problem is how to find the optimal model that will solve Digital Identity (DI) management and the data interchange for electronic business in new network economy. The problem lies in unknown path of how to make choices for interoperable DI, and how to find the optimal strategy to implement chosen model. The research will commence with exploring the area of general Digital Identity Management, continue with analyzing platform for interoperable management and exchange of DIs, including implementation challenges, and end with listing the benefits of having such a platform implemented.

    Imagine the sewerage management of a bigger city where each building block has a container for waste waters instead of a city-wide sewerage system. Without drain-pipes connecting the containers, every now and then a container would fill up, and for emptying a pump-trucks would be needed. They would pump out the content from a container, and spill it out at some depot outside the town. This would be very complex system of containers and trucks, difficult to control and manage. Some of the containers would certainly get overfilled, causing flooding and bad smell. With the growth of the city, the system would get even more unreliable. Therefore the majority of today’s cities have outspread sewerage system, which connects the depots, automating the spill of waste waters.

    The similar problem modern business has with today’s DI management: Identity data in containers, filling up quickly; the system unable to exchange data with other systems; difficult to maintain and automate the spill of data. To enable development of electronic business, more reliable system for DI management is required.

    Business trends today push organizations toward strengthening of cooperation and linking of business processes between them. Many companies and governments are tending to expand their activities by integrating online services and systems, and letting external users access internal data. Individual users want comfortable Web experience, and minimal effort in getting tailor-made products and services. Inability of today’s IT systems to match these trends is choking present development of business. Strengthening of cooperation and linking of business processes is putting pressure on IT systems and belonging infrastructure, requiring that Digital Identity data is created in unified fashion, and safely exchanged between organizations.

    Digital Identity Management (IM) is a fundamental part of integrated company systems and online services. It defines who has access to what in some cases, and identifies customers and users of the services in other cases. IM architecture of today has to evolve from predominantly silo to common, interoperable architecture, based on open standards. This kind of architecture is a fundament for Federated IM, where identities are safely exchanged.

    This project will try to look at Digital Identity Management, technology and architecture in relation to business goals and strategies. The main concepts of Digital Identity Management will be addressed i.a. concepts like Federated Identity, Single Sign-On (SSO), and Open Standards. The report will present a study of business and technical implications of Federating Identity, where Identity management is the central issue.

    An analysis of the practical as well as architectural aspects of Federated Identity will be covered. An analysis of open standards for interoperability will be covered, especially those advised by Danish National IT and Telecom Agency and their Reference Model for Identity. The report will focus on standards from the Model such as Role-Based Access Control (RBAC), Security Assertion Markup Language (SAML), Lightweight Directory Access Protocol (LDAP) and Public certificates for electronic services – OCES Digital Signature, but also will discuss alternatives. Finally privacy issues will be considered.

    The fundamental objective of any enterprise IT system must be full support to business flexibility and agility in ever-changing business environment. The ultimate goal of this project is to perceive the challenges of the IM evolution path, and to show how Identity Management supports connection between the systems and the processes, providing users with better web experience.

    Method: The project will list general theoretical issues, comparing different views on these issues, and presenting own reasoning.

    The obstacles in relation to acceptance of Reference Model for Identity will be analyzed. The analysis will be based on empirical research including feedback from involved organizations, interviews with individuals from selected organizations, conferences, and forums.

    Again: Download Amir’s thesis (PDF).