Federation Lab and OpenID Connect
This document summarizes a presentation about the Federation Lab and OpenID Connect. The Federation Lab is an identity toolkit that automates testing of identity software to increase interoperability between providers and consumers using SAML and OpenID Connect. It is a GÉANT project in collaboration with industry and research partners. The presentation discusses challenges like interoperability issues that can arise from complex identity systems with many implementations and deployments. Federation Lab addresses this by performing over 100 automated test flows on identity providers to discover errors. It also provides debugging tools. The presentation contrasts identity flows and attribute returning between SAML and OpenID Connect. In closing, the Federation Lab testing tool is made available for participants to use.
Federation Lab and OpenID Connect
- 1. Andreas Åkre Solberg Roland Hedberg UNINETT AS Univ. Umeå Federation Lab and OpenID Connect NorduNet Conference Oslo, Norway, September 2012
- 2. Federation Lab ✤ Identity toolkit for testing, validation and debugging of Identity Software. ✤ Automated testing tool for increasing interoperability between providers and consumers with SAML and OpenID Connect. ✤ A GÉANT project (GN3 JRA3T2) in collaboration with Kantara Initiative and the OpenID community. OpenID Testing Commercial (Kantara Intitive) <-> Research and HE (GEANT) Established (SAML) <-> Emerging (OIC) Nordic collaboration (UNINETT and umu.se) Involved in standardization A very important reference implementation
- 3. Complex End-to-end Systems Many implementations This is a good thing! Many deployments Variying spec interpretion Really difficult Sub-set implementations to avoid this Interop issues Things stop working for end users. Who to blame? Who can fix it? ! - difficult question Things continues to not work Unhappy users We MUST avoid this, but how?
- 4. What causes interop issues ✤ Flexibility, too many options. Sub-set implementations. ✤ Deployment options ✤ Yet to be discovered software bugs ✤ Unclear specification ✤ Poor error handling ✤ Lack of feature negotiation or limited language (metadata) of expressing supported features
- 5. Postel’s Law «Be strict in what you send, but generous in what you receive» Postel's Law,1981, RFC793: TCP ✤ Will this increase interop? ✤ Interop issues less likely to be detected, and may easily pass matrix testing.
- 6. Typical Matrix Testing Test 4-5 products against each other Validate that it is possible to configure the products to work with each other. Product is certified. Does not really ensure interop in an actual deployment.
- 7. Profiling By being very excplitit on how to use the protocols, interoperability increases. saml2int
- 8. Automated Testing of SAML and OpenID Connect This is what we did with Federation Lab An automated client, simulates one entity whiles test the other. Consumer <-> Provider Performs about 100 different test flows, and focus on discovering things that goes wrong, rather than verifying that things may work. Real time testing with detailed feedback Test each provider, and present results. for debugging.
- 9. Federation Lab contains a set of useful debugging tools for encoding and decoding messages.
- 10. Automated testing of SAML Service Providers performs approx 80 test runs with various legal and illegal message flows to verify behaviour of software.
- 11. Automated testing of OpenID Connect Providers tests providers, and involves an innovative engine for working with human user interaction with login screens.
- 12. OpenID Connect Roland Hedberg Univ. Umeå
- 13. How to find the ‘key’?
- 14. Different solutions • SAML • Metadata • OpenID Connect • Dynamic discovery and registration
- 15. Flow differencies IdP AS 4 5 3 3 2 4 UA 6 OP UA 2 1 7 1 9 8 SP RP SAML OpenID Connect
- 16. Returning attributes • SAML • Static • Response contains 1-n assertions • OIC • Dynamic • Aggregated/distributed claims
- 17. Thanks for listening. Federation Lab (beta) http://openidtest.uninett.no