Over the past two days I browsed the SourceID open source identity management project and read some articles about SAML and ID-FF. There was a bigger gap than I expected, and some disappointment; here is a short summary.
1. Introduction to open standards SAML, liberty, and WS-Federation
As we all know, within a single security domain, Single Sign-On (SSO) can be implemented by writing the user's identity information into a cookie in the user's browser. In a cross-domain environment, however, the cookie mechanism no longer works, so how can user identity information be shared? The following standards were proposed, and are continually being improved, to solve this problem.
SAML 1.0
The Security Assertion Markup Language (SAML) is an extensible language for securely exchanging user information between security domains. SAML defines a security token format (called an assertion), as well as 'profiles' that define how these assertions are used to provide web single sign-on. In addition, SAML defines a SOAP protocol through which assertions may be served. SAML defines three types of assertions: authentication, attribute, and authorization.
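As an added illustration of the three assertion types named above (example code written for this summary, not from the original post or from SourceID), the Python below parses a constructed SAML 1.1 assertion carrying an authentication, an attribute and an authorization decision statement, and enforces its Conditions validity window before returning anything. The issuer, AssertionID, subject and resource are placeholder values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # namespace shared by SAML 1.0 and 1.1
NS = {"s": SAML1}
SUBJECT = "<s:Subject><s:NameIdentifier>alice</s:NameIdentifier></s:Subject>"
# Constructed sample assertion carrying the three SAML 1.x statement types;
# issuer, AssertionID, subject and resource are placeholder values.
SAMPLE = f"""<s:Assertion xmlns:s="{SAML1}" MajorVersion="1" MinorVersion="1"
  AssertionID="_placeholder-id" Issuer="idp.example.com" IssueInstant="2004-06-01T12:00:00Z">
  <s:Conditions NotBefore="2004-06-01T12:00:00Z" NotOnOrAfter="2004-06-01T12:05:00Z"/>
  <s:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2004-06-01T11:59:58Z">{SUBJECT}</s:AuthenticationStatement>
  <s:AttributeStatement>{SUBJECT}
    <s:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
      <s:AttributeValue>staff</s:AttributeValue></s:Attribute>
  </s:AttributeStatement>
  <s:AuthorizationDecisionStatement Resource="https://sp.example.com/app" Decision="Permit">
    {SUBJECT}<s:Action>GET</s:Action>
  </s:AuthorizationDecisionStatement>
</s:Assertion>"""

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text, now):
    """Enforce the Conditions window at `now` (aware datetime), then return the statements by type."""
    root = ET.fromstring(xml_text)
    cond = root.find("s:Conditions", NS)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion has no Conditions or is outside its validity window")
    # Every statement must name the same subject; a mismatch means the assertion is not coherent.
    subjects = {n.text for n in root.iterfind(".//s:Subject/s:NameIdentifier", NS)}
    if len(subjects) != 1:
        raise ValueError("statements do not agree on a single subject")
    auth = root.find("s:AuthenticationStatement", NS)
    authz = root.find("s:AuthorizationDecisionStatement", NS)
    return {
        "subject": subjects.pop(),
        "authentication": None if auth is None else auth.get("AuthenticationMethod"),
        "attributes": {a.get("AttributeName"): a.findtext("s:AttributeValue", namespaces=NS)
                       for a in root.iterfind("s:AttributeStatement/s:Attribute", NS)},
        "authorization": None if authz is None else (authz.get("Resource"), authz.get("Decision")),
    }

def check_sample(stamp):
    """Evaluate SAMPLE at a UTC timestamp; None means a relying party should reject it."""
    try:
        return parse_assertion(SAMPLE, _utc(stamp))
    except ValueError:
        return None
```

A real relying party would also verify the assertion's XML signature and check the Issuer against its trusted identity providers before acting on any statement; neither step is shown here.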
SAML 1.1
This specification mainly incorporates feedback and errata from the SAML 1.0 specification.
SAML 2.0
SAML 2.0 is currently in the requirements definition phase, and its exact scope is not yet clear. The SAML Technical Committee plans to add support for processing the features in Liberty's ID-FF 1.2. This specification is still at an early stage, but is expected to incorporate a significant portion of Liberty Phase 2 / ID-FF 1.2.
Liberty Phase 1 (ID-FF 1.0)
Liberty Phase 1 extends SAML 1.0 by adding its own profiles for how to use SAML assertions. These additional profiles add support for account federation, identity provider introduction, pseudonymous identity mapping and global logout. The Liberty Alliance model defines roles within a federation: an identity provider (IDP) and a service provider (SP).
Liberty Phase 1 (ID-FF 1.1)
This specification mainly incorporates feedback and errata from the ID-FF 1.0 specification.
Liberty Phase 2 (ID-FF 1.2)
This set of standards extends ID-FF with new functionality, such as one-time assertions of identity (for anonymity), affiliate relationships, and mechanisms for sites to talk about employees and members (via SAML assertions).
Liberty Phase 2 (ID-WSF 1.0)
This set of standards extends the existing Liberty framework with functionality for discovering and offering identity-related services. Profile access is specified as an initial service, allowing access to user attributes. Liberty Phase 2 defines its messages and protocol bindings in terms of SAML 1.1, and uses WS-Security for securing SOAP messages.
Liberty Phase 3
This set of standards is still in the elaboration stage, but it is expected that ID-WSF will be extended with new services built on top of attribute exchange, such as a digital wallet and calendaring/address book services.
WS-Security
This specification defines mechanisms for providing security-token-based integrity and confidentiality for Web Service (SOAP) messages. Several security tokens are defined, as well as a mechanism for associating them with messages.
WS-Security Extensions (WS-Trust, WS-Policy, WS-Federation)
This collection of specifications is an evolving set of web-service-oriented mechanisms for layering authentication, authorization, and policy across both single and multiple security domains. WS-Federation defines a framework for federation. Profiles will be developed subsequently to specify the details for implementation.
2. Introduction to sourceid open source project
SourceID is an open source project for enabling identity federation and cross-boundary security. SourceID focuses on ease of integration and deployment within existing web applications, products, or services. In addition, SourceID provides a high level of developer functionality and customization, and is designed to shield the integrator and enterprise from needing to understand the complexities of federation, or the rapidly evolving federation standards.
Currently, the project provides users with free Java development kits (toolkits) for SAML 1.0 and 1.1 and ID-FF 1.1 and 1.2, and .NET development kits for SAML 1.0 and 1.1 and ID-FF 1.1. However, the federation server, PingFederate, can only be downloaded for trial use, which is a pity.