Over the last two days I browsed the SourceID open source identity management project and read some articles on SAML and ID-FF. Some of it went beyond what I expected and some of it was disappointing; here is a short summary.
1. Introduction to the open standards SAML, Liberty and WS-Federation
As is well known, within a single security domain, single sign-on (SSO) can be implemented by writing the user's identity information into a cookie in the user's browser. In a cross-domain environment, however, the cookie mechanism fails. How, then, can user identity information be shared across domains? The following standards were created to solve this problem and are still being improved.
SAML 1.0: The Security Assertion Markup Language is an extensible language for securely exchanging user information between security domains. SAML defines a security token format (called an assertion), as well as "profiles" that define methods of using these assertions to provide web single sign-on. In addition, SAML defines a SOAP protocol through which assertions may be served. SAML defines three types of assertions: authentication, attribute, and authorization.
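To make the assertion format concrete, here is an added example (not from the original post and not SourceID code) in which a relying party checks a SAML 1.1 authentication assertion before trusting it for cross-domain SSO: the issuer, the validity window, the audience restriction and the authentication statement. The sample assertion and the issuer and audience URLs are constructed, and signature verification is assumed to have been done beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed sample: a SAML 1.1 authentication assertion as an IdP might issue
# it for web SSO. The XML-DSig signature a real assertion carries is omitted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="https://idp.example.org" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2024-05-01T11:59:30Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _ts(value):
    # SAML timestamps are UTC in this form; make them comparable aware datetimes
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, trusted_issuer, my_audience, now_utc):
    """Relying-party checks; returns (subject, auth_method, errors), empty errors = accept."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion" or root.get("MajorVersion") != "1":
        return None, None, ["not-a-saml1-assertion"]
    if root.get("Issuer") != trusted_issuer:  # only assertions from our configured IdP
        errors.append("untrusted-issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:  # conservative policy: unbounded assertions are not accepted for SSO
        errors.append("missing-conditions")
    else:
        now = _ts(now_utc)
        if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
            errors.append("outside-validity-window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if my_audience not in audiences:  # an assertion minted for another SP must not be replayed here
            errors.append("audience-mismatch")
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        errors.append("no-authentication-statement")
        return None, None, errors
    subject = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    return subject, stmt.get("AuthenticationMethod"), errors
```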
SAML 1.1: This specification mainly incorporates feedback and errata from the SAML 1.0 specification.
SAML 2.0: SAML 2.0 is currently in the requirements definition phase, and its exact scope is not yet clear. The SAML technical committee plans to add support for many of the features in Liberty's ID-FF 1.2. The specification is still at an early stage, but it is expected to incorporate a significant portion of Liberty Phase 2 / ID-FF 1.2.
Liberty Phase 1 (ID-FF 1.0): Liberty Phase 1 extends SAML 1.0 by adding its own profiles for how to use SAML assertions. These additional profiles add support for account federation, identity provider introduction, pseudonymous identity mapping and global logout. The Liberty Alliance model defines two roles within a federation: an identity provider (IdP) and a service provider (SP).
Liberty Phase 1 (ID-FF 1.1): This specification mainly incorporates feedback and errata from the ID-FF 1.0 specification.
Liberty Phase 2 (ID-FF 1.2): This set of standards extends ID-FF with new functionality, such as one-time assertions of identity (for anonymity), affiliate relationships, and mechanisms for sites to communicate about employees and customers (via SAML assertions).
Liberty Phase 2 (ID-WSF 1.0): This set of standards extends the existing Liberty framework with functionality for discovering and offering identity-related services. A profile access mechanism is specified as an initial service, allowing access to user attributes. Liberty Phase 2 defines many of its messages and protocol bindings in terms of SAML 1.1, and uses WS-Security for securing SOAP messages.
Liberty Phase 3: This set of standards is still in the elaboration stage, but it is expected that ID-WSF will be extended with new services built on top of attribute exchange, such as a digital wallet and calendaring / address book services.
WS-Security: This specification defines mechanisms for providing security-token-based integrity and confidentiality for Web Service (SOAP) messages. Several security tokens are defined, as well as a mechanism for associating them with messages.
WS-Security extensions (WS-Trust, WS-Policy, WS-Federation): This collection of specifications is an evolving set of Web-Service-oriented mechanisms for layering authentication, authorization, and policy across both single and multiple security domains. WS-Federation defines a framework for federation; profiles will be developed subsequently to specify the details for implementation.
2. Introduction to the SourceID open source project
SourceID is an open source project for enabling identity federation and cross-boundary security. SourceID focuses on ease of integration and deployment within existing Web applications, products, or services. In addition, SourceID provides a high level of developer functionality and customization, and is designed to shield the integrator and the enterprise from needing to understand the complexities of federation or the rapidly evolving federation standards. The project provides users with free Java development kits (toolkits), as well as .NET development kits for SAML 1.0 and 1.1 and ID-FF 1.1. However, the server-side federation server, PingFederate, is only available as a trial download, which is a real pity.