Security/identity · 2007-02-20

It’s a saml world, after all

Nope, that’s not a typo. I kept thinking about that silly tune when I saw the panel assembled for an RSA conference session called “SAML 2.0 — Standard-of-Choice in the Public Sector”, hosted by Brett McDowell. The speakers represented identity management initiatives in the US, Denmark, Finland, and the UK. The slides were simply covered with little flags. [UPDATE: The slides have now been posted, proving my point. :-) ]

I’d already been thinking about something Andre Durand remarked on recently:

When a critical mass of companies mandate standards for cross-domain SSO, we will have hit the tipping point for federated SSO. Having seen a few companies already cross that line, there is a formula. What we need to do now is hone it down and then hit the repeat button.

I had meant to comment at the time, since I know of a number of such mandates myself, but conference preparations (and getting sick) swamped me. Now I’m glad I waited, because the people on this panel had some of their own to share, and made a lot of excellent points that, I think, support Andre’s contention. And what they’re mandating is SAML2.

I thought it would be interesting to share what I heard. I’ve got ridiculously complete notes from the session in the extended entry (and don’t forget to check out the Liberty Alliance site’s adoption section, particularly the e-government page if you’re particularly interested in public-sector deployments), but here’s a taste of what the panelists were saying:

Søren Peter Nielsen, representing the Denmark National IT and Telecom Agency [UPDATED to fix name of agency] (info on their selection of SAML is here and I blogged on it here and here):

Based on these requirements, picking SAML 2.0 really was a slam-dunk decision.

Tero Pernu, representing the Finnish Board of Taxes (case study here):

The Finnish case study is a bit broader than the Danish one. This one also includes the [Liberty Identity] Web Service Framework.

Conn Crawford, Strategic Projects Officer of the Sunderland (UK) City Council:

We need some sort of stability around our open standards.

Georgia Marsh, Deputy Program Executive of the US General Services Administration E-Authentication Initiative:

We don’t just go and adopt anything that’s cool…. Many of our customers have told us, in many ways, that they’re ready for SAML 2.0.

[I worked from a private recording to make these notes. Anything not in quotes is a rough paraphrase. Anything in quotation marks is a real quote that’s as accurate as I could make it, barring minor transcription cleanup. Anything in brackets is a comment or observation from me. Anything in bold is just a good point that I thought was useful to highlight. If anyone has corrections to offer, please don’t hesitate to send them along.]

Brett McDowell (BMcD):

This panel will discuss why governments are deploying SAML2 for federation, and we’ll explore the use of open standards to meet regulatory requirements. Governments are one example of an enterprise. SAML2 was the result of convergence of SAML V1.x, Liberty ID-FF, and Internet2 Shibboleth.

[About half the audience raised their hands saying they were familiar with SAML2 and its benefits, and about 20% said they were in planning or pre-planning for deployment.]

The market has been growing around SAML. One clear driver has been the Liberty Interoperable program, with about 80 certifications made through it so far. Deployers can request Liberty Interoperable certification in their RFPs. Over 1 billion identities and devices are Liberty-enabled. The IDDY awards program started last year. [Two of the three winners in 2006 had public-sector deployments.]

Søren Peter Nielsen (SPN):

Denmark has a decentralized approach: If you’re responsible for a service, you’re responsible for the IT for it; this means the average citizen will have to interact with many separate apps, which lends itself to federation. In 2004, it set up these requirements:

  1. Any authority with an external-facing solution must be able to share a login service (authn) with others.
  2. There can’t be just one centralized service; there’s a need for redundancy.
  3. It must be possible to share authorization info too.
  4. Support for different authentication methods must be possible.

The fact that the US GSA E-Authentication Initiative chose SAML was one factor in Denmark’s choice. The choice had to be an open standard; three factors were important here:

  • The standard must be supported by commercially available products, to validate it technically and commercially.
  • The standard must be open, for many reasons, but importantly they can’t ask citizens to use one standard that limits their choices; it must not be tied to a single vendor.
  • The standard must be proven interoperable through third-party interop testing; they can’t ask stakeholders to be the ones to figure out if the different suppliers work together.

“Based on these requirements, picking SAML 2.0 really was a slam-dunk decision. There was no alternative to it. We took this decision in 2005.”

Tero Pernu (TP):

“The Finnish case study is a bit broader than the Danish one. This one also includes the Web Service Framework. And as you can see, this solution has been up and running since 2005. The authorization part of the project was finished in 2006.”

This identity management effort had goals to increase productivity and support an information society program. The big challenge was to support a smoother taxation process. E-filing was started in Finland in the late 1990s but wasn’t very secure or smooth, and didn’t have a good audit trail. The previous ID system was proprietary and didn’t support any standards, or web services; they needed an open and standard solution.

SAML2 was attractive partly because of its layered security model: transport and message security. It also has a strong developer community, which welcomed Finnish tax board participation. Katso is the nickname for the nationwide Finnish authentication system.

[He showed a process view of how e-filing of employers’ payroll taxes has changed.] The process has been getting more automatic. They went from 80% manual to 0% manual, going from paper forms/diskettes, to web forms, to SAML2 + FTP, to SAML2 and ID-WSF V2.0.

Conn Crawford (CC):

He’s the only one on the panel representing a local government perspective! [One other guy in the audience was also from a local government.]

He’s grateful to Liberty for the opportunity to be at the table. Sunderland is a small city in the northeast region of England; it’s as far away from London as possible, without being Scottish. :-) It includes the small village of Washington, George W’s ancestral home.

Local government has 80% of transactions that “don’t touch the center”; it’s responsible for community well-being in a way that’s distinct from homeland-security types of concerns. They are more concerned with growth and prosperity of the region. Sunderland’s identity work started in 1999 with the regional smart card idea; they didn’t talk about trust services yet, but rather “transformational government” or T-government.

When they looked at smart cards and their infrastructure, and how to persuade others to build it, they had to talk to various sectors (global banks, transport infrastructure players). It took till 2002 to succeed in pressing their agenda for different sectors to hook up identity transfer across systems.

“We’re making small investments in the Northeast, but we can’t afford to keep making small investments; we need some sort of stability around our open standards.”

Others coming on board in the federation cause a need for small adjustments on both sides, and stable standards are helpful for joining forces.

The process of making a technology choice was relatively slow and ad hoc; they first chose SAML V1.1. It wasn’t because it was the only game in town, but they were influenced by others having made the same decision. They needed transparency and a wide and growing vendor community, which gives choice to deployers.

Their goal is to hand over the running of the trust infrastructure, and move on to building new tools citizens can use on top, to manage the well-being of people and businesses in the region.

“And that means we were respecting privacy and respecting the services which actually enable the citizen, the individual, to scrutinize government.”

They’re at the point now where they’re building reference implementations; in March this will be complete.

Upgrading from SAML V1.1 has produced some difficulty; they hope people can follow their progress on the web as this goes. XACML support has been one point of interest in making the SAML2 decision.

Georgia Marsh (GM):

“With a few exceptions …, any of these presentations could have been given by any of us because we’ve all reached the same conclusions about commercial off-the-shelf products, about being standard-based, and certainly the sharing of not always going back and reinventing the wheel.”

They were mandated to come up with a framework for secure transactions with citizens, the federal government, and other governments; they chose federated identity.

The US is a little different from some other countries; it has no formal national ID, and so there’s a question about getting the necessary credentials in people’s hands in other ways.

Their federation has been operational since October 2005. The relying parties (RPs) are federal agency applications, and some federal agencies issue credentials. There are 4 levels of credential depending on risk: PKI is used for the higher ones and SAML for the lower ones, but the federation itself is technology-agnostic. Currently there are about 36 RPs and 6 credential service providers. In the 1.5 years since they went live, they’ve had lots of lessons; some have been about SAML1, and why SAML2 is going to be better to adopt.

“We don’t just go and adopt anything that’s cool. There has to be a really good business reason, and our customers have to tell us so. And many of our customers have told us, in many ways, that they’re ready for SAML 2.0 because it was going to enable them to do many more things than they could right now. The benefits are also great for the federation …. The portal [in place now] is going to go away because of the richness of SAML 2.0. Once that goes away it means that there’s going to be one less moving part for us …. Additionally, it simplifies our operational existence, and it’s going to be much more user-friendly.”

Scenarios for higher education, health care, and other areas will benefit from SAML2 as well.

The US government runs its own interop lab for sandbox testing and other testing for its members; it also does testing of SAML-conforming products.

“We will not adopt any new scheme unless there are at least three products that implement it.”

Ensuring that their own deployment profiles work with vendor products helps them and also the vendors; in April 2007 another round of product testing will start and, thereafter, there will be new deployments among credential service providers.

BMcD: What were the SAML differentiators from other standards, candidate standards, and technologies?

SPN: In 2004-2005, there was SAML V1.1, there was Shibboleth, and there was Liberty [ID-FF]; not much was known about the latter.

“And there was something going on in the WS-* stack that we really couldn’t get our arms around, because it wasn’t out in the open. There was a specification, but there were no products implementing WS-Federation, and what we really saw was, it was well-documented that there were limitations with all the others, that we could see that SAML 2.0 would solve. And we saw also the industry coming together — even at this conference [interop testing that took place at RSA 2005], there was interoperability demonstrated before the standards were ready. And the thing is …, when we decide to go for something in the public sector, the government, we can’t just switch after six months because that wasn’t the way to go. And here, really, SAML 2.0 was the way we could see that strategically had a way forward.”

CC: Shibboleth was a big driver; he works with universities in the community, and they use Shib. SAML2 offers the opportunity to reinforce that. The city government issues student cards, and this will grow to include usage in the university administration too.

BMcD: Role of the private sector in your choice?

GM: There are two sides to this. Some commercial credential service providers are in the federation that had already migrated to SAML2; also, the initiative is looking at “alignment in identity management period”, so many initiatives involved various vendors that want to provide end-to-end solutions, and SAML is a way to do that. The industry is maturing, and signatures and PKI and SAML are all coalescing at the center. They are also finding out which bells and whistles the agency customers need and bringing that info to vendors.

SPN: With respect to privacy, they wanted to be sure that federation and privacy were compatible; they learned how this was possible from observing airlines and others who had already done it. They do want to be inclusive of the private sector; they had been inwardly focused at first to get efficiency gains, but they are now thinking of all of society, with small-to-medium businesses and private companies and everybody benefiting.

BMcD: What part does the Liberty Identity Web Services Framework [ID-WSF] play in your plans?

TP: “In Finland, there are quite efficient net banking systems. They provide a username, permanent password, and one-time password. It’s not very convenient, but it’s a secure and quite reliable system. And the problem with that is that it’s only a browser-based solution, and our goal was to provide as easy an approach to the enterprises as possible. So we decided to figure out how they could benefit on their investments on their IRP systems. So by using the Web Services Framework we could provide such a solution …. When they are federated and, for instance, the payroll system has the necessary interfaces, they can log in to [the] IRP system and the e-filing straight through from the IRP system without going through tax portals’ services. So it’s so convenient and very easy to use and it’s there, the technology is there, and there are already existing solutions, and they are trying to leverage that to all other e-governmental services also. So let’s say that, for instance, if Oracle has a business suite, and they will provide a Web Service Framework, then it’s applicable to e-government services in Finland right away — they just federate.”

CC: Regarding user-centricity: Are they going to compel the user to take this up? How can they attract investors to build solutions? They want to add payment solutions to smart cards, ticketing solutions, identity management solutions, citizen access to leverage banking and telecoms infrastructure, and more. ID-WSF allows them to think about how to create commercial and business frameworks that can be supported by standards. In addition they have to set up the community and the vision.

BMcD: All the panelists represent government agencies that have joined Liberty.

SPN: They needed to take ownership of their own architecture, and for this to work well and influence the standards, it was essential to be able to join Liberty. They saw it as the ideal place to come to share requirements. They encourage other standards initiatives to make sure it’s an open process, not just approving a specification once it’s done.

GM: Getting together in such a forum to dialogue and to standardize approaches among the various government parties has been valuable; some US agencies do a lot of business with other countries, and interoperating and federating with each other is important.

CC: Sunderland now has a signed friendship agreement with US government! Joining a much broader community is helpful, and Liberty has been helpful — and it’s free for government members to join. [This extends to all non-profits.]

BMcD: Can you talk about privacy regulation and other regulatory pressures?

TP: The EU is a huge privacy regulator, and Finland has a long history of protecting privacy; SAML is in line with these goals.

SPN: SAML2 allows a range of privacy settings depending on the use cases.

CC: It allows us to increase scrutiny and accountability. Seeing the picture of enhancing and articulating trust and privacy values was important, as is compliance with EU directives. They like knowing that future challenges can be taken care of.

“We’re not just leaving this to chance — privacy is at the heart of our design at the moment.”

GM: The lifecycle process they use requires fulfilling regulatory requirements, and customers demand this.

BMcD restating audience question: The FFIEC guidelines are looking for multi-factor authentication for financial transactions; where is government looking to intervene on multi-factor?

GM: Credential service providers are financial institutions. The GSA’s Credential Assessment Framework document vets authentication methods; two-factor will be included as one requirement for Level 2 assurance.

SPN: They have operated with four levels, adopted from the US, which adopted them from the UK; in strong authentication matters, they’ve been following the lead of NIST.

CC: Government doesn’t always act in perfect concert, and local governments don’t have as much impact here; stronger authentication comes down to very personal services, such as child protection and business. They feed back requirements and drivers to the national government level; they feel the national government needs to be moving faster and to make it low-cost for end users.

BMcD: Within 30 days of the FFIEC guidelines being published, Liberty formed a Strong Authentication Expert Group. Last year this group did gap analysis and requirements gathering. Liberty is on track to produce the ID-SAFE framework for interoperable strong authentication, leveraging SAML2 and ID-WSF; this will include interoperability testing so that financial institutions can distribute strong authentication information successfully.