Snapshot: SAML IOP Past, Present, and Future

Our guest blogger today is Kantara Member Rainer Hörbe. Rainer has been a contributor, architect and standards editor for the Austrian eGovernment federation. In the European cross-border eHealth federation project epSOS he served as security policy adviser. As a Member of Kantara Initiative, OASIS, and ISO SC27 he is engaged in developing models and standards in federated identity management.


I was invited to speak at the “Borderless eID workshop” on Nov 18th in The Hague to represent Kantara Initiative and discuss a harmonized approach for technical specifications in Europe, for example a uniform standardized SAML profile. Each presenter had 5 minutes to discuss the following topics:

  • Rainer Hoerbe (Kantara Initiative): [technical interoperability using a harmonized SAML profile]
  • Nils Fjelkegård (Swedish government) [interoperable national trust frameworks]
  • Frank Leyman (Belgian government): [national eID and public/private sector]
  • Mirjam Gerritsen (Dutch government and e-Recognition): [Compliance with STORK Assurance Levels]
  • Herbert Leitold (Austrian government and STORK): [Mandates for persons and organizations]

One can get a quick snapshot of the SAML interoperable products and services landscape here. For my part of the agenda, I told a story that began with a timeline of SAML, progressed to explain benefits and threats, and concluded with an outlook toward the future. The timeline looks as follows:

[Figure: SAML 2.0 interoperability timeline]

  • SAML was predominantly forged by OASIS, Liberty Alliance (which later evolved to become Kantara) and received major support from the Shibboleth people.
  • OASIS SAML 1.0: no interoperability; 1.1: frequently deployed in enterprises or bilateral federations.
  • SAML 2.0 merged back to the Liberty Alliance fork. Around that time the focus moved to scalability in large federations with the WebSSO use case. This required the introduction of standardized configurations (metadata) and conformance profiles.
  • Liberty Alliance conducted Interop events to certify products, Kantara Initiative continues to provide certification services.
  • Beginning with the US eAuth (later FICAM) profile, Kantara developed the Kantara eGov SAML 2.0 profile, which is in fact a general federation profile.
  • During the last couple of years an ecosystem of products, tools and libraries has been growing around the Kantara eGov SAML 2.0 Interop Profile and related deployment profiles such as Saml2Int. Saml2Int continues its life-cycle within the Kantara Federation Interoperability WG (FIWG).
  • Not adhering to technical interoperability can bite back at deployment time (see HealthCare.gov).
  • Large SAML federations (mostly from research & education and government) usually rely on a SAML profile that is derived from Kantara eGov Interop Profile, scaling up to thousands of IdPs and SPs.
  • Future: The plan is to merge the Kantara Interop Profile into the SAML 2.1 specs, while Kantara will continue to provide a testing program for SAML as well as for other established and emerging protocols.

Various community efforts to harmonize around SAML continue. If you would like to learn more and contribute to ongoing harmonization and certification efforts, I encourage you to join the Kantara eGov WG and FIWG.

Disclaimer: opinions expressed are that of the guest blogger and not necessarily reflective of a Kantara Initiative formal organizational position.