A student’s username and password combination (their credentials) used to be valid only on their own university or college campus. With the advent of identity federation, the use of such credentials can be extended beyond the university’s boundaries: the technology lets us use our local login for outside applications, and it does so while keeping the exchange secure and in line with privacy regulations.
Key concepts in this area are ‘service providers’ and ‘identity providers’. It is a separation of function that is not needed inside a single organisation.
An identity provider (IdP) is a party that is responsible for maintaining identity information about its users. In other words, the identity provider is responsible for all user administration. This role is taken by all universities and colleges in the BELNET R&E Federation.
A service provider (SP) is a party that offers a service to end users. This could be a website with scientific information or a download service offering software at a student discount. Any ‘online resource’ could fit this description. The service provider uses information released by the identity provider in order to provide the service.
Gluing it all together: use middleware!
The US research network Internet2 has pioneered identity federation. They have developed their own system, called Shibboleth. It is a set of software components, aptly named the Shibboleth identity provider and the Shibboleth service provider, plus some central components that glue it all together. The Shibboleth components are released under an open source license.
The development of Shibboleth provided valuable input for standardisation in this area: the OASIS standard SAML2.
SAML is short for Security Assertion Markup Language, and it is based on XML. It defines the structure of the SAML messages exchanged between IdP and SP, and it also defines how these messages can be transmitted over the Internet. SAML makes extensive use of XML signatures and encryption to protect the integrity and confidentiality of the messages exchanged.
The metadata and the discovery service
SAML2 metadata is an XML document describing the technical details of all IdPs and SPs in the federation. Every IdP and SP needs the metadata to operate correctly. Without it, an SP would not know how to encrypt messages sent to a given IdP, which server is responsible for that IdP, or which IdPs are available in the federation at all. The metadata is maintained by the federation operator, BELNET.
Another service BELNET runs to keep the federation working smoothly is the discovery service. When a user accesses a protected resource, the SP does not yet know which IdP the user belongs to, so the user has to select their own organisation from the list of available IdPs. This selection is made at the discovery service, also called a WAYF (Where Are You From?). A discovery service can be standalone and generic, or it can be integrated into a given SP; BELNET operates the standalone Discovery Service.
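To make concrete what the metadata gives an SP (the list of IdPs a WAYF can present, each IdP’s login endpoint and its encryption certificate), here is a small Python parser run over a constructed federation metadata document. This is an added example, not code from BELNET or Shibboleth; the entityIDs, hostnames and certificate text are placeholders.

```python
import xml.etree.ElementTree as ET  # production code: use defusedxml, metadata is untrusted XML
# Namespaces from the OASIS SAML 2.0 metadata and XML Signature specifications.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed federation metadata: two IdPs and one SP; all IDs, URLs and the cert are placeholders.
FEDERATION_METADATA = """<md:EntitiesDescriptor Name="urn:example:federation"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.university-a.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-BASE64-CERT-A</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.university-a.example/idp/SSO/Redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.college-b.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.college-b.example/idp/SSO/Redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.library.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_idps(metadata_xml):
    """Map each IdP entityID to its SSO endpoints (by binding) and encryption certificate.
    The federation operator signs the metadata; verify that signature before trusting this."""
    idps = {}
    for entity in ET.fromstring(metadata_xml).findall("md:EntityDescriptor", NS):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs share the document but are not login destinations
        cert = None
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use") in (None, "encryption"):  # no 'use' attribute means signing AND encryption
                cert = (kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or "").strip() or None
        idps[entity.get("entityID")] = {
            "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
            "encryption_cert": cert,
        }
    return idps

def sso_target(idps, entity_id):
    """Endpoint the SP redirects the user to once the WAYF reports their IdP; unknown IdPs raise KeyError."""
    return idps[entity_id]["sso"][REDIRECT]
```

The keys of the returned dictionary are exactly the organisations a discovery service would list; an entityID absent from the metadata is outside the federation and gets no redirect.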
Every IdP reveals some information about the user in the form of attributes. One’s name and date of birth are attributes, and so is one’s affiliation with the organisation. If a service provider only needs to know whether someone is a student at the university, then that is the only attribute the university’s IdP has to release.