Announcing New Sparkling SAML 2.0 Debugger

I’ve rewritten the old web-based SAML 2.0 debugger, which decodes the various SAML bindings to make debugging SAML messages easier.

I hope you like it.

This tool is part of the Federation Lab suite of test, validation and debugging tools for Identity protocols, such as SAML and OpenID Connect. Please contact me about any problems or bugs with the tool.

You may also be interested in the SAML-tracer Firefox Plugin.

Announcing online JWT Debugger tool

JSON Web Token (JWT) is a really nice IETF spec for encoding, signing and encrypting a set of claims using JSON. JWT is a standalone spec that is already used in several places, but it is also an essential part of the emerging OpenID Connect.

Today I’m announcing an online JWT debugger tool that allows you to decode and encode JWTs. This tool is part of the Federation Lab test and debugging suite for identity protocols. The Federation Lab also contains testing tools for OpenID Connect and SAML.

This is considered a beta version, and I’ve not quality-controlled the output. The tool is also currently limited to the HS256 algorithm, but if people like the tool we may add more algorithms. Please give feedback if the tool does not work as expected or you have feature requests.
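As an added example (not the debugger’s own code), here is the HS256 encode, decode and verify logic such a tool performs, written in Python; the key and claims are constructed, and the verifier pins the algorithm to HS256 so a token whose header claims some other alg is rejected instead of checked:

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the JWT encoding strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode_hs256(claims: dict, key: bytes) -> str:
    """Encode a claims set and sign it with HMAC-SHA256 (the 'HS256' alg)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwt_inspect(token: str) -> tuple:
    """Decode header and claims WITHOUT verifying; this is what a debugger displays."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def jwt_verify_hs256(token: str, key: bytes) -> dict:
    """Verify the signature and return the claims; only HS256 is accepted."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: trusting 'alg' from the token would let a token signed
    # with a different (or no) algorithm through, so anything but HS256 is rejected.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg %r; only HS256 is accepted" % header.get("alg"))
    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(claims_b64))
```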

Federated OAuth 2.0 SAML VOOT Chat Proof of Concept

Today I’m demoing a proof of concept chat service making use of federated login and cross-federated group exchange with the VOOT protocol. The chat application is written in JavaScript and uses HTML5 WebSockets for real-time communication. The server side is running on Node.js.

The JavaScript client uses the OAuth 2.0 implicit grant with the JSO library we recently released. The user access token is requested with a specific scope for access to groups. The access token is cached in localStorage and sent to the chat server in the first registration message. The VOOT provider is built on a new PHP OAuth 2.0 library we have not released yet. It supports MongoDB and MySQL for storage.

This is only a simple demo of what cross-federated real-time collaboration software can be like. Next steps could be adding WebRTC video or audio, file sharing, slide sharing, etc.

See also:

OpenID Connect Test Facility Preview Available

We’re happy to announce that today we’re making a technology preview of the OpenID Connect Test Facility publicly available.

Start right away to test your OpenID Connect Provider:

This is an early preview of a pretty complex set of software, so we’re asking you to be patient, and please report to us any issues. You can do that by posting to our github issue tracker or email me directly.

This test facility has been made possible by Roland Hedberg and myself, as an effort within the GÉANT Identity Federation project in collaboration with the Kantara Initiative and the OpenID community.

Here is a video demo of how it all works:

Identity Federations Status Report – January 2012

GÉANT Identity Federations currently have a lot of ongoing activities. Here is a summary of what we are working on, and the current status.

Federation Lab › Test Federation

Goal:

Allow new SPs and IdPs to easily connect to a set of available entities, with no contract necessary. Self-maintained.

Activity expected to be done April 2012.

Miro: Nothing to update.

Federation Lab › Monitoring and statistics

Miro: As I promised we’ve done preparations for using f-ticks with SSP in production in our federation. I’ll be able to report on that next month.

Federation Lab › SAMLtracer

A significant patch was received from Mark Dubrovnic. Some of the patches have been incorporated, some are left, including UI updates and support for import/export.

Some planned features: Notifications of SAML artifacts, support for IdP Discovery protocol.

Federation Lab › OpenID Connect

We’re making progress. In February we’ll be able to connect the front-end test run UI with the backend test tool and present visible results.

There is an interop event in San Francisco, then a new OpenID Connect meeting in Paris next to the IETF. Roland is attending the IETF and Kantara meetings; Andreas might as well. We will have some demo available before that.

The backend test tool is able to produce test results for the initial simple test cases; it has been tested against several OpenID Connect Provider implementations.

We’re planning on preparing a test facility for OAuth 2.0 in addition to OpenID Connect. That tool might be very useful for the VOOT work.

RedIRIS will perform an implementation of OpenID Connect that will be coordinated with the test facility. RedIRIS already has experience and a library for OAuth 2.0, and will make use of that. They will also make a simpleSAMLphp module to make it very easy to enable OpenID Connect support in an existing IdP or SP running SSP.

VOOT

Leif: Setup http://openvoot.org and prepared a drafted IETF templated spec.

Foodle: no updates.

UNINETT has implemented OAuth 2.0 and tested against Leif’s implementation. Some problems, but we made it work. OAuth 2.0 support will be integrated into Foodle this spring.

SurfNet: Ready to exchange OAuth keys with Foodle, and ready to also consume groups from Foodle as a client. Will implement OAuth 2.0 in the second half of 2012.

Renater: Has already completed a Sympa VOOT implementation based on OAuth 1.0. The OAuth 1.0 based implementation is made publicly available. Prepared to test against Foodle and SurfNet. Working on OAuth 2.0, expected to be ready March 2012.

SAML2int

The SAML2int profile is being transferred to Kantara Initiative: Federation Interoperability WG.

Scot will apply some minimal changes contributed by Ian Young.

Federated Provisioning

Mads Freek has been hired by WAYF to work on – mostly – Stinus.

Stinus is the ‘Federated provisioning and de-provisioning’ project originally proposed by WAYF, SURFnet & JANET as per the enclosed pdf.

A description – one month old – of the architecture is available here: http://code.google.com/p/stinus/wiki/StinusOverview?show=content

I expect to have a pre-PoC up and running in week 6 and expect to update the description to reflect some recent changes – mostly the use of Gearman both inside the core and as the protocol between Stinus components.

Working prototype within 2 weeks.

WAYF will ensure compatibility with connectors used from the Sun provisioning framework, which are also used in the Netherlands. WAYF and SurfNet are in dialogue.

Remco has already done some work on Federated Provisioning and will also do much work in the year to come, but it will be funded by another project. Remco will share a deliverable related to the work on the mailing list.

DiscoJuice

No updates.

Moonshot

The technology is settling down and the spec is more mature.

Most activity on supporting customers on piloting activities.

Piloting activities around these areas:

  1. Classic e-Science facilities: SSH access, visitors with physical access to a console.
  2. UK National Grid Services.
  3. Cancer Research UK: for Microsoft Exchange, file sharing, etc. Large organization, divided into 5 institutes.
  4. UK National Health Service. Interested in starting piloting.

Likely the most important initial use case: federated login to regular desktops (between different, unrelated MS Active Directory domains), not just applications.

Other topics

  • Hot topic: GÉANT 3+
  • Convention in Madrid for activity leaders, 27th February.
    • Training on the GN3+ methodology.

Next meeting in the beginning of March

VOOT in real life – Federated Groups Proof of Concept

VOOT is a protocol for federated collaboration groups. It allows one service, such as Foodle, to make use of groups of people from remote group providers, such as SURFnet’s SURFconext.

VOOT is a minimal subset of the group related features of the OpenSocial REST API.

VOOT is hereby proven to work in real life: Foodle is now connected with SURFconext, and here is a walkthrough of how it all works.

Foodle has a concept of groups; each group has a separate overview page listing all Foodles associated with the group, but also calendar availability for the group participants, a list of the participants and file sharing. A group page looks like this:

All users of Foodle may set up and manage their own groups. Here is what the group administration looks like:

This has all been part of the stable Foodle release running on foodl.org for quite some time.

Remote group providers

What is new is that instead of managing the groups within Foodle, you may now hook up to remote group providers using VOOT.

Here is the UI for that:

When connecting to SURFconext, we’re sent to the SURFconext platform and authenticated over there as well; Single Sign-On keeps this user experience tolerable. We then need to consent, at SURFconext, that Foodle may from now on access our group memberships – this is a one-time consent operation.

That’s it. Now we’re connected.

Behind the scenes, Foodle now has a cached access token associated with your federated user account. It can keep track of a bunch of access tokens, one for each of the configured remote group providers that you have connected to.

We head over to SURFteams to manage some groups, and set up a new group, GEANT VO team.

Notice that this is a group of people from more than one federation! GÉANT eduGAIN to the rescue.

We head back to the Foodle front page.

Yay! GEANT VO team, a group that is hosted remotely, shows up along with all the other local groups! The group is not provisioned to Foodle in some batch operation (as you may be used to hearing about from other projects). Foodle does live queries against SURFconext, keeping no local shadow object, only a direct reference to SURFconext.

And, now let’s see what we can use that group for. First, let’s head over to the group page:

The member list is retrieved from SURFconext with Display Names and email addresses. Foodles may be associated with this remote group, and file sharing is aware of remote groups as well.

When creating new Foodles you may choose to add that Foodle to a group page, and as you see, remote groups are listed together with the local ones:

Aggregated FreeBusy Across Domains. Check.

These days we’re working on a cross-domain group protocol, currently under the nickname VOOT.

Foodle is one of the showcase applications for cross-domain groups, and we’re adding a few group-related features to Foodle to show how cross-domain groups can be useful.

I’ve also spent some time working on calendaring; scheduling is obviously one of the core features of Foodle, so we added an aggregated freebusy view for cross-domain groups.

Here it is:

The screenshot above shows a group (eduGAIN) that can be accessed in any application supporting VOOT, and the view shows freebusy information for people from 6 different organisations, each with its own calendar system.

The default resolution looks for 1-hour time slots of availability, but this can be set by the user. Here is a view where we look for 5 hours of consecutive availability:
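As an added illustration of the aggregation step (not Foodle’s own code), here is the computation in Python: the busy intervals gathered from every member’s feed are unioned, and the gaps of at least the requested length (1 hour by default, 5 hours in the view above) are the group’s free windows. The member feeds are constructed sample data, assumed already normalised to one time zone.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Interval = Tuple[datetime, datetime]


def _t(hour: int, minute: int = 0) -> datetime:
    """A time on a constructed demo day."""
    return datetime(2012, 1, 30, hour, minute)


# Constructed sample: busy intervals as if pulled from each member's feed,
# already converted to one time zone (feeds from different calendar systems
# rarely agree on that by themselves).
SAMPLE_BUSY: Dict[str, List[Interval]] = {
    "alice@org-a.example": [(_t(9), _t(10))],
    "bob@org-b.example": [(_t(9, 30), _t(11))],  # overlaps alice's meeting
    "carol@org-c.example": [],                    # free all day
}


def merge_busy(busy_by_member: Dict[str, List[Interval]]) -> List[Interval]:
    """Union of everyone's busy time, with overlapping intervals collapsed."""
    merged: List[Interval] = []
    for start, end in sorted(iv for ivs in busy_by_member.values() for iv in ivs):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def group_free_windows(busy_by_member: Dict[str, List[Interval]],
                       day_start: datetime, day_end: datetime,
                       min_hours: float = 1) -> List[Interval]:
    """Windows in [day_start, day_end) where every member is free for at
    least min_hours consecutive hours (1 hour is the default resolution)."""
    need = timedelta(hours=min_hours)
    windows: List[Interval] = []
    cursor = day_start
    for start, end in merge_busy(busy_by_member):
        if start >= day_end:
            break
        if start - cursor >= need:
            windows.append((cursor, start))
        cursor = max(cursor, end)  # busy time before day_start only moves the cursor
    if day_end - cursor >= need:
        windows.append((cursor, day_end))
    return windows
```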

In the group management view, we’ve included a freebusy icon showing the current freebusy status of the group participants. Here it is for the UNINETT group (automatically populated based upon attributes from the federation):

Freebusy feed information has mostly been autoconfigured based on a per-organisation template system – the intention is that the user should not really have to deal with that.

That said, the user may very well set up his/her own calendar feeds – people often have private and custom calendars.