maarten koopmans surfnet, [email protected] oasis adoption forum 2006

Real Life Solution, Real Life Problems: A-Select, An Open Source Federated Identity Management

Solution

An Identity 1.0 story

Maarten KoopmansSURFnet, [email protected]

OASIS Adoption forum 2006

mailto:[email protected]

High-quality Internet for higher education and research

In the beginning…

Well, the 90’s: a chip card for higher education.

It failed miserably.

http://images.google.co.uk/imgres?imgurl=http://www.physorg.com/newman/gfx/news/card-chip.jpg&imgrefurl=http://www.physorg.com/preview153.html&h=210&w=170&sz=7&hl=en&start=3&tbnid=xy6fjuUuxgt4hM:&tbnh=106&tbnw=86&prev=/images%3Fq%3Dchip%2Bcard%26svnum%3D10%26hl%3Den%26lr%3D%26sa%3DN


… (2)

Tests with mobile phones and e-banking (token based in NL).

Piggybacking in 2001-2.

http://www.nokia.nl/nl/telefoons/modellen/6288/index.html


Authentication middleware, 2002

Authentication middleware that could act as a switch between multiple authentication methods and added SSO as a bonus.


A-Select 1.0 Q4-2002

First lesson: choose your project name carefully! Authentication selection.

We’ll just call it A-Select “for now”.


1.0 features

• SSO• Multiple authentication methods• Simple “Cross” mode, full identity shared between

domains

3 universities, 30.000 users.

They liked it. We invested.


A-Select in 2002


A-Select in 2002 (2)


The marketing dilemma

How do you get the other universities to use this?

Encourage usage outside and within higher-ed


The question then becomes:

Why don’t you use it?


2002-3: versions 1.1 – 1.3

• Logging• APIs and protocol improvements• Better user database support • More AuthSPs


A-Select in 2003


2003: Build a community

• E-government chose A-Select, as did the public libraries

• System integrators

• More universities.

Some 100.000 users in NL


2004: Strengthen the community• e-government becomes DigiD, keep them on board• Work together with libraries• Add features:

– fail over– more application integration components

Open standards are becoming very important with Shibboleth and SAML, especially for higher education


2004: A-Select diffusion

Encourage usage via diffusion program: target 100,000 users by the end of 2006.

Result: >> 200,000 users in higher ed and more are coming!

Activities:• Documentation• Integration components• On site support• Project consultancy


2005: Towards a Federation

Release 1.4.1: integrating a lot of contributions from the community, massive clean-up of the codebase

Release 1.4.2: Adding a simple yet flexible authorization engine and attribute acquisition (using, CGI, SOAP, LDAP)


A-Select in 2005


2005: Digid more and more visible

First cities are using Digid as an A-Select based IdP

First tests with online tax forms with Digid as IdP

http://www.digid.nl/


2006: Federation for real

Release 1.5: adds SAML 1.1 with Shibboleth profiles. A-Select can act as IdP for Shib-protected resources.

From 2007 onwards Digid mandatory for online tax forms

Millions of users.

http://www.digid.nl/


Federation in 2006

users identities central federation components resources

(SAML)

SAML


Winding down

• Apache style licensed• 98% Java based code• > 5 authN Methods• Healthy market and community• millions of users• Incremental growth has paid of: from authN to

federation middleware• Open source is a viable model for “NL as a company”


What’s next

• 1.6• WS-* support• SAML 2.0 support• A-Select starter kit (with Linux, reverse

proxy, ...)


Expanding internationally

Open standards important for collaboration!

Thank you, OASIS!


Questions / discussion

[email protected]

maarten koopmans surfnet, [email protected] oasis adoption forum 2006

Documents