Interfedoperation: Interoperating WS-Federation. Jens Jensen, RAL. OGF31/Taipei

Page 1: Interfedoperation Interoperating WS-Federation Jens Jensen, RAL OGF31/Taipei

Interfedoperation

Interoperating WS-Federation
Jens Jensen, RAL
OGF31/Taipei

Page 2

What it is

• WS-Federation: OASIS standard
• Version 1.2 (May 2009)
• Two modes
  – “normal” mode – SOAP
  – Passive mode – web
• So federating access rather than federation

Page 3

Page 4

Protocol Summary

• Bring together IdPs and SPs
• Similar to Shib, but looser federation
• More flexible in some ways
  – E.g. redirects to other IdPs
  – Metadata discovery
  – Establishing trust between trust domains

Page 5

Basic Operation

Page 6

Page 7

“Federation” – metadata discovery

Page 8

Objective – Plan A

• STS in Azure
• IdP running inside Azure
  – (could have been Pistoia customer)
• SP running at RAL
  – Needed OS SP for Apache
  – Using pingidentity for Apache

Page 9

Result

• It didn’t work, went on to Plan B
• We made it better, but not working
  – Ran out of time/funding
  – Could pick up again later
  – Made squillions of lab notes (mostly paper)

Page 10

Specifics

• Open Source client not maintained
  – Using old namespaces
  – Written for Apache 2.0 (should work for 2.2)
  – Needed some work to build (done partly outside the Apache build framework)
  – Not RFC2616 compliant (HTTP/1.1)
• Redirects failed
  – Expected different SAML content

Page 11

Specifics

• The STS SAML not 100% matching WSFED1.2 SAML
  – But this was relatively easy to fix
  – SAML fairly stretchy
• Debugging redirects took time
  – Server said “error occurred” but not what – probably a security feature
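The two Specifics slides describe an SP client built against old namespaces meeting an STS whose SAML did not quite match WS-Federation 1.2. A small inspection script over the posted wresult catches that class of mismatch before a full SP is debugged blind. This is an added example, not code from the talk or from either implementation it mentions; it assumes a passive-mode response whose wresult is a WS-Trust 1.3 RequestSecurityTokenResponseCollection carrying a SAML 1.1 assertion, uses the real namespace URIs, and runs against a constructed sample.

```python
import xml.etree.ElementTree as ET

# Real namespace URIs. WS-Federation 1.2 is built on WS-Trust 1.3; the 2005/02
# URI is the earlier WS-Trust draft that older SP code tends to have hard-coded.
WS_TRUST_13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WS_TRUST_2005 = "http://schemas.xmlsoap.org/ws/2005/02/trust"
SAML_11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML_20 = "urn:oasis:names:tc:SAML:2.0:assertion"

def split_tag(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def inspect_wresult(wresult_xml, expected_trust_ns=WS_TRUST_13):
    """Report what an SP finds in the posted wresult and why its parser might reject it."""
    root = ET.fromstring(wresult_xml)
    trust_ns, local = split_tag(root.tag)
    report = {"trust_ns": trust_ns, "root": local, "token_ns": None, "problems": []}
    if local not in ("RequestSecurityTokenResponseCollection", "RequestSecurityTokenResponse"):
        report["problems"].append(f"unexpected root element {local}")
    if trust_ns != expected_trust_ns:
        report["problems"].append(f"trust namespace {trust_ns} != expected {expected_trust_ns}")
    # The issued token sits under RequestedSecurityToken; the Assertion's own
    # namespace tells us which SAML version the STS actually emitted.
    for rst in root.iter(f"{{{trust_ns}}}RequestedSecurityToken"):
        for child in rst:
            ns, name = split_tag(child.tag)
            if name == "Assertion":
                report["token_ns"] = ns
    if report["token_ns"] is None:
        report["problems"].append("no SAML Assertion inside RequestedSecurityToken")
    elif report["token_ns"] not in (SAML_11, SAML_20):
        report["problems"].append(f"unknown token namespace {report['token_ns']}")
    return report

# Constructed sample (not a captured response): a WS-Trust 1.3 collection
# carrying a stub SAML 1.1 assertion; signature and conditions are omitted.
SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponseCollection xmlns:t="{WS_TRUST_13}">
  <t:RequestSecurityTokenResponse>
    <t:RequestedSecurityToken>
      <saml:Assertion xmlns:saml="{SAML_11}" AssertionID="_constructed-1" Issuer="urn:constructed:sts"/>
    </t:RequestedSecurityToken>
  </t:RequestSecurityTokenResponse>
</t:RequestSecurityTokenResponseCollection>"""

if __name__ == "__main__":
    # An SP compiled against the 2005/02 draft rejects this otherwise valid response.
    print(inspect_wresult(SAMPLE_WRESULT, expected_trust_ns=WS_TRUST_2005)["problems"])
```

Pointing the script at a real STS response (with the SP's own expected namespace) gives the namespace and token-version mismatch in one line instead of the bare “error occurred” the slides describe.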

Page 12

Lessons Learned – no surprise

• Need both Java and C (or C++) implementations
• Interoperating, mature, maintained
• Test suite needs publishing
  – As part of OS code

Page 13

Debugging

• Only possible with source code
  – Documented (and non-obfuscated)
  – Compilable
• Work orthogonal to hosting environment

Page 14

Debugging

• Inspecting over SSL sockets nearly impossible
  – Which is a feature
• Debug at client or server
  – Browser plugins – e.g. TamperData for Moz

Page 15

Whither then?

• Made good progress, could pick up again
  – Contribute back upstream?
• Other OS SPs available (untested)
  – GENESIS II, but in Java
• Needs interest in community to thrive