1. Federation Lab and OpenID Connect
Andreas Åkre Solberg, UNINETT AS
Roland Hedberg, Univ. Umeå
NorduNet Conference, Oslo, Norway, September 2012
2. Federation Lab
✤ Identity toolkit for testing, validation and debugging of identity software.
✤ Automated testing tool for increasing interoperability between providers and consumers with SAML and OpenID Connect.
✤ A GÉANT project (GN3 JRA3T2) in collaboration with the Kantara Initiative and the OpenID community.
OpenID testing brings together:
Commercial (Kantara Initiative) <-> Research and HE (GÉANT)
Established (SAML) <-> Emerging (OpenID Connect, OIC)
Nordic collaboration (UNINETT and umu.se)
Involved in standardization
A very important reference implementation
3. Complex End-to-end Systems
Many implementations and many deployments: this is a good thing!
But varying interpretations of the spec, and sub-set implementations (done to avoid the really difficult parts), lead to interop issues.
Things stop working for end users.
Who is to blame? Who can fix it? A difficult question.
Things continue to not work. Unhappy users.
We MUST avoid this, but how?
4. What causes interop issues
✤ Flexibility: too many options, which leads to sub-set implementations.
✤ Deployment options
✤ Yet-to-be-discovered software bugs
✤ Unclear specifications
✤ Poor error handling
✤ Lack of feature negotiation, or only a limited language (metadata) for expressing supported features
5. Postel's Law
«Be strict in what you send,
but generous in what you receive»
(Postel's robustness principle, RFC 793, TCP, 1981; the RFC's own wording is "be conservative in what you do, be liberal in what you accept from others")
✤ Will this increase interop?
✤ Not necessarily: a generous receiver silently tolerates a sender's mistakes, so interop issues are less likely to be detected and may easily pass matrix testing.
6. Typical Matrix Testing
Test 4-5 products against each other.
Validate that it is possible to configure the products to work with each other.
Product is certified.
Does not really ensure interop in an actual deployment.
7. Profiling
By being very explicit about how to use the protocols, interoperability increases.
Example: saml2int (the interoperable SAML 2.0 deployment profile)
8. Automated Testing of SAML and OpenID Connect
This is what we did with Federation Lab.
An automated client simulates one entity while testing the other:
Consumer <-> Provider
It performs about 100 different test flows, and focuses on discovering things that go wrong rather than verifying that things may work.
Real-time testing with detailed feedback: test each provider and present the results for debugging.
10. Automated testing of SAML Service Providers performs approx. 80 test runs with various legal and illegal message flows to verify the behaviour of the software.
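The legal/illegal-flow idea from this slide, together with the Postel's-law caveat from slide 5, as an added worked example. This is illustrative Python written for this page, not Federation Lab's own test engine: a constructed OpenID Connect provider-side validator for authorization requests, and a small driver that replays legal and illegal requests against it and reports which flows the provider did not handle as the spec requires. The client registration, endpoint URL, flow names and parameter values are assumptions made for the example. With strict=True the validator rejects every illegal flow; with strict=False it models a "generous" receiver that tolerates a scope without openid, and the illegal-flow test is exactly what catches that, whereas matrix testing against a sender that always sends openid would never notice.

```python
"""Added, illustrative example (not Federation Lab code): an OIDC
authorization-request validator plus a driver that replays legal and
illegal flows against it. Client registration, endpoint and flow
parameters are constructed for the example."""
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed client registration and endpoint (assumptions, not from the page).
REGISTERED_CLIENTS = {"client-abc": {"redirect_uris": ["https://rp.example.org/cb"]}}
BASE = "https://op.example.org/authorize"
# Subset of response types this toy provider supports (constructed choice).
SUPPORTED_RESPONSE_TYPES = {"code", "id_token", "id_token token"}


@dataclass
class Outcome:
    accepted: bool
    error: str = ""            # OAuth 2.0 / OIDC error code, "" when accepted
    via_redirect: bool = True  # may the answer be sent back to redirect_uri?


def validate_authz_request(url: str, strict: bool = True) -> Outcome:
    """Validate an OIDC authorization request the way an OP should.
    strict=False models a Postel-style lenient receiver that tolerates a
    scope value without 'openid' instead of rejecting the request."""
    p = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    client = REGISTERED_CLIENTS.get(p.get("client_id", ""))
    # RFC 6749 4.1.2.1: unknown client or unregistered redirect_uri must be
    # reported locally, never by redirecting (that would be an open redirector).
    if client is None:
        return Outcome(False, "invalid_request", via_redirect=False)
    if p.get("redirect_uri") not in client["redirect_uris"]:
        return Outcome(False, "invalid_request", via_redirect=False)
    rt = p.get("response_type", "")
    if rt not in SUPPORTED_RESPONSE_TYPES:
        return Outcome(False, "unsupported_response_type")
    if "openid" not in p.get("scope", "").split():
        if strict:
            return Outcome(False, "invalid_scope")
        # lenient receiver: silently treat it as an OpenID request and carry on
    # OIDC Core: nonce is REQUIRED whenever an ID Token is returned from the
    # authorization endpoint (implicit flow).
    if "id_token" in rt.split() and not p.get("nonce"):
        return Outcome(False, "invalid_request")
    return Outcome(True)


# A well-formed code-flow request; the illegal flows each break one thing.
GOOD = {"response_type": "code", "client_id": "client-abc",
        "redirect_uri": "https://rp.example.org/cb",
        "scope": "openid profile", "state": "af0ifjsldkj"}

# (flow name, request parameters, outcome the spec requires)
FLOWS = [
    ("legal: code flow", GOOD, Outcome(True)),
    ("legal: implicit flow with nonce",
     {**GOOD, "response_type": "id_token", "nonce": "n-0S6_WzA2Mj"}, Outcome(True)),
    ("illegal: scope without openid", {**GOOD, "scope": "profile"},
     Outcome(False, "invalid_scope")),
    ("illegal: unregistered redirect_uri",
     {**GOOD, "redirect_uri": "https://attacker.example.net/cb"},
     Outcome(False, "invalid_request", via_redirect=False)),
    ("illegal: implicit flow without nonce", {**GOOD, "response_type": "id_token"},
     Outcome(False, "invalid_request")),
    ("illegal: unknown client_id", {**GOOD, "client_id": "nobody"},
     Outcome(False, "invalid_request", via_redirect=False)),
    ("illegal: unsupported response_type", {**GOOD, "response_type": "bogus"},
     Outcome(False, "unsupported_response_type")),
]


def run_flows(strict: bool = True) -> dict:
    """Replay every flow; True means the provider behaved as the spec requires."""
    results = {}
    for name, params, expected in FLOWS:
        url = BASE + "?" + urlencode(params)
        results[name] = validate_authz_request(url, strict=strict) == expected
    return results


def failing_flows(strict: bool = True) -> list:
    """Names of the flows on which the provider misbehaved."""
    return [name for name, ok in run_flows(strict).items() if not ok]


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "lenient", "provider fails:", failing_flows(mode))
```

The driver deliberately checks both the error code and whether the provider was willing to redirect: a provider that "generously" redirects an error to an unregistered redirect_uri passes a happy-path matrix test but is an open redirector in deployment, which is the kind of thing only an illegal-flow test surfaces.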
11. Automated testing of OpenID Connect Providers tests the providers, and involves an innovative engine for driving the human user interaction with login screens.