Posts filed under ‘SAML’

Authenticating the Queen’s subjects

I’m just back from attending eGovernment 2008 in Canberra. For me, the big draw was an opportunity to attend a three hour workshop focussed on the UK’s Government Gateway. I sure wasn’t disappointed- the insights into the Government Gateway were quite an eye opener.

Attending the conference also led me to reflect on how online authentication is working for the Queen’s subjects in the UK, Australia, and New Zealand. It’s quite fascinating how each of them reflect diverse approaches and are also very much a product of their times.

First, Australia. Still very PKI focussed, as in standard X.509 certs in the user’s computer. There are some good intentions from the federal policy body AGIMO (Australian Government Information Management Office) to move on to solutions that work for people (not computers) but the mindset of the average government official is definitely digital certs.

A good example of this focus is the success of VANguard. VANguard’s authentication service is probably best described as an authentication broker whose main function is to allow for interoperability of digital certs issued by various CAs. This is a good step so that businesses (it’s mostly business-focussed) can use the same digital cert with multiple RPs. It’s a back-end hub so that various front-ends and portals, such as bizgate in South Australia, can draw on its functionality. Still, it has all the limitations inherent in the old PKI designs.

It’ll be interesting to see how AGIMO’s proposed National e-Authentication Framework will differ from their existing AGAF (Australian Government e-Authentication Framework) which is separate for businesses and individuals.

Back to the UK’s Government Gateway. From the outside, so much of the focus has been on the UK’s plans for a national identity card that people, including me, can’t distinguish the good stuff they have done and are continuing to do in the online authentication space from the bad. Jim Purves, Head of Product Strategy in the Cabinet Office gave terrific insights into the chequered history of the Gateway as well as plans going forward.

The Gateway is very privacy-protective, very focussed on providing authentication and SSO for the UK Government’s online services. They are introducing SAML 2 soon but that also has the downside of continued support for all the current protocols. They’ve had some significant funding challenges in the past but now have “strategic investors” from within government so the future is bright. Trust and confidence in the Gateway is at an all-time high.

Purely speculative on my part but I think they’ve got a big cloud on the horizon- when the national identity card folks come calling. That could potentially lead to a fundamental change in approach. That’s the unfortunate steamrolling impact of the national identity card. Also interesting how they handle pan-European interoperability but, with a strong Liberty Alliance foundation, I imagine they are well placed to handle that.

So, how does NZ stack up? The proper comparison is with the GLS or Government Logon Service (which will be re-branded igovt later this year). There’s no doubt that the GLS is the most privacy-protective of the lot and has all the right moving bits.

Once the IVS or Identity Verification Service and then GOAAMS or Government Online Attribute Assertion Meta System is added to igovt, then it’s a whole new ballgame for NZ.

But, there is clearly one area that the GLS should look at- adding a web services (ID-WSF) capability in addition to the current browser re-direct (ID-FF). That will provide many new opportunities off the same infrastructure, such as acting as an authenticating receiver for XML messages. The UK’s Government Gateway currently does that for all electronic tax filings direct from standard tax and accounting packages.

All in all, interesting times and much thinking…


July 2, 2008 at 11:45 pm 1 comment

Worth keeping an eye on…

… how the Identity Governance Framework (IGF) continues to evolve. There’s a recent Liberty webcast by Phil Hunt of Oracle New Standards to Protect Privacy Through Governing Policy to get a good feel for the state of play.

… how CardSpace and U-Prove integration pans out. Paul’s conjectured integration is food for thought. So is the comment to his post by Christian Paquin (now part of Microsoft’s Identity and Access Group) that”One design goal (at least, for me) will be to minimize the integration changes for all participants involved in the data flow.”

… how identity-based encryption continues to progress. Interesting article in The Register about a research paper released at the Eurocrypt 2008 conference describing a new cryptographically strong “primitive” that advances functional encryption. Functional encryption tries to simplify things over PKI by allowing data to be encrypted using attributes directly tied to the recipients.

… the fascinating discussions at Liberty’s Privacy Summit. An interesting recent presentation by Sun’s Robin Wilton is a good example which gives a good overview of the ‘Ladder’, ‘Onion’ and ‘Silo’ models.

April 24, 2008 at 9:40 pm 3 comments

Thank you Mahalo

If you’re like me and come across an article or news item about search engines, you quickly skip to the next thing. After all, Google’s already got that sorted, right? Why worry about two-bit wannabes?

So, when I came across a blog post in TechRepublic called Sanity check: Can Mahalo save us from Google, Digg, and Wikipedia? I smiled at what was obviously a provocative title (that’s polite for “cheap trick”) and started moving on. But… the post kept getting more and more interesting; blogger Jason Hiner kept getting more and more persuasive.

His basic point is that Google is great for problem solving but not that hot for information gathering.

Intrigued, the next step was to check out Mahalo (“thank you” in Hawaiian), a human search engine in beta from the controversial Jason Calacanis. Mahalo’s “goal is to hand-write and maintain the top 50,000 search terms.”

Jason Hiner had based his article on doing a search for “WiMAX” across Google, Wikipedia, and Mahalo. I did the same by first searching for OpenID and immediately saw his point.

Right at the top it says “Also try: Yahoo OpenID” and then gave seven links that were spot on. It also had well laid out Guide Note, News, Criticisms, Blogs and Commentaries, Related Searches, and User Recommended Links.

Good stuff for people in information gathering mode.

Contrast that with the Google search for OpenID which suddenly started looking to be a bit of a scattergun result.

What Mahalo is trying to do is of course not unique. Ask tried and failed to scale the model. Yahoo! Answers is another approach to human-assisted search services while Google’s Knol is yet another twist.

It is still early days for Mahalo but I think it’s worth keeping an eye on. Even if the search term you are looking for isn’t one that Mahalo’s editors have covered, such as SAML, it caters for the long tail by displaying results from Google with tabs for other search engines, YouTube,, etc.

Anyone surprised that OpenID is covered but not SAML or Liberty Alliance?

February 19, 2008 at 11:42 pm 2 comments

NZ: CardSpace – SAML interop

One of the two new projects that the Microsoft New Zealand Innovation Centre is funding involves integration of Windows CardSpace with SAML 2.0.

The project is to make the Authentication Programme’s all-of-government shared services, called “igovt”, accessible via CardSpace. According to Microsoft, “this technology will enable users to safely provide their digital identity to online services.”

Working on the project will be Microsoft’s Mark Rees together with Kiwi IT firm Datacom over the next four months. Igovt is based on SAML and the Microsoft-funded project will go some way in implementing CardSpace-SAML interoperability.

CardSpace and igovt make a great combination.

CardSpace provides an intuitive and natural user interface for people to manage their identity and authentication to online services. As CardSpace (and other identity selectors) progress towards the tipping point and CardSpace itself gets refined, a new paradigm for accessing secure online services is brewing.

On the other hand, igovt provides people with the option to verify their identity to NZ government agencies, online and in real-time, to a high level of confidence. In addition, igovt lets people use a single logon (password, token, etc.) to access all online government services. All of this with the highest levels of privacy protection.

When people verify their identity, one of the core design principles of igovt is for people to fully understand and view what identity information is being sent to the agency (Service Provider). In addition, active consent is a critical element of privacy protection. Currently this requires a browser re-direct to the igovt website, something that CardSpace will admirably eliminate, without any reduction in user control or privacy protection.

December 3, 2007 at 10:02 pm Leave a comment

Concordia & interoperability

I was looking at the meeting notes from the Concordia workshop held last month in conjunction with Digital ID World. It’s clear that the project is gathering momentum.

The areas that were identified as A-priority tasks represent some major issues facing deployers and are worth listing (details are available in the meeting notes):

  • WS-Federation/SAML
  • Infocards/SAML
  • IdP discovery
  • WS-Federation/SAML metadata lessons
  • WS-Federation/SAML metadata distribution and lifecycle
  • Interop endpoints

Already there has been some progress in the telecon of 9 October. So, for people interested in interoperability issues, it’s worth keeping an eye on the work.

A colleague presented a use case at the September workshop covering the work being done in New Zealand. One of the interesting things, from my perspective, was to see how the roadmap has evolved to cover a wider range of identity attributes with parallel increase in use of the Liberty Alliance specs.

I thought the final slide was interesting as it examines the case for convergence over interoperability. Both Concordia and the industry in general has settled for interoperability but my colleague made some excellent points why the goal of convergence still remains important to deployers:

  • “Interoperability solves a business problem today, but…
    – Ongoing fight against divergence
    – Requires Interop elements (explicit or implicit)
    – Creates future work to manage
    – Difficult to manage across organisational boundaries
  • Convergence prevents business problems tomorrow…
    – Simplicity”

Having said that, it’s probably fair to say that out-of-the-box interoperability between identity protocols is a difficult enough (but worthy) immediate objective.

October 18, 2007 at 8:47 pm Leave a comment

Liberty Alliance: NZ case study

Liberty Alliance has just published a case study called New Zealand Sets the Pace for SAML 2.0 Deployments (pdf, 249 KB). It represents a lot of effort put in by my colleagues and Liberty- well done guys!

The Case Study is quite comprehensive and contains updated information about the work that the New Zealand Government is doing in the area of identity management and authentication. It also highlights the natural synergy between organisations deploying user-centric federated identity management systems and Liberty.

In my first post to this blog, I had mentioned “User-centric Information Sharing: A key enabler to transform government” as an area of interest in NZ going forward. The Case Study has some more information related to this in the section called Developing the Notion of Attribute Authorities.

September 14, 2007 at 8:51 pm Leave a comment

Austrian ID system

There are many things to like about Austria’s national identity system. A good overview is the presentation given at Liberty Alliance’s eGovernment Workshop held in Brussels earlier this year.

First, the absence of an external national unique identifier. Every person gets assigned a unique personal identification number (Source-PIN) that is under his/her own control. Each governmental sector is provided its own specific identifier for that person (Sector Specific PIN) which is derived from the Source-PIN using a one-way cryptographic function.

Secondly, their Citizen Card is more of a concept in that it can be issued in a variety of smartcard form factors, for example a Bank Card or Health Card or even a mobile phone.

The Citizen Card contains both limited personal information (first name, last name, date of birth, Source-PIN) as well as the person’s public key information. The card can therefore be used for both authentication and electronic signatures.

Thirdly, their system is based on open standards, specifically SAML (v1.0 Browser Artifact Profile with plans to go to v2.0).

Finally, the system meets the test that Identity 2.0 experts love. These experts argue that the issuer of the identity credential (government) should not know where the person chooses to establish his/her identity. So, if a person goes to a video/DVD rental store and uses the Citizen Card to prove his/her identity, government has no business in knowing or tracking that. The Austrian system passes that test.

Ironically, in my personal opinion, it is also its major weakness. This is one area that I differ from the Identity 2.0 experts.

As a national identification system, I believe there needs to be a way for government to inform places where an identification credential is used in the event of proven identity fraud. It is not enough to stop future use of a fraudulent identity (say by means of a revocation list in the PKI infrastructure) but an ability to proactively unwind transactions based on that fraudulent identity.

There seem to be a few more minor issues but they are comparatively minor. The first is that all the person’s attributes (first name, last name, and date of birth) are available to everyone to whom identity is proven. Notwithstanding the fact that there is a very small amount of personal information on the Card, there are cases where even these attributes are not required and therefore should not be given. For example, to buy alcohol and prove the person is 18+.

Secondly, it is not clear how the person’s attributes stored on the Card can be easily changed or updated, e.g. in case of a change of name or administrative error.

Finally, as with all smartcards used for online authentication, the need for smartcard readers to access the digital certificate. However, it may be that widespread availability of smartcard readers (one for every computer) is not a problem in Austria.

Overall, there are many, many positive things about Austria’s national identity system that other countries can learn from.

August 16, 2007 at 9:21 pm 5 comments

This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.

Follow me on twitter