SourceID：SAML与ID-FF标准的实现

这两天浏览了一下SourceID这个开源的Identity Management项目，看了一些关于SAML和ID-FF的文章，比期待的有点差距，有些失望，这里稍微总结一下。

1.  开放标准 SAML，Liberty 和 WS-Federation 介绍

众所周知，在同一安全域中，单点登录（SSO）可以通过在用户浏览器的Cookie中写入用户身份信息实现，但在跨域的环境中，Cookie机制将会失效，此时如何实现用户身份信息的共享呢？以下的这些标准正是为了解决这个问题而提出和不断完善的。

SAML 1.0
The Security Assertion Markup Language is an extensible language for securely exchanging user information between security domains. SAML defines a security token format (called an assertion), as well as ‘profiles’ that define methods of using these assertions to provide web single sign-on. In addition, SAML defines a SOAP protocol through which assertions may be served. SAML defines three types of assertions – Authentication, Attribute, ant Authorization.

SAML 1.1
This specification mainly incorporates feedback and errata from the SAML 1.0 specification.

SAML 2.0
SAML 2.0 is currently in the requirements definition phase, and the exact scope is not clear. The SAML technical committee plans to add support for many of the things in Liberty’s ID-FF 1.2. This specification is still in early stages, but is expected to incorporate a significant portion of Liberty Phase 2/ IDFF 1.2.

Liberty Phase 1 (IDFF 1.0)
Liberty Phase 1 extends SAML 1.0 by adding its own profiles for how to wield SAML assertions. These additional profiles add support for account federation, identity provider introduction,pseudonym identity mapping and global logout. The Liberty Alliance model defines roles within a federation – an Identity Provider (IDP) and a Service Provider (SP).

Liberty Phase 1 (ID-FF 1.1)
This specification mainly incorporates feedback and errata from the ID-FF 1.0 specification.

Liberty Phase 2 (ID-FF 1.2)
This set of standards extends ID-FF with new functionality, such as one-time assertions of identity (for anonymity), affiliate relationships, and mechanisms for sites to talk about employees and customers (via SAML assertions).

Liberty Phase 2 (ID-WSF 1.0)
This set of standards extends the existing Liberty framework with functionality for discovering and offering identity-relates services. Profile access mechanisms are specified as an initial service, allowing for access to user attributes. Liberty Phase 2 defines many of its messages and protocol bindings in terms of SAML 1.1, and uses WS-Security for securing SOAP messages.

Liberty Phase 3
This set of standards are still in the elaboration stage, but it is expected that ID-WSF will be extended with new services built on top of attribute exchange, such as a digital wallet and calendaring/address book services.

WS-Security
This specification defines mechanisms for providing security token-based integrity and confidentiality on Web Service (SOAP) messages. Several security tokens are defined, as well as a mechanism for associating them with messages.

WS-Security Extensions (WS-Trust, WS-Policy, WS-Federation)
This collection of specifications is an evolving set of Web Service-oriented mechanisms for layering authentication, authorization, and policy across both a single and multiple security domains. WS-Federation defines a framework for federation. Profiles will be developed subsequently to specify the details for implementation.

2. SourceID开源项目介绍

SourceID is an open source project for enabling identity federation and crossboundary security. SourceID focuses on ease of integration and deployment within existing Web applications, products, or services. In addition, SourceID provides a high level of developer functionality and customization and is designed to shield the integrator and enterprise from needing to understand the complexities of Federation, or the rapidly evolving federation standards.

目前该项目为用户免费提供了SAML 1.0 和1.1，ID-FF 1.1 和1.2 的Java开发工具包（Toolkit），以及SAML 1.0 和1.1，ID-FF 1.1的.Net 开发工具包。但服务器端的Federation Server - PingFederate  则是只能下载试用，这点太令人遗憾了。