Wednesday, 31 October 2007
PingFederate as an Identity Router
I was over in Barcelona recently and met with Hans Zandbelt (hans.zandbelt@surfnet.nl) and Jaap Kuipers (jaap.kuipers@surfnet.nl). Both of these gentlemen work for SURFnet, the national research and education network in The Netherlands.
Hans and Jaap have built an interesting business by connecting many of the identity providers and service providers in the Dutch higher education and research area. Most interestingly however, I discovered that they were able to take PingFederate (out-of-the-box), and with only a few small additions, turn it into a full-fledged identity router (identity gateway) with on-the-fly protocol translation. Below I've documented a bit of what they did.
SURFfederation (http://federatie.surfnet.nl)
- SURFfederation is made up of a community of identity providers and service providers in the Dutch higher education and research area who have all agreed to the same federation policy, together with the distributed infrastructure that connects them
- IdPs are SURFnet customer institutions (universities, high schools, research institutes, other non-profit governmental organizations)
- SPs are content providers, mostly in the educational area (Elsevier, EBSCO, SURFdiensten, but also the institutes themselves)
- To connect IdPs with SPs, SURFnet offers a centralized federation hub capable of translating (on-the-fly) between multiple federation protocols such as SAML 2 and WS-Federation
- Both IDPs and SPs hook up to the central federation gateway using the federated IdM product and protocol of their choice
History
- Many institutions in the Dutch educational sector have, until recently, used an open source server called "A-Select" for web-based SSO. Think of A-Select as similar to Shibboleth, except that it doesn't use SAML, opting instead for its own proprietary protocol (A-Select-Cross)
- A-Select educational market penetration = ~10%
- A-Select can act as a federation gateway between A-Select-cross IdPs/SPs and Shibboleth SPs
- ID-FF/SAML 1-2/WS-Fed extensions to A-Select as a gateway have been foreseen but are hard to realize (difficult specs, no certification, no compliance testing) and hard to keep up to date
Use Case
- All interactions are for SP initiated SSO (SP list at the IDP does not fit the centralized model that we want to support)
- Both IdPs and SPs connect to a central federation hub that deals with subscriptions, policies and the different federated IdM protocols and products
- IdP Discovery is resolved by having a list of IdPs displayed at login at all SPs.
- No fancy protocol features are deployed, only authentication and attribute exchange! (the lowest common denominator between all IdM protocols…)

Current State

New Developments
- Combining A-Select with PingFederate allowed SURFnet to achieve additional standard protocol support in a certified way
- With only a few modifications, SURFnet was able to configure PingFederate as a federation gateway, or ‘federation router’ for SAML2 and ADFS
- Furthermore, SURFnet was able to make a small extension to A-Select, effectively enabling it to connect with PingFederate using the PFToken IDP/SP interfaces. This integration allowed SURFnet to realize a full fledged federation gateway speaking all of the required protocols.
New Functional View -- coming December 1

SP initiated SSO steps
- A-Select is configured as the PingFederate application endpoint for both IdP and SP SSO and SLO
- In SP-initiated SSO, PingFederate forwards the request to A-Select through the IdP SSO application endpoint
- A-Select presents the list of IdPs in the SP-initiated SSO scenario (this is the IdP discovery step)
- The user selects an IdP, and based on the type of that IdP the request is either handled by A-Select itself or redirected back to PingFederate's SP SSO application endpoint with an IdPEntityId parameter naming the chosen IdP
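To make the routing decision concrete, here is an added simulation of the gateway's SP-initiated SSO path (my own example code, not SURFnet's A-Select extension or PingFederate's sample code). It decodes a SAML 2 AuthnRequest as delivered by the HTTP-Redirect binding, checks the requesting SP against the federation membership list, presents the IdP list, and then routes by IdP type: a WS-Federation (ADFS) IdP gets a translated wsignin1.0 request, an A-Select IdP is handed to A-Select, and a plain SAML 2 IdP is sent back to the gateway's SP-side SSO endpoint with an IdPEntityId parameter. The entity IDs, endpoint paths (including the gateway's SP SSO endpoint and the A-Select query parameters) and registries are constructed for the example; the WS-Federation parameter names (wa, wtrealm, wreply, wctx) are the real ones from the passive requestor profile. Signature verification on the AuthnRequest is left out to keep the example short.

```python
"""Minimal identity-router simulation: SP-initiated SAML 2 SSO in, route to
the user's chosen IdP, translating to WS-Federation or A-Select as needed.
Added example; registries, endpoint paths and entity IDs are hypothetical."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical gateway identity and endpoints (not PingFederate's real paths).
GATEWAY_ENTITY_ID = "https://gateway.example.net/"
GATEWAY_WSFED_ACS = "https://gateway.example.net/wsfed/acs"
GATEWAY_SP_SSO_ENDPOINT = "https://gateway.example.net/sp/startSSO"

# Constructed federation registry: only members may send or receive requests.
SP_REGISTRY = {
    "https://sp.example.edu/saml": {"protocol": "saml2"},
}
IDP_REGISTRY = {
    "https://idp-a.example.edu/saml": {"protocol": "saml2",
                                        "sso": "https://idp-a.example.edu/saml/sso"},
    "https://adfs.example.org/": {"protocol": "wsfed",
                                  "sso": "https://adfs.example.org/adfs/ls/"},
    "https://aselect.example.edu/": {"protocol": "aselect",
                                     "sso": "https://aselect.example.edu/server"},
}


def encode_redirect_authn_request(request_id, issuer):
    """Build a SAMLRequest value the way a SAML 2 SP does for the HTTP-Redirect
    binding: XML -> raw DEFLATE -> base64 (constructed sample, unsigned)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="2007-10-31T12:00:00Z">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw deflate
    data = deflater.compress(xml.encode()) + deflater.flush()
    return base64.b64encode(data).decode()


def decode_redirect_authn_request(saml_request):
    """Reverse the encoding and pull out the fields the router needs."""
    xml_bytes = zlib.decompress(base64.b64decode(saml_request), -15)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2 AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer")
    return {"id": root.get("ID"), "issuer": issuer.text.strip()}


def discovery_list():
    """What the discovery page shows the user: every IdP in the federation."""
    return sorted(IDP_REGISTRY)


def route(saml_request, relay_state, chosen_idp, pending):
    """Decide where the browser goes once the user has picked an IdP.
    `pending` is the gateway's server-side store, keyed by an opaque context,
    so the eventual response can be matched to the originating SP request."""
    req = decode_redirect_authn_request(saml_request)
    if req["issuer"] not in SP_REGISTRY:      # non-member SP: the hub is not an open relay
        raise PermissionError("SP is not a federation member")
    idp = IDP_REGISTRY.get(chosen_idp)
    if idp is None:                           # user-controlled choice: whitelist it
        raise PermissionError("IdP is not a federation member")

    ctx = uuid.uuid4().hex                    # opaque, unguessable correlation handle
    pending[ctx] = {"sp": req["issuer"], "request_id": req["id"],
                    "relay_state": relay_state}

    if idp["protocol"] == "wsfed":
        # SAML 2 AuthnRequest -> WS-Federation passive sign-in request. wtrealm
        # names the gateway (the relying party ADFS trusts); wctx carries our
        # correlation handle back to us unchanged.
        params = {"wa": "wsignin1.0", "wtrealm": GATEWAY_ENTITY_ID,
                  "wreply": GATEWAY_WSFED_ACS, "wctx": ctx}
        return {"protocol": "wsfed", "ctx": ctx,
                "location": f"{idp['sso']}?{urlencode(params)}"}
    if idp["protocol"] == "aselect":
        # Proprietary side: A-Select runs the login itself (hypothetical params).
        params = {"request": "authenticate", "app_id": GATEWAY_ENTITY_ID, "rid": ctx}
        return {"protocol": "aselect", "ctx": ctx,
                "location": f"{idp['sso']}?{urlencode(params)}"}
    # Plain SAML 2 IdP: hand control back to the gateway's SP-side SSO endpoint,
    # naming the IdP, so the SAML engine issues its own AuthnRequest to it.
    params = {"IdPEntityId": chosen_idp, "ctx": ctx}
    return {"protocol": "saml2", "ctx": ctx,
            "location": f"{GATEWAY_SP_SSO_ENDPOINT}?{urlencode(params)}"}
```

The two membership checks are the part that matters in a hub of this kind: the chosen IdP comes from the user's browser, so without the whitelist the gateway becomes an open redirector into arbitrary sign-in pages, and the SP check stops a non-member from using the hub to harvest assertions from member IdPs. The `pending` entry is what lets the gateway later deliver the translated response to the right SP with the original request ID and RelayState.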
What About PingFederate
- PingFederate could be positioned as a fully functional standalone federation gateway for SAML 2 and ADFS by embedding the sample code modified by SURFnet
- Other Ping Identity customers could hook up SAML 2 IdPs and SPs with ADFS IdPs and SPs (and soon Shibboleth IdPs and SPs) through a central gateway by deploying PingFederate out-of-the-box
- IdP discovery problem would be addressed in the PingFederate product (by offering the list of IdPs)