Minutes 2012-10-17 (1st meeting)

Date and time: 2012-10-17 9:00 – 9:50  (Location: F2F Brussels/Telco)


  • Robert Ott (Clavid, CH)
  • Peter Groeneveld (Logius, NL)
  • Keith Uber (Ubisecure, FI)
  • Leif Johannson (NORDUnet, SE)
  • Wim Geurts (Logius , NL)
  • Victoriano Giralt (University Malaga, ES)
  • Christoph Dornbierer (AdNovum, CH)
  • Fulup Ar Foll (Kuppinger, DE/FR)
  • Patick Curry (BBFA, UK)
  • Jan Vanhaecht (Deloitte, BE)
  • Rainer Hörbe (Consultant, AT) (Convener + Notetaker)

1. Presentation “The Need for SAML Profile Harmonization” (Rainer Hörbe)

Slides and text

2. Patrick Curry, British Business Federation Authority

2 areas: a) employees in supply chains, b) consumers that interact with business. My interest is employees in high assurance space LoA3 and above. Requirements are to deal with risks of complexity and risk of compliance Penalty regime ITAR (Boing 2 cases with 1billion $ each; average fine was 18m $, people went to jail, companies were banned from federal contracts. Penalties had US and extraterritorial impacts.

Primary Aerospace & Defence companies have been working internationally, in projects which are military like Joint Strike Fighter and civil like A380 with global supply chains.

PKI is used for AuthN purposes + SAML assertions which contain AuthN + Role information.

This includes 300k-400k companies and has a huge economic impact. The top companies spent 400m $ to sort out this infrastructure and support federation. The achieved the ROI within 18 months. 47% reduction in hacking was recording, significant improvement of reuse in information capabilities. Reuse across other sectors is starting in health, law enforcement, transport, legal and financial sectors. There are now requirements to interoperate with the government’s identity proofing and verification process.

3. Leif Johannson, NORDUnet

Geant (one of the big Framework Programme 7 projects) established and is now operating a cross-national federation in the higher education sector named eduGain, which is actually like STORK. Scale: aggregated operational metadata shows 5000 SPs and 5000 IdPs, worldwide. The reason we are running this in parallel to STORK is because we think that we cannot get STORK to work for us. There are interoperability issues, and by our scale STORK is a small player, and their use cases simple do not correspond to our operational needs. There is significant interest from our members to use citizen credentials, specifically in the student enrolment phase. That would be a big money saver. The hassle we have today is not the big money Patrick mentioned from his area, but for our line of business the amounts of money are still very significant.

The way we grew to the current size of 5000 SPs and 5000 IdPs was based on using a strict SAML profile focused on interoperability. Members are operating using the SAML2Int profile since 2006, which is a narrowly scoped deployment profile of the SAML eGov 2.0 profile – actually both were developed in conjunction. It is designed to support 100,000s of entities in a federation at minimal deployment costs.

One more remark. I had lunch with the project leader of eduGain and he said that he recently mentioned the inability if eduGain to get traction with STORK to the person responsible for eduGain in the European Commission. That person (I cannot recall his name) said that it is a failure of STORK not to connect with a federation that had demonstrated to scale up to the size that STORK wants to grow to.

4. Introduction of participants

  • Kick Willemse apologized for being unavailable for this call. He is involved in a number of identity management projects and developments, like the OpenID foundation. From a European context he thinks it is important to share knowledge and try to harmonize the STORK SAMLmessages that will be exchanged between EU countries in the near future. At this moment there is a gap between the country specific SAML profiles and harmonization.
  • Peter Groeneveld from Logius, The Netherlands. Technical Architect of eHerkenning (eRecognition) program, focus on e-authentication of people working in behalf of companies, in particular in the business space.
  • Keith Uber is from Ubisecure Solutions in Helsinki, Finland. We are the technology supplier for the government in the area of Ministry of Tax, Ministry of Labor and  Security Office. Our platform is the backbone for authN and authZ for about 80 services. We provide strong authN, delegation and power of attorney. It is a mature system based on SAML running since 2007. There is another gateway in FI looking after STORK, and I am concerned about this, as my requests to find out more about it have not been answered.
  • Wim Geurts: Architect at Logius as Peter, working on the authN of civilians. I joined to learn about the interoperability issues.
  • Victoriano Giralt from University of Malaga and other roles, like coordinator of the federation of Andalusian Universities and member of the SEDDIC network working on eID. I believe that STORK is a real good thing for the HE sector, like supporting the Bologna Process by identifying students whom we have never seen before with a trustworthy identity when the arrive at a service. Or for other things like e-passport the record of education. All those things are connected to a SAML federation somewhere, which has become the standard transport for identity. Actually we do have STORK integrated thanks to the bridge we operate for the SAML federation, where Rediris had made a connection to the PEPS. I think that STORK is a wonderful thing.
  • Christoph Dornbierer from AdNovum, Switzerland. We are a software engineering company with a security focus. I am member of the SwissID standardization platform, responsible for the SAML part. SwissID is a high-quality authentication token plus some well-know attribute providers.
  • Fulup Ar Foll. Some know my history in that field; I was vice-chair for the Kantara eGov WG when we worked on the SAML eGov profile V2. I am now with Kuppinger+Cole. My interest in this group is because I am working on a project in Brittany with the focus on reuse of identities between the public and private sector. The difference our approach to most of you is that we are focusing on lower levels of security, like LoA 1 and 2. Although we are planning to use OIDC as well, SAML interoperability is a key issue for us. We are on the same track, that interoperability is the issue for deployment. If it is easy it will be successful, if it is complex it is going to fail.
  • Thomas Gundel sent his apologies and this statement by mail: “The main issue I see is, that STORK SAML profiles (and levels of assurance) are not compatible with the Kantara eGov profile and hence the Danish OIO SAML profile, which the Danish eGov infrastructure is built upon. We use OIO SAML for authentication / web SSO of citizens and businesses / employees to every eGov service, and are currently increasing the scope with identity-based web services, powers of attorneys and user privileges in SAML Assertions.
    It would be a burden for Danish eGov infrastructure to participate in STORK as long as the STORK profiles are proprietary and not supported by COTS products available in the market.
  • Jan Vanhaecht. Deloitte consultant in Belgium, primarily as architect for the federal government’s IAM platform, where we are serving as a centralized IDP for citizens in Belgium, serving G2G and G2C. There is now growing interest in G2B. We are serving 450 Relying Parties in our Circle of Trust, among which are communities and semi-private institutions. This hub is the basis where we are looking into providing the Belgium link to the STORK network. We are looking into bringing the interface into line with the set of commercial products we have invested into. The biggest challenge currently is the communication of the authZ/role membership which can depend on the organizational context. E.g. when I am working in my Deloitte vs. state representative role.

5. Charter, organizational issues and further activities

Rainer: There were a number of background discussions before the meeting. To make that process transparent I suggest moving the discussion to a mailing list and wiki.

Regarding the formal structure and infrastructure like wiki, conference bridge and mailing list I talked to Nicole Harris about REFEDS hosting this group as a working group. This proposal was welcome by her. [Remark: Nicole missed the call due to some urgent operational incident] I will send out details about this proposal per mail and wait for opinions and objections.

Leif: I would suggest making a face-to-face meeting to have a more intensive discussion. What about REFEDS in November or end of October in DC?

Rainer: REFEDS will be in the week of November 19th in Budapest. I will propose a few options and send out a Doodle poll to find a date for the F2F.

6. AOB

Meeting adjourned at 8:55