VMM - SAML Proxy

Januari 2014 till March 2014
Content:  
     

Management Summary

The Identity & Access Management (IAM) architecture for VMM is composed of three major domains, being Digital Entity Management, Rights and Privileges Management and Access Management. This architecture will operate in a federated capacity, meaning the different functionalities in each of these domains will be positioned either within VMM or with external partners (such as IDM/ACM of the Flemish Government). However, there is a need for flexibility to ensure maximum indepence of external service providers such as eIB.

An important characteristic of this setup is the delegation of user management. The users will be part of organisations, and as such, their management will be the prerogative of those organisations, reducing the workload of the services within VMM. This also augments confidentiality as users are added by people who know them. The functional benefits of the federated and delegated IAM are more important than the reuse and flexibility of the solution. This translates into the primary phase of the project focusing on a minimal integration with VO IDM/ACM in order to act as a capability for implementing a complete solution.

The module to develop in this phase of the project focuses on the authentication and accounting part of the triple A standard in security, leaving the authorization functionalities for later phases. Authentication is the process in which the identity of the user is verified, typically by demanding information (for example a username/password combination) containing a specific digital identity. Authorization specifies those functionalities used by the system to determine what actions are available to a certain user. Accounting is the verification of actions performed by said users. The digital identity will be verified by use of the SAML2-protocal where VO IDM/ACM will take on the role of Identity Provider (IDP), returning the verification of the digital identity, as well as several course-grained attributes which can be used in authorization steps later on in the process.

The administration of all operational details (such as certificate governance) is to be set up as well during this phase of the project, in order to ensure minimal impact on business continuity in case of change. This includes all regulatory compliances and powers of attorney.

Team Composition

The strategy for fast delivery of this component was to use a core team of only two people, dedicated full time to this development. I performed the project manager and architectural tasks, while one developer (Jasper Vandemalle) wrote the code. The testing was automated and test scenarios were designed based on input from an Ethical Hacker.

This project was a direct application of some of the lessons learned during the Crosspoints Bank Integration project with regards to how the SAML protocol is leveraged within the application landscape of the Flemish regional government. Not only how the SAML messages are constructed (for example VO IDM/ACM does encryption on the level of the attribute within an assertion), but also how an integration dossier to request the wanted access rights, must be published towards the proper authorities. These lessons learned also comprised of the procedures of how to procure a Government CA certificate to use as key for signing or encrypting data. These certificates can be procured from FedICT.

Project SOA Security Public Sector