CEIC Junta de Andalucía

The Consejería de Economía, Innovación y Ciencia of the Junta de Andalucía approached PRiSE and Opentia to entrust them with the design of a system that allows information to be exchanged between their applications in accordance with standards, reducing the cases in which username/password pairs were being sent from one application to another.

The best-suited technology for this case was SAML 2, because it allows information to be exchanged between applications in a standard way.

When the project started, no Identity Provider was available in the Consejería. It was therefore decided to develop a Security Token Service (STS) conforming to the WS-Trust 1.4 standard published by OASIS. This service receives RequestSecurityToken messages carrying unsigned SAML assertions from authorized applications and exchanges them for SAML assertions signed by the STS.

Scenario

The message sent by an application to the STS includes a username/password pair. Since the messages are SOAP, the pair is transmitted using the Username Token Profile of Web Services Security (WS-Security), always over an HTTPS secure channel. As use of the STS grows within the Consejería, it will be necessary to analyse whether other authentication methods or trust mechanisms between the applications and the STS should be added.
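The exchange described above, as an added example that is not code from PRiSE, Opentia or the Consejería: an application wraps an unsigned SAML 2.0 assertion in a WS-Trust RequestSecurityToken (placed in wst:OnBehalfOf here; where the Consejería's profiles put it is not stated on this page), authenticates with a WS-Security UsernameToken in PasswordDigest form, and the STS checks the digest, the Created timestamp and nonce replay before returning the assertion with its own issuer and a signature. The STS name, the key, the user and the assertion contents are constructed sample data, and an HMAC-SHA256 over the canonicalised assertion stands in for the XML-DSig signature a real STS emits, so that the example runs with the Python standard library only.

```python
"""Added example: WS-Trust Issue request with a WSS UsernameToken (PasswordDigest).
Not the project's code; sample names, keys and data are constructed for the demo."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from SOAP 1.2, WS-Security 1.0/1.1, WS-Trust 1.3/1.4 and SAML 2.0.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
ISSUE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
STS_ISSUER = "urn:sts.example"  # hypothetical STS entity name
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample data: an unsigned assertion as an application would send it.
SAMPLE_CREATED = "2024-01-15T10:00:00Z"
SAMPLE_NONCE = b"0123456789abcdef"
SAMPLE_NOW = datetime(2024, 1, 15, 10, 0, 30, tzinfo=timezone.utc)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="{SAMPLE_CREATED}">
  <saml:Issuer>app.example</saml:Issuer>
  <saml:Subject><saml:NameID>00000000T</saml:NameID></saml:Subject>
</saml:Assertion>"""


def wss_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), WSS UsernameToken Profile."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_rst(username: str, password: str, assertion_xml: str, created: str, nonce: bytes) -> str:
    """Application side: RequestSecurityToken (Issue) carrying the unsigned assertion."""
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:wst="{NS['wst']}">
  <s:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>{username}</wsse:Username>
    <wsse:Password Type="{PASSWORD_DIGEST}">{wss_digest(nonce, created, password)}</wsse:Password>
    <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
    <wsu:Created>{created}</wsu:Created>
  </wsse:UsernameToken></wsse:Security></s:Header>
  <s:Body><wst:RequestSecurityToken>
    <wst:RequestType>{ISSUE}</wst:RequestType>
    <wst:TokenType>{SAML2_TOKEN}</wst:TokenType>
    <wst:OnBehalfOf>{assertion_xml}</wst:OnBehalfOf>
  </wst:RequestSecurityToken></s:Body>
</s:Envelope>"""


def verify_username_token(env, password_lookup, now, seen_nonces, max_skew=timedelta(minutes=5)) -> str:
    """STS side: check the UsernameToken digest, Created freshness and nonce replay."""
    tok = env.find("s:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        raise ValueError("no UsernameToken")
    username = tok.findtext("wsse:Username", namespaces=NS)
    pw = tok.find("wsse:Password", NS)
    if pw is None or pw.get("Type") != PASSWORD_DIGEST:
        raise ValueError("only PasswordDigest is accepted")
    nonce = base64.b64decode(tok.findtext("wsse:Nonce", namespaces=NS))
    created = tok.findtext("wsu:Created", namespaces=NS)
    created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created_dt) > max_skew:
        raise ValueError("Created outside the accepted window")
    if nonce in seen_nonces:
        raise ValueError("replayed nonce")
    password = password_lookup(username)
    if password is None:
        raise ValueError("unknown application")
    if not hmac.compare_digest(wss_digest(nonce, created, password), pw.text or ""):
        raise ValueError("bad password digest")
    seen_nonces.add(nonce)  # only after a successful check, so failures cannot poison the cache
    return username


def issue(rst_xml: str, password_lookup, sts_key: bytes, now, seen_nonces):
    """STS side: authenticate, extract the assertion, re-issue it under the STS's name and sign it."""
    env = ET.fromstring(rst_xml)
    username = verify_username_token(env, password_lookup, now, seen_nonces)
    rst = env.find("s:Body/wst:RequestSecurityToken", NS)
    if rst is None or rst.findtext("wst:RequestType", namespaces=NS) != ISSUE:
        raise ValueError("not an Issue request")
    assertion = rst.find("wst:OnBehalfOf/saml:Assertion", NS)
    issuer = None if assertion is None else assertion.find("saml:Issuer", NS)
    if assertion is None or issuer is None:
        raise ValueError("no SAML assertion with Issuer")
    # The STS vouches for the assertion: issuer and issue instant are its own, never the caller's.
    issuer.text = STS_ISSUER
    assertion.set("IssueInstant", now.strftime(TIME_FMT))
    canon = ET.canonicalize(ET.tostring(assertion, encoding="unicode"), strip_text=True)
    sig = base64.b64encode(hmac.new(sts_key, canon.encode(), hashlib.sha256).digest()).decode()
    return username, canon, sig  # stand-in for an XML-DSig enveloped signature


def verify_issued(canon: str, sig: str, sts_key: bytes) -> bool:
    """Relying application side: accept the assertion only if the STS signature checks out."""
    expected = base64.b64encode(hmac.new(sts_key, canon.encode(), hashlib.sha256).digest()).decode()
    return hmac.compare_digest(expected, sig)
```

Two points the code makes explicit: the nonce is recorded only after a successful check and the Created window is enforced, because without both a captured RequestSecurityToken can be replayed even over HTTPS; and the STS rewrites Issuer and IssueInstant before signing, so a relying application can tell an STS-issued assertion from one the sending application merely claims. Note also that PasswordDigest obliges the STS to keep a recoverable copy of each application's password, which is why, with HTTPS already in place, PasswordText against a properly hashed credential store is frequently the better trade-off.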

In addition, this project included the definition of five profiles for transmitting information with SAML 2, depending on the method used to authenticate the user.

These profiles define the format of the SAML assertion according to the authentication performed in the application that requests the signature of the assertion. They are the following:

  • User/password profile
  • X.509 Certificate profile
  • @firma processed X.509 Certificate profile
  • NIF and locator profile
  • NIF Profile