Technical Specification including Description of IdP / SP...
Document name: SP5/ WP52 Page: 0 of 41
Reference: D52.2 Dissemination: PU Version: 0.6 Status: Final
Technical Specification including
Description of IdP / SP and Identity
Token Formats
D52.2
This document is issued within the frame and for the purpose of the FutureID project. This project has received funding from the
European Union’s Seventh Framework Programme (FP7/2007-2013) under Grant Agreement no. 318424.
This document and its content are the property of the FutureID Consortium. All rights relevant to this document are determined by
the applicable laws. Access to this document does not grant any right or license on the document or its contents. This document or
its contents are not to be used or treated in any manner inconsistent with the rights or interests of the FutureID Consortium or the
Partners detriment and are not to be disclosed externally without prior written consent from the FutureID Partners.
Each FutureID Partner may use this document in conformity with the FutureID Consortium Grant Agreement provisions.
Document Identification
Date 18/08/2014
Status Final
Version 0.6
Related SP / WP SP5/ WP52 Document Reference
D52.2
Related Deliverable(s)
D52.1, D52.3, D24.1, D44.3
Dissemination Level PU
Lead Participant: ATOS
Lead Authors: Juan Carlos Pérez Baún, Charles Bastos Rodriguez
Contributors: IFAG, CA, ATOS
Reviewers: Heiko Roßnagel (FHG), Frank-Michael Kamm (G&D)
Not to be distributed outside the FutureID Consortium
Shaping the Future of Electronic Identity Technical Specification including Description of IdP / SP and Identity Token Formats
1 Executive Summary
The main objective of this deliverable, D52.2, is to specify the interfaces and modules for the
integration of Atos e-Learning Services for Enterprises into the FutureID infrastructure.
This document provides the technical specification of the AIS and of the Atos e-Learning integration
interface, as well as a description of the basic AIS architecture, explaining the components, their
functions and their connection with the FutureID elements. It shows the Atos e-Learning
architecture and its component breakdown, and explains how communication between the AIS
components and the FutureID elements takes place. It describes the technologies used and the
multimedia content supported by Atos e-Learning.
In conclusion, this deliverable will be the guidance for developing the AIS and the integration
interface of Atos e-Learning Services for Enterprises into FutureID.
2 Document Information
2.1 Contributors
Name (Partner)
Monika Dravik (CA)
Pawel Bulat (CA)
Detlef Houdeau (IFAG)
Charles Bastos Rodriguez (ATOS)
Miguel Colomer Pastor (ATOS)
Nuria Ituarte Aranda (ATOS)
Juan Carlos Pérez Baún (ATOS)
2.2 History
Version, Date, Author: Changes
0.1, 12/03/2014, Juan Carlos Pérez Baún: Initial draft version
0.11, 11/04/2014, Juan Carlos Pérez Baún: TOC and tasks
0.14, 08/05/2014, Nuria Ituarte Aranda, Miguel Colomer Pastor, Juan Carlos Pérez Baún, Charles Bastos Rodriguez: Included Atos content
0.15, 14/05/2014, Juan Carlos Pérez Baún: Titles and ToDo's updated after initial conference call
0.16, 06/06/2014, Juan Carlos Pérez Baún, Nuria Ituarte Aranda: Added sections 8.1 and 9
0.20, 10/06/2014, Pawel Bulat, Juan Carlos Pérez Baún: Added contribution from CA on section 7
0.21, 25/06/2014, Monika Dravik, Juan C. Pérez Baún: Added contribution from CA on section 8.2; updated sections 5, 8.1 and 9.1
0.3, 22/07/2014, Detlef Houdeau, Juan C. Pérez Baún: Updates in section 6 from IFAG
0.31, 25/07/2014, Detlef Houdeau: Added content in sections 6.1 and 6.2
0.4, 28/07/2014, Miguel Colomer Pastor, Charles Bastos Rodriguez, Juan Carlos Pérez Baún: Authors' revision
0.5, 18/08/2014, Heiko Roßnagel (FHG), Frank-Michael Kamm (G&D): Updates from reviewers
0.6, 12/09/2014, Charles Bastos Rodriguez, Juan Carlos Pérez Baún: Revised terminology (legacy AIS)
2.3 Table of Figures
Figure 1: FutureID architectural components. 12
Figure 2: Types of AIS in FutureID infrastructure. 13
Figure 3: STORK and FutureID interaction. 15
Figure 4: Session Manager – Receive function 16
Figure 5: Session Manager – Send function 17
Figure 6: Flow of attributes for authentication process. 18
Figure 7: Atos e-Learning Platform 3 layer architecture. 23
Figure 8: Atos e-Learning Platform full architecture. 24
Figure 9: Atos e-Learning elements' interaction. 25
Figure 10: Components of Atos e-Learning user interface. 25
Figure 11: Authentication process for Atos e-Learning. 28
Figure 12: Components of Atos e-Learning storage interface. 29
Figure 13: High level overview of the flow of communications. 31
Figure 14: Atos e-Learning integration into FutureID overview. 32
Figure 15: AIS connectors with FC available 33
Figure 16: AIS connectors without FC 33
Figure 17: Integration Interface between A and AIS. 34
Figure 18: Apache modular architecture 35
Figure 19: Apache layering architecture 36
Figure 20: FutureID integration using Apache modules 37
Figure 21: Connection between the Apache specific AIS implementation components and Atos e-Learning (A) 39
2.4 Table of Tables
Table 1: Attributes of authentication request and response (Broker service) 18
Table 2: Attributes of authentication request and response 34
2.5 Table of Acronyms
A Service Provider Application
AB Authentication Backend
AF Access Filter
AIS Application Integration Service (a relying party implementation)
AJAX Asynchronous JavaScript And XML
BS Broker Service
BSD Berkeley Software Distribution
CSS Cascading Style Sheets
DB Data Base
DOM Document Object Model
FC FutureID Client
DHTML Dynamic HTML
HTML HyperText Markup Language
HTTP HyperText Transfer Protocol
IdP Identity Provider
LIS Legacy Integration Service
PEPS Pan European Proxy Server
PHP Hypertext Preprocessor
RSS Really Simple Syndication
SAML Security Assertion Markup Language
SCT Simple Credential Transformer
SSL Secure Sockets Layer
SSO Single Sign On
STORK Secure idenTity acrOss boRders linKed
TLS Transport Layer Security
UI User Interface
WYSIWYG What You See Is What You Get
XML eXtensible Markup Language
YUI Yahoo User Interface
2.6 Referenced Documents
[1] - Authentication module for apache,
https://modmellon.googlecode.com/svn/trunk/mod_mellon2/README
[2] - Luis A. Colón and Anthony Trivino, Apache Server Architecture, Computer Architecture,
Spring 2008
[3] – DSO support, Apache HTTP Server Version 2.2, http://httpd.apache.org/docs/2.2/dso.html
[4] - The Apache Software Foundation, http://www.apache.org
[5] - Architecture, http://docs.moodle.org/dev/Moodle_architecture
[6] – ADOdb Database Abstraction Library for PHP, http://adodb.sourceforge.net/
[7] – General Core APIs, http://docs.moodle.org/dev/Core_APIs
[8] - Büchner, Alex. "Chapter 3 - The Moodle System". Moodle Administration: An Administrator's
Guide to Configuring, Securing, Customizing, and Extending Moodle. Packt Publishing. © 2008.
[9] – Codec, http://en.wikipedia.org/wiki/Codec
[10] - FutureID_D21.04_WP21_v1.1_Reference_Architecture, https://dms-
prext.fraunhofer.de/livelink/livelink.exe?func=ll&objaction=overview&objid=3841750
[11] - FutureID Deliverable D41.2 “Interface and module specification and documentation” WP41
Identity Broker, https://dms-
prext.fraunhofer.de/livelink/livelink.exe?func=ll&objaction=overview&objid=3523992
[12] – FutureID_D44.3_WP44_Technical_Specification_for_AIS, https://dms-
prext.fraunhofer.de/livelink/livelink.exe/overview/4353210
[13] - FutureID_D52 01_WP52_Requirements for FutureID components in Business Scenarios,
https://dms-prext.fraunhofer.de/livelink/livelink.exe?func=ll&objaction=overview&objid=3858403
[14] – Multimedia plugins filter, http://docs.moodle.org/27/en/Multimedia_plugins_filter
[15] - XMLDB Documentation, http://docs.moodle.org/dev/XMLDB_Documentation
[16] – JavaScript YUI Moodle, http://docs.moodle.org/dev/YUI#The_Basics
[17] – OpenSSL Cryptography and SSL/TLS Toolkit, http://www.openssl.org/source/license.html
[18] – OpenSAML. https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoLicense
[19] – PHP, http://www.php.net/
[20] – Resources, http://docs.moodle.org/27/en/Resources
[21] – TinyMCE HTML Editor, http://www.tinymce.com/
[22] - Apache Tomcat, http://tomcat.apache.org/
[23] – URL resource, http://docs.moodle.org/27/en/URL
[24] - Usage of web servers for websites, W3Techs – Web Technology Surveys,
http://w3techs.com/technologies/overview/web_server/all
[25] – Yahoo User Interface library, http://yuilibrary.com/
[26] – FutureID_D41.3_WP4_Implementation of the Identity Broker in Dispatcher Mode,
https://dms-prext.fraunhofer.de/livelink/livelink.exe?func=ll&objaction=overview&objid=4238561
[27] – EC Review Period 1 Outline WP52, https://dms-
prext.fraunhofer.de/livelink/livelink.exe?func=ll&objaction=overview&objid=3574067
[28] – FutureID_D21.5_WP21_Analysis of relevant Business and Use Case, https://dms-
prext.fraunhofer.de/livelink/livelink.exe?func=ll&objaction=overview&objid=3522498
3 Table of Contents
1 Executive Summary 1
2 Document Information 2
2.1 Contributors 2
2.2 History 2
2.3 Table of Figures 3
2.4 Table of Tables 3
2.5 Table of Acronyms 4
2.6 Referenced Documents 5
3 Table of Contents 7
4 Project Description 9
5 Introduction 10
5.1 Scope 10
6 FutureID architecture 12
6.1 FutureID architecture overview 12
6.2 FutureID and STORK connection 14
6.2.1 Authentication Backend (STORK Backend) 15
6.2.2 Attributes in the Authentication process 17
7 Atos e-Learning technologies 19
7.1 Type of contents 19
7.1.1 Images 19
7.1.2 Audio 19
7.1.3 Linking to a sound file online elsewhere 19
7.1.4 Embedding a sound file in its own player 20
7.1.5 Video 20
7.1.6 Linking to an external online video 20
7.1.7 Uploading a video for students to download 20
7.1.8 Embedding a video in its own player 20
7.1.9 Embedding audio and video 20
7.1.10 Available players 20
7.1.11 Legacy media players 21
7.2 Technologies 21
7.2.1 JavaScript 21
7.2.2 YUI-library 21
7.2.3 TinyMCE HTML Editor 22
7.2.4 PHP 22
8 Atos e-Learning Platform Architecture 23
8.1 Components 25
8.1.1 Atos e-Learning User Interface 25
8.1.2 Atos e-Learning Core 25
8.1.3 Authentication plugins 27
8.1.4 Storing data Interface 29
8.2 Communications and flows 30
9 Integration of Atos e-Learning into FutureID 32
9.1 Integration interface 32
9.2 Integration using Apache server modules 34
9.2.1 Apache architecture - Modules 35
9.2.2 Integration Atos e-Learning services for enterprises – FutureID 36
9.2.3 Description of the components 37
9.2.4 Messages flow 38
9.2.5 Apache server configuration 39
10 Conclusion 41
4 Project Description
The FutureID project builds a comprehensive, flexible, privacy-aware and ubiquitously usable
identity management infrastructure for Europe, which integrates existing eID technology and
trust infrastructures, emerging federated identity management services and modern credential
technologies to provide a user-centric system for the trustworthy and accountable management
of identity claims.
The FutureID infrastructure will provide great benefits to all stakeholders involved in the eID
value chain. Users will benefit from the availability of a ubiquitously usable open source eID
client that is capable of running on arbitrary desktop PCs, tablets and modern smart phones.
FutureID will allow application and service providers to easily integrate their existing services
with the FutureID infrastructure, providing them with the benefits from the strong security offered
by eIDs without requiring them to make substantial investments.
This will enable service providers to offer this technology to users as an alternative to
username/password based systems, providing them with a choice for a more trustworthy, usable
and innovative technology. For existing and emerging trust service providers and card issuers
FutureID will provide an integrative framework, which eases using their authentication and
signature related products across Europe and beyond.
To demonstrate the applicability of the developed technologies and the feasibility of the overall
approach, FutureID will develop two pilot applications and is open to additional application
services that want to use the innovative FutureID technology.
FutureID is a three-year project funded by the European Commission Seventh Framework
Programme (FP7/2007-2013) under grant agreement no. 318424.
5 Introduction
This task defines and implements the proof-of-concept of a hosted Service for the FutureID
framework. This includes a relying party application (e.g. eGovernment applications or private-
sector applications) as well as a set of identity providers. A technical landscape and mock up
service in the Atos e-learning Services for Enterprises is set up, and demonstrates how to set up
and consume FutureID identity services.
5.1 Scope
The goal of this document is to provide the technical specification of the AIS and the Atos e-
Learning integration interface. This deliverable will be the basis for document D52.3, whose aim is
to implement this component. Therefore this document will be the guidance for developing the
Apache specific AIS implementation and the integration interface of Atos e-Learning Services for
Enterprises into FutureID.
The starting points are the requirements identified in [13] and the general architecture shown in
document [10]. The pilot applications have also been taken into account.
Two types of AIS can exist, as [10] shows; the first type (FutureID AIS) will be implemented by
the project. Within the FutureID AIS two specific implementations will be developed, a JBoss
specific one and an Apache specific AIS implementation. The present document considers only
the Apache specific AIS implementation, which consists of software components based on the
Apache server and implemented by FutureID. The Apache specific AIS implementation satisfies
the Atos e-Learning requirements and the market needs, since many Service Providers use
Apache as an application server. The JBoss specific AIS implementation will be described in [12].
Developing both the JBoss and the Apache AIS would cover most of the application server market.
An outline of the included sections is described next:
Section 6 – FutureID Architecture-Context and AIS integration: this section contains the basic
AIS architecture description, explaining the components and both their functions and their
connection with FutureID elements. An overview about the connection between STORK, the
identity provider, and the FutureID infrastructure, and a list of attributes needed for the
authentication process is also included.
Section 7 – Atos e-Learning technologies: establishes the type of multimedia contents and
technologies that Atos e-Learning will use.
Section 8 – Atos e-Learning platform architecture: this section describes the Atos e-Learning
architecture, explaining each component. It also covers how and where the communication
between the AIS components and the FutureID elements takes place.
Section 9 – Integration of Atos e-Learning into FutureID: this section explains how Atos e-
Learning will be integrated into FutureID through the Apache specific AIS implementation. It
describes the services that the AIS component will perform, with a detailed description of every
AIS module, including the functionality and operational environment of each. It also describes, at
a high level, the modular Apache architecture, focusing on the modules involved in the
integration process.
6 FutureID architecture
6.1 FutureID architecture overview
Figure 1 displays the overview of all relevant architectural components of the FutureID platform.
A detailed up-to-date description is available in [10] and [12].
Figure 1: FutureID architectural components.
The key building blocks of the FutureID architecture are
- User platform, with the elements
- ABC – Engine
- Broker Service
- FutureID Client
- User Agent
- Service Provider, with the elements
- Access Filter
- Simple Credential Transformer
[Figure 1 diagram: component labels shown are FutureID Broker, TS, SCT, User Platform, FC, UA, Service Provider, A, BS, LIS, ABCE, UAS, CV, AF, AIS, STORK (PEPS), IdP (WS-*), IdP (SAML), IdP (OAuth), Existing Simple Credential Transformers, Additional Complex Credential Transformers, Trusted Third Parties, TSA; legend: Contractual Relationship, Trust Relationship / Registered Account.]
- (Service Provider) Application(s)
- Trust Services
- Broker Service
- Application Integration Service
- FutureID Broker, with the elements
- Universal Authentication Service
- Trust Service
- Broker Service
- Legacy Integration Service
- Trusted Third Parties, with the elements
- Identity Provider
- STORK Pan European Proxy Service
- FutureID Broker
In this view the FutureID Broker and the (various) Service Providers maintain a contractual
relationship. In the case of the ATOS e-Learning use case there would be only the e-Learning
service provider.
The relying party implementation, based on the Application Integration Service, can be realized
in two directions, as shown in Figure 2:
- Legacy Service Provider, and
- FutureID Service Provider.
For additional information about the AIS components and their functionalities, see D44.3 [12].
Figure 2: Types of AIS in FutureID infrastructure.
The relevant stakeholders are the Service Provider, the User, and optionally, a user-chosen,
external FutureID Broker.
The Service Provider uses a FutureID AIS as an authentication front-end for its application(s).
The AIS breaks down into several components. In particular, the Access Filter (AF) is mandatory
and is specifically developed in the FutureID project. Further, the AIS comprises one or more
Simple Credential Transformers (SCTs). These are either FutureID developments or suitable third
party components. The AF and all SCTs use the same Session Library (SL). Optionally, SCTs can
use the FutureID Trust Service (TS) to determine whether presented credentials are trustworthy.
The user platform always provides a plain vanilla web browser called User Agent UA that is
capable of executing JavaScript. Optionally, the user runs the FutureID client FC. The FC
always contains a solver and executor component S&E. In the case where the FC is absent, the
user chooses a trusted external FutureID Broker who provides the S&E component that acts in
the interest of the user.
The AIS covers two major roles in the FutureID architecture: a) intercepting unknown users and
requesting the FutureID infrastructure to authenticate them and b) receiving and validating
credentials in order to set up authenticated sessions for users.
In more detail, in the former role, the UA requests a resource provided by the application A. The
request is intercepted by AF. If the user is already known, the request is passed to A.
Otherwise, AF issues a FutureID Authentication Request (FAR) through the UA to the S&E. The
AF uses the SL to determine whether a user is already known.
In the latter role, the S&E presents a user or session credential to the SCT suitable for that
credential. The SCT verifies the credential and, on success, sets up a user session by calling the
corresponding SL services. During verification, the SCT can call TS services to determine
whether the presented credential originates from an issuer that is trustworthy according to the
SP's trust policy. Once an authenticated session is established, the SCT redirects the user to the
originally requested resource of A. A more detailed description is also available in [12].
The ATOS e-learning platform is embedded between the user platform and the service provider
and uses the hypertext transfer protocol (HTTP).
6.2 FutureID and STORK connection
The STORK (Secure idenTity acrOss boRders linKed) project was developed with the mission to
establish an interoperability platform for existing electronic identifications in Europe. The STORK
platform allows European citizens to establish e-relations with foreign governments using their
national credentials.
STORK provides a SAML-based interface. The authentication backend for STORK must convert
the data received by the generic authenticate call coming from the Broker Core to the
appropriate data structure that can be consumed by STORK. The data structure is called
STORKAuthnRequest.
The bridge between the STORK authentication backend and the Broker Service is described in
section 6.2.1. The following figure represents the integration of the STORK server infrastructure
and FutureID:
Figure 3: STORK and FutureID interaction.
6.2.1 Authentication Backend (STORK Backend)
The Broker Service (BS) will be involved in the connection with STORK through the STORK
Authentication Backend (AB) component, as depicted in Figure 3. In order to initiate the
authenticate request to STORK a service called Authenticate Session Proxy has been
developed.
This service acts as an intermediary between the broker core and the STORK AB. It thereby
frees the backend from having to keep state for the Authenticate interface it has to implement:
instead, the backend can fetch the initiating Authenticate message via a REST interface of this
service. Rather than receiving a new Authenticate request once the authentication performed by
STORK has finished, the backend must actively send a message containing the
AuthenticateResponse to this service (see section 6.3 of Deliverable D41.3 [26]).
The following figure presents the Receive function information flow.
Figure 4: Session Manager – Receive function
The next figure presents the Send function information flow.
Figure 5: Session Manager – Send function
As shown in the previous figures, the service defines two functions, send() and receive(). The
receive function returns an Authenticate message for a given session id. The send function takes
an AuthenticateResponse and provides it to the broker. In the send call the SessionIdentifier
element (optional in the schema) must be set in order to match the session.
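The send()/receive() pairing above, as an added illustration that is not the FutureID implementation (whose REST interface is specified in D41.3 [26]): an in-memory Authenticate Session Proxy in which the STORK AB pulls the pending Authenticate message with receive() and pushes the AuthenticateResponse back with send(). The message field names, the in-memory queue, the TTL and the replay check are assumptions of the example; the one point taken directly from the text is that a response without a SessionIdentifier cannot be matched to a session and is therefore rejected.

```python
"""In-memory model of the Authenticate Session Proxy of section 6.2.1.

Added example, not FutureID code.  Field names, the queue, the TTL and the
replay protection are assumptions; the real service exposes these two
functions over REST and the broker core consumes the matched response.
"""
import secrets
import time
from typing import Dict, Optional


class SessionMismatch(Exception):
    """Raised when an AuthenticateResponse cannot be matched to a waiting session."""


class AuthenticateSessionProxy:
    def __init__(self, ttl_seconds: float = 300.0, clock=time.monotonic):
        self._pending: Dict[str, dict] = {}    # session id -> Authenticate message
        self._responses: Dict[str, dict] = {}  # session id -> AuthenticateResponse
        self._ttl = ttl_seconds
        self._clock = clock                    # injectable for testing expiry

    def enqueue(self, authenticate_msg: dict) -> str:
        """Broker core side: park an Authenticate message and get a session id for it."""
        session_id = secrets.token_urlsafe(16)  # unguessable, so the AB cannot fetch others' work
        self._pending[session_id] = {"msg": authenticate_msg, "created": self._clock()}
        return session_id

    def receive(self, session_id: str) -> Optional[dict]:
        """receive(): the STORK AB fetches the Authenticate message for a session id."""
        entry = self._pending.get(session_id)
        if entry is None:
            return None
        if self._clock() - entry["created"] > self._ttl:
            del self._pending[session_id]      # stale: never hand out expired work
            return None
        return entry["msg"]

    def send(self, response: dict) -> None:
        """send(): the STORK AB returns the AuthenticateResponse for the broker."""
        session_id = response.get("SessionIdentifier")
        if not session_id:
            # Optional in the schema, but without it the response cannot be matched.
            raise SessionMismatch("AuthenticateResponse lacks SessionIdentifier")
        entry = self._pending.pop(session_id, None)   # pop: a second send() for the same id fails
        if entry is None:
            raise SessionMismatch("no pending Authenticate for session %r" % session_id)
        if self._clock() - entry["created"] > self._ttl:
            raise SessionMismatch("session %r expired before the response arrived" % session_id)
        self._responses[session_id] = response

    def take_response(self, session_id: str) -> Optional[dict]:
        """Broker core side: collect the matched AuthenticateResponse (once)."""
        return self._responses.pop(session_id, None)


def demo():
    """One complete exchange: broker enqueues, AB receives, AB sends, broker collects."""
    proxy = AuthenticateSessionProxy()
    sid = proxy.enqueue({"RequestedAttributes": ["FirstName", "LastName"],
                         "ServiceProvider": "atos-elearning"})       # constructed message
    authn = proxy.receive(sid)
    proxy.send({"SessionIdentifier": sid, "Status": "Success",
                "Attributes": {"FirstName": "Ada", "LastName": "Lovelace"}})
    return authn, proxy.take_response(sid)


if __name__ == "__main__":
    print(demo())
```

The pop() in send() is what makes a replayed or duplicated AuthenticateResponse fail rather than silently overwrite the first one; the TTL bounds how long a half-finished authentication can be completed.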
6.2.2 Attributes in the Authentication process
The attributes sent by the user to AIS are both the mandatory attributes and the optional
attributes selected by the user (see step 3 of section 6.1 of [13])
The AIS will send the following attributes (Table 1) to BS in the FutureID authentication request
(see section 7.1 and 8.2 of [11]). Then this FAR reaches the BS through the user.
Attribute Mandatory Optional
AcademicTitle X
FirstName X
LastName X
Street X
StreetNumber X
City X
State X
Country X
ZipCode X
Nationality X
DateOfBirth X
IDType X
IDIssuer X
IssuingState X
IDValidUntil X
eIdentifier X
Age X
AgeVerification X
Table 1: Attributes of authentication request and response (Broker service)
The BS connects with STORK, and the information contained in the attributes received in the
response from STORK is mapped to the BS response. Finally the AIS receives an assertion
from the BS. The flow can be seen in Figure 6.
Figure 6: Flow of attributes for authentication process.
7 Atos e-Learning technologies
Atos e-Learning Services for Enterprises (e-Learning Marketplace Platform) has been chosen as
a valid test case to demonstrate the viability of FutureID components in business scenarios,
specifically with regards to Internet of Services [27].
The focus of the Atos e-Learning platform is on offering enterprise customers a reliable
e-Learning solution that lowers training costs for organizations and provides faster delivery and
more effective learning for e-Learning users (organization employees and clients outside the
organization) [28].
Both organization employees and clients subscribed to the e-Learning courses will have access
to the e-Learning services through FutureID.
7.1 Type of contents
Atos e-Learning supports many types of multimedia content, such as audio, video and images.
Students can easily download resource files to a local computer or watch the multimedia
content online in the browser. Teachers can add files or links to content hosted on another
server. The sections below describe the technical aspects of the multimedia content
supported by the "Atos e-Learning" system.
7.1.1 Images
Atos e-Learning allows teachers and students to upload and display images from a variety of
sources. Course pages can be enhanced with images in each section. Assignments can include
images for extra clarification. The system accepts .jpg, .png, .svg and .gif formats.
7.1.2 Audio
Teachers and students can add sound files to the courses. Atos e-Learning accepts the
following audio file formats:
• .mp3
• .aac
• .wma (Windows Media Audio)
• .ra (Real Media)
7.1.3 Linking to a sound file online elsewhere
You can simply link to the relevant page by choosing Add a resource > URL [23] and pasting in
the relevant link provided by the site.
7.1.4 Embedding a sound file in its own player
The system includes a built-in mp3 player. If the relevant Multimedia plugins filter [14] is enabled
by the administrator and within the course, sound files embedded into the text editor will play
inline.
A sound file can be embedded in any editable text area.
7.1.5 Video
One of the most powerful content types is video, which allows students, for example, to improve
their language skills by watching native speakers interact.
7.1.6 Linking to an external online video
You can simply link to the relevant page by choosing Add a resource > URL [23] and pasting in
the relevant link.
7.1.7 Uploading a video for students to download
Users can add video files to resources in a simple way, from where the other students can
download them to their own computers.
7.1.8 Embedding a video in its own player
• Atos e-Learning has a built-in video player called Flowplayer. If the multimedia plugins filter
[14] is enabled by the administrator, videos embedded into the text editor will play inline
in Flowplayer;
• Anywhere the TinyMCE text editor is available, it is possible to embed a video;
• MP4 files are not supported by Flowplayer.
7.1.9 Embedding audio and video
Audio and video may be embedded in a course in the following ways:
• As a file resource [20];
• As a URL resource [20];
• In a lesson popup;
• In any text area using the text editor.
The media file link is then replaced with an appropriate multimedia player which can play the
resource.
7.1.10 Available players
• YouTube (displays videos hosted on YouTube)
• Vimeo (displays videos hosted on Vimeo)
• .mp3 - MPEG Audio Stream, Layer III
• .flv - Flash video
• .f4v - Flash video
• .swf - Macromedia Flash animation file (Adobe, Inc.) (see footnote 1)
• .ogg - HTML5 audio
• .aac - HTML5 audio
• .mp3 - HTML5 audio
• .webm - HTML5 video
• .m4v - HTML5 video
• .ogv - HTML5 video
7.1.11 Legacy media players
The following legacy media player formats are also available but are not recommended for general
use:
• .mov - QuickTime player (requires QuickTime player or codec [9])
• .mp4 - QuickTime player (requires QuickTime player or codec)
• .m4a - QuickTime player (requires QuickTime player or codec)
• .mpg - MPEG animation - QuickTime player (requires QuickTime player or codec)
• .wmv - Windows Media Player (Microsoft) - not guaranteed to work in browsers other than IE or
on non-Windows systems
• .avi - Windows Media Player - not guaranteed to work in browsers other than IE or on
non-Windows systems
7.2 Technologies
7.2.1 JavaScript
The official JavaScript (JS) library for Atos e-Learning is the Yahoo User Interface
(YUI) framework [16]. Although lesser known, it is an extremely capable, powerful, fast and
well-documented library. The system also includes a number of its own YUI modules to extend the
core YUI library, and uses the TinyMCE HTML editor.
7.2.2 YUI-library
Footnote 1: Only used in trusted texts as it has potential security issues.
The Yahoo User Interface Library (YUI) is a free, open source JavaScript library created in 2005
and available under a BSD license. The YUI library is written in JavaScript and CSS and includes a
set of tools for event management and DOM manipulation; AJAX and DHTML techniques are also
widely used [25]. It has been regularly improved, including enhancements such as jQuery. This
makes the development process faster and easier, which allows building richly interactive
web applications. Therefore Atos e-Learning services for enterprises leverages these features to
provide a worthy interface.
The environments that the YUI Library targets include the most widely used browsers, such as
Internet Explorer, Chrome, Firefox or Safari, and even Android as an operating system.
7.2.3 TinyMCE HTML Editor
TinyMCE is a platform-independent, web-based JavaScript HTML WYSIWYG editor control
released as open source under the LGPL [21].
TinyMCE can convert HTML text area fields or other HTML elements into editor
instances.
7.2.4 PHP
PHP is a widely used open source general-purpose scripting language that is especially suited
for web development and can be embedded into HTML [19]. It is the language in which Atos
e-Learning is developed. It is integrated with the web server: the web server detects PHP pages
(by their extension) and sends them to PHP for execution. PHP must be installed and configured
properly for Atos e-Learning to work effectively (or at all).
8 Atos e-Learning Platform Architecture
The Atos e-Learning Platform follows a typical three-tier architecture, as Figure 7 depicts, in
which the user interface (UI), the business logic contained in PHP libraries, and the data storage
and data access through DB libraries and File libraries are developed and maintained as
independent modules [5].
Figure 7: Atos e-Learning Platform 3 layer architecture.
This means that the Atos e-Learning platform is built as a modular system; it contains an
application core surrounded by several plugins that provide specific functionality, as Figure 8
shows.
Figure 8: Atos e-Learning Platform full architecture.
Atos e-Learning is designed to be highly extensible and customizable without modifying the core
libraries. When customization or extension of Atos e-Learning is required, adding new plugins or
modifying existing ones should be enough to upgrade the Atos e-Learning platform.
In addition, Atos e-Learning includes configuration files that facilitate the customization process.
In some cases, removing standard plugins can be needed.
The interaction of these elements in Atos e-Learning architecture is explained next and depicted
in Figure 9 [8]:
1. A user makes the request through the web browser;
2. The web server receives the request and makes the PHP call to the appropriate module;
3. The PHP module calls the database;
4. Then, the PHP module returns a response based on the retrieved data;
5. Finally the web browser receives the information to be displayed to the user.
Figure 9: Atos e-Learning elements’ interaction.
8.1 Components
8.1.1 Atos e-Learning User Interface
The Atos e-Learning user interface (UI) is designed and standardised with the aim of making it
user-friendly, improving usability and creating a highly interactive web application.
With these objectives, the YUI library (see section 7.2.2) is included in the UI core. YUI includes
a few core CSS resources.
View logic is kept apart from the business logic thanks to the existence of two layers. The visual
aspect of both the Atos e-Learning platform and the courses is controlled by the external layer,
created by a specific kind of plugin called Theme. This kind of plugin changes the look and feel of
both courses and the site. Then a set of PHP classes retrieves the data and generates the HTML
code displayed to the user (Figure 10).
Figure 10: Components of Atos e-Learning user interface.
8.1.2 Atos e-Learning Core
The Atos e-Learning Core contains all the key components that the plugins require to work with.
The basic infrastructure that Atos e-Learning provides includes [13]:
• Courses and activities;
• Course enrolment;
• Users;
• User functionality;
• Additional capacities;
• Logs and statistics.
8.1.2.1 Core APIs
The core libraries [7] provide the tools to carry out the features described above. There is a
group of general libraries used by almost all plugins:
• Access API: determines what the logged-in user is allowed to do. It is an extensible library to
which new capabilities can be added;
• Data manipulation API: in charge of reading from and writing to the DB in a consistent and
secure way;
• File API: controls the storage of files (see section 8.1.4.2);
• Form API: establishes and manages user data entered through web forms;
• Logging API: manages how information is included in log files and how reports are created;
• Navigation API: modifies the navigation tree;
• Page API: manages how the page elements will be displayed to the user, adding JavaScript;
• Output API: provides the HTML for the page;
• String API: manages the language text strings to be shown to the user;
• Upgrade API: is in charge of how the system installs and upgrades itself;
• Moodlelib API: central library containing services for general purposes and general
constants.
The next group contains a selection of widely used libraries:
• Admin settings API: provides the configuration options for each plugin;
• Availability API: grants access to activities and courses;
• Backup API/Restore API: they manage how to transform course data into XML for
backup purposes, and how to turn it back the other way, respectively;
• Calendar API: manages events in the calendar;
• Enrolment API: handles course students;
• Media API: embeds multimedia items such as audio, video and Flash;
• Task API: allows tasks to run in the background, either on a regular basis or once off.
There is a group of core APIs that support the Activity modules, which are the most important
type of plugin in the Atos e-Learning application:
• Activity completion API: communicates to the system the completion of activities;
• Advanced grading API: used for grading of assignments;
• Groups API: manages groups and their activity;
• Gradebook API: manages the gradebook and provides an interface for detailed grading
information;
• Plagiarism API: checks files through external services in order to detect plagiarism;
• Question API: manages questions from a question bank.
8.1.2.2 Plugins
All the APIs described in the previous section 8.1.2.1 are the basis for implementing the different
plugins. Plugins are modules that provide specific functionality. There are about 20 different
kinds of plugins. The more relevant ones are explained next.
• Activity module plugins: provide the principal activities in a course, such as forums,
assignments, quizzes and so on;
• Admin tool plugins: plugins created to be used for site administration;
• Block plugins: add useful tools and information to course pages;
• Course format plugins: determine and change the layout of course resources, and allow the
content of the course to be organised;
• Filter plugins: process and modify texts. They change formats, change words, include
links to media resources in the site for showing the media, and so on;
• Gradebook plugins: allow viewing and editing grades in different types of reports, and
exporting and importing grade data to external sites and from outside sources in distinct formats;
• Messaging plugins: allow users to send and redirect messages to external places in
different formats (email, SMS, etc.);
• Plagiarism plugins: define and connect with external plagiarism prevention services;
• Question plugins: import/export question definitions from/to the question bank, manage
different types of questions and monitor the user interaction with questions;
• Quiz plugins: control access to quizzes and show the report results in different
manners;
• Repository plugins: allow users to search and retrieve contents into a course from
external repositories;
• Themes: set the look and feel of the course or site through the use of HTML and CSS;
• User plugins:
o Authentication plugins: allow connection to external sources of authentication,
see section 8.1.3;
o Enrolment plugins: manage and customize how people can enrol in a course.
8.1.3 Authentication plugins
When a user tries to log in, the authentication plugins control the process. Authentication plugins
allow connecting to external authentication systems such as STORK, Facebook or LinkedIn,
among others. Atos e-Learning will use the FutureID platform for authentication purposes and
STORK as the external identity provider. Authentication plugins are placed in the auth folder.
Figure 11: Authentication process for Atos e-Learning.
Figure 11 shows the process when the user clicks on the Login link; it is explained next:
1. The default login page (/login/index.php) is displayed, or, if the Alternate Login URL
on the "Manage authentication" page has been set, that URL will be displayed:
a) The session parameters are checked;
b) The FutureID authentication plugin (auth_futureID) is loaded, or the user is redirected to
an alternative login URL.
2. If the user was already logged in and the session is valid the system grants access to the
requested resource;
3. If the session is not valid or absent, the user will be redirected to an alternative login
URL;
4. This URL is intercepted by the AF, an AIS component. The AF asks the user to choose
an authentication provider;
5. The user selects the authentication provider, FutureID in this case;
6. AF triggers the FutureID Authentication Request (FAR);
7. The FutureID Broker addresses the FAR to the right identity provider;
8. The external Identity Provider (STORK) will ask the user credentials;
9. The user provides his/her credentials to STORK;
10. STORK provides the credential assertion to the FutureID Broker;
11. The AIS receives the credential assertion and sets the session and attributes variables
through the SCT, another AIS component;
12. The handler code of the alternative login page runs:
a) Determines whether the authentication was successful by checking the session
and user attributes, if not, sends the user back to the login page with an error
message;
b) Redirects the user based on his/her original page request.
8.1.4 Storing data Interface
The data related to Atos e-Learning courses, users, roles, grades and so on is mainly stored in
the database. Other information is stored in specific directories or files (Figure 12).
Figure 12: Components of Atos e-Learning storage interface.
8.1.4.1 Database
The whole Atos e-Learning database is the sum of the tables belonging to each plugin and the core
tables. The total number of tables included in the database can reach about 300, depending on
the number of courses and the information needed.
The Atos e-Learning platform uses a MySQL database where the data are stored, and uses the
phpMyAdmin open source software to manage it over the web.
The database structure is defined in install.xml files inside the DB folder of each plugin. The
install.xml files contain comments that should explain the purpose of each table and column.
In order to create, modify and delete tables and to retrieve data from the database, the Atos
e-Learning Platform has tools and APIs for defining and modifying tables, as well as methods for
getting data in and out of the database [15]:
• XMLDB is a powerful database abstraction layer which allows working on MySQL or other
databases such as Oracle or SQL Server. It contains the database definition in an XML
format (install.xml file). In this way the creation, modification and deletion of database objects
is possible through the DDL Library;
• DDL Library: the Data Definition Language Library allows handling database objects, that
is, creating, modifying and removing tables and fields, and establishing indexes and constraints;
• SQL statements: all the statements needed to insert, modify, select and delete
information from the database. These actions are carried out by the DML library;
• DML Library: the Data Manipulation Language Library contains all the methods in charge of
handling the records of the DB;
• ADOdb Library: a database abstraction library for PHP that receives requests from
both the DDL and DML libraries, performs the required actions and returns the results to the
requesting library. This library supports a large number of DBs such as MySQL, Oracle,
DB2, Microsoft SQL Server, SQLite and Sybase, among others. This means that a change of
DB does not require multiple changes in the application code [6].
8.1.4.2 File API
The rest of the information is stored in a so-called Atos e-Learning Data Directory. All the
data related to uploaded resources such as files, pictures, presentations or videos are stored in
that secured data directory, which cannot be accessed by the public.
In order to get access to these files, a link is stored in the database. Files are stored according
to the SHA-1 hash value of their content.
The File API provides the Atos e-Learning application, in connection with various plugins, several
capabilities such as managing the storage of files and providing those files to the user.
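An added example, not code from the deliverable or from the Atos e-Learning platform, of the storage scheme just described: file content is written under a path derived from the SHA-1 of its content inside a data directory that the web server does not serve, a record linking the logical file name to that hash stands in for the database row, and the hash is re-checked before the content is handed back so a blob altered on disk is refused. The two-level directory fan-out, the record fields and the temporary directory used below are assumptions of this example.

```php
<?php
// Added example (not part of the deliverable or of the Atos e-Learning code).
// Content-addressed store: blob path = sha1(content); the "records" array plays
// the role of the database table that links a logical file to its hash.
declare(strict_types=1);

final class ContentStore
{
    private string $dataDir;
    /** @var array<string, array{hash: string, size: int}> simulated DB table */
    private array $records = [];

    public function __construct(string $dataDir)
    {
        // The data directory must live outside the document root (not served by Apache).
        if (!is_dir($dataDir) && !mkdir($dataDir, 0700, true)) {
            throw new RuntimeException("cannot create data directory $dataDir");
        }
        $this->dataDir = rtrim($dataDir, '/');
    }

    /** Blob path for a hash: two-level fan-out keeps directories small (assumed layout). */
    private function pathFor(string $hash): string
    {
        // Only a 40-character hex digest is accepted, so a record can never name
        // a path outside the data directory.
        if (!preg_match('/^[0-9a-f]{40}$/', $hash)) {
            throw new InvalidArgumentException('not a SHA-1 hex digest');
        }
        return sprintf('%s/%s/%s/%s', $this->dataDir,
            substr($hash, 0, 2), substr($hash, 2, 2), $hash);
    }

    /** Store content under a logical name; identical content is written only once. */
    public function put(string $logicalName, string $content): string
    {
        $hash = sha1($content);
        $path = $this->pathFor($hash);
        if (!file_exists($path)) {
            $dir = dirname($path);
            if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
                throw new RuntimeException("cannot create $dir");
            }
            // Write to a temporary file and rename it, so a reader never sees a partial blob.
            $tmp = $path . '.tmp.' . bin2hex(random_bytes(4));
            if (file_put_contents($tmp, $content, LOCK_EX) !== strlen($content)
                || !rename($tmp, $path)) {
                @unlink($tmp);
                throw new RuntimeException("write failed for $logicalName");
            }
        }
        $this->records[$logicalName] = ['hash' => $hash, 'size' => strlen($content)];
        return $hash;
    }

    /** Retrieve content through its record and verify it still matches the stored hash. */
    public function get(string $logicalName): string
    {
        if (!isset($this->records[$logicalName])) {
            throw new RuntimeException("no record for $logicalName");
        }
        $record = $this->records[$logicalName];
        $content = @file_get_contents($this->pathFor($record['hash']));
        if ($content === false || strlen($content) !== $record['size']
            || sha1($content) !== $record['hash']) {
            // Blob missing, truncated or altered on disk: refuse to serve it.
            throw new RuntimeException("integrity check failed for $logicalName");
        }
        return $content;
    }
}

// Constructed usage: two logical files with identical content share one blob.
$store = new ContentStore(sys_get_temp_dir() . '/elearning-data-' . getmypid());
$h1 = $store->put('course1/slides.pdf', 'constructed example content');
$h2 = $store->put('course2/slides.pdf', 'constructed example content');
if ($h1 !== $h2 || $store->get('course2/slides.pdf') !== 'constructed example content') {
    throw new RuntimeException('unexpected store behaviour');
}
echo "stored once as $h1\n";
```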
8.2 Communications and flows
The AIS is intended to be an integration component that enables service providers to be easily
plugged into the FutureID infrastructure. It verifies whether the user is authenticated and, if not,
redirects him to perform authentication. After authentication is performed, it passes the user
attributes to the service provider.
The AIS might be an independent component; however, it is recommended to run the AIS on the
same server as the service provider application. This approach minimizes the opportunity to
intercept the communication between the filter and the application. Messages are sent directly to
the receiver (the application) without additional intermediaries, preventing them from being read
or modified by external sources. This makes the integration process more secure and reduces
its exposure to vulnerabilities.
Following this way of thinking, the AIS works as a filter that catches the requests sent to the
application and performs some additional logic. In the current case the service provider is the
application and the AIS is the Access Filter that intercepts requests sent by the User Agent to
the Application and redirects the user to perform authentication.
The high level overview of the flow of communications is depicted on the picture below.
Figure 13: High level overview of the flow of communications.
Figure 13 presents the following steps:
1. The request to the Application is caught by the Access Filter. If there is no security
context for this User Agent, or there is an old one, a new one has to be created.
2. The user is redirected to the Solver within the FutureID client, or to the remote solver when
there is no FutureID client. The Access Filter creates a FutureID Authenticate
Request (FAR) that contains information about the required user attributes, the application
service, the authorized authentication methods and the preferred intermediary servers.
3-6. The Solver creates authentication plans and the user is redirected via the Broker to the
appropriate Identity Provider to perform authentication and fetch the required attributes.
7-8. After the authentication process is completed, the Broker converts the user attributes into the
appropriate data structures.
9. The user is redirected to the Application.
10. The Access Filter catches the request and validates the authentication permissions. After
successful verification, access to the application is granted and the values of the required
attributes are passed to the application.
9 Integration of Atos e-Learning into FutureID
Figure 14 depicts an overall view of Atos e-Learning Platform integration into FutureID
infrastructure.
Figure 14: Atos e-Learning integration into FutureID overview.
As defined in section 10.2 in [13], the FutureID AIS component is in charge of controlling the
communication between the Atos e-Learning platform and the FutureID infrastructure. The Atos
e-Learning Platform can be integrated with FutureID by implementing an Apache-specific AIS.
The Apache-specific AIS implementation is developed as a web application server (Apache)
module, based on auth_mellon and adapted to the FutureID requirements. It will contain the AF
and SCT components. More detailed information about the FutureID AIS components can be
found in deliverable [12].
The Atos e-Learning platform will connect with the AIS, the connector between the application and
the Broker Service, through an Integration Interface. This integration component should be
developed in PHP, as Atos e-Learning is.
9.1 Integration interface
The FutureID AIS is used by the Service Provider as an authentication front-end for its
application(s) A, as stated in section 6.1.1 from [12].
The building components of this FutureID AIS are the AF and the SCT; both use the same SL
embedded in the application server.
The next two figures (Figure 15 and Figure 16) show the AIS components and the connections
with the other FutureID infrastructure components. On one hand, Figure 15 depicts the
connections when the FC is present, and on the other hand Figure 16 depicts the situation when
the FC element is absent. Detailed information is already given in section 6.1.1 from [12]. For FC
detection a JavaScript component is developed; an example of this component can be found in
the Appendix of [12].
Figure 15: AIS connectors with FC available
Figure 16: AIS connectors without FC
The application has an interface to access session data as can be seen in Figure 17. This is the
mechanism used by the application to access identity attributes.
Figure 17: Integration Interface between A and AIS.
The attributes sent by the user to AIS are both the mandatory attributes and the optional
attributes selected by the user as Table 2 shows (for more details see section 6 from [13] and
section 7 from [11]).
Generic Attribute
AcademicTitle
FirstName
LastName
Street
StreetNumber
City
State
Country
ZipCode
Nationality
DateOfBirth
IDType
IDIssuer
IssuingState
IDValidUntil
eIdentifier
Age
AgeVerification
Table 2: Attributes of authentication request and response
Once the AIS receives an assertion from the BS, the needed attributes and the identifier are set
in a server variable as session data. This information is retrieved by the PHP interface
before granting the user access to the requested resource.
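An added example, not code from the deliverable nor from the Atos e-Learning or mod_auth_futureID code, of the PHP side of this integration interface, which also covers step 12 of the authentication process in section 8.1.3: the handler of the alternative login page reads the identifier and attributes that the Apache module exports as server variables, treats authentication as successful only if the mandatory attributes are present, creates the application session and sends the user to the originally requested page, otherwise back to the login page with an error. The FUTUREID_ variable prefix, which attributes are mandatory, the session keys (including wantsurl for the original request) and the script path are assumptions of this example; the attribute names come from Table 2.

```php
<?php
// Added example (not part of the deliverable or of the Atos e-Learning code).
// Handler for the alternative login page, reached after mod_auth_futureID (AF + SCT)
// has validated the assertion and exported the session data as server variables.
declare(strict_types=1);

const FUTUREID_PREFIX = 'FUTUREID_';   // assumed prefix used by the Apache module

// Attributes the application cannot work without (assumption made for this example).
const REQUIRED_ATTRIBUTES = ['eIdentifier', 'FirstName', 'LastName'];

// Further attributes that may be present, taken from Table 2 of the deliverable.
const OPTIONAL_ATTRIBUTES = [
    'AcademicTitle', 'Street', 'StreetNumber', 'City', 'State', 'Country',
    'ZipCode', 'Nationality', 'DateOfBirth', 'IDType', 'IDIssuer',
    'IssuingState', 'IDValidUntil', 'Age', 'AgeVerification',
];

/**
 * Collect the FutureID attributes from the server variables set by the module.
 * Only the module's prefixed variables are read: request headers supplied by the
 * user agent reach $_SERVER as HTTP_* and can therefore never masquerade as them.
 */
function futureid_read_attributes(array $server): array
{
    $attributes = [];
    foreach (array_merge(REQUIRED_ATTRIBUTES, OPTIONAL_ATTRIBUTES) as $name) {
        $key = FUTUREID_PREFIX . strtoupper($name);
        if (isset($server[$key]) && $server[$key] !== '') {
            $attributes[$name] = $server[$key];
        }
    }
    return $attributes;
}

/**
 * Step 12a: authentication counts as successful only when every required
 * attribute was delivered. Returns the missing names (empty array = success).
 */
function futureid_missing_attributes(array $attributes): array
{
    return array_values(array_diff(REQUIRED_ATTRIBUTES, array_keys($attributes)));
}

/**
 * Step 12b: choose the redirect target. Only an absolute path on this site is
 * accepted, so a stored "original request" can never send the user to another host
 * (scheme, host, protocol-relative '//', backslashes and CR/LF are all rejected).
 */
function futureid_safe_redirect_target(?string $wantsUrl, string $default = '/'): string
{
    if ($wantsUrl === null || $wantsUrl === '') {
        return $default;
    }
    $parts = parse_url($wantsUrl);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//'
        || strpbrk($path, "\\\r\n") !== false) {
        return $default;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// --- handler body (assumed to run as /login/futureid.php) ---
session_start();
$attributes = futureid_read_attributes($_SERVER);
$missing = futureid_missing_attributes($attributes);

if ($missing !== []) {
    // Step 12a, failure branch: back to the login page with an error message.
    $_SESSION['loginerror'] = 'FutureID authentication incomplete, missing: '
        . implode(', ', $missing);
    header('Location: /login/index.php', true, 303);
    exit;
}

// Issue a fresh session id so a session established before login is not reused.
session_regenerate_id(true);
$_SESSION['futureid_user'] = $attributes['eIdentifier'];
$_SESSION['futureid_attributes'] = $attributes;

// Step 12b: redirect based on the original page request.
$target = futureid_safe_redirect_target($_SESSION['wantsurl'] ?? null);
unset($_SESSION['wantsurl']);
header('Location: ' . $target, true, 303);
exit;
```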
9.2 Integration using Apache server modules
Currently, Apache is used by 60.5% of websites, as shown in the study made by W3Techs
[24]; thereby, a good number of Applications are using Apache. As a result, the Apache-specific
AIS implementation has a structure based on Apache modules and thus integrates a good number
of these Application Services, such as Atos e-Learning services for enterprises.
9.2.1 Apache architecture - Modules
The open source Apache HTTP Server [4], commonly referred to as Apache, is a web server
application that supports a variety of features. Most of these features are implemented as
compiled modules which extend the core functionality (Figure 18).
Figure 18: Apache modular architecture
Apache supports many scripting languages, such as PHP, Perl, Tcl and Python, and supports J2EE
(using Tomcat [22]). It can be executed on several operating systems such as Unix, FreeBSD,
Linux, Solaris, Novell NetWare, OS X and Microsoft Windows. Apache allows virtual hosting, that
is, with one Apache installation many different websites can be served.
Apache is easy to configure. The configuration is based on configuration files (httpd.conf,
access.conf, .htaccess, .htpasswd).
The Apache architecture is based on modules; Figure 19 below shows the schema of the Apache
layered architecture. The Apache modular structure is the following:
• Basic module: Core. This module provides the basic functionality such as request
allocation or connection management;
• The Apache modules. They are the added extensions to the server which handle many of the
other types of processing the server must carry out, such as user authentication. The modules
can be separated into two groups:
o Multi-processing modules: these modules accept requests that arrive through the ports and
direct the requests to the responsible submodules. The modules are: mpm_common, perchild,
prefork;
o Additional modules:
- mod_access: access control
- mod_alias: URL redirection
- mod_rewrite: URL rewriting (converts dynamic pages such as PHP into static HTML web pages)
- mod_auth_ldap: user authentication using an LDAP server
- mod_perl: dynamic pages in Perl
- mod_php: dynamic pages in PHP
- mod_python: dynamic pages in Python
- mod_ruby: dynamic pages in Ruby
- mod_ssl: secure communications via TLS
The specific modules that are going to be included are defined in the server configuration
(httpd.conf file) using directive LoadModule.
The Apache server architecture was designed to be highly customizable, allowing programmers to
adapt it to their needs. The configuration files permit customizing Apache with the needed
modules of the Apache server. New modules can be created using the Apache module API.
Modules are recognized from the configuration files and are called when their directives are
found, through the proper procedure [2].
Figure 19: Apache layering architecture
9.2.2 Integration Atos e-Learning services for enterprises – FutureID
Based on the Apache module architecture, the integration of applications such as Atos
e-Learning services for enterprises with FutureID can be performed. To this end,
mod_auth_futureID, which belongs to the AIS component, is used. It will be created to provide
authentication using SAML and the FutureID Authentication Request (FAR) protocol.
The Figure 20 shows the architecture integration for FutureID using Apache mod_auth_futureID.
Figure 20: FutureID integration using Apache modules
9.2.3 Description of the components
The components of the architecture integration depicted in Figure 20 are the following:
Apache mod_auth_futureID is the authentication module for apache (additional module)
that will be developed for the integration. This component will authenticate the user
against a SAML 2.0 IdP, and will grant access to directories depending on attributes
received from the IdP [1]. It communicates with the identity provider, which is FutureID.
This component would contain the conceptual modules of AIS called:
o Simple Credential Transformer (SCT). SCT is a SAML assertion consumer;
o Authentication Filter (AF). AF is an access filter.
The mod_auth_futureID module will generate environment variables with the session
information needed by the Atos e-Learning application (and accessible only to that
application).
The mod_auth_futureID functionalities are the following (according to [12]):
1. Access filter. It intercepts the request made by the UA to an application offered by a SP.
This functionality is performed by the AF component within AIS.
2. Creation of FutureID requests. This functionality is performed by the AF component
within AIS; its goal is to prepare the authentication requests (FAR) and send them to
the Solver (within S&E).
3. Response validation. This functionality is performed by the SCT component within AIS.
4. User session creation. This functionality is performed by the SCT component within
AIS.
Five services will be created within mod_auth_futureID to address these
functionalities.
Apache subprocess environment: this component will process the specific requests of the
applications (e.g. Atos e-Learning services for enterprises). These subprocesses can be
implemented in PHP.
OpenSAML library (3rd party library). OpenSAML is a set of open source C++ and Java
libraries meant to support developers working with the Security Assertion Markup
Language (SAML). It will be used by mod_auth_futureID to send SAML requests and
receive SAML assertions. OpenSAML is licensed under the Apache License [18].
OpenSSL library (3rd party library). The libssl (Secure Sockets Layer toolkit) package is part
of the OpenSSL project's implementation of the SSL and TLS cryptographic protocols for
secure communication over the Internet. The OpenSSL toolkit is licensed under an
Apache-style licence; more precisely it is under a dual license, i.e. both the conditions of the
OpenSSL License and of the original SSLeay license apply to the toolkit [17].
CoT Mgmt (Circle of Trust management): this component will define the circle of trust,
which in this case is FutureID.
Session Mgmt (Session management): this component will establish the session, which will
be managed internally.
Backend Abstraction: it indicates the backends that will support the functionality; in this
case the backend is a file system. The configuration files will contain the variables that store
the configuration.
The libraries OpenSSL and OpenSAML mentioned above must be installed in order to carry out the
development of mod_auth_futureID.
9.2.4 Message flow
1. The user requests access to Atos e-Learning services for Enterprises and contacts the
Apache mod_auth_futureID module;
2. The AF intercepts the request (acting as an access filter) and checks whether a session
exists. In this case no session exists, so the user must authenticate: the AF generates the
SAML authentication request and sends it to the FutureID BS. FutureID acts as the
Identity Provider and in turn asks STORK to authenticate the user;
3. The SAML assertion is received by the SCT; the assertion contains the attributes. The SCT
creates the session;
4. The user is authorized;
5. The attributes are delivered to Atos e-Learning services for enterprises via mod_php, and
the user can now access Atos e-Learning services for enterprises;
6. Once the user is authenticated, every time he wishes to access any service of Atos e-
Learning Services for Enterprises, the AF will detect that the session exists and will grant
access to the user.
Figure 21 depicts the connection between the components belonging to AIS and the Atos e-
Learning application.
The AF and SCT components included in the mod_auth_futureID element will use a common
Session Library (SL) that will cover the session management ([10] and [12]).
The mod_php component will be in charge of providing the attributes coming from the SCT to
the Atos e-Learning application.
Figure 21: Connection between the Apache specific AIS implementation components and Atos e-Learning (A)
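The AF / SCT exchange of steps 1 to 6 above, modelled as an added Python example (not code from this deliverable or from mod_auth_futureID, which is to be written in C against OpenSAML): the AF admits a request carrying a known session and exports its attributes for mod_php, or otherwise builds the AuthnRequest for the FutureID BS; the SCT consumes the Response, checking InResponseTo against the outstanding request, the issuer against the circle of trust, the validity window and the audience, and then creates the session through the shared Session Library. Entity IDs, the attribute and the XML are constructed, and XML signature verification is assumed to have been done by OpenSAML before the SCT step.

```python
import calendar, secrets, time
import xml.etree.ElementTree as ET

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS, FMT = {"samlp": SAMLP, "saml": SAML}, "%Y-%m-%dT%H:%M:%SZ"
SP_ENTITY_ID = "https://elearning.example/sp"  # constructed SP (Atos e-Learning) entity ID
COT_IDP_ID = "https://futureid.example/bs"     # constructed: the only IdP in the circle of trust

class SessionLibrary:  # common SL shared by AF and SCT
    def __init__(self): self.sessions, self.pending = {}, set()

def access_filter(sl, cookie):
    """AF: with a session, allow and export attributes for mod_php; else build the AuthnRequest."""
    if cookie in sl.sessions:
        return "allow", {"FUTUREID_" + k.upper(): v for k, v in sl.sessions[cookie].items()}
    req_id = "_" + secrets.token_hex(16)
    sl.pending.add(req_id)  # remembered so the SCT can check InResponseTo
    return "redirect", (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
        f'Version="2.0" IssueInstant="{time.strftime(FMT, time.gmtime())}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def credential_transformer(sl, response_xml):
    """SCT: validate the Response (XML signature assumed already verified by OpenSAML) and create the session."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") not in sl.pending:
        raise ValueError("unsolicited or replayed response")
    sl.pending.discard(root.get("InResponseTo"))  # one-shot: a replayed response fails the check above
    a = root.find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", namespaces=NS) != COT_IDP_ID:
        raise ValueError("issuer is not in the circle of trust")
    cond = a.find("saml:Conditions", NS)
    if time.time() >= calendar.timegm(time.strptime(cond.get("NotOnOrAfter"), FMT)):
        raise ValueError("assertion expired")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion not addressed to this SP")
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
             for at in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    cookie = secrets.token_urlsafe(32)  # session handle returned to the UA
    sl.sessions[cookie] = attrs
    return cookie

def sample_response(in_response_to, issuer=COT_IDP_ID, ttl=300):
    """Constructed, unsigned IdP Response carrying one attribute (demo input, not real FutureID output)."""
    exp = time.strftime(FMT, time.gmtime(time.time() + ttl))
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" InResponseTo="{in_response_to}">'
            f'<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer><saml:Conditions NotOnOrAfter="{exp}">'
            f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="givenName"><saml:AttributeValue>'
            f'Alice</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
```

A second AF call with the cookie returned by the SCT takes the "session exists" path of step 6, and a replayed, expired or foreign-issuer Response is rejected before any session is created.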
9.2.5 Apache server configuration
In addition to developing mod_auth_futureID and installing the needed libraries
OpenSSL (libssl) and OpenSAML, the Apache server must be configured.
Once mod_auth_futureID has been developed, it must be loaded through the Apache server
configuration.
The created module will be compiled as DSO (Dynamic Shared Object) and added using the
Apache Extension Tool (apxs) [3].
The configuration steps that should be carried out are the following:
1. Build and install a distributed Apache module, mod_auth_futureID.c, into its own
DSO mod_auth_futureID.so:
$ ./configure --prefix=/path/to/install --enable-auth_futureID=shared
$ make install
2. Build and install a third-party Apache module, mod_auth_futureID.c, into its own DSO
mod_auth_futureID.so:
$ ./configure --add-module=module_type:/path/to/3rdparty/mod_auth_futureID.c \
    --enable-auth_futureID=shared
$ make install
3. Configure Apache for later installation of shared modules:
$ ./configure --enable-so
$ make install
4. Build and install a third-party Apache module, mod_auth_futureID.c, into its own DSO
mod_auth_futureID.so outside of the Apache source tree using apxs:
$ cd /path/to/3rdparty
$ apxs -c mod_auth_futureID.c
$ apxs -i -a -n auth_futureID mod_auth_futureID.la
The -n option gives apxs the module name that -a uses when it adds the LoadModule line to
httpd.conf, so it must match the module's name (auth_futureID).
To activate the module in Apache, the LoadModule directive is used in httpd.conf, located in the
conf/ directory under the server root.
LoadModule auth_futureID_module mod_auth_futureID.so
This directive loads the Apache module mod_auth_futureID.so, adding this module to
Apache’s internal list of known modules. auth_futureID_module is the name of the external
variable of type “module” in the module’s source code.
The file httpd.conf is processed once on the server’s start-up and on each restart.
10 Conclusion
The main objective of this deliverable D52.2 is to establish the technical specifications of the
Apache specific AIS implementation and of the Atos e-Learning integration interface with the
FutureID infrastructure.
As D21.4 shows, two types of AIS can exist; the first type of AIS (FutureID AIS) will be
implemented by the project. Inside the FutureID AIS two specific implementations will be
developed, the Apache specific AIS implementation and the JBoss specific AIS
implementation. This document establishes the technical specifications for the Apache specific
AIS implementation. The JBoss specific AIS implementation specifications have been described
in D44.3 [12].
In order to avoid redundant information related to the AIS components, section 6 focuses on
how the Service Provider (Atos e-Learning) and the Identity Provider (STORK) interact with the
FutureID infrastructure through the Apache specific AIS implementation. The mandatory and
optional attributes needed by the SP and provided by the IdP during the authentication process
are also established in that section.
Section 7 describes the types of content that the Atos e-Learning Platform uses and the
technologies involved.
How the components of the Atos e-Learning platform interact with the components of the Apache
specific AIS implementation during the authentication process is described in section 8.
Finally, section 9 gives a detailed description of the integration components and establishes the
flow of messages between the different components.
Therefore sections 8 and 9 provide enough information to be taken into account when the
Apache specific AIS implementation is developed and Atos e-Learning is integrated into the
FutureID infrastructure. In this way Deliverable 52.2 eases the development of the
Apache specific AIS implementation components and their interaction with the service providers
and the identity providers.