ZXID.org - Open Source IdM for the Masses TAS3.eu - Trusted Architecture for Securely Shareable Services (with Privacy) IoS - Internet of Subjects
ZXIDP.org - Free and Open
  IdP as a Service
- Any user, any SP can join.
ZXID Home - Open Source IdM for the Masses - TAS3 Reference Implementation - Internet of Subjects PDS, PTM

Download Source (Apache2 licensed)
zxid-1.42.tgz 20160227 - Sig and hash algos made configurable, HTTP Action header fix, UMA and OAUTH work
zxid-1.22.tgz 20141009 - Multivalued attribute matching, valgrind cleanups, changed URL config to BURL
zxid-1.18.tgz 20131126 - Windows and dietlibc support fixes, zxid_httpd
Old releases
 git clone git://zxid.org/zxid (Anon GIT)
 git clone git://zxid.org/pd (Anon GIT)
 Please write author for commit access.

Download Binaries
Binaries and Packages Page
Windows, some Linux distros

ZXID mailing list
zxid.user@lists.unh.edu archives


All ZXID documentation as one convenient 300 plus page monolithic book.

Deploy SAML on Apache w/o programming

Nitty gritty on all options

Circle of Trust
Set up a Circle of Trust (aka Trust Network or Federation)

Install from package or source

zxid_simple() -- Easy API for SAML

API Reference -- Every Function

Program like pros (and fix your own problems)

Make Identity Web Services Calls using ID-WSF

Secure Logging
Digitally signed logging facility

Java -- Using ZXID from Java

Net::SAML -- Using ZXID from Perl

php_zxid -- Using ZXID from PHP

Using zxididp to implement IdP, Discovery, IDMapping, and People Services

Crypto and Cert Tutorial

FAQ -- Frequently Asked Questions

QA & Test Coverage

LCOV Report on 0.73 (20101219)
Line-by-line test coverage now at 63.0%

TAS3 Tests

TAS3 & IoS Reference Implementation
TAS3 Official, ZXID-TAS3 (local)
TAS3 Architecture Docs

Write to Sampo Kellomäki (sampo % zxidp.org) No spam, please!


TAS3 Architecture Explained (Video, 15min)


Conor Cahill said back in 2006:

IMNSHO, better go Liberty up front and have the confidence that you do not need to upgrade later - or run two parallel systems. The Liberty (or SAML 2.0) system is comprehensive and addresses every use case anyone has thought so far. The percieved complexity is really an implementation issue and not underlying property of the spec. Since we provide an implementation, the "complexity" is not customer problem.

Scott Cantor and Peter Williams said on 5.11.2010 on wsf-dev@lists.openliberty.org

Peter Williams said:
I'm guessing that, in the culture that admires dumb clients, that what holds ECP (and cardspace) back is the inability to convince server vendors to commoditize this role for a browser.

That, among other things, like the obsession with reinventing all things XML in a misguided effort to dumb down security technologies so that the wrong people can implement them.    -- Scott

What is it?

mod_auth_saml: An Apache httpd auth module that does SAML SSO. No programming, just configure Apache, see receipe. Web Master - you need this because it is a config only install, no programming.

SSO servlet and Java libzxidjni.so: A Java JNI extension that wraps libzxid. Also supplied: zxidsrvlet.java that implements SP SSO as servlet, directly integrateable with existing application under servlet engine, e.g. Tomcat.

php_zxid: A PHP extension that wraps libzxid. Also supplied: zxidhlo.php that implements SP in mod_php environment.

Net::SAML: Perl module wrapping libzxid. Also zxidhlo.pl example, implementing SP in mod_perl environment, is supplied.

zxididp: Full featured Identity Provider and Discovery Service, as deployed by ZXIDP.org

libzxid C library for SAML 2.0 federated Single Sign-On (SSO) and ID-WSF Web Services. Many other language bindings are supported through SWIG. IdM Hacker - you need this because it supports all relevant protocols, you will study it and you will contribute patches (thanks).


  • 1.22 (20141009) is most stable release prior to OAUTH2 work
  • 1.02 (20110725) stable "1.0" release.
  • 0.82 (20110310) is 1.0 Release Candidate. As of 0.41 (20091120) the package has been mature for doing SSO and other SP related tasks. It also supports perl and mod_perl by way of Net::SAML module, PHP5 (and php4) using php_zxid.so, as well as Java using libzxidjni.so. The Java support includes SSO servlet to be used with Tomcat or other application server.
  • mod_auth_saml is fully production grade and can be used to implement SSO to Apach httpd just by configuring (no programming needed).
  • zxididp, including ID-WSF Discovery, is beta grade.
  • ID-WSF 2.0 WSC and WSP roles are release grade.
  • XACML PEP role is release grade.
  • Details
    • General SAML 2.0 encoding and decoding of messages in C
    • Net::SAML perl module that gives access to the C functionality
    • php_zxid.so extension for php5 (and php4) roughly equal to Net::SAML
    • libzxidjni.so extension for Java roughly equal to Net::SAML
    • zxidsrvlet.class for Tomcat enviroment, giving SSO
    • SAML 2.0 metadata handling and support for Well Known Location method
    • Specific logic for Single Sign-On and Federation using artifact, post, and simplesign-post profiles
    • Single logout, defederation, and NameID management
    • Some session management and ability to handle discovery bootstrap, ability to start Java HttpSession, ability to pass information from SSO to WSC.
    • SP role as a CGI written in C, perl under mod_perl and CGI, php under mod_php, Java / Tomcat, shell script CGI, and as Apache httpd auth module (mod_auth_saml)
    • IdP role written in C
    • Command line WSC testing tool (zxcall)
    • ID-WSF 2.0 Discovery WSC role in C, perl, php, and Java
    • ID-WSF 2.0 Discovery Service (WSP) role in C
    • General ID-WSF 2.0 WSC role in C, perl, php, and Java
    • General ID-WSF 2.0 WSP role in C, perl, php, and Java
    • Encoders and decoders for SAML 2.0 (most mature), SAML 1.1, Liberty ID-FF 1.2, Liberty ID-WSF 1.1, Liberty ID-WSF 2.0, XACML 2.0, and many more.
    • XACML 2.0 PEP role in C, perl, php, and Java
    • XACML 2.0 PDP role in C, but without XACML rule evaluation engine (i.e. we use proprietary rules)

TAS3.eu - Trusted Architecture for Securely Shareable Services (with Privacy) ZXID is the Refecence Implementation of the Core Security Architecture of TAS3.

IoS - Internet of Subjects ZXID aims at providing open source implementation of the Internet of Subjects Personal Data Store (IoS-PDS).

OpenLiberty.org - Secure Identity Web Services ZXID is member of OpenLiberty.

Kantara Initiative - Shaping the Future of Digital Identity ZXID supports Kantara Initiative.

ISTI-CNR LabSE ZXID AXIS2 integration by ISTI-CNR LabSE.

Get a Yubikey ZXID supports strong authentication using Yubikey USB token from Yubico.

[Bertolino12] A. Bertolino, et al.: "Enhancing Service Federation Trustworthiness through Online Testing", IEEE Computer, January 2012 (vol. 45 no. 1) pp. 66-72, 2012. DOI

Run-time dependencies

OpenSSL - Cryptography and SSL/TLS Toolkit ZXID uses OpenSSL for all of its crypto (your distro should already have this).

CURL groks those URLs ZXID uses libcurl as HTTP(S) client (your distro should already have this).

zlib ZXID uses zlib for compression (your distro should already have this).

Full regeneration dependencies
(usually not needed to compile ZXID)

ZXID uses Plaindoc to generate code (xsd2sg.pl) and documentation (pd2tex).

SWIG - Interface Generator ZXID uses SWIG to generate its language bindings.

Other Projects by Sampo

NATO STANAG 5066 implementation Open5066.org, local copy.

SMIME utility and perl module here

Net::SSLeay perl module here.

Copyright © 2006-2016 Sampo Kellomäki. All Rights Reserved. Updated 20160227.