
ZXID Home - Open Source IdM for the Masses - SAML SSO

Sampo Kellomäki (sampo@iki.fi)

What is it?

ZXID - SAML & ID-WSF Enabled
  • Sampo's presentation at the 1st European Identity Conference, Munich, May 10, 2007 (a similar presentation was given at the Liberty eGov day during the Brussels meeting in April 2007). Slides.

  • Buttons, banners, and other promotional materials, here

Dependencies

To compile ZXID you need:

  1. openssl-0.9.8e or later. See www.openssl.org. Most Linux distros are sufficient.

  2. zlib from zlib.net. Your distro is sufficient.

  3. libcurl from http://curl.haxx.se/, version 7.15.5 (probably your distribution is fine). It needs to be compiled to support HTTPS.

  4. HTTPS capable web server, such as Apache (see my recipe), with CGI support. Or Jef Poskanzer's mini_httpd, available from http://www.acme.com/software/mini_httpd/

Platforms

  • Linux: supported (ix86)

  • FreeBSD: supported, see port in http://www.freshports.org/security/zxid/

  • Solaris 8: supported (Sparc)

  • Mac OS 10 (Darwin): supported (Power PC & ix86)

  • Windows 2k: preliminary support using MinGW (I am not knowledgeable enough in Windows to help you if you hit troubles)

ZXID is developed on ix86 Linux with POSIX as a goal; any modern system should work. You will need GNU make. I use gcc-3.4.6 as a compiler so others (such as gcc-4) may need minor tweaking.

ZXID Project has vastly more ambitious goals. See the ZXID Project chapter in documentation (PDF).

Conor Cahill of Intel (formerly AOL) said back in 2006:

IMNSHO, better go Liberty up front and have the confidence that you do not need to upgrade later - or run two parallel systems. The Liberty (or SAML 2.0) system is comprehensive and addresses every use case anyone has thought so far. The perceived complexity is really an implementation issue and not underlying property of the spec. Since we provide an implementation, the "complexity" is not customer problem.

Try it out immediately

In this space we host links to IdPs that work with ZXID and to ZXID test sites you can use to get a feel for yourself. There is no guarantee that these sites stay up:

Freely downloadable IdPs you can install and test against

Aims of ZXID Project

ZXID aims at full stack implementation of all federated identity management and identity web services protocols. Initial goal is supporting SP role, followed by ID-WSF WSC, WSP and IdP roles. We aim at supporting US GSA E-Auth profile.

ZXID is lightweight, has a small footprint, and is implemented in C. It is suitable for both high performance (e.g. 300 SSO/sec on normal hardware without acceleration) and embedded applications. Scripting languages are supported using SWIG, including Perl, PHP and Java. The "full stack" nature of ZXID means it's self-contained and has minimal external library dependencies (see downloads).

Targeted Federated Identity Standards

Targeted ID Web Services Standards

Targeted Authorization Standards

Approach

ZXID consists of C libraries. Some of these libraries are generated from schema grammar descriptions using a tool called xsd2sg.pl, part of Plaindoc distribution. Other libraries that express flows and processing rules are hand-written. The language bindings, other than C, are generated automatically using swig(1), see http://swig.org/.

Status

0.63 (20100908) is 1.0 Release Candidate. As of 0.41 (20091120) the package has been mature for doing SSO and other SP related tasks. It also supports perl and mod_perl by way of Net::SAML module, PHP5 (and php4) using php_zxid.so, as well as Java using libzxidjni.so. The Java support includes SSO servlet to be used with Tomcat or other application server.

mod_auth_saml is fully production grade and can be used to implement SSO to Apache httpd just by configuring (no programming needed).

zxididp is beta grade.

zxididp ID-WSF Discovery functionality is alpha grade.

ID-WSF WSC and WSP roles are beta grade.

XACML PEP role is beta grade.

So far we have

Documentation

Documentation starts from README.zxid (PDF) file. There is also low level source code derived documentation in API Reference

I also encourage you to read the source, especially headers. Starting from c/zx-sa-data.h, zxid.h, zxid.c, and zxidsimp.c will be most instructive.

All the specifications supported by ZXID are freely available on the net. Try

Support

Mailing list and forums

Bugs

Mail the author until we get bug tracking set up. Or volunteer.

Developer access

Anonymous GIT read only: git clone git://zxid.org/zxid

For commit we use git over ssh, but access needs to be manually configured and is not anonymous. If you contribute significantly, I will bother. Others can send patches (diff -u) to me - a good way to show you are worthy of git access. I've heard some mixed experiences about open source sites like sourceforge. If you run such a site and want to host ZXID Project, please contact me.

If you just always want the latest stable source: get the tar ball from the downloads section. Trust me, this is still so much in flux that only the tar ball snapshots are in any usable state. git access just to get latest source would be pointless.

Commercial Support

The following companies provide consultancy and support contracts for ZXID:

Previous Releases

Some Links

Acknowledgement

The research leading to these results has received funding from the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement number 216287 (TAS3 - Trusted Architecture for Securely Shared Services - www.tas3.eu).
