James Stewart has published a post about how GDS decides when it's ok not to publish source code. The identity assurance programme operates within the approach outlined by James.
We do publish information about our design, but we don’t publish code that would reveal specifics about our implementation of the design. As James explains, 'we don’t publish information about the implementation of the design because it would allow people to create a duplicate and practise hacking it without our being able to detect that activity.'
To give an example of how we publish information about our design, we published our SAML profile in November 2013 whilst we were in alpha. We're planning to update it soon to reflect our most up to date thinking following our private beta. Using an open standard such as SAML 2.0 allows departments working with us to use a variety of products, including open source solutions, to interoperate with us. We've checked to make sure that open source products can be used to integrate with us.
We do want to make our work as transparent as possible, and we will over time release parts of our code that we think are safe and useful to publish. We will be looking at this issue more over the coming months once we have completed the work to launch our service into public beta.