Dave Kearns' IdM Newsletter — TriCipher Offers Fast OpenID Support for SaaS Providers

TriCipher, a leading provider of Internet identity services, announced today that myOneLogin Identity Services now accepts OpenID in addition to SAML, ADFS and other federation protocols. Using myOneLogin, Software as a Service (SaaS) providers can quickly become OpenID relying parties, enabling them to accept credentials from OpenID identity providers like Google Apps.

Robin Wilton - Future Identity — What is copyright for?

Something is rotten, it would seem, at the heart of copyright legislation.

Otto von Bismarck definitely had a point when he remarked (allegedly, at least), that "the less people know about how laws and sausages are made, the easier they sleep at night". That said, if there are unnatural acts being committed in either process, there must be a point at which it's better to know than not to know.

This article, by Bill Thompson, rightly highlights the dangers of allowing copyright law to degenerate into an unregulated mess, devoid of due process and subject to partisan abuse. That far I agree with him. However, I disagree that the best response is to re-draft the law so that it redresses the balance in favour of the data consumer, as opposed to the copyright holder.

The problem with that approach is that we are all, increasingly, publishers of data and (ideally) copyright-holders... of the information we disclose about ourselves. In fact, I have often made the comment that the rights which so irritate us when they are officiously enforced by media pubishers, are exactly those rights which we would dearly love to be able to enforce when they relate to our personal information. If the laws are to be re-drafted, the aim should not be to rebalance the rights of data consumers and data publishers per se... but to ensure that the rights currently accorded to the 'traditional' holders of copyright are extended to all of us.

In other words, it's time that the laws on publishing were extended to protect all those who publish, and not just those who published before Web 2.0 came along.

Unfortunately, if we adopt Bismarck's attitude to the law-making process, instances such as the international Anti-Counterfeiting Trade Agreement (ACTA) and the UK Digital Economy Bill (DEBill) make one thing quite clear: if you wait until the process has finished before worrying about the result, it will be too late.

Pat Patterson - Huawei — A Weekend in Xi’an

I’ve been in Xi’an, northern China, for the past few days, visiting Huawei’s site here. Since my trip ran across the weekend, I found myself with a couple of days to explore the area.

Following Geoff’s lead, on Saturday morning, I headed out to bīngmǎ yǒng, better known in English as the Terracotta Warriors. I had the hotel, Days Xi’an, arrange a ride for me – the most expensive component of the trip at ￥380 (approx $60), but both car and driver were at my disposal for nearly six hours. After a two hour drive through the Xi’an traffic then a few miles of countryside, I arrived at the site to be greeted by an English-speaking guide named Jay, whose excellent service was an absolute bargain for ￥100 ($15). Admission was a very reasonable ￥90 ($13 or so).

Jay walked me round the initial display of a giant marionette warrior (pictured above), made for the 2008 Beijing Olympics, a pair of bronze chariots and other artifacts, then showed me to the 360 degree cinema for a 20 minute film introducing some of the historical background to the commissioning of the Terracotta Army by Qin Shi Huang, the first emperor of a unified China. and its accidental discovery in 1974 by a local farmer digging a well. Amazingly, although the location of the imperial tomb was well known, there had been no historical record of the army itself, so the find came as a complete surprise.

After the film, it was time for the main event – ‘Pit Number 1′ – and what an incredible sight it was – rank upon rank of larger than life warriors, vintage 210 BC. Pit 1 alone contains an estimated 8000 infantrymen, each an individual with different faces, hair and physique. I spent some time walking around the perimeter, just taking it all in. At this point, what was most impressive was the sheer scale of the army – it was only when I saw a couple of the warriors up close in the adjoining display area that I realized the craftsmanship that went into each one.

I took a series of pictures of the ‘Lucky Warrior’ – a kneeling archer – the sole statue found intact, all the others having suffered from the collapse of the wooden roof of the tomb. You can see all of the photos in my Flickr set from the day, but here is possibly the most interesting picture – the sole of the Lucky Warrior’s shoe – complete with three different tread patterns, for the heel, mid-section and front of the sole. When you see the craftsmanship that went into a single warrior, then realize that there are over 8,000 of them, it’s easy to believe that it took 700,000 workers some 40 years to complete!

The tour was rounded off by a visit to the official museum store, where I had an order from Jim for an ‘Old General’. I succumbed to temptation and came away with Jim’s general, an infantryman for myself, and a jade bracelet for my wife, Karen. Ah well; it’s only money, I suppose.

Saturday evening, I went out with Tom, one of the Xi’an engineers, and we discovered the Little Sheep Mongolian hot pot restaurant, where we had an excellent meal of thinly sliced lamb, cooked at the table in a spicy broth, washed down by a couple of bottles of Tsingtao.

Sunday started wet, so I left my ‘real’ camera at the hotel and set off with only my iPhone to take pictures. A mistake as it turned out, as the day dried up soon after lunch – oh well – the iPhone did pretty well, in the event. First order of the morning was to find a source of China Mobile topup cards for my prepay phone, then I relaxed for a couple of hours at the Starbucks next to the hotel with a Chai tea and free wifi – bliss! After lunch I met up with Asen, another Huawei engineer based in Xi’an, and we headed out for a walk around central Xi’an.

Xi’an has the most complete city wall in China, with eight and a half miles of fortifications forming a rectangle around the city center. Right now, the wall is decorated for Yuánxiāojié, or the Lantern Festival, and we walked about a mile and a half along the southern section, photographing the decorations. Coming down off the walls, we happened on a market stall selling chops (name stamps) and I had a ‘monkey’ (my birth year) chop carved with my ‘Chinese name’ – 潘德生. Heading north, we came to the Bell Tower, pretty much the center point of the city. ￥40 ($6) bought a ticket that also included admission to the nearby Drum Tower.

The interior of the Bell Tower houses an exhibition of ancient Chinese pottery showing an amazing level of artistry, while the exterior gives an excellent view of the city including the four gates in the city walls. The Drum Tower contains exhibitions of antique furniture and, not surprisingly, drums. Again, you can walk around the outside of the tower, this time gaining a view of the Muslim Hui quarter of Xi’an.

Leaving the Drum Tower, Asen and I entered the heart of the Muslim quarter, a bustling, colorful street market that seemed mainly focused on grilled beef and chicken kebabs, or chuànr. After a wander around, we chose a restaurant to sample some chuànr and pào mó, a tasty soup of cubed flatbread and beef, washed down with a little more Tsingtao.

I must admit, I didn’t expect Xi’an to have so much to offer. I knew of the Terracotta Warriors, of course, but I was still surprised at the modest grandeur of central Xi’an. If I’m lucky enough to return, I plan to spend a couple of hours circumnavigating the city walls, this time with my ‘proper’ camera

Paul Madsen — Talk to your doctor

Marc Canter - Broadband Mechanics — Dashboard containers and a distributed architecture

I received this comment on my post on fiber optic connectivity from Michael Flynn of the Global Mandala project:

Marc, this is a great article. I’m looking forward to exploring ways in which the Global Mandala Project might be able to work with your vision of Citizen Dashboards, not just as part of our giving portal but also as a tool to provide a monetizable purpose to social networking. I wonder if the shared servers you refer to might not be mobile servers aka smartphones? Could a peer to peer web of servers based on a distributed architecture of mobile phones be a possible wireless network? the problem I see with the open network concept is the UI you engage with it through when every individual entity wants to protect its brand? Your thoughts?

Let me answer Michael’s questions, one at a time:

1.   Absolutely mobile devices and the software running on them - can serve as individual “servers” - for some kinds of applications and services.  Call it “wireless network” or “distributed architecture” - I think you’re getting the  point.

Individual’s dashboards not only serve as a storage of their own person data, but their groups, communities and networks data - as well.  And it’s more than storage.

Interoperability, friending, accessing other’s data, collaboration of all sorts - will all happen via one’s “dashboard”.  It already is.

2.  Obviously entity’s will want to protect and evolve their brands, but I think that exclusion from the distributed world will hurt you more, than creating a closed, propriety brand. The very nature of being open - is hanging with all the open peeps.  Those who choose to remain closed - will be shunned.  And if they want that as their brand, then God bless them.

This is where the notion of “dashboard containers” comes in.  Think of them as a new set of microformats embedded in each dashboard’s page.  These containers would describe who owns the dashboard, how it’s configured, what are it’s social graph and list fo contacts and what is the content associated with their dashboard.  And media too!  Dashboard containers will serve as a level playing field normalizer effect - so ALL dashboards can connect to each other!

Via two-way APIs.

Paul Madsen — Social faux pas

Scott Kveton — Joining the SAO

It was only last week that I was talking about what I was going to be up to next. I’m excited to announce that as of today, I’ll be serving as the interim President of the Software Association of Oregon (SAO) for the next 90 days.

In January I joined the SAO’s board of directors with a very large freshman class of board members. When then-President Harvey Mathews recruited me to join the board last year, he was doing so because of my engagement with the local independent developer and consulting groups here in Portland. I was excited to bring a growing segment of software developers perspective to the board and my first few months on the board have been quite enjoyable as the organization continues to expand its programs.

With Harvey stepping down and me spinning up my own consulting business, the timing seemed right for me to interview for the interim President role and the search committee agreed. I firmly believe there is a great opportunity to link up the experience of current SAO members with that of the entrepreneurial spirit and drive of the independent developer community here in the Northwest.

I’m really looking forward to working with the amazing staff of the SAO to continue its fantastic mission. More to come.

Johannes Ernst - NetMesh — Curl broken in OSX?

Wasted two hours today attempting to HTTP POST some content with a client certificate using curl on OSX Snow Leopard. It somehow would not show its cert to the Apache server.

In an act of desparation, I tried the exact same command with the exact same client certificate on Linux, and it worked.

So I downloaded MacPorts, built curl from there on OSX, and it works. No idea what happened, Google is of no help. I’m mostly posting this that others with my problem can find it.

Lakshman Abburi - Sun — windows cross-platform authentication + WinSSO auth module on AM/OpenSSO

1. When the logged-on user requests a resource from the Web server, it sends the initial HTTP GET verb.

2. The Web server, running the SPNEGO Token Handler code, requires authentication and issues a 401 Access Denied, WWW-Authenticate: Negotiate response.

3. The client calls AcquireCredentialsHandle()and InitializeSecurityContext() with the SPN to build the Security Context that requests the session ticket from the TGS(KDC).

4. The TGS/KDC supplies the client with the necessary Kerberos Ticket (assuming the client is authorized) wrapped in a SPNEGO Token.

5. The client re-sends the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate base64(token) header.

6. The Web server's SPNEGO Token Handler code accepts and processes the token through GSS API, authenticates the user and responds with the requested URL.





Process flow for Windows Desktop SSO module in AM code



1. When the logged-on user (browser client) requests a protected resource from the Web server, it sends the initial HTTP GET verb.

2. The policy agent intercepts the request, sees SSO token in cookie is not present. It redirects it to the web server hosting Sun Access Manager which has WinSSO auth module code (SPNEGO Token Handler code).

3. The Web server, running the SPNEGO Token Handler code (Access Manager Windows desktop SSO auth module), requires authentication to access that resource. So Access Manager code on web server issues a 401 Access Denied, WWW-Authenticate: Negotiate response to the browser client.

4. The browser client calls AcquireCredentialsHandle()and InitializeSecurityContext() with the SPN to build the Security Context. In this process, SPNEGO capable browser requests the session ticket from the Ticket Granting Server (TGS - could be windows domain controller or unix kdc server). This direct interaction between browser and KDC will provide
a) Ticket Granting Ticket (TGT - if not already present)
b) Kerberos or NTLM ticket depending upon configuration. Note AM works only with Kerberos ticket. AM does not support NTLM ticket.
This is wrapped in a SPNEGO token which is presented to AM.

5. The TGS/KDC supplies the client (browser) with the necessary Kerberos Ticket (assuming the client is authorized) wrapped in a SPNEGO Token.

6. The client re-sends the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate base64(token) header to Windows Desktop SSO module of Access Manager running on Unix web server.

7. The SPNEGO Token Handler code in Windows Desktop SSO module of Access Manager running on Unix web server accepts and processes the token through GSS API, authenticates the user. After successful authentication, AM prepares SSO Token in a cookie.

8. AM sends back response to browser with HTTP code - 200. Now browser has SSO Token wrapped in a cookie.

9. Browser sends HTTP Get request to web server hosting policy agent so that it can handle the protected resource request.


References:
===========
MSDN Article-1
MSDN Article-2
MSDN Article-3
OpenSSO doc Article-1

Identity 360 - Imprivata — Alegent Health Turns to Imprivata for Secure Access to Electronic Medical Records in a Virtual Desktop Environment

Imprivata OneSign Provides More Than 11,000 Clinicians with Fast Access to Patient Data from Anywhere in the Health System

Lakshman Abburi - Sun — OpenSSO Windows Desktop SSO sequence diagram

George Fletcher - AOL — OpenID 2.0 Provider support live @ AOL

I'm excited to announce that the AOL Identity Services team has fully deployed OpenID 2.0 Provider support. Directed identity flows are now enabled so just entering 'aol.com' into an OpenID field will start the authentication flow. In addition to directed identity, this release also supports "check immediate" flows, SREG, AX, UI (popup browser), PAPE (as required by the ICAM OpenID 2.0 Profile) and of course the ICAM OpenID 2.0 Profile itself.

We have also improved the UI making it much cleaner and easier to follow. One feature of this new UI is a page that allows the user to choose, when first visiting a new site, whether to use their public OpenID (http://openid.aol.com/<username>) or an opaque one. Of course, this choice isn't necessary if the user provides the relying party their full OpenID or the relying party specifically requests an opaque identifier (via PAPE policy). I'd really appreciate feedback on whether this "privacy" feature is helpful to users or just adds more confusion.

In addition to the existing SREG support, the same attributes will be supported via Attribute exchange. There is equivalent support for the http://axschema.org URIs but only partial support for the Information Card URIs as there weren't direct equivalents for all of the attributes. Here is what is currently supported.

http://axschema.org/namePerson/friendly
http://axschema.org/contact/email
http://axschema.org/birthDate
http://axschema.org/person/gender
http://axschema.org/contact/postalCode/home
http://axschema.org/contact/country/home
http://axschema.org/pref/language
http://axschema.org/pref/timezone

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country

Suggestions or requests for specific attributes are always welcome. One point of clarification regarding email addresses and verification. The current implementation defaults the email address to the user's AOL provided email address but does allow the user to change the value returned to the relying party.

While there is still a lot to do, it feels really good to finally reach this milestone.

Dave Kearns' IdM Newsletter — Time for spring -- and conference season

The Experts Conference and the European Identity Conference soon to get underway

Dave Kearns' IdM Newsletter — Courion Announces Incorporation of India Technology Center

The Pune technology center will support the company's Courion Connector Program by adding to an already industry-leading library of more than 250 connectors. These connectors integrate the Access Assurance Suite with key enterprise applications to further improve support for specific industries such as healthcare, financial services, manufacturing and others.

Dave Kearns' IdM Newsletter — Taking control of unstructured data

How data governance and defining ownership can be key to managing the problem of access to unstructured data

Jackson Shaw - Quest — True story: Ah, we don’t have 6,000 contractors working here.

I had a great response to my earlier true story so I thought I’d relate another one. Plus, I’m on vacation and it’s easier to recount stories than deep-think authorization, why Novell - or Banyan for that matter – were unsuccessful despite having awesome products, etc. So here goes…

I think this took place in the winter of 1998 or 1999. I was a young VP of Sales at Zoomit Corporation tagging along on a final proof of concept for one of the largest heavy equipment manufacturers in the United States. We were asked to integrate the company’s telephone system, Windows NT directory (this was before Active Directory!), their mainframe system and employee database into our meta-directory product. If you ever done something like this you know that you set up your connectors to each of these systems and then spend the bulk of your time mapping individual identities across the various namespaces.

In this particular case we successfully mapped (“joined”) around 60,000 employees but we found that there were approximately 6,000 names that we couldn’t find telephone numbers for. Many of these names were listed in the mainframe and being an old “mainframer” I was suspicious that they had so many mainframe accounts with no associated telephone number. Our conclusion was that the employee database didn’t include their contractors.

When we met for the final review we presented our results and told them we found 6,000 names that were not associated with a telephone number and were not in the employee database. “Did you forget to give us access to the contractor database or was this a test of our engineers?” The company’s representatives looked at each other and finally their director said “We don’t have a contractor database. And, ah, we don’t have 6,000 contractors working here.”

It turns out that their mainframe staff never deleted or disabled any employees who left the company. Apparently, this had been going on for years. Now the obvious security problem had manifested itself when someone was re-hired and a few years later they were still able to log-on to the mainframe with their old credentials – exactly what happened in the previous true story. However, there was a very interesting side effect of the company finally deleting all those old accounts: Once the accounts were deleted from RACF - the mainframe security database – many batch jobs failed to run and the company got back some of their mainframe computing power. So here they were running gosh knows how many jobs that no one was ever bothering to look at. Amazing.

I’m on vacation next week too so I’ll see if I can troll around the memory banks for a few more oldies but goodies. In the meantime, here’s a picture of a new friend of mine down here in Manasota Key, Florida…

Anil Saldhana - Red Hat — Internet is Freedom

An absolutely brilliant presentation by Lawrence Lessig on the topic of "Internet is Freedom" to the Parliament of Italy.


http://blip.tv/file/3332375

The "Internet is Here". It is not going away. Whatever we need to do to make it safe, we have to do.

Please do not forget to watch the entire episode. About 30 mins.

Pat Patterson - Huawei — Bookmarks for March 11th 2010

These are my links for March 11th 2010:

• Monitoring SOAP Messages Made Easy With JAX-WS RI 2.0.1 | Java.net – Documents a couple of system properties that make a HUGE difference to debugging SOAP apps
• How to Trust Any SSL Certificate From a Java Client App – REALLY useful stuff when you just need to get things working.

JISC Access Management Team — FAM for Public Libraries?

I had a very interesting discussion yesterday with a colleague about how it might be possible to make federated access management work for public libraries. As usual, it gets down to the the two basic questions of access management:

• Who is managing credential information to allow authentication?
• Who is authorised to access the resource?

I’ll deal with the second question first as it is perhaps the more interesting. I know very little about how public libraries license electronic resources, but I do know that many are underused. To give you an idea of how the extent of information available online at libraries - have a look at Manchester Public Library’s e-resources.

Manchester Public Library currently manages access via library barcode number - i.e. you have to be a member of the library to access that resource. Interestingly, Manchester City Council is actually responsible for the identity management - you get passed to their website to login and then passed on to the resource.

I wonder if the licence for Manchester Public Library is for library members, or is based on some other criteria? The reason that this is an interesting question is that anyone in the UK is entitled to join Manchester Public Library. I can join from my home in Surrey online, and quickly get access to all of those resources. Fantastic for me! Not a great business model for the publishers. The only reason this is not a real issue is because very few people exploit these access paths.

A different model for public libraries may be not to look at licensing for members, but licensing regionally. Pricing is normally agreed based on regional population, but conversely access is offered to members - a set of criteria that does not add up.

So that is authorisation. Now, authentication.

It does make sense for public libraries to look at using FAM. Barcode access processes are often clunky, often insecure and it is yet another system for both libraries and publishers to have to manage.

If public libraries continue to offer access based on membership, the library or a body related to that library would have to run an Identity Provider in a federated access management environment, as they have the membership information. It may be possible for some libraries to make use of the work being undertaken by Local Authorities to provide federated access for schools - but there will still be technical implementation costs.

A more interesting model might be to exploit the planned interfederation between the UK federation and the Government Gateway. This will allow people with a ‘citizen’ credential within the Government Gateway to access resources within the UK federation. If we then assume that these citizen accounts contain some sort of standard location information (i.e. I live or work within the boundaries of Greater Manchester) it would be very easy to authorise all users against a regionally negotiated licence as opposed to a member negotiated licence. This could be achieved with very little expenditure on technical infrastructure by libraries, local authorities or publishers, but would require a change in the way the libraries negotiate licences. That surely has to be an interesting approach to explore?

Dave Kearns' IdM Newsletter — Mozilla Discusses The Future Of Online Identity Management

This concept project will develop a new way to access your accounts on different websites. It will try to develop a protocol definition that sites can use to define and maintain their account-and-session management features, and a browser implementation of this protocol. Once realized, this technology will enable users to simplify the process of accessing their accounts on supported websites.

Paul Madsen — New line of greeting cards

Jackson Shaw - Quest — Elliott Associates and the takeover of Novell

Very interesting blog post by Andy Updegrove on this topic that you may want to read. I’ve included a few paragraphs below:

…Elliott is in a far better position than Novell's board and management, or of a technology company that may make a bid, so long as Elliott retains self-discipline and walks when the bidding exceeds the internal calculation that it has already certainly made that reflects a prudent purchase.

But these other chess players do have their own advantages.  First up, no one at Novell is going to want to be acquired by Elliott.  Why?  Because Elliott will almost certainly want to break Novell up and sell the pieces.  Indeed, while it has offered $2 billion for Novell, it has already acquired over 8% of Novell at a significant discount off that per-share bid number.  And Novell has almost $1 billion in cash.  So the rewards of a quick hit, followed by a quick breakup, make far more sense than trying to turn around the business of a company that has been struggling to reinvent itself for over 15 years.

What that means is that one would imagine that Novell's talent will be heading for the exits in droves if the Elliott bid looks like it might succeed.  Even if Elliott convinces the target that it plans to run the Company in the long term, the prospect of being managed by a fund with a reputation as a "Vulture Capitalist" better known for buying distressed third world debt is hardly likely to inspire loyalty.

Check out the rest of Andy’s post. It is well worth the read.

Paul Madsen — RFC 2119

Identity 360 - Imprivata — SILICON.COM (UK) - Alder Hey CIO on Going Paperless, Face-Recognition Tech and Putting Off Lorenzo

http://www.silicon.com/management/cio-insights/2010/03/10/alder-hey-cio-on-going-paperless-face-recognition-tech-and-putting-off-lorenzo-39745569/

Dave Kearns' IdM Newsletter — Versatile authentication – break-through for mass adoption of strong authentication?

Reusing existing strong authentication technologies for more use cases makes things cheaper. Being able to use expensive very strong authentication where required but relying on other, cheaper, and appropriate technologies in other use cases reduces costs. Logistics for reused strong authentication technology is cheaper. All use cases, including external users like customers and suppliers, can be supported.

Dave Kearns' IdM Newsletter — Identity Governance Builds Buzz at Gartner IAM Summit

Two years ago, it was difficult to find many people who clearly understood the difference between what they were getting from their provisioning vendor and a true identity governance solution, so we spent a lot of time on basic education.

Paul Madsen — Trust negotiation

Paul Madsen — Trust negotiation

Courion — Study: Employees Continue to Put Data at Risk

Courion Access Assurance Blog

Based on a recent study by the research firm Ponemon Institute it was reported that, "Despite the best efforts of IT departments, business managers continue to disengage, or turn off, their laptops' encryption solution - exposing company information to thieves should the computer go missing."  This is a concern, especially given the increase in sensitive data being made more broadly available (electronic health records, mobile computing...) and the continuing reports of lost or stolen laptops, but there was some that I found even more concerning...

In the report was the statement, "33% of IT practitioners believe encryption makes it unnecessary to use other security measures, whereas 58 percent of business managers believe this to be the case".  One third of the IT people and over half of the business people believe that encryption is the only security measure needed? Without effective management of access, how can you truly protect sensitive information in an organization?  It's like locking a door and not being sure who has a key.

In the report Dr. Larry Ponemon does state, "This study shows that business managers may be overly reliant on encryption to keep confidential information safe and secure".  That's absolutely true and it's clear that the combination of preventive AND detective controls are required to effectively manage the risk of inappropriate access to information.

The goal of any Access Assurance strategy is to assure that only the right people get the right access to the right resources and are doing the right things with it.  So, are you taking a balanced approach?

blog.courion.com

Daniel Raskin - Sun — Make Me a Sandwich!

Identity 360 - Imprivata — Infosecurity Europe Stand # H40

Join Imprivata at Infosecurity Europe. At this conference, information security professionals will meet for a 3 day event, addressing the challenges of today while preparing for those of tomorrow.

Dave Kearns' IdM Newsletter — Google heats up OpenID

OpenID and OAuth will work in tandem to provide single sign-on to third-party applications that are OpenID relying parties. In fact, the recommendation from Google is that application developers simply provide a button that says "Sign in using a Google Apps account" instead of presenting a log-in box.

Anil Saldhana - Red Hat — Oasis Identity In The Cloud Technical Committee

I am pleased to have ignited the establishment of a new Technical Committee called as "Oasis Identity In The Cloud" at the Oasis standards consortium. Prominent security experts in the industry were gracious to participate in the initial brainstorming group I created.

You can read more on the charter here: IDCloud Charter

Apart from Red Hat, the proposers of the TC include Microsoft, IBM, CA, Novell, Rackspace, SafeNet, Yaana Technologies along with a few prominent individuals in the security/identity space. I am sure the proposer list will grow in a few days.

If you are an Oasis member or your company is an Oasis member, you should definitely look at joining this effort.

More details and a call for participation will be announced by the Oasis consortium in a few days.

Keywords: Oasis Cloud Security.

Jackson Shaw - Quest — True story: After being away 2 years I wish I was de-provisioned!

This is a true story. Names have been changed to protect the innocent.

I had lunch with my friend “Jason” from Universal Widgets last week. We hadn’t talked for more than two years and Jason’s first comment was “Did you know I left Universal to go work for Galactic Widgets but I’ve gone back to Universal Widgets?” I was surprised because I had missed out on what my friend was up to for more than two years. But, here we were back at the beginning again. Anyway, we had a good discussion about what each of us were up to but the most interesting part of Jason’s story was his answer to this question: “How was your return to Universal?”

Jason answered that they hadn’t allocated his desk to anyone else so it looked as if a “Jason shrine” had developed while he was gone. “But the worse part of my return was that I was able to logon with my old userid and password!” Where had I heard this before? However, rather than agreeing with me Jason’s comment was: “The worse part was when I started Outlook and I had 25,000 unread messages!”

I guess there can be some things even worse than a security compromise with not being de-provisioned and that’s coming back to two years worth of unread e-mails! I think Jason is still too busy deleting messages to answer his phone…

Neil Wilson - UnboundID — Large result sets in the LDAP SDK

One of the things that I think is particularly nice about the UnboundID LDAP SDK for Java is the way that it allows you to perform a search and have it collect the matching entries in a list that is available in the search result. However, this is really only well suited for cases in which you're sure that you won't get a huge number of entries returned because otherwise the need to hold all of the matching entries at once can cause significant memory problems.

However, if you are going to be dealing with large search result sets, then the LDAP SDK provides a couple of additional APIs that may be of use. The SearchResultListener interface defines methods that can be invoked whenever an entry or reference is returned by the server that allows you to act on that entry or reference as soon as it is received. I've had a number of people ask for an example of how to use this interface, so I've created a simple program, WriteAttrToFileUsingListener.java, that you can use to accomplish this. It's a pretty simple program that performs a search to retrieve all entries containing a specified attribute, and then writes all of the values for that attribute to a specified output file. It's a little more complex than it absolutely needs to be in order to demonstrate just the SearchResultListener interface, but it also serves as a nice example of the LDAPCommandLineTool API that you can use to easily write command-line utilities that need to talk to a directory server.

We also have another class, LDAPEntrySource, which can be used to make dealing with large result sets easier. This class provides an implementation of the EntrySource API (which makes it easy to iterate across entries in a common way regardless of how they were obtained, like returned as search results or read from an LDIF file), and you can treat it kind of like an iterator across search entries. I've created another version of the example program, WriteAttrToFileUsingEntrySource.java, that demonstrates how to use the LDAPEntrySource as an alternative to SearchResultListener to achieve the same result.

Ludovic Poitou - Sun — Oracle and Sun Directory Services...

Mark Wilcox, principal product manager for Oracle Virtual Directory has posted an initial update with regards to Oracle and Sun directory services.
Nothing really detailed so far, but it's good place to post your comments on the Oracle + Sun Identity Management Strategy and more specifically regarding directory services.

To me and my coworkers, the most important messages are :

We are going to continue to offer both Oracle Internet DirectoryAND Sun Directory Server Enterprise Edition

and

OpenDS will remain an open-source project

Details are still being discussed and ironed out, but I hope to be able to share them soon. Stay tuned !

Technorati Tags: directory-server, dsee, identity, ldap, opends, oracle

Ludovic Poitou - Sun — The basics of Flash Memory

These days, everybody get excited with Solid State Disks, flash memory and the performance improvements they have over other mass storage solutions.

We've been running some benchmarks of Sun Oracle Directory Server 7.0 leveraging new Sun flash based hardware modules. Before we go in details about their benefits, my colleague Brad Diggs posted a very educational article on the basics of Flash Memory to set a common understanding of the technology.

Read on and get ready for more data points on how ZFS and Flash Memory can improve Directory Server performances and scalability.

Technorati Tags: directory-server, dsee, ldap, performance, zfs

Ludovic Poitou - Sun — Directory Service Performance Optimization Strategy: Data Priming

Directory servers usually run for long period of times and have stable performances as all caches are warmed by the traffic. But how to get optimum performances as fast as possible right after starting the server ? Brad Diggs has published Directory Data Priming Strategies, another blog post added to the series of articles on Sun (now Oracle) Directory Server Enterprise Edition 7, ZFS and Flash Technologies.

Technorati Tags: directory-server, dsee, ldap, performance, zfs

Phil Windley - Kynetx — The Power of Pull

This week on the Technometria podcast, Scott and I talk to David Siegel, the author of The Power of Pull. David talked to me one or two times quite a while back about identity as he was researching this book, but I didn't really know what the book was about or why he cared about identity. In appreciation, he sent me a copy of the book when it came out and I left it sitting on my desk for a number of weeks before I picked it up. When I did, I was blown away.

I'm certain that the podcast won't do justice to the material in the book--you have to read it for the full impact--but maybe it will give you and idea of why this is such an important work.

For years, we've heard about the semantic web and mostly it's been a bunch of talk about RDF, ontologies, and so on. David's talking about the semantic web, but he does it by telling us how our lives will change when data is portable and systems can manage it without constant interaction with us. These changes--and they're inevitable--will change everything from health to commerce to how we play golf. What struck me as I've read the book was the shear ubiquity of the impact.

The title, Pull, comes from the central idea of the book that more and more people will pull things to them, rather than being at the receiving end of a push. I wrote about what that will mean to commerce in a blog post called Building Fourth Party Apps with Kynetx where I borrowed Doc Searls metaphor of the sewage pump as an apt descriptor for the current regime.

When I think of the changes that the Internet has caused in the last 15 years, I'm amazed, but I also realize that we're just getting a good start. There are myriad changes yet to happen and David has done a great job in this book of laying out what the next set of changes are likely to be, why they'll happen, and what it will mean for individuals and businesses.

The bottom line: this is the most interesting tech book I've read in a long time. I bought eight copies and spread them around the office because I wanted everyone at Kynetx to read it. You should read it too.

Ludovic Poitou - Sun — OpenDS Tab Sweep

It's been a while since I last posted an OpenDS tab sweep. So here's a list of news and pointers related to our open source LDAP directory server.

PCQuest Top Story this month is about the Top 10 Enterprise Open Source Apps, which include OpenDS and an article on Managing Identities with OpenDS.

The OpenDS project is starting to demonstrate its maturity. Several startups and software companies are now officially supporting OpenDS.

iConcur Software delivers new Axiom a Requirements management tool integrates by default with OpenDS.

Bonitasoft, the leader in open source Business Process Management (BPM) and a Grenoble based company, uses OpenDS for testing its support of LDAP repositories and praises it to its own customers, for its ease of use. Ask @rodrigue !

Symeos, another high profile French startup is building its Symeos Appliance Framework on open source projects including GlassFish, OpenSSO and OpenDS.

Janua, a French IT services company specialized in identity projects has included OpenDS in its product offering and has just launched a new site for its LDAPTools.

Sopera, a german company building open source SOA is integrating OpenDS in its development tools and offering, as shown on the screenshot below (courtesy of SpringSource)

Also in the recent days a couple of new LDAP browsers appeared.

• Symlabs announced a Free LDAP Browser, tested to work against many directory servers including Sun Directory Server Enterprise Edition, Oracle Internet Directory and OpenDS. The browser is currently available for Solaris, Linux and Windows.
• For the developers who are using NetBeans, Allan Lykke Christensen is rapidly developing a Maven-based NetBeans module for exploring LDAP services from within NetBeans. The plugin works well with OpenDS, but is currently only offering a read only view of the data.

Finally, in a introductory article titled Microsoft Azure for the Dummies, Ernest regrets the lack of flexibility in the PaaS plans from Microsoft and suggest that Java based OpenDS directory Server as a good alternative for running your own LDAP service on MS infrastructure.

Technorati Tags: directory-server, identity, ldap, opends, opensource, software

Chris Ceppi - Ping Identity — Google Apps Marketplace - Seamless is the Move

I walked out of the Google Apps Marketplace launch last night in Mountain View convinced of a couple of things. One, Google consistently gives out cool schwag, caters well, and runs some of the best lit PR events in the tech space. Perhaps as important, with the new Marketplace, Google has extended the same degree of hospitality on the Apps front and in doing so, they have established a new standard for how business users should expect to use applications. The Google Apps Marketplace is a retail storefront and a set of APIs that enables a bundling of tightly integrated SaaS applications. The apps demoed last night represented a range of business processes from Intuit's payroll to Atlassian's product management to a force.com CRM app from Appirio - all showed seamless integration with Google Apps such as GMail, Calendar, Chat and all kept the user completely in the browser for all tasks.

From an Identity standpoint, Google has positioned Single Sign On as a default integration point. 

The Apps Marketplace model lets users move into and out of all manner of secured business applications without logging in over and over. Removing logins from the flow is a huge step forward in usability. By putting SSO front and center, Google has established seamless SSO integration across multiple apps as an expected part of the user experience - other competing Cloud platforms will likely follow suit. More tightly integrated apps and less logins is all good news for end users.

On a personal note, it's great to see the vision for seamless access to Cloud applications that we have been working on at Ping Identity get mainstreamed by Google. We've collaborated closely with the team at Google to develop secure solutions that make it simple for SaaS vendors to plug into the Google Apps Marketplace. Look us up if you'd like more detail on how it all works.

Marc Canter - Broadband Mechanics — Spring break @ Case week

This is when everyone can get work done - when the students are away!

Congrats to John Slanina on a job - in Youngstown!

“Take away my people, but leave my factories and soon grass will grow on the factory floors……Take away my factories, but leave my people and soon we will have a new and better factory.” - Andrew Carnegie

BloggerCon redux

The Buzz campaign

The year Open Data went worldwide

MidVentures25 got some press

Jon Medved on Entrepreneurism b’Israel

5 reasons why your company should be distributed

Universities and Open Access - interview with David Weinberger

Dave is upset that they watered down Alice, made it more palatable for American/mainstream palettes. My daughters enjoyed it - regardless.

NYTimes is hiring

JayCut - white labeled on-line video editor with Open APIs

Penton Publishing is bankrupt - just walked away from $270M in debt

100 mbps coverage coming - en masse

IronMan 2 trailer

Prezi, Reaktor 5, CrowdSpring, JayCut, the NYC Data mine, Open Clip Art Library, sfe

Marc Canter - Broadband Mechanics — Case Connection Zone in the WSJ

The project we’re working on here at CWRU was written up in the WSJ today.  Unfortunately I can’t link to the full article, as it’s behind a paywall.

In it Lev Gonick (the CIO of CWRU) explains that we’re working on figuring out the recipes for success of ultra high-speed connectivity.

“What do you DO with a 1G connection?”

That is the question.

Now for some answers.

What we launch in late May ‘10 won’t be the final answer, but it’ll be a beginning.

By combining advanced health, energy, education and safety services, a personalized News page and a social network, with blogging, activity streams, live-video help, groups with media sharing we hope to start to answer the question.

Now throw in some compelling local content and services and you’ve got yourself a full fledged ultra high-speed dashboard 2.0.

And that is what is required of every Digital City.

Dave Kearns' IdM Newsletter — Axiomatics, European Entitlement Management specialist, accelerates its US expansion by hiring top IAM analyst Gerry Gebel

Former VP and Service Director for Burton Group Identity and Privacy Strategies, Gerry Gebel, has joined leading entitlement management experts, Axiomatics. Gebel brings more than 25 years of relevant experience to the company both from the Burton Group and from his time in the financial services industry.

Dave Kearns' IdM Newsletter — The business of business is trust

The role of government, Jánszky says, is simple: Stop trying to build walls around the consumer and instead focus on passing laws that enable companies to use personal information, provided they do so in a responsible way and with the full content and oversight of the consumer.

Dave Kearns' IdM Newsletter — SAML vs. XACML for Authorization: VHS versus Betamax?

Who will win the war? I don’t know but there’s something to be said about the fact that progress is being made faster with SAML than XACML.

Jackson Shaw - Quest — SAML vs. XACML for Authorization: VHS versus Betamax?

I’ve had my first customer discussion around implementation of a SAML-based authorization system. Yes, I said SAML – not XACML. There are lots of companies out there building XACML management products. Axiomatics and BitKoo come to mind but while customers have been discussing the potential use of XACML I have yet to run into a customer who is actually writing applications that use XACML. But I have run into my first customer who is already using SAML for the authentication side of an application and now wants to enable attribute-based authorization via SAML. Why SAML? Because they are already using it for authentication.

Is SAML the right “thing” for authorization? Hmmm, I guess if I were a purist I’d say “No” but since I’m a pragmatist I’d say “If it works for your application then use it”. In either case, this brings me to wonder about SAML and XACML from an authorization perspective. Will there be a Betamax versus VHS war in the authorization space? Hard to say. I know Microsoft will be support SAML tokens with the release of ADFS V2 later this quarter. They won’t be supporting XACML.

Who will win the war? I don’t know but there’s something to be said about the fact that progress is being made faster with SAML than XACML. Draw your own conclusions…As they say, time will tell.

JISC Access Management Team — Can you solve this problem for me?

I have a bunch of spreadsheets. Each spreadsheet represents one institution. Each spreadsheet contains a list of resources that institution subscribes to.

I want to turn this around so that I end up with one spreadsheet with each resource as column, and each institution that subscribes to that resource underneath it.

Can anyone suggest ways to make this happen?

Anil Saldhana - Red Hat — Picketlink v1.0.2 is released

Project Page: PicketLink

If you are looking for SAMLv2, WS-Trust and OpenID support for your web applications, then PicketLink is the destination. PicketLink has deeper bindings with JBoss Application Server and Apache Tomcat. But we do offer support for any generic web container.

PicketLink is also the ideal choice for Single Sign On for Seam Applications.

Get it here.

Please stay tuned for more information on this release.

======================

Release Notes for PicketLink Federated Identity
Includes versions: PLFED_1.0.2

** Feature Request
* [ PLFED-5 ] Seam authentication filter: add OpenID support

** Bug
* [ PLFED-19 ] FileBasedMetadataConfigurationStore.loadTrustedProviders keeps trustedFile locked for some indeterminate period
* [ PLFED-25 ] FileBasedMetadataConfigurationStore trusted providers file has improper extension
* [ PLFED-13 ] HTTP_Redirect binding: query string parameter SigAlg is not filled properly

** Task
* [ PLFED-7 ] PicketLink STS - parse the OnBehalfOf contents of WS-Trust request

** Release
* [ PLFED-44 ] Release PL Fed 1.0,2
=====================================

Some new exciting features for Seam and PicketLink integration from Marcel:

http://community.jboss.org/wiki/HowtoaddSAMLandOpenIDauthenticationtoyourSeamapplication


http://community.jboss.org/wiki/ExternalauthenticationexampleusingSSOCircle


http://community.jboss.org/wiki/ExternalauthenticationexampleusingOpenSSO


PicketLink's Seam Module V1.0.2: many new features!

Note from Marcel: It's a big leap forward. The sample app is now a proof that the Seam module of PicketLink integrates well with external SAML and OpenID identity providers. And installing it in a JBoss AS 5.1 server is as simple as deploying the war file. I'm looking forward to the experiences of the community when using it.

Documentation:

http://community.jboss.org/en/picketlink?view=documents

If you are looking for a cheat sheet to run SAML on JBoss AS5.1, take this cheatsheet.

Note:
1. All software has bugs. If not, they are lying.
2. Feedback is greatly appreciated.

Identropy — A Busy Week at Both HIMSS and RSA Conferences

 I am just returning from a week of travel and conference activity, which start for me in Newark, NJ on Monday March 1, from there to Atlanta, GA for the HIMSS Conference 2010 (north of 25,000 attendees), and then on to San Francisco, CA on Wednesday March 3 for the last 2 days of RSA Conference 2010 (about 16,000 attendees), and then back home in NJ on Friday March 5. In all, last week was very busy but very productive for me.

It was good to see a lot of familiar faces as well as new ones, and to see that despite the economy, both of these conferences seem to be well-attended, with tons of vendor participation, and great sessions all around. Maybe this is an uncommon economic indicator (worthy of mention in the NY NPR radio show by Brian Lehrer). This time around I must confess that I spent most of my time outside of the conference session and exhibits meeting with colleagues, prospective customers and friends. For me, this was one of the most productive conference trips I've had in a few years.  Since my focus is always on identity and access management, it is exciting to see the convergence of business [and in many cases technical] requirements and various trends across industries, which drive the need for identity and access management as both an enabler and risk mitigation approach.

At the HIMSS conference, a theme that was very top of mind was "meaningful use" which is driving a lot of vendors and healthcare providers towards electronic health record (EHR) technology, and specifically, the 45 CFR Part 170 specifications. It is clear the US Government incentives for those providers (both professionals and hospitals) that can demonstrate adherence to the meaningful use guidelines is generating momentum.

I had the opportunity to present at HIMSS, thanks to our partner Novell. My topic was "Identity Assurance in Healthcare: what does it mean to you?" (below is my slide deck)

While the 45 CFR Part 170 criteria was published on December 30, 2009, it is interesting to see that at the heart of the requirements regarding authentication, specifically §170.210 "Standards for health information technology to protect electronic health information created, maintained, and exchanged", is the issue of identity assurance, which was captured very cleverly in the 1993 New Yorker cartoon by Peter Steiner, where one dog with a paw on a computer's keyboard tells another: "On the Internet, nobody knows you're a dog".  For well over 15 years, this very issue: knowing, with certainty, who is at the end of the keyboard, has been one of the biggest challenges in the enablement of true paperless transactions and trusted online services in all industry verticals. And healthcare has been no exception.

Inevitably, these requirements and standards will impact the way healthcare information systems will operate and interconnect, whether they are new or legacy, and inaction will most likely not be an option.

Dave Kearns — European Identity Conference 2010

Less than two months to go until the 4th annual European Identity Conference, and registration is now open! Once again, as last year, I'll be delivering an opening keynote as well as hosting two session tracks.

On Tuesday (5/4/10), I'll keynote on "Convergence: Better Control, Lower Cost". Since it's the keynote between a break and Kim Cameron, I should at least get those who want to come early to get a good seat for Kim!

On Wednesday (5/5/10), I'll continue the "convergence" theme with a track called "Value Through Convergence - Consolidate for Better Value, Efficiency and Security".This will feature a conversation with Martin Kuppinger ("5 Quick-Wins to Leverage your Existing Identity Infrastructure through Convergence"), a conversation with Kim Cameron ("Converging User-centric & Enterprise-centric IDs") and two panel discussions: "Converging Data Governance and Access Governance," and "Establishing an Advanced Level of Enterprise Identity Maturity."

Then, on Thursday (5/6/10) I'll tackle "Cloud Platforms & Data Portability". This track will feature an intro talk ("Data Statelessness and the Continuum of Individuals' Data Portability on the Web") by XMLgrrl herself, Eve Maler. We'll follow this up with two great panels: "Social Data Portability," and "Business/Cloud portability."

There'll be other great sessions, also - there always are. Plus, the Deutsches Museum in Munich is a fabulous venue. I hope to see you there.

Anil Saldhana - Red Hat — Is OpenSSO alive?

Reading Rich Sharples post and also this post saying Oracle kills OpenSSO Express, I am left to wonder if OpenSSO as an open source project is alive? Let me ping Pat Patterson and see if he knows anything.

It is always sad to see any open source project unplugged from the community.

I do hope majority of the migrations from OpenSSO adopt our open source project called PicketLink, rather than adopt some commercial solution. At PicketLink, we have strived hard (yeah, really really hard) to keep things as simple and nimble as possible.

Info on PicketLink v1.0.2.

Identity 360 - Imprivata — Webinar Demo: An Introduction to Imprivata OneSign

In this webinar, you will learn firsthand how Imprivata OneSign can help your organization strengthen user authentication to desktops, applications and networks; streamline application access; and simplify the process of compliance reporting.

Dave Kearns' IdM Newsletter — Can authentication be both strong and flexible?

Whether you want to place a bid at Bay, check your bank balance online or your credit rating at Schufa or Experian, or access your corporate SAP account: Instead of asking you to please enter your user name and password, chances are the system nowadays will demand some other method of authentication like a token or a smartcard, or it may offer to scan your finger or iris.

Identity 360 - Imprivata — MVSITE (BLOG) - Imprivata Introduces OneSign Secure Walk-Away to Help Hospitals Increase Patient Safety and Secure Unattended ...

http://mvsite.com/computer_hardware_software_technology/new-media-lab-offers-high-tech-equipment.html

Identity 360 - Imprivata — INFO4SECURITY (UK) - Healthcare Division for Imprivata

http://www.info4security.com/story.asp?sectioncode=12&storycode=4124286&c=1

Identity 360 - Imprivata — DIGITALID NEWS - QUESTIONS RAISED ABOUT BIOMETRICS USABILITY IF DATA IS HACKED

http://www.digitalidnews.com/2010/02/25/questions-raised-about-biometrics-usability-if-data-is-hacked

Identity 360 - Imprivata — St. Croix Regional Medical Center Secures Access to Electronic Medical Records with Imprivata

Imprivata OneSign® Integrated with Fingerprint Biometrics Provides Fast and Secure Access to Patient Health Information

Rakesh Radhakrishnan - Sun — Must Attend event in May at Munich

A premier IDM and GRC event in May 2010. Registration is OPEN!! Do not Miss it.

Identity 360 - Imprivata — E-HEALTH INSIDER (UK) - Imprivata Brings Secure Walk Away to UK

http://www.e-health-insider.com/news/5701/imprivata_brings_secure_walk_away_to_uk

Identity 360 - Imprivata — CRN - 10 Hot Security Products For Health Care

http://www.crn.com/healthcare/223101372;jsessionid=FBGZUMQOAEFD1QE1GHPCKHWATMY32JVN?pgno=8

Identity 360 - Imprivata — HEALTHCARE INFORMATICS - Bits and Bytes from HIMSS10

http://www.healthcare-informatics.com/ME2/dirmod.asp?sid=349DF6BB879446A1886B65F332AC487F&nm=Blogs&type=Blog&mod=BlogTopics&mid=67D6564029914AD3B204AD35D8F5F780&tier=7&id=9858E9FEBA4C4DAA8C781919B34A7

Jackson Shaw - Quest — Windows Licensing in a Unix, Linux, Apple Mac, Java and Web World

Caution: I only play a Microsoft licensing expert on TV. However, I do have 6 years of experience in this area both working on Windows licensing and answering licensing questions while I worked at Microsoft.

Last week, during the RSA Conference, I had the opportunity to meet many customers and partners – always one of the most favorite parts of my job. One pleasant dinner at the Town Hall restaurant in San Francisco was memorable in what our customer had been told his Microsoft licensing requirements would be if he integrated his Unix and Linux systems with Windows and Active Directory. So, rather than pull all the relevant information together in an email I figured I write a blog post explaining the licensing, with references, and send him a link to this blog article. Perhaps someone else will benefit from this, too. Now, on to the questions:

Q: Do you need to purchase Windows client access licenses (CALs) for the Unix, Linux or Mac systems you are integrating with Windows and Active Directory?

A: Generally, no. I say generally because when you set up your Windows servers during installation you get asked if you want to set up your server for device-based CALs or user-based CALs. Nearly every customer I have worked with sets up their servers for user-based CALs. If you use user-based CALs then you do not need to purchase any additional CALs for the Unix, Linux or Mac systems that you integrate with Active Directory. The text directly below is cut-and-paste from this page on Windows Server 2008 R2 Client Licensing. Clearly, “Windows CAL for every named user accessing your servers from any device” is the way to go. (Licensing for previous versions of Windows Server are identical.)

Device-based or User-based Windows Client Access Licenses

There are two types of Windows Client Access Licenses from which to choose: device-based or user-based, also known as Windows Device CALs or Windows User CALs. This means you can choose to acquire a Windows CAL for every device (used by any user) accessing your servers, or you can choose to acquire a Windows CAL for every named user accessing your servers (from any device).

The option to choose between the two types of Windows CALs offers you the flexibility to use the licensing that best suits the needs of your organization. For example:

• Windows Device CALs might make most economic and administrative sense for an organization with multiple users for one device, such as shift workers.
  
• Whereas, Windows User CALs might make most sense for an organization with many employees who need access to the corporate network from unknown devices (for example, when traveling) and/or an organization with employees who access the network from multiple devices.
  

Q: My customers and suppliers are authenticating to Active Directory via a web service (Java, .Net, SAML, ADFS, etc.). I have insertyournumberhere of customers and suppliers who will be using this web service. Do I need a Windows CAL for each person who uses this web service or web application?

A: No. You must have a Windows CAL for anyone who could be reasonably classified as an employee, temporary worker or a contractor. However, for customers, suppliers or others who are “at arms-length” you do not need a Windows CAL. Again, the text below is pulled from the same page on Windows Server 2008 R2 Client Licensing. The relevant text is contained in the 3rd bullet below which discusses “external users” and the Windows Server 2008 External Connector license. The External Connector license costs $1,999 per server but this is far cheaper than purchasing Windows CALs for a large number of external users.

Client Access Licensing Requirements

Every user or device that accesses or uses the Windows Server 2008 or Windows Server 2008 R2 server software requires the purchase of a Windows Server 2008 Client Access License (Windows Server CAL) except under the following circumstances:

• If access to the instances of server software is only through the Internet without being authenticated or otherwise individually identified by the server software or through any other means
  
• If access is to Windows Web Server 2008 or Windows Web Server 2008 R2
  
• If external users are accessing the instances of server software and you have acquired a Windows Server 2008 External Connector license for each server being accessed
  
• For up to two devices or users to access your instances of the server software only to administer those instances
  
• If you are using Windows Server 2008 R2 solely as a virtualization host (you will still require CALs for your appropriate WS edition running in the virtual machine(s) )
  

It pays to be educated about these lesser known Windows licensing details – you could save yourself a ton of money and aggravation.

Mike Jones - Microsoft — Information Card Standard Approved!

I’m thrilled to announce that the Identity Metasystem Interoperability Version 1.0 specification has been approved as an OASIS standard, with 56 votes in favor and none against. This standard benefitted substantially from the input received during the process. Numerous clarifications were incorporated as a result, while still maintaining compatibility with the Identity Selector Interoperability Profile V1.5 (ISIP 1.5) specification.

While this is often said, this achievement is truly the result of a community effort. While by no means a comprehensive list, thanks are due to many, including the OSIS members whose diligent efforts ensured that Information Cards are interoperable across vendors and platforms, the Information Card Foundation members for their adoption and thought leadership work, and the IMI TC members, including co-chairs Marc Goodner and Tony Nadalin, and Mike McIntosh, who was my co-editor. Paul Trevithick and Mary Ruddy get enormous credit for starting and leading the Higgins Project, as does Dale Olds for the Bandit Project. Kaliya Hamlin and Phil Windley were instrumental behind the scenes by running the IIWs. Axel Nennker has been a tireless force, producing both ideas and software, as has Pamela Dingle. Jamie Lewis, Bob Blakley, and Craig Burton all provided insightful guidance on the practical aspects of birthing a new technology. Arun Nanda deserves enormous thanks for doing the heavy lifting to produce the ISIP 1.0 spec. And of course, none of this would have occurred without the leadership and vision of Kim Cameron. Thanks one and all!

Anil Saldhana - Red Hat — Project PicketBox (Security for Java Applications)

I would like to introduce you to Project PicketBox, a security framework for Java Application developers.

Project Page: PicketBox


What does it provide?
An API that can provide the following security features:
* Authentication using JAAS.
* Authorization (Coarse Grained and Fine Grained).
* Audit
* Security Mapping.


What is the latest version?
Latest version for download is 3.0.0.Beta3
Since PicketBox is derived out of "JBoss Security" v2.0 code base, we have chosen to start with v3.


Where I can read the documentation?
You can read it here: PicketBox Overview


Does it provide annotations?
Yes, it does provide Security annotations. (PicketBoxSecurityAnnotations)


Who is planning to use PicketBox?
* The Seam Development team has immediate plans to use PicketBox for Seam v3.
* PicketBox will be available in JBoss Application Server v6.0 M3 and beyond.

Dave Kearns' IdM Newsletter — Talking end-to-end identity management for the cloud (AuthN/AuthZ)

AD FS provides Web SSO for on-premise and internet browser based applications. FIM 2010 provides enterprise identity management in the form of provisioning, synchronization, and workflow. Both are products of the Microsoft ForeFront Security Suite.

Vittorio Bertocci - Microsoft — Using the “Windows Identity Foundation and Windows Azure passive federation” lab with the February2010 Windows Azure Tools

Quite a lot of you guys are trying to use the “Windows Identity Foundation and Windows Azure passive federation” lab (available in the Identity Developer Training Kit, Windows Azure Platform Training Kit and standalone) with the latest version of the Windows Azure Tools for Visual Studio. The dependency checker in the versions of the lab currently available, however, checks for the November release of the Windows Azure tool and gets quite upset if it doesn’t find it.

Eventually we are going to release new versions of the above with updated system requirements, but if you want to go through the lab TODAY with the latest Windows Azure bits all you need to do is changing one of the cmdlets in the setup:

Current CheckAzureToolsForVS.ps1 file:

$res1 = SearchUninstall -SearchFor 'Windows Azure Tools for Microsoft Visual Studio 2008 1.0*' -SearchVersion '1.0.21016.3' -UninstallKey 'HKLM:SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\';

Fix to apply on CheckAzureToolsForVS.ps1 file:

$res1 = SearchUninstall -SearchFor 'Windows Azure Tools for Microsoft Visual Studio 2008 1.*' -SearchVersion '1.0.21016.3' -UninstallKey 'HKLM:SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\';

Note, the requirement for VS2008 still stands.

Happy HOL-ing!

Vittorio Bertocci - Microsoft — The IdElement on Zune Marketplace and iTunes

If you are on the go, doing groceries or sweating on a treadmill, and all of a sudden you feel that you *absolutely* must  get NOW your dose of claims-based goodness… we’ve got you covered!

The oh-so-lucky owners of Zune HDs will be able to get a quick fix in crystal-clear OLED awesomeness via the Channel9 main feed podcast; in few days the direct IdElement feed should appear. That works with pre-HD Zunes as well, or course.

There’s more: thanks to Caleb’s notification and Duncan’s assistance, the IdElement is now available via iTunes as well :)

Paul Madsen — Stupid is as stupid does

Phil Hunt - Oracle — Not just write once, run anywhere, but delpoy and deliver anywhere too!

"Not just write once, run anywhere, but delpoy and deliver anywhere too."

That statement is a quote from Nandini Ramani, Director of Java Development at Oracle (formerly Sun), recently talking about the need for JavaFX in this video. Instead of dealing with the many types of display devices, mobile phones, etc, JavaFX provides a platform for abstracting away the complexities of the myriad of displays and desktops.

I can't help but think how the same problem occurs for application developers writing applications that consume and use personal information. Just as applications have to deal with differing displays, keyboards and keys, identity applications have to deal with different methods of transfer and differing ceremonies (e.g. with user-centric protocols) with each exchange of information, and even differing modalities (as I described last year).

Developers that want applications to deploy and deliver anywhere, have to consider how to support the huge variety of data stores, network configurations, and protocols (LDAP, federated, user-centric), and as well as information governance and assurance issues.

Just as abstracting implementations into layers helps JavaFX, layered abstraction is a key cornerstone to how we are developing the ArisID API going forwards.

Nishant Kaushik - Oracle — A Twittorial on Trust Frameworks

(Updated to reflect provisional status of OIX approval per this – thanks to Brett for telling me)

I just got back home from the RSA Conference in San Francisco this week, where the topic of Trust was second only to all things Cloud. While sessions on Identity Management were few and far between, there was lots of interesting news coming out of the conference (like the U-Prove announcement). I tweeted about the announcements that concern Trust Frameworks, a way for one site (Relying Party) to trust the identity, security, and privacy assertions/claims from a different site (Identity Provider) acting on behalf of a user.

The first announcement was on the launch of the Open Identity Exchange (OIX), a (yet another) non-profit organization (coming out of the OpenID Foundation and Information Card Foundation) that is dedicated to building trust in the exchange of online identity credentials across public and private sectors. The second announcement was regarding the US Federal Government’s Identity, Credential, and Access Management (ICAM) Trust Framework Evaluation Team (TFET) provisionally approving both OIX and Kantara Initiative as a Trust Framework Provider to certify online identity management providers to U.S. federal standards for identity assurance (read more here).

Trying to digest all of this was a little difficult, so as I was stuck in traffic on my way home from the airport, I found myself riveted by a twitter exchange that was flying fast and furious between Paul Madsen (everyone’s favorite source for biting identity musings) and Brett McDowell (till recently Executive Director of the Kantara Initiative, and now technology evangelist at Paypal, one of the first IdPs certified by OIX – so you can see he has unique insight). I have reproduced it here for everyone’s benefit (with their permission, of course).

paulmadsen ICAM is one federation willing to deal with multiple trust frameworks. Will others?

brettmcdowell @paulmadsen ICAM isn’t actually dealing with multiple trust frameworks. It’s all just NIST SP800-63 w/ various means to prove you comply.

paulmadsen @brettmcdowell ICAM is ‘accepting’ OIX, KI-IAF, InCommon . To me those are all trust frameworks (ie certification programs)

brettmcdowell @paulmadsen ah, but what is a “trust framework”? The criteria for trust itself (M04-04 & 800-63) or the method for demonstrating compliance?

brettmcdowell @paulmadsen P.S., in the Kantara case, IAF has criteria as well, but it’s been “mapped” to prove comparability to US Federal requirements.

paulmadsen Components of a trust framework – policies, accreditation, certification, admin, metadata infrastructure, keg parties….

paulmadsen @brettmcdowell if everybody agrees on 800 63 for the former, trust frameworks are distinguished by the latter

brettmcdowell @paulmadsen IAF/OITF (frameworks) differentiated by criteria, KI/OIX (.org’s who certify) differentiated by due diligence on applicant

paulmadsen @brettmcdowell thus KI (conditionally) approved for up to non-crypto LOA3 …

brettmcdowell @paulmadsen M04-04 & SP800-63 is like the “spec”, IAF is like the SCR, and OIX is a registry of those asserting compliance to the spec

brettmcdowell @paulmadsen “non-crypto” is another misleading term/issue. It rules out “pure PKI” but not “signed” assertions (SAML) or claims (IMI)

paulmadsen @brettmcdowell but IAF is more than an extra level of policy detail on top of 800 63 criteria. And OIX is more than a registry

brettmcdowell @paulmadsen for KI to be approved for AL3 PKI & AL4 in US Gov, it needs to cross-certify with the Federal Bridge

brettmcdowell @paulmadsen re: “but IAF is more than” and “OIX is more than” Paul, cut me some slack, this is Twitter, some nuances are going to be lost!

paulmadsen @brettmcdowell point was less about the ‘crypto’ part, and more that diff frameworks may target different parts of ‘assurance space’

paulmadsen @brettmcdowell that’s why I avoid all subtleties & nuances

brettmcdowell @paulmadsen I wouldn’t draw conclusions (or battle lines) regarding trust frameworks just yet. Remember the OIX RFI dialog w/KI is ongoing

paulmadsen @brettmcdowell as I complained to @ve7jtb , want to see matrix laying out components of a generic framework, specific instances mapped on

brettmcdowell @paulmadsen that sounded like a proposal not a complaint. I accept your matrix proposal. Looking forward to reading it when you finish

And of course, Paul had to have the last word, and it was typically Madsen-istic.

paulmadsen @brettmcdowell you know, my wife made that same interpretation 16 years ago. Must be more precise

Hopefully that exchange was illuminating, and gave you enough pointers to standards and topics that might help deepen your understanding of Trust Frameworks. It certainly has given me a lot to think about. While RSA may have been weak on identity related discussions, these announcements are likely to have a huge impact on the identity landscape going forward.

Tags: Brett McDowell, ICAM, Kantara Initiative, Open Identity Exchange, Paul Madsen, Trust Frameworks, User-Centric Identity

Share This:

Phil Windley - Kynetx — Amazon Products in KRL: A New Distribution Model

The first Web service that Amazon put up, years ago, was the ECommerce API that allowed API access to Amazon's product information. That API has gone through several name changes and is now called the Product Advertising API. Thousands of people have used this API to add data about products--and the opportunity to buy them--to their Web sites.

That's the problem, of course. You can use it on your Web site, but you can't conveniently use them in a browser extension to build client-side community apps because your Amazon developer keys would be exposed to the world. The most recent build of KRL changes that by making the Amazon Product Advertising API (PAA) available as a library. That means that it's possible to use Kynetx to build client-side applications that use the PAA without exposing your developer tokens. That opens up a whole host of possible uses for Amazon product information that were difficult to achieve before.

Here's a video that shows this at work:

Of course, to create client-side applications that people will install and use requires more than just pumping more product at them. The KRL integration of PAA includes the ability to access all the user-generated reviews, product information, photos, and other product data that would allow a developer to create a first-rate experience that adds real value for people who download and use their apps.

KRL makes using PAA easy. To get started, you simple put your Amazon developer secrets and associate ID in the meta block of your application:

meta {
  key amazon {
    "token"        : "absjj99a9ad9ad8799",
    "secret_key"   : "absjj99a9ad9ad8799abs79999a9ad9ad8799",
    "associate_id" :  "windleyofente-20"
  }
}

These are stored securely in the cloud and not divulged to users of the application.

The KRL Amazon library has two primary methods: ItemSearch and ItemLookup. With ItemSearch the search index is a parameter and additional parameters depend on the particular index. ItemLookup takes an Amazon product ID (ASIN) as it's primary parameter. Here's an example:

amazon:item_lookup({"ItemId" : "B00008OE6I",
                "response_group" : "ItemIds" })

The response is returned as JSON so that you can use JSONPath to pick it apart and use it. Here's a piece of the response to the previous query:

"Item" : {
            "OfferSummary" : {
               "LowestUsedPrice" : {
                  "Amount" : "3999",
                  "CurrencyCode" : "USD",
                  "FormattedPrice" : "$39.99"
               },
               "TotalRefurbished" : {},
               "TotalUsed" : "8",
               "TotalCollectible" : {},
               "TotalNew" : {}
            },
            "ASIN" : "B00008OE6I"
         }

Here's a video showing a little more about how this is done and giving a working example.

You can install the example that we used for the first video or just view the source code using the app detail page in the Apps Directory. Here's the documentation for the Amazon library.

The Amazon integration with KRL allows Amazon developers to build client-side application that use Amazon product data without exposing the Amazon developer credentials--something that's been hard in the past. KRL is designed to make using online data like Amazon or Twitter easy and quick. We'll be annnouncing some other major data and service integrations over the next few weeks as we gear up for Kynetx Impact in April. Come join us.

Marc Canter - Broadband Mechanics — 1st weekend of March blogging - ‘10

Once again Zynga proves that…..

Yahoo makes good on their open promises!  Yahoo Contacts connects to Facebook Connect! I wonder if I can import a client’s mail list of 15k names?

TiVO rising - coolio new Internet rev 4 & they just won a $300M judgement against Echostar!

Permanent World Encyclopedia - by H.G. Wells (circa 1938)

WHAT!  Apple acting like an evil company!  No!  Tell me it isn’t so!

The Guardian’s Police API!

What is Hadoop?

Collinwood will finally get it’s giant Red center!

The future of higher education - Lev is quoting Frank Zappa

MyPad, MySchmad - this is what Microsoft has percolating….

I really like John Battelle’s weekly blog summary posts. His combo of linking and commentary is what I strive for.

How many YEARS did I spend pitching virtual trade shows?  And here they are - finally appearing!  Conference vendors shoudl think long and hard about keeping up the momentum of their brand and the conversations - 24/7/365. Loic?

The other BigDave is partying in NYC

NOTE to iDEA Institute peeps: BloggerCon format!

NOTE TO SELF: Learn Reactor and Reichatron!

prezi, StatusNet, BBYIDX, Foodspotting,

Anil Saldhana - Red Hat — AS5: Specifying Security Domain Configuration

Historically, JBoss AS has provided the DynamicLoginConfig service to specify your security domain configuration (JAAS login modules). Starting JBoss AS 5.0, we provide a simplified xml version of that as follows:

You will need to create a xxx-jboss-beans.xml file and then you can define your login modules as follows:
===================================
<?xml version="1.0" encoding="UTF-8"?>

<deployment xmlns="urn:jboss:bean-deployer:2.0">

<application-policy xmlns="urn:jboss:security-beans:1.0" name="web-test">
<authentication>
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">anonymous</module-option>
<module-option name="usersProperties">u.properties</module-option>
<module-option name="rolesProperties">r.properties</module-option>
</login-module>
</authentication>
</application-policy>

<application-policy xmlns="urn:jboss:security-beans:1.0" name="ejb-test">
<authentication>
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">anonymous</module-option>
<module-option name="usersProperties">u.properties</module-option>
<module-option name="rolesProperties">r.properties</module-option>
</login-module>
</authentication>
</application-policy>

</deployment>


==================================

We still support the DynamicLoginConfig mbean definition approach also. But the afore mentioned approach is simpler.

DZone Article: http://server.dzone.com/articles/security-features-jboss-510

Frequently Asked Questions:
1. Where do I place the xxx.properties files for the UsersRolesLoginModule?
You can place them under the conf directory.

Burton Group — Catalyst Europe is Coming Up Fast!

Blogger: Bob Blakley

We hit the stage for Catalyst Europe on April 19.  If you haven't already made your plans to join us in Prague, we've got a little treat for you at the end of this post.

We're going to focus this year on the emerging identity architecture.  If you're looking, you can see this identity architecture around you already, in offerings from mainstream identity vendors like Microsoft and Oracle, but also in offerings from smaller firms like Gluu, Unbound ID, Radiant Logic, and others.

The elevator-pitch version of the story is this: licensed provisioning software packages compete in a market for identity management systems.  User-centric identity providers compete in a market for identity providers.  What enterprises need is neither a market for identity management systems nor a market for identity providers - what they need is a market for identities.

Federation technology, directory virtualization, and contextual access control can be combined to create a technical architecture on top of which this market for identities can emerge.  The market for identities has many advantages, but getting there will take time and it will take work.  We'll lay out the roadmap in Prague.

If (like me) you're a last-minute kinda person and you haven't registered yet, here's your reward for waiting: use the promo code "INSIDER" during registration, and you'll get your ticket for the discounted price of only 995 Euro.

Sign up today and we'll see you there!