November 17, 2009

Announcing Oracle Identity Management 11.1.1.2

As you may have seen elsewhere, Oracle released an update to the Fusion Middleware 11g bits. This includes the current 11g IDM products (Oracle Virtual Directory, Oracle Internet Directory and Oracle Identity Federation).

The release is named 11.1.1.2 and can be downloaded here.

For OID and OIF it's basically a bugfix update for R1. For OVD besides the usual bugfixes - we also added several new features. It's why I've informally nicknamed this release OVD 11g - the Director's Cut.

Here are 3 key enhancements in this release:

1 - Ability to search both primary and secondary adapters in a split-profile (aka Join adapter). A split-profile is where attributes for a single entry are split between 2 or more sources (for example username, password in Active Directory, jobcode in HR database). Applications can now search on these entries (they have always been able to view or update) as if they were a single source without needing to copy into a single store. The ForkJoin plug-in provides this functionality.

2 - Hide entries from search results based on a filter. Sometimes customers need to hide entries from being returned from an adapter based on some criteria outside of an ACL. For example, they may need to prevent "classified=Top Secret" or "doNotPublishInAddressBook=true" entries from being returned. While many customers have implemented this behavior before using one of our sample plug-ins (I think it's the first sample I ever wrote) - it's now productized with the HideByFilter plug-in.

3 - Improved Microsoft compatibility. OVD will now support binds where the DN is not a valid DN (like a username) and can add a memberOf attribute to any person entry using the UPNBind and VirtualMemberOf plug-ins.

You can read more about these plug-ins and the additional new features I didn't cover here in the "What's New" section of the documentation.
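
A conceptual model of the hide-by-filter behavior in item 2, added here as an illustration; it is not Oracle Virtual Directory code or the HideByFilter plug-in's implementation, and the entries, rule format and function names are constructed. It shows why the hide rule has to be evaluated on the full entry before the client's requested-attribute list is applied.

```python
# Conceptual model of hiding entries by filter in a directory proxy.
# Added illustration, not Oracle Virtual Directory code; all data is constructed.

BACKEND = [  # constructed sample entries as a backing adapter might return them
    {"dn": "cn=Ann,ou=people,dc=example,dc=com",
     "cn": ["Ann"], "mail": ["ann@example.com"], "classified": ["Top Secret"]},
    {"dn": "cn=Bob,ou=people,dc=example,dc=com",
     "cn": ["Bob"], "mail": ["bob@example.com"],
     "doNotPublishInAddressBook": ["TRUE"]},
    {"dn": "cn=Cy,ou=people,dc=example,dc=com",
     "cn": ["Cy"], "mail": ["cy@example.com"]},
]

# Hide rules as (attribute, value) equality assertions, OR-ed together.
# Assumption: values compare case-insensitively.
HIDE_RULES = [("classified", "Top Secret"),
              ("doNotPublishInAddressBook", "true")]


def is_hidden(entry, rules=HIDE_RULES):
    """True if any hide rule matches one of the entry's attribute values."""
    return any(
        value.lower() in (v.lower() for v in entry.get(attr, []))
        for attr, value in rules
    )


def project(entry, requested):
    """Keep the DN plus only the attributes the client asked for."""
    return {k: v for k, v in entry.items() if k == "dn" or k in requested}


def search_hide_then_project(entries, requested):
    """Correct order: test the hide rules on the full entry, then project."""
    return [project(e, requested) for e in entries if not is_hidden(e)]


def search_project_then_hide(entries, requested):
    """Flawed order: rule attributes are stripped first, so nothing is hidden."""
    projected = (project(e, requested) for e in entries)
    return [p for p in projected if not is_hidden(p)]


def dns(results):
    """DNs of a result list, for comparing the two orderings."""
    return [r["dn"] for r in results]
```

With a client that requests only cn and mail, the first function returns just the Cy entry while the second returns all three, which is the case to test for when an address-book application asks for a narrow attribute list.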

... Apologies if this ends up being a double-post - still having fun figuring out my new blogging system.

Posted via email from Virtual Identity Dialogue

November 6, 2009

Upcoming Webcast: 4 Ways to Optimize Your Identity Management with Virtual Directories

I'll be joined by Alex Petrushko from our partner Identigral to talk about how Oracle Virtual Directory can improve your identity management implementation. Alex will be speaking about how a large telco provider used OVD to reduce time it takes to deploy new applications.

The webcast will be live at:
Nov 19, 2009
12:00 p.m. Eastern/ 9:00 a.m. Pacific (60 minutes)

I believe it will also be available for replay as well.
Register for the Webcast


November 5, 2009

Has Facebook Connect Trumped Them All?

I wasn't able to make it to Internet Identity Workshop this week because I would like to know the thoughts on Facebook Connect. It appears that more and more sites are now allowing you to use your Facebook account to authenticate you.

The experience in my opinion may make this Facebook's killer app (though my wife's obsession with Cafe World, makes me wish I had paid more attention to Flash development back when it first emerged).

The reason is that - I simply clicked on the Facebook icon on the site I was accessing. And because I happened to be logged into Facebook at the time - I was granted access. If you are not logged in, you are presented with the familiar Facebook login in a screen. And it then connects you - NO REDIRECTS.

I fell out of my chair. I didn't think that would be possible. But yet, there it was.

And of course the Connect process is potentially prone to phishing attacks but we've been dealing with those for a long time now. So even if you were a bank and wanted to use Facebook Connect - if you combined it with an anti-fraud solution like Oracle Adaptive Access Manager including potential secondary PIN (so you would have 2-factor authentication without needing to manage millions of additional passwords) - it's not any less secure than current systems.

I'm not sure of the technology behind it. And I know that the bulk of my friends on Facebook - wouldn't care. And if I was running a consumer-facing business that needed authentication for whatever reason - I would strongly consider rolling the dice on just supporting Facebook Connect backed up with traditional local accounts. And tell the other big-guns out there - if you want to play in my space - you have to give me an experience like Facebook Connect.


One more autopost test

I'm trying out http://www.posterous.com which is a nifty new service I found out about via This Week In Startups. Basically it radically simplifies blogging. You send an email to post@posterous.com and bingo you have a blog. No preregistration is necessary. In fact if you don't need to edit your blog - you never ever log into anything.

Plus it will post anything - blogs, photos, video, audio (the latter as attachments). And it supports autoposting which hopefully will make it easier for me to post more frequently. It also means duplicate blogging but that's ok - because it means I can have an IDM blog that is hosted on Oracle and one that is not in case I need the latter in the future.


Test autopost

I'm testing new blog update software.


October 7, 2009

My OOW Sessions

I will be co-presenting on two sessions at OOW.

The first is Getting More out of Siebel and PeopleSoft Applications with Oracle Directory Services on Oct 13 (Tuesday) at 4pm in Moscone South 236.

The second is Microsoft Active Directory and Windows Security Integration with Oracle Database on Oct 14 (Wednesday) at 10:15 am also in Moscone South, Room 236.

We will also have a booth in the Identity Management section.

September 30, 2009

Updated OVD Guide For Managing Oracle Database Users (Enterprise User Security) Posted

Hard to believe it's the end of September.

Anyway we (and by we, I mean Olaf Stullich my fellow PM here in directory services) updated our white paper on Centralized Oracle Database User Management aka Enterprise User Security.

The most prominent change is to highlight we now also support Novell eDirectory with OVD EUS.

September 8, 2009

The Difference In Farm Conversations Between 1909 and 2009

Over the Labor Day weekend, we took a quick trip to visit my parents who still live in Waco, TX (I now live up near Plano, TX). During the weekly post-church (which primarily serves as social network to organize lunch and dinners during the week) lunch - my parents and parents' friends (most of whom, I've known for 20 or more years) got to celebrate the primary accomplishment of Labor Day weekend.

Which is that I finally got my Mom on Facebook. That was much harder than I thought because of lack of updates on the Mac but it did allow me to watch all of the college football games I wanted :).

But what really struck me as funny was that everyone at the table was all playing Farm Town on Facebook. This is a game where you get to plant different crops, raise animals, etc and of course harvest them.

As we were breaking up to go our separate ways - it occurred to me, that the conversations were probably very similar 100 years ago (my parents' church is over 100 years old as a prairie church).

Basically the common phrase was:

"I need to go home and harvest my crops".

Except in 1909 they meant this:

And in 2009 that means this:

September 2, 2009

Simplifying LDAP Access For .NET Developers

I don't do much .NET development these days but I saw this posted on Planet Identity yesterday so I thought I would pass it along for anyone who reads this but maybe doesn't subscribe to the Planet Identity feed.

Zetetic - Zetetic.Ldap - Bringing LDAP + LDIF tools to .NET

It's a new general purpose LDAP API for .NET that at least at first glance feels similar to UnboundID's new LDAP API.

While it's good to see new development in this space - we are trying to move developer identity development into a simpler API via our upcoming ArisID Beans API. Hopefully I will be able to share more about this API soon but as usual - until it's released, I can't publicly talk about it.

However, I can give a slightly more concrete teaser - my goal with ArisID is to make it so that it's like Java Persistence Architecture (JPA) for Identity. Meaning - developers can focus on writing business objects and then just run an IDE extension that creates the proper meta-data (e.g. the CARML file) for it so that an IGF identity provider can provide the data to the client.

It's my belief that if a developer can write something like:

    public class MyCustomer {
        String customerName;
        String customerAddress;
        String customerIdentifier;
        Boolean isGoodCustomer;
    }

That should be basically all they really need to worry about when building identity data into their applications.

Until then, APIs like Zetetic.Ldap can help reduce some of the pain at a lower level.

About


I am Mark Wilcox and I am a Principal Product Manager for Oracle. I'm responsible for Oracle Virtual Directory, Oracle Communications Universal User Profile and Oracle's Identity Governance Framework implementation. I'm perhaps best known for writing Implementing LDAP - the first book on developing LDAP applications (which if you own, then you can judge how I have aged over the past decade).
