I thought I would comment on something he wrote and then toss in my own general thoughts.

Jackson wrote "Hint, if you aren’t working on a Kindle app for the iPad you’d better be!".

To which I would point out - worse case scenario - since the iPad supports existing iPhone apps - the existing Kindle app should work. Same as B&N Nook app and Stanza.

Though maybe the better question will be  - will Amazon/B&N upgrade the app to be as slick as what the iBooks app looked like on the demo?

Personally I'm not sure if I really want that metaphor but I appreciate the marketing aspect of it.

And I'm not completely sure that iPad will kill Kindle or the Nook. After all - the iPod hasn't completely killed the MP3 or mobile phone alternatives either. In particular if a low-price (under $100) emerges because the battery life and easier on the eyes screen is good enough features to justify owning a dedicated eReader if you read lots of books. I know not many people read as voracious as I do - but there are still plenty of people who like to read.

But I am pretty sure I'll be buying my own IPad as soon as one comes out - with the goal of it at least being able to be used as my travel PC.

--

Posted via email from Virtual Identity Dialogue

But I want to highlight the summary for Directory Services and have a reference post for people to use as comments.

First - Oracle Virtual Directory will be our virtual directory.

Second - We are going to continue to offer both Oracle Internet Directory AND Sun Directory Server Enterprise Edition.

Third  - OpenDS will remain an open-source project

I welcome all of our new Sun colleagues to Oracle. And I look forward to talking to everyone to get feedback and discuss our future direction.

Posted via email from Virtual Identity Dialogue

MDM is an industry standard data solution that provides a single source of truth for customer information. It's particularly useful for large organizations who have customer data in lots of different repositories such as telco or higher education. It's complimentary to a provisioning solution - MDM provides a clean source of truth for a provisioning system. But MDM is not optimized for activities like password management or related account activities. Within Oracle we market our MDM solutions as Oracle Customer Hub.

There are two integration points:
1 - Authentication for MDM
2 - Use MDM as an OVD Data Source

The authentication use case is pretty simple - OVD can be used as the LDAP server for the Siebel MDM application. For example if you have 2 LDAP servers containing users who need access Siebel MDM, you can use OVD.

The more interesting use case is MDM as an OVD Data Source. For example lets say you want to build a web application that provides different level of features based upon customer status (e.g. basic vs premier customer). This data is managed in MDM and OVD can use this data to create an LDAP group without needing to copy the data into another LDAP store. Thus as soon as the MDM status changes, the access control permissions are changed automatically at the same time.

We refer to this capability as Identity Publisher.

There are two papers on this subject:
Integrating Oracle Virtual Directory with Siebel and Oracle Customer Hub
Configuration Instructions for Siebel, Oracle Customer Hub and Oracle Virtual Directory

Posted via email from Virtual Identity Dialogue

Over the weekend via TechCrunch I believe I have discovered the solution to all three headaches- MightyMeeting.

Here is what MightyMeeting does. You upload your PPT to MightMeeting. You then invite people to watch the presentation via email. They have 2 ways to view the presentation - via Web (which is basically a secure flash app) or mobile (currently IPhone/itouch or Android). 

Then as you advance the slides, their slides advance.

I gave it a try yesterday in the office and it was pretty slick.

In particular what I'm thinking is that for something like OOW - I will use the web client to project on the screen and use the iPhone to drive the deck. That way I can get into the audience and make a better connection.

Posted via email from Virtual Identity Dialogue

The lesson in particular is that whenever humans are involved they will not always act as you predict. Players who are better on paper (and Madden) will suddenly disappear on the field. The coach will call a play asking a slow running back to try and run a sweep designed for a faster player.

The quarterback will get nerves and panic and forget what color his jersey is.

What does this have to do with identity management and of course virtual directories?

If you put a system in place to manage identity information like your HR system that people are trained on, has the proper security and backups and audit reports - you should reuse those systems. That way it reduces the chances of the data becoming misused or out of compliance. It also allows you to stretch your dollars because you can reuse the data you already are managing.

A virtual directory like Oracle Virtual Directory makes it easier to re-use this data because it can directly access the HR data without needing to copy it into another system. Thus your portals, single sign-on and databases can be deployed faster and more easily without having to worry about if the data is accurate and secure.

Posted via email from Virtual Identity Dialogue

Of course on one hand we are no where near as advanced in manned space flight as described in those books.

But I think there is more than a kernel of truth to the title of the 2010 movie - "The Year We Make Contact." Though I doubt it will be with any alien monolith.

Instead 2010 is when globally mobile phones really explode both in terms of smart-phone and the low-end. 

Already in 2009 we saw mobile phone subscriptions hit 4 BILLION. There are 7 Billion people on the planet. Which means there is only very few other technologies that have type of reach - we call them fire and the wheel.

While I'm constantly amazed at seeing how the lowly mobile phone has helped improve lives of people in particular in the poorer parts of the world, I want to focus a bit more on the smart-phone market.

This week there were two major phone related announcements.

The first was of course the Google Nexus One. My thought on it is that I agree with one of the TechCrunch op-eds on it - that Google and Apple are tag-teaming the telcos in how we buy our phones. In particular in the next couple of years as new chips emerge that can put multiple radios into a single slim device will make it much easier for handset manufacturers to have one device that can work with multiple providers. I don't think either Google or Apple will knock the other one out. But they could knock some of the other players out. Though with 4 billion consumers in the world - you could probably make a nice business with a very small subset of that even if it meant that nobody in the US has ever heard of you.

The second was the launch of AppMakr. AppMakr lets you convert RSS feeds into a branded, dedicated iPhone application for about $200 US. Meaning you can sell it or give it away for free on the Apple iTunes store. With or Without ads. Since I've made a personal goal for 2010 to actually publish my personal fiction - AppMakr really intrigues me. I foresee it as a cheap way to provide a branded delivery mechanism of short-stories/novellas - something not really easily done with other self-publishing mechanisms. I know it's limited to Apple (though that's still a sizable market) but I wouldn't be surprised if it wasn't extended to at least Android and possibly others in the future.

There is of course implications to identity in all of this but I don't have anything concrete on that to share at the moment.

Posted via email from Virtual Identity Dialogue

Posted via email from Virtual Identity Dialogue

I had used Thunderbird 2 before but I had given it up - in fact I had pretty much moved to Outlook as my primary desktop email client. We also have Zimbra for Web-mail which is nice but sometimes acted wonky in my browser.

In particular I like the new search in Thunderbird 3. It's VERY fast. Fast enough that I have shutdown Google Desktop and forgotten about XOBNI.

So if you are looking for a desktop mail client - with good search. I would suggest giving Thunderbird 3 a try.

Posted via email from Virtual Identity Dialogue

Alright for the nitty gritty.

First - I think it is important to put Google ChromeOS into context. Because it's still early and only the uber-geeks are trying it out - the reviews have tended to be viewed by that community with what they want in an OS. Which is not the audience Google ChromeOS is aimed for.

That out of the way here is what the user experience was like:

1 - You start the machine
2 - You are prompted to login with your Google credentials.
3 - You are logged in what seemed like a second. The screen is really just Chrome browser with the home tab set to your Gmail. A second tab is already opened to your Google calendar.

You can then browse as normal. In the name of research - I then played a game of Bejewled online which is the latest casual game addiction. Because my wife is closer to the target audience of ChromeOS than I am - this was important. Because if a computer that came out today couldn't play Bejewled - she would not use it. So yes, I played the game in the name of research. Sometimes research requires sacrifices like this.

But overall - the OS was a lot more polished than I expected. Of course much of it is built on existing bedrock - Linux, Chrome browser and Google's services. And to be candid - my gut feeling on just playing with it this morning was similar to the feeling I got when I first got a chance to play around with Apple OS X at the first ApacheCon a decade ago. That this - while not completely polished - was going to be a game changer.

I'm not going to say that ChromeOS will kill Windows. But just as OSX drove a lot of requirements for Vista/Windows 7 - ChromeOS could do the same thing here. And as Martha Stewart would say "That's a good thing."

For example imagine your environment that assumed you were always on a network (not entirely far-fetched) but could gracefully handle when you were not. That instead of assuming all of your documents (whether those were docs, spreadsheets, video, music, etc) were going to be default local - were instead stored online. 

You can of course already do much of this today - I for the most part live this. All of my mail exists in the cloud (personal mail in Google, work mail in Oracle Beehive). My project tracking list is managed in Toodledo. My notes for just about everything in Evernote. All of my new work related documents are being stored in Oracle Beehive workspaces. I'm trying (again) to write a novel. This time using Google Docs - primarily so that I can write on it wherever I am without worrying about having the latest chapter with me.

But - while this is possible - it does require dedicated work to use. That's why I'm optimistic about the world moving to a natively integrated cloud OS.

Identity management will have to play to a key role for this to function. For example - to give you the most flexibility about where your documents are stored you will want an Identity Rights Management product to make sure only authorized people can access the docs. There will have to be numerous behind the scenes federated authentication (whether that federation is SAML or something else like OpenID or OAuth) and of course identity attributes will need to be virtualized because that data could literally be - anywhere.

Posted via email from Virtual Identity Dialogue

Initially I was looking at ProjectLocker  which offers hosting for Subversion (or GIT) because I really don't want to run by own Subversion server. While fiddling trying to get JDeveloper to work with ProjectLocker - I discovered I could configure JDev to use its own local repository.

This is great for personal type projects. I get good version control but I don't have to run my own Subversion server. 

Posted via email from Virtual Identity Dialogue

Posted via email from Virtual Identity Dialogue

In particular he's trying to promote the use of SAML Attribute Query as the way to provide callback in Federated Provisioning:
"
In the scenario Nishant describes where the original Assertion doesn't contain all the attributes/claims they want for provisioning, in a SAML implementation why couldn't the SP service initiate the Assertion Query profile to retrieve the desired additional attributes from the IdP service?
"
I think it's important to keep in mind the real competition isn't between SAML or OAuth or SPML. Rather the real competition is to convince people that they shouldn't be doing manual data entry (and storage) of person/identity data. That it is in fact queryable. That's the big hurdle.

Then the second hurdle is actually how to implement this. While SAML Attribute Query would seem to be a preferred choice (standard, most if not all federation products support it) - I think it's still too hard for the average developer to deploy a solution.

For example - he is something I would like to see details on:

How would a PHP developer write a SAML Attribute Query back to a SAML IDP that worked with any server that supported SAML 2?

Posted via email from Virtual Identity Dialogue

Just to make sure everyone understands what we are talking about - let's use an example use case where federated provisioning could be required:
Acme Medical Tools has entered an agreement with an online CRM provider. The CRM provider supports the use of SAML to authenticate the Acme Medical Tools users. However, for Acme Medical Tools to be able to use this CRM provider they must have a local account in the CRM provider's database. Federated provisioning would allow these accounts to be dynamically created and updated using an agreed upon method.

There are basically 2 methods to support federated provisioning:
1 - The CRM system could use attributes provided in the SAML assertion from the IDP 
2 - The CRM system can request the attributes from the IDP using a separate request

I would like to point out that we have customers who have done both scenarios. I even wrote the example being used in our current on-demand demonstration for 11g Identity Management. And in the first case - it is possible that SPML could be used on the SP (the CRM provider) (e.g. the federation server gets the attributes and then calls SPML to create/update the record).

But in regards to the where OAuth could possibly be used is in the 2nd scenario.
As shown by this diagram:

So for example the CRM system would make a "Web Service" (I put in quotes because this could be SOAP or REST, standard (like DSML) or proprietary ) call back to the IDP to fetch the user's attributes.

This Web Service would need some type of authentication/authorization to enable it.  And I think the question is whether OAuth could be a solution besides the usual suspects (e.g. username/password, certificates, some other esoteric WS-* security system nobody except the people who wrote the Mayan calendar understands).

OAuth does have some distinct advantages:
1 - It's very simple to implement - it's more like implementing an application-specific, one-time use password - so small shops with less expertise can implement solutions
2 - It doesn't require certificates (it's almost 2010 and managing/signing certificates is still very difficult
3 - Because OAuth tokens have a native time-to-live capability could simplify the process of renewing service agreements 

To make the discussion easier to follow here is a simple diagram that shows basic OAuth steps.

Nishant correctly points out that OAuth expects an end-user involved. This is because the initial use case OAuth was designed to solve was to eliminate the need for 3rd party services to have your password to access those services. For example if you wanted to create a T-Shirt on CafePress using a photo you had on Flickr - OAuth could be used to access your Flickr account from CafePress without CafePress needing your actual Flickr password. The OAuth token could also have a "time-to-live" attached to it so that for example CafePress could only have access to your Flickr data for 4 hours.

He then wonders if IGF policies could be used. It's an interesting idea on the IGF spec and one we'll have to explore further if people do want to use OAuth for these types of scenarios. The other benefit that IGF could offer to this picture besides defining the spec is that policies could be natively known to the client application via the ArisID API. The API is the area of IGF where I have been spending most of my IGF related time lately and hopefully will be able to share more about that soon.

The other component that comes to mind is that OAuth services will need to be able to allow individuals to map tokens to user identies besides themselvs. For example the Acme Medical Tools federated business manager authorizes the CRM service to access the Acme Medical Tools People Web Service but wants to insure the OAuth token corresponds to the CRM Service - not the actual business manager.  That is an area where other access management components can play a part - entitlements, access management, secure authentication.

This is also potentially related to the new User Managed Access (UMA) initiative in the Kantara Initiative. The goal of UMA is to make it easier for consumers to better manage the data relationships with their vendors. This is not only about privacy but also about enabling new business cases. For example if you are looking to buy a new car - instead of starting the usual searching and maybe asking your friends - you could post a "Personal RFP" that listed your requirements. Federated Provisioning would be needed so the dealerships could get information about you to do their own analysis. UMA would define the protocol around publishing the RFP and how the dealerships could access your data and how you can manage that relationship.  The project was started by Eve Maler and I'm participating as a consulting, non-voting member because as I told Eve - I'm one of a small minority who understands - Identity 2.0, SOA and CRM. 

Hopefully I've shed some more light on the subject for people to think about. I would really like to know if your organization has been looking at federated provisioning and/or OAuth.

Posted via email from Virtual Identity Dialogue

The first video shows a very brief introduction to Oracle Directory Services Manager connecting to OVD 11g.

The second video shows how to create a very common scenario - aggregating 2 different LDAP directories into a single view.

I would recommend watching them in full-screen mode because they will be easier to read that way.

Posted via email from Virtual Identity Dialogue