Wednesday Jan 16, 2008

Multi-Protocol Federated Identity

Burton Group to prove multi-protocol federated identity can work by ZDNet's Chris Jablonski: Burton Group is going to demonstrate the first multi-protocol federated identity system to prove that multiple federated identity protocols and standards can coexist at its Catalyst Conference North America 2005 on July 13, in San Diego. "Enterprises deploying federated identity are faced with a mix of standards and protocols, including multiple versions of SAML, Liberty Alliance ID-FF, and Shibboleth, plus products that are starting to support the WS-Federation passive profile," said Gerry Gebel, Burton Group senior analyst. "Participants in this event will demonstrate how partners can share identity information regardless of their chosen federated identity product."
Kim Cameron, Microsoft's chief identity architect, believes that Microsoft has an important role to play in enabling identity, rather than seeing it as a revenue center. Well, I'm not too sure about that philosophy, but I do believe that Identity, Access & Policy Management are key components in today's technology marketspace. For starters, "federation" is a means by which individuals or machines authenticate themselves using their credentials, and are then able to access resources in other enterprises and/or organizations without having to authenticate themselves all over again. Sounds like single sign-on, doesn't it? Well, it is single sign-on in a way, just extended to span outside of the enterprise that the individual belongs to. The Liberty Alliance has released its specifications of how identity management systems should work. The Liberty Alliance, as the name suggests, is a coalition of about 70 major industry players, including Sun Microsystems, AOL/Time Warner, Hewlett-Packard, and other major players in market sectors like telecom, wireless, and finance. Sun, being one of the foremost of the industry leaders in evangelising this technology, now has Microsoft working in conjunction towards a singular vision.

VISION: The Network Is The Computer
Sun was founded with one driving vision. A vision of computers that talk to each other no matter who built them. A vision in which technology works for you, not the other way around. While others protected proprietary, stand-alone architectures, we focused on taking companies into the network age, providing systems and software with the scalability and reliability needed to drive the electronic marketplace.
Anyway, getting back to the subject of multi-protocol federated identity systems, I'd like to see this Burton Group report on Shibboleth, Liberty-enabled systems, SWITCHaai & WS-Federation all interoperating!!! After all, this report is not published just for fun, aye! In the midst of all this, if I could quote Craig Barrett:
"When you have common interfaces, common protocols, then everyone can innovate and everyone can interoperate. Companies can build their businesses, consumers can expand their choices, the technology moves forward faster, and users get more benefit."
So very true, wasn't he? All this reminds me of the simple rule: IF "A" trusts "B", and if "B" trusts "C", inadvertently, "A" trusts "C".. emm.. now that's a translation from my old math school formula of "A=B=C". SO IF we apply that to the following:
IF this is true, and IF this is true, then we probably should see something in the likeness of a SUN-IBM interop soon ;-) After all the much awaited move was done quite a while ago. I guess that we're just awaiting an answer from IBM.
MAN !!! am I dying to obtain a copy of this report... You betcha !!

Tuesday Jan 15, 2008

Federated Security: The Shibboleth Approach

The open-source Shibboleth System extends Web-based applications and identity management for secure access to resources among multiple organizations

The Shibboleth System includes two major software components: the Shibboleth Identity Provider (IdP) and the Shibboleth Service Provider (SP). These two components are deployed separately but work together to provide secure access to Web-based resources. A step-by-step description of the Shibboleth sign-on process follows. While the details may vary based on deployment choices, the steps below are typical. The players include the user, who wants to use a protected Web resource; the resource provider Web site, which has installed the Shibboleth SP software; and the user's home organization, which has installed the Shibboleth IdP software.

  • The user navigates to the Web resource using her browser. The resource site is protected, hence requires information about the user in order to decide whether access is permitted.
  • The Shibboleth SP software redirects the browser to a "navigation" page (called a WAYF, for "where are you from"), which presents the user with a list of the organizations whose users may access the resource.
  • The user selects her home organization, and the browser is sent to the home organization's Web site running the Shibboleth IdP software. This site uses a Web sign-on method chosen by the home organization. The user now sees the familiar login Web page of her home organization, enters her username and password, and selects the Login button.
  • The Shibboleth IdP software sends the browser back to the original resource site and includes in the message some security information called an "assertion" that proves the user signed on. The Shibboleth SP software on the resource site validates the assertion and then requests additional information (attributes, such as "faculty" or "student in Film327") about the user by making a request to the home organization's Shibboleth IdP service.
  • The Shibboleth SP receives the user's attributes from the home organization's IdP and passes them along to the resource provider's Web application. The application uses those attributes and its access policy to decide whether the user's access is permitted or denied, displaying the appropriate page to the user's browser.
Often, many of these steps can be skipped. The WAYF can set a cookie in the user's browser so that the user doesn't see that page the next time through. If the home organization's Web authentication service uses single sign-on and the user already has a session with it, the login page won't be seen. In many cases the user can get access to the resource without seeing any intermediate Web pages at all. The process above resembles other Web sign-on schemes. In the rest of this section we present the features that distinguish the Shibboleth System.
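The five steps above, together with the Jan 16 post's description of federation (authenticate once at the home organization, then reach resources elsewhere without logging in again), as an added example that is not part of the Shibboleth publication or of this blog. It is a constructed Python model of the exchange: the assertion is an HMAC-signed JSON document standing in for a SAML assertion and the XML signature a real IdP would produce; the entity IDs, users, passwords and shared keys are invented; and the attribute names `eduPersonAffiliation` and `isMemberOf` are simply the labels chosen here. What the prose alone does not spell out is what the SP must check before it believes the assertion: the issuer is one it knows from the federation, the signature is intact, the audience is this SP, the validity window has not passed, and the assertion ID has not been seen before.

```python
"""Toy model of the Shibboleth sign-on steps: WAYF choice, IdP login, a signed
assertion handed back through the browser, SP validation, the SP's attribute
query to the IdP, and the application's policy decision. Constructed example:
HMAC over canonical JSON stands in for a SAML assertion with an XML signature,
and both organisations are invented."""
import hashlib
import hmac
import json
import secrets
import time

SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # assumed SP entity ID

# One signing key per IdP. A shared HMAC secret stands in for the IdP signing
# certificate a real SP would hold in federation metadata.
IDP_KEYS = {
    "https://idp.uni-a.example.edu/shibboleth": secrets.token_bytes(32),
    "https://idp.uni-b.example.edu/shibboleth": secrets.token_bytes(32),
}

# Constructed IdP-side user store: credentials plus releasable attributes.
IDP_USERS = {
    "https://idp.uni-a.example.edu/shibboleth": {
        "alice": {"password": "correct-horse",
                  "attributes": {"eduPersonAffiliation": ["faculty"], "isMemberOf": []}},
    },
    "https://idp.uni-b.example.edu/shibboleth": {
        "bob": {"password": "battery-staple",
                "attributes": {"eduPersonAffiliation": ["student"], "isMemberOf": ["Film327"]}},
        "carol": {"password": "hunter2",
                  "attributes": {"eduPersonAffiliation": ["student"], "isMemberOf": []}},
    },
}

ASSERTION_LIFETIME = 300      # seconds an assertion stays valid
_handles = {}                 # IdP side: opaque handle -> (idp, username)
_seen_assertion_ids = set()   # SP side: replay cache of accepted assertion IDs


def wayf_choices():
    """Step 2: the WAYF lists the organisations whose users may access the resource."""
    return sorted(IDP_KEYS)


def idp_login(idp_id, username, password, now=None):
    """Steps 3-4 at the IdP: authenticate the user and issue a signed assertion.
    The subject is an opaque handle rather than the username, so the SP learns
    only what the later attribute query releases."""
    user = IDP_USERS[idp_id].get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    now = time.time() if now is None else now
    handle = secrets.token_urlsafe(16)
    _handles[handle] = (idp_id, username)
    assertion = {
        "id": secrets.token_hex(16),
        "issuer": idp_id,
        "audience": SP_ENTITY_ID,
        "subject": handle,
        "issue_instant": now,
        "not_on_or_after": now + ASSERTION_LIFETIME,
    }
    # sort_keys gives a canonical byte form, the job XML canonicalisation does for XML-DSig.
    body = json.dumps(assertion, sort_keys=True).encode()
    signature = hmac.new(IDP_KEYS[idp_id], body, hashlib.sha256).hexdigest()
    return {"assertion": body.decode(), "signature": signature}


def sp_validate_assertion(message, now=None):
    """Step 4 at the SP: check issuer, signature, audience, validity window and replay.
    Returns (issuer, subject handle) or raises ValueError naming the failed check."""
    now = time.time() if now is None else now
    assertion = json.loads(message["assertion"])
    key = IDP_KEYS.get(assertion.get("issuer"))
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, message["assertion"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["signature"]):
        raise ValueError("bad signature")
    if assertion["audience"] != SP_ENTITY_ID:
        raise ValueError("assertion not addressed to this SP")
    if not (assertion["issue_instant"] <= now < assertion["not_on_or_after"]):
        raise ValueError("assertion outside validity window")
    if assertion["id"] in _seen_assertion_ids:
        raise ValueError("replayed assertion")
    _seen_assertion_ids.add(assertion["id"])
    return assertion["issuer"], assertion["subject"]


def idp_attribute_query(idp_id, handle):
    """Step 4, second half: the SP asks the issuing IdP for attributes about the handle."""
    owner = _handles.get(handle)
    if owner is None or owner[0] != idp_id:
        return None
    return IDP_USERS[idp_id][owner[1]]["attributes"]


def app_authorize(attributes):
    """Step 5: the application's policy. Constructed rule: faculty, or anyone in Film327."""
    return ("faculty" in attributes.get("eduPersonAffiliation", [])
            or "Film327" in attributes.get("isMemberOf", []))


def sign_on(idp_id, username, password, now=None):
    """Run the whole exchange and report the outcome the user's browser would see."""
    if idp_id not in wayf_choices():
        return {"granted": False, "reason": "organisation not in federation"}
    message = idp_login(idp_id, username, password, now)
    if message is None:
        return {"granted": False, "reason": "authentication failed at home organisation"}
    try:
        issuer, handle = sp_validate_assertion(message, now)
    except ValueError as exc:
        return {"granted": False, "reason": f"assertion rejected: {exc}"}
    attributes = idp_attribute_query(issuer, handle)
    return {"granted": app_authorize(attributes or {}), "attributes": attributes}
```

`sign_on(idp, user, password)` runs the exchange end to end and returns the decision; `sp_validate_assertion` can be called directly with a tampered, re-sent or stale message to watch each check refuse it. Keeping the handle opaque and fetching attributes in a separate query mirrors the way the walk-through separates proof of sign-on from attribute release.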
Please Read the Complete Publication at

SHLIBERTY : Liberty Alliance

With Identity Management, Federation etc. being the buzzwords of this gen, I believed that having a strong open source federated identity platform to develop from would be a great gift. First it was Andre Durand with SourceID, and now Steven Carmody, the "Mr. Shibboleth of All", gave an introductory presentation on Shibboleth, an inter-institutional approach to federated authentication. Shibboleth, targeted at the education sector, is showcased on Internet2. Mr. Carmody also pointed out that Shibboleth is poised for real wide-scale adoption. NSF would be adopting Shibboleth for its FastLane service on July 30th as part of the United States Government's e-Authentication initiative. Shibboleth is Internet2's access control architecture which complements CAS. Renee Woodten Frost, Internet2's Associate Director of Middleware and Security, provided an introduction to Shibboleth during the Midwest Regional Conference. Then there's Guanxi, the Java implementation of the SAML spec, which complies with the Shibboleth profile extensions developed as part of an Internet2 project. The next release of CAS may use Shibboleth. I shall be following developments on both CAS and Shibboleth. It would be nice if you folks contributed to the information gathered on this topic by commenting on this post, as it would make aggregation of the subject matter easier. I shall keep you posted on this forefront as I keep learning more. Cheers for now. UPDATE: Please read my post on Federated Security: A Shibboleth Approach

Saturday Nov 04, 2006

User-Centric Identity Webcast

An FYI reminder & a cross-post from superpatterns. The reason I'm cross-posting this is because I believe that this is something important and something that everybody should participate in, as the info that this webcast would provide you would prove extremely valuable.
There's a lot of buzz around 'user-centric identity' right now: the notion of involving users in the management of their personal information and its use, rather than leaving it to some enterprise or other organization. The folks at the Liberty Alliance have written a whitepaper entitled 'Personal Identity' that shows how Liberty's Identity Federation Framework (ID-FF) and its successor SAML 2.0 can be used to implement user-centric identity; for example, a user providing their own identity services via a Liberty-enabled device such as a cellphone. It's a good read; it starts from the basics, so you should be able to follow it even if you're new to Liberty and SAML. On the same topic, John Kemp of Nokia and my esteemed colleague Hubert Le Van Gong will be presenting a webcast on April 12 2006 at 8am Pacific. PLEASE NOTE: Registration is required and limited to the first 100 respondents! The last webcast on the Liberty People Service 'sold out' very quickly, so get in there straight away if you're interested. If you're too late, don't despair - the webcast will be available in archive form after the event. I'll update this entry with the URL once it's online. To register for the webcast, follow these steps.
  1. Go to
  2. Under the heading Attend a Meeting, click Register
  3. Search for centric
  4. Select User Centric Identity: Success Today and click on the Register Button. (Don't bother clicking on the link - it doesn't lead anywhere useful!)
  5. Fill out the required information and click Register Now at the bottom of the page.
Please email Tricia DeHart of the Liberty Alliance Project with any questions.
