Thursday Mar 30, 2006

Transcending Boundaries with Federated Identity

If you're an 'information technology leader' then you're probably already subscribed to Sun's Inner Circle newsletter, so you've probably already read 'Transcending Boundaries with Federated Identity' - an interview with my fellow architect, Rajeev Angal.

Rajeev presents a thorough grounding in federated identity - what it is, why you should care and how to get started. If you're trying to get a grip on what federation is all about, this is a great place to start.

By the way, there seems to be a glitch with the feedback form at the bottom of the article. If you'd like to comment, then please do so here and I'll ensure it gets back to Rajeev and the Inner Circle crew.

Thursday Mar 23, 2006

Liberty User-Centric Identity Whitepaper and Webcast

There's a lot of buzz around 'user-centric identity' right now - the notion of involving users in the management of their personal information and its use, rather than leaving it to some enterprise or other organization. The folks at the Liberty Alliance have written a whitepaper entitled 'Personal Identity' that shows how Liberty's Identity Federation Framework (ID-FF) and its successor SAML 2.0 can be used to implement user-centric identity - for example, a user providing their own identity services via a Liberty-enabled device such as a cellphone. It's a good read - it starts from the basics, so you should be able to follow it even if you're new to Liberty and SAML.

On the same topic, John Kemp of Nokia and my esteemed colleague Hubert Le Van Gong will be presenting a webcast on April 12 2006 at 8am Pacific. PLEASE NOTE: Registration is required and limited to the first 100 respondents! The last webcast on the Liberty People Service 'sold out' very quickly, so get in there straight away if you're interested. If you're too late, don't despair - the webcast will be available in archive form after the event. I'll update this entry with the URL once it's online.

To register for the webcast, follow these steps.

  1. Go to
  2. Under the heading Attend a Meeting, click Register
  3. Search for centric
  4. Select User Centric Identity: Success Today and click on the Register Button. (Don't bother clicking on the link - it doesn't lead anywhere useful!)
  5. Fill out the required information and click Register Now at the bottom of the page.

Please email Tricia DeHart of the Liberty Alliance Project with any questions.

Tuesday Mar 14, 2006

Project Liberty Adoption - Wow!

Wow - I just looked at the new Project Liberty market adoption page. It seems we've been hiding the Liberty light under a bushel - particularly when you look at adoption in the Telecommunications and Online Service Provider segments. One of the strengths of the Liberty specifications is that they can become transparent infrastructure - AOL users don't need to know that Liberty's Web Services Framework (ID-WSF) is being used to link AOL's services with third-party applications. On the other hand, this doesn't lend itself to market awareness.

Congratulations and thanks to Britta, Lauren and the rest of the Liberty Business and Marketing Expert Group (BMEG) for driving this to completion, and to all Liberty members who contributed information. If you know of a Liberty deployment that is not listed, then please submit it online. As you can see from the current list, you can be listed anonymously or even not at all. In the latter case, the information is still valuable for aggregate measures such as 'total number of Liberty-enabled devices and identities'.

Tuesday Feb 28, 2006

Liberty on the Desktop - 12" Remix

I sprinkled a little magic pixie dust on Hubert's 'User-centric Identity, Liberated' slides - catch the new version here.

Wednesday Feb 22, 2006

Liberty on the Desktop

Fellow Sun architect Hubert Le Van Gong has put together a stellar demo that shows how the Liberty protocols can be put to use in a 'user-centric' fashion:

Briefly, the demo shows a wine merchant site using a Java applet to gather identity data supporting a wine purchase - age, shipping address and payment details. In the demo, the user authenticates to a financial institution, which acts as identity provider, referencing attribute providers that actually manage the different (intersecting) sets of user data.

This brings us to a classic trade-off - Hubert's demo could equally have been implemented with identity and attribute providers running on the user's own machine - there is nothing in the Liberty protocols that constrains the location of these functions. Having your financial institution (or wireless operator or employer or...) be your provider allows you to leverage their infrastructure from wherever in the world you happen to be. On the other hand, having providers running locally on your own machine gives you more control over your data, but only from one machine. Pick the most appropriate model for your situation - the important thing is that you have a choice.

Tuesday Jan 24, 2006

Sun Eats Its Own Liberty Dog Food

One question that I'm often asked by customers is "How is Sun using the Liberty Alliance Project specifications?". Well, my stock answer is 'BIPAC'. The Business Industry Political Action Committee provides expert policy analysis, research and communications on campaigns and elections, and fosters business participation in the political process. Sun employees can access political information on the BIPAC website - who their elected representatives are, their voting record etc.

Now, this is obviously sensitive stuff, with huge implications for privacy. The 'old way' of accessing BIPAC would have involved a regular batch process to synchronize identity information from Sun to BIPAC; Sun employees would authenticate at BIPAC with their Sun ID and a BIPAC-specific password. In this old model, BIPAC would know exactly who I was and would be able to build a profile of my activity on the site. Not only that, I'd have another password to write on a post-it note and stick to my monitor remember.

The 'new way' of accessing BIPAC authenticates employees at Sun (using Sun Java System Access Manager) and uses Liberty ID-FF to give employees single sign-on to BIPAC. Now - here's the clever bit - no personal information is transmitted in the single sign-on process. BIPAC have no idea who I am - all they know is that I am an authenticated Sun employee. BIPAC can then use ID-WSF to retrieve a strictly limited set of attributes, including my zip code. So now, all BIPAC know is that I am a Sun employee in 90210 (well, I can dream). They have everything they need to tell me who my elected representatives are at every level up to Dubya, but no more. They don't know who I am, since they don't need to know who I am. This document gives some more detail on the deployment. Here I am demonstrating the system at a Liberty eGovernment Forum last year in Dublin:

Looking at the wider context, this was an ideal first deployment of Liberty for Sun. A real need for Liberty's privacy features combined with low risk - BIPAC is a valuable service, but not critical to Sun's core business. Watch this space for news as we roll Liberty and SAML out across Sun's other business partners, and, if you're at the RSA Conference next month, be sure to catch Sun's Yvonne Wilson at IMP-101 'Implementing Federated Identity: What Products Do You Need?'. Yvonne is an architect in Sun IT and will be covering our BIPAC integration in her presentation.

Monday Jan 23, 2006

Sun Does Windows - Interoperability Delivered

Late last year I recorded a segment for a Sun 'Net Talk' feature. The feature - Sun Does Windows - Interoperability Delivered went live a couple of days ago. Bill Vass (Sun's CIO), Benjamin Baer (Director, Partner Operating System Marketing), John Tollefsrud (N1 Architect) and Matt Wolf (Senior Product Marketing Manager, Windows on Sun) give an overview of some of the various touch-points between Sun and Microsoft products - I present the Sun/Microsoft Web SSO Interoperability demo in segment 17. This is essentially the same demo that Don Schmidt of Microsoft and I presented back in May 2005, but you get to see more of the actual demo applications this time round. Of course, the rest of the Net Talk is all new, so it's worth watching in its entirety.

Tuesday Jan 03, 2006

My Thinking on Bloggers and Federated Identity

James McGovern, Enterprise Architect at The Hartford, posted a series of questions on federation and blogging just before Christmas. My Christmas vacation started just after he posted that entry, so I haven't had a chance to respond before today. So - here goes... Remember the disclaimer: these thoughts are my own and do not necessarily reflect the official line of Sun Microsystems, the Liberty Alliance or, indeed, reality. Oh - and my cut'n'paste didn't preserve links in the quotations from James' original. Sorry.

Pat Patterson of Sun, commented on one of my comments I left in his blog and only partially responded to my rant that folks in the blogging community need to take an enterprise view to identity and not just evangelize the Liberty Alliance...

I think you're mischaracterizing the 'blogging community' a little there, James. I don't see Kim Cameron doing much evangelizing on behalf of Liberty.

Figured the best way to make my point would be to ask these same bloggers to respond in their own blogs, answers to the following questions:
  • The Liberty Alliance is a wonderful organization that is working towards interoperability but doesn't have as a charter the notion of community formation as this typically occurs within a specific industry vertical. Examples include the SAFE initiative in pharma and Securities.Hub on Wall Street. Do bloggers who work for software vendors have any duty to enable (or at least talk about) the notion of best practices around community formation at an industry vertical level? If so, do they strictly talk in terms of case studies of what has occurred in the past or provide guidance to verticals that haven't yet walked this path?

Wow. Well, personally, I certainly don't feel qualified to enable or talk about best practices in community formation at an industry vertical level. In a previous life, I was involved with Identrus, a consortium of financial institutions working first to enable global authentication of business partners, then to establish a secure payment initiation system, but I worked on the architecture and implementation of the specs. (Heh - I just found this on the Identrus site. The iPlanet brand is long gone, of course, as are some of the listed products. I worked on iPlanet Trustbase Transaction Manager, the last version of which end-of-lifed in Feb 2003.) Anyway - perhaps Robin Wilton, also a Trustbase alumnus, would have a few thoughts on vertical community formation, since he was more on the business side of things.

  • Identity Bloggers pretend that notions such as Sarbanes Oxley don't exist (or at least never mention them). Do they think that federations also need the notion of attestation? If so, don't you think this will become an impediment to corporate adoption of federated identity for many verticals?

Have you read Sara Gates' (Sun's VP of identity management) blog recently? Sara is very interested in Sarbox and compliance - in fact, she wrote this article recently comparing compliance demands to seatbelt laws.

I think that identity management has a huge part to play in compliance. In fact, Sun has a product dedicated to auditing compliance - Identity Auditor. You are spot on in highlighting the need for attestation in federation. I think this will be an area that Liberty will turn to in future.

  • SAML 2.0 is a good move to increase interoperability and should be implemented in all security oriented products. Maybe you can tell us why within the enterprise we should use SAML 2.0 between say Active Directory and RACF vs. sticking with tried and true approaches such as Kerberos?

You use the appropriate tool for the job. Where there is a tried and true approach then use it. For example, if you are implementing single sign-on between some group of websites in the same internet domain, then it would be madness to use SAML 2.0 rather than simply deploying a web-based access management product such as Sun's Access Manager. However, if you are implementing single sign-on between siloed (silo'd?) divisions of an enterprise, each with its own identity management infrastructure, or between an enterprise and a trading partner, then SAML 2.0 is the appropriate tool for the job.

  • The Liberty Alliance can only point to a handful of Fortune 100 enterprises (non-software) that have joined. Its primary makeup is most of software vendors. Maybe you could tell us why an Enterprise Architect that works for a Fortune 100 enterprise would request for next years budget the annual dues for membership vs spending it in other areas?

Well - one motivation would be to redress the balance. Seriously, though, with Liberty membership you're buying a voice in the standards setting process - the ability to ensure that enterprise concerns are heard.

  • Do you think that enterprises are well-served by consolidating identity stores vs keeping them spread all over the place and doing SAML? If consolidation is a good thing, why wouldn't it be a good idea to consolidate identity within Active Directory?

Consolidation is a great thing, though I would counsel Sun's Directory Server over Active Directory, of course. However, consolidation isn't always possible:

  • In the case of an acquisition or merger, consolidation can be a costly and time-consuming process. It's still worthwhile, but often an interim solution is needed to bridge identity infrastructures.
  • Legislation may preclude consolidation - for instance, a multinational corporation may not be able to store all identity data in one location. Or even provide access to more than a strict subset across national boundaries.
  • Consolidation isn't always feasible - Radovan Semančík talks about this in a recent blog entry.
So - I would say, consolidate as far as possible (or sensible) and use federation to bridge to disparate environments.

  • Should SXIP, LID and SAML exchange tokens from one system to those in another or should they continue to do their own thing with their own tokens? If the latter, could this really be considered an identity metasystem according to Kim Cameron's laws of identity?

Ah - user-centric identity. I can't really comment here - I keep an eye on what folks like Sxip and Netmesh are up to (e.g. YADIS), but I can't pretend to any expertise. Chuck Mortimore (Sxip) and Johannes Ernst (Netmesh) (to pick two almost at random) are much better qualified than I am to speak on these issues. And, of course, the mighty Kim Cameron would be best placed to judge whether this is a metasystem according to his definition.

  • If you want corporations to embrace the notion of federated identity, wouldn't it require more than simple "look at me" interoperability demos and for all the vendors in this space to create some publicly available notion of "reference architecture" above and beyond what exists in Project Liberty?

We've done some work in this area, but much more remains to be done. Yes, I know that particular paper addresses a set of telco use cases, but the principles apply across industry boundaries.

  • Acknowledgement that not all problems are technology related and consider asking the Liberty Alliance to take on social / governmental issues related to identity in the same way that Richard Stallman does for the Free Software Foundation. Examples include mechanisms that will allow an industry vertical to form communities without the appearance of collusion. What about certain countries such as Italy that create laws that violate current thinking on identity? Have you seen this article?

Have you been to the Liberty website recently? There are vertical industry sections on Identity Theft Prevention, Healthcare, Guidelines on subjects from the implications of EU Data Protection and Privacy Law for Establishing a Legal Framework for Identity Federation to federation enabling 401(k). This is all there for the taking - no membership required.

Liberty Alliance's Public Policy Expert Group "drives dialogue with global government and nongovernment groups concerned with the many issues pertaining to identity and data management". For instance Benefits of Federated Identity to Government.

Read Robin Wilton's Esoterica for regular articles on social / governmental issues relating to the Liberty Alliance, Sun and identity management in general.

  • More thinking on how identity changes based not on the person but their interaction? Examples may include the notion of "six degrees of separation" or minimally the practice of role affiliation?

Not a topic I can really address in a bullet point reply, but, yeah - interesting. Is a role an identity?

  • How should we think about SmartCards within our own infrastructure and how it plays with federated identity? I know MS is doing this for their own employees.

Well, smartcards as an authentication mechanism play nicely with federated identity. A SAML assertion can (in fact, usually does) identify the mechanism by which the user authenticated, so architecting systems that require smartcard authentication to access a given set of resources is perfectly possible.

  • Should we have a mechanism for discovery of capabilities for various identity systems? Should it be YADIS? Something else?

Good question. Is this what Kim's metasystem will turn out to be? Will YADIS do this? Is there room for more than one metasystem? In that case, do we need a metametasystem???

  • Any thoughts on how federated identity can integrate with Digital Rights Management?

I'm going to play the "not Sun's opinion" card here... In the light of Sony's recent DRM nightmares, I think DRM needs a total rethink. Can DRM work at all? Should content providers' business models change to reflect the realities of the digital world?

  • Any thoughts on how Liberty Alliance can embrace the notion of a Virtual Personality?

What do you mean by 'virtual personality'? I just checked the Identity Gang's lexicon and even they haven't figured out what it means yet.

  • What if we decided to externalize identity and put it on a spacecraft headed to Pluto? Don't take this question seriously.

I'd go back to coding technical analysis systems. Don't take this answer seriously.

  • How come pretty much all of the identity bloggers don't support trackback in their blogs? Is it because they haven't yet figured out how to protect their own identity or that of others?

The short answer is trackback spam. I provide trackback links. Sometimes they work. Sometimes the spam load is so heavy we just turn them off. There is no easy solution right now. I believe the user-centric guys are working on this...

Friday Dec 09, 2005

ADFS, WS-Federation and SAML in the enterprise

James McGovern left an interesting comment on my previous entry concerning WS-Federation and SAML 2.0.

James says

A customer's perspective is slightly different than what you suggest in your posting. MS is doing the right things with WS-Federation. After all, if you consider that 99.9% of all Fortune enterprises and their B2B partners have AD installed, they would eliminate not only the need for SAML but for enterprises to buy yet another piece of software that really should be bundled with the OS in order to solve for problems across enterprises. Federated identity conversation is somewhat consumer focused. Would be great if participants could put on an enterprise lens when considering solutions....

Thanks for the comment, James. I think you're right, up to a point. Microsoft is doing the right things, from the perspective of MS themselves and 'MS shops'. If you have a pure MS infrastructure, then WS-Federation and ADFS are great news. If you have a mixed environment, and some or all of your business partners have a mixed environment, then this is good news, but it could have been so much better. After all, if MS had issues with the way SAML worked in their environment, they could have contributed to the SAML 2.0 process in OASIS and we would have had the 'grand convergence' of federation specs. But, for their own reasons, they chose not to engage there.

I spent Monday with one of our biggest enterprise customers. They have selected SAML 2.0 for web single sign-on across their various departments and divisions and with external partners. WS-Federation makes no sense for them as they have no MS SSO infrastructure - it's all Sun, IBM and Oracle (Oblix). In common with the 99.9% of Fortune enterprises you mention, they do have AD as a NOS directory, so ADFS support for WS-Federation rather than SAML just complicates their lives.

Leaving aside the question of whether federation technology should be bundled with the OS, the fact is that Microsoft are only now beginning to fill the gaps in federation. They have chosen to do so using proprietary specifications (remember, WS-Federation is a specification, not a standard) rather than an existing open standard with wide adoption. It will be an interesting couple of years as enterprises make their choices. But again, choosing products using a common standard would have been so much better than having to bet on a spec.

Thursday Dec 08, 2005

Update on WS-Federation, SAML 2.0

I posted my previous blog entry as feedback to Patrick Harding's SAML 2.0 article in Network World. Patrick was kind enough to reply this morning, saying that Network World TechUpdate articles focus on a single technology which, in this case, was SAML 2.0 rather than the wider topic of Federated Web SSO. Never mind that writing about the convergence of federation technology into SAML 2.0 without mentioning WS-Fed is like not mentioning the elephant in the room.

Anyway, Patrick gave me his permission to post his excised paragraph:

What about WS-Federation? Anyone using Microsoft's upcoming Active Directory Federation Service will be using WS-Federation, as it is the protocol supported by ADFS. WS-Federation will likely become the second important federation protocol going forward, even though the primary focus of the WS-* initiative is web services. While one could argue the industry would be better off with a single standard, having two is a whole lot better than having seven.

I can't agree more - taking the pragmatic view, we now have a converged standard for federated web single sign-on supported by the entire industry save a single vendor. Perhaps Microsoft could one day join us at OASIS in bringing the benefits of WS-Federation to SAML.

Wednesday Dec 07, 2005

SAML 2.0 simplifies federation

Patrick Harding of Ping Identity has written an article on SAML 2.0 for Network World. It's a useful resource, describing both the SAML 2.0 specifications (at a high level) and the convergence of standards and specs that led to them. However, it's a little strange that Patrick makes no mention of WS-Federation, especially since Ping support WS-Federation in a number of their products.
Why so coy, Patrick???

Tuesday Oct 18, 2005

Building Identity-Enabled Web Services

I recently coauthored a technical article on Liberty ID-WSF, JSR 196 and Sun Java Studio Enterprise entitled Building Identity-Enabled Web Services. The article just went live at - here is a slightly adapted version of the intro:

Last October, the article Federated Identity: Single Sign-On Among Enterprises introduced identity federation as it relates to single sign-on (SSO) and demonstrated how Security Assertion Markup Language (SAML) and the Liberty Identity Federation Framework (ID-FF) offer standard mechanisms for cross-domain SSO. That article also briefly described the Liberty Alliance Project's Identity Web Service Framework (ID-WSF) and its capabilities for identity-enabling Web services.

At a technical session at JavaOne 2005 in San Francisco, we delved into ID-WSF and the new developments in the Java Community Process and in Sun's products that enable you to efficiently build identity-enabled Web services. This article recaps the content of that session. Specifically, you'll learn the following:

  • How Liberty ID-WSF identity-enables Web services
  • How components that are based on the J2EE platform, such as JSR 196, insulate you from the mechanics of ID-WSF
  • How Sun Java Studio Enterprise will automate the creation of identity-enabled Web services

Liberty Alliance Sponsors' Meeting - Singapore

I'm here for the week in Singapore, meeting with other Liberty Alliance members. Last night was the member reception - dancing girls and a snake charmer. This is the closest I've been to a snake this size!

Tuesday Oct 11, 2005

Speaking on Identity, Interoperability, Web Services at JavaOne Tokyo 2005

I co-presented two sessions at JavaOne in San Francisco in June. I'm honoured to be invited to repeat them at JavaOne Tokyo next month. Here are the details:

Session ID: JITO000-05
Session Title: Developing and Deploying Secure Identity Web Services in a Federated Environment
Session Abstract: The Liberty Alliance Project (LAP) defines specifications to address cross-business web single sign-on (ID-FF) and provides a framework for building web services (ID-WSF). These specifications are by far the most comprehensive security framework available today to build secure identity-enabled web services. ID-WSF addresses the need to build interoperable, identity-based, identity-consuming, and standard web services. This session focuses on developing client- and server-side components of a secure identity web service based on Liberty ID-WSF specifications and deploying them in a Liberty-enabled environment. This session covers several Java™ standard technologies: Java 2 Platform, Enterprise Edition (J2EE™ platform), XML parsing, JAX-RPC, XML digital signing and encryption, and others, such as Liberty Java APIs built on top of SAML and WS-Security.
Date: Tuesday November 8 2005
Time: 5:00pm - 5:45pm

Session ID: JTES205-03
Session Title: Multiple Platforms, Single Identity: Interoperable identity
Session Abstract: Single sign-on between an enterprise’s web-based resources, such as applications based on Java™ 2 Platform, Enterprise Edition (J2EE™ platform) and .NET, has existed in proprietary form for some time. The need to allow access across enterprise boundaries prompted the development of standards, such as SAML and Liberty ID-FF for identity federation, providing capabilities such as single sign-on and account linking across enterprise boundaries. This session provides a brief overview of the standards for identity federation, shows how to integrate SAML and Liberty ID-FF with J2EE platform Security, and explains how Java technology-based access management products, such as Sun Java System Access Manager, can provide interfaces even into a .NET infrastructure such as Active Directory.
Date: Thursday November 10 2005
Time: 3:00pm - 3:45pm

So - come along and find out the latest about getting your J2EE infrastructure interoperating with AD and .NET, and implementing ID-WSF web service providers and consumers in Java.

Monday Oct 10, 2005

Sun Federation Manager Demonstration

My previous job at Sun (until January 2005) was as technical product manager for Access Manager. The main reason I moved back to engineering to take a technical architect role was so that my business card didn't read like a tongue-twister :-). Anyway - I still dabble on the technical marketing side, helping out when things get busy over there, like last month's technical sales training boondoggle event in Las Vegas - two days of lectures and labs bringing together Sun's identity management marketing team and the Sun system engineers (=sales engineers) affiliated with identity management.
My contribution (no - I didn't get to go to Vegas!) was a new front end for the Federation Manager Liberty Identity Federation Framework (ID-FF) single sign-on (SSO) sample. This sample, shipped with Federation Manager, shows how to get Liberty ID-FF SSO working between an Identity Provider and a Service Provider. Out-of-the-box, this sample comprised a set of functional, yet plain, JSPs. I re-used some old demo layouts to give the sample a bit of pizazz so the SEs could take something away as the basis for a demo. I was going to just put up a few screenshots here to walk you, the reader, through a simple SSO scenario, but then I realised that it would actually be less work to use Qarbon's Viewletbuilder to whip up a flash presentation. So - here it is - just click on the screen below and discover the magic of federated single sign-on...

Click to view Flash presentation