Monday Jul 27, 2009

OpenSSO Express Build 8 and OpenDS SE 2.0

Flashing through the ether this morning was a press release covering OpenSSO Express 8 and OpenDS SE 2.0. Since OpenDS SE 2.0 was released a week or two ago, my colleague Ludo Poitou has documented its arrival and some of its new features in a series of blog posts:

Ludo calls out assured replication, an extension to the existing loose consistency multi-master replication feature that brings tighter consistency of data between replicas, as the biggest innovation in OpenDS 2.0; I know it's making an impact because, the very next day after OpenDS 2.0 was released I was approached by an attendee at the Community Leadership Summit singing its praises!

Over in OpenSSO-land, we're putting the finishing touches to OpenSSO Express Build 8, due for release in a couple of weeks' time. This release will include our new Mobile One Time Password feature, the Fedlet for .Net and a new task flow for enabling single sign-on to Salesforce.com and a whole host of other goodies, so watch this space for its availability!

So, what's an Express Build? Well, as I mentioned when we released OpenSSO Express Build 7, back in April, Express Builds are supported 'snapshots' of development between full 'OpenSSO Enterprise' releases, allowing customers to get support on new features without waiting months for the full release. The key difference between Express builds and Enterprise builds is that fixes to Express builds are rolled into the next Express build, along with new features, while Enterprise builds have 'bug fix only' service packs and hot patches available for paying customers. Obviously, Express builds aren't for everybody, but we're finding that they work well for a lot of folks. There's lots more information and a FAQ at the OpenSSO wiki.

Sunday Jul 19, 2009

Shhhh - get into the Sun Hospitality Suite at Burton Catalyst 2009 FREE

I blogged last week about Sun's hospitality suite at the Burton Catalyst conference in San Diego later this month (July 29th to be exact). I included a priority code in that post that would get you a discount off Catalyst conference registration; well, with a bit of digging I've unearthed the code that will get you a pass to get into the hospitality suites (NOT the sessions, mind) absolutely free (and, as we all know, there's nothing better than free, right?). Just register at the Burton site with super-duper secret priority code sun1du0w - and, shhhhh - don't tell them you got it here.

Tuesday Jul 14, 2009

Coming Up - Burton Catalyst Conference 2009 - and Don Bowen - in San Diego!

There's DIDW, IIW and even the SSO Summit, but, for me, the premier identity conference of the year is still Burton Catalyst. I've been going since (if I remember correctly) Burton Catalyst Europe, 2002, in Munich, and it's always a great industry gathering, with thought provoking sessions and fun hospitality suites (so much better than an expo floor!).

This year, from July 27th-31st, Catalyst returns to San Diego, at the Hilton San Diego Bayfront Hotel, and Sun's identity team, as usual, is hosting its very own hospitality suite, on the evening of Wednesday July 29th. The theme for 2009 is Hip Hop - East Coast vs West Coast.

We'll have a break-dancing crew, 'signature East Coast/West Coast munchies', a whole bunch of demos, one-to-ones with Sun's identity domain experts (and me), and much, much more. It promises to be a VERY fun night. If you haven't yet registered for Catalyst, here's some good news, Burton are offering discounts on registration for 'Sun friends' - register at the Burton site with super-secret priority code sunFriend and we'll see you on the night!

Switching gears slightly, it was at my very first Catalyst, at Munich, back in 2002, that I first met Don Bowen, then (again, if my memory serves me) technical product manager for Sun Directory Server. We worked together in product management for a couple of years, and remained very close friends when I returned to engineering in early 2005.

If you know Don at all, you'll be aware that he's been fighting brain cancer since late 2007. In characteristic Don style, he's not taking it lying down, but battling away in great spirit, documenting the journey in regular blog entries. It's inspiring stuff, and puts most people's day to day travails into pretty sharp perspective. Anyway, the good news... make that GREAT news, is that Don will be at Catalyst this year, and a few of us have organized a post-hospitality suite get together to share a few beers and (if past experience is anything to go by) a lot of laughs with Don. It's on Wednesday July 29th, the same night as the Sun hospitality suite, at Henry's Pub, 614 5th Ave (between G St and Market St), about 15 minutes walk north of the Hilton. Full details are at the Meetup page we created for the event. Please RSVP if you're planning on joining us!

UPDATE Eve also covers the Project Concordia workshop being held on the Monday: Use Cases Driving Identity in Enterprise 2.0: The Consumerization of IT and the Cloud SSO Interop Demo, in which Sun is participating with OpenSSO. Two more reasons to be in San Diego the last week of July!

UPDATE 2 Get into the Sun hospitality suite FREE!

Wednesday Feb 25, 2009

Security Geek Irony

On going to the RSA Conference website:

Saturday Feb 14, 2009

Federated Provisioning - Liberty to the Rescue???

I thought I'd throw my hat into the ring of the current federated provisioning discussion (Ian, Nishant, Ian again, James) ...

Looking at the contentious #2 in Nishant's post, the Liberty Alliance standardized one approach to this several years ago with ID-WSF.

To recap the scenario:

Suppose two companies, Acme and Omega enter into a federation agreement, whereby employees of Acme will be able to access a service at Omega using their Acme credentials. There are two scenarios here for federated provisioning.

[...]

Acme decides that they are not going to decide beforehand which employees are allowed to access Omega's service. Instead, a link to the service is available on Acme's intranet, and whenever a user decides to go to the service, they should be given an account. In this case, no pre-provisioning is taking place. Instead, the provisioning has to occur in real-time, when the user accesses the service via the intranet link for the very first time.

The idea here is that when Omega's federation server encounters the incoming SAML token for a new user, it would recognize that the user does not have a federated account, and send the SAML token to Omega's provisioning server. The provisioning server would create the account right then and there, and return the necessary result back to the federation server so that the federation server can proceed to grant the user access.

Now, in my Liberty-tinged version, when sending a new user to Omega, Acme includes a reference to their Employee Profile (EP) service - essentially the service's endpoint URL - in the SAML assertion. This endpoint reference serves as both a description of where to find the service and permission for Omega (when sent as part of the signed SAML assertion) to invoke that service.

On receiving the assertion, Omega sends a signed request to the EP service, the request containing the SAML assertion it just received. Now, the EP service knows that Omega is entitled to access that employee's data, since it has a signed SAML assertion, issued by Acme itself, that says exactly that (via the presence of the EP endpoint reference). The EP can return exactly the data required (this will have been configured according to the underlying contract between Acme and Omega).

Finally, if desired, the EP can leave a marker in the employee's account that says 'account provisioned at Omega', so that Acme doesn't send the EP reference in every SAML assertion. Alternatively, Acme could deliberately send the EP reference every time. Or even reset the marker when the employee's account changes in a significant way (say, her purchasing limit is changed) so Omega can fetch the new employee data.

In scenarios where manual intervention is required on the Acme side, the EP service can return a response that says "Come back later", and the Omega service relays that to the user.
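The Acme/Omega exchange described above, as an added simulation that is not part of the original post or of any Liberty ID-WSF implementation: HMAC over a constructed shared key stands in for the XML signatures on the assertion and the request, EP_ENDPOINT and the employee records are constructed, and passing the Acme object to Omega stands in for the network call to the EP service.

```python
import hmac, hashlib, json

# Constructed shared key: a stand-in for the XML-DSig keys that would really
# sign the SAML assertion and the ID-WSF request.
FEDERATION_KEY = b"constructed-acme-omega-federation-key"
EP_ENDPOINT = "https://ep.acme.example/EmployeeProfile"  # hypothetical EP service URL
CONTRACT_ATTRS = ("email", "purchasing_limit")             # what the Acme/Omega contract allows

def sign(payload):
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(FEDERATION_KEY, data, hashlib.sha256).hexdigest()

def verify(payload, signature):
    return hmac.compare_digest(sign(payload), signature)

class Acme:
    """Acme's identity provider plus its Employee Profile (EP) service."""
    def __init__(self, employees):
        self.employees = employees  # username -> profile dict

    def issue_assertion(self, user, audience):
        body = {"issuer": "acme", "subject": user, "audience": audience}
        # Carry the EP endpoint reference only until Omega has provisioned the
        # account; the marker is cleared again when something significant changes.
        if audience not in self.employees[user]["provisioned_at"]:
            body["ep_endpoint_reference"] = EP_ENDPOINT
        return {"body": body, "signature": sign(body)}

    def ep_query(self, request):
        assertion, body = request["assertion"], request["assertion"]["body"]
        # Omega's request must be signed and must carry an Acme-signed assertion
        # that names this EP service and has Omega as its audience.
        if not (verify(request["body"], request["signature"])
                and verify(body, assertion["signature"])
                and body.get("ep_endpoint_reference") == EP_ENDPOINT
                and body["audience"] == request["body"]["requester"]):
            return {"status": "denied"}
        emp = self.employees[body["subject"]]
        if emp.get("pending_review"):          # manual intervention needed at Acme
            return {"status": "come back later"}
        emp["provisioned_at"].add(body["audience"])
        return {"status": "ok", "profile": {k: emp[k] for k in CONTRACT_ATTRS}}

    def change_purchasing_limit(self, user, limit):
        self.employees[user]["purchasing_limit"] = limit
        self.employees[user]["provisioned_at"].clear()  # Omega must refetch

class Omega:
    """Omega's federation server, provisioning accounts on first access."""
    def __init__(self, acme):
        self.acme = acme     # stands in for the network call to the EP service
        self.accounts = {}

    def access(self, assertion):
        body = assertion["body"]
        if not (verify(body, assertion["signature"]) and body["audience"] == "omega"):
            return "denied"
        user = body["subject"]
        if "ep_endpoint_reference" in body:
            req_body = {"requester": "omega", "assertion_signature": assertion["signature"]}
            reply = self.acme.ep_query({"body": req_body, "signature": sign(req_body),
                                        "assertion": assertion})
            if reply["status"] != "ok":        # relay Acme's "come back later" to the user
                return "pending" if reply["status"] == "come back later" else "denied"
            self.accounts[user] = reply["profile"]  # create, or refresh, the account
        return "granted" if user in self.accounts else "denied"

def make_acme():
    # Constructed sample employees: Alice is ready, Bob still awaits manual review.
    alice = {"email": "alice@acme.example", "purchasing_limit": 5000, "provisioned_at": set()}
    bob = {"email": "bob@acme.example", "purchasing_limit": 0, "provisioned_at": set(),
           "pending_review": True}
    return Acme({"alice": alice, "bob": bob})
```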

Of course, de-provisioning is a different kettle of fish, but the advantage of federated access to services is that, once the employee is gone from the Acme end, he has no way to access the Omega service anyway, so de-provisioning is a little less urgent than if the employee was logging in to Omega directly.

Like I said, ID-WSF has been around for years. Perhaps it hasn't had much adoption because businesses weren't encountering the problems that it solves. Seems like that might change now...

Sunday Feb 01, 2009

Referential Integrity, Ted & Alice

For whatever reason, James hasn't moderated-in my comment on his Random Thoughts for 2009-01-18, so here it is in blog entry form...

For some reason, James has a bee in his bonnet over referential integrity and LDAP. I'm really not sure where he's coming from here - both OpenDS and OpenLDAP offer referential integrity (OpenDS ref int doc, OpenLDAP ref int doc), and Sun Directory Server has offered it for years (Sun Directory Server ref int doc). Does this answer your question, James, or am I missing something?

By the way, if you're wondering about the title of this post, it's an allusion to the mighty Half Man Half Biscuit's 1986 track Architecture and Morality, Ted & Alice, which itself was a play on the titles of Orchestral Manoeuvres in the Dark's 1981 album Architecture & Morality and the 1969 movie Bob and Carol and Ted and Alice. If there was any justice in the world, there'd be a neat link back to the world of identity here, but there isn't, so there's not...

Tuesday Jan 20, 2009

Desktops in the Cloud

Crack Sun identity management field operatives Paul Walker and Joachim Andres have put together an amazing demo of Sun's identity stack working with Sun xVM and Secure Global Desktop to provision (and disable!) 'Desktops in the Cloud' to end users. It's an integration tour de force, bringing together a whole slew of Sun products into a whole that is much more than the sum of its parts. Cool soundtrack too - well worth 12 minutes of your time. Oh - and make sure you view 'full screen', so you can properly see what's happening - there's quite a lot going on!

Saturday Jan 17, 2009

Identity Management Buzz TV Videos from DIDW 2008

At DIDW 2008 last September, Daniel Raskin, Nick Wooler and I, among others, recorded a series of videos covering various aspects of identity management. I just went and watched the first in the series - a fascinating discussion between Daniel and Felix Gaehtgens of Kuppinger Cole - 'Open Source in Identity'.

One thing I noticed, on looking through the series, is that the number of views varies widely between the videos - from as little as 22 to more than 4000. There's some great stuff in there, well worth watching, so here are all the videos, have a browse through and see what takes your fancy...

Open Source in Identity - Felix discusses the advantages of identity management in open source with Daniel Raskin.

Identity Bus - Felix chats with Daniel about varying industry perspectives on the identity bus and Sun's Security Token Service.

Social Networking & Identity: Platforms Power - Nick Wooler and I talk about the impact social networking has had on identity management.

Safeway's Benefits of Sun Identity Management - Paul Rarey, Chief Architect for Safeway, talks with John Barco about the benefits Sun identity management has provided to this retailer.

OpenSSO Enterprise and Sun Master Data Management Suite - Daniel talks with David Codelli from the JavaCAPS team about Sun's MDM Suite and the benefits of having a single customer view.

Identity and Access Management Deployment Best Practices - Sun's Saryu Nayyar visits with Steve Curtis of PricewaterhouseCoopers about practices for both new and existing customers.

A Discussion on Role Management with The 451 Group - 451 Group Analyst, Steve Coplan, talks with Sun's Sachin Nayyar about the Why, the What and the Where of role management.

Sun IDMBuzz Tv: Federation and OpenSSO: Connecting the Dots - Julio Tapia hosts a roundtable discussion on Federation and OpenSSO with Steve Curtis from PricewaterhouseCoopers and Daniel Raskin from Sun.

Identity and Access Management Trends and Strategy - Identity experts, John Barco and Sachin Nayyar discuss the trends and strategies in identity management.

OpenSSO and Glassfish: A Match Made in Heaven - Daniel talks with Glassfish Engineer, Doug Strickland, about synergies between identity and glassfish.

Access Certification: A Critical Identity-based Control - Listen to Sun Sr product Line managers Nick Crown and Craig McDonald discuss the importance of Access Certification and the introduction of Sun Identity Compliance Manager.

Sun IDM Buzz TV: Sun OpenSSO Enterprise - Daniel and I discuss how this solution solves three tough challenges.

Tuesday Oct 28, 2008

Speaking at CSI 2008, Washington, DC, November 17 2008

The good people at the Computer Security Institute have invited me to speak at their CSI 2008 conference as part of an Identity 'summit panel' considering topics in the field of identity, federation and security. Jim Nelson of New Mexico State University is moderating the panel, with John Petze of Privaris, Robert Richardson of the Computer Security Institute and Pamela Dingle of Nulli Secundus also speaking. If you have a taste for the CardSpacey side of digital identity, Pamela's name will be very familiar from her work at OSIS.

Although the conference site lists the summit as running from 11:00am - 5:00pm on Monday, November 17th, 2008, my understanding is that the panel sessions will run 11am-noon, 1:45pm-2:45pm, and 4pm-5pm. Come along and see where the conversation takes us!

Tuesday Sep 02, 2008

ID-WSF 2.0 Javapolis Video Online at Parleys.com

Another entry from the 'While-I-was-on-vacation' department... Video from my JavaPolis ID-WSF 2.0 session was posted at Parleys.com. This is the third and final session I did at JavaPolis last year, the previous two covering OpenSSO and SAML 2.0.

There's also a short report from the JavaPolis 2007 Speaker and JUG Dinner - you can catch a couple of glimpses of me enjoying the JavaPolis hospitality, though Harold and Alexis get speaking parts...

Friday May 09, 2008

Be an Identity Hero!

It's Friday afternoon, time for some fun! We've put together a neat little game where you can protect your enterprise from the likes of disgruntled former employees, Sarbox gremlins and the deadly auditors with the help of Sun's identity management products: Identity Hero! Here's a screenshot:

Go save your enterprise!

Friday Mar 07, 2008

Federated Identity Through the Eyes of the Deployer

As I just reported over at The Aquarium, Eve and Marina recently published Federated Identity Through the Eyes of the Deployer - what it is, why you might want it and what questions to ask as you architect a federated identity system.

As I mentioned on The Aquarium, Eve was a key player in defining XML, SAML and more. What you might not know is that Eve is also a talented musician, shining even when accompanied by those less gifted in the art, such as here, at IIW2006b:

Here be the lyrics.

Thursday Mar 06, 2008

Credentica U-Prove Acquired by Microsoft - Zero Knowledge Proofs For All?

Across the wires this morning comes news from Kim and Stefan that Microsoft has acquired Credentica's U-Prove technology and the services of Stefan and his Credentica colleagues. I'm curious as to why the news isn't simply 'Microsoft acquires Credentica', but business is sometimes like that, I guess.

Anyway, congratulations to Stefan and co! I've been following their technology for a few years now (I even worked my way through Stefan's book - well, most of it - some of the formal proofs were a little beyond my mathematical abilities) and have met Stefan and Greg a couple of times - super guys, cool technology - it will be great to see it get wider exposure.

Friday Feb 29, 2008

More on CardSpace Password Management

I wrote an entry on Tuesday about CardSpace as a Password Manager. Kim responded with a request: "I'd like to hear Pat's ideas about the user experience of bootstrapping the passwords into the Identity Provider."

Well, I see this happening at the relying party (RP) - if you already had an account there you would go to some 'change password' page containing the information card 'script' to invoke the identity selector and proceed as I detailed in the earlier post. When the identity provider (IP/STS) receives this initial request, it will see that it has no password for that RP/user, create (and record) a new one and send it to the RP, which will write it into the user's entry exactly as if the user had just typed it in.

If you didn't have an account, the relying party would do the information card thing as part of the signup, as an alternative to just prompting you for a password. In both cases, the relying party could display the password on screen (probably requiring a mouse click to 'unmask' it) so the user could independently make a note if she really wanted to.

In all three cases, signup, login and change password, it's the same code from the RP point of view - just a way of getting a password from the user. And, in every case, the password could be nice and strong, since the user doesn't really need to remember it. One other detail is that the RP would need to communicate its password policy (e.g. 5-12 characters, alphanumeric plus !, @, #, $, %) to the IP/STS; sp:RequestSecurityTokenTemplate looks like it could carry that in its optional wsp:Policy element.

Going further, Gerry posted this morning on how the identity provider could even provide a series of strong, one time use, passwords, providing additional security, albeit with some incremental complexity at the RP.

Ben raises the bootstrap question, and also says (paraphrasing slightly) "If we derive an RP password from a master password and the RP site's name, we can eliminate the IdP and do the whole thing locally, using the master password." Yes - I use Hashapass to do exactly that, manually (of course, I saved the page to disk, examined the JavaScript and only ever run it from my disk copy), but there are some trade-offs here. One is that this is yet another piece of client software to get onto everybody's machine. Not impossible, but a hurdle. The other issue I see is the 'keys to the kingdom' attack. If an attacker obtains the master password, then all the RP logins are compromised instantly and the only mitigation (as far as I can see) is to go round each and every one individually, changing passwords and cleaning up any mess. With an identity provider, there is still a master password that can be compromised in the same way, but the mitigation is rather different. Change your password at the identity provider and (assuming the identity provider has this information) obtain the identity provider's record of which RPs you've authenticated to. If you were encrypting the passwords in transit between the IdP and RP, you wouldn't even need to change your password at any RPs, since our attacker may have logged in as you, but would not have any of the RP passwords.

Now, Eric Norman commented:

I don't get it.

In this scheme, all three of IdP, identity selector, and RP need to speak the information card protocols. If they do that, then why not just use the regular information card stuff?

Is there something missing in the information card protocols whereby these password tokens would add value? If so, what is it?

This looks to me like it's just adding more code and complexity without adding any value.

That's a good question - where is the benefit here, and to whom? Well, the benefit for the RP over the regular information card model is that the RP does not have to correlate Information Card Private Personal Identifiers (PPIDs) with user accounts. At the cost of adding some minimal code to the login process (parsing username/password from a posted information card token, rather than from the usual form fields), the RP enables CardSpace login. The RP doesn't need to add a PPID column to its user table and doesn't need a strategy for linking incoming PPIDs with existing accounts. If the RP is running some off-the-shelf web application, with no access to its underlying user management model, this could be very useful, indeed.

For the user, this allows them to use strong passwords with a huge potential population of web sites, all based on a single authentication to their identity provider, this authentication via an identity selector such as Windows CardSpace, rather than a web page in a browser.

For the identity provider, this is a value-added service that it could either charge for, or (more likely) provide free-of-charge as a competitive differentiator.

Tuesday Feb 26, 2008

CardSpace as a Password Manager

You might have noticed the exchange between Ben and Kim over the past day or two... Ben made a point that CardSpace makes OpenID redundant - why not just send a password to the RP? Kim jumped all over him - somewhat misinterpreting what Ben later describes as one of my most diabolical hungover bits of prose ever. Ben goes on to clarify that maybe CardSpace can have a role in helping the user manage passwords; Kim says "Hmm... Food for thought" (okay, I'm paraphrasing); Ben admits he didn't explain himself too clearly to begin with; and, glory be, they're violently agreeing. Phew! I thought we were going to be seeing handbags at dawn...

Reading all this lit a spark in my mind of how this could work. The crux is to consider the username/password token, usually sent as one of a set of possible input tokens to an identity provider security token service (IP/STS), as an output token.

Here's how it would work... Borrowing a diagram from Microsoft's Guide to Interoperating with the Information Card Profile V1.0:

First of all, the IP/STS would specify ic:RequireAppliesTo in the managed card. This tells the identity selector to include a wsp:AppliesTo element in the wst:RequestSecurityToken (RST). The IP/STS is going to need this later...

Now, the user visits the relying party (RP) in step 1, requesting some resource. In step 2, the 'service requestor' (application client with identity selector) requests security policy from the RP. The RP would indicate, in step 3, that it wanted a username/password token by specifying a token type of http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0 in the policy.

Now the identity selector presents some set of information cards (hopefully just one) to the user (step 5) and the user selects one (step 6). Steps 7 and 8 would see the RP requesting security policy from the IP/STS, and the IP/STS supplying it, exactly as in the standard information card interaction. Here the IP/STS could require any form of input token, but username/password is most likely.

Between steps 8 and 9, the identity selector prompts the user for credentials (bad Microsoft, missing that out of the diagram!) and in step 8, the identity selector packages up the user's credentials in a WS-Trust RST and sends them to the IP/STS.

Now, here's the interesting bit. The IP/STS authenticates the user, exactly as in the standard CardSpace case, but now it looks at the wsp:AppliesTo element, and looks up the user's username/password pair for that RP (this is an implementation detail - there could be a mapping of RP identifiers to username/password pairs per user, all encrypted on disk, of course). The IP/STS packages them as a wsse:UsernameToken, which is then encrypted with the RP's public key and returned to the identity selector (step 10). The display token could just show ******** for the value of the password claim. Now we have a nice, securely packaged credential that the identity selector can send to the RP in step 11.

Here's the other nice bit... All the RP has to do is to decrypt the incoming token and it has the user's username and password, exactly as if they had arrived by a conventional form post. No further customization required at the RP - no changes to directory or database schemas, no extra steps of associating an information card with your account. Passwords on steroids.
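An added simulation of the IP/STS and RP sides of this scheme, which is not code from this post, from CardSpace or from any STS product, and which also covers the bootstrapping and password-policy points in the 'More on CardSpace Password Management' entry above. The RST and its response are modelled as dicts, the RP's policy is assumed to travel with the request (as that entry suggests wsp:Policy might carry it), the sample user is constructed, and the public-key encryption of the token for the RP is left out.

```python
import hmac, hashlib, secrets, string

# The token type the RP names in its policy (from the post).
USERNAME_TOKEN_PROFILE = ("http://docs.oasis-open.org/wss/2004/01/"
                          "oasis-200401-wss-username-token-profile-1.0")
MASK = "********"  # what the display token shows for the password claim

class PasswordPolicy:
    """The RP's password policy, assumed here to travel with the request."""
    def __init__(self, min_len, max_len, alphabet):
        self.min_len, self.max_len, self.alphabet = min_len, max_len, alphabet

    def satisfied_by(self, pw):
        return self.min_len <= len(pw) <= self.max_len and all(c in self.alphabet for c in pw)

    def generate(self):
        # The longest password the policy allows: the user never has to type it.
        return "".join(secrets.choice(self.alphabet) for _ in range(self.max_len))

# The policy quoted in the follow-up post: 5-12 characters, alphanumeric plus ! @ # $ %.
RP_POLICY = PasswordPolicy(5, 12, string.ascii_letters + string.digits + "!@#$%")

class IpSts:
    """Identity provider / STS holding one password per user per RP."""
    def __init__(self, users):
        self.users = users   # username -> IdP password (constructed sample data)
        self.vault = {}      # (username, AppliesTo) -> password for that RP

    def issue(self, rst):
        # rst: the identity selector's RequestSecurityToken, modelled as a dict
        # carrying the user's input credentials, AppliesTo, token type and policy.
        if rst["token_type"] != USERNAME_TOKEN_PROFILE:
            return None
        if not hmac.compare_digest(self.users.get(rst["username"], ""), rst["password"]):
            return None                       # the input token failed
        key = (rst["username"], rst["applies_to"])
        if key not in self.vault:             # first visit to this RP: mint a password
            self.vault[key] = rst["policy"].generate()
        token = {"Username": rst["username"], "Password": self.vault[key]}
        return {"token_type": USERNAME_TOKEN_PROFILE, "username_token": token,
                "display_token": {"Username": rst["username"], "Password": MASK}}

class RelyingParty:
    """An RP whose only change is to unpack a UsernameToken instead of a form."""
    def __init__(self, applies_to, policy):
        self.applies_to, self.policy, self.accounts = applies_to, policy, {}

    @staticmethod
    def _hash(salt, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def credentials_from(self, rstr):
        # Signup, login and change password all start here, exactly as they
        # would with the usual form fields.
        return rstr["username_token"]["Username"], rstr["username_token"]["Password"]

    def signup_or_change_password(self, rstr):
        user, pw = self.credentials_from(rstr)
        if not self.policy.satisfied_by(pw):
            return False
        salt = secrets.token_bytes(16)
        self.accounts[user] = (salt, self._hash(salt, pw))  # stored as if typed in
        return True

    def login(self, rstr):
        user, pw = self.credentials_from(rstr)
        stored = self.accounts.get(user)
        return stored is not None and hmac.compare_digest(stored[1], self._hash(stored[0], pw))
```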
