Friday Sep 21, 2007

All-New Fall Schedule

I have a packed schedule this fall - well, packed for me, anyway:

First up, next week, is Digital ID World at the Hilton in San Francisco. I'll be there for Sun's reception on Monday evening and the Concordia workshop on Wednesday. The last Concordia workshop, colocated with Burton Catalyst, back in June, gave some great insights into some real-world identity interoperability, with George Fletcher of AOL [PDF], Mike Beach of Boeing [PDF], Jim Heaton of GM [PDF], Ian Bailey of the BC Government [PDF] and Georgia Marsh of GSA [PDF] explaining the interop issues they are facing, as well as some notable successes. This time round, representatives of Chevron, InCommon and the State Services Commission of the New Zealand Government will be presenting. Admission is free - just add yourself to the wiki.

Next month, from October 23rd to 25th, is the Liberty Alliance plenary meeting in Tokyo. The plenary meeting is Liberty members-only, but there is an open workshop day on the Friday. On the packed bill are Roger Sullivan of Oracle, Makoto Hatakeyama of NEC, Paul Madsen of NTT, Prateek Mishra of Oracle, Yukio Itakura of the Institute of Information Security, Colin Wallis of the New Zealand State Services Commission, Ken Ojiri of NTT, Brett McDowell of the Liberty Alliance, Kenji Takahashi of NTT and my good self. I will be presenting an update on open source identity at Sun - OpenSSO, OpenDS and... well, you'll have to wait and see. The event is free - just register here.

November brings my first ever trip to Raleigh, North Carolina, on November 8th, to talk to the Triangle Linux Users Group. They've given me 2 hours (the fools!) to wax lyrical on identity from LDAP to SAML and beyond. Attendance is free and open, so, if you're in the Triangle area, come along. It starts at 7pm and, apparently, there is pizza.

Finally, in December, the good folks at Javapolis in Antwerp have kindly invited me to present 3 sessions - one each on SAML 2.0, Liberty ID-WSF 2.0 and OpenSSO. Hmm - I must submit those abstracts... I'm afraid you have to pay this time, but, at 410 Euros for the entire week (December 10th - 14th), it's great value. Here's the registration page.

So - there you have it - come along to one of the events, say hi, eat pizza and find out about identity, federation and OpenSSO

Wednesday Feb 14, 2007

David Goldsmith - Federation TV Star!

Thanks to Charles for this pointer (and to Dennis for pointing it out): David Goldsmith does a great job in this video explaining the problems inherent in the proliferation of online identities and how federation and Sun's product line (Sun Java System Access Manager and Sun Java System Federation Manager) address them. After working through a couple of real-world examples, David goes on to provide useful definitions of common federation buzzwords, such as 'circle of trust', 'identity provider' and 'service provider'. Well worth watching if you want to get up to speed quickly! Click here for the video.

Monday Feb 12, 2007

Slides from my RSA Conference session: "SOA-401 - Federated SOA: Harmonizing ID Security and Web Services"

I just uploaded the slides from my RSA Conference presentation last week: Federated SOA: Harmonizing ID Security and Web Services.

A few words of explanation on the opening slides... Sara Gates was originally booked to present in this slot. As you almost certainly already know, Sara left Sun a little while ago, and I inherited her slot. So, my opening gimmick was to introduce myself as Sara and then say "Of course, I'm not Sara, you can see and hear that, but how could a Web service tell the difference?". It was spoilt a little on the day by the RSA Conference announcer introducing me as Pat Patterson, but I made the point that if I had tried to introduce myself as Sara...

Anyway, in the presentation, I start from the position of unprotected web service interactions, working through transport-layer security via TLS/SSL to point-to-point message-layer security to Liberty Alliance's Identity Web Service Framework (ID-WSF), pointing out the different properties of each level. The session was recorded - I'm not sure if the recording will be publicly available, but, if so, I'll update this entry with a URL when it goes online.

Tuesday Feb 06, 2007

Norway using Access Manager/Federation Manager for SAML 2.0

It being RSA week, the news comes thick and fast... I've just seen the press release announcing that the Government of Norway has deployed a whole slew of Sun hardware and software, including Access Manager and Federation Manager, for its pioneering citizen portal, MinSide (English translation: MyPage). Quoting from the press release:

[...] the MinSide [MyPage] portal will roll-out six initiatives that will enable secure, browser-based access to healthcare, tax, motor vehicle registration, social security, student loans and many other government services.

...and...

As part of the solution, Sun Java(TM) System Access Manager and Sun Java(TM) Federation Manager help the Norwegian government manage secure access to services by offering single sign-on (SSO) as well as enabling federation across trusted networks of government agencies, service providers and customers. It provides open, standards-based authentication and policy-based authorization with a single, unified framework. This improved security framework is based on the Liberty and SAML standards to protect all aspects of the portal.

The Liberty Alliance website has a presentation by Dag Efjestad that gives much more detail. Cool stuff, Norway - douze points!

Speaking at RSA Conference on Friday Feb 9 2007

I'll be speaking at the RSA Conference on Friday at 9am in Gold Room 310 on Federated SOA: Harmonizing ID Security and Web Services. I'll be looking at the role of identity in Web services, from the very basics of transport-level security to the Liberty Alliance's Identity Web Services Framework (ID-WSF), and how these are realized in Sun Java System Access Manager and Sun Java System Federation Manager. Do come along and say "Hi!"

You might also be interested in Eve Maler and Brett McDowell's session Federated Identity: Evolving Past Industry Strife - Eve and Brett will be talking about the Liberty Alliance's current course and roadmap for the future.

Tuesday Dec 12, 2006

More on Federated Authorization

Conor and Paul both recently responded to James' questions on federated authorization. Conor quite rightly pointed out that I managed to describe two common scenarios involving federation and authorization without explicitly answering the question - "Does Federated Identity sometimes require Federated Authorization?". As much as it pains me, I have to agree with Conor here - federated identity per se does not require federated authorization - rather, the resource owner might require it. It all depends on the use case that you're implementing.

James also alerted me this morning to a very interesting post from Shekhar Jha. I'll have to take the time to read the SecPAL paper properly, and, even then, there are people far better qualified than me to comment on this, but it does look interesting - particularly the fact that there is a natural language-like, non-XML syntax.

Shekhar goes on to discuss relationships in the identity domain. I refer Shekhar to the excellent work done by Paul on the People Service - FAQ, white paper [PDF], specification [PDF]. This seems to map neatly onto what Shekhar is saying.

Friday Dec 08, 2006

Federated Authorization

In a comment to a previous blog entry here, James McGovern asks

Does Federated Identity sometimes require Federated Authorization? If so, how come this isn't ever discussed. Maybe you could address in future blog entry...

There are two models here. In the first model, a given user has a profile (set of attributes) stored at an attribute provider (which may or may not be the same as that user's identity provider). The user goes to a service provider, the service provider receives a SAML 2.0 Assertion containing some set of attributes, and the service provider acts as both the policy decision point (PDP), deciding, on the basis of the user's identity (including the attributes), which resources the user may access, and the policy enforcement point (PEP), restricting the user's access appropriately. Here's a real example in the enterprise space...

Sun has deployed federated single sign-on with BIPAC. BIPAC, the Business Industry Political Action Committee, provides expert policy analysis, research and communications on campaigns and elections, and fosters business participation in the political process. Sun employees can access political information on the BIPAC website - who their elected representatives are, their voting record etc.

When I go to the BIPAC site, it redirects me to Sun, I log in with my Sun employee number and password and I'm redirected back to BIPAC with a SAML assertion containing a number of attributes - iirc, whether I'm a US citizen, whether I'm a member of a 'restricted class' of employees and my zip code. Note that the assertion does not identify me personally - it only tells BIPAC that I am a Sun employee with these attributes. Now the BIPAC site can act as the PDP, deciding what I can access, based on those attributes, and as the PEP, constraining my access to the BIPAC site according to those decisions.

In the second model (which is what I think James means by 'federated authorization'), the service provider is still a policy enforcement point, but the policy decision point is elsewhere. In our BIPAC example, the BIPAC site would still redirect me to Sun for authentication, but need not receive any attributes in the SAML assertion - just a pseudonym (SAML Name Identifier) that it can use to refer to me; again, BIPAC doesn't know who I am - the pseudonym can be a one-time identifier - used in this interaction, but never re-used - so I can't be tracked across visits. Now the BIPAC site can make an authorization request of a PDP at Sun, including my pseudonym and a reference to the resource I want to access. The PDP evaluates policy, essentially doing the same thing as the BIPAC PDP did in the previous example, and returns a response to BIPAC that indicates whether access to the resource should be allowed or denied.

Having these two models allows us to factor out authorization and put it where it makes sense. It may well be that it is the service provider that is responsible for policy, based on information provided by an attribute provider (model 1), or, alternatively, the service provider may simply request an authorization decision from a PDP, without being party to the data underlying the decision (model 2).

In terms of specs, both SAML and WS-Federation enable model 1 - passing attributes in assertions which are themselves carried in authentication responses. XACML is the basis for model 2, and is profiled for use with SAML by the SAML 2.0 profile of XACML v2.0 [PDF]. I'm not aware of any commercial products that implement this specification today (perhaps that's why no vendors are talking about it?), but OpenSSO is a good place to go to talk about requirements and implementation - you can sign up to the 'users' mailing list here.
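The two models described above, as an added example that is not code from this post or from Access Manager, Federation Manager or OpenSSO: a toy identity provider and service provider in Python. In model 1 the SP receives attributes in the SSO response and acts as both PDP and PEP; in model 2 it receives only a transient pseudonym, sends an XACML 2.0 request (real context namespace and subject/resource/action attribute ids, but a direct function call stands in for the SAML profile of XACML and the transport), and gets back nothing but a decision. The attribute names, the policy, the resource names and the employee records are constructed for the example.

```python
import secrets
import xml.etree.ElementTree as ET

# Attribute names are constructed; the post only lists them from memory.
US_CITIZEN, RESTRICTED = "us_citizen", "restricted_class"

# One constructed policy (resource -> predicate over the subject's attributes);
# in model 1 the SP evaluates it, in model 2 the IdP-side PDP does.
POLICY = {
    "representatives": lambda a: a.get(US_CITIZEN) == "true",
    "restricted-briefings": lambda a: a.get(RESTRICTED) == "true",
    "voting-records": lambda a: True,  # any authenticated employee
}

def evaluate_policy(attrs, resource):
    rule = POLICY.get(resource)
    if rule is None:
        return "NotApplicable"  # XACML's decision for an unmatched resource
    return "Permit" if rule(attrs) else "Deny"

# XACML 2.0 request context and the standard subject/resource/action ids.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

def _attr(parent, attr_id, value):
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = value

def build_xacml_request(pseudonym, resource, action="read"):
    # The PEP's query: a pseudonym and a resource reference, no personal data.
    req = ET.Element(f"{{{CTX}}}Request")
    _attr(ET.SubElement(req, f"{{{CTX}}}Subject"), SUBJECT_ID, pseudonym)
    _attr(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, resource)
    _attr(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, action)
    ET.SubElement(req, f"{{{CTX}}}Environment")
    return ET.tostring(req, encoding="unicode")

def parse_xacml_request(xml_text):
    root, ns = ET.fromstring(xml_text), {"ctx": CTX}
    def value(section, attr_id):
        for a in root.findall(f"ctx:{section}/ctx:Attribute", ns):
            if a.get("AttributeId") == attr_id:
                return a.find("ctx:AttributeValue", ns).text
    return value("Subject", SUBJECT_ID), value("Resource", RESOURCE_ID)

class IdentityProvider:
    """Sun in the post: authenticates employees; in model 2 also hosts the PDP."""
    def __init__(self, employees):
        self._employees = employees  # employee id -> attributes (constructed)
        self._transient = {}         # one-time pseudonym -> employee id
    def _transient_id(self, employee_id):
        pseudonym = secrets.token_urlsafe(16)  # fresh per visit, never reused
        self._transient[pseudonym] = employee_id
        return pseudonym
    def sso_with_attributes(self, employee_id):
        # Model 1 response: attributes, but no identifying name.
        return {"name_id": self._transient_id(employee_id),
                "attributes": dict(self._employees[employee_id])}
    def sso_pseudonym_only(self, employee_id):
        # Model 2 response: nothing but a transient SAML NameID.
        return {"name_id": self._transient_id(employee_id), "attributes": {}}
    def pdp_decide(self, request_xml):
        # Model 2 PDP: resolve the pseudonym, evaluate, return only a decision.
        subject, resource = parse_xacml_request(request_xml)
        employee_id = self._transient.pop(subject, None)  # single use
        if employee_id is None:
            return "Indeterminate"
        return evaluate_policy(self._employees[employee_id], resource)

class ServiceProvider:
    """BIPAC in the post: always the PEP, the PDP only in model 1."""
    def __init__(self, idp):
        self._idp = idp
    def access_model1(self, sso, resource):
        return evaluate_policy(sso["attributes"], resource) == "Permit"
    def access_model2(self, sso, resource):
        query = build_xacml_request(sso["name_id"], resource)
        return self._idp.pdp_decide(query) == "Permit"

EMPLOYEES = {  # constructed records, not real people
    "emp-0001": {US_CITIZEN: "true", RESTRICTED: "false"},
    "emp-0002": {US_CITIZEN: "false", RESTRICTED: "true"},
}

def demo():
    idp = IdentityProvider(EMPLOYEES)
    sp = ServiceProvider(idp)
    citizen = idp.sso_with_attributes("emp-0001")
    other = idp.sso_with_attributes("emp-0002")
    sso = idp.sso_pseudonym_only("emp-0002")
    return {
        "m1_citizen_reps": sp.access_model1(citizen, "representatives"),
        "m1_noncitizen_reps": sp.access_model1(other, "representatives"),
        "m2_sp_saw_attributes": bool(sso["attributes"]),
        "m2_restricted": sp.access_model2(sso, "restricted-briefings"),
        "m2_pseudonym_reuse_refused": not sp.access_model2(sso, "voting-records"),
    }
```

The point the two paths make visible is what each party learns: in model 1 the SP holds the attributes and the policy, in model 2 it holds neither, and because the PDP consumes the one-time pseudonym on first use, a second query with the same NameID comes back Indeterminate rather than letting the SP correlate visits.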

Does this answer your question, James?

UPDATE - perspectives on this from

And responses from James -

Sunday Dec 03, 2006

links for 2006-12-03

  • This normative document defines terms used throughout the OASIS Security Assertion Markup Language (SAML) specifications and related documents.

Tuesday Nov 14, 2006

Announcing Open Federation

Right from the very inception of OpenSSO, the most frequently asked question has been "When are you open sourcing the federation code?". Well, today, the answer is... "Today!" Here is the text of the announcement:

The OpenSSO project is pleased to announce the availability of the Java source code for the identity federation and web services framework of the Sun Java System Access Manager and Sun Java System Federation Manager. The name of this effort is Open Federation.

Following is a list of links to help you get started:

The OpenSSO project and code will be updated constantly with bug fixes, new features, modules and accompanying documentation. Please check back often. In fact, OpenSSO is a growing community of developers, both inside of, and outside of, Sun. Be a part of OpenSSO and sign up at https://opensso.dev.java.net.

Go grab it, play with it, and build cool stuff!

Monday Oct 16, 2006

Federation - Italian Style

Somehow, this passed me by back in March/April, but a presentation at Sun's Customer Engineering Conference last month brought it back into focus - Italy's Ministry of Transportation has deployed a new Motorist Portal, providing services such as online payment of vehicle registration fees and traffic tickets.

What's interesting here is that drivers log in to the Motorist Portal to view their driving record, vehicle registration etc, but make payments via another government agency, Poste Italiane. The Motorist Portal acts as a SAML identity provider, with Sun Java System Access Manager authenticating users and providing single sign-on to Poste Italiane's service provider for 40 million Italian drivers - possibly one of the biggest live SAML deployments in the world.

You can find out more in this short SunTV presentation and the Italian press release (English translation via Google).

Wednesday Oct 11, 2006

CSO Article - The Truth About Federated Identity Management

I just finished reading The Truth About Federated Identity Management by Sarah D. Scalet at CSO. It's a good read, focussing on the importance of the business case in deploying federated identity and the fact that 80% of the work in any federation deployment is on the business side. The technology, by comparison, pretty much "just works". Make sure you hit the sidebar too: Thinking of Doing Federated Identity Management?.

Monday Aug 14, 2006

Nice To Be Considered an 'Industry Expert' on Federated Identity...

...even if it's qualified by 'so-called' and my cluefulness is called into question

James McGovern asks

when was the last time he [Pat Patterson of Sun] asked members of Project Liberty to start sharing pain points outside of the Project Liberty forum for others to consume and learn from?

Well - that's precisely what many members of Project Liberty did recently at the Identity Open Space in Vancouver. As its name suggests, this event was open to all-comers and jointly produced by the Liberty Alliance Project and some of the leading participants in the Internet Identity Workshop. We had some fascinating discussions, mostly documented (to a greater or lesser extent) in the wiki.

Another interesting aspect of this event was that (as I blogged previously) IOS attendees were able to also attend Liberty's plenary sessions (under NDA), observing and even contributing to the discussion. My understanding (and no warranty, express or implied, is attached to this statement) is that the Liberty folks were very happy with the way this all turned out and keen to repeat it regularly in the future.

In the meantime, there will be another IOS next month in Santa Clara. Although this IOS is in association with the Digital ID World Conference, I wouldn't be surprised to see many of the Liberty folks there.

See you there, James?

Thursday Mar 23, 2006

Liberty User-Centric Identity Whitepaper and Webcast

There's a lot of buzz around 'user-centric identity' right now - the notion of involving users in the management of their personal information and its use, rather than leaving it to some enterprise or other organization. The folks at the Liberty Alliance have written a whitepaper entitled 'Personal Identity' that shows how Liberty's Identity Federation Framework (ID-FF) and its successor SAML 2.0 can be used to implement user-centric identity - for example, a user providing their own identity services via a Liberty-enabled device such as a cellphone. It's a good read - it starts from the basics, so you should be able to follow it even if you're new to Liberty and SAML.

On the same topic, John Kemp of Nokia and my esteemed colleague Hubert Le Van Gong will be presenting a webcast on April 12 2006 at 8am Pacific. PLEASE NOTE: Registration is required and limited to the first 100 respondents! The last webcast on the Liberty People Service 'sold out' very quickly, so get in there straight away if you're interested. If you're too late, don't despair - the webcast will be available in archive form after the event. I'll update this entry with the URL once it's online.

To register for the webcast, follow these steps.

  1. Go to http://projectliberty.webex.com
  2. Under the heading Attend a Meeting, click Register
  3. Search for centric
  4. Select User Centric Identity: Success Today and click on the Register Button. (Don't bother clicking on the link - it doesn't lead anywhere useful!)
  5. Fill out the required information and click Register Now at the bottom of the page.

Please email Tricia DeHart of the Liberty Alliance Project with any questions.

Tuesday Jan 24, 2006

Sun Eats Its Own Liberty Dog Food

One question that I'm often asked by customers is "How is Sun using the Liberty Alliance Project specifications?". Well, my stock answer is 'BIPAC'. The Business Industry Political Action Committee provides expert policy analysis, research and communications on campaigns and elections, and fosters business participation in the political process. Sun employees can access political information on the BIPAC website - who their elected representatives are, their voting record etc.

Now, this is obviously sensitive stuff, with huge implications for privacy. The 'old way' of accessing BIPAC would have involved a regular batch process to synchronize identity information from Sun to BIPAC; Sun employees would authenticate at BIPAC with their Sun ID and a BIPAC-specific password. In this old model, BIPAC would know exactly who I was and would be able to build a profile of my activity on the site. Not only that, I'd have another password to remember (or, more likely, write on a post-it note and stick to my monitor).

The 'new way' of accessing BIPAC authenticates employees at Sun (using Sun Java System Access Manager) and uses Liberty ID-FF to give employees single sign-on to BIPAC. Now - here's the clever bit - no personal information is transmitted in the single sign-on process. BIPAC have no idea who I am - all they know is that I am an authenticated Sun employee. BIPAC can then use ID-WSF to retrieve a strictly limited set of attributes, including my zip code. So now, all BIPAC know is that I am a Sun employee in 90210 (well, I can dream). They have everything they need to tell me who my elected representatives are at every level up to Dubya, but no more. They don't know who I am, since they don't need to know who I am. This document gives some more detail on the deployment. Here I am demonstrating the system at a Liberty eGovernment Forum last year in Dublin:

Looking at the wider context, this was an ideal first deployment of Liberty for Sun. A real need for Liberty's privacy features combined with low risk - BIPAC is a valuable service, but not critical to Sun's core business. Watch this space for news as we roll Liberty and SAML out across Sun's other business partners, and, if you're at the RSA Conference next month, be sure to catch Sun's Yvonne Wilson at IMP-101 'Implementing Federated Identity: What Products Do You Need?'. Yvonne is an architect in Sun IT and will be covering our BIPAC integration in her presentation.

Wednesday Dec 07, 2005

SAML 2.0 simplifies federation

Patrick Harding of Ping Identity has written an article on SAML 2.0 for Network World. It's a useful resource, describing both the SAML 2.0 specifications (at a high level) and the convergence of standards and specs that led to them. However, it's a little strange that Patrick makes no mention of WS-Federation, especially since Ping support WS-Federation in a number of their products.
Why so coy, Patrick???