Saturday Feb 14, 2009

Federated Provisioning - Liberty to the Rescue???

I thought I'd throw my hat into the ring of the current federated provisioning discussion (Ian, Nishant, Ian again, James) ...

Looking at the contentious #2 in Nishant's post, the Liberty Alliance standardized one approach to this several years ago with ID-WSF.

To recap the scenario:

Suppose two companies, Acme and Omega enter into a federation agreement, whereby employees of Acme will be able to access a service at Omega using their Acme credentials. There are two scenarios here for federated provisioning.


Acme decides that they are not going to decide beforehand which employees are allowed to access Omega's service. Instead, a link to the service is available on Acme's intranet, and whenever a user decides to go to the service, they should be given an account. In this case, no pre-provisioning is taking place. Instead, the provisioning has to occur in real-time, when the user accesses the service via the intranet link for the very first time.

The idea here is that when Omega's federation server encounters the incoming SAML token for a new user, it would recognize that the user does not have a federated account, and send the SAML token to Omega's provisioning server. The provisioning server would create the account right then and there, and return the necessary result back to the federation server so that the federation server can proceed to grant the user access.

Now, in my Liberty-tinged version, when sending a new user to Omega, Acme includes a reference to their Employee Profile (EP) service - essentially the service's endpoint URL - in the SAML assertion. This endpoint reference serves as both a description of where to find the service and permission for Omega (when sent as part of the signed SAML assertion) to invoke that service.

On receiving the assertion, Omega sends a signed request to the EP service, the request containing the SAML assertion it just received. Now, the EP service knows that Omega is entitled to access that employee's data, since it has a signed SAML assertion, issued by Acme itself, that says exactly that (via the presence of the EP endpoint reference). The EP can return exactly the data required (this will have been configured according to the underlying contract between Acme and Omega).

Finally, if desired, the EP can leave a marker in the employee's account that says 'account provisioned at Omega', so that Acme doesn't send the EP reference in every SAML assertion. Alternatively, Acme could deliberately send the EP reference every time. Or even reset the marker when the employee's account changes in a significant way (say, her purchasing limit is changed) so Omega can fetch the new employee data.

In scenarios where manual intervention is required on the Acme side, the EP service can return a response that says "Come back later", and the Omega service relays that to the user.
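To make the flow concrete, here is an added simulation of the three parties (Acme IdP, Acme EP service, Omega federation server) in plain Python; it is not code from the post or from any Liberty/OpenSSO implementation. The assertion is a signed JSON blob with a toy HMAC standing in for SAML's XML signature, and the endpoint URL, employee records and contract table are all constructed; the EP endpoint reference, the "provisioned at Omega" marker, the marker reset on a significant change and the "Come back later" response follow the post.

```python
import hmac, hashlib, json, time

ACME_KEY = b"constructed-acme-signing-key"   # toy HMAC key; real SAML uses XML-DSig with an RSA key
EP_ENDPOINT = "https://acme.example/ep"      # hypothetical Employee Profile (EP) endpoint reference
CONTRACT = {"omega": ["givenname", "surname", "purchasing_limit"]}   # what Omega may receive
EMPLOYEES = {"alice": {"givenname": "Alice", "surname": "Adams", "purchasing_limit": 5000,
                       "salary": 90000, "provisioned_at": set(), "pending_review": False},
             "bob":   {"givenname": "Bob", "surname": "Brown", "purchasing_limit": 100,
                       "salary": 40000, "provisioned_at": set(), "pending_review": True}}
OMEGA_ACCOUNTS = {}   # constructed; 'provisioned_at' above is the marker described in the post

def acme_issue_assertion(subject, audience):
    """Acme signs an assertion; the EP reference is included only until the marker says Omega is provisioned."""
    body = {"iss": "acme", "sub": subject, "aud": audience, "exp": time.time() + 300}
    if audience not in EMPLOYEES[subject]["provisioned_at"]:
        body["ep_ref"] = EP_ENDPOINT
    raw = json.dumps(body, sort_keys=True).encode()
    return raw, hmac.new(ACME_KEY, raw, hashlib.sha256).hexdigest()

def acme_update_employee(subject, **changes):
    """A significant change clears the marker, so the next assertion carries the EP reference again."""
    EMPLOYEES[subject].update(changes)
    EMPLOYEES[subject]["provisioned_at"].clear()

def acme_ep_service(caller, assertion):
    """Acme's EP service: the caller is authorized solely by the Acme-signed assertion it presents."""
    if not hmac.compare_digest(assertion[1], hmac.new(ACME_KEY, assertion[0], hashlib.sha256).hexdigest()):
        return {"status": "denied", "reason": "bad signature"}
    a = json.loads(assertion[0])
    if a["exp"] < time.time() or a["aud"] != caller:
        return {"status": "denied", "reason": "expired or wrong audience"}
    if a.get("ep_ref") != EP_ENDPOINT:
        return {"status": "denied", "reason": "no EP reference: Acme did not permit this call"}
    emp = EMPLOYEES[a["sub"]]
    if emp["pending_review"]:
        return {"status": "come back later"}          # manual intervention needed on the Acme side
    emp["provisioned_at"].add(caller)
    return {"status": "ok", "attributes": {k: emp[k] for k in CONTRACT[caller]}}   # contract-filtered

def omega_federation_server(assertion):
    """Omega: known users go straight in; unknown users are provisioned from the EP named in the assertion."""
    a = json.loads(assertion[0])
    if a["sub"] in OMEGA_ACCOUNTS:
        return "access granted"
    if "ep_ref" not in a:
        return "access denied: no account and no EP reference to provision from"
    resp = acme_ep_service("omega", assertion)   # stands in for a signed request to a["ep_ref"]
    if resp["status"] == "ok":
        OMEGA_ACCOUNTS[a["sub"]] = resp["attributes"]   # account created right then and there
        return "access granted"
    return resp["status"] if resp["status"] == "come back later" else "access denied: " + resp["reason"]
```

Omega never sees "salary", because the EP applies the Acme/Omega contract, and a tampered or wrongly-addressed assertion is refused by the EP even though Omega forwarded it.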

Of course, de-provisioning is a different kettle of fish, but the advantage of federated access to services is that, once the employee is gone from the Acme end, he has no way to access the Omega service anyway, so de-provisioning is a little less urgent than if the employee were logging in to Omega directly.

Like I said, ID-WSF has been around for years. Perhaps it hasn't had much adoption because businesses weren't encountering the problems that it solves. Seems like that might change now...

Monday Nov 10, 2008

Pictures from Liberty Plenary, Tokyo, November 2008

I took a bunch of pictures around Tokyo last week - here's the set at Flickr. Many thanks to Colin Wallis and Fulup Ar Foll for being the official photographers at the Liberty Allstars vs NTT futsal match.

Friday Oct 24, 2008

OpenSSO Tab Sweep - Oct 24 2008

Wow! OpenSSO is HOT right now...

Finally, OpenSSO is coming to the Stories blog - our first OpenSSO adoption story will run on Monday and will feature... well, you'll have to go look on Monday, or subscribe to Stories.

Tuesday Dec 18, 2007

FAM 8.0 Puts the 'Full' in 'Full-Matrix SAML 2.0 Interoperability Testing'

As you might have just read, Liberty Alliance recently completed its first 'full matrix' SAML 2.0 interoperability test. Not only was Sun amongst the successful participants with its upcoming Federated Access Manager 8.0 product, we were the only participant to successfully test every conformance mode. Daniel, of course, beat me to the punch on this one, though I like to think my entry is laid out a little more neatly.

I'll also take this opportunity to point out that, although Federated Access Manager 8.0 is scheduled for release next year, you can get the code and binaries right now via the OpenSSO project - in fact, we just released 'build 2' of OpenSSO v1, which includes the tested code.

Friday Nov 09, 2007

Slides from Liberty Tokyo and TriLUG

I've been back from Tokyo for a couple of weeks now and just realized that I haven't posted slides from my presentation on OpenSSO, so here they are [PDF]. Many thanks to the Liberty Alliance Japan SIG for organizing this day - about 220 attendees heard the latest Liberty Alliance news, many of them stopping by my booth afterwards to see OpenSSO in action. Special shouts to Takashi and Tatsuo for making me so welcome in Tokyo, as always. Via Tatsuo, here are some pics from our excursion on the last night there - I'm the balding Caucasian guy in the blue t-shirt.

Moving on... the preso at TriLUG last night - 'Digital Identity from LDAP to SAML and Beyond' - went well - about 60 or so very technical attendees. When I asked how many people in the audience did NOT understand sequence diagrams, only a couple of hands went up, and I breathed a sigh of relief as I explained the basics.

A BIG thank you to Andy Oliver and the rest of TriLUG for the invitation to speak - it's a pleasure to talk to a well-informed, interested audience who are there by choice, not because it's their job. As promised, here are the slides [PDF]. There should be some video at some point too; I'll update this blog entry when it appears.

UPDATE - ogg and mp3 audio available. Listen to my voice gradually die due to the cold I'm suffering.

UPDATE 2 - thanks to Rich for the photo, and for providing accommodation at Pixelfodder Towers for the whole Patterson clan.

UPDATE 3 - thanks to Takayuki for the photos from the Liberty Tokyo event. Here's a nice one of Tatsuo and me.

So - where next? IIW2007b in Mountain View, December 3-5, then Javapolis, in Antwerp, December 10-14. That'll be about it for 2007. Hopefully.

Friday Sep 21, 2007

All-New Fall Schedule

I have a packed schedule this fall - well, packed for me, anyway:

First up, next week, is Digital ID World at the Hilton in San Francisco. I'll be there for Sun's reception on Monday evening and the Concordia workshop on Wednesday. The last Concordia workshop, colocated with Burton Catalyst, back in June, gave some great insights into some real-world identity interoperability, with George Fletcher of AOL [PDF], Mike Beach of Boeing [PDF], Jim Heaton of GM [PDF], Ian Bailey of the BC Government [PDF] and Georgia Marsh of GSA [PDF] explaining the interop issues they are facing, as well as some notable successes. This time round, representatives of Chevron, InCommon and the State Services Commission of the New Zealand Government will be presenting. Admission is free - just add yourself to the wiki.

Next month, from October 23rd to 25th, is the Liberty Alliance plenary meeting in Tokyo. The plenary meeting is Liberty members-only, but there is an open workshop day on the Friday. On the packed bill are Roger Sullivan of Oracle, Makoto Hatakeyama of NEC, Paul Madsen of NTT, Prateek Mishra of Oracle, Yukio Itakura of the Institute of Information Security, Colin Wallis of the New Zealand State Services Commission, Ken Ojiri of NTT, Brett McDowell of the Liberty Alliance, Kenji Takahashi of NTT and my good self. I will be presenting an update on open source identity at Sun - OpenSSO, OpenDS and... well, you'll have to wait and see. The event is free - just register here.

November brings my first ever trip to Raleigh, North Carolina, on November 8th, to talk to the Triangle Linux Users Group. They've given me 2 hours (the fools!) to wax lyrical on identity from LDAP to SAML and beyond. Attendance is free and open, so, if you're in the Triangle area, come along. It starts at 7pm and, apparently, there is pizza.

Finally, in December, the good folks at Javapolis in Antwerp have kindly invited me to present 3 sessions - one each on SAML 2.0, Liberty ID-WSF 2.0 and OpenSSO. Hmm - I must submit those abstracts... I'm afraid you have to pay this time, but, at 410 Euros for the entire week (December 10th - 14th), it's great value. Here's the registration page.

So - there you have it - come along to one of the events, say hi, eat pizza and find out about identity, federation and OpenSSO.

Tuesday May 01, 2007

Liberty Alliance Cheaper, More Open

Just back from the Liberty Alliance plenary meeting in Brussels, Belgium. Lots of interesting stuff afoot, both in the plenary meeting itself and the associated Identity Open Space (IOS) event.

One big news item - the economics of Liberty participation just changed, radically: effective May 1, individuals can join Liberty Alliance as associate ($100) or sponsor ($250) members. Fees have also been reduced for enterprises and other organizations - see the new Membership Matrix (PDF) for details.

Also, the Technology Experts Group (TEG) mailing list is now publicly viewable. Paul explains some of the rationale. TEG is the powerhouse of the Liberty Alliance (no offense to Public Policy, Business and Marketing or any of the other expert groups!), turning market requirements into specifications; this move makes that mechanism completely transparent.

Looks like the trend towards openness and participation is spreading!

Saturday Mar 24, 2007

links for 2007-03-24

Monday Feb 12, 2007

Slides from my RSA Conference session: "SOA-401 - Federated SOA: Harmonizing ID Security and Web Services"

I just uploaded the slides from my RSA Conference presentation last week: Federated SOA: Harmonizing ID Security and Web Services.

A few words of explanation on the opening slides... Sara Gates was originally booked to present in this slot. As you almost certainly already know, Sara left Sun a little while ago, and I inherited her slot. So, my opening gimmick was to introduce myself as Sara and then say "Of course, I'm not Sara, you can see and hear that, but how could a Web service tell the difference?". It was spoilt a little on the day by the RSA Conference announcer introducing me as Pat Patterson, but I made the point that if I had tried to introduce myself as Sara...

Anyway, in the presentation, I start from the position of unprotected web service interactions, working through transport-layer security via TLS/SSL to point-to-point message-layer security to Liberty Alliance's Identity Web Service Framework (ID-WSF), pointing out the different properties of each level. The session was recorded - I'm not sure if the recording will be publicly available, but, if so, I'll update this entry with a URL when it goes online.

Tuesday Feb 06, 2007

Speaking at RSA Conference on Friday Feb 9 2007

I'll be speaking at the RSA Conference on Friday at 9am in Gold Room 310 on Federated SOA: Harmonizing ID Security and Web Services. I'll be looking at the role of identity in Web services, from the very basics of transport-level security to the Liberty Alliance's Identity Web Services Framework (ID-WSF), and how these are realized in Sun Java System Access Manager and Sun Java System Federation Manager. Do come along and say "Hi!"

You might also be interested in Eve Maler and Brett McDowell's session Federated Identity: Evolving Past Industry Strife - Eve and Brett will be talking about the Liberty Alliance's current course and roadmap for the future.

Monday Jan 15, 2007

InfoCard and Minimal Disclosure

[I would have left this as a comment on Kim's blog, but I don't have an InfoCard handy and I can't figure out how to register there for a good old username and password...]

Kim Cameron replies to a question from Eric Schultz with a description of how InfoCard (or is it CardSpace?) handles minimal disclosure, allowing the relying party to request only the information it needs. In Kim's example, the relying party requests four claims regarding the user via an OBJECT tag:

Then, according to Kim,

If, next time, the relying party doesn't want to receive these claims, it just doesn't ask for them. If it has stored them, it should be able to retrieve them when necessary by using "privatepersonalidentifier" as a handle. This identifier is just a random pairwise number meaningless to any other site, and so there is no identity risk in using it.

But, but, but... how does the relying party know not to ask for givenname, surname and emailaddress the second (and subsequent) time round? It doesn't know that it's already collected those claims for that user, since it doesn't know who the user is yet...

If only there were some specification [PDF] (perhaps part of some sort of framework) that, given a token from an authentication, allowed you to get the data you needed, subject, of course, to the user's permission [another PDF]. Smile!

Thursday Nov 30, 2006

SAML 2.0 meets Web 2.0 at

Nice article covering yesterday's Liberty Alliance webcast from Rich Seeley over at All the URLs for that webcast and this week's closely related podcast are here.

It's great to see momentum building in this whole area - Liberty, SAML, OpenID, OpenSSO... As I say in the podcast, this is a tremendously exciting time to be involved in digital identity.

Tuesday Nov 21, 2006

Open Source Identity for the Web 2.0 Era

Regular readers might recall I gave a presentation in Japan last month titled 'Open Source Identity for the Web 2.0 Era'. The Liberty Alliance folks liked it so much, they've asked me to repeat it as a webcast next Wednesday - 11/29/2006 - details here (if you're interested, better sign up fast, places are limited!).

The presentation focuses on OpenSSO and Project Lightbulb - the OpenSSO sub-project that implements a SAML 2.0 service provider in straight PHP - no custom extensions required. I'm planning to SAML 2.0-enable a simple PHP application, live on-the-air, no safety net.

Johannes has already picked up on the webcast announcement and wonders what the Web 2.0 angle is. Let me explain...

Web 2.0 is a difficult term; it means something different to almost everyone you ask. Some focus on particular technologies - Ajax (just pasted that link in - do you realize, that essay, that coined the term 'Ajax', is only 21 months old!) being the most common example. Others focus on particular companies - Flickr, YouTube, any number of social networking sites - or business models - for example, combining your users' individual efforts to create something bigger than the sum of their parts.

For me, 'Web 2.0' is simply a shorthand for 'the Web today is very different from the Web of 5 years ago'. It's a whole world of change wrapped into a somewhat glib phrase. The Tokyo Liberty Alliance Day took Web 2.0 as its theme - my angle on it with this presentation is that a large part of Web 2.0 is participation - notably open source and lightweight languages - look at any 'Web 2.0 company' and you'll find lots of LAMP. It's this aspect that I focus on in 'Open Source Identity for the Web 2.0 Era' - bridging the gap between the enterprise/telco/square world of SAML 2.0 and the bloggy/scripty/hip world of PHP.

Having said all that, Johannes is spot on that "putting control in the hands of the end user — the essence of Web 2.0 — is not typically compatible with the way SAML projects tend to end up". There is much work to do in figuring out how the core of SAML 2.0 can be leveraged in wider settings than the typical (but no less important for that) enterprise/telco use cases. We're seeing some great thinking in this area from the likes of Paul and Eve. I suspect that this will be a key topic of the upcoming Internet Identity Workshop 2006b.

Wednesday Nov 08, 2006

Big in Japan

Sun Enterprise News is covering the recent Liberty Alliance Day in Tokyo. Hmmm - perhaps the orange Liberty Alliance soccer shirt wasn't the most flattering thing I could have worn...

Monday Oct 23, 2006

Liberty Alliance Day - Tokyo - Oct 30 2006

The Liberty Alliance is presenting Liberty Alliance Day 2006 (Google translated link) in Tokyo next Monday (Oct 30 2006). The theme for the day is 'Identity in the Web 2.0 Age'. There is a packed program of speakers, including Roger Sullivan of Oracle, Paul Madsen of NTT, Takashi Shitamichi of Sun, my good self, Conor Cahill and many more. Come along, learn about Liberty's People Service, open source identity projects and the latest work on advanced client technology and enjoy a cocktail reception with the speakers afterwards.

Sign up here!
