Friday Apr 17, 2009

OpenSSO Tab Sweep - Apr 17 2009

A celebration this week and events over the next month in the world of OpenSSO...

So - there you have it - a packed few weeks in OpenSSO-land, and evidence that the OpenSSO community is as active IRL (in real life) as on IRC (Internet relay chat).

Wednesday Feb 25, 2009

Security Geek Irony

On going to the RSA Conference website:

Wednesday Apr 16, 2008

RSA Conference Interoperability Roundup - OSIS/XACML

At RSA this year, as well as the Project Concordia workshop I covered last week, there were OSIS and XACML interoperability events.

The information card (aka InfoCard, aka CardSpace) portion of the OSIS event focused on testing 17 identity provider security token services (IP/STS) against 39 relying parties (RP) plus specific feature tests (note - right now, a bug in the wiki software means that both the IdP and RP feature results tables are shown under the RP heading). Last time I looked, OpenSSO worked with 11 of the identity providers and 19 relying parties. Of the remainder, many (shown as N/A in the table) were not tested due to incompatible policies - for example, it's impossible to test an IP/STS against an RP that only accepts self-issued cards. Some others (shown as Not Tested in OpenSSO's results) are not yet online. Of the outright failures, many on the RP side seem to be due to the assumption that the token MUST be encrypted by the IP/STS. This is somewhat ambiguous in the specification (section 8.3), which clearly states that self-issued cards SHOULD be encrypted, but leaves the question open for managed cards. I'll let you into a secret - I inadvertently configured the OpenSSO IP/STS to not encrypt tokens; a lucky mistake in that it exposed this nit.

Meanwhile, over on the expo floor, OpenSSO was also well represented in the OASIS XACML interop event (press release). Where the OSIS event focused on basic on-the-wire compatibility, the XACML interop covered quite an elaborate use case from the U.S. Department of Veterans Affairs featuring role-based access control (RBAC), privacy protections, structured and functional roles, consent codes, emergency overrides and filtering of sensitive data. I ducked out of the OSIS interop to go take a look (and say 'Hi' to Bina and Dilli from the OpenSSO team) and was blown away - 7 vendors supplied policy decision points (PDPs), while OpenSSO was also the policy enforcement point (PEP) for the client side of the demo app. Actually, "demo app" doesn't begin to do it justice - the application showed how a patient could set policy to control access to medical records, down through controls on individual physicians seeing your records to physician + resource (e.g. Dr Bob isn't allowed to see my radiography results) and more. There was even an emergency 'break glass' override included to allow a physician (duly authenticated, of course) to get access to any of your notes via a specific affirmation that an emergency is in progress. Very cool stuff - it seems like XACML is coming of age!
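To make the shape of that patient-set policy concrete, here is an added XACML 2.0 policy sketch (my own illustration, not a policy from the interop or from OpenSSO) covering the three behaviours described above: a break-glass permit for an authenticated physician who affirms an emergency, a physician + resource exclusion (Dr Bob and radiography), and ordinary access gated on a consent code. The attribute ids under `urn:example:attr:` and the values `physician`, `dr.bob`, `radiography`, `treatment` and `emergency-in-progress` are assumptions made up for this example; the `first-applicable` combining algorithm is what lets the override rule win over the exclusion that follows it.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyId="urn:example:policy:patient-records"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <!-- 1. Break glass: a subject in the physician role who affirms an emergency may read anything.
       The role still has to be asserted by the authentication layer; the affirmation alone is not enough. -->
  <Rule RuleId="break-glass" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:example:attr:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject></Subjects></Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <!-- assumed request attribute carrying the emergency affirmation -->
          <EnvironmentAttributeDesignator AttributeId="urn:example:attr:emergency-affirmation" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">emergency-in-progress</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
  <!-- 2. Physician + resource exclusion set by the patient: Dr Bob may not see radiography results. -->
  <Rule RuleId="exclude-dr-bob-radiography" Effect="Deny">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">dr.bob</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">radiography</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:example:attr:record-type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource></Resources></Target>
  </Rule>
  <!-- 3. Ordinary access: only physicians the patient has given a treatment consent code. -->
  <Rule RuleId="consented-physician" Effect="Permit">
    <Target><Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">treatment</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:example:attr:consent-code" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
    </Subject></Subjects></Target>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/> <!-- 4. Anything not matched above is denied. -->
</Policy>
```

In a real deployment the break-glass rule would also carry an Obligation so the PEP records every override for later audit, which is the usual control that keeps an emergency override from becoming a quiet bypass.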

More coverage by Phil, Anil and Craig

Monday Apr 07, 2008

RSA Conference 2008 - Concordia done, OSIS to go

If you're wondering where I've been lately, I was holed up preparing our interoperability demo for the Project Concordia workshop at RSA 2008 today, showing SAML 2.0/WS-Federation single sign-on from a service provider to an identity provider, the identity provider authenticating the user via a managed information card and sending claims from the card to the service provider as SAML 2.0 attributes. Note - if you're clicking around there, not every combination of SAML 2.0/WS-Federation SP, IdP and Information Card STS completely works, but enough that the approach was proven. As promised, here are the slides from my presentation today.

So... Tomorrow and Wednesday are OSIS I3 Interop, in Purple Room 220/222. Come along, say hi and check out how we're doing on those interoperability matrices...

Monday Feb 12, 2007

Slides from my RSA Conference session: "SOA-401 - Federated SOA: Harmonizing ID Security and Web Services"

I just uploaded the slides from my RSA Conference presentation last week: Federated SOA: Harmonizing ID Security and Web Services.

A few words of explanation on the opening slides... Sara Gates was originally booked to present in this slot. As you almost certainly already know, Sara left Sun a little while ago, and I inherited her slot. So, my opening gimmick was to introduce myself as Sara and then say "Of course, I'm not Sara, you can see and hear that, but how could a Web service tell the difference?". It was spoilt a little on the day by the RSA Conference announcer introducing me as Pat Patterson, but I made the point that if I had tried to introduce myself as Sara...

Anyway, in the presentation, I start from the position of unprotected web service interactions, working through transport-layer security via TLS/SSL to point-to-point message-layer security to Liberty Alliance's Identity Web Service Framework (ID-WSF), pointing out the different properties of each level. The session was recorded - I'm not sure if the recording will be publicly available, but, if so, I'll update this entry with a URL when it goes online.

Tuesday Feb 06, 2007

Speaking at RSA Conference on Friday Feb 9 2007

I'll be speaking at the RSA Conference on Friday at 9am in Gold Room 310 on Federated SOA: Harmonizing ID Security and Web Services. I'll be looking at the role of identity in Web services, from the very basics of transport-level security to the Liberty Alliance's Identity Web Services Framework (ID-WSF), and how these are realized in Sun Java System Access Manager and Sun Java System Federation Manager. Do come along and say "Hi!"

You might also be interested in Eve Maler and Brett McDowell's session Federated Identity: Evolving Past Industry Strife - Eve and Brett will be talking about the Liberty Alliance's current course and roadmap for the future.
