Friday, May 28, 2010

ADFS V2.0 Lingo

Patrick Harding is the CTO over at Ping Identity. His post “ADFS 2.0 – Learning the Lingo” is worth a read so you clearly understand how Microsoft defines the various bits of its federation goo, and how that maps onto the way non-Microsoft federation goo has traditionally been described. As Patrick says:
“…we all need to make sure that we can speak the same language.”
Indeed we do. Here’s his post – and as one reader commented, you can substitute Sun, CA or whichever your favorite non-MS federation software vendor is for “Ping” below…
This week Microsoft announced that ADFS 2.0 was GA. For those that have used PingFederate for some time, I thought I'd normalize the terminology that Ping Identity and Microsoft use to describe similar concepts when enabling identity federation. I make no claims (no pun intended) that one set of terms is better than the other, just that we all need to make sure that we can speak the same language.
ADFS terminology centers on the notion of an STS, Security Tokens and Claims.

STS (Security Token Service)
Microsoft asserts that an STS is a Security Token Service that issues/validates Security Tokens that contain Claims about a Subject.

PingFederate and ADFS are both implementations of an STS.

Further, the STS can play different roles. An IP-STS (Identity-Provider STS) is an STS that authenticates a subject, and issues a security token on behalf of that subject, while an RP-STS (Relying-Party STS) validates that security token and returns the claims contained within the security token.

PingFederate in IdP mode is an implementation of an IP-STS.

PingFederate in SP mode is an implementation of an RP-STS.

Lastly the STS can be used with different clients – a Passive STS interacts with a browser while an Active STS interacts with a client, web service or web application.

PingFederate in regular Web SSO mode (where you are using one of the SAML 1, SAML 2 or WS-Federation Web SSO protocols) is an implementation of a Passive STS.

PingFederate in STS mode (where you are using the WS-Trust protocol to support security token processing on behalf of a client or application) is an implementation of an Active STS.

It is this last definition that can cause some confusion when comparing ADFS and PingFederate as Ping has historically had a much narrower definition of the term STS. This is as a result of the STS term being specifically defined as an entity in the WS-Trust specification and that we then mapped directly into our product.

When PingFederate is enabled as an IdP for Web SSO; it’s a Passive IP-STS.

When PingFederate is enabled as an SP for Web SSO; it’s a Passive RP-STS.

When PingFederate is enabled as an STS (using WS-Trust) to issue a SAML token on behalf of a client or application; it’s an Active IP-STS.

When PingFederate is enabled as an STS (using WS-Trust) to validate a SAML token on behalf of a client or application; it’s an Active RP-STS.

Still with me? Let's keep going.

Security Tokens
When security tokens are discussed in the context of ADFS and its support of WS-Federation and WS-Trust, Microsoft is actually talking about SAML Tokens. Further confusing matters is that Microsoft has been fond of saying ‘we support SAML’ when they actually mean SAML Tokens carried in WS-Federation/WS-Trust messages rather than the SAML 1.1/2.0 Web SSO protocols.

Ping always specifies the type of security token that is being processed, whether it is a SAML Token, Kerberos Ticket, X.509 Certificate, Password, SMSession Cookie, OpenToken, etc.

Microsoft defines a ‘claim’ as a statement about a user that is used for authorization purposes in an application. These claims are conveyed in security tokens, which as I described above are quite often actually SAML Tokens. When using WS-Federation and SAML 1.1/2.0, the ‘claims’ themselves are actually included in the AttributeStatement of a SAML Token as Attribute name/value pairs.

PingFederate 'attributes' are equivalent to 'claims'.

Microsoft defines a ‘claims aware application’ as an application that uses claims to make authorization decisions. Generally these claims have been made available to the application via ADFS. PingFederate’s design philosophy has always been to integrate with applications by passing user attribute information into and out of web applications. This attribute information is, at a minimum, a user identifier.

Every application ever integrated with PingFederate is a ‘claims aware application’.

Lastly Microsoft defines ‘claims transformation’ as the ability for ADFS to transform existing claims and import claims from other identity data sources. Ping has historically called this attribute mapping, which involves performing a user lookup against an identity store and mapping user attributes dynamically.

PingFederate 'attribute mapping' is equivalent to ‘claims transformation’.

I am sure there are others, but I believe I have captured the major terminology differences. Look for some follow up posts that highlight some of the other differences between PingFederate and ADFS 2.0.
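To make the terminology above concrete, here is an added example (my own code, not Patrick's and not PingFederate's or ADFS's). It pulls the “claims” out of a SAML 2.0 assertion's AttributeStatement whether the assertion arrives bare inside a SAML Web SSO `<Response>` (passive STS) or wrapped in a WS-Trust `<RequestSecurityTokenResponse>` (active STS), then applies an attribute mapping, which is what ADFS calls claims transformation: rename mapped attributes to claim-type URIs, drop everything unmapped, and enrich from an identity store. The assertion, the mapping table and the identity store are all constructed for the example; the claim-type URIs for e-mail address and role are the ones ADFS and WIF use.

```python
"""Added example: SAML AttributeStatement -> claims, plus attribute mapping.
Not code from the original post; sample XML and the identity store are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
}
SAML_ASSERTION_TAG = "{%s}Assertion" % NS["saml"]

# Well-known claim type URIs used by ADFS / WIF.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed, unsigned sample assertion (see the caveat in claims_from_message).
ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example1" Version="2.0" IssueInstant="2010-05-28T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>vpn</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="telephoneNumber">
      <saml:AttributeValue>+1 555 0100</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""".strip()

# Passive (Web SSO) carrier: the assertion sits inside a SAML 2.0 <Response>.
WEB_SSO_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_r1" Version="2.0" IssueInstant="2010-05-28T10:00:00Z">'
    + ASSERTION + "</samlp:Response>"
)

# Active (WS-Trust) carrier: the same assertion inside an RSTR issued by an STS.
WS_TRUST_RSTR = (
    '<wst:RequestSecurityTokenResponse '
    'xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    "<wst:RequestedSecurityToken>" + ASSERTION + "</wst:RequestedSecurityToken>"
    "</wst:RequestSecurityTokenResponse>"
)


def find_assertion(xml_text):
    """Return the <saml:Assertion> element regardless of the carrier protocol."""
    root = ET.fromstring(xml_text)
    if root.tag == SAML_ASSERTION_TAG:
        return root
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 2.0 assertion in message")
    return assertion


def claims_from_message(xml_text):
    """Map the AttributeStatement to {name: [values]} plus the subject NameID.

    CAVEAT: a real RP-STS verifies the XML signature, Issuer, Conditions and
    Audience before trusting any claim; that is deliberately out of scope here.
    """
    assertion = find_assertion(xml_text)
    claims = {"nameid": [assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)]}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


# Attribute mapping: incoming attribute name -> outgoing claim type.
# Anything not listed is dropped (deny by default), so telephoneNumber never leaks.
DEFAULT_MAPPING = {"mail": EMAIL_CLAIM, "memberOf": ROLE_CLAIM}

# Constructed identity store for the lookup half of claims transformation.
IDENTITY_STORE = {"jdoe": {"department": "Engineering"}}


def transform_claims(claims, mapping, store):
    """Rename mapped attributes to claim types, drop the rest, and enrich
    from the identity store keyed by the subject identifier."""
    out = {"nameid": list(claims["nameid"])}
    for name, values in claims.items():
        if name in mapping:
            out.setdefault(mapping[name], []).extend(values)
    for name, value in store.get(claims["nameid"][0], {}).items():
        out[name] = [value]
    return out


if __name__ == "__main__":
    raw = claims_from_message(WS_TRUST_RSTR)
    print(transform_claims(raw, DEFAULT_MAPPING, IDENTITY_STORE))
```

The same assertion parses identically from either carrier, which is the point Patrick makes about “SAML Tokens” versus the SAML Web SSO protocols. The deny-by-default mapping is the check worth keeping: only attributes you have explicitly mapped become claims the application will authorize on.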

Thursday, May 13, 2010

They’re back! CLEAR is back.

Nearly a year later and CLEAR is back! And, they are excited to exceed your expectations.
CLEAR is back and under new ownership. We are transforming the CLEAR service, and with it your travel experience. For those of you who are not familiar with CLEAR please click here to learn more about us.

For our existing members, we appreciate your patience and loyalty. It is important for you to know that we will honor your remaining membership terms. The new CLEAR is a customer centric company - we want to rebuild it with you and for you.

Please click here to provide us with your current information and we will keep you up to date on the details of our progress.

The new CLEAR team is excited to exceed your expectations.
Last year I blogged a couple of times about CLEAR:
The new CEO is Caryn Seidman Becker. I couldn’t find out much about her or the new backers. In any case I really doubt I’ll be re-joining CLEAR. Why not?
  1. The airlines control priority lanes at most airports. At most airports I can jump to the front of lines or join an “express” line with my airline status.
  2. At some airports the CLEAR lane would merge into other lanes so you really didn’t get a jump on things.
  3. The TSA has done a much better job of speeding things up and the rotten things about security you will still be subject to whether you have CLEAR or not – like full body scans (aside: I prefer the European full-body pat down!).
  4. CLEAR is not owned or run by the government. How long does Caryn last before we go through this again?
  5. CLEAR is not everywhere – certainly not in my home airport of Seattle. Oh, and it was closed everywhere. Now they have to re-build their network. Can they be successful? Who knows.
Last but not least: My CLEAR membership expired. By what right does the new company “get” my retinal scans and biometrics? Perhaps Ms. Becker could state in the FAQ what they are going to do with expired membership data. It’s unCLEAR what will happen to the data of former members who do not re-join:

Q: Is my personal data safe?
A: Our member’s biographic and biometric data has been stored in a secure facility since June 2009, when the former company shut down. In the next 30-60 days, that data will be transferred to another secure facility governed by the appropriate safeguards.

Q: How will the new CLEAR be handling privacy issues?
A: We will publish a privacy policy reflecting the information practices of the new CLEAR program. By opting in, former CLEAR customers may join the new program, at which time their personal information will be governed by the new privacy policy. In the meantime, we will abide by the terms of the privacy policy issued by Verified Identity Pass, the former owner of CLEAR.

I just don't see the value anymore - sorry CLEAR.

Wednesday, May 12, 2010

Top 10 IAM Challenges for Heterogeneous Enterprises

Enterprise Journal has published a two-part series I authored on this topic on their website.
An enterprise with a complex, heterogeneous environment faces many challenges when it comes to identity and access management (IAM). Too many identities and directories; inconsistent password policies across systems; diverse, time-consuming auditing processes; too much repetitive manual work; and the ever-increasing need to stay on top of compliance regulations are among the huge challenges faced by IT in an environment of multiple operating systems and applications.
This first part of a two-part series examines:
  • Multiple identities and directories
  • Single sign-on
  • Synchronization
  • Inconsistent password policies across systems
  • Traditional Unix directories (NIS) vs. compliance
The second part takes a look at:
  • Auditing
  • Entitlement management
  • Excessive manual/repetitive work
  • Compliance
  • Original purchase versus original expectations

Take a look and I hope you enjoy it.

Wednesday, May 05, 2010

Update: Extend your Corporate Active Directory Boundary to your Blackberry!

I blogged earlier on this topic here. Now that Research In Motion's WES 2010 conference is over, the slides from the session are available here. In a nutshell, the benefit of the Quest/RIM partnership is all about extending single sign-on capabilities to BlackBerry® phone users and BlackBerry administrators. Here are some of the details:
  • Use Active Directory to authenticate your BlackBerry phone and achieve single sign-on
  • Authenticate to AD from your BlackBerry phone and become a trusted network user
  • End-to-end authentication between users and backend services without logging in from your BlackBerry phone
  • Single sign-on for BlackBerry Enterprise Server administrators when they access the BES console
All of this was enabled through the use of Quest Single Sign-on for Java. One of the key benefits of Quest Single Sign-on for Java is its support for Microsoft’s Kerberos extensions (S4U2Self and S4U2Proxy). These extensions let the BES server obtain a Kerberos service ticket on behalf of the end user, so every request to a backend service – like when you access an application via the BlackBerry – runs in the security context of the end user rather than under a shared service account. So what’s the end result?
  1. BES administrators will have single sign-on to the BES console. No need to enter their credentials.
  2. BlackBerry users will have single sign-on to internal corporate resources via their phone’s browser. No need to enter their credentials.
Cool stuff!
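The flip side of S4U2Self and S4U2Proxy is that an account configured for them (constrained delegation with protocol transition) can obtain a ticket for any domain user to the services it is allowed to delegate to, without that user's credentials, so the delegation settings on a front end like the BES service account deserve regular review. As an added example, not code from Quest, RIM or the slides, here is a small audit that classifies accounts by delegation type from the two userAccountControl bits involved (TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION, values per MS-ADTS) and the msDS-AllowedToDelegateTo attribute, then diffs them against an allow-list. The directory records and the allow-list are constructed for illustration; in practice you would feed it the same attributes pulled from AD via LDAP.

```python
"""Added example: audit Kerberos delegation settings on AD service accounts.
Not the product's code; the account records and allow-list are constructed."""

# userAccountControl bits (MS-ADTS).
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition (S4U2Self)
NORMAL_ACCOUNT = 0x00000200

# Constructed LDAP-style records: attribute name -> value(s).
ACCOUNTS = [
    {"sAMAccountName": "svc-bes",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/intranet.corp.example",
                                  "HTTP/intranet.corp.example:8080"]},
    {"sAMAccountName": "svc-legacy",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc-web",
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "svc-plain",
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
]

# Constructed allow-list: account -> (expected delegation type, permitted SPNs).
EXPECTED = {
    "svc-bes": ("constrained-protocol-transition", {"HTTP/intranet.corp.example"}),
}


def delegation_type(account):
    """Classify an account by what the KDC will let it do on users' behalf."""
    uac = account["userAccountControl"]
    targets = account.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"                 # forwarded TGTs, any service
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        # S4U2Self + S4U2Proxy: tickets for any user, but only to listed SPNs.
        return ("constrained-protocol-transition" if targets
                else "protocol-transition-without-targets")
    if targets:
        return "constrained-kerberos-only"     # S4U2Proxy only; user must have
                                               # authenticated with Kerberos
    return "none"


def audit(accounts, expected):
    """Return (account, finding) pairs for anything outside the allow-list."""
    findings = []
    for account in accounts:
        name = account["sAMAccountName"]
        kind = delegation_type(account)
        spns = set(account.get("msDS-AllowedToDelegateTo", []))
        if kind == "unconstrained":
            findings.append((name, "unconstrained delegation: can impersonate "
                                   "any authenticating user to any service"))
        if name not in expected:
            if kind != "none":
                findings.append((name, "%s delegation not in allow-list" % kind))
            continue
        expected_kind, expected_spns = expected[name]
        if kind != expected_kind:
            findings.append((name, "expected %s, found %s" % (expected_kind, kind)))
        extra = spns - expected_spns
        if extra:
            findings.append((name, "unexpected delegation targets: %s"
                                   % sorted(extra)))
    return findings


if __name__ == "__main__":
    for account_name, finding in audit(ACCOUNTS, EXPECTED):
        print("%-12s %s" % (account_name, finding))
```

Run against the constructed data it flags the extra port-8080 SPN on svc-bes, the unconstrained svc-legacy account, and the undocumented delegation on svc-web, and stays quiet about svc-plain. The practical rule it encodes: an account with protocol transition is as sensitive as the services in its msDS-AllowedToDelegateTo list combined, so that list should be short, explicit and reviewed.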

Tuesday, May 04, 2010

European Identity Conference - Hot Topics for 2010

Below is the list of key topics that Martin Kuppinger laid out today in his keynote. Many of the conference sessions center on them, and it is also a good guide to what Kuppinger Cole will be covering throughout 2010 as part of their research…

Key Topics 2010 – by Martin Kuppinger
• How to create value by the Cloud
• How to deal with privacy
• How to reach enterprise GRC maturity
• How to benefit from convergence
• How to optimize your investments
• How to improve information security
Five Hot Topics in IAM
1. User-centric, Privacy, national eID cards
2. Privileged Access Management – integrated
3. Versatility and Context
4. Externalization of all 4 A’s
5. IAM in enterprise architectures
Five Hot Topics in GRC
1. Closing the loop – from detective to preventive controls
2. Information governance – beyond access
3. Extending governance for a hybrid IT
4. Enterprise GRC architectures – bridging the gap between business and IT
5. Organizational development for enterprise GRC
Five Hot Topics in Cloud Computing
1. Understand what’s really in it for you in cloud computing
2. Hybrid clouds
3. Cloud mesh-ups, community clouds, industry clouds
4. Cloud governance – services, risks, security and identity
5. Cloud resource planning based on service management

Monday, May 03, 2010

Webcast: Cross-platform Identity Management

We have a webcast coming up on this topic – details are below. You can register here to attend.

A Key Path to Maximum ROI and Efficiency Gains
Date: Wednesday, May 12, 2010
Time: 2:00 p.m. Eastern to approximately 3:30 p.m. Eastern

Identity Management is critical in today's complex, heterogeneous enterprises. There are key challenges to be met in the areas of efficiency, security and compliance. As your organization grows and becomes more complex, your IT department must adapt and efficiently accommodate the increasing technology needs.

Cross-platform identity management can help you address many of these challenges. The first step on your path to successful identity management is to pinpoint current identity sources and map their lifecycle -- how they are created, deleted and managed. Once that is accomplished, you can look for gains to be made in efficiency, consolidation, security and compliance.
This webcast will give you valuable insight into what an assessment of your environment should accomplish, what to look for and what to expect in terms of an actionable plan to improve the environment going forward.

You will learn best practices and key issues to look for in:
- Your current environment and processes
- Reducing the number of Digital Identities and Directories
- Automating Digital Identity Administration
- Leveraging existing Identity Management to increase ROI

The presentation and demonstration portion of the webcast will last for approximately one hour, followed by a live Q&A session.

European Identity Conference 2010

I’ll be at the EIC 2010 conference in Munich this week. I’m sure that I’ll have a few interesting posts as a result of sitting in the sessions. The EIC is one of the best identity conferences out there so I’m looking forward to it. It’s also nice to see the various European vendors that are in the IAM space and I’m looking forward to seeing who is in attendance. If you’re at the EIC please say hello and drop by our booth. I hope to see you there!

Success Chasing a Single Password in Higher Education

I came across this really interesting article about InCommon, Shibboleth and higher-education institutions, and how, when you mix them all up, you can achieve single sign-on and eliminate passwords. Basically, a number of higher education institutions have gotten together to use federation amongst themselves as a means of sharing information without the need for yet more passwords. So far, more than 150 higher-education institutions are federated together.

This is a really good example of successful federation and what can be achieved if you have a common purpose and goal. Obviously a bit easier amongst higher-education institutions, but just the same it was a challenge for those involved.
Professors, staff members, and information-technology officials at all sorts of colleges share one vision of utopia: a campus with single sign-on. It's the idea that a person needs only one user name and password combination, or one set of credentials, to access every digital service an institution provides.

But the reality, most often, is that users must keep track of different sets of credentials for different services. For instance, a professor has easy access to an online journal the college subscribes to, but might need different identifying information to get onto a grading system.

A number of institutions, reaching for that utopia, have joined a nonprofit group called InCommon, founded in 2005. It includes more than 150 higher-education institutions and a lesser number of software companies, database providers, and other organizations.

Joining InCommon gives colleges software with a shared standard that allows a secure single sign-on. When outside companies, like library-database providers, comply with that standard, colleges find it easier to work with them.
I think the part that caught my attention was Microsoft’s membership in InCommon and how they are supporting Shibboleth and InCommon in their efforts:
Microsoft just gave some institutions one more reason to join. Although the company has been a member of InCommon for about three years, it is expanding its software applications that work with Shibboleth. By early next year, its Live@edu services, which many colleges use for e-mail and other programs, will be compatible. (Google Apps for Education, a rival e-mail service, is not available through InCommon.)
You should check out InCommon’s web site if you have a chance. They are definitely doing good work there.

Sunday, May 02, 2010

Number of iPads sold: 1,366,675

That’s what it said over at Chitika Labs when I wrote this at 5:21AM Munich time. How do they do that, you ask? It’s explained here and below:
• We count how many new, unique iPads we see coming through the Chitika advertising network
• We multiply that by how much of the Internet we see at any given time to figure out how many iPads in total are out there
• We look at where iPad traffic is coming from by state
An interesting stat is that 20% of all iPads have been sold in California.

I know one could argue how accurate Chitika’s numbers are, but the fact of the matter is that without Apple’s direct comments on the number of units sold this is one of the few real metrics I’ve seen out there, and in the absence of other metrics this becomes the metric. Let's see what happens in a few days when the iPad 3G starts to ship!