Planet Identity (PId) mostly runs itself, thanks to Sam Ruby's excellent Planet Venus; usually, the only maintenance required is to add new subscriptions as folks submit interesting feeds. Very rarely I remove a feed from PId, usually because it's dead, but occasionally because the feed content doesn't quite 'fit' PId. Over the past few days a couple of people mentioned that Dave Kearns' IdM Journal, while a fine selection of links to relevant content, seems out of place amongst the 'primary source' articles at Planet Identity. I agreed, and, Dave having no objection, I've removed IdM Journal from PId. If you want to continue receiving IdM Journal, just point your feed reader at http://feeds2.feedburner.com/idmjournal/LhRB.
Do feel free to leave any suggestions for PId in the comments here, and have a good weekend, identity folk!
Flashing through the ether this morning was a press release covering OpenSSO Express 8 and OpenDS SE 2.0. Since OpenDS SE 2.0 was released a week or two ago, my colleague Ludo Poitou has documented its arrival and some of its new features in a series of blog posts:
Ludo calls out assured replication, an extension to the existing loose consistency multi-master replication feature that brings tighter consistency of data between replicas, as the biggest innovation in OpenDS 2.0; I know it's making an impact because, the very next day after OpenDS 2.0 was released I was approached by an attendee at the Community Leadership Summit singing its praises!
Over in OpenSSO-land, we're putting the finishing touches to OpenSSO Express Build 8, due for release in a couple of weeks' time. This release will include our new Mobile One Time Password feature, the Fedlet for .Net, a new task flow for enabling single sign-on to Salesforce.com and a whole host of other goodies, so watch this space for its availability!
So, what's an Express Build? Well, as I mentioned when we released OpenSSO Express Build 7, back in April, Express Builds are supported 'snapshots' of development between full 'OpenSSO Enterprise' releases, allowing customers to get support on new features without waiting months for the full release. The key difference between Express builds and Enterprise builds is that fixes to Express builds are rolled into the next Express build, along with new features, while Enterprise builds have 'bug fix only' service packs and hot patches available for paying customers. Obviously, Express builds aren't for everybody, but we're finding that they work well for a lot of folks. There's lots more information and a FAQ at the OpenSSO wiki.
I blogged last week about Sun's hospitality suite at the Burton Catalyst conference in San Diego later this month (July 29th to be exact). I included a priority code in that post that would get you a discount off Catalyst conference registration; well, with a bit of digging I've unearthed the code that will get you a pass to get into the hospitality suites (NOT the sessions, mind) absolutely free (and, as we all know, there's nothing better than free, right?). Just register at the Burton site with super-duper secret priority code sun1du0w - and, shhhhh - don't tell them you got it here 😉
There's DIDW, IIW and even the SSO Summit, but, for me, the premier identity conference of the year is still Burton Catalyst. I've been going since (if I remember correctly) Burton Catalyst Europe, 2002, in Munich, and it's always a great industry gathering, with thought provoking sessions and fun hospitality suites (so much better than an expo floor!).
This year, from July 27th-31st, Catalyst returns to San Diego, at the Hilton San Diego Bayfront Hotel, and Sun's identity team, as usual, is hosting its very own hospitality suite, on the evening of Wednesday July 29th. The theme for 2009 is Hip Hop - East Coast vs West Coast.
We'll have a break-dancing crew, 'signature East Coast/West Coast munchies', a whole bunch of demos, one-to-ones with Sun's identity domain experts (and me), and much, much more. It promises to be a VERY fun night. If you haven't yet registered for Catalyst, here's some good news, Burton are offering discounts on registration for 'Sun friends' - register at the Burton site with super-secret priority code sunFriend and we'll see you on the night!
Switching gears slightly, it was at my very first Catalyst, at Munich, back in 2002, that I first met Don Bowen, then (again, if my memory serves me) technical product manager for Sun Directory Server. We worked together in product management for a couple of years, and remained very close friends when I returned to engineering in early 2005.
If you know Don at all, you'll be aware that he's been fighting brain cancer since late 2007. In characteristic Don style, he's not taking it lying down, but battling away in great spirit, documenting the journey in regular blog entries. It's inspiring stuff, and puts most people's day to day travails into pretty sharp perspective. Anyway, the good news... make that GREAT news, is that Don will be at Catalyst this year, and a few of us have organized a post-hospitality suite get together to share a few beers and (if past experience is anything to go by) a lot of laughs with Don. It's on Wednesday July 29th, the same night as the Sun hospitality suite, at Henry's Pub, 614 5th Ave (between G St and Market St), about 15 minutes walk north of the Hilton. Full details are at the Meetup page we created for the event. Please RSVP if you're planning on joining us!
UPDATE Eve also covers the Project Concordia workshop being held on the Monday: Use Cases Driving Identity in Enterprise 2.0: The Consumerization of IT and the Cloud SSO Interop Demo, in which Sun is participating with OpenSSO. Two more reasons to be in San Diego the last week of July!
To recap the scenario:
Suppose two companies, Acme and Omega, enter into a federation agreement, whereby employees of Acme will be able to access a service at Omega using their Acme credentials. There are two scenarios here for federated provisioning.
Acme decides that they are not going to decide beforehand which employees are allowed to access Omega's service. Instead, a link to the service is available on Acme's intranet, and whenever a user decides to go to the service, they should be given an account. In this case, no pre-provisioning is taking place. Instead, the provisioning has to occur in real time, when the user accesses the service via the intranet link for the very first time.
The idea here is that when Omega's federation server encounters the incoming SAML token for a new user, it would recognize that the user does not have a federated account, and send the SAML token to Omega's provisioning server. The provisioning server would create the account right then and there, and return the necessary result to the federation server so that the federation server can proceed to grant the user access.
Now, in my Liberty-tinged version, when sending a new user to Omega, Acme includes a reference to their Employee Profile (EP) service - essentially the service's endpoint URL - in the SAML assertion. This endpoint reference serves as both a description of where to find the service and permission for Omega (when sent as part of the signed SAML assertion) to invoke that service.
On receiving the assertion, Omega sends a signed request to the EP service, the request containing the SAML assertion it just received. Now, the EP service knows that Omega is entitled to access that employee's data, since it has a signed SAML assertion, issued by Acme itself, that says exactly that (via the presence of the EP endpoint reference). The EP can return exactly the data required (this will have been configured according to the underlying contract between Acme and Omega).
Finally, if desired, the EP can leave a marker in the employee's account that says 'account provisioned at Omega', so that Acme doesn't send the EP reference in every SAML assertion. Alternatively, Acme could deliberately send the EP reference every time. Or even reset the marker when the employee's account changes in a significant way (say, her purchasing limit is changed) so Omega can fetch the new employee data.
In scenarios where manual intervention is required on the Acme side, the EP service can return a response that says "Come back later", and the Omega service relays that to the user.
Of course, de-provisioning is a different kettle of fish, but the advantage of federated access to services is that, once the employee is gone from the Acme end, he has no way to access the Omega service anyway, so de-provisioning is a little less urgent than if the employee were logging in to Omega directly.
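The Acme/Omega flow above, as an added example that is not part of the original post: Acme's IdP issues an assertion that carries the EP reference until the 'provisioned at Omega' marker is set, Omega provisions on first use by calling the EP with that signed assertion, and the EP releases only the contract-configured attributes or answers "come back later". The key, endpoint URL, employee records and contract attributes are constructed, and an HMAC over canonical JSON stands in for the XML-Signature on a real SAML assertion.

```python
import hashlib, hmac, json
# Constructed example: HMAC over canonical JSON stands in for the XML-Signature on
# a real SAML assertion; key, URL, employees and contract attributes are made up.
ACME_KEY = b"constructed-acme-signing-key"
EP_ENDPOINT = "https://ep.acme.example/profile"
CONTRACT_ATTRS = {"mail", "displayName", "purchasingLimit"}  # what the contract lets Omega see
ACME_DIRECTORY = {  # Acme records; 'provisioned_at' is the marker the post describes
    "alice": {"mail": "alice@acme.example", "displayName": "Alice", "purchasingLimit": 5000, "ssn": "never-released", "provisioned_at": set()},
    "bob": {"mail": "bob@acme.example", "displayName": "Bob", "purchasingLimit": 100, "ssn": "never-released", "provisioned_at": set()},
}
NEEDS_MANUAL_APPROVAL = {"bob"}  # Acme must approve these before Omega gets a profile
OMEGA_ACCOUNTS = {}  # Omega-side: federated accounts created so far

def sign(payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ACME_KEY, body, hashlib.sha256).hexdigest()

def verify(assertion):
    return hmac.compare_digest(sign(assertion["payload"]), assertion["sig"])

def acme_issue_assertion(user):
    # Acme IdP: carry the EP reference only until the marker says Omega has provisioned.
    payload = {"issuer": "acme", "subject": user}
    if "omega" not in ACME_DIRECTORY[user]["provisioned_at"]:
        payload["ep_endpoint"] = EP_ENDPOINT
    return {"payload": payload, "sig": sign(payload)}

def acme_ep_service(requester, assertion):
    # Acme EP: the signed assertion carrying the EP reference *is* the authorization.
    payload = assertion["payload"]
    if not verify(assertion) or payload.get("ep_endpoint") != EP_ENDPOINT:
        return {"status": "denied"}
    if payload["subject"] in NEEDS_MANUAL_APPROVAL:
        return {"status": "come back later"}
    rec = ACME_DIRECTORY[payload["subject"]]
    rec["provisioned_at"].add(requester)  # set the marker
    return {"status": "ok", "profile": {k: rec[k] for k in CONTRACT_ATTRS}}

def omega_receive(assertion):
    # Omega federation server: grant, provision on first use, or relay the EP's answer.
    if not verify(assertion):
        return "rejected"
    user = assertion["payload"]["subject"]
    if user in OMEGA_ACCOUNTS:
        return "granted"
    if "ep_endpoint" not in assertion["payload"]:
        return "rejected"  # unknown user and no permission to fetch a profile
    resp = acme_ep_service("omega", assertion)
    if resp["status"] == "ok":
        OMEGA_ACCOUNTS[user] = resp["profile"]
    return "granted" if user in OMEGA_ACCOUNTS else resp["status"]
```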
Like I said, ID-WSF has been around for years. Perhaps it hasn't had much adoption because businesses weren't encountering the problems that it solves. Seems like that might change now...
For some reason, James has a bee in his bonnet over referential integrity and LDAP. I'm really not sure where he's coming from here - both OpenDS and OpenLDAP offer referential integrity (OpenDS ref int doc, OpenLDAP ref int doc), and Sun Directory Server has offered it for years (Sun Directory Server ref int doc). Does this answer your question, James, or am I missing something?
By the way, if you're wondering about the title of this post, it's an allusion to the mighty Half Man Half Biscuit's 1986 track Architecture and Morality, Ted & Alice, which itself was a play on the titles of Orchestral Manoeuvres in the Dark's 1981 album Architecture & Morality and the 1969 movie Bob and Carol and Ted and Alice. If there was any justice in the world, there'd be a neat link back to the world of identity here, but there isn't, so there's not...
Crack Sun identity management field operatives Paul Walker and Joachim Andres have put together an amazing demo of Sun's identity stack working with Sun xVM and Secure Global Desktop to provision (and disable!) 'Desktops in the Cloud' to end users. It's an integration tour de force, bringing together a whole slew of Sun products into a whole that is much more than the sum of its parts. Cool soundtrack too - well worth 12 minutes of your time. Oh - and make sure you view 'full screen', so you can properly see what's happening - there's quite a lot going on!
At DIDW 2008 last September, Daniel Raskin, Nick Wooler and I, among others, recorded a series of videos covering various aspects of identity management. I just went and watched the first in the series - a fascinating discussion between Daniel and Felix Gaehtgens of Kuppinger Cole - 'Open Source in Identity'.
One thing I noticed, on looking through the series, is that the number of views varies widely between the videos - from as little as 22 to more than 4000. There's some great stuff in there, well worth watching, so here are all the videos, have a browse through and see what takes your fancy...
Open Source in Identity - Felix discusses the advantages of identity management in open source with Daniel Raskin.
Identity Bus - Felix chats with Daniel about varying industry perspectives on the identity bus and Sun's Security Token Service.
Social Networking & Identity: Platforms Power - Nick Wooler and I talk about the impact social networking has had on identity management.
Safeway's Benefits of Sun Identity Management - Paul Rarey, Chief Architect for Safeway, talks with John Barco about the benefits Sun identity management has provided to this retailer.
OpenSSO Enterprise and Sun Master Data Management Suite - Daniel talks with David Codelli from the JavaCAPS team about Sun's MDM Suite and the benefits of having a single customer view.
Identity and Access Management Deployment Best Practices - Sun's Saryu Nayyar visits with Steve Curtis of PricewaterhouseCoopers about practices for both new and existing customers.
A Discussion on Role Management with The 451 Group - 451 Group Analyst, Steve Coplan, talks with Sun's Sachin Nayyar about the Why, the What and the Where of role management.
Sun IDMBuzz Tv: Federation and OpenSSO: Connecting the Dots - Julio Tapia hosts a roundtable discussion on Federation and OpenSSO with Steve Curtis from PricewaterhouseCoopers and Daniel Raskin from Sun.
Identity and Access Management Trends and Strategy - Identity experts, John Barco and Sachin Nayyar discuss the trends and strategies in identity management.
OpenSSO and Glassfish: A Match Made in Heaven - Daniel talks with Glassfish Engineer, Doug Strickland, about synergies between identity and glassfish.
Access Certification: A Critical Identity-based Control - Listen to Sun Sr. Product Line Managers Nick Crown and Craig McDonald discuss the importance of Access Certification and the introduction of Sun Identity Compliance Manager.
Sun IDM Buzz TV: Sun OpenSSO Enterprise - Daniel and I discuss how this solution solves three tough challenges.
The good people at the Computer Security Institute have invited me to speak at their CSI 2008 conference as part of an Identity 'summit panel' considering topics in the field of identity, federation and security. Jim Nelson of New Mexico State University is moderating the panel, with John Petze of Privaris, Robert Richardson of the Computer Security Institute and Pamela Dingle of Nulli Secundus also speaking. If you have a taste for the CardSpacey side of digital identity, Pamela's name will be very familiar from her work at OSIS.
Although the conference site lists the summit as running from 11:00am - 5:00pm on Monday, November 17th, 2008, my understanding is that the panel sessions will run 11am-noon, 1:45pm-2:45pm, and 4pm-5pm. Come along and see where the conversation takes us!