Talisker Distillers Edition – finished in Jerez Amoroso wood

With an annoying cold on my chest, tonight seems like a night for Talisker – that most warming of single malts. I have the ‘Distiller’s Edition’ – distilled in 1986 and finished in casks that previously contained Jerez Amoroso. Talisker is the Isle of Skye’s only distillery, and has a reputation for fiery, peppery malts. The Distiller’s Edition is mellowed by the sherry finish, but the fire is definitely still there. I’m afraid, due to my cold, I can’t report on the ‘nose’, but from recollection, it has a nutty, toffee aroma. Tasting it, the toffee is definitely there, giving way to pepper with a hint of seaweed. The pepper continues in the finish with a salty seaside tang.
If the regular Talisker is a bit much for you (are you listening, Ken?), this might be just your cup of tea – sorry, glass of malt. Mmmm – I feel better already!

HP takes swipe at Sun/Microsoft SSO proposals

I’m a little disappointed to read this article quoting Sai Allavarpu, HP’s director of product management and marketing for security and identity. The article says

According to Sai Allavarpu, […] despite the labeling and promotion, the specs do not promote interoperability at all.

This is pretty disingenuous stuff. Yes, several vendors support multiple protocols, but, and this is the important bit, without this effort, Microsoft would likely have brought Longhorn to market supporting only WS-Federation. Clearly these specifications promote interoperability between Microsoft and the rest of the identity management industry.
Yes, it is possible to support multiple protocols at the identity provider without these new protocols, and Sun’s Access Manager does just that with its support for multiple versions of Liberty ID-FF and SAML, but the “negotiation” specs, as Sai terms them, do have real value in a world where federation standards are evolving and identity and service providers will change their sets of supported protocols over time.
It’s a mistake to see these two specifications as the end of Sun’s interoperability efforts with Microsoft. To quote one of the greatest Britons of all time: “This is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.”

Blogroll update

Finally I have time to post some links to blogs and news feeds which I have recently discovered…

  • Chuck Mortimore. What can I say? Super-deployment engineer on Access Manager (then called Identity Server) when I moved onto the product – a sad loss to Sun when he moved to Green Giant, or whatever they’re called.
  • Eric Norlin is VP of Strategic Marketing at Ping Identity. I got to meet Eric at Digital ID World last week – a nice guy and always a good read.
  • Jamie Lewis is the CEO and Research Chair of the Burton Group – network/identity industry analysts. When I first got into identity management proper, as product manager of Sun’s Meta-Directory, I spent the first two weeks on the job just reading Burton reports – a very efficient way to get up to speed.
  • Anyway – Lauren Wood’s day job is senior technical program manager in the CTO’s office, but she still finds time to help me out with web page layout for demos – most notably last week’s Sun/Microsoft web single sign-on demo.
  • Discovering Identity promises to be essential reading – Mark Dixon is a practice lead in Sun’s Identity Management sales practice.
  • tnt are Trusted Network Technology. It would be difficult to meet a nicer bunch of guys – hi Derek, Dave, Bob, Doug – and really cool technology to boot. They attach an identity token to packets at the IP level, then filter them throughout the network. A company to watch.
  • Good Morning Silicon Valley – my daily dose of tech news. Always entertaining.

Sun/Microsoft Press Conference

Well – it’s done. I’ve been involved in the web single sign-on interoperability work with Microsoft since the beginning of the year – four and a half months of painstaking specification work, designing a demo, going on vacation while the real engineers built the demo (BIG kudos to Emily for the protocol work and Lauren for the web pages on our side, Ryan on the MS side – the demo worked flawlessly and looked great!) then a final flurry of work on the demo script and rehearsals for the big day.
Watch the webcast – I’m presenting the demo with Don Schmidt of Microsoft. There’s a press release (if that’s your sort of thing) and a factsheet. The actual specs are online at Sun and Microsoft. I’m not going to repeat any of that here. I will say that it is somewhat nerve-wracking giving a live presentation just 6 feet from Steve Ballmer and Scott McNealy! AND – there is no truth in the rumour that I am Steve Ballmer’s ‘good twin’…
I’ve read blogs and comments that represent this as Sun moving from open to proprietary standards. This is emphatically not the case. The big news, as I see it, is that customers now have a way to implement SSO with the upcoming Active Directory Federation Services that would otherwise not exist. These specifications are published and will be submitted to a standards process, so other identity management vendors can implement them or not as they see fit.

Digital ID World this week

This is my schedule for Digital ID World this week:


1pm – ?pm

Bottoms Up Identity Meeting (Pacific A)


6pm – 9pm

Opening Reception (Sun Booth)


10am – 1:30pm

Booth Duty (Sun Booth)


1:30pm – ?pm

Wandering about, dipping in and out of sessions

Unfortunately, I have other commitments on Wednesday and Thursday (just too much going on right now!), so I can’t be up in SF those days.
So, come over to the Sun booth and debate linguistic function, privacy and the Liberty Alliance Project, desktop single sign-on to federated partners, or just say “Hi!”.

Groups and Roles

Rohan Pinto posts on the subject of groups and roles. Following on from Rohan’s excellent description, there is one more salient detail. Roles and Groups are implemented (at least in Sun’s Directory Server) in very different ways:

  • A group contains a collection of member DNs. Navigating from a group object to its members is very fast. Finding the groups to which a given object belongs requires a search. The classic use for a group is a mailing list. Given a list name, I need to find the members so I can forward the email to them.
  • By contrast, a member object contains a list of DNs representing the roles to which it belongs. Navigating from an object to its roles is very fast. Finding the members of a role requires a search. The classic use for a role is in (surprise, surprise!) role-based access control. Given a user, I need to find the roles so I can provide access to appropriate resources.

There is much more to it than that – here is an excellent reference to groups and roles in Sun’s Directory Server – but the description above should help guide you in deciding between groups and roles for a particular application.
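To make the asymmetry concrete, here is an added example (my own toy, not code from the post or from Sun’s Directory Server): a tiny in-memory directory loaded from constructed LDIF, with one function per navigation direction. The attribute names uniqueMember and nsRole, and all the sample DNs, are assumptions; the point is which lookups are a single attribute read on one entry and which have to scan the whole tree, the way an LDAP search would.

```python
"""Groups vs. roles: which direction is a cheap attribute read and which needs a search.

Toy in-memory directory. Attribute names (uniqueMember, nsRole) are assumed, and the
sample entries below are constructed for this example."""

SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
nsRole: cn=admins,dc=example,dc=com
nsRole: cn=staff,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
nsRole: cn=staff,dc=example,dc=com

dn: cn=dev-list,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: dev-list
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse simple LDIF (no continuation lines, no base64) into {dn: {attr: [values]}}."""
    directory, entry = {}, {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                directory[entry["dn"][0].lower()] = entry
                entry = {}
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return directory

def group_members(directory, group_dn):
    """Group -> members: one attribute read on the group entry (fast, mailing-list case)."""
    return directory[group_dn.lower()].get("uniqueMember", [])

def groups_of(directory, member_dn):
    """Member -> groups: equivalent of searching the tree for (uniqueMember=<dn>)."""
    return [dn for dn, e in directory.items()
            if member_dn.lower() in (v.lower() for v in e.get("uniqueMember", []))]

def roles_of(directory, member_dn):
    """Member -> roles: one attribute read on the member entry (fast, RBAC check)."""
    return directory[member_dn.lower()].get("nsRole", [])

def role_members(directory, role_dn):
    """Role -> members: equivalent of searching the tree for (nsRole=<dn>)."""
    return [dn for dn, e in directory.items()
            if role_dn.lower() in (v.lower() for v in e.get("nsRole", []))]
```

For an access-control decision you want roles_of (one entry read at login); for a mailing-list fan-out you want group_members. The two "search" functions are the expensive directions and are what you pay for if you pick the wrong structure.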

Not really a gauntlet…

Eric Norlin at PingID commented on my response to PingID’s recent press release on federation-enabling Windows logon. I wasn’t really throwing down the gauntlet, more pointing out the – shall we say – exaggeration that (quoting from the press release)

This makes it possible, for the first time, to provide seamless single sign-on access to remote resources and applications across autonomous security domains and corporate boundaries – from the Windows desktop logon via SAML.

I am a nice guy, really, Eric. If you’re going to be at Digital ID World next week then do stop by the Sun stand and say “Hi!” – that goes for anyone reading this. I’ll be there every day – if you want to chat and I’m not on the stand when you’re passing, then ask one of the other Sun folks when I’ll be around.

Back to the Californian Sunshine

As you’ll have guessed from the recent silence here, I’ve been on vacation. We spent a couple of weeks in England, wrapped around the Liberty sponsors’ meeting in Dublin. Some of the highlights:

  • Day-old piglets at Chatsworth Farmyard.
  • Gibbons, tamarins, orangutans and much more at Twycross Zoo.
  • The National Railway Museum (the world’s biggest) in York.
  • Alexander (our younger son – 9 months old now) had a naming ceremony at Overton Grange in Shropshire.
  • Staying at Karen’s mum’s cousin’s cottage in Aston Munslow – a lovely place – check it out if you’re looking for somewhere in England to get away from it all. There is no high-speed internet access and cellphone coverage is spotty at best – wonderful!
  • Dinner at the Hibiscus – one of Ludlow’s many Michelin starred restaurants (in fact, the Hibiscus is one of only 10 restaurants in the UK with two Michelin stars), about 20 minutes from the Malt House.

One of the great things about having kids is that you have an excuse to do fun things like look at piglets, monkeys and railway engines. I love it! :) Of course, one of the not-so-great things about having kids is that trips to Michelin-starred restaurants are rather rare. Many thanks to Karen’s parents Ann and Tony for having the boys for the evening.