Access Manager 7.0 Documentation Collection
Great free tool for burning ISOs to CDs/DVDs on Windows XP, 2003 etc. Right-click, Copy Image to CD – job done!
Eric S. Raymond’s rant about CUPS – I mean that in the best possible way.
Interesting project – runs Linux on Windows. Quite cool, but is it redundant with VMware (and its free player), Xen and the like?
Zoom from a view of the Milky Way at 10 million light years from Earth to an oak tree to cells to subatomic particles. In Java. Cool!
One question that I’m often asked by customers is “How is Sun using the Liberty Alliance Project specifications?”. Well, my stock answer is ‘BIPAC’. The Business Industry Political Action Committee provides expert policy analysis, research and communications on campaigns and elections, and fosters business participation in the political process. Sun employees can access political information on the BIPAC website – who their elected representatives are, their voting record etc.
Now, this is obviously sensitive stuff, with huge implications for privacy. The ‘old way’ of accessing BIPAC would have involved a regular batch process to synchronize identity information from Sun to BIPAC; Sun employees would authenticate at BIPAC with their Sun ID and a BIPAC-specific password. In this old model, BIPAC would know exactly who I was and would be able to build a profile of my activity on the site. Not only that, I’d have another password to remember (or, more realistically, to write on a post-it note and stick to my monitor).
The ‘new way’ of accessing BIPAC authenticates employees at Sun (using Sun Java System Access Manager) and uses Liberty ID-FF to give employees single sign-on to BIPAC. Now – here’s the clever bit – no personal information is transmitted in the single sign-on process. BIPAC have no idea who I am – all they know is that I am an authenticated Sun employee. BIPAC can then use ID-WSF to retrieve a strictly limited set of attributes, including my zip code. So now, all Sun know is that I am a Sun employee in 90210 (well, I can dream). They have everything they need to tell me who my elected representatives are at every level up to Dubya, but no more. They don’t know who I am, since they don’t need to know who I am. This document gives some more detail on the deployment. Here I am demonstrating the system at a Liberty eGovernment Forum last year in Dublin.
Looking at the wider context, this was an ideal first deployment of Liberty for Sun. A real need for Liberty’s privacy features combined with low risk – BIPAC is a valuable service, but not critical to Sun’s core business. Watch this space for news as we roll Liberty and SAML out across Sun’s other business partners, and, if you’re at the RSA Conference next month, be sure to catch Sun’s Yvonne Wilson at IMP-101 ‘Implementing Federated Identity: What Products Do You Need?’. Yvonne is an architect in Sun IT and will be covering our BIPAC integration in her presentation.
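The privacy properties of the ‘new way’ described above, as an added illustration that is not part of the original post and is neither Liberty ID-FF/ID-WSF wire messages nor Access Manager or BIPAC code: the identity provider issues a single sign-on token carrying only an opaque, partner-specific pseudonym and the login method, and an attribute service answers later queries with nothing beyond what a per-partner release policy allows. The directory record, the partner entity IDs, the release policy and the HMAC-based pseudonym derivation are all constructed assumptions.

```python
"""Constructed illustration of pseudonymous federation with minimal
attribute release. Not the Liberty ID-FF/ID-WSF wire format and not
Access Manager code; every name, record and secret here is hypothetical.
"""
import hashlib
import hmac
import secrets
import time

# Hypothetical employee directory, visible only to the identity provider.
DIRECTORY = {
    "emp12345": {"uid": "pat", "mail": "pat@example.com",
                 "cn": "Pat Patterson", "postalCode": "90210"},
}

# Attributes that identify a person; the SSO token must never carry them.
PII_ATTRS = {"uid", "mail", "cn"}

# Per-partner release policy: the only attributes each service provider
# may query. The BIPAC-like partner gets the postal code and nothing else.
RELEASE_POLICY = {
    "https://bipac.example.org/sp": {"postalCode"},
}

IDP_SECRET = secrets.token_bytes(32)  # fresh per process in this demo


def pseudonym(employee_id: str, sp_entity_id: str, key: bytes = IDP_SECRET) -> str:
    """Pairwise pseudonym: stable for one (employee, partner) pair, different
    for every partner, and not reversible without the IdP key. A constructed
    HMAC derivation standing in for a federated name identifier."""
    msg = f"{employee_id}|{sp_entity_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_sso_assertion(employee_id: str, sp_entity_id: str,
                        authn_method: str) -> dict:
    """Single sign-on token: pseudonym, issuer, audience, login method and
    validity window. No directory attribute is copied into it."""
    if employee_id not in DIRECTORY:
        raise ValueError("unknown employee")
    now = int(time.time())
    return {
        "issuer": "https://idp.sun.example/idp",
        "audience": sp_entity_id,
        "subject": pseudonym(employee_id, sp_entity_id),
        "authn_method": authn_method,
        "issued_at": now,
        "not_on_or_after": now + 300,
    }


def attribute_query(assertion: dict, requested: set,
                    key: bytes = IDP_SECRET) -> dict:
    """Attribute service on the IdP side: map the pseudonym back to the
    directory entry (only the IdP can) and return the intersection of what
    was requested and what policy allows for the asking partner."""
    sp = assertion["audience"]
    allowed = RELEASE_POLICY.get(sp, set())
    # Linear reverse lookup; a real IdP would keep a pseudonym mapping table.
    for emp_id, entry in DIRECTORY.items():
        if hmac.compare_digest(pseudonym(emp_id, sp, key), assertion["subject"]):
            return {a: entry[a] for a in requested & allowed if a in entry}
    raise ValueError("unknown subject")


def carries_pii(assertion: dict) -> bool:
    """True if any identifying directory value appears verbatim in the token."""
    values = {str(v) for v in assertion.values()}
    return any(entry[a] in values for entry in DIRECTORY.values()
               for a in PII_ATTRS)


if __name__ == "__main__":
    token = issue_sso_assertion("emp12345", "https://bipac.example.org/sp",
                                "password")
    print("token:", token)
    print("released:", attribute_query(token, {"postalCode", "mail", "cn"}))
```

The pseudonym is stable for one partner and different for every other partner, so two partners cannot correlate the same employee by comparing identifiers. The attribute query returns the intersection of the request and the policy, so a partner that asks for mail or cn as well as postal code simply does not receive them.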
Late last year I recorded a segment for a Sun ‘Net Talk’ feature. The feature – Sun Does Windows – Interoperability Delivered – went live a couple of days ago. Bill Vass (Sun’s CIO), Benjamin Baer (Director, Partner Operating System Marketing), John Tollefsrud (N1 Architect) and Matt Wolf (Senior Product Marketing Manager, Windows on Sun) give an overview of some of the various touch-points between Sun and Microsoft products – I present the Sun/Microsoft Web SSO Interoperability demo in segment 17. This is essentially the same demo that Don Schmidt of Microsoft and I presented back in May 2005, but you get to see more of the actual demo applications this time round. Of course, the rest of the Net Talk is all new, so it’s worth watching in its entirety.
Solaris (and other *nix operating systems) can authenticate users against an LDAP-compliant directory server, such as Sun Java System Directory Server, for login. Sun Java System Access Manager can also authenticate users against an LDAP directory server for web single sign-on, access control and federation. There is an issue in that, by default, Access Manager locks down its Directory Server instance, removing the capability to do anonymous LDAP search and read operations. Unfortunately, this removes the ability for Solaris to authenticate users.
Jeff Nester, a Senior Identity Management Specialist at inSolutions (Dig the retro iPlanet favicon at inSolutions.net, Jeff!) recently wrote a paper explaining how to configure Directory Server and Access Manager so that Solaris and AM authentication co-exist. This allows you to create a single directory entry that enables access to both Solaris and web applications protected by AM.
Useful stuff if you’re trying to consolidate directories and keep passwords consistent across desktop login and web applications. Lots of other goodies at Jeff’s site too – must try the tips for getting a video projector to work on a Toshiba Tecra M2 in Java Desktop System. If that works, I definitely owe you a beer, Jeff.
If you are a product manager in the field of identity management, you’re probably used to having a job title that sounds like a tongue twister – for example, my good friend Eric Leach is the ‘Access Manager Product Manager’ (did somebody say “Red Lorry, Yellow Lorry”?). If you have such a tongue-twisting title, or you’d like one, take a look at this job req. The upside – you’d get to be part of Sara Gates’ merry band. The downside – uh – you’d get to be part of Sara Gates’ merry… OK – lame joke, cool job.
James McGovern, Enterprise Architect at The Hartford, posted a series of questions on federation and blogging just before Christmas. My Christmas vacation started just after he posted that entry, so I haven’t had a chance to respond before today. So – here goes… Remember the disclaimer: these thoughts are my own and do not necessarily reflect the official line of Sun Microsystems, the Liberty Alliance or, indeed, reality. Oh – and my cut’n’paste didn’t preserve links in the quotations from James’ original. Sorry.
Pat Patterson of Sun, commented on one of my comments I left in his blog and only partially responded to my rant that folks in the blogging community need to take an enterprise view to identity and not just evangelize the Liberty Alliance…
I think you’re mischaracterizing the ‘blogging community’ a little there, James. I don’t see Kim Cameron doing much evangelizing on behalf of Liberty.
Figured the best way to make my point would be to ask these same bloggers to respond in their own blogs, answers to the following questions:
- The Liberty Alliance is a wonderful organization that is working towards interoperability but doesn’t have as a charter the notion of community formation as this typically occurs within a specific industry vertical. Examples include the SAFE initiative in pharma and Securities.Hub on Wall Street. Do bloggers who work for software vendors have any duty to enable (or at least talk about) the notion of best practices around community formation at an industry vertical level? If so, do they strictly talk in terms of case studies of what has occurred in the past or provide guidance to verticals that haven’t yet walked this path?
Wow. Well, personally, I certainly don’t feel qualified to enable or talk about best practices in community formation at an industry vertical level. In a previous life, I was involved with Identrus, a consortium of financial institutions working first to enable global authentication of business partners, then to establish a secure payment initiation system, but I worked on the architecture and implementation of the specs. (Heh – I just found this on the Identrus site. The iPlanet brand is long gone, of course, as are some of the listed products. I worked on iPlanet Trustbase Transaction Manager, the last version of which end-of-lifed in Feb 2003.) Anyway – perhaps Robin Wilton, also a Trustbase alumnus, would have a few thoughts on vertical community formation, since he was more on the business side of things.
- Identity Bloggers pretend that notions such as Sarbanes Oxley don’t exist (or at least never mention them). Do they think that federations also need the notion of attestation? If so, don’t you think this will become an impediment to corporate adoption of federated identity for many verticals?
Have you read Sara Gates’ (Sun’s VP of identity management) blog recently? Sara is very interested in Sarbox and compliance – in fact, she wrote this article recently comparing compliance demands to seatbelt laws.
I think that identity management has a huge part to play in compliance. In fact, Sun has a product dedicated to auditing compliance – Identity Auditor. You are spot on in highlighting the need for attestation in federation. I think this will be an area that Liberty will turn to in future.
- SAML 2.0 is a good move to increase interoperability and should be implemented in all security oriented products. Maybe you can tell us why within the enterprise we should use SAML 2.0 between say Active Directory and RACF vs. sticking with tried and true approaches such as Kerberos?
You use the appropriate tool for the job. Where there is a tried and true approach then use it. For example, if you are implementing single sign-on between some group of websites in the same internet domain, then it would be madness to use SAML 2.0 rather than simply deploying a web-based access management product such as Sun’s Access Manager. However, if you are implementing single sign-on between siloed (silo’d?) divisions of an enterprise, each with its own identity management infrastructure, or between an enterprise and a trading partner, then SAML 2.0 is the appropriate tool for the job.
- The Liberty Alliance can only point to a handful of Fortune 100 enterprises (non-software) that have joined. Its primary makeup is most of software vendors. Maybe you could tell us why an Enterprise Architect that works for a Fortune 100 enterprise would request for next years budget the annual dues for membership vs spending it in other areas?
Well – one motivation would be to redress the balance. Seriously, though, with Liberty membership you’re buying a voice in the standards-setting process – the ability to ensure that enterprise concerns are heard.
- Do you think that enterprises are well-served by consolidating identity stores vs keeping them spread all over the place and doing SAML? If consolidation is a good thing, why wouldn’t it be a good idea to consolidate identity within Active Directory?
Consolidation is a great thing, though I would counsel Sun’s Directory Server over Active Directory, of course. However, consolidation isn’t always possible:
- In the case of an acquisition or merger, consolidation can be a costly and time-consuming process. It’s still worthwhile, but often an interim solution is needed to bridge identity infrastructures.
- Legislation may preclude consolidation – for instance, a multinational corporation may not be able to store all identity data in one location. Or even provide access to more than a strict subset across national boundaries.
- Consolidation isn’t always feasible – Radovan Semančík talks about this in a recent blog entry.
So – I would say, consolidate as far as possible (or sensible) and use federation to bridge to disparate environments.
- Should SXIP, LID and SAML exchange tokens from one system to those in another or should they continue to do their own thing with their own tokens? If the latter, could this really be considered an identity metasystem according to Kim Cameron’s laws of identity?
Ah – user-centric identity. I can’t really comment here – I keep an eye on what folks like Sxip and Netmesh are up to (e.g. YADIS), but I can’t pretend to any expertise. Chuck Mortimore (Sxip) and Johannes Ernst (Netmesh) (to pick two almost at random) are much better qualified than I am to speak on these issues. And, of course, the mighty Kim Cameron would be best placed to judge whether this is a metasystem according to his definition.
- If you want corporations to embrace the notion of federated identity, wouldn’t it require more than simple “look at me” interoperability demos and for all the vendors in this space to create some publicly available notion of “reference architecture” above and beyond what exists in Project Liberty?
We’ve done some work in this area, but much more remains to be done. Yes, I know that particular paper addresses a set of telco use cases, but the principles apply across industry boundaries.
- Acknowledgement that not all problems are technology related and consider asking the Liberty Alliance to take on social / governmental issues related to identity in the same way that Richard Stallman does for the Free Software Foundation. Examples include mechanisms that will allow an industry vertical to form communities without the appearance of collusion. What about certain countries such as Italy that create laws that violate current thinking on identity? Have you seen this article?
Have you been to the Liberty website recently? There are vertical industry sections on Identity Theft Prevention, Healthcare, Guidelines on subjects from the implications of EU Data Protection and Privacy Law for Establishing a Legal Framework for Identity Federation to federation enabling 401(k). This is all there for the taking – no membership required.
Liberty Alliance’s Public Policy Expert Group “drives dialogue with global government and nongovernment groups concerned with the many issues pertaining to identity and data management”. For instance Benefits of Federated Identity to Government.
Read Robin Wilton’s Esoterica for regular articles on social / governmental issues relating to the Liberty Alliance, Sun and identity management in general.
- More thinking on how identity changes based not on the person but their interaction? Examples may include the notion of “six degrees of separation” or minimally the practice of role affiliation?
Not a topic I can really address in a bullet point reply, but, yeah – interesting. Is a role an identity?
- How should we think about SmartCards within our own infrastructure and how it plays with federated identity? I know MS is doing this for their own employees.
Well, smartcards as an authentication mechanism play nicely with federated identity. A SAML assertion can (in fact, usually does) identify the mechanism by which the user authenticated, so architecting systems that require smartcard authentication to access a given set of resources is perfectly possible.
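An added example, not code from the original post, of the point just made: a service provider reads the authentication context recorded in a SAML 2.0 assertion and admits only smartcard-authenticated sessions to designated resources. The assertion text and the per-resource policy are constructed; the authentication context class URIs are the standard SAML 2.0 ones. Signature and Conditions validation are assumed to have passed before this check runs.

```python
"""Added example: a service provider enforces per-resource authentication
strength from the AuthnContext of a SAML 2.0 assertion. The assertion text
and the resource policy are constructed; the class URIs are the standard
SAML 2.0 ones. Signature and Conditions checks are assumed done already.
"""
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SMARTCARD_PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
PASSWORD_TLS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Hypothetical policy: acceptable authentication context classes per path.
RESOURCE_POLICY = {
    "/payroll/": {SMARTCARD_PKI},
    "/intranet/": {SMARTCARD_PKI, PASSWORD_TLS},
}


def make_assertion(authn_class: Optional[str], subject: str = "opaque-1") -> str:
    """Constructed minimal assertion. Passing None omits the AuthnStatement,
    to show how the SP treats a token that does not say how the user
    logged in."""
    stmt = "" if authn_class is None else f"""
  <saml:AuthnStatement AuthnInstant="2006-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{authn_class}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>"""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2006-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">{subject}</saml:NameID>
  </saml:Subject>{stmt}
</saml:Assertion>"""


def authn_context_class(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef text, or None if the assertion has no
    authentication statement."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or not ref.text:
        return None
    return ref.text.strip()


def authorize(assertion_xml: str, path: str) -> bool:
    """Default-deny check: the request path must match a policy entry and the
    assertion's context class must be one that entry accepts."""
    ctx = authn_context_class(assertion_xml)
    for prefix, allowed in RESOURCE_POLICY.items():
        if path.startswith(prefix):
            return ctx is not None and ctx in allowed
    return False


if __name__ == "__main__":
    for cls, path in [(SMARTCARD_PKI, "/payroll/run"),
                      (PASSWORD_TLS, "/payroll/run"),
                      (PASSWORD_TLS, "/intranet/news")]:
        print(path, cls.rsplit(":", 1)[-1], "->", authorize(make_assertion(cls), path))
```

The policy is default-deny in both directions: an unlisted path is refused, and an assertion with no authentication statement (or an unknown class) never satisfies a listed one, so a password login cannot reach a resource that the policy reserves for smartcard holders.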
- Should we have a mechanism for discovery of capabilities for various identity systems? Should it be YADIS? Something else?
Good question. Is this what Kim’s metasystem will turn out to be? Will YADIS do this? Is there room for more than one metasystem? In that case, do we need a metametasystem???
- Any thoughts on how federated identity can integrate with Digital Rights Management?
I’m going to play the “not Sun’s opinion” card here… In the light of Sony’s recent DRM nightmares, I think DRM needs a total rethink. Can DRM work at all? Should content providers’ business models change to reflect the realities of the digital world?
- Any thoughts on how Liberty Alliance can embrace the notion of a Virtual Personality?
- What if we decided to externalize identity and put it on a spacecraft headed to Pluto? Don’t take this question seriously.
I’d go back to coding technical analysis systems. Don’t take this answer seriously.
- How come pretty much all of the identity bloggers don’t support trackback in their blogs? Is it because they haven’t yet figured out how to protect their own identity or that of others?
The short answer is trackback spam. I provide trackback links. Sometimes they work. Sometimes the spam load is so heavy we just turn them off. There is no easy solution right now. I believe the user-centric guys are working on this…