Great tutorial by Malla Simhachalam and Marina Sum on securing web services using NetBeans 5.5 and Sun Java System Access Manager.
From Orhan Alkan comes this report of Turkcell deploying mobile strong authentication with Sun Java System Access Manager. Orhan and his colleagues in the Sun Turkey Professional Services team developed a custom authentication module to handle the signature validation in Access Manager.
Orhan was kind enough to give me some more detail by email: the subscriber’s private key is in the SIM, so it is portable across phones. Authenticated subscribers can access all of Turkcell’s web-based customer applications including billing, enabling services such as international calls and roaming and changing rate plans, and even access their accounts at banks such as Garanti, Akbank and Isbankasi.
Recalling an earlier entry on Turkcell’s ID-WSF pilot – they certainly seem to be in the vanguard of mobile operators when it comes to identity.
Thanks to Charles for this pointer (and to Dennis for pointing it out): David Goldsmith does a great job in this video explaining the problems inherent in the proliferation of online identities and how federation and Sun’s product line (Sun Java System Access Manager and Sun Java System Federation Manager) address them. After working through a couple of real-world examples, David goes on to provide useful definitions of common federation buzzwords, such as ‘circle of trust’, ‘identity provider’ and ‘service provider’. Well worth watching if you want to get up to speed quickly! Click here for the video.
I just uploaded the slides from my RSA Conference presentation last week: Federated SOA: Harmonizing ID Security and Web Services.
A few words of explanation on the opening slides… Sara Gates was originally booked to present in this slot. As you almost certainly already know, Sara left Sun a little while ago, and I inherited her slot. So, my opening gimmick was to introduce myself as Sara and then say “Of course, I’m not Sara, you can see and hear that, but how could a Web service tell the difference?”. It was spoilt a little on the day by the RSA Conference announcer introducing me as Pat Patterson, but I made the point that if I had tried to introduce myself as Sara…
Anyway, in the presentation, I start from the position of unprotected web service interactions, working through transport-layer security via TLS/SSL to point-to-point message-layer security to Liberty Alliance’s Identity Web Service Framework (ID-WSF), pointing out the different properties of each level. The session was recorded – I’m not sure if the recording will be publicly available, but, if so, I’ll update this entry with a URL when it goes online.
Over at VoidStar, Julian Bond writes about the long slow death of AllOfMP3. I think AllOfMP3 had the model about right, apart from the fact that it was never clear whether the artists actually got any of the proceeds. Julian wonders:
So what now? Investigate their competitors or just switch back to the P2P networks?
I’ve been using emusic for the past couple of weeks and, I have to say, I’m very happy with it. Everything is available in un-DRMed MP3; the selection is very skewed towards indie/alternative, but that just suits me fine.
System security on the One Laptop per Child’s XO laptop
It being RSA week, the news comes thick and fast… I’ve just seen the press release announcing that the Government of Norway has deployed a whole slew of Sun hardware and software, including Access Manager and Federation Manager, for its pioneering citizen portal, MinSide (English translation: MyPage). Quoting from the press release:
[…] the MinSide [MyPage] portal will roll-out six initiatives that will enable secure, browser-based access to healthcare, tax, motor vehicle registration, social security, student loans and many other government services.
As part of the solution, Sun Java(TM) System Access Manager and Sun Java(TM) Federation Manager help the Norwegian government manage secure access to services by offering single sign-on (SSO) as well as enabling federation across trusted networks of government agencies, service providers and customers. It provides open, standards-based authentication and policy-based authorization with a single, unified framework. This improved security framework is based on the Liberty and SAML standards to protect all aspects of the portal.