OpenSSO Tab Sweep – Feb 27 2009

Wow – it’s been nearly 7 weeks since the last tab sweep, not so much due to a lack of OpenSSO news, quite the reverse – so much going on that I’ve not had 2 minutes to sit down and document it. Anyway, here we go…

That wraps it up for February. Watch out for more exciting OpenSSO news coming soon!

XACML and SAML – a Match Made in… 2005

Over at NetworkWorld's Security: Identity Management Alert, Dave Kearns weighs in on the ongoing federated provisioning debate with Federated provisioning could exist. While Dave is right to highlight the promise of the Liberty Alliance's Identity Governance Framework (IGF), he is way off the mark regarding XACML and SAML. Dave writes:

Some have suggested that XACML (eXtensible Access Control Markup Language) might be the answer. But it […] suffers from the same problem as SPML (no interaction with SAML) […]

This is patently not true! Four years ago, OASIS defined the interaction between XACML and SAML in SAML 2.0 profile of XACML v2.0 [PDF], part of the XACML 2.0 specification set. Since then, SAML/XACML has been implemented in a range of products, including Sun OpenSSO Enterprise, with interoperability between seven vendors’ products demonstrated at the OASIS XACML Interop Demo (held at the RSA Conference, April 2008).

XACML and SAML, best buddies since February 2005 🙂

Verizon Wireless on Improving Security and User Experience with Sun Access Manager

Last November, at the Gartner Identity and Access Management Summit 2008 in Orlando, FL, Damo Bashyam of Verizon Wireless (VZW) gave a presentation titled ‘Simplify Identity Management to Improve Security and Online Customer Experience’; Daniel just pinged me to say that this presentation is now online, along with the associated slides, and what a presentation it is!

If you’re looking for marketecture, then move on; if you want to know how the largest wireless telecommunications network in the United States is using Access Manager (the old name for OpenSSO Enterprise) in a high-scale, high-availability deployment, then it’s all here, in just 23 minutes. Some of the numbers are staggering: over 40,000,000 users, 1,000,000 logins per day, peaking at 4,000 logins per minute. VZW deployed Access Manager into two data centers, with session failover within each data center and multi-master replication between six Sun Directory Server instances.

The preso and slides detail all this and the business benefits to VZW – for me, given my focus on federation, one highlight was the fact that they have extended single sign-on to 25 third-party application service providers (ASPs), 12 of them in a single night with just 4 hours (planned) downtime for the cutover. Another interesting aspect is that this is a Sun stack, top-to-bottom, so VZW have just one throat to choke in the event of an issue, with no inter-vendor finger pointing. Damo describes it as a partnership – one that has brought real and lasting benefits for both partners.

So… go download the slides, make yourself a nice cup of tea, and spend a few minutes watching the preso:

Federated Provisioning – Liberty to the Rescue???

I thought I’d throw my hat into the ring of the current federated provisioning discussion (Ian, Nishant, Ian again, James) …

Looking at the contentious #2 in Nishant’s post, the Liberty Alliance standardized one approach to this several years ago with ID-WSF.

To recap the scenario:

Suppose two companies, Acme and Omega, enter into a federation agreement, whereby employees of Acme will be able to access a service at Omega using their Acme credentials. There are two scenarios here for federated provisioning.

[…]

Acme decides that they are not going to decide beforehand which employees are allowed to access Omega's service. Instead, a link to the service is available on Acme's intranet, and whenever a user decides to go to the service, they should be given an account. In this case, no pre-provisioning is taking place. Instead, the provisioning has to occur in real-time, when the user accesses the service via the intranet link for the very first time.

The idea here is that when Omega's federation server encounters the incoming SAML token for a new user, it would recognize that the user does not have a federated account, and send the SAML token to Omega's provisioning server. The provisioning server would create the account right then and there, and return the necessary result back to the federation server so that the federation server can proceed to grant the user access.

Now, in my Liberty-tinged version, when sending a new user to Omega, Acme includes a reference to their Employee Profile (EP) service – essentially the service’s endpoint URL – in the SAML assertion. This endpoint reference serves as both a description of where to find the service and permission for Omega (when sent as part of the signed SAML assertion) to invoke that service.

On receiving the assertion, Omega sends a signed request to the EP service, the request containing the SAML assertion it just received. Now, the EP service knows that Omega is entitled to access that employee's data, since it has a signed SAML assertion, issued by Acme itself, that says exactly that (via the presence of the EP endpoint reference). The EP can return exactly the data required (this will have been configured according to the underlying contract between Acme and Omega).

Finally, if desired, the EP can leave a marker in the employee’s account that says ‘account provisioned at Omega’, so that Acme doesn’t send the EP reference in every SAML assertion. Alternatively, Acme could deliberately send the EP reference every time. Or even reset the marker when the employee’s account changes in a significant way (say, her purchasing limit is changed) so Omega can fetch the new employee data.

In scenarios where manual intervention is required on the Acme side, the EP service can return a response that says "Come back later", and the Omega service relays that to the user.

Of course, de-provisioning is a different kettle of fish, but the advantage of federated access to services is that, once the employee is gone from the Acme end, he has no way to access the Omega service anyway, so de-provisioning is a little less urgent than if the employee was logging in to Omega directly.
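To make the exchange concrete, here is an added example (my own toy model, not OpenSSO or Liberty code) of the flow above, in Go. Ed25519 signatures stand in for the XML Signature on a real SAML assertion, small JSON structs stand in for the SAML and ID-WSF messages, the EP is called in-process rather than over HTTPS, and the EP endpoint URL, the employee records and the Acme/Omega names are all constructed for the demo. What it does keep is the trust argument: the EP releases data only when the request from Omega carries an assertion that Acme itself signed, that names Omega as the audience and that contains the EP reference, and it then leaves the 'provisioned at Omega' marker so Acme stops sending the reference until something significant changes.

```go
// Toy model of the ID-WSF-style just-in-time provisioning flow described above (added example, not OpenSSO
// code). Ed25519 stands in for XML Signature; JSON structs stand in for SAML and ID-WSF messages.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// EPEndpoint is the hypothetical Employee Profile service that Acme advertises in its assertions.
const EPEndpoint = "https://ep.acme.example/employee-profile"

type (
	Assertion struct { // minimal stand-in for a SAML assertion; EPReference present = Audience may call the EP
		Issuer, Subject, Audience string
		EPReference               string `json:",omitempty"`
	}
	Signed     struct{ Assertion Assertion; Sig []byte }       // Sig is Acme's signature over canonical(Assertion)
	Profile    struct{ Name string; PurchasingLimit int }      // the contract-scoped subset Omega is entitled to
	Employee   struct{ Profile; ProvisionedAt map[string]bool } // ProvisionedAt: "provisioned at <partner>" markers
	EPRequest  struct{ Requester string; Assertion Signed }    // carries the assertion Omega just received
	EPResponse struct{ Status string; Profile Profile }        // Status: "ok", "pending" (come back later), "denied"
	// The three parties. partnerKeys are exchanged under the Acme/Omega contract; Pending lists subjects that
	// need manual approval on the Acme side; OmegaSP.ep stands in for an HTTPS call to EPEndpoint.
	AcmeIdP                struct{ priv ed25519.PrivateKey; Pub ed25519.PublicKey; Employees map[string]*Employee }
	EmployeeProfileService struct{ idp *AcmeIdP; partnerKeys map[string]ed25519.PublicKey; Pending map[string]bool }
	OmegaSP                struct{ priv ed25519.PrivateKey; acmePub ed25519.PublicKey; ep *EmployeeProfileService; Accounts map[string]Profile }
)

func canonical(v any) []byte { b, _ := json.Marshal(v); return b }

// Issue includes the EP reference only while the partner has no marker for this employee; clearing the marker
// (say, after a significant change such as a new purchasing limit) makes Acme send it again.
func (idp *AcmeIdP) Issue(subject, audience string) (Signed, error) {
	emp, ok := idp.Employees[subject]
	if !ok {
		return Signed{}, errors.New("unknown employee " + subject)
	}
	a := Assertion{Issuer: "acme", Subject: subject, Audience: audience}
	if !emp.ProvisionedAt[audience] {
		a.EPReference = EPEndpoint
	}
	return Signed{a, ed25519.Sign(idp.priv, canonical(a))}, nil
}

// Handle is the EP's side: the request is trusted because it carries Acme's own signed assertion naming both
// the requester and the EP reference. On success the marker is left so Acme stops sending the reference.
func (ep *EmployeeProfileService) Handle(req EPRequest, reqSig []byte) EPResponse {
	pk, known := ep.partnerKeys[req.Requester]
	a := req.Assertion.Assertion
	emp := ep.idp.Employees[a.Subject]
	switch {
	case !known || !ed25519.Verify(pk, canonical(req), reqSig): // 1. request signed by a known partner
		return EPResponse{Status: "denied"}
	case !ed25519.Verify(ep.idp.Pub, canonical(a), req.Assertion.Sig): // 2. assertion really issued by Acme
		return EPResponse{Status: "denied"}
	case emp == nil || a.Audience != req.Requester || a.EPReference != EPEndpoint: // 3. for this partner, with permission
		return EPResponse{Status: "denied"}
	case ep.Pending[a.Subject]: // manual intervention needed on the Acme side
		return EPResponse{Status: "pending"}
	}
	emp.ProvisionedAt[req.Requester] = true
	return EPResponse{Status: "ok", Profile: emp.Profile}
}

// Login is Omega's side: validate the assertion, then call the EP only when Acme included the reference.
func (sp *OmegaSP) Login(s Signed) (string, error) {
	a := s.Assertion
	if a.Audience != "omega" || !ed25519.Verify(sp.acmePub, canonical(a), s.Sig) {
		return "", errors.New("invalid assertion")
	}
	if _, exists := sp.Accounts[a.Subject]; a.EPReference == "" {
		if exists {
			return "access granted (existing account)", nil
		}
		return "", errors.New("no account and no EP reference: cannot provision")
	}
	req := EPRequest{Requester: "omega", Assertion: s} // the received assertion is the proof of entitlement
	switch resp := sp.ep.Handle(req, ed25519.Sign(sp.priv, canonical(req))); resp.Status {
	case "ok":
		sp.Accounts[a.Subject] = resp.Profile // create or refresh the local account
		return "access granted (account provisioned)", nil
	case "pending":
		return "", errors.New("come back later")
	}
	return "", errors.New("provisioning denied")
}

// Setup wires the three parties with fresh keys and constructed demo data (bob needs manual approval).
func Setup() (*AcmeIdP, *OmegaSP, *EmployeeProfileService) {
	apub, apriv, _ := ed25519.GenerateKey(rand.Reader)
	opub, opriv, _ := ed25519.GenerateKey(rand.Reader)
	idp := &AcmeIdP{apriv, apub, map[string]*Employee{
		"alice": {Profile{"Alice Example", 5000}, map[string]bool{}},
		"bob":   {Profile{"Bob Example", 1000}, map[string]bool{}},
	}}
	ep := &EmployeeProfileService{idp, map[string]ed25519.PublicKey{"omega": opub}, map[string]bool{"bob": true}}
	return idp, &OmegaSP{opriv, apub, ep, map[string]Profile{}}, ep
}
```

Call Setup, then Issue and Login in sequence: the first login for an employee goes via the EP and creates the account, the second carries no EP reference and never touches the EP, a subject on the Pending list gets "come back later", and a tampered assertion, an assertion for another audience, or an EP request without a valid partner signature is refused. Because the EP checks Acme's signature on the embedded assertion rather than trusting Omega's word, Omega cannot manufacture an entitlement it was never given. Left out for brevity: assertion lifetime and replay checks, the SOAP/WS-Security framing that ID-WSF actually uses, and a per-contract attribute filter, which here is simply the fixed Profile struct.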

Like I said, ID-WSF has been around for years. Perhaps it hasn’t had much adoption because businesses weren’t encountering the problems that it solves. Seems like that might change now…

OpenSSO Deployments Around Europe

News from Europe of some interesting OpenSSO deployments… First, in France, Capgemini has been working with Valeo, a major manufacturer of automotive components, to replace a Lotus collaborative platform with Google Apps (plus a set of custom web applications) for over 30,000 employees. If you’ve been keeping up with Superpatterns, you’ll have guessed what they’re using to provide Valeo employees with single sign-on across the whole set of web apps… Yep, OpenSSO. This French story gives some more detail [PDF].

A couple of stories came out of Norway last year on their government-to-citizen and government-to-business systems, MinID (My ID) and Altinn respectively. In April, the Norwegian Ministry of Government Administration and Reform published 'Clearing the PIN Code Chaos on Public Web Sites', describing how citizens had to manage a large number of usernames, passwords and PINs to access Norway's various government department websites. Then in July, Accenture won the contract to implement the next generation of Altinn. The 'eID-interoperability hub' and 'advanced security solution' mentioned in the articles? You guessed it... OpenSSO.

OpenSSO – powering single sign-on and federation all around the world…

Attend an OpenSSO Community Day, Save €€€!

As Daniel just blogged, attendees at our second OpenSSO Community Day, to be held at the Deutsches Museum in Munich on May 5 2009, can get a 20% discount on their registration for the European Identity Conference 2009, which is kindly hosting us during their conference week. Just quote OPENSSO when you register and you'll get the discount. As Daniel says "We will be passing an attendance list to Kuppinger-Cole so you need to show up to our community day to get this discount".

Meanwhile, looking at our first OpenSSO Community Day, in New York City, on March 17 (yes, St Patrick’s Day; no, that wasn’t intentional – honest!) we blew past our original estimate of one man and a dog and had to move it to a bigger room. We’re now in the Shorin Performance Studio on the 8th floor of the Kimmel Center.

Currently leading in the unofficial “furthest travelled attendee” contest for New York looks to be Kimimasa, flying in from Japan. Can anyone beat that? Any OpenSSO community members in Perth, Australia?

OpenSSO Community Day 2.0 – Munich – May 5 2009

You asked, we listened… the next OpenSSO Community Day is in Europe!

After I announced the NYC OpenSSO Community Day, one of the most frequently asked questions was “Can we do an OpenSSO community day near me?”, with many requests coming from the other side of the Atlantic. So… we got together with our friends at Kuppinger Cole and are pleased to announce… OpenSSO Community Day 2.0!!!

Hosted by the European Identity Conference 2009 at the Deutsches Museum in Munich, Germany, and sponsored by Sun Microsystems, this is another opportunity for OpenSSO contributors, deployers and users to come together in an informal 'unconference' setting.

Being an unconference, the only rigid item on the agenda will be to decide at 9am on the sessions for the rest of the day. You can show up and talk about any OpenSSO-related topic you like. Maybe you have an interesting deployment, a new extension or a nagging question – sessions can be discussions as much as presentations. Now, that doesn’t mean that there need be zero preparation – if you have a session in mind, go to the wiki and add it there, so folks can get an idea of the likely content ahead of time. We’ve already posted a few ideas.

All are welcome, attendance is free, and lunch will be provided. We’ll likely adjourn to a nearby bar at the end of the day to continue the conversation 🙂

We’re using meetup.com to manage the registration process – just join the OpenSSO group and RSVP!

OWASP Hartford: February 2009

Just blogged by my good friend James McG:

The next meeting of the Hartford CT chapter of OWASP will occur on February 10th and will feature Mary Ruddy of Project Higgins along with Ramesh Nagappan of Sun.
OWASP events are 100% free to attend. Help spread the word…

Funnily enough, I’ve definitely met Mary, but I’m not sure I’ve ever met Ramesh. I won’t get to see him next week, either, since Hartford is about 3,000 miles away from me, but you definitely should, if you’re in the area…

Referential Integrity, Ted & Alice

For whatever reason, James hasn’t moderated-in my comment on his Random Thoughts for 2009-01-18, so here it is in blog entry form…

For some reason, James has a bee in his bonnet over referential integrity and LDAP. I'm really not sure where he's coming from here – both OpenDS and OpenLDAP offer referential integrity (OpenDS ref int doc, OpenLDAP ref int doc), and Sun Directory Server has offered it for years (Sun Directory Server ref int doc). In each case it's a plugin or overlay that, when an entry is deleted or renamed, removes or updates the DN-valued attributes (member, uniqueMember, owner and so on) in other entries that point at it. Does this answer your question, James, or am I missing something?

By the way, if you’re wondering about the title of this post, it’s an allusion to the mighty Half Man Half Biscuit‘s 1986 track Architecture and Morality, Ted & Alice, which itself was a play on the titles of Orchestral Manoeuvres in the Dark‘s 1981 album Architecture & Morality and the 1969 movie Bob and Carol and Ted and Alice. If there was any justice in the world, there’d be a neat link back to the world of identity here, but there isn’t, so there’s not…