
Ping Talk Blog

Twitter OAuth: Keep your eye on the API

August 31, 2010, John Fontana | IdM, Cloud

So Twitter cut over to OAuth today and as far as I can tell the Earth is still spinning on its axis.

But it is a watershed event for the microblogging service or, in plain language, Twitter-based apps won’t store your password anymore.
 
I've said here before that OAuth's development bears watching as more services cut over to the emerging protocol, which will eventually intersect with current enterprise identity systems – mostly because API access to application components will demand it.
 
Here is how Twitter explains its OAuth moment to application developers:
“You, as the application developer:
  • don't have to worry about exposing the credentials for your users whether through a bug or other means (especially considering that a lot of people use the same password for multiple services);
  • don't have to worry about the user changing their password — a user can change his or her password and the OAuth "connection" to your app will still work;
  • don't have to worry about other applications masquerading as your application - only you can set the byline with your application name;
  • will eventually have access to more APIs from Twitter that will only be available to "trusted" OAuth-enabled applications; and
  • give the @twitterapi team more visibility into the network — you help us plan for capacity, and you help us squash spam and you help us identify bugs."
 
Twitter is on the right track, but it is not a pioneer. It is adopting version 1.0 and is still working on support for version 2.0, a simplified redesign that remains an IETF draft and won’t be finalized until the end of the year. Others, such as Facebook and Gowalla, are already using 2.0.
 
The bottom line here is securing the API. Why? Google and Facebook handle five billion API calls per day. Twitter handles three billion, which is 75% of all its traffic. And more than 50% of Salesforce.com’s traffic is via API.
 
APIs will help users integrate features or data from their SaaS apps with their on-premises systems.
 
Ping is working on OAuth support that our end-users are likely to see by the end of the year to help make such possibilities come true.
 
In addition, Ping’s principal engineer Brian Campbell is already working through the IETF on a bridge between SAML and OAuth 2.0 that will allow a suitably structured SAML assertion to be presented to an OAuth authorization server and exchanged for an OAuth access token.
 
From what I am hearing, some of what you should be thinking about in terms of OAuth is how systems manage it.
 
One expert I know told me that concerns may center on making sure the cryptography, negotiation, management of OAuth peer servers, the establishment/honoring/caching of tokens, etc. can be separated from the applications themselves, so it all can be centrally managed/logged/audited.
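To make the two points above concrete, here is an added example; it is not code from this post, from Twitter, or from Ping. It implements the HMAC-SHA1 request signing that OAuth 1.0 uses (RFC 5849) on the client side and the matching verification on the server side, with the secrets held in a signer object that application code only hands the request to, which is the separation the paragraph above argues for. The consumer key, token, nonce, timestamp and status update are constructed sample values in the shape Twitter's API used, not real credentials.

```python
"""OAuth 1.0a HMAC-SHA1 request signing and verification (RFC 5849, sections 3.4 and 3.5).
Added illustration, not code from the post, Twitter or Ping; credentials below are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct_encode(value):
    # RFC 5849 3.6: encode everything outside the RFC 3986 unreserved set; uppercase hex, space -> %20
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    # RFC 5849 3.4.1.2: lowercase scheme and host, drop the default port, no query or fragment
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """params: (name, value) pairs from body and oauth_* header (no oauth_signature); query is merged in."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True)) + list(params)
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in pairs)  # sort after encoding
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct_encode(base_string_uri(url)), pct_encode(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret):
    # Key is the two encoded secrets joined by '&'; the user's password never enters the computation
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def parse_authorization(header):
    # 'OAuth k="v", k2="v2"'; values are percent-encoded, so splitting on ',' is safe
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    items = (item.strip().partition("=") for item in rest.split(","))
    return {unquote(k): unquote(v.strip('"')) for k, _, v in items}


class OAuth1Signer:
    """Client side: owns the secrets, so the app only hands over the request (the separable, auditable piece)."""

    def __init__(self, consumer_key, consumer_secret, token, token_secret):
        self.consumer_key, self.consumer_secret = consumer_key, consumer_secret
        self.token, self.token_secret = token, token_secret

    def sign(self, method, url, body=(), nonce=None, timestamp=None):
        oauth = {
            "oauth_consumer_key": self.consumer_key,
            "oauth_nonce": nonce or secrets.token_hex(16),
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp or int(time.time())),
            "oauth_token": self.token,
            "oauth_version": "1.0",
        }
        base = signature_base_string(method, url, list(body) + list(oauth.items()))
        oauth["oauth_signature"] = hmac_sha1(base, self.consumer_secret, self.token_secret)
        header = "OAuth " + ", ".join(f'{pct_encode(k)}="{pct_encode(v)}"' for k, v in sorted(oauth.items()))
        return header, base


def verify(method, url, body, header, lookup_secrets, max_skew=300, now=None):
    """Server side: recompute over the request as received; lookup_secrets maps (consumer_key, token) -> secrets."""
    now = time.time() if now is None else now
    try:
        oauth = parse_authorization(header)
        oauth.pop("realm", None)  # realm is not part of the base string
        received = oauth.pop("oauth_signature")
        if oauth["oauth_signature_method"] != "HMAC-SHA1" or abs(int(oauth["oauth_timestamp"]) - now) > max_skew:
            return False  # unsupported method or stale; a real server also rejects a nonce it has already seen
        consumer_secret, token_secret = lookup_secrets[(oauth["oauth_consumer_key"], oauth["oauth_token"])]
    except (KeyError, ValueError):
        return False
    base = signature_base_string(method, url, list(body) + list(oauth.items()))
    expected = hmac_sha1(base, consumer_secret, token_secret)
    return hmac.compare_digest(received.encode(), expected.encode())  # constant-time compare


SAMPLE = dict(  # constructed sample credentials in the shape Twitter's API used
    consumer_key="xvz1evFS4wEEPTGEFPHBog",
    consumer_secret="kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw",
    token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
    token_secret="LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE",
)
URL = "https://api.twitter.com/1/statuses/update.json?include_entities=true"
BODY = [("status", "Hello Ladies + Gentlemen, a signed OAuth request!")]
NONCE, TS = "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", 1318622958


def demo():
    """Sign a status update, verify it as the server would, then show that a changed body fails."""
    signer = OAuth1Signer(**SAMPLE)
    header, base = signer.sign("POST", URL, BODY, nonce=NONCE, timestamp=TS)
    db = {(SAMPLE["consumer_key"], SAMPLE["token"]): (SAMPLE["consumer_secret"], SAMPLE["token_secret"])}
    ok = verify("POST", URL, BODY, header, db, now=TS)
    tampered = verify("POST", URL, [("status", "a different status")], header, db, now=TS)
    return header, base, ok, tampered
```

`demo()` returns the Authorization header, the signature base string, and the two verification results: True for the request as signed, False once the body is changed. Note what the application never holds: the user's password. The server rebuilds the base string from the request it actually received, so any change to the method, URL, query string or body invalidates the signature, and the timestamp window (plus the nonce tracking a real server adds) limits replay.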
 
 
Follow John on Twitter and check out our Identity-Conversation Tweet list
 
   

Came. Saw. Conquered.

August 25, 2010, John Fontana | Customers

One thing I love about technology is getting to talk to people who get dirty up to their elbows in the stuff. I enjoy writing about end-users because once warmed up they usually have some great stories and unique anecdotes to share.

Internally, we have been juicing our efforts to get more customer stories into the flow. So today’s post is as much highlighting one of those end-users – Australian telecom provider AAPT – as it is a kickoff to some customer case studies you’ll see pass through these virtual pages.
 
Specifically regarding AAPT, it is shooting for the cloud, literally, and aiming to be strongest out of the gate with a range of business services, from authentication to storage to reselling Google Apps.
 
The company is cutting its services teeth on internal adoption of Google Apps and Gmail.
 
Internally, the company spent five days rolling out Google Apps to 1,200 users and is in the process of rolling out 1,700 Google Gmail inboxes. User access to those services is secured with a hosted single sign-on service run on PingConnect, a hosted service from Ping Identity.
 
Last year, however, AAPT nearly hit a nasty and potentially embarrassing roadblock. As part of a partnership with Google, AAPT was set to record a television commercial detailing how they rolled out Google Apps and secured it via Single Sign-On.
 
The problem was that the IT architects might have been the last to know, according to David Tarrant, AAPT IT architect and a consultant on the company’s cloud build-out and Google adoption. Ten days before the commercial, IT was informed of the SSO requirement and had not only to roll out software but to pick a product.
 
Parent company Telecom New Zealand had an identity platform built on Sun Microsystems products, said Tarrant, but the estimated time to federate it with the Google platform was 2-3 months.
 
“So I found Ping and we had it done in 3-4 days,” he said. “As soon as I found Ping had a hosted service [PingConnect] that is what I wanted.”
 
But Tarrant acknowledges it was a means to an end. “We didn’t care about SSO, what is important is the same password. You don’t have to learn new passwords. And all of it falls under compliance.” And Tarrant says the Google/Ping strategy saves the IT department $252,000 per year.
 
Now Tarrant is eyeing the Salesforce.com users within the organization as the next project.
 
In parallel, the third-largest telecom provider in the country also is actively building out a commercial offering designed to provide virtual private clouds to customers. The company plans to ramp up services like desktops, applications and email. Tarrant says that should be in full swing in the next 18 months to two years.
 
AAPT owns and operates its own national voice and data network. It provides residential, business, government and wholesale customers with local and long distance voice, mobile, data and internet solutions.
 
 “We don’t want to build our own authentication service we want to use somebody else’s, we don’t want to build our own Google services we want to use somebody else’s, we don’t want to build storage services we want to use somebody else’s,” said Tarrant. “We want to build relationships with cloud providers all over the world.”
 
And how is the cloud services build-out going?
 
In May, Paul Broad, CEO of AAPT made a presentation at the company’s investor briefing day and singled out content delivery and cloud computing as areas targeted to grow, highlighted Q3 as the launch of Google Apps for business users, and named Specialty Fashion Group, Rio Tinto, Austar and WPP Holdings as key new customers.
 
 
 
 

Got trust?

August 24, 2010, John Fontana | Cloud, Internet

This morning I got a reminder why trust is such an important part of the identity architecture that is being constructed as corporations begin to understand concepts from federation to cloud computing.

In fact, why trust is an indispensable tool for any architecture, organization or society.
 
Here in Denver, the city’s safety manager Ron Perea resigned last night after being engulfed in a controversy over the discipline he handed police officers involved in abuse cases involving citizens.
 
Perea told his boss, Mayor John Hickenlooper, that he didn’t think he could rebuild trust with the public after his decision not to fire two police officers caught on video tape beating a young man.
 
"Once he put it in that context, it was hard to argue with," Hickenlooper told the Denver Post. "It would be very difficult to rebuild after all the events of the last four or five days. It would be very hard to rebuild that trust."
 
Three months on the job and Perea, the former head of the Los Angeles office of the U.S. Secret Service, knew that a public that distrusted him made impossible his job of ensuring safety.
 
Without trust, all is lost.
 
The same is true whether you’re protecting the streets of a city or the virtual pipes of a global distributed network.
 
PayPal’s Andrew Nash described to me a few months ago how a collection of trust brokers on the Internet were needed to create any sort of relevant connections online. In other words, without trust between parties, between machines, nothing of significance gets done.
 
A few days ago, a panel of experts on a Webinar on Federal News Radio concluded that trust was indeed the next killer app. They talked about integrity, policies, transparency and just the plain fact that people will need a system that allows them to trust other people.
 
At Ping’s recent Cloud Identity Summit, Accenture’s Mike Neuenschwander told the audience, "If we are going to have an environment of any-to-any and not repave existing partnerships, the industry has to develop a systematic approach to trust."
 
Trust frameworks were a foundational element of the Obama administration’s recent National Strategy for Trusted Identities in Cyberspace (NSTIC).
 
Get yourself plugged into the work of groups like Kantara, InCommon and the Open Identity Exchange (OIX), which was approved by the federal government in early March to certify online identity management providers.
 
Trust me, watch this space.
 
 
 
 

Provisioning searching for door out of no man's land

August 24, 2010, John Fontana | Cloud

Standards-based provisioning, which is lining up to be the next major evolution of cloud computing, is facing some significant gyrations in the near future.

Major players staking major bets on the cloud want to see something get done given that SPML 2 has not garnered any takers. Cloud providers need a standard specification that speaks squarely to their particular use cases.

Large enterprises need reliable, standards-based tools for deploying users en masse to cloud applications in order to preserve cost and agility benefits.

Will the solution eventually be an evolution of SPML (the OASIS Provisioning Services Technical Committee is active again after a near-death experience), or will something different come to pass?
 
Those with provisioning on their minds met in July at the Burton Catalyst Conference as part of a special interest group (SIG). Burton analyst Mark Diodati was tasked with writing up a statement for the group, which he published a few days ago on his blog.
 
The conclusion is that work should revert to the basics, Diodati wrote. “The next iteration of SPML should focus on solving ‘the connector problem’ and provisioning use cases for cloud-based applications.”
 
Diodati said 11 of the 12 participants, which are listed on his blog, agreed that a standards-based provisioning protocol is needed, and that it is best to evolve the SPML standard rather than introduce a new one.
 
Prateek Mishra, product manager for Oracle identity management and a major contributor to the SAML specification, said on the OASIS TC mailing list that Oracle is opposed to a new version of SPML. “This is a very large effort and typically takes 3-4 calendar years and dozens of person years to complete.” Oracle would like to evolve SPML and focus on specific use cases that are “important to the community.”
 
But Diodati noted that one SIG participant, Chuck Mortimore from Salesforce.com, had still not made a decision one way or the other.
 
Mortimore is not alone. His stance aligns with some of what I heard at Catalyst.
 
Some of the big cloud vendors are not yet convinced that SPML can meet their requirements. One vendor told me that there is also concern that SPML comes with a lot of baggage.
 
But there is agreement that provisioning is a sore spot for cloud providers who need an answer to customer questions about on-boarding users in an efficient and relatively painless manner. SPML 2 failed at passing the acid test on those requirements.
 
Does a provisioning standard need to be hashed out among an independent group of motivated participants who can set a framework and then move it into a more formalized standards body for critique and refinement?
 
That is how it worked with many of the early SOA standards that Microsoft and IBM developed. Not all survived scrutiny, but many are still around today after going through the wash at standards bodies.
 
The notion of an independent group framing a provisioning specification is a 180-degree turn from the path SPML has taken. The specification was incubated at OASIS.
 
In May, Richard Sand, CEO for Skyworth TTG and the co-chair of the revised OASIS Provisioning Services TC, told me his goal for a “SPML 3.0” would be to ignore compatibility with 2.0 and adopt only “building blocks” from the existing work.
 
He said he would like to simplify some of the use cases and add some higher level ones. In addition, he favors REST over SOAP.
 
But what he needs is support for a majority of the major cloud vendors – including Microsoft, Google and Amazon. None of those companies were part of the Catalyst meeting nor are they currently part of the OASIS TC.
 
Consensus and forward progress needs to come quickly, however.
 
As one vendor told me, “We can’t defer this problem any longer.”
 
Where do you stand? Should SPML be revived and revised? Or should something new be created that might better align with the rise of cloud computing?
 
 
 
 
 

The Ping Concierge

August 20, 2010, Sid Sidner | Communities

Recently I have been meeting lots of people at conferences - customers, strangers, friends of Ping Identity, and various Identerati.  I have been presenting them my business card, telling them that I am the concierge of Ping.  I tell them that although we strive to be an open company and they probably already have contacts within the company, if they have any needs or problems and can’t figure out how to get it worked out, that they should contact me and I’ll run it down for them.  I usually get a smile, a thoughtful look, and then they pocket my card, hopefully for future use.

This is one of the duties that Ping hired me for - to make sure that as we grow, we never lose touch with the world around us.  We want to be the Nordstrom of software companies.   So I’ve been charged to be the person who is always available.  It’s a great job!

Contact me at my virtual desk in the lobby - on my mobile: +1(402)650-1979, by email: ssidner at pingidentity.com, or by Twitter: at tootallsid.


Intel dresses up for cloud security play

August 19, 2010, John Fontana | Cloud

Look who’s looking at security in the cloud (and everywhere else).

Intel today said it intends to acquire McAfee for $7.68 billion, a move that clearly signals that Intel sees security as a platform and not a product set that amounts to sticking fingers in the ever-expanding levee that is the cloud.
 
Intel’s purchase price was a 60% premium on McAfee’s stock price just before the deal was announced. That pretty much defines big bet, as well as the fact it was Intel's largest acquisition ever.
 
There are a lot of strategies and directions hanging off this acquisition, but the secure cloud angle is clearly a major factor. And that includes not only security services, but client-based security as both Intel and McAfee were playing up the mobile implications of their union.
 
Late last year, ABI Research pegged cloud as the disruptive force in the mobile market and said the cloud would become the dominant way in which mobile applications operate.
 
In May, I cited a definition by Christofer Hoff, director of cloud and virtualization for Cisco, who said cloud security has three flavors – in the cloud (infrastructure), for the cloud (securing other services) and by the cloud (used by providers).
 
Can Intel cover all three?
 
Gigaom reporter Mathew Ingram said in his story today: “The McAfee acquisition could allow Intel to offer a way to securely tunnel between client devices and servers in the cloud, with security on a mobile chip as well as on the server side. There’s also McAfee’s software and services business to tap into.”
 
I would only add that eventually Intel has to streamline a standards-based identity piece (authentication/authorization) into the puzzle in order to balance a protect-the-perimeter mentality.
 
Back in 2005, Intel Research was busy working on something they called the Identity Capable Platform Vision, which was described as “a client-based approach to enabling flexible access to any device, network or service through a trusted environment that cooperates with and extends infrastructure-based solutions, including federated models.”
 
Not exactly sure how that all plays out, but the point is they have seen this ball coming for some time. (See the graphic below that frames Intel’s research).
 
McAfee has had its eye on the ball also, buying Trust Digital, a smartphone management and security software company, in March, and announcing earlier this year the McAfee Cloud Secure program, which gives cloud providers and SaaS vendors security testing, business practice review, compliance certification, and ongoing vulnerability evaluation.
 
McAfee said the program was the first step in a vision of securing the cloud ecosystem; now we get to see how it grows from within Intel. And how Intel will line up all the pieces and butt heads with competitors.
 
 
 
 

NEW! Webex Single Sign-On & Account Management Connector

August 19, 2010, Andre Durand | Ping Identity

We just released a new SaaS Connector which enables Single Sign-On (SSO) and user account management for WebEx Meeting Center, the leading online communication and collaboration platform.   In addition to support for user account management, the WebEx Connector includes a Quick Connection template that simplifies and streamlines the SSO and provisioning configuration by pre-populating connection settings, SSO endpoint parameters and provisioning configuration.

Features
  • Quick Connection Template:  The WebEx quick connection template, in combination with SAML 2.0 metadata exchange, streamlines the configuration of a WebEx Meeting Center connection.   Standard configuration parameters are pre-populated within the connection, requiring entry of only site-specific details.
  • User Account Management:  The WebEx SaaS Connector enables user account management, which automatically creates user accounts in WebEx Meeting Center and continually monitors your existing corporate directory for modifications and deletions.

WebEx is the newest in Ping Identity’s family of SaaS Connectors, which provide advanced SSO and user account management capabilities for leading SaaS vendors including Workday, Salesforce and Google.

For additional information check out our WebEx solution page or contact your sales representative.


NEW! IWA & Java SSO Integration Kits

August 19, 2010, Andre Durand | Ping Identity

Java Integration Kit 2.4.1

Ping recently released a new Java Integration Kit for PingFederate. It includes completely rewritten Java sample applications with a focus on providing a reference OpenToken application integration. Buildable source code is included with the distribution. The OpenToken Adapter and Agent remain the same as in the 2.4 kit version.

IWA IdP Integration Kit Version 2.4

The PingFederate Integrated Windows Authentication (IWA) IdP Integration Kit provides an Identity Provider (IdP) adapter for PingFederate. This kit allows a PingFederate IdP server to perform single sign-on (SSO) to Service Provider (SP) applications, based on IWA credentials.

In addition to various bug fixes, version 2.4 of the IWA IdP Integration Kit includes:

  • full NTLM functionality and support for the security policies exhibited by Windows clients and servers; and
  • failover from Kerberos to NTLM authentication when the user is external to the domain.

Kerberos is the stronger of the two protocols, so decide deliberately whether NTLM fallback should be enabled for external users rather than leaving it to the default.

Both Integration Kits are available for immediate use from the Download Page.


One blog's call to free AD

August 18, 2010, John Fontana | Cloud

My colleague Jil Backstrom mentioned the Prudent Cloud blog this afternoon, and with a name like that, I just had to check it out.

In the post that most caught my scanning eye, blog author Subraya Mallya says Active Directory and BizTalk Server are Microsoft products that should be set free in the cloud.
 
I’m not certain what his definition of free is, but I know that Microsoft is thinking hard about bridging technologies between the enterprise and the cloud.
 
The Active Directory many companies know today likely won’t be “free” anytime soon. And likely won’t be going anywhere in the distant future either, unless your company enjoys watching 10 years of build out and IT investment swirl down the porcelain bowl in the office water closet.
 
Last November, Microsoft Identity Architect Kim Cameron showed me the first sketches of the next evolution of Active Directory, a clip-on that helps build a bridge between enterprise and the cloud. I wrote about what he described as a “directory federation” technology here.
 
And here is another article from the Microsoft Developer Network, and another from Kuppinger Cole, on Microsoft’s idea that incorporates a schema called System.Identity and provides a foundation for developers seeking access controls for their .Net applications in the cloud.
 
Microsoft is still in the early development stages, but the work is the beginning of the manifestation of Mallya’s declaration on AD.
 
The “directory,” which Microsoft does not want me to call Next Generation Active Directory, is a modular add-on to AD that is built on a database and designed to add querying capabilities and performance never before possible in a directory.
 
Individual instances of the “directory” can be tuned for specific applications, shielding the corporate directory from schema changes and traffic spikes.
 
While Microsoft is working hard on evolving its directory technology, don’t forget to think about where other tools will leverage this directory, and where support for other identity requirements and cross-platform obligations will fit.
 
There is a big picture here, and AD is only one piece and Microsoft just one vendor in a puzzle for access control and security in the cloud. Stay tuned.
 
 
 
 

Trust - the discussion continues. Part II

August 13, 2010, John Fontana | IdM, Ping Identity

Trust in the digital world is like banking’s five C’s for obtaining credit, according to Hilary Ward, head of managed identity services for Citi Global Transaction Services.

She was speaking Thursday as part of a panel on Federal News Radio trying to answer the question: Is Trust the Next Killer App?
 
For the record, the answer was yes; and the five C’s in banking, the industry where Ward makes her mark, are: character (integrity), capacity (sufficient cash flow to service the obligation), capital (net worth), collateral (assets to secure the debt) and conditions (of the borrower and overall economy).
 
“Trust is knowing who you are dealing with, knowing you can collaborate and knowing they are going to be responsive and have integrity in your interactions,” she said. “Now extend that across enterprise boundaries.”
 
In other words, it’s not an easy problem to solve, but it is one that must be solved, according to Ward and her panel colleagues, John Clippinger, founder and co-director of The Law Lab at Harvard University, and Jeff Voas, a computer scientist at the National Institute of Standards and Technology (NIST).
 
“Trust is not a static property,” says Voas. “It evolves over time. It has to be built into the principals, into online transactions. But what is trust today is not trust tomorrow.  It has to be part of the system. It is not something you glue on [after the fact].”
 
In essence, digital trust can be as fickle, and as fleeting, as it is in inter-personal relationships.
 
“Technology is just a layer,” says Ward. “It is the policies and the ability to have transparency to the rules.” That provides an expectation on how things will happen, which is then backed by a dispute resolution process. “The parties have to feel confident they can resolve issues,” Ward says.
 Michael Farber, Booz Allen Hamilton
Moderator Michael Farber (right), a vice president with Booz Allen Hamilton's IT business, plied the trio with questions ranging from defining trust, to building standards, to understanding transparency, and to determining whether risk management and reputation can scale. (Clippinger and Ward say yes. Voas said he is still pondering.)
 
“One of the challenges I see is that if you believe in trust-as-a-service you have to be accountable to third-parties to enforce that trust,” said Clippinger. “To do that, you have to relinquish some sort of control. I think that is a huge obstacle for most companies.”
 
Gartner says that obstacle will take time to erode. The analyst firm predicts that by next year “third-party providers will offer identity-proofing services and assume limited liability for individual identities,” and that by 2013 “identity-proofing services will be used widely in industry segments with strong assurance requirements.”
 
Coming to grips with such risks throughout trust networks was a recurring theme.
 
“The Internet is the Wild West,” said Voas. “We have a grand challenge in taking the best practices out of [closed] communities and bringing them into [the Internet] community in terms of trust. The human factor is a big challenge. It is people trusting people.”
 
Clippinger said the Law Lab is very interested in reputation systems. “Reputation linked to authenticated identity is going to be very important.”
 
Ward said Citi thinks that it can use identity as “the underpinning of how things are done downstream.”
 
A big impact in all of this, according to the panel, is the emerging user-centric identity model, trust framework organizations like the Open Identity Exchange (OIX), and mobile platforms.
 
“We think mobile devices will be a key to gluing it together,” said Clippinger.
 
Ward said contract law will be a big part of trust. “Accountability will help build a fabric for the [trust] framework.”
 
In the end, the answer to the question “Is trust the next killer app?” was a resounding yes, but no one was discounting the number of variables that need to be considered before the killer is unleashed.
 
 
 
 
