
Ping Talk Blog

Vox's OpenID delegation plan

September 7, 2010, John Fontana | Cloud

John Fontana

(Includes update on Vox's delegation methods)

All right, stow the lawn chairs I mentioned in my previous Vox post.  

While Vox and its OpenID service is definitely going away, it has a plan for delegation of its duties after it shuts down on Sept. 30. But end-users will have an active role in the effort.
 
Those that have OpenID accounts with Vox have until the end-of-the-month to do survival maintenance on their accounts. Those that don’t do the maintenance will get a Bronx cheer from the lawn-chair crowd.
 
Vox will continue to be an OpenID provider until the end of September. Liz Brooking, the director of marketing for Vox-parent Six Apart, said users need to migrate before that date.
 
“After 9/30, if you've migrated your blog to TypePad, any OpenID requests to your blog will have authentication delegated to TypePad,” she said in an email. TypePad also functions as an OpenID provider.
 
For users that have migrated their blog to TypePad, Brooking said, Vox would use the delegation methods in the OpenID 1.1 and OpenID 2.0 specs. With those methods, the old Vox blog page returns four link relations: two that point to TypePad's OpenID server endpoint, and two that point to the address of the user's new blog on TypePad.
 
Here is how it will look:
  <link rel="openid.server" href="http://www.typepad.com/services/openid/server" />
  <link rel="openid2.provider" href="http://www.typepad.com/services/openid/server" />
  <link rel="openid.delegate" href="[new blog url]" />
  <link rel="openid2.local_id" href="[new blog url]" />
 
But there is a caveat, Brooking adds. “OpenID supports only one level of delegation.  So if you were previously delegating your personal domain's address to Vox for authentication, we recommend delegating your personal domain to another provider.”
 
What that means is Vox can delegate the IDs it has authority over, but if the user has delegated their own identifier's authority to Vox, then Vox cannot in turn delegate to TypePad on their behalf. One hop is fine, two hops are not.
 
So there are two courses of action to save users from a dreaded “log-in failed” message Oct. 1 and beyond.
 
To be clear here, Pam Dingle, my colleague and OpenID Foundation board member, points out that this is a federation issue and not just an OpenID issue. And that is a key point to remember.
 
The story here is not that Vox and its OpenID service is disappearing, but it points out the soft spots in the infrastructure and reminds users that there is a work-in-progress here.
 
Or as Dingle puts it, “it's just that OpenID is leading the vanguard on Consumer federation, and so the question seems new and scary.”

Here is what she wrote in the comments section of my last blog post, but it bears highlighting/repeating here:
 
“Any Relying Party needs to be able to address the issue of a non-responding Identity Provider.”
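The one-hop rule Brooking describes and the non-responding-provider problem Dingle raises are two sides of the same relying-party discovery logic. The following is an added example in Python, not code from Vox, Six Apart, TypePad or Ping: a minimal HTML-based OpenID discovery routine that reads the four link relations, prefers the OpenID 2.0 pair over the 1.1 pair, and passes the delegated identifier to the provider without re-discovering it (which is exactly why a personal domain that still points at Vox is not rescued by Vox's own delegation to TypePad). The TypePad endpoint is the one quoted in the post; the fetch function, the Vox endpoint and every alice.* URL are constructed stand-ins.

```python
"""Added example (not Vox/Six Apart/TypePad/Ping code): OpenID HTML discovery
with the single level of delegation the spec allows, plus the relying-party
check for a provider that no longer answers."""
from html.parser import HTMLParser

# Real endpoint quoted in the post; everything else in this file is made up.
TYPEPAD_OP = "http://www.typepad.com/services/openid/server"
VOX_OP = "http://vox.example/services/openid/server"  # constructed stand-in


class _LinkRelParser(HTMLParser):
    """Collect the first href seen for each token of a <link rel=...>."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for token in rel.split():
                self.links.setdefault(token.lower(), href)


def parse_openid_links(html):
    parser = _LinkRelParser()
    parser.feed(html)
    return parser.links


def discover(claimed_id, fetch):
    """HTML-based discovery: returns (op_endpoint, local_id) or None.

    OpenID 2.0 relations win over the 1.1 ones when both are present. The
    delegated local_id is handed to the provider as-is; the relying party
    never fetches it looking for a further delegation. That is the one-hop
    limit: only the page at the claimed identifier gets to delegate."""
    html = fetch(claimed_id)
    if html is None:
        return None
    links = parse_openid_links(html)
    if "openid2.provider" in links:
        return links["openid2.provider"], links.get("openid2.local_id", claimed_id)
    if "openid.server" in links:
        return links["openid.server"], links.get("openid.delegate", claimed_id)
    return None


def relying_party_login(claimed_id, fetch, provider_is_up):
    """Walk the relying-party side of a login and report why it failed, if it did."""
    found = discover(claimed_id, fetch)
    if found is None:
        return {"ok": False, "reason": "no OpenID discovery data at claimed identifier"}
    op_endpoint, local_id = found
    if not provider_is_up(op_endpoint):
        # The case Dingle describes: the RP must recognise a dead provider
        # rather than hang or report a generic "log-in failed".
        return {"ok": False, "reason": "provider unreachable",
                "op_endpoint": op_endpoint, "local_id": local_id}
    return {"ok": True, "op_endpoint": op_endpoint, "local_id": local_id}


# --- constructed fixture standing in for the web on Oct. 1 ---
PAGES = {
    # Alice's migrated Vox blog now carries the four relations from the post.
    "http://alice.vox.example/": """<html><head>
  <link rel="openid.server" href="%s" />
  <link rel="openid2.provider" href="%s" />
  <link rel="openid.delegate" href="http://alice.typepad.example/" />
  <link rel="openid2.local_id" href="http://alice.typepad.example/" />
</head></html>""" % (TYPEPAD_OP, TYPEPAD_OP),
    # Alice's personal domain still delegates to Vox: the two-hop case.
    "http://alice.example/": """<html><head>
  <link rel="openid2.provider" href="%s" />
  <link rel="openid2.local_id" href="http://alice.vox.example/" />
</head></html>""" % VOX_OP,
}
LIVE_ENDPOINTS = {TYPEPAD_OP}  # Vox's endpoint has gone dark


def fetch(url):
    return PAGES.get(url)


def provider_is_up(endpoint):
    return endpoint in LIVE_ENDPOINTS


def fixed_personal_domain():
    """Brooking's recommendation: re-point the personal domain straight at the new provider."""
    return """<html><head>
  <link rel="openid2.provider" href="%s" />
  <link rel="openid2.local_id" href="http://alice.typepad.example/" />
</head></html>""" % TYPEPAD_OP


if __name__ == "__main__":
    print(relying_party_login("http://alice.vox.example/", fetch, provider_is_up))
    print(relying_party_login("http://alice.example/", fetch, provider_is_up))
    repaired = dict(PAGES, **{"http://alice.example/": fixed_personal_domain()})
    print(relying_party_login("http://alice.example/", repaired.get, provider_is_up))
```

Run as a script, the first login (the migrated Vox blog as claimed identifier) succeeds against TypePad; the second (the personal domain) fails with "provider unreachable" even though the Vox page it delegates to now points at TypePad, because discovery stops after one hop; the third succeeds once the personal domain's own page names TypePad directly.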
 
The story I would like to hear now is from someone who performs the delegation and how it went.
 
Can your grandmother do it?
 
How easy is it to side-step this issue and is that side-step as easy as setting up your OpenID in the first place?
 
Tell us your story from the trenches.
 
 
Follow John on Twitter and check out our Identity-Conversation Tweet list
 
 

OpenID provider imploding, chaos coming?

September 3, 2010, John Fontana | Cloud

John Fontana

So if you're wondering what it looks like when an OpenID provider implodes, then pull up your lawn chairs on Sept. 30 when Six Apart officially shuts down VOX, a blogging site and an OpenID provider.

Yesterday, the service stopped taking new registrations. On the 15th, users won't be able to create new blog posts but can still sign in for maintenance on their account. And on the 30th, it all goes dark, including the OpenID of VOX users and presumably the authentication engine VOX OpenIDs rely on.

Big deal?

Sure, if you have associated your VOX OpenID with services that you regularly use and where you store data. If there is no one to validate that VOX OpenID, then you don't exist, and worse yet, you have no access rights to your stuff.

Here's the scenario that Ping's Pam Dingle, an OpenID Foundation board member, laid out for me.

It's Oct. 1, and you go to log into, say, LiveJournal with your VOX OpenID. LiveJournal cannot validate you as a user because the VOX service is no longer online. You get a log-in failed message.

Now you have no access to your account and you will have to go through some sort of help desk hell trying to validate you are who you say you are or you'll never see your data, photos, etc ever again.

While this event isn't likely to crush a huge number of users under its wheel, it does start to expose some of the issues around OpenID. Can they be solved? Perhaps. The simple solution may be that OpenID IDPs consolidate into a handful of providers such as Google, which doesn't appear to be going anywhere soon.

The VOX situation is the kind of scenario that has not yet been in the hype churn of OpenID, but is one that corporate users should be pondering in any evaluation of consumer ID technologies.

"This is the part of OpenID and consumer federation in general that is not as well standardized in terms of the concept of changing your ID or multiple IDs. There are probably places on the net without interfaces that allow you to make changes. Those will require help desk," she said.

The short-term solution? Break the link now between the services you use and your VOX OpenID.

Log on now to services where you use your VOX OpenID, authenticate yourself, disassociate your VOX OpenID from the service, and associate a new user name/password or an OpenID from another provider.

And, sorry, do it one off for every service associated with your VOX OpenID.

"It will be 100 times easier to do it now than at the end of the month," said Dingle. She says if people don't make the switch before the end of the month, then they will have to go the OpenID recovery route (if your service provider even has such a thing).

Hopefully there won't be much end user pain, but the important flashpoint may be igniting debate around how to deal with OpenID IDPs that disappear off the face of the Earth.

And the important result would be a long-term solution to such an inevitability. Maybe VOX's implosion will be the watershed event that forces end-users to congregate around providers with viable, long-term staying power.

What do you think?

 


 

 


Twitter OAuth: Keep your eye on the API

August 31, 2010, John Fontana | IdM, Cloud

John Fontana

So Twitter cut over to OAuth today and as far as I can tell the Earth is still spinning on its axis.

But it is a watershed event for the microblogging service, or in plain language: Twitter-based apps won’t store your password anymore.
 
I've said here before that OAuth's development bears watching as more services cut over to the emerging protocol, which will eventually intersect with current enterprise identity systems – mostly because API access to application components will demand it.
 
Here is how Twitter explains its OAuth moment to application developers:
“You, as the application developer:
  • don't have to worry about exposing the credentials for your users whether through a bug or other means (especially considering that a lot of people use the same password for multiple services);
  • don't have to worry about the user changing their password — a user can change his or her password and the OAuth "connection" to your app will still work;
  • don't have to worry about other applications masquerading as your application - only you can set the byline with your application name;
  • will eventually have access to more APIs from Twitter that will only be available to "trusted" OAuth-enabled applications; and
  • give the @twitterapi team more visibility into the network — you help us plan for capacity, and you help us squash spam and you help us identify bugs."
 
Twitter is on the right track, but not a pioneer. They are adopting version 1.0 and still working on support of version 2.0, which is a more secure version but won’t be finalized until the end of the year. But others such as Facebook and Gowalla are already using 2.0.
 
The bottom line here is securing the API. Why? Google and Facebook handle five billion API calls per day. Twitter handles three billion, which is 75% of all its traffic. And more than 50% of SalesForce.com’s traffic is via API.
 
APIs will help users integrate features or data from their SaaS apps with their on-premise systems.
 
Ping is working on OAuth support that our end-users are likely to see by the end of the year to help make such possibilities come true.
 
In addition, Ping’s principal engineer Brian Campbell is already working through the IETF on a bridge between SAML and OAuth 2.0 that will allow a specifically structured SAML token to be exchanged for OAuth.
 
From what I am hearing, some of what you should be thinking about in terms of OAuth is how systems manage it.
 
One expert I know told me that concerns may center on making sure the cryptography, negotiation, management of OAuth peer servers, the establishment/honoring/caching of tokens, etc. can be separated from the applications themselves, so it all can be centrally managed/logged/audited.
 
 
 
   

Came. Saw. Conquered.

August 25, 2010, John Fontana | Customers

John Fontana

One thing I love about technology is getting to talk to people who get dirty up to their elbows in the stuff. I enjoy writing about end-users because once warmed up they usually have some great stories and unique anecdotes to share.

Internally, we have been juicing our efforts to get more customer stories into the flow. So today’s post is as much highlighting one of those end-users – Australian telecom provider AAPT – as it is a kickoff to some customer case studies you’ll see pass through these virtual pages.
 
Specifically regarding AAPT, it is shooting for the cloud, literally, and aiming at being strongest out of the gate with a range of business services from authentication, to storage, to reselling Google Apps.
 
The company is cutting its services teeth on internal adoption of Google Apps and Gmail.
 
Internally, the company spent five days rolling out Google Apps to 1,200 user and is in the process of rolling out 1,700 Google Gmail inboxes. User access to those services is secured with a hosted Single Sign-On service run off Ping Connect, a hosted service from Ping Identity.
 
Last year, however, AAPT nearly hit a nasty and potentially embarrassing roadblock. As part of a partnership with Google, AAPT was set to record a television commercial detailing how they rolled out Google Apps and secured it via Single Sign-On.
 
The problem was the IT architects might have been the last to know, according to David Tarrant, AAPT IT architect and a consultant on the company’s cloud build-out and Google adoption. Ten days before the commercial, IT was informed of the SSO requirement and had to not only roll out software but pick a product.
 
Parent company Telecom New Zealand had an identity platform built on Sun Microsystems products, said Tarrant, but the estimated time to federate it with the Google platform was 2-3 months.
 
“So I found Ping and we had it done in 3-4 days,” he said. “As soon as I found Ping had a hosted service [PingConnect] that is what I wanted.”
 
But Tarrant acknowledges it was a means to an end. “We didn’t care about SSO, what is important is the same password. You don’t have to learn new passwords. And all of it falls under compliance.” And Tarrant says the Google/Ping strategy saves the IT department $252,000 per year.
 
Now Tarrant is eyeing the Salesforce.com users within the organization as the next project.
 
In parallel, the third-largest telecom provider in the country also is actively building out a commercial offering designed to provide virtual private clouds to customers. The company plans to ramp up services like desktops, applications and email. Tarrant says that should be in full swing in the next 18 months to two years.
 
AAPT owns and operates its own national voice and data network. It provides residential, business, government and wholesale customers with local and long distance voice, mobile, data and internet solutions.
 
 “We don’t want to build our own authentication service we want to use somebody else’s, we don’t want to build our own Google services we want to use somebody else’s, we don’t want to build storage services we want to use somebody else’s,” said Tarrant. “We want to build relationships with cloud providers all over the world.”
 
And how is the cloud services build-out going?
 
In May, Paul Broad, CEO of AAPT made a presentation at the company’s investor briefing day and singled out content delivery and cloud computing as areas targeted to grow, highlighted Q3 as the launch of Google Apps for business users, and named Specialty Fashion Group, Rio Tinto, Austar and WPP Holdings as key new customers.
 
 
 
 

Got trust?

August 24, 2010, John Fontana | Cloud, Internet

John Fontana

This morning I got a reminder why trust is such an important part of the identity architecture that is being constructed as corporations begin to understand concepts from federation to cloud computing.

In fact, why trust is an indispensable tool for any architecture, organization or society.
 
Here in Denver, the city’s safety manager Ron Perea resigned last night after being engulfed in a controversy over the discipline he handed police officers involved in abuse cases involving citizens.
 
Perea told his boss, Mayor John Hickenlooper, that he didn’t think he could rebuild trust with the public after his decision not to fire two police officers caught on video tape beating a young man.
 
"Once he put it in that context, it was hard to argue with," Hickenlooper told the Denver Post. "It would be very difficult to rebuild after all the events of the last four or five days. It would be very hard to rebuild that trust."
 
Three months on the job and Perea, the former head of the Los Angeles office of the U.S. Secret Service, knew that a public that distrusted him made impossible his job of ensuring safety.
 
Without trust, all is lost.
 
The same is true whether you’re protecting the streets of a city or the virtual pipes of a global distributed network.
 
PayPal’s Andrew Nash described to me a few months ago how a collection of trust brokers on the Internet were needed to create any sort of relevant connections online. In other words, without trust between parties, between machines, nothing of significance gets done.
 
A few days ago, a panel of experts on a Webinar on Federal News Radio concluded that trust was indeed the next killer app. They talked about integrity, policies, transparency and just the plain fact that people will need a system that allows them to trust other people.
 
At Ping’s recent Cloud Identity Summit, Accenture’s Mike Neuenschwander told the audience, "If we are going to have an environment of any-to-any and not repave existing partnerships, the industry has to develop a systematic approach to trust."
 
Trust frameworks were a foundational element of the Obama administration’s recent National Strategy for Trusted Identities in Cyberspace (NSTIC).
 
Get yourself plugged into the work of groups like Kantara, InCommon and the Open Identity Exchange (OIX), which was approved by the federal government in early March to certify online identity management providers.
 
Trust me, watch this space.
 
 
 
 

Provisioning searching for door out of no man's land

August 24, 2010, John Fontana | Cloud

John Fontana

Standards-based provisioning, which is lining up to be the next major evolution of cloud computing, is facing some significant gyrations in the near future.

Major players staking major bets on the cloud want to see something get done given that SPML 2 has not garnered any takers. Cloud providers need a standard specification that speaks squarely to their particular use cases.

Large enterprises need reliable, standards-based tools for deploying users in mass to cloud applications in order to preserve cost and agility benefits.

Will the solution eventually be an evolution of SPML (the OASIS Provisioning Services Technical Committee is going again after a near-death experience), or will something different come to pass?
 
Those with provisioning on their minds met in July at the Burton Catalyst Conference as part of a special interest group (SIG). Burton analyst Mark Diodati was tasked with writing up a statement for the group, which he published a few days ago on his blog.
 
The conclusion is that work should revert to the basics, Diodati wrote. “The next iteration of SPML should focus on solving ‘the connector problem’ and provisioning use cases for cloud-based applications.”
 
Diodati said 11 of the 12 participants, which are listed on his blog, agreed that a standards-based provisioning protocol is needed, and that it is best to evolve the SPML standard rather than introduce a new one.
 
Prateek Mishra, product manager for Oracle identity management and a major contributor to the SAML specification, said on the OASIS TC mailing list that Oracle is opposed to a new version of SPML. “This is a very large effort and typically takes 3-4 calendar years and dozens of person years to complete.” Oracle would like to evolve SPML and focus on specific use cases that are “important to the community.”
 
But Diodati noted that one SIG participant, Chuck Mortimore from Salesforce.com, had still not made a decision one way or the other.
Mortimore is not alone. His stance aligns with some of what I heard at Catalyst. 
 
Some of the big cloud vendors are not yet convinced that SPML can meet their requirements. One vendor told me that there is also concern that SPML comes with a lot of baggage.
 
But there is agreement that provisioning is a sore spot for cloud providers who need an answer to customer questions about on-boarding users in an efficient and relatively painless manner. SPML 2 failed at passing the acid test on those requirements.
 
Does a provisioning standard need to be hashed out among an independent group of motivated participants who can set a framework and then move it into a more formalized standards body for critique and refinement?
 
That is how it worked with many of the early SOA standards that Microsoft and IBM developed. Not all survived scrutiny, but many are still around today after going through the wash at standards bodies.
 
The notion of an independent group framing a provisioning specification is a 180-degree turn from the path SPML has taken. The specification was incubated at OASIS.
 
In May, Richard Sand, CEO for Skyworth TTG and the co-chair of the revised OASIS Provisioning Services TC, told me his goal for a “SPML 3.0” would be to ignore compatibility with 2.0 and adopt only “building blocks” from the existing work.
 
He said he would like to simplify some of the use cases and add some higher level ones. In addition, he favors REST over SOAP.
 
But what he needs is support for a majority of the major cloud vendors – including Microsoft, Google and Amazon. None of those companies were part of the Catalyst meeting nor are they currently part of the OASIS TC.
 
Consensus and forward progress needs to come quickly, however.
 
As one vendor told me, “We can’t defer this problem any longer.”
 
Where do you stand? Should SPML be revived and revised? Or should something new be created that might better align with the rise of cloud computing?
 
 
 
 
 

Intel dresses up for cloud security play

August 19, 2010, John Fontana | Cloud

John Fontana

Look who’s looking at security in the cloud (and everywhere else).

Intel today said it intends to acquire McAfee for $7.68 billion, a move that clearly signals that Intel sees security as a platform and not a product set that amounts to sticking fingers in the ever-expanding levee that is the cloud.
 
Intel’s purchase price was a 60% premium on McAfee’s stock price just before the deal was announced. That pretty much defines a big bet, as does the fact that it was Intel's largest acquisition ever.
 
There are a lot of strategies and directions hanging off this acquisition, but the secure cloud angle is clearly a major factor. And that includes not only security services, but client-based security as both Intel and McAfee were playing up the mobile implications of their union.
 
Late last year, ABI Research pegged cloud as the disruptive force in the mobile market and said the cloud would become the dominant way in which mobile applications operate.
 
In May, I cited a definition by Christofer Hoff, director of cloud and virtualization for Cisco, who said cloud security has three flavors – in the cloud (infrastructure), for the cloud (securing other services) and by the cloud (used by providers).
 
Can Intel cover all three?
 
Gigaom reporter Mathew Ingram said in his story today: “The McAfee acquisition could allow Intel to offer a way to securely tunnel between client devices and servers in the cloud, with security on a mobile chip as well as on the server side. There’s also McAfee’s software and services business to tap into.”
 
I would only add that eventually Intel has to streamline a standards-based identity piece (authentication/authorization) into the puzzle in order to balance a protect-the-perimeter mentality.
 
Back in 2005, Intel Research was busy working on something they called the Identity Capable Platform Vision, which was described as “a client-based approach to enabling flexible access to any device, network or service through a trusted environment that cooperates with and extends infrastructure-based solutions, including federated models.”
 
Not exactly sure how that all plays out, but the point is they have seen this ball coming for some time. (See the graphic below that frames Intel’s research).
 
McAfee has had its eye on the ball also, buying Trust Digital, a smartphone management and security software company, in March, and announcing earlier this year the McAfee Cloud Secure program, which gives cloud providers and SaaS vendors security testing, business practice review, compliance certification, and ongoing vulnerability evaluation.
 
McAfee said the program was the first step in a vision of securing the cloud ecosystem; now we get to see how it grows from within Intel. And how Intel will line up all the pieces and butt heads with competitors.
 
 
 
 

One blog's call to free AD

August 18, 2010, John Fontana | Cloud

John Fontana

My colleague Jil Backstrom mentioned the Prudent Cloud blog this afternoon, and with a name like that, I just had to check it out.

In the one post that most caught my scanning eye, blog author Subraya Mallya says Active Directory and BizTalk Server are Microsoft products that should be set free in the cloud.
 
I’m not certain what his definition of free is, but I know that Microsoft is thinking hard about bridging technologies between the enterprise and the cloud.
 
The Active Directory many companies know today likely won’t be “free” anytime soon. And likely won’t be going anywhere in the distant future either, unless your company enjoys watching 10 years of build out and IT investment swirl down the porcelain bowl in the office water closet.
 
Last November, Microsoft Identity Architect Kim Cameron showed me the first sketches of the next evolution of Active Directory, a clip-on that helps build a bridge between enterprise and the cloud. I wrote about what he described as a “directory federation” technology here.
 
And here is another article from the Microsoft Developer Network, and another from Kuppinger Cole, on Microsoft’s idea that incorporates a schema called System.Identity and provides a foundation for developers seeking access controls for their .Net applications in the cloud.
 
Microsoft is still in the early development stages, but the work is the beginning of the manifestation of Mallya’s declaration on AD.
 
The “directory,” which Microsoft does not want me to call Next Generation Active Directory, is a modular add-on to AD that is built on a database and designed to add querying capabilities and performance never before possible in a directory.
 
Individual instances of the “directory” can be tuned for specific applications, shielding the corporate directory from schema changes and traffic spikes.
 
While Microsoft is working hard on evolving its directory technology, don’t forget to think about where other tools will leverage this directory, and where support for other identity requirements and cross-platform obligations will fit.
 
There is a big picture here, and AD is only one piece and Microsoft just one vendor in a puzzle for access control and security in the cloud. Stay tuned.
 
 
 
 

Trust - the discussion continues. Part II

August 13, 2010, John Fontana | IdM, Ping Identity

John Fontana

Trust in the digital world is like banking’s five C’s for obtaining credit, according to Hilary Ward, head of managed identity services for Citi Global Transaction Services.

She was speaking Thursday as part of a panel on Federal News Radio trying to answer the question: Is Trust the Next Killer App?
 
For the record, the answer was yes; and the five C’s in banking, the industry where Ward makes her mark, are: character (integrity), capacity (sufficient cash flow to service the obligation), capital (net worth), collateral (assets to secure the debt) and conditions (of the borrower and overall economy).
 
“Trust is knowing who you are dealing with, knowing you can collaborate and knowing they are going to be responsive and have integrity in your interactions,” she said. “Now extend that across enterprise boundaries.”
 
In other words, it’s not an easy problem to solve, but it is one that must be solved, according to Ward and her panel colleagues, John Clippinger, founder and co-director of The Law Lab at Harvard University, and Jeff Voas, a computer scientist at the National Institute of Standards and Technology (NIST).
 
“Trust is not a static property,” says Voas. “It evolves over time. It has to be built into the principals, into online transactions. But what is trust today is not trust tomorrow.  It has to be part of the system. It is not something you glue on [after the fact].”
 
In essence, digital trust can be as fickle, and as fleeting, as it is in inter-personal relationships.
 
“Technology is just a layer,” says Ward. “It is the policies and the ability to have transparency to the rules.” That provides an expectation on how things will happen, which is then backed by a dispute resolution process. “The parties have to feel confident they can resolve issues,” Ward says.
[Photo: Michael Farber, Booz Allen Hamilton]

Moderator Michael Farber (right), a vice president with Booz Allen Hamilton's IT business, plied the trio with questions ranging from defining trust, to building standards, to understanding transparency, and to determining whether risk management and reputation can scale. (Clippinger and Ward say yes. Voas said he is still pondering.)
 
“One of the challenges I see is that if you believe in trust-as-a-service you have to be accountable to third-parties to enforce that trust,” said Clippinger. “To do that, you have to relinquish some sort of control. I think that is a huge obstacle for most companies.”
 
Gartner says that obstacle will take time to erode. The analyst firm predicts by next year “third-party providers will offer identity-proofing services and assume limited liability for individual identities.” And by 2013, “identity-proofing services will be used widely in industry segments with strong assurance requirements.”
 
Coming to grips with such risks throughout trust networks was a recurring theme.
 
“The Internet is the Wild West,” said Voas. “We have a grand challenge in taking the best practices out of [closed] communities and bringing them into [the Internet] community in terms of trust. The human factor is a big challenge. It is people trusting people.”
 
Clippinger said the Law Lab is very interested in reputation systems. “Reputation linked to authenticated identity is going to be very important.”
 
Ward said Citi thinks that it can use identity as “the underpinning of how things are done downstream.”
 
A big impact in all of this, according to the panel, is the emerging user-centric identity model, trust framework organizations like the Open Identity Exchange (OIX), and mobile platforms.
 
“We think mobile devices will be a key to gluing it together,” said Clippinger.
 
Ward said contract law will be a big part of trust. “Accountability will help build a fabric for the [trust] framework.”
 
In the end, the answer to the question “Is trust the next killer app?” was a resounding yes, but no one was discounting the number of variables that need to be considered before the killer is unleashed.
 
 
 
 

Zimbra saddles up to SAML

August 13, 2010, John Fontana | IdM, CTO

John Fontana

Zimbra has its own proprietary protocol for handling assertions about user identity that is called Preauth, but now it is publicizing a standards-based alternative: SAML.

Zimbra is in pre-production testing with a new Zimbra server extension option that will offer support for SAML tokens.
 
The company says it is getting more requests for integrating single sign-on so users can pull data from the Web-based Zimbra collaboration suite into corporate apps without having to re-authenticate.
 
We know the drill here at Ping and are happy Zimbra, which was purchased from Yahoo by VMware earlier this year, sees the value in SAML.
 
Vishal Mahaja wrote on the Zimbra blog that “Zimbra has a framework that could be employed to write a SAML server-extension that knows how to process SAML assertions, to enable SSO into Zimbra.”
 
Zimbra has a pretty impressive customer list including Century 21, H&R Block, Raytheon and Mozilla.org. In addition, as part of the sale to VMware, Yahoo will retain the right to use Zimbra tech in Yahoo Mail and Yahoo Calendar.
 
Mahaja has diagrams and examples in his blog showing how the Zimbra server acts as the SAML relying party.
 
And look for Zimbra to nail down SAML support in the near future, according to Mahaja. He published code showing how to support SAML assertions within Zimbra by writing a “SamlAuthProvider class” that extends “AuthProvider,” a Zimbra extension sub-class that knows how to process/validate Preauth.
 
The AuthProvider extension for SAML is not yet supported for production deployments, but it can be used for testing.
 
 