Recently I have been meeting lots of people at conferences - customers, strangers, friends of Ping Identity, and various Identerati.  I have been presenting them my business card, telling them that I am the concierge of Ping.  I tell them that although we strive to be an open company and they probably already have contacts within the company, if they have any needs or problems and can’t figure out how to get it worked out, that they should contact me and I’ll run it down for them.  I usually get a smile, a thoughtful look, and then they pocket my card, hopefully for future use.

This is one the duties that Ping hired me for - to make sure that as we grow, that we never lose touch with the world around us.  We want to be the Nordstrom of software companies.   So I’ve been charged to be the person who is always available.  It’s a great job!

Contact me at my virtual desk in the lobby - on my mobile: +1(402)650-1979, by email: ssidner at pingidentity.com, or by Twitter: at tootallsid.

My final #cis2010 blog entry is about Kathi Becker, the wizard that organized the 2010 Cloud Identity Summit.  When Andre Durand, Ping Identity’s CEO, conceived of this 5 short months ago, he turned to his old friend, Kathi Becker, to make it happen.

Andre was one of the partners in the Digital ID World (DIDW) conferences, along with the founder, Phil Becker, Kathi’s husband.  When the first DIDW was getting organized, Kathi could see that they were really struggling.  So she offered her talents, pulled it off, and the rest is, as they say, history.

Kathi’s long-time day job is as a management consultant with PLB Ventures where she is a Managing Partner. For over 30 years she has provided management consulting and leadership education. She is an expert in developing educational programs that “cut through the noise and get to the meat of the matter” helping executives develop leadership capabilities to achieve goals they never thought possible. Her ability to craft and deliver thought-provoking programs always leads to well attended, critically acclaimed sessions with measurable long-lasting results.

Kathi’s clients include IBM, Microsoft, American Airlines, British Petroleum, U of Chicago Medical Center, Kaiser Permanente and Ford Motor Company.

The 2010 Cloud Identity Summit was by all accounts a huge success.  The partnership between Andre and Kathi is another example of the power of community to work together to achieve great things.  Next year should be even better as Andre, Kathi and team put their heads together to come up with the 2011 Cloud Identity Summit in Keystone.

When I saw Phil last week at the Summit, I told him that the secret in life for us guys was “marrying up”.  He laughed knowingly and nodded his head in agreement.

On the final day of the 2010 Cloud Identity Summit in Keystone I caught up with Michele Leroux Bustamante, the Chief Security Architect for BiTKOO.  Her colleague, Doron Grinstein, had presented their flagship product, Keystone, to the conference earlier in the day.  

When I asked her why she’d come to CIS, Michele said she had come to support the BiTKOO sales effort in their Solutions booth and because identity is one of her passions. She knew that she would get to see a lot of people she knew and meet new ones. “I’ve already seen the folks from Microsoft and we’re based on the Microsoft platform.  I knew I’d get to meet the Ping folks.  I’d hoped to meet some new folks who share this passion.  I’ve already gotten to have some great conversations about the challenges we all face.  As a group, we need to come together and agree on the issues we’re dealing with, so we can inter-operate better and have our products communicate better.”

Then I asked her what she’d gotten out of Thursday’s program.  Michele replied, “Well, I really liked John Shewchuk’s presentation.  First on all, he’s really fun to watch; secondly, he talked about a really long term vision, which I think somebody does need to do, just to get everyone thinking about the potential for claims, the potential for federation and identity management in general; and I loved that [Microsoft] shared a vision that I had already been thinking along the lines of, and that is that OAuth2 is a much simpler form of federation, that may have a chance of being vastly adopted than we’ve seen so far with some of the other protocols, like SAML, WS-Federation, and WS-Trust.  Not that they’re not great protocols - they are - but we have challenges with mobile devices and REST-based services and Silverlight and Ajax.  How do we get a unified view of authentication, authorization, and communication with identity?  This makes it very possible.”

On Wednesday, the second day of the Cloud Identity Summit 2010, I talked to Chuck Mortimore, the Product Management Director for Identity and Security, from Salesforce.com.  Chuck has a long history in the Interent identity community, and along with Eric Sachs from Google and Andrew Nash from PayPal who are also attending CIS 2010, he and Salesforce.com are major factors in the future of identity.

I asked Chuck why he came to the conference.  He laughed and reminded me that he was speaking Thursday afternoon.  But then he went on to say that this conference has allowed him to meet with some other like minded companies and to discuss collaborating on new initiatives. Chuck also likes to hear what customers have to say, so he appreciated the talks on Wednesday by some of the Ping Identity customers. He said that the Unconference in the afternoon was great, because after a general problem was stated, he could ask customers what that meant to them and whether they had any related problems. "For a product manager, this is great stuff!'

During the Tuesday workshops at the Cloud Identity Summit I had the pleasure of talking to John Dilley, Product Architect, Akamai Technologies.  If you've never heard of Akamai, you've still used them, probably everyday.  They are a key part of the Internet infrastructure, providing edge content and application servers worldwide to speed delivery or Web pages and applications.  If you watched the World Cup on your PC on espn3.com, you have Akamai to thank for making it possible for millions of people to watch simultaneously.  They also are experts at hosting applications for large corporations that need to get the app servers close to their users.

John has been with Akamai for over 10 years, joining right before they IPO'ed.  I listened, rapt, as he warmed to his subject and told me about some of the stuff they do and some of how they do it.

I asked John how he liked the morning session. John had attended Gunnar Peterson's and Chris Hoff's workshop on the security in the cloud.  He said it was great, covering a topics in risk management.  John said this is not his area of expertise and that he found the information really insightful.

I asked him why he came.  John said that he could see identity becoming more of a factor as they think of new ways to help speed the Internet.  He figured that the Cloud Identity Summit would be great way to start to learn about it and meet other people who were focused on the cloud.

At Ping Identity, we eat our own dog food and love it!

Several weeks ago, Ping took another step in our own corporate evolution into cloud computing by adopting Google Apps.  Like millions of other companies that have jumped on the Google App bandwagon, we did it for lowered cost and improved functionality - the mantra of cloud computing.   Google can run the whole system for us for not much more than the price of a server, let alone the costs of software, networking, backup, power, and staff time.  And the functionality of Gmail, Google Calendar, and various applications is impressive, obviously focused around search as the organizational paradigm and with lots of creature comforts.

But enough of a sales pitch for Google, already!  What is most interesting is our use of our own product, PingConnect, to allow single sign-on to these applications.

Since I'm kinda new to federated identity technology, I called Ping Identity's Chris Turra, PingConnect system admin and all-round identity ninja, to help me understand how it all works.  Chris was great help and even drew me a diagram using Adobe Connect while we were on the phone.  Ping Identity picked Chris up during our Sxip Access product acquisition in 2008 and is an example of the quality of people I get to work with!

Let's review the identity topology a little bit.  Ping uses an LDAP accessible identity manager, Microsoft's Active Directory in fact, that stores each user's ID and password.  Access to Google Apps is effectively from the Internet now for ALL our employees, whether they work in one of Ping's offices, from a home office, or at the beach.   We have a portal page hosted in our Google Sites; we have our mail in Gmail; our calendars in Google Calendar; and finally we are starting to create and share documents in Google Docs (love that easy sharing!).

When a Ping employee accesses any of these with their browser (PC, Mac, iPad, iPhone, Android, Linux, etc), Google Apps redirects the browser to our instance of PingConnect along with a SAML request.  PingConnect authenticates the user against AD and if successful, returns the browser back to Google Apps with a SAML response that indicates an authentication success.  Because this is signed with the private key associated with the public key in a certificate that we gave Google Apps during setup, it trusts the SAML assertions and lets the employee have access.

Subsequent accesses from other browser tabs or windows don't require the user to authenticate at all, because Google picks up its session that indicate that the user is already authenticated.

But, wait!, you say - what about rich clients, like the mail clients on phones that aren't browser based? Google doesn't have a mechanism of doing single sign-on with IMAP... do they?  Well, it depends what you mean by single sign-on.  If you mean not having to have passwords everywhere, then PingConnect has got you covered, because PingConnect can generate a unique, random password for a user, that they can use to setup the rich client.  The user doesn't have to invent the password or remember it.

Here's how it works: an employee goes to their Google account settings and selects Change Password.  Google Apps then redirects back to PingConnect with the browser.  PingConnect generates a random password, displays it to the user, and then invokes a Web Service API on Google to set the password for the user.  This request uses standard HTTPS and is authenticated using an administrator ID and password.  The user then enters their user ID and the displayed password value into their rich client and voila! they can connect.  This has many virtues: the user can change their password at any time; our admin doesn't have to go and set a password for each account in Google; and nobody knows the clear text value of the password except the user, because PingConnect doesn't store it for reuse and Google of course stores it as a salted hash, from which it can't be recovered.

The user experience is great - the employee signs in somewhere, once, for browser based apps, using their Ping Identity user ID and corporate password.  And for rich clients, they use their ID and a randomly generated password.

Alpo, look out!

(In case you're interested, the setup for SSO in Google Apps requires a certificate with the public verification key, and the URLs for login, logout, and password change, which is how the PingConnect (or PingFederate) password manager gets invoked.)

More information about Ping Connect

As I mentioned in a previous blog post, we are now offering a new page on our customer support portal, Ideas.

Ideas allows you to share ideas about how to use our products better, or how we might improve them.  Also ideas about the portal and other services are welcome here.  And in the unlikely event that you are not completely delighted with our products or services, this is your place to lodge a complaint.

Like Answers, each Idea can have replies.  So if you see an Idea that you want to comment on, it is easy to chime in.

Finally, you can vote once for each idea, either promoting it or demoting it.   The ideas with the most votes will float to the top, like cream rising on milk.  Speaking of which, each Quarter we will choose the best Idea and award the author with an iPad™ by Apple!!

Myself and other PingIdentians will be monitoring the ideas daily.   We may not respond to all of them, but be assured that we will pay attention to each and every one.

This is your chance to have a voice at Ping Identity and maybe win an iPad™.  After all, we're partners.

We are expanding the breadth of our customer community with new benefits for our paying support customers:

I achieved a long-time professional goal this week - I attended an Internet Identity Workshop - IIW 10.

I was not disappointed.

As the Community Evangelist for Ping Identity, I went to focus on the people who attended more than the mind-candy that the ideas represent.  Ping Identity has long participated in IIW and cares deeply about this community.

Technology filters out of human groups.  The IIW exactly demonstrates this.  I saw two key aspects to IIW - Open Space meetings and Kaliya Hamlin, the organizer.

IIW is based on the concepts of Open Space Technology.  The inventor of Open Space Technology, Harrison Owen, realized that when you get a bunch of experts in a field at a conference, the best ideas come out of the informal interactions outside the presentations.  So he decided to formalize those.  I have to say, I have always been a little suspicious of the touchy-feely sound of an Unconference.  Well, let me tell you, I was wrong - this is serious business, and is focused on Getting Stuff Done.  People come to IIW to learn, to think together, and spark ideas in each other.   The format is pretty simple.  At the beginning of the day, anybody that has a topic that they want to talk about writes it on a big note card, with lots of colored markers.  Then they all line up and one at a time, each person holds up their card, announces the title and what it means, and then goes to the agenda wall, selects a time slot in one of the five sessions and in one of the twenty or so meeting areas, and sticks their card under that session with a sticky note telling the meeting area.   Then the first session starts and everybody picks topics to participate in.

IIW is a shared effort of Kaliya Hamlin, Phil Windley and Doc Searls, but as the facilitator, Kaliya's personality and energy ignite the workshop.  A tough facilitator who can stifle with a word or a gesture anyone who blathers, she is also able to gently coax nervous and shy people.  A guru of user-centric identity herself, who opened the first day with a brilliant summary of Our Story To Date, she is very good at listening and encouraging other gurus to stand up and be heard.  The result is not chaos but true collaboration, and it is mesmerizing to watch Kaliya lead the parts where everyone is together.

Technologists are famously noted for suffering the semi-autism of Asperger's Syndrome, while nursing huge egos that let them conceive lofty goals and then obsessively work toward them.  At IIW, you can feel people working to manage their inhibitions and their egos, to share and to respect, while keeping that edgy impatience that means Stuff Will Get Done.

This IIW is the 10th in five years.   There were 240 people, which Kaliya said is about 60 more than ever before.  I was one of those noobs. And even though I was expected to respect the oldies (and you can be sure I did), I was encouraged to lend my voice to the conversation.

Meetings like IIW are another aspect of social media and social networking.  Like so many inversions caused by things like Web sites telling all about your company, and Twitter showing your thoughts, and blogging, LinkedIn, and Facebook making a permanent record of your ideas, professional career, and personal life, IIW fosters the co-opetition that allows technology to accelerate and grow strong.  If you want to be part of the conversation, you want to show up.   So you find folks from the Netherlands talking about a government fostered market in strong identity, Japanese talking about personal data stores based on telecom data, and lots of geeky women who have something to say and feel comfortable saying it.

Oh, and I couldn't help but sample some mind-candy: OAuth2, UMA, personal data stores, the Open Identity Exchange, PingPong, and Google's thoughts about OpenID.  It was geek heaven!

http://www.greatwhitesnark.com/2010/03/25/difference-between-nerd-dork-and-geek-explained-in-a-venn-diagram/