Ping Talk Blog

Twitter OAuth: Keep your eye on the API

August 31, 2010, John Fontana | IdM, Cloud

John Fontana

So Twitter cut over to OAuth today and as far as I can tell the Earth is still spinning on its axis.

But it is a watershed event for the microblogging service or, in plain language: Twitter-based apps won’t store your password anymore.
 
I've said here before that OAuth's development bears watching as more services cut over to the emerging protocol, which will eventually intersect with current enterprise identity systems – mostly because API access to application components will demand it.
 
Here is how Twitter explains its OAuth moment to application developers:
“You, as the application developer:
  • don't have to worry about exposing the credentials for your users whether through a bug or other means (especially considering that a lot of people use the same password for multiple services);
  • don't have to worry about the user changing their password — a user can change his or her password and the OAuth "connection" to your app will still work;
  • don't have to worry about other applications masquerading as your application - only you can set the byline with your application name;
  • will eventually have access to more APIs from Twitter that will only be available to "trusted" OAuth-enabled applications; and
  • give the @twitterapi team more visibility into the network — you help us plan for capacity, and you help us squash spam and you help us identify bugs."
 
Twitter is on the right track, but not a pioneer. They are adopting version 1.0 and are still working on support for version 2.0, which is a more secure version but won’t be finalized until the end of the year. Others such as Facebook and Gowalla are already using 2.0.
 
The bottom line here is securing the API. Why? Google and Facebook handle five billion API calls per day. Twitter handles three billion, which is 75% of all its traffic. And more than 50% of SalesForce.com’s traffic is via API.
 
APIs will help users integrate features or data from their SaaS apps with their on-premise systems.
 
Ping is working on OAuth support that our end-users are likely to see by the end of the year to help make such possibilities come true.
 
In addition, Ping’s principal engineer Brian Campbell is already working through the IETF on a bridge between SAML and OAuth 2.0 that will allow a specifically structured SAML token to be exchanged for OAuth.
 
From what I am hearing, some of what you should be thinking about in terms of OAuth is how systems manage it.
 
One expert I know told me that concerns may center on making sure the cryptography, negotiation, management of OAuth peer servers, the establishment/honoring/caching of tokens, etc. can be separated from the applications themselves, so it all can be centrally managed/logged/audited.
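What the cut-over means in code, as an added example that is not part of the original post and not Twitter's or Ping's code: an OAuth 1.0 request signed with HMAC-SHA1 the way the app builds it, and the verification the service performs with the app's consumer secret and the user's token secret, so no password is stored or sent. The URL, keys, secrets and parameter values are constructed placeholders, and the replay window is an assumed local policy.

```python
"""OAuth 1.0 request signing and verification with HMAC-SHA1 (RFC 5849).

Added example for this post, not Twitter's or Ping's code. The app holds a
consumer key/secret that identifies the app and a per-user access token/secret
obtained through the OAuth dance; every API call is signed with those and the
service recomputes the signature, so no password is stored or sent, a password
change does not break the app, and another app cannot sign as this one. All
keys, secrets, URLs and parameter values are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Za-z0-9-._~ unencoded."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(url) & enc(sorted encoded k=v pairs)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def client_request(method, url, body, consumer_key, consumer_secret,
                   token, token_secret, nonce=None, timestamp=None):
    """What the app sends: body parameters plus the oauth_* parameters and signature."""
    params = dict(body)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


def server_verify(method, url, params, consumer_secrets, token_secrets,
                  seen_nonces, now=None, window=300):
    """Service side: look up both secrets by identifier, recompute the signature
    and compare in constant time. seen_nonces is the server's record of
    (consumer, timestamp, nonce) triples already accepted, so a captured request
    cannot be replayed; window is the accepted clock skew in seconds (an assumed
    local policy, not something the RFC fixes)."""
    now = int(time.time()) if now is None else now
    try:
        consumer_key = params["oauth_consumer_key"]
        consumer_secret = consumer_secrets[consumer_key]
        token_secret = token_secrets[params["oauth_token"]]
        timestamp = int(params["oauth_timestamp"])
        nonce = params["oauth_nonce"]
        presented = params["oauth_signature"]
    except (KeyError, ValueError):
        return False  # unknown app or token, or a malformed request
    if abs(now - timestamp) > window:
        return False  # stale or future-dated request
    if (consumer_key, timestamp, nonce) in seen_nonces:
        return False  # replay of an earlier signed request
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), str(presented).encode()):
        return False  # wrong secrets or tampered parameters
    seen_nonces.add((consumer_key, timestamp, nonce))
    return True


if __name__ == "__main__":
    url = "https://api.example.test/1/statuses/update.json"
    req = client_request("POST", url, {"status": "Hello world!"}, "app-key",
                         "app-secret", "user-token", "user-token-secret")
    accepted = server_verify("POST", url, req, {"app-key": "app-secret"},
                             {"user-token": "user-token-secret"}, set())
    print("signature verified:", accepted)
```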
 
 
Follow John on Twitter and check out our Identity-Conversation Tweet list
 
   

Trust - the discussion continues. Part II

August 13, 2010, John Fontana | IdM, Ping Identity


Trust in the digital world is like banking’s five C’s for obtaining credit, according to Hilary Ward, head of managed identity services for Citi Global Transaction Services.

She was speaking Thursday as part of a panel on Federal News Radio trying to answer the question: Is Trust the Next Killer App?
 
For the record, the answer was yes; and the five C’s in banking, the industry where Ward makes her mark, are: character (integrity), capacity (sufficient cash flow to service the obligation), capital (net worth), collateral (assets to secure the debt) and conditions (of the borrower and overall economy).
 
“Trust is knowing who you are dealing with, knowing you can collaborate and knowing they are going to be responsive and have integrity in your interactions,” she said. “Now extend that across enterprise boundaries.”
 
In other words, it’s not an easy problem to solve, but it is one that must be solved, according to Ward and her panel colleagues, John Clippinger, founder and co-director of The Law Lab at Harvard University, and Jeff Voas, a computer scientist at the National Institute of Standards and Technology (NIST).
 
“Trust is not a static property,” says Voas. “It evolves over time. It has to be built into the principals, into online transactions. But what is trust today is not trust tomorrow.  It has to be part of the system. It is not something you glue on [after the fact].”
 
In essence, digital trust can be as fickle, and as fleeting, as it is in inter-personal relationships.
 
“Technology is just a layer,” says Ward. “It is the policies and the ability to have transparency to the rules.” That provides an expectation on how things will happen, which is then backed by a dispute resolution process. “The parties have to feel confident they can resolve issues,” Ward says.
Moderator Michael Farber (right), a vice president with Booz Allen Hamilton's IT business, plied the trio with questions ranging from defining trust, to building standards, to understanding transparency, and to determining whether risk management and reputation can scale. (Clippinger and Ward say yes. Voas said he is still pondering.)
 
“One of the challenges I see is that if you believe in trust-as-a-service you have to be accountable to third-parties to enforce that trust,” said Clippinger. “To do that, you have to relinquish some sort of control. I think that is a huge obstacle for most companies.”
 
Gartner says that obstacle will take time to erode. The analyst firm predicts by next year “third-party providers will offer identity-proofing services and assume limited liability for individual identities.” And by 2013, “identity-proofing services will be used widely in industry segments with strong assurance requirements.”
 
Coming to grips with such risks throughout trust networks was a recurring theme.
 
“The Internet is the Wild West,” said Voas. “We have a grand challenge in taking the best practices out of [closed] communities and bringing them into [the Internet] community in terms of trust. The human factor is a big challenge. It is people trusting people.”
 
Clippinger said the Law Lab is very interested in reputation systems. “Reputation linked to authenticated identity is going to be very important.”
 
Ward said Citi thinks that it can use identity as “the underpinning of how things are done downstream.”
 
A big impact in all of this, according to the panel, is the emerging user-centric identity model, trust framework organizations like the Open Identity Exchange (OIX), and mobile platforms.
 
“We think mobile devices will be a key to gluing it together,” said Clippinger.
 
Ward said contract law will be a big part of trust. “Accountability will help build a fabric for the [trust] framework.”
 
In the end, the answer to the question “Is trust the next killer app?” was a resounding yes, but no one was discounting the number of variables that need to be considered before the killer is unleashed.
 
 
 
 

Zimbra saddles up to SAML

August 13, 2010, John Fontana | IdM, CTO


Zimbra has its own proprietary protocol for handling assertions about user identity that is called Preauth, but now it is publicizing a standards-based alternative: SAML.

Zimbra is in pre-production testing with a new Zimbra server extension option that will offer support for SAML tokens.
 
The company says it is getting more requests for integrating single sign-on so users can integrate into corporate apps data pulled from the Web-based Zimbra collaboration suite without having to re-authenticate.
 
We know the drill here at Ping and are happy Zimbra, which was purchased from Yahoo by VMware earlier this year, sees the value in SAML.
 
Vishal Mahaja wrote on the Zimbra blog that “Zimbra has a framework that could be employed to write a SAML server-extension that knows how to process SAML assertions, to enable SSO into Zimbra.”
 
Zimbra has a pretty impressive customer list including Century 21, H&R Block, Raytheon and Mozilla.org. In addition, as part of the sale to VMware, Yahoo will retain the right to use Zimbra tech in Yahoo Mail and Yahoo Calendar.
 
Mahaja has diagrams and examples in his blog showing how the Zimbra server acts as the SAML relying party.
 
And look for Zimbra to nail down SAML support in the near future, according to Mahaja. He published code showing how to support SAML assertions within Zimbra by writing a “SamlAuthProvider class” that extends “AuthProvider,” a Zimbra extension sub-class that knows how to process/validate Preauth.
 
The AuthProvider extension for SAML is not yet supported for production deployments, but it can be used for testing.
 
 
 
 

Trust - the discussion continues

August 10, 2010, John Fontana | IdM, Ping Identity


There is a lot of talk about trust these days. It was a pivotal topic at the recent Cloud Identity Summit (CIS) and the Burton Group Catalyst Conference.

Verisign’s Nico Popp, SafeNet’s Doron Cohen, Bitkoo’s Doron Grinsten, PayPal’s Andrew Nash and Accenture’s Mike Neuenschwander all took an angle on the topic at CIS.
 
And Burton put on an interop that highlighted the importance of trusted providers and trust frameworks, while the Open Identity Exchange announced at the conference it had formed the U.S. ICAM Trust Framework Working Group with the hope of extending its existing framework to Level-of-Assurance 2 and 3 statuses.
 
Now the discussion will continue on Thursday (8/12) when Federal News Radio broadcasts (listen here at 11am EST) a panel discussion examining the topic “Is Trust the Next Killer App?”
 
The panel includes John Henry Clippinger, founder and co-director of The Law Lab at Harvard University and author of "A Crowd of One: The Future of Individual Identity."  Clippinger last month took Facebook to task for violating the trust of its users. Clippinger also helped found and support Project Higgins, which is designed to give people more control over their personal identity, profile and social networking data.
 
Also on the panel is Jeff Voas, a computer scientist at the National Institute of Standards and Technology (NIST). He served as the IEEE Reliability Society President (2003-2005, 2009-2010), and serves as the IEEE Computer Society's Second VP (2010). Voas is IEEE Division VI's Director-Elect (2010).
 
The third panel member is Hilary Ward, who is head of managed identity services for Citi Global Transaction Services where she is responsible for creating a sustainable global identity business strategy. In 2008, Citi received from the Liberty Alliance (now Kantara) an IDDY Deployment Award for providing managed identity services that helped users utilize digital credentials and signature technologies in a comprehensive and legally binding way.
 
The Citi Managed Identity Services infrastructure spans the web (HTTP/HTTPS), web services (SAML, WS-Security, SOAP), PKI (Certificate Authorities, X.509, PKCS#7), strong authentication technologies (HSM, KSM), records management and entitlement management (XACML), identity platforms (RDBMS, LDAP), document formats (PDF, XML) and development platforms (.NET, Java).
 
 
 
 

IETF working on SAML, OAuth 2.0 bridge

August 5, 2010, John Fontana | IdM


Ping Identity principal engineer Brian Campbell last week submitted a draft specification to the Internet Engineering Task Force (IETF) for bridging between the SAML world and the IETF’s emerging OAuth 2.0 specification.

This is the type of advanced work I have been hinting at lately in this blog that Ping is doing internally and in the identity community to help define and support a future identity infrastructure that will stretch from consumer to enterprise.
 
The spec Campbell authored with Chuck Mortimore of Salesforce.com is titled “SAML 2.0 Bearer Assertion Profile for OAuth 2.0.”
 
Now that might be a techie title, but Campbell explains the value this way. “It allows enterprises to use their SAML investments – both the technical aspects and the trust relationships with partners – and leverage that into using the emerging standards.”
 
You can listen to him explain it in his own words on the Ping Identity TV web site.
 
The OAuth 2.0 specification, which is still working its way through the IETF, includes a place that allows for the exchange of an arbitrary token type for an OAuth token.
 
OAuth is a security protocol that enables users to grant third-party access to their web resources without sharing their passwords, according to an introduction to the spec printed on the hueniverse blog.
 
Campbell says the spec he has co-authored profiles the specific use of a SAML 2.0 bearer assertion in requesting an access token. So in essence, a specifically structured SAML token can be exchanged for OAuth.
 
“In some ways it is bridging the gap between more enterprise centric technologies and emerging social centric technologies,” says Campbell.
 
The full text of the specification is available on the IETF Web site.
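The exchange Campbell describes (and the SAML-for-OAuth bridge mentioned in the August 31 post above), as an added example that is not part of the original post and not Ping's or the draft authors' code. The draft later became RFC 7522, so the grant_type value and the token endpoint's assertion checks follow that RFC rather than the 2010 draft; XML-DSig verification is supplied by a caller-provided signature_ok function (an assumption, since it needs an XML security library), and the issuer, audience and subject values are constructed.

```python
"""SAML 2.0 bearer assertion as an OAuth 2.0 authorization grant (RFC 7522 rules).

Added example, not Ping's or the draft authors' code. The draft named in the post
became RFC 7522; the grant_type value and the token-endpoint checks below follow
that RFC. XML-DSig verification needs an XML security library, so the caller
supplies signature_ok(xml_text, issuer). Issuer, audience and subject are constructed.
"""
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET  # parse untrusted client input with defusedxml instead

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed assertion from an enterprise IdP; ds:Signature omitted (signature_ok stands in).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2010-08-05T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://as.example.test/token" NotOnOrAfter="2010-08-05T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-08-05T11:59:00Z" NotOnOrAfter="2010-08-05T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://as.example.test/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def build_token_request(assertion_xml):
    """Client side: the form body POSTed to the token endpoint (RFC 7522 section 2.1)."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return urlencode({"grant_type": GRANT_TYPE, "assertion": encoded})


def extract_assertion(form_body):
    """Server side: recover the assertion XML from the token request body."""
    fields = parse_qs(form_body, strict_parsing=True)
    if fields.get("grant_type") != [GRANT_TYPE]:
        raise ValueError("unsupported grant_type")
    raw = fields["assertion"][0]
    return base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)).decode()


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, token_endpoint, signature_ok, used_ids, now):
    """Token-endpoint checks before an access token is issued; returns the failures (empty
    means acceptable). used_ids records assertion IDs already redeemed, blocking replay."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Assertion"]
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")
    elif not signature_ok(xml_text, issuer):
        problems.append("signature did not verify against the issuer's key")
    audiences = root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if token_endpoint not in [a.text for a in audiences]:
        problems.append("token endpoint is not an intended audience")
    conditions = root.find("saml:Conditions", NS)
    if conditions is not None:
        if conditions.get("NotBefore") and now < _utc(conditions.get("NotBefore")):
            problems.append("assertion not yet valid")
        if conditions.get("NotOnOrAfter") and now >= _utc(conditions.get("NotOnOrAfter")):
            problems.append("assertion expired")
    if not root.findtext("saml:Subject/saml:NameID", namespaces=NS):
        problems.append("no subject NameID")
    confirmation = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = None if confirmation is None else confirmation.find("saml:SubjectConfirmationData", NS)
    if data is None or confirmation.get("Method") != BEARER:
        problems.append("no bearer SubjectConfirmation with SubjectConfirmationData")
    else:
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= _utc(expiry):
            problems.append("bearer confirmation missing NotOnOrAfter or expired")
        if data.get("Recipient") not in (None, token_endpoint):
            problems.append("Recipient does not match the token endpoint")
    if root.get("ID") in used_ids:
        problems.append("assertion ID already redeemed (replay)")
    if not problems:
        used_ids.add(root.get("ID"))
    return problems
```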
 
 
 
 
 

Evolution of federation

August 2, 2010, John Fontana | IdM, Ping Identity


Last week the industry got down to work on the evolution of federation.

Broad federations. B-to-C and G-to-C. Federations of federations to be exact.
 
The Burton Group hosted the first-ever open identity for business interop. It was a multi-provider, multi-protocol test that included multiple levels of assurance. The interop was built on profiles for SAML, OpenID and IMI (info.card) developed by the Identity, Credential and Access Management (ICAM) subcommittee of the U.S. CIO Council.
 
The goal is to enable the industry to build federations over a broad spectrum using government standards as a baseline. On display was interoperability among published ICAM profiles for OpenID and IMI (info.cards), and the soon-to-be-published ICAM SAML profile.
 
“The government is saying these are mature enough for government use,” said Drummond Reed, executive director of both the Open Identity Exchange (OIX) and the Information Card Foundation. “That is an important statement for how ready these are for large scale usage. And the government is also judging what level of assurance the technology and the protocols are ready for.”
 
From a high level, the goal is to certify identity providers to issue identities that grade out at varying levels of assurance for use in business-to-consumer and government-to-consumer interactions.
 
Today, Google, Yahoo, PayPal, Equifax and VeriSign are among certified identity providers (IDPs), but only at Level of Assurance (LOA) 1, which is defined as “little or no confidence in the asserted identity’s validity.”
 
But the type of infrastructure desired – trusted providers, graded assurance, policies and trust frameworks (such as the Open Identity Trust Framework Model shown below) – would open the floodgates for identity to be plugged in everywhere on the Internet with levels of assurance up to LOA 4 (very high confidence in the asserted identity’s validity).

The Trust Framework model
 
Yes, it would be a huge step forward. But not before some hard work gets done.
 
“The hard part is the business agreements between the (identity) providers and the relying parties (RP),” said Ian Glazer, an analyst with Gartner/Burton. “Making sure the pipes fit together; not hard at all.”
 
I have been hinting over the past months that Ping is already engineering support for emerging protocols, such as OpenID. Ping’s participation in the interop is evidence of how that work is progressing, and how those with SAML-based infrastructures will incorporate evolutions in identity.
 
Federations for business-to-business are being done today – Ping is one company making that possible – but the business-to-consumer space has unique challenges.
 
“Issues come up with aligning metadata and policies across large scale federations,” said Mike Jones, a board member of the OpenID Foundation and director of identity partnerships at Microsoft.
 
“Questions center on just getting metadata into a federation database, vetting that information and determining all the information needed has actually been captured,” says John Bradley, federation interoperability working group chairman at Kantara. “IDPs and RPs have to figure out how to dynamically configure with someone that they are not negotiating with out of band,” he says.
 
Attribute management is another huge consideration. “We still have lots of work to do on how to use and manage attributes in this trust environment. There are lots of voices screaming lots of options,” said Peter Alterman, senior advisor for strategic initiatives at the National Institutes of Health (NIH).
 
Another issue is the Secure Hash Algorithm (SHA): the government wants SHA-256, but most federation software implementations today still use SHA-1. It’s a relatively easy update for vendors to make, but end-user demand is not yet there, says Glazer. The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by NIST as a U.S. Federal Information Processing Standard.
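A check for the SHA-1 point above, added here and not part of the original post or any vendor's software: it reads the XML signature algorithm URIs out of a SAML document and flags the ones still based on SHA-1, which is where the SHA-256 update Glazer mentions would show up. The two assertions are constructed samples with the signature and digest values left as placeholders.

```python
"""Flag SHA-1 in the XML signatures of SAML messages or metadata.

Added example for the SHA-1 versus SHA-256 point above; not Ping's or any vendor's
code. It reads the XML-DSig SignatureMethod and DigestMethod algorithm URIs from a
SAML document and reports those still based on SHA-1, so a federation operator can
see which assertions or partners need the SHA-256 update. The two assertions are
constructed samples with the signature and digest values left as placeholders.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_ALGORITHMS = {
    DS + "sha1",                                          # DigestMethod
    DS + "rsa-sha1", DS + "dsa-sha1", DS + "hmac-sha1",   # SignatureMethod
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"


def signature_algorithms(xml_text):
    """(element name, Algorithm URI) for every SignatureMethod and DigestMethod found."""
    root = ET.fromstring(xml_text)
    found = []
    for name in ("SignatureMethod", "DigestMethod"):
        found += [(name, e.get("Algorithm", "")) for e in root.iter(f"{{{DS}}}{name}")]
    return found


def sha1_findings(xml_text):
    """The subset that is SHA-1 based: the standard URIs, plus any URI whose fragment
    ends in 'sha1' to catch vendor-specific identifiers."""
    return [(name, alg) for name, alg in signature_algorithms(xml_text)
            if alg in SHA1_ALGORITHMS or alg.lower().endswith("sha1")]


# Constructed SAML assertion signed the way most federation software did in 2010 (RSA-SHA1).
SAMPLE_SHA1 = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1" Version="2.0" IssueInstant="2010-08-02T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""

# The same assertion re-signed with the SHA-256 algorithms the government wants.
SAMPLE_SHA256 = (SAMPLE_SHA1.replace(DS + "rsa-sha1", RSA_SHA256)
                            .replace(DS + "sha1", SHA256))

if __name__ == "__main__":
    for label, doc in (("sha1 sample", SAMPLE_SHA1), ("sha256 sample", SAMPLE_SHA256)):
        print(label, sha1_findings(doc) or "no SHA-1 algorithms found")
```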
 
Last week at the Burton interop, a collection of thought leaders worked through the issues because they know big problems are the most fun to solve.
 
Ping’s Pam Dingle built a demo showing a user logging into a health-care site with an OpenID and then, via Ping Federate in the background, upgrading to a SAML-based token with a higher level of assurance to enroll in a clinical trial.
 
Microsoft showed a user with a PayPal ID signing up for a medical device trial using OpenID and WS-Federation behind the scenes.
 
The other participants included Azigo, Equifax, InCommon, PayPal, CA Technologies, CardGears, NIH and Ping.

In addition, OIX announced it formed the U.S. ICAM Trust Framework Working Group with the hope of extending its existing framework to LOA 2 and 3 statuses. According to OIX’s Reed, the biggest problem will be the business model. “How do you have a successful federal model with money flowing through it,” says Reed.
 
Ping CTO Patrick Harding said the interop was “where open identity standards meet levels of assurance in the real world.” Harding said what will develop out of this work is a grading system for IDPs so relying parties will know what levels of assurance IDPs support.
 
The expectation is that “this will be the equivalent of the certification practice statements on PKI from 15 years ago. This is the moral equivalent for federated SSO 15 years later.”
 
 
 

 


You there, on the grassy knoll

June 30, 2010, John Fontana | IdM, Internet

(Updated with link to CDT blog, June 30, 4:40 MDT)
So what’s going to hamstring the U.S. government’s National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls for an “Identity Ecosystem”?
 
Protocols? Infrastructure? Liability? Warring geeks heavily armed with ones and zeroes?
 
The early returns point to paranoia. Here are some of the comments I’ve culled so far from the NSTIC home page and some media websites.
 
“This is not for you, it's for Big Brother.”
 
“It is laughable that a totalitarian like Obama thinks that we won't notice that he's asking for access to every bank account and private email in the country.”
 
“Look at the Gulf Oil mess and then ask yourself, ‘Do I really want them messing with cyberspace?’”
 
“I should *also* mention that I suspect Microsoft is pushing this on you. Because trusted systems rely on secrets, they cannot be implemented in full form in open source software.”
 
And there was this comment supporting the use of multiple passwords that seems to ignore the fact that many people simply use the same one over and over (so long as they can remember it).
 
“30 passwords are more secure than one universal identity.”
 
What many are missing is that NSTIC is not about one password, but about a non-government infrastructure interconnected through various trusted parties and with the user in control of multiple credentials and identity attributes.
 
Not for a second do I think NSTIC is without issues (establishing/implementing a trust framework jumps out), but the government’s strategy seems to be tracking with what is going on in the private sector among technologists and vendors attempting to create an open identity system. In fact, many in the private sector had input into the NSTIC draft, which is open for public comment until July 19.
 
Remember, the Internet can trace its roots back to a government project.
 
Now I know anything emanating from any partisan government leadership is bound to attract conspiracy theorists and NSTIC is no exception.
 
Digital identity is a tough technology issue to solve and perhaps even tougher to understand for the non-techie, especially down there in the weeds.
 
But to me, NSTIC is an arrow pointing in the right direction, what do you think? (Conspiracy theorists need not apply.)
 
Heather West at the Center for Democracy and Technology argues that the government needs to incent industry and users to adopt digital ID, but laments the lack of discussion on how to create trust.
 


Register for the Cloud Identity Summit, July 20-22, 2010 at Colorado's Keystone Resort.
 
 

"Federation is more relevant than ever"

June 28, 2010, John Fontana | IdM

Ian Glazer, an identity guru for Burton Group/Gartner, is out with his review of Burton’s Euro Catalyst conference. As he summed up the relevant themes, one observation jumped out at me. 
 
“Federation is more relevant than ever.”
 
There is a lot of type and hype and conversation churning right now over open protocols and trust frameworks and an undulating identity landscape ripe with promise, but what is true is that users are laying foundations now and they need federated identity, which is being built with proven technologies such as SAML and WS-Trust.
 
Users are always willing to listen to progress and bleeding edge reports, but another of Glazer’s observations says volumes about where companies are in the identity cycle.
 
“Organizations are quite interested in a claims-based identity infrastructure but unsure when they can get there due to budget cycles and other realities of business.”
 
Instead of stealing any more of Ian’s thunder, I’ll just point you to his trip report.
 
 

 

Federation, one foot in the future not in the grave

June 22, 2010, John Fontana | IdM, Cloud, Internet

HP’s Marco Casassa Mont, a senior researcher in the company’s labs, wondered on his blog the other day if federated identity management is dead from an end-user/consumer perspective.
 
I would say there is mounting data and active trends that point in the opposite direction.
 
Mont concedes that organizations are using federation and SSO to cut costs, but I would argue they also are doing it because they see many other business benefits.
 
Furthermore, Mont wonders about adoption rates of federated identity management by web service providers.
 
I would point to early returns of a survey conducted by TechValidate (and funded by Ping Identity) that shows 61% of Ping’s SaaS partners see SSO requests from their customers rising moderately to dramatically this year. Hint: if you are providing a web-based service, you had better offer SSO and federated identity – today based on SAML and later on an integration of established and emerging protocols.
 
Here’s more. JanRain last week announced that a handful of media outlets, such as the L.A. Times, Better Homes and Garden and the Dallas Morning News, are adopting its OpenID engine. Not just for convenience, but to gain awareness of who their readers are given that their shrinking physical-world subscription lists have left media outlets nearly blind to their internet user base.
 
Ping for its part added an OpenID connector for Google Apps in March and broader OpenID support is coming later this year.
 
Some will classify this as hype, but I’m fairly certain Ping and JanRain are not developing Internet protocol support in a vacuum.
 
In addition, Gartner said last week identity management is the top priority in IT security spending. The firm’s conclusion was, “Identity management appears to be taking the lead as a top priority as businesses look to deploy some of the more advanced federated identity technologies both within the enterprise for single sign-on and as a way to potentially extend identity-based access control into cloud-computing environments.”
 
I would argue the trend has impact on the consumer side, as a cultural shift is underway among end-users – corporate or consumer – to clean up a world littered with passwords. And end-users exposed to the shift on the corporate side are going to crave it on the consumer side. A sort of techno-reverse from typical adoption trends.
 
But if you want to play purely on the consumer side, Google, with 25 million users on Google Apps, in March introduced Google Marketplace and declared itself an OpenID IDP, giving users SSO and federated identity with other SaaS providers. In May, Google stated its intentions to become a RP to help seed the market for such services.
 
Ping CEO Andre Durand likened the announcement to a starter’s pistol going off for the race to SSO and federated identity management.
 
Add to the mix NTT DoCoMo’s 65 million users with access to OpenID authentication, and the adoption of OpenID by Japan’s Ministry of Economy, Trade and Industry.
 
The list of OpenID supporters includes Facebook, Twitter, Yahoo!, LiveJournal, Blogger, flickr, Orange, mixi, WordPress and AOL. And OpenID providers include chi.mp, ClaimID, myID.net, myOpenID, Verisign Labs, and Your Internet ID (Yiid).
 
And don’t forget the emergence of OAuth 2.0, XACML and trust frameworks from the likes of Open Identity Exchange, Kantara and InCommon.
 
I checked in with Ping’s Pam Dingle, who is on the board of the OpenID Foundation, and her belief is that federated identity for consumers is just getting started, not dying out. “It’s a baby but will advance rapidly next year,” she said.
 
Others, like Microsoft, believe the same thing and plan to support open identity protocols in both consumer and business scenarios.
 
Dingle’s conclusion, however, is that federated identity won’t make a grand entrance like Charlie running down the street with his golden ticket to Willy Wonka’s Chocolate Factory, but will instead happen more like “coincidental federation.”
 
Consumers, dying to get to their messages, will log into an IDP such as Google and find that they no longer need a unique username and password when they visit their next favorite Web-based application, which just so happens to be a relying party.
 
The federation will happen where companies like Ping put it, in the plumbing where it belongs.
 


 


Gartner: ID management driven by federated ID tops IT's security priorities

June 11, 2010, John Fontana | IdM


If I could say it better than my former Network World colleague Ellen Messmer I would, but I can’t, so I’m just going to link to her story on Gartner’s survey that shows identity management projects rank first in the top priorities for IT's security spending.

The results of the survey come from interviews with IT professionals at 308 companies.
 
But let me highlight two paragraphs from Ellen's story:
 
“Identity management appears to be taking the lead as a top priority as businesses look to deploy some of the more advanced federated identity technologies both within the enterprise for single sign-on and as a way to potentially extend identity-based access control into cloud-computing environments.”
 
And this one:
 
“But in terms of firewalls as a priority, [Gartner] notes that there's a movement to install next-generation firewalls.”
 
On that last point, check this link to From Firewall to IdentityWall.
 


 

