Microsoft’s revelation of its vision and plans for IDMaaS via WAAD has engendered a lot of discussion and reaction. In this week’s articles, you will find a piece by the perennial Microsoft tech-watcher, Mary-Jo Foley, dissecting WAAD. You will also find analysis by Craig Burton, Nishant Kaushik, Dave Kearns, and some more insights from Kim Cameron. This will surely not be the last of it, not least because Ping’s PingOne service is also an IDMaaS, so I expect you will be hearing from us.


  • Mary-Jo Foley: Microsoft finally goes public with Windows Azure Active Directory details
    “But Microsoft has decided now’s the time to talk WAAD, possibly as one stage setter for its June 7 announcement of new Windows Azure features and functionality. TechEd North America, which kicks off on June 11, also will be a venue for more WAAD information, as I noted in February. (After I blogged about the WAAD sessions on the TechEd docket, Microsoft pulled the listings from their TechEd site, but I still believe there will be more information on the topic there.)”
  • Craig Burton: Microsoft is Finally Being Relevant
    “Surprise surprise. For the last few years it looked as if the battling business units and power struggles within Microsoft had all but rendered the company incapable of doing anything innovative or relevant. But clearly something has happened to change this lack of leadership and apparent stumbling in the dark. Microsoft is not only doing something innovative — but profoundly innovative.”
  • Kim Cameron: Craig Burton on Microsoft’s Identity Management as a Service
    “But why quibble? Craig really gets what’s important. I like the fact that he takes the time to explain why Identity Management as a Service really is a big deal. I suspect part of what he is saying is that it dwarfs the incremental changes we have seen over the last few years because it will impact every mainstream technology.”
  • Nishant Kaushik: How Do Governance Controls Fit Into IDMaaS?
    “What I was surprised to find missing from Kim’s and Craig’s discussion about IDMaaS were the governance controls one needs in identity management (and therefore IDMaaS) – like approval workflows, access request and access recertification.”
  • Dave Kearns: CBAC to the rescue, once again
    “This is just Context-based Access Control (CBAC, sometimes called ABAC for Attribute-based Access Control) extended to the cloud environment.”
  • Craig Burton: Freedom of Choice ≠ Your Choice of Captor
    “Microsoft’s vision has changed the playing field. Any vendor building IDMaaS that is not meeting the Freedom of Choice requirements defined here is no longer in the game. That is profoundly innovative because this is truly a vision that benefits everyone — but mostly the customer.”
  • Kim Cameron: Identity management before the cloud (part one)
    “Since identity is a fundamental requirement of computing infrastructure, organizations have been involved in digital identity management for decades. Over the years, three models have emerged and co-existed. Of course I’m tempted to skip the history and jump headfirst into what’s new and fresh today. But I think it is important to begin by reviewing the earlier models so we can get crisp about how the IdMaaS model differs from what has gone before. (Some day people who want to skip the previous models will be able to click here.)”
  • The 2012 IAM Playbook – Part 2 of 3
    “In part 1 of this 3-part article, we described the scenarios and motivation for a new approach to IAM that is required for these days. Here we will start explaining what makes up that new playbook.”
  • CIS Series. Andrew Nash: Verified attribute exchange
    “Google’s Andrew Nash has a verified attribute exchange plan that he wants to unwrap at the Cloud Identity Summit. It involves interfaces, standards, user attributes, APIs and what has emerged as the trickiest ingredient - commitments. If all goes well, his presentation will serve as a starting point for an attribute exchange ecosystem.”
  • Paul Madsen: Redefining the application perimeter
    “TOA to mobile native applications is more complicated - at least if the native applications have pulled data from the server and stored it locally. If you were to draw a line around the 'application' then you would need to include the corner of the device where that application stored its data.”
  • Privacy, Please: This Is Only for the Two of Us
    “The secrecy was welcome. We weren’t cluttering up anyone else’s feeds on Twitter, and didn’t have to worry about random high school friends seeing and commenting on our exchanges on Facebook. In addition, there were gestures distinct to the app. It let us share information about our locations, and to exchange doodles, to-do lists and virtual nudges — all conveying that “I’m thinking about you.””
  • Corning announces ultra-slim flexible Willow Glass
    [Normally I do not report hardware innovations. However, in this case I think this announcement from the world’s leader in tablet screen glass is very important. This could usher in the age of touch surfaces being everywhere, not just on tablets: smart walls, furniture, and appliances.]
  • Ex-Google employee calls Google+ a ‘stupid Facebook clone’
    “Google’s social network Google+ has been the subject of numerous debates. Despite boasting a large user base, a recent study suggested the service is a ghost town and now a former Engineering Director at the Internet giant has chimed in, blasting the service and the company’s co-founder Larry Page. The former executive called Google’s products a means to an end and claimed the company was merely building tools to obtain as much personal information as possible about its users to better woo potential advertisers.”
  • Identity Woman: European Travel and Podcasts this Summer
    “I'm heading to Europe on Wednesday. The travel plans and events are below. One of the main reasons I am going is to connect with the peoples and communities in Europe working on identity, personal data. I want to come back with about 10 podcasts recorded with key people from the community that I meet along the way - these will be edited on my return and posted on the web publicly.”
  • Chris Zannelos: The IAM Gap - Part 2
    “But there is a gap here. A huge gap. Certification cycles are typically run in 3, 6 or 12-month intervals. Why? Because that’s when auditors check on it. And because business people will not tolerate a daily, weekly or maybe even a monthly access certification review. And during that time between the provisioning action and the periodic access review, there are powerful business, technical, and human forces pushing against that alignment.”
  • John Fontana: Your next boss might be a developer
    “Developers are finding themselves back in the spotlight as the shifting computing landscape clamors for their skills. Recently, I stepped outside my ID world to attend the Glue Conference and see what’s up.”
  • Doc Searls: The absent market for personal data
    “I was interviewed for a story recently. (It’s still in the mill.) In the correspondence that followed, the reporter asked me to clarify a statement: “that the idea of selling your data is nuts.” I didn’t remember exactly what I said, so I responded,”
  • Data as Currency & Dealmaker
    “The following is a perspective on 5 ways in which data is changing how we do business in 2012 and beyond.”


  • [Sample of June 5th] Windows Azure Access Control for Single Sign-On
    “Developed by Arwind Gao, this sample code demonstrates how to implement Access Control Service for your web role application.”
  • OpenID Connect Implicit Client Profile 1.0 - draft 00
    “OpenID Connect Implicit Client Profile is a profile of the OpenID Connect Standard 1.0 Specification that is designed to be easy to read and implement for basic web-based Relying Parties using the OAuth implicit grant type. OpenID Providers should consult the Standard specification. This profile omits implementation and security considerations for OpenID Providers.”
  • OpenID Connect SDK 1.0 for Java
    “Today we released OpenID Connect SDK for Java, to serve as a starting point for developing IdP servers and RP clients based on the protocol.”
  • JSLR
    “JSLR – derived from the term ASLR – is a way of randomizing certain tags and attributes so the attacker cannot inject malicious HTML without knowing the randomized token. It is easy to implement since any static/dynamic HTML can be rewritten with a special id that enables the element or attribute. The HTML itself is intercepted before it’s rendered by the browser using the plaintext element; the DOM is then used to create a safe copy of the HTML before adding the code back. This enables JSLR to check each attribute and tag and verify it wasn’t added by the attacker. I believe the following technique will ultimately be the death of XSS – requiring just a few refinements to be able to cover a wide range of attacks including DOMXSS and similar techniques.”



Valuable Identity

  • EDUCAUSE Comments: Financial Aid Fraud and Identity Verification
    “EDUCAUSE submitted comments last week in response to a U.S. Department of Education (ED) notice about ED’s intent to hold a negotiated rule-making process later this year on financial aid fraud in online/distance learning programs. We focused on the potential of InCommon and its joint effort with the Postsecondary Electronic Standards Council (PESC), a project called CommIT, to address the student identity verification concerns at the heart of the problem.”
  • US DOJ: Global Standards Council
    “In accordance with the founding principle of Global, the Global Standards Council (GSC) directly supports the broad scale exchange of pertinent justice and public safety information by promoting standards-based electronic information exchanges for the justice community as a whole. Specifically, the GSC develops, maintains and sustains the standards associated with these aforementioned information exchanges. To further foster community participation and re-use, the GSC also receives, evaluates, and recommends to Global for adoption, those proposed standards submitted by Global consumers and stakeholders.”
  • Keith Rabois: Why Square’s handcrafted approach to payments can win
    “I sat down with Square’s chief operating officer Keith Rabois to talk about where Square is now, where it’s headed and how it expects to compete as the competition closes in.”

TV Everywhere