Now who says that federated identity can’t be entertaining as well. On January 24th, Sun’s Daniel Raskin, who is involved in Sun’s OpenSSO project, poked a bit of fun at competitor Ping Identity by putting a short videoclip up on his blog which would help “explaining the differences” between Sun and Ping. It didn’t take long for Ping’s crew to respond in kind, promising an “epic battle” in their own video posted on Ping’s blog.

What I quite interesting about these little jabs carried out in good humour were the comments about “federation auto-connect” that Ping announced a few weeks ago in the latest version of PingFederate. The idea of this feature is to make federating between different entities easier by automating the exchange of meta-data. At Symlabs, the company I worked for previously, my then-colleague Sampo Kellomaki had developed the same feature about a year earlier, and had even mentioned it in his presentation at the first European Identity Congress last year. At that time, I must confess that I was unsure this feature’s value in most scenarios – apart from very specific low-risk “open” federations which were already being catered to by OpenID. Charts such as the one featured in this blog entry from Ping still raise a certain scepticism, but maybe that scepticism might prove to be wrong. I am certainly interested in exploring further the value proposition of auto-federation and will make sure to tickle some answers out of the participants in the federated identity track that I’m moderating at our next Conference in April.

As both Sun and Ping will be at the European Identity Conference 2008, we will try to set the stage for an epic battle to be carried out there! And to make it even more interesting, we’ll throw the other contenders into the foray as well!

On January 18^th, Yahoo announced support for OpenID 2.0. OpenID is an open framework for decentralized single-sign-on. It effectively allows user to register with one trust Identity Provider (IdP), and then sign in to any other OpenID-enabled site by just providing the details to the IdP where the user has established the account. For example, once Yahoo start with this service, I would be able to go to any web site that also supports OpenIDs, and tell that site that I am a Yahoo user. The site will then verify my credentials using Yahoo’s sign-on system – effectively meaning that once I have my Yahoo account, I will not need to remember many other usernames and passwords for other sites that support OpenID, but just be able to log in straight to them.

Sounds exciting, doesn’t it? Well, it’s certainly exciting news for the OpenID community. But what does this actually mean for the users and for the further advance of the technology? Before I dwell on the question, let’s look at the facts. Yahoo claims 248 million registered users. That’s about as big as it gets in terms of providing, and of course the OpenID scene is thrilled. On January 30^th, Yahoo will debut its first public beta version of the service. Yahoo has, interestingly, chosen to support only version 2.0, instead of offering support for the more established version 1.1.

So why support only version 2.0? Yahoo specifically points to security as the reason (OpenID 2.0 is more secure). This is most likely because of several oversights in the OpenID 1.1 specification that could be exploited for potential phishing attacks. Understandably, Yahoo does not want to be haunted by that. This is why Yahoo is promoting its “sign-on seal” for the OpenID service as well. A “sign-on seal” is a special piece of text or a small image that you can configure, which is displayed every time Yahoo asks you to sign in. This is done in order to prevent phishing attempts from rogue sites that pose as Yahoo branded login sites. Yahoo has introduced this feature in mid-2006, and actually done it in a very elegant and user-friendly way.

Rarely are grand announcements made without some kind of “gotcha” – just like in this case: Yahoo will start by allowing other site to consume Yahoo OpenIDs, but not the other way around – it will not accept OpenIDs from other providers (at least for the time being). This is actually quite a big deal. The big advantage of having an OpenID is that I don’t have to keep manage and remember passwords in the many other sites that I use. So if the “big boys” such as Yahoo, AOL and potentially even Google in the future, claim that they “support OpenIDs” but will only allow their IDs to be used in other places – not the other way around. Hence, it will not be possible yet to sign into Yahoo’s services using, for example, an AOL account.

AOL has been supporting OpenID for some time now, announcing support for providing OpenIDs to its users almost a year ago (similar to what Yahoo has now done, but with Version 1.1). Even though AOL stated that it would work “gradually” in order to accept OpenID identities from other entities as well, this progress has been very slow, and AOL has drawn criticism because of it. Yahoo on the other hand does not directly mention a planned support for accepting OpenIDs from other entities. In Yahoo’s press release, it’s all about adding 248 users to the OpenID “ecosystem”. Ominously, no reference for the other way around. Hopefully this will happen however, because otherwise Yahoo’s step, although in the right direction, is a one-handed one: let the drawbridge to the castle down, but only let people out, not in. Now that Yahoo is the biggest contributors of OpenIDs in the Internet, will it also be a leader? Or will other major players, such as Google, who is experimenting with OpenID already through its blogs, or even AOL, make the first step in also accepting OpenIDs? Not just myself will be watching carefully over the next months.

Hello World! I am excited to have joined Kuppinger + Cole, and my responsibilities will be around the technologies of directory services and identity federation. I would like to kick off my blog by writing about an acquisition that actually happened a week ago, when Nokia Siemens Networks announced that it will acquire Apertio, a Bristol, UK based vendor of telecommunications software. Now what does this have to do with identity management, or even with directories? Simple. Apertio specialises in a very specific type of directory server software. They have come up with a in-memory based, highly efficient and super-scalable directory server that supports LDAP as well as access through protocols used in the Telco space (SS7, IMS).

So what role do directory servers play in the Telco world? Mobile carriers for example, use something called an HLR (Home Location Registry) as the data store for operational subscriber data. A HLR is effectively like a very large directory server, or user database if you wish, that must be highly available (otherwise you might lose service), and highly scalable (able to support many thousands of operations per second, otherwise you, again, might not get the service at the time that you need it). Traditionally, HLRs were sold as “big black boxes” at a juicy prices to mobile operators. What Apertio has done was to very elegantly merge traditional directory server standards and technology with the telco world by writing a specialised directory server that would be accessible via LDAP, and traditional SS7-base telco protocols. Granted – their directory server was so much geared towards that particular use case that it was not sold (nor made much sense) as an enterprise directory. But what fascinated me about Apertio was that they pioneered in successfully marketing the fusion between a LDAP directory and Telco HLRs. At the same time, they were in a great position to also sell the successor technology, called HSS (Home Subscriber Server, part of the IP Multimedia Subsystem, or IMS – effectively the “next generation” in communications).

Apertio has made great inroads with that successful combination. How will technology evolve in the conversion zone between LDAP and HLR/HSSes? I for one, firmly believe that many directory servers are ready for “prime time” when it comes to the stringent demands of the telco industry. Some of the LDAP servers available today can support the thousands of operations required, have the resilience features, and some of them even support transactions. Now that Apertio, who sold their products based on a software solution turns into “boxed HLRs” and “boxes HSSes” with a Nokia Siemens label on them, there might be competition arising from a new company brave enough to add the missing piece to today’s directory server in order to turn them into the next generation telco equipment. I doubt that the traditional vendors will go directly into this – at the end of the day, companies such as Sun and IBM might not want to encroach on the telco equipment manufacturers with whom they have built successful symbiosis by offering competing products – but a third party might well jump into that space.

Very large directory server projects fuel some important developments at the major directory vendors and add scalability and new features that can, to an extent also benefit enterprises, and large service providers that need to store millions of customer entries. Multi-master replication, partitioning and transactional features are all examples of this – who knows if this technology would have been developed if not for one or the other very large directory project. It will be interesting to see who, if anyone, jumps on that bandwagon to offer the next software based HLR/HSS systems based on LDAP technology, and how this may affect directory server vendors in making their software better and faster.