Please join me for my identity metasystem / Geneva Webinar!

31.10.2008 by Felix Gaehtgens

This has been an intense week at PDC 2008 – the first one ever for me. I’m sure it won’t be my last!

If you’ve followed our Kuppinger Cole news, you may have seen my article about Microsoft’s Geneva announcement. I was very excited about this announcement, because of the importance of the identity metasystem for the future. Microsoft is clearly putting its money where its mouth is and fully jumping onto the bandwagon of a fully interoperable, open claims-based identity metasystem. This is not just interesting if you run Microsoft software. This has a profound and positive impact on our industry as a whole.

I am holding a Webinar today (Friday morning in the Americas, afternoon in Europe, Middle East and Africa) to put all of this into what I think is the proper perspective, outlining why I think this is such a big deal, why this is relevant for you and how you can profit from this. You are all cordially invited!

http://www.kuppingercole.com/events/n40030

Federation and auto-provisioning

08.05.2008 by Felix Gaehtgens

Ping Identity recently announced the availability of Version 5.1 of Ping Federate in their blog. What caught my attention was that Ping has now also finally added a feature I (and others) call “auto-provisioning” or “federated provisioning”. In federated environments, when users from other entities visit your site and gain access to services, it is often necessary to store some local data about these users on your system. In very simple cases, this could be user profile data, such as the colour of the background, but there could be much more information that would need to be stored.

So does this mean that by deploying federated environments, you are getting back to the “silo problem” where you have fragments of identity data floating around? Does this mean that as a service provider you must now store identity information, and accounts, and deal with everything that comes with it – including compliance with complex intermingled laws and directives? Ugh!

Don’t panic. In most cases you don’t have to – this can usually be avoided through proper design of the federation scenario. So should you avoid storing any data about external users coming into your system from federated identity providers? Well, this would be nice, but is not always practical. So you often end up having to store something about a user that “arrives” at your site from elsewhere through a federation (or your support of user centric identities).

So here are my recommendations, in no particular order:

  • Create those “user entries” on the fly – when someone “flies into” your site for the first time through a trusted federated link or an OpenID sign-on, create the user entry then automatically – if it’s not already there. Why? Because the alternative would be setting up a synchronisation service, and you really want to avoid that unless you really, really, REALLY have to…
  • Avoid storing “personal” data. This will make you resilient against privacy regulations. OK, or at least not expose you any further to them as you already are :-)
  • In most cases, you already receive some data about the user together with the sign-on token. Try not to store a copy of that data, but instead just keep the data around for the lifetime of the current session. This might not always be practical or even possible. In that case, if you do store it, make sure you update the information when you receive changed data next time in the token.
  • Don’t turn the stored data into a “live account” by giving a user the option to store a local password, unless you really have a good reason to do so! (I am actually wondering what would be a good reason to do this and can’t think of any!) :-)

If you follow these recommendations, then you can rest assured that you are not creating user accounts. Instead, you are creating “profile entries”. These are not to be counted as “accounts” or “identities” when the auditors arrive, because the profile entries themselves don’t carry any entitlement per se – you are not authenticating user entries. You are instead just keeping track of, say, a user’s preferences. That is a completely different type of animal.
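As an added illustration of the four recommendations (this is example code, not anything from PingFederate or the original post), the service-provider-side handler below creates a “profile entry” on first arrival, keeps personal claims only in the session, refreshes persisted preferences from each new token, and gives the entry no password field at all. The assertion layout, the class names and the claim names are assumptions.

```python
"""Just-in-time "profile entry" provisioning from a federated sign-on.

Added example, not code from the original post. The assertion layout
(issuer, subject, claims) and the names ProfileStore, ProfileEntry,
SESSION_ONLY_CLAIMS and PERSISTED_CLAIMS are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Claims we treat as personal data: kept only for the lifetime of the
# session, never written to the profile store (recommendations 2 and 3).
SESSION_ONLY_CLAIMS = {"email", "givenName", "surname", "phone"}

# Claims we are willing to persist: preferences, not identity data.
PERSISTED_CLAIMS = {"locale", "timezone", "theme"}


@dataclass
class ProfileEntry:
    subject: str                 # opaque identifier asserted by the IdP
    issuer: str                  # which trusted IdP this entry belongs to
    prefs: Dict[str, str] = field(default_factory=dict)
    # Deliberately no password attribute: a profile entry is never a
    # "live account" that can be authenticated locally (recommendation 4).


class ProfileStore:
    """Minimal in-memory store keyed by (issuer, subject)."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], ProfileEntry] = {}

    def get(self, issuer: str, subject: str) -> Optional[ProfileEntry]:
        return self._entries.get((issuer, subject))

    def put(self, entry: ProfileEntry) -> None:
        self._entries[(entry.issuer, entry.subject)] = entry

    def count(self) -> int:
        return len(self._entries)


def on_federated_signin(store: ProfileStore, trusted_issuers: Set[str],
                        assertion: dict) -> Tuple[ProfileEntry, dict]:
    """Create or refresh a profile entry on the fly and build the session.

    Returns (entry, session); the session dict carries the transient
    personal claims. Raises PermissionError for an issuer outside the
    circle of trust, so nothing is ever provisioned for it.
    """
    issuer = assertion["issuer"]
    if issuer not in trusted_issuers:
        raise PermissionError(f"untrusted issuer {issuer!r}")
    subject = assertion["subject"]
    claims = assertion.get("claims", {})

    entry = store.get(issuer, subject)
    if entry is None:
        # First visit: create the entry now (recommendation 1) instead of
        # running a synchronisation service ahead of time.
        entry = ProfileEntry(subject=subject, issuer=issuer)
        store.put(entry)

    # Refresh persisted preferences from the token so stored data never
    # drifts behind what the IdP currently asserts (recommendation 3).
    for name in PERSISTED_CLAIMS:
        if name in claims:
            entry.prefs[name] = claims[name]

    # Personal data lives in the session only.
    session = {k: v for k, v in claims.items() if k in SESSION_ONLY_CLAIMS}
    session["subject"], session["issuer"] = subject, issuer
    return entry, session


# Constructed sample assertion, as a relying party might decode it.
SAMPLE_ASSERTION = {
    "issuer": "https://idp.example.org",
    "subject": "pairwise-7f3a",
    "claims": {"email": "alice@example.org", "locale": "de-DE"},
}
```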

Another good reason, especially for the first recommendation, is that you’ll be saving yourself a lot of maintenance if you provision “on the fly” as opposed to managing synchronisation links (including the headaches that come with them). Again, the world is not perfect, and you may find yourself with your back to the wall surrounded by synchronisation links that all cry for constant love and tending.

I could go on and on, but instead I’ll refer to the presentation “How to efficiently manage external identities” that my colleague Stefan Rohr and I held at EIC 2008. Hmm. Somehow I can’t find the link to it. I guess that’ll have to be added tomorrow.

Obviously these recommendations come from the use cases that I’ve seen or have even been personally involved in. I’d be really interested in YOUR use cases. Do you agree with my recommendations? Did I perhaps overlook anything, or am I just plainly wrong or “not applicable” in some scenarios? Please let me know by either commenting, or if you prefer, email me.

Survived EIC 2008!

01.05.2008 by Felix Gaehtgens

The European Identity Conference 2008 closed its doors last Friday, and for me it has been a fantastic event in all aspects. Obviously you should take my comments with a grain of salt as I am working for Kuppinger Cole and am therefore part of the organising team. However, I have never before attended a conference that combined such a breadth of topics, number and quality of speakers and depth. Many conferences are either at the “C*O level” or pure “geek conferences”. At the former, the geeks still intermingle since they are brought to the event to do exactly that, or to showcase their solutions. At the latter, it’s mostly tech-talk, pure and deep. EIC 2008 covered the whole range and therefore appealed to everyone as well as offering unique opportunities to learn more about the topics from other points of view.

The agenda was packed, and including BoFs (birds of a feather sessions) many days went straight from 7 in the morning to 7 in the evening. I was actually surprised that so many people showed up at 7 AM for the integrated breakfast + BoF sessions. And yes – unfortunately having many tracks going on in parallel can be frustrating for those who are interested in multiple topics at once. But I think the track organisation has been done pretty well after a lot of fine-tuning, and besides – we’d all love to meet for two weeks, but nobody in charge would sign off on the travel request! :-)

The identity federation track that I moderated was packed to the brim. Good to know – we definitely need a larger room for next time! Some people were standing, and we had to open the windows. Conor Cahill kicked off the track to give an overview of the technology within the area. He had a lot of ground to cover, and since the agenda was packed, I joked that he had agreed to speak faster in order to keep the presentation to 30 minutes. In fact that’s exactly what he did – finishing with still 5 minutes left for questions. He just emailed me his presentation and it will go online tomorrow to join all the other presentations already downloadable (those who attended the conference will have received the link). We followed with an experts panel discussing the current state of federation technology, where it’s likely to go, and where new technologies such as information cards will fit in. After that we had two user presentations: Anton Shmagin from the United Nations talked about building a unique multi-technology and multi-protocol federated circle of trust in three months and how the organisational, political and of course technical challenges were solved. After that, Brian Puhl spoke about Identity Federation tales from the trenches at Microsoft. Brian is a real barnstormer and his presentations are excellent, funny, insightful and offer many nuggets of information that you wouldn’t get anywhere else. He is in Microsoft’s IT department, and in charge of Microsoft’s internal Active Directory systems. He uses the term “dogfooding” to describe what he is often asked to do – use beta versions coming from development and put them to production use in such a large environment – and then put out the fires. I’m sure he has many of the developers’ mobile phone numbers on speed dial! After the user presentations we had a vendor panel, which gave everybody the chance to exchange jabs and score points, as well as explain their specific vision and value-add. And we could have gone on, but there were only three hours for the track – hardly enough to “cover it all”. Several presentations on federation were also to be found on some of the other tracks and workshops and were usually very well attended – an indicator of how important the topic is.

Conferences give a unique opportunity to meet up with peers, and for me this has been the perfect opportunity to network with users, customers, vendors and experts in the field. One of my personal highlights has been a 45 minute talk with Dave Kearns, Kim Cameron, Jackson Shaw and Dale Olds where we discussed the future “identity bus” concept that Microsoft’s Stuart Kwan introduced at the Directory Expert Conference in March. Following that announcement there’s been quite a bit of speculation about what such an “identity bus” might look like, and what it would replace. In my opinion, this “identity bus” would be the future foundation of identity management, like today’s directory services. Our discussion was videotaped, and our camera man Bernd almost broke down after carrying that heavy camera on his shoulder once the interview was over.

Photo: Dave, Kim, Jackson, Dale and Felix discuss the

Joerg also sent me out with Bernd the camera man to do several video interviews with some of the important players in the space. These interviews are currently being converted into streamable format and will be posted on this site “real soon now” (TM). Watch this space :-)

DEC 2008 – Day two

11.03.2008 by Felix Gaehtgens

TUESDAY, March 4th. Chicago, back to freezing temperatures.

Microsoft’s Stuart Kwan kicked off the second day with his keynote address where he spoke about an “identity bus”, where off-the-shelf applications can plug in for all their authentication and access control needs. It was exciting to hear this from Microsoft. The concept is actually not even that new – Phil Windley wrote about this in his book “Digital Identity”. But it’s great to see that Microsoft seems fully committed to (several selected) open standards (most of them likely to start with the letters W and S) and interoperability, and assuming that this stays that way, I agree with Stuart that “it does not seem as far off as you might think”. His vision is that claims, or “assertions” in SAML-speak, are the core of identity data within the bus that can be transformed into different formats depending on application needs. Somehow I had a quick excursion down memory lane during the end of the presentation to a place in time a few years ago when I was briefly involved in a project for a large service provider who had deployed two web application environments. One of them was called the “Microsoft Environment” and the other one was called the “Open Environment”. I remember that they had quite a challenge getting identity management to work across both environments at that time. So in future, that unnamed company will just have one “Open environment” that includes all the Microsoft web applications as well. :-)

Later on in the exhibition area I took a closer look at the latest virtual directory server product that had just been announced a day previously by a company called “Optimal IDM”. I was given a comprehensive tour by chief software architect Nada Dickerson who graciously let me monopolise her for an extended period (I couldn’t help it, coming from the virtual directory space, this really piqued my interest). Optimal IDM has deployed identity management solutions over several years and has run into the same types of issues over and over again, which led them to develop their virtual directory product. The product is specialised to handle three specific “modes”. The first mode is called “Union Mode” and aggregates unique entries from multiple containers into a virtual consolidated view. The other two modes are variants of this, and add join rules. Object Precedence Mode can be used to specify which back-end has precedence when the same object exists in multiple back-ends. Attribute Precedence Mode can additionally join attributes from the same object in multiple back-ends so that the returned object contains data from all objects of the same name. This is essentially the “shadow joiner” or “data augmentation” feature found in competing products. Optimal IDM has developed their virtual directory product entirely with .NET technology and believes this to be a competitive advantage over other virtual directories.
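To make the three modes concrete, here is an added toy implementation (my own reading of the description above, not Optimal IDM’s code) over two constructed back-ends. Back-end order in the list is assumed to express precedence, and the treatment of an object present in two back-ends under Union Mode (both copies returned, untagged by any join rule) is an assumption.

```python
"""Virtual-directory consolidation modes: Union, Object Precedence and
Attribute Precedence, as a toy over in-memory back-ends.

Added illustration, not the vendor's code. Entries are dicts with a 'name'
key plus attributes; the back-ends and their ordering are constructed.
"""
from typing import Dict, List

Entry = Dict[str, str]
Backend = List[Entry]

# Constructed back-ends; earlier in the list means higher precedence.
HR_DIRECTORY: Backend = [
    {"name": "alice", "mail": "alice@corp.example", "dept": "finance"},
    {"name": "bob", "mail": "bob@corp.example", "dept": "it"},
]
LEGACY_LDAP: Backend = [
    {"name": "alice", "mail": "a.old@legacy.example", "telephone": "+1-555-0100"},
    {"name": "carol", "mail": "carol@legacy.example"},
]


def union_mode(backends: List[Backend]) -> List[Entry]:
    """Consolidated view with no join rule: every entry from every back-end.

    An object that lives in two back-ends therefore appears twice; the
    '_source' index only records where each copy came from.
    """
    return [dict(entry, _source=str(i))
            for i, backend in enumerate(backends) for entry in backend]


def object_precedence_mode(backends: List[Backend]) -> Dict[str, Entry]:
    """One entry per name; the first back-end holding it wins whole-object."""
    view: Dict[str, Entry] = {}
    for backend in backends:
        for entry in backend:
            view.setdefault(entry["name"], dict(entry))
    return view


def attribute_precedence_mode(backends: List[Backend]) -> Dict[str, Entry]:
    """One entry per name, attributes joined across all copies.

    When two back-ends carry the same attribute, the earlier back-end's
    value wins; attributes only the later back-end knows are added on
    (the "shadow joiner" / "data augmentation" behaviour).
    """
    view: Dict[str, Entry] = {}
    for backend in backends:
        for entry in backend:
            target = view.setdefault(entry["name"], {})
            for attr, value in entry.items():
                target.setdefault(attr, value)
    return view


def lookup(view: Dict[str, Entry], name: str) -> Entry:
    """Resolve a name against a precedence-mode view (KeyError if absent)."""
    return view[name]
```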

Even before the conference, I had already earmarked the slot at 11 AM for Pamela Dingle’s presentation entitled “Hanging Out in the CardSpace Kitchen”. I hadn’t met Pamela before, but read some of her excellent material on the subject. It turned out exactly as I had hoped – an excellent, educational and lively presentation from *the* authority on CardSpace (apart from Microsoft’s Kim Cameron, of course). She also made the connection clear between Microsoft’s implementation, Project Bandit and Project Higgins. Microsoft’s Brian Puhl chimed in at the end to give an excellent scenario on how CardSpace can be used to work around some tricky legal issues in federated environments.

I remembered Dave Kearns mentioning in one of his posts from way back when that, when Pamela Dingle presented on CardSpace at one of the Digital ID World conferences, she had Microsoft employees clamoring to ask questions. Well, they didn’t this time, but I certainly did. I met Pamela again that night in Centrify’s hospitality suite at a virtual bowling tournament on a Wii. Both Pamela and I were new to the Wii and immediately noticed that it even offers its own variety of “InfoCards” in the way of avatars (pictures) of the participants that our host configured for us. :-)

Another highlight was the BoF (birds of a feather session) on ADFS that I attended. Stuart Kwan and Brian Puhl were there as well, and shared some interesting details on why we actually need to use claims and can’t just stick additional identity information in a Kerberos token instead (some applications would just choke on that), and threw around some ideas on how home realm discovery could be used in an environment where multiple federation protocols are used. Then suddenly we were all deep into CardSpace again. Stuart also offered a very interesting opinion on how internal security tokens might look in a hypothetical, futuristic Windows version. Unfortunately I had to run out because I had an appointment, but I think the BoF ran well over its allocated time – definitely another DEC highlight.

Against good judgement and to the bewilderment of my bowling buddies at the Centrify hospitality suite, I decided to forego the invitation to Oxford Computer Group’s party featuring a band called “Hairbanger’s Ball” and instead head off to early retirement for the day. In hindsight this was not the smartest thing to do, because it must have been a real blast, and on top of that the particular session in the morning that I wanted to attend was cancelled. Well, I’ll know better next time! :-)

Netpro DEC 2008: Sneak Preview of Microsoft ILM 2

03.03.2008 by Felix Gaehtgens

I am at Netpro’s Directory Expert Conference in Chicago this week, and very excited to be here! I’m keeping my eyes and ears wide open for the latest tech and trends around Microsoft AD and Identity Management, and also participating at an experts panel this afternoon. Knowing that DEC is an action-packed event, I came a day early, and it was well worth it. Sunday’s ramp-up to DEC 2008 was a pre-conference workshop on Microsoft Identity Lifecycle Manager (ILM) 2 beta, Certificate Lifecycle Manager (CLM), Active Directory Federation Services (ADFS) and Active Directory Rights Management Service (ADRMS). It was a hands-on lab experience given by David Lundell from the Oxford Computer Group, who did a brilliant job putting it together.

Microsoft’s vision is to have Directory Services in the centre of a comprehensive infrastructure that supports Identity Lifecycle Management, Strong Authentication, information protection and federation. Harnessing the tools presented in this workshop, one can see where this is going. Although some of the components (specifically ILM 2) are still in beta and not expected to be released until the “second half of 2008”, the picture may still be a bit rough and blurred, but one can see that it will be quite a beautiful one, once completed.

I was particularly impressed by Certificate Lifecycle Manager (CLM), an add-on to ILM that facilitates strong authentication, specifically in the area of smart cards. It seems that Microsoft has managed to add significant value to an area that is often notoriously difficult for many enterprises to implement. Starting with an abstraction layer to the underlying card’s hardware stack and going up to a comprehensive lifecycle implementation, CLM supports the full work-flow of the whole lifecycle of issuance, PIN reset, revocation and retirement. Self service is of course part of the offering and is streamlined for efficient and secure management from initial issuance to retirement and secure recycling. Just like the Dot Net Factory, Microsoft is harnessing the new Windows Workflow Foundation for all of its workflow management. For data flow, it uses its MIIS meta-directory technology.

Just before the session closed, Microsoft’s Bobby Gill gave us a “sneak peek” of some additional features of ILM 2 beta 3 “hot off the disk” that he had compiled a few hours earlier. It is obvious that many significant enhancements are still being made, and Microsoft is very actively involved with its beta partners to collect their feedback and make improvements before the official ILM 2 is released.

Back to keeping my eyes and ears open, and I shall be back soon with some more news from DEC 2008!

Auto-federation and the lighter side of federated identity

30.01.2008 by Felix Gaehtgens

Now who says that federated identity can’t be entertaining as well? On January 24th, Sun’s Daniel Raskin, who is involved in Sun’s OpenSSO project, poked a bit of fun at competitor Ping Identity by putting a short videoclip up on his blog which would help “explain the differences” between Sun and Ping. It didn’t take long for Ping’s crew to respond in kind, promising an “epic battle” in their own video posted on Ping’s blog.

What I found quite interesting about these little jabs carried out in good humour were the comments about “federation auto-connect” that Ping announced a few weeks ago in the latest version of PingFederate. The idea of this feature is to make federating between different entities easier by automating the exchange of meta-data. At Symlabs, the company I worked for previously, my then-colleague Sampo Kellomaki had developed the same feature about a year earlier, and had even mentioned it in his presentation at the first European Identity Congress last year. At that time, I must confess that I was unsure of this feature’s value in most scenarios – apart from very specific low-risk “open” federations which were already being catered to by OpenID. Charts such as the one featured in this blog entry from Ping still raise a certain scepticism, but maybe that scepticism might prove to be wrong. I am certainly interested in exploring further the value proposition of auto-federation and will make sure to tickle some answers out of the participants in the federated identity track that I’m moderating at our next Conference in April.

As both Sun and Ping will be at the European Identity Conference 2008, we will try to set the stage for an epic battle to be carried out there! And to make it even more interesting, we’ll throw the other contenders into the fray as well!

Yahoo to support OpenID 2.0

21.01.2008 by Felix Gaehtgens

On January 18th, Yahoo announced support for OpenID 2.0. OpenID is an open framework for decentralized single sign-on. It effectively allows users to register with one trusted Identity Provider (IdP), and then sign in to any other OpenID-enabled site by just providing the details of the IdP where the user has established the account. For example, once Yahoo starts with this service, I would be able to go to any web site that also supports OpenIDs, and tell that site that I am a Yahoo user. The site will then verify my credentials using Yahoo’s sign-on system – effectively meaning that once I have my Yahoo account, I will not need to remember many other usernames and passwords for other sites that support OpenID, but will just be able to log in straight to them.

Sounds exciting, doesn’t it? Well, it’s certainly exciting news for the OpenID community. But what does this actually mean for the users and for the further advance of the technology? Before I dwell on the question, let’s look at the facts. Yahoo claims 248 million registered users. That’s about as big as it gets in terms of OpenID providers, and of course the OpenID scene is thrilled. On January 30th, Yahoo will debut its first public beta version of the service. Yahoo has, interestingly, chosen to support only version 2.0, instead of offering support for the more established version 1.1.

So why support only version 2.0? Yahoo specifically points to security as the reason (OpenID 2.0 is more secure). This is most likely because of several oversights in the OpenID 1.1 specification that could be exploited for potential phishing attacks. Understandably, Yahoo does not want to be haunted by that. This is why Yahoo is promoting its “sign-on seal” for the OpenID service as well. A “sign-on seal” is a special piece of text or a small image that you can configure, which is displayed every time Yahoo asks you to sign in. This is done in order to prevent phishing attempts from rogue sites that pose as Yahoo branded login sites. Yahoo introduced this feature in mid-2006, and actually did it in a very elegant and user-friendly way.

Rarely are grand announcements made without some kind of “gotcha” – just like in this case: Yahoo will start by allowing other sites to consume Yahoo OpenIDs, but not the other way around – it will not accept OpenIDs from other providers (at least for the time being). This is actually quite a big deal. The big advantage of having an OpenID is that I don’t have to keep managing and remembering passwords for the many other sites that I use. So the “big boys” such as Yahoo, AOL and potentially even Google in the future may claim that they “support OpenIDs”, but will only allow their IDs to be used in other places – not the other way around. Hence, it will not be possible yet to sign into Yahoo’s services using, for example, an AOL account.

AOL has been supporting OpenID for some time now, announcing support for providing OpenIDs to its users almost a year ago (similar to what Yahoo has now done, but with Version 1.1). Even though AOL stated that it would work “gradually” in order to accept OpenID identities from other entities as well, this progress has been very slow, and AOL has drawn criticism because of it. Yahoo on the other hand does not directly mention planned support for accepting OpenIDs from other entities. In Yahoo’s press release, it’s all about adding 248 million users to the OpenID “ecosystem”. Ominously, there is no reference to the other way around. Hopefully this will happen however, because otherwise Yahoo’s step, although in the right direction, is a one-handed one: let the drawbridge to the castle down, but only let people out, not in. Now that Yahoo is the biggest contributor of OpenIDs on the Internet, will it also be a leader? Or will other major players, such as Google, who is experimenting with OpenID already through its blogs, or even AOL, make the first step in also accepting OpenIDs? I will not be the only one watching carefully over the next months.


© 2010 Felix Gaehtgens, Kuppinger Cole + Partner