Identity and Access Management

First Phase Provisioning Access360 Business Layers Waveset BMC Web Access Control Oblix Netegrity Securant DASCOM Entegrity Password Management Courion M-Tech Meta-directory/Virtual Directory iPlanet Novell Siemens Zoomit OctectString RadiantLogic Second Phase web services, federation, SOA Trustgenix PingIdentity Sxip SOA Software Layer 7 Symlabs Third Phase activity in applications, information governance, identity in the network, and role / privilege analysis Eurikify Bridgestream Prodigen TIzor Consul Virsa Would be adding to the list when i get chance..

The feature list is Support for PDP Chaining Policy Combination algorithm Supported: DENY overrides ALLOW (permit overrides can be simulated by having a MasterPDP which will then controll the other PIP &PDP - Will need to specify sequence of the PDP & PIP Separately) Supports the concept of PIP which works as Interceptor (like PDP) but does not return decision. It instead returns data which can be used by PDP (More info needed on how) ID that will be authorized is extracted from the credential used by client to contact the service. A concept of Resource Owner is supported which can be extracted from "resource, service or container depending on availability in that order of precedence" Authorization Schemes supported self - Caller ID = Owner gridmap - Caller ID part of pre-defined list. This sheme also supports user ID mapping to local user id (how does that help or can be leveraged??) Identity - Caller ID = Specified ID Host - Called's Host ID = specified Host

Links Role Based Access Control IDManagement Problems and IDentity Management Objectives Globus Toolkit ( Summary ), DACS (to read) and Acegi (to read) for Access Control Web 2.0 Components Introduction to biometric device Active Directory Unix Integration IIW2005 Talks GSA Federal Identity Management Handbook covers User Registeration and Issuance Guideline(identity proof, card issuance), Physical Card requirements, Smart card specification, Implementation planning guidelines. Very basic introduction to PKI Enabled Email security Web Services Protocol specifications List VMWare 2005 World Presentation Open-source Identity Management Tools Identity Management project Basics Comparing EPAL and XACML - bottom line XACML is a super set of EPAL.

Another company in the "identity enabled network" space besides Identity Engines that I talked about earlier Moral of the story seems to be that Trusted Identity store (like LDAP) needs to be integrated with network Application access policy must include Identity & Roles Application Control beyond port. Nothing new here. Besides looking at the product itself nothing new on the authentication side (seems to be similar things that other network product would support). But at the same time there are wide variety of applications that are supported "out-of-box" though I am not sure what we are going to achieve by simple performing an allow or deny at the application level since that is as good as port level access! (nothing more finegrained). The field of identity enabled network seems to be the next step in the growth of the identity. It would be interesting to see what other companies are working on.

I think we really need to see how the identity is managed in real world and may be that can help us figuring out how it may work in digital world. So we would need a passport like mechanism, which would assert very basic information about the person across the international boundary and that is where I think we may concentrate at these international conference (any thing beyond that would be equivalent to boiling the ocean). Then we would need trusted bodies for various context. For example the international transactions would need banks working as intermediatery (as used for trade by companies across international boundaries) and then you may have technical bodies like medical bodies who may vouch for their members in transactions. So, I agree with the basic idea that there would be large number of bodies and also think that there would be multiple protocols that would be developed for and by each of community as they need to share this information. I think the idea of having a singl

What is a product like this going to buy me as a citizen of web? I can see their idea of a central repository of user reputation (something similar to Credit Reporting company). But all the big sites have their own repository and why would they want to share that. So, their basic approach would be to get the smaller websites to get to use this service. Now that is a big issue because why would most of these websites want to purchase a service they do not need. As soon as the customer pays via credit card, these people do not care about the reputation of the customer. So unless this system can help them Lets take the model from customer point of view. Most people would like to get tangible benifits out of this before they would be ready to aggregate their identity information in one place. This could be in form of discount in online stores. In addition to that the reputation needs to be integrated with a identity engine that can build a central repository of their profile (which

Good idea and summary of various type of information that is associated with the user i.e. Names Characteristics - Static and dynamic Relationships - I am not sure whether Relationship should be separate from the role. I am assuming that any relationship with always have the roles automatically defined for all the participant of the relationship either implicitly or explicitly. Roles - See the Relationship and that is why roles by them selves may not make sense. These have to be in a given context and the context being the relationship or community of which relationship is part of. Locations Experience - Experience would result in knowlege!! right? and so knowledge would be super set of experience and information that was gathered through experience of others (i.e. teaching, reading). Knowledge - Reputation What do you say?

So finally the company is out with the product. I have been hearing about this company for some time now. Any way seems like these guys are catering to the requirement of companies that want to control access to their network in much secured fashion. Most of these guys have need to perform the following functions Sequestering the machine hooked to the environment unless validated (so it may not even be able to get a IP via dhcp) the laptop would be checked for latest version of firewall, antivirus with the latest updates. The user would need to authenticate to ensure that it gets access to the network. (Not seen a lot though) if the user tries to access an application this access needs to be managed. Auditing all these events with additional information for monitoring and analysis. W.r.t. the third access requirement, I have seen most of the company already have something installed. For example web applications would have the Web SSO products. But most of the client server applicati

That is what tells me that we really need to develop a open source identity management interface for people to be able to do the basic User CRUD Password management (password reset) User data management and basic user provisioning to other products

Seems like the fine grained authorization is really heating up!! But let's wait and see what is Oracle's idea of the finegrained access control .

I see a lot of releases on the vendor installations. This is an attempt to capture them on single page. Mercer Human Resource Consulting - Trustgenix International Bancshares Corporation - Secured Services Inc Wendy's International Inc - M-Tech GM, GE, T-Mobile - Sun Identity Manager Toyota Financial Services , Principal Financial Group , Swedish Police - Thor technologies SunTrust - Courion

Seems like somebody else is also bothered by complete lack of discussion of Liberty/SAML in the Identity 2.0 world like me

I think most of the people will agree that the basic issue with the auto-form filling is storage and security of that storage. That is what makes the existing auto-fills a big no-no for "informed" users. So, till we have browsers that are developed with very good built-in data security through smartcard or encrypted USB support we can not go too far with the whole idea of identity storage on the client. The client till that time will continue to make a good pitstop that will allow the end-user to controll what is going from the IDP/Identity Provider to Service Provider.

There is an existing product that is built around the XRI. Besides that the basic issue of multi-identity and associated management w.r.t. End-user is something that the products and protocols have to manage.

This is one of the worst reason I have heard against the anonymizers. Now why do I have to make myself known to the whole world if I donot have faith that the website that I access do not have adequate resources or will to protect my identity as is apparent from the way the big companies have failed us. So these services will always fulfill a requirement in the world.