Tuesday, December 20, 2005

The toe nails of Identity Elephant

Over time I have learned that defining things is not my strength, and I have also come to understand that most of us in the Identity and Access space can get through most of our professional lives without industry-standard definitions. At the same time, I like to keep a glossary handy, which I attach to every project document and let change as the client tries to make sense of their environment.
After reading Dave Kearns's and Scott Lemon's thoughts, I was again reminded of the identity elephant that seems to be in the room and of how people are trying to find it. In that context I found that these two people are so close in their definitions, as I understood them, that I had to write about it. The idea in Scott's case is that identity is "same as", while for Dave it is "identifying" (which for him somehow always leads to DNA, twins, etc.; anyway, that may be something for another blog post). Now, in the case of an identification system, identification means that the system needs to have information about the entity that it wants to "identify". So, for the system, the process of "identification" means that the representation of the "identity" in the system's memory is "same as" the representation of the entity that the system has received from the entity (through the authentication information, i.e. the identifiable attributes). With regard to the other part of Scott's article, about the existence of an "observer", that ties in well with Dave's idea of "identify": in order to get the "identifiable attribute" into the memory of the system, someone has to "observe" the entity and register its identifiable attributes, and so this is an action that takes place before the identifiable attribute can be stored in memory.
So, to summarize:
  • Observer "observes" the identifiable attribute
  • Observer stores the identifiable attribute in Identification system's memory
  • Entity exposes its identifiable attribute(s) to Identification system
  • Identification System uses the identifiable attribute(s) stored in memory to check whether the Entity's identifiable attribute(s) is "same as" that stored in memory.
And thus we have identified the toe nails of identity elephant.
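The four steps above can be written down as a tiny identification system. This is an added example, not code from the post or from either of the authors it discusses; the class name, the observer/entity names and the choice to keep only a salted hash of the identifiable attribute in memory are my assumptions. What it adds to the summary is the practical shape of the "same as" check: the system never holds the raw attribute, and the comparison is constant-time so that the check itself does not leak how close a presented attribute was to the stored one.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Cost parameter for the stored digest; constructed for the example.
PBKDF2_ROUNDS = 50_000


@dataclass
class IdentificationSystem:
    """Memory of the identification system.

    memory maps an entity name to (observer, salt, digest of the identifiable attribute).
    """
    memory: dict = field(default_factory=dict)

    def observe(self, observer: str, entity: str, attribute: str) -> None:
        """Steps 1 and 2: an observer registers the entity's identifiable attribute.

        The raw attribute is not kept; only a salted PBKDF2 digest is stored,
        so a copy of the memory does not expose the attribute itself.
        """
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", attribute.encode(), salt, PBKDF2_ROUNDS)
        self.memory[entity] = (observer, salt, digest)

    def identify(self, claimed_entity: str, presented_attribute: str) -> bool:
        """Steps 3 and 4: the entity exposes an attribute and the system checks 'same as'.

        Returns True only when an observer previously stored an attribute for the
        claimed entity and the presented attribute derives to the same digest.
        """
        record = self.memory.get(claimed_entity)
        if record is None:
            # Nobody observed this entity, so there is nothing to compare against.
            return False
        _, salt, stored = record
        presented = hashlib.pbkdf2_hmac(
            "sha256", presented_attribute.encode(), salt, PBKDF2_ROUNDS
        )
        # Constant-time comparison: timing does not reveal which bytes matched.
        return hmac.compare_digest(stored, presented)

    def observed_by(self, entity: str):
        """Who registered this entity, or None if it was never observed."""
        record = self.memory.get(entity)
        return record[0] if record else None


def run_demo() -> dict:
    """Walk through the four steps with constructed names and return the outcomes."""
    system = IdentificationSystem()
    system.observe("hr-clerk", "alice", "correct horse battery")  # constructed sample
    return {
        "observer": system.observed_by("alice"),
        "alice_with_right_attribute": system.identify("alice", "correct horse battery"),
        "alice_with_wrong_attribute": system.identify("alice", "wrong attribute"),
        "never_observed_entity": system.identify("bob", "correct horse battery"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The last case is the one the summary makes explicit and implementations often forget: an entity that no observer ever registered cannot be identified at all, however plausible the attribute it presents.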

Sunday, December 18, 2005

Authentisoft Introduces IDX EAP

I am completely confused by this company's approach in the IAM space. I do not understand what their target market is and can only speculate that it will include small businesses, or maybe a complete Java shop whose developers think this is a good "IAM" product. Take a look at the article (and the discussion) that has come from Justen Stepka, who works with the company. The product seems to be too little, too late at first glance (at least in the IAM space), but then maybe I do not understand the product and its complete feature set.

Internet Rebels

After watching Google EPIC, I had a burst of "creative" thought (which is very rare, let me tell you) about a futuristic novel set in 2015 about a renegade who is part of a network of people who run a parallel internet over a P2P protocol. The idea being that once you develop protocols to index and search the P2P member sites using distributed indexes, you may be able to browse the net anonymously. But after reading these articles, it seems to me that something like the above may become a reality rather than remaining a fiction in my head. But seriously, guys, is it good to reject a more structured way to generate internet content just because the format is being proposed by companies that are trying to make money out of people's content? Maybe I am being too naive.

Federation revisited

While going through some articles on the Burton Group reports on Identity Management, I ran into this article from Andre Durand. The basic point of contention was that Burton has predicted that federation will not be a separate product in the long term, while Patrick Harding contests that it will be a separate product. This point of view from PingID can be attributed to the fact that their flagship product is a federation server, though they do provide other components like a Token Service. But let's not go there and look at the argument instead. The basic point of contention seems to be that the infrastructure needs a federation server to consume the SAML assertion and generate an internal SAML assertion that can be consumed by the internal infrastructure. But I am not sure whether that means that you have to set up a federation server the way they describe using this diagram. I see the work they describe more as the job of a Token Service, as I have opined earlier (which I think is one of the good ways of implementing an authentication web service), which would be used by infrastructure components to do the validation. I do not see the federation server becoming the point of entry into the infrastructure, since there are much better products to do that job (like XML firewalls for web services and Web SSO products for the other, browser-based applications).
Maybe this is just a difference in the level of technicality we are at, and Patrick Harding is trying to say the same thing as above while I am getting into the details.
Please also note that in the case of browser-based applications, most of the implementations taking place in this field are moving along the idea of the federation server being the initial point of contact for SAML validation, setting up the session with the existing sign-on product and then redirecting the browser to the web application protected by the SSO product. Thus, the model provided by PingID makes sense for the initial part of the SAML validation, but I am not sure when third-party applications will start shipping with support for federated SSO (more specifically the Web SSOs and XML firewalls, some of which already support it), just as they have started supporting the concept of Single Sign-On.

Saturday, December 10, 2005

FSSO - where are we?

With so many federated sign-on specifications out there, it was becoming really tough to keep track of them. The way I see it, we can divide them into community-initiated, identity-URL-based specs like SXIP (a new addition), LID, OpenID and i-names (XRI), versus standards-body or large-vendor-initiated, identity-token-based specs like SAML, WS-Federation and InfoCard.
Given that the community-initiated specs based on URL-based identity have come together under YADIS (except SXIP, and I am hoping they will join the party soon), where does that leave us with WS-*, SAML, Microsoft InfoCard and Passel (with counter-signed and self-signed attributes)? While the community-based FSSO specs are consolidating, businesses are rolling out services mostly using SAML to perform FSSO between the services that they are providing. We are still waiting for InfoCard and WS-Federation to pick up steam. It seems that InfoCard may be obsolete by the time it comes out if YADIS is accepted by the community (unless they find a way to coexist, which I do not see at the moment, given the love of SOAP on the InfoCard side and the love of REST in URL-based identity) and SAML becomes the norm in the business community.
At this point one thing that is bothering me is the complete lack of initiative from Yahoo, Google (more important) and eBay on the FSSO front. If these companies "don't get it", the community-based initiative may not succeed (unless somebody figures out a way to integrate with them without their involvement). But the basic question is why these companies should "get it", i.e. what are they going to get out of this? The only benefit that I see for these portal companies is the ability to sign on more partners who would like to receive some sort of user identity for better marketing purposes. So, the idea would be that as soon as you click on an advertisement, search result or any link to a partner site, the basic identity from the portal would flow to the partner site, giving it the ability to customize the website based on attributes like age, location, name, gender, etc. Obviously, this would extensively use anonymization techniques (like those that are part of SAML 2.0) to ensure that user information is not given out without the user's knowledge. At this point the game is getting very dynamic. A single new announcement may change the way FSSO grows over the next few years, which makes the whole game all the more interesting...

Saturday, December 03, 2005

What is identity - In words of Bulla Shah

I really like the way this poem explores the basic question of "who am I", i.e. "what is identity". This poem was composed by Bulla Shah, a 17th-century Sufi poet, and used in a great song.
Bulla, who knows who I am?

Neither I am a believer (who stays) in a mosque
Nor do I indulge in actions of disbelief
Nor am I the pure one amongst the impure

Neither I exist in books of Vedh
Nor do I stay drunk
Nor do I remain stoned, rotting

Neither I am happy nor sad
Nor am I in the (argument of) Purity and Impurity
Neither I am (made) of water nor of earth

Nor am I fire nor air

Neither I am Arabic nor Lahori
Nor am I (resident of) the Indian City Nagaori
Nor Hindu nor Turk Peshaweri

Neither I found the secret of religion
Nor did understand Adam and Eve
Nor did I create a name for myself

From beginning to end, I tried to understand myself
I did not come to know of anyone else
I am not just another wise one

Bulla Shah, who is this standing?
Bulla, who knows who I am?

Neither I am Moses nor Pharaoh
Neither I am awake nor asleep
Neither I am fire nor Air
Nor do I live among fools
Neither I am sitting nor am I in a tornado

Bulla Shah, who is this standing?

Thursday, December 01, 2005

Anti-suite Approach

This article talks about suite vs. anti-suite. Each of these approaches has its own pros and cons and fits specific markets. Some factors that may determine it are:
  • SMB (suite) vs. Enterprise
  • Working with bleeding-edge products vs. conservative adoption
So, I do not think it would be appropriate to categorize any market, whether it is network security or identity management, as suite or anti-suite.

PingSTS Announced - Identity for Web Services

Given that InfoCard is based on this service, I need to set up a working environment to test this integration. Besides that, I am bothered by the lack of token types on the output side. Anyway, I will write about it more once I get a chance to do the testing.