Virtual Daniel

Virtual Federation: A Game of Ratios

Tuesday May 13, 2008

In many of my blogs I've written about Virtual Federation Proxy (VFP), a feature available in OpenSSO, the code base from which Sun's upcoming release Federated Access Manager 8 is derived. I've received lots of email from people asking me to explain the benefit of this feature in more detail, so this blog focuses on explaining the problem that organizations are facing and how VFP can lower the overall total cost of ownership for web access management and federation infrastructure.

THE PROBLEM
Most organizations are still working toward internal single sign-on. That is, the majority of organizations still have multiple authentication points or reduced sign-on (RSO). For example, an organization may still have separate sign-ons for its Web Portal, HR System and Payroll system. It could be using Enterprise Single Sign-On to simulate an SSO experience, but it still maintains three different authentication infrastructures. If that organization wants to begin federating with external service providers using all three applications, it needs to deploy a federation service at each authentication point. In other words, an organization would need to deploy a separate federation point for each application -- Web Portal, HR system and Payroll system.
The problem with this is that an organization needs to maintain more federation instances and infrastructure than it wants, and it would not be following federation best practices, which call for a single, centralized federation hub. In short, the ratio of an organization's authentication points to federation points would be 1:1. That is, for every authentication point an organization maintains, it would also need to deploy an additional federation point. This is often an inhibitor to beginning federation, because many organizations believe they need to solve their internal single sign-on issues before starting with federation.

THE SOLUTION: VIRTUAL FEDERATION PROXY (VFP)
VFP allows a company to lower infrastructure costs by reducing the number of federation instances, hardware, and ongoing support/maintenance costs required to support each individual authentication point. VFP changes the ratio of authentication points to federation points from 1:1 to X:1. For example, the organization mentioned above that has 3 authentication points (Web Portal, HR System, Payroll System) would now only require one federation deployment to manage all 3 authentication points, a 67% reduction in hardware, software, and ongoing maintenance. In short, OpenSSO's Virtual Federation Proxy (VFP) solves this problem by decoupling federated SSO from internal SSO.
VFP does this by allowing organizations to add a plug-in to each authentication point that pushes federation data to OpenSSO when a user logs in. OpenSSO caches the federation data and then acts as a virtual proxy on behalf of each authentication point. For example, the company mentioned above that has three authentication points would deploy a basic plug-in to federation-enable its Web Portal, HR System, and Payroll System. If a user logged in to the HR system and then tried to access a partner service during the authenticated session, for example an outsourced 401K service, OpenSSO would act as a proxy for the HR application and handle all communications with the 401K service using the cached data. Once the session is terminated, the cached data is deleted from OpenSSO.
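To make the X:1 arrangement concrete, here is a small Python model of a hub that several authentication points push session data into and that answers partner requests on their behalf, purging the cache when the session ends. This is an added illustration written for this page, not OpenSSO code; the class and method names (`FederationHub`, `push`, `assert_for`, `terminate`) and the sample session and attribute values are invented for the example.

```python
"""Toy model of a virtual federation proxy (VFP) hub fronting several
authentication points. Constructed illustration only: it is not OpenSSO
code, and every class, method and sample value here is made up."""
import secrets
import time


class FederationHub:
    """One federation point serving N authentication points (an X:1 ratio)."""

    def __init__(self, partners):
        # Partner service providers (e.g. an outsourced 401K service) that the
        # hub is allowed to issue assertions to: the circle of trust.
        self.partners = set(partners)
        # session_id -> (originating auth point, attributes pushed at login).
        # Entries exist only while the user's session at the auth point is live.
        self._cache = {}

    def push(self, auth_point, session_id, attributes):
        """Called by the plug-in at an authentication point when a user logs in."""
        self._cache[session_id] = (auth_point, dict(attributes))

    def assert_for(self, session_id, partner):
        """Answer a partner's request on behalf of the originating auth point.

        Returns None when there is no live session, which forces a fresh login
        at the authentication point rather than reusing stale data."""
        if partner not in self.partners:
            raise PermissionError(f"{partner} is not in the circle of trust")
        entry = self._cache.get(session_id)
        if entry is None:
            return None
        auth_point, attrs = entry
        return {
            "issuer": "federation-hub",
            "on_behalf_of": auth_point,
            "audience": partner,
            "subject": attrs["uid"],
            "attributes": {k: v for k, v in attrs.items() if k != "uid"},
            "issued_at": int(time.time()),
            "assertion_id": secrets.token_hex(8),
        }

    def terminate(self, session_id):
        """Session ended at the auth point: drop the cached federation data."""
        self._cache.pop(session_id, None)

    def live_sessions(self):
        return len(self._cache)


def federation_points(auth_points, with_vfp):
    """Federation deployments needed: 1:1 without VFP, X:1 with it."""
    return 1 if with_vfp else auth_points


def reduction_percent(auth_points):
    """Percentage of federation deployments avoided by using a single hub."""
    without = federation_points(auth_points, with_vfp=False)
    with_hub = federation_points(auth_points, with_vfp=True)
    return round(100 * (1 - with_hub / without))


if __name__ == "__main__":
    hub = FederationHub(partners=["401k-provider"])
    # Constructed sample login pushed by the HR System plug-in.
    hub.push("HR System", "sess-42", {"uid": "alice", "employee_id": "E123"})
    print(hub.assert_for("sess-42", "401k-provider"))
    hub.terminate("sess-42")
    print(hub.assert_for("sess-42", "401k-provider"))  # None: cache purged
    print(reduction_percent(3))  # 67
```

The two properties worth noticing are that the hub only ever speaks to partners it has been configured to trust, and that nothing survives session termination, so a partner request after logout cannot be served from leftover data.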

Finally, as an organization makes progress toward SSO, it does not need to worry about constructing, maintaining and end-of-lifing multiple federation services. Instead, it can simply change how each application interacts with a single federation hub. In short, VFP allows organizations to architect a long-term federation solution that follows best practices, simplifies their path to federated single sign-on, lowers total cost of ownership, and simplifies an organization's identity infrastructure in a pragmatic manner.

Peace out!

[1] Comments

Sun Identity Team Challenges PING, IBM, ORACLE, CA and Microsoft

Friday May 09, 2008

OK Identity Competitors!

We had our video battle warm-up with the scrappy Ping Identity a few months ago, but now we challenge you to a little game called IDENTITY HERO!"

My teammates at Sun believe that they can rescue more identity enterprises than our competitors. Let's throw down and see who can claim the highest score!!!

BOOOYAH!!!

[0] Comments

Simple Federation meets The Federation Validator

Thursday May 01, 2008

My goal in life, besides world peace, is to make federation so simple my 15-month-old child, Taro, can do it. Now that's a lofty goal, but we're making progress towards it in Federated Access Manager 8. To give you a preview, I've prepared a screencast that shows the following:

* Configuring an Identity Provider (IDP)
* Configuring a Service Provider (SP)
* Creating a Circle of Trust between the IDP and SP
* Validating the federated connection

The goal is to give you an idea of how simple federation has become. Keep in mind, I'm marketing and I can do it. I'm also not one of those converts from engineering to marketing (light-side to dark-side), but rather come from a business background and have a BA in Public Affairs. In short, this stuff is not designed for identity experts, but rather dimwits like myself.

As always you can check all of this out for yourself at www.opensso.org. Enjoy the demo . . .

[2] Comments

OpenSSO Workshop @ CommunityOne

Tuesday Apr 29, 2008

Howdy Peoples!

Next week is JavaOne and there is a lot of excitement brewing around Sun. In the world of identity we're gearing up to host a workshop titled "OpenSSO: Creating Federated Relationships with Software as a Service, Social Networking, and Web 2.0 Applications" on Monday May 5 at 4pm in Hall E 135. This session is part of CommunityOne, which is free of charge to attend. All you need to do is register. See you there!


[0] Comments

Identity Buzz Podcast: The Fedlet and light-weight federation

Thursday Apr 24, 2008

Last week, I joined RedMonk's Michael Coté and Brandon Whichard on the Identity Buzz podcast. We talked about The Fedlet, a small, light-weight way to get identity federation set up with Sun tools. Click on the link below to listen and enjoy!

Download the episode directly here, or subscribe to the RSS feed in iTunes or other podcatcher to have it auto-downloaded.

[1] Comments

UPDATED: Watch the FEDLET Now! REALLY!

Tuesday Apr 22, 2008

OK. Had some video problems, but here it is. REALLY!

You've been patient. You've survived our teaser campaigns. As promised, you've earned the privilege to see the fedlet. So . . . sit back, pour yourself a glass of wine (or a shot of Jägermeister) and enjoy an overview of THE FEDLET.

[1] Comments

Fedlets Everywhere Video

Friday Apr 11, 2008

We're almost there folks. Here's the final teaser around Fedlets. Around this time next week you will be drinking an umbrella drink and reflecting on the power of the Fedlet.

[1] Comments

From the Trenches at Sun Identity, Part 3: Federated Access Management Simplified

Friday Apr 11, 2008

As Pat stated on his blog, from the shameless self-promotion dept...

Hot on the heels of her interview with the scrappy Jamie Nelson and infamous Pat Patterson, Marina's latest subject is... lil ol' me!

[0] Comments

Piglet versus The Fedlet

Friday Apr 04, 2008

Many people keep asking me "What is the Fedlet?" Does it relate to identity? Well, the answer to that one is YES, DEFINITELY! Not only that, but it will also revolutionize how to solve a specific pain point in the world of identity! Some folks have also surmised that the Fedlet is somehow related to Piglet. I can assure you that is definitely not the case.

I know I've been dragging this one out for some time so we're working to pull together an Identity Buzz with Brandon and Coté to discuss "WHAT IS THE FEDLET!" That said, I will only answer their questions with either "waaaaarmer" or "coooooolder." Stay tuned.

[0] Comments

THE FEDLET APPROACHES!

Monday Mar 24, 2008

[0] Comments

What is the FEDLET?

Friday Mar 21, 2008

[4] Comments