do it. think it. blog it! ... a twisted world

Wednesday Mar 15, 2006

FYI: This blog is getting too cluttered with "infocard" related information. I have decided to maintain this blog with non-"infocard" related information from now on. Any work that I do on "infocards" will be blogged on my infocard blog. So head on over there for "infocard"-"info".

PS: Please update your blogrolls and bookmarks too...

Monday Mar 13, 2006

Kim's much awaited Infocard For Wordpress PHP code release is expected soon (this week). All of you who have been eagerly awaiting this code release, do bookmark http://www.identityblog.com/?page_id=390. I have it on my desktop RSS reader so I get a heads up on it. Well, I'm just tipping you folks off on the release date that's soon approaching...

While on the topic: Here's another very interesting EXCLUSIVE post by Ed Oswald on betanews.com:

EXCLUSIVE Microsoft plans to roll its Passport authentication service into the Windows Live family of Web services by 2007, renaming it to Windows Live ID, BetaNews has learned. While the company is keeping mum on specifics, the service will make use of Microsoft's new InfoCard technology.

Sources familiar with the situation say Windows Live ID is part of up to three-dozen "Live" services currently in development. Some of these products would piggyback on top of preexisting services -- like Windows Live Local Search Free Call, which enables users to call businesses directly from search results.

Standalone offerings, meanwhile, would include products like the Windows Live Toolbar and the recently announced Windows Live Family Safety Settings.

While most of these services will not be released by April, when the core Windows Live family is said to be exiting beta, the revelation of a whole host of new Live products in the pipeline indicates Microsoft is placing a major bet on the Web services concept.

A Microsoft spokesperson confirmed the existence of Windows Live ID to BetaNews late Monday, calling it the authentication service for Windows Live. "You may consider it a major upgrade to Passport technology," he said. According to Microsoft, Windows Live ID would play a large part in making upcoming services possible.

"We do plan for Windows Live ID to work with InfoCards in the future," he continued, although declined to say whether the feature would make it into the service's initial launch.

Microsoft chairman Bill Gates provided the first clues to the existence of Windows Live ID at the RSA Conference earlier this month, when he said InfoCard was intended to replace Passport and would make password-based authentication obsolete.

With over 30 services potentially taking on the "Live" moniker, industry watchers are warning that the Redmond company risks diluting the brand like it did with the .NET concept.

"Within a matter of months [after .NET's initial release], Microsoft marketers began attaching the .Net moniker to all kinds of products, from Windows .Net Servers, to MapPoint.Net," said Mary Jo Foley, author of the Microsoft Watch newsletter. ".Net became a meaningless term that even Redmond's own couldn't explain concisely."

According to Foley, Microsoft risks the same result with Windows Live if it isn't careful. "It seems like Microsoft, its partners and its customers could benefit from some kind of clearly articulated policy as to what will and won't be considered a Live property."

The Microsoft spokesperson could not confirm public release dates or the number of Windows Live projects in development, but acknowledged, "you'll see many more new products in the coming months."


WOW, Windows Live ID. Now that's something I wasn't aware of. I was under the impression that "passport" and "infocard" were totally different systems, but now I'm getting confused with this announcement, as Microsoft seems to be walking down the path of renaming passport to Windows LID (I abbreviated it already), and then also announcing the integration of "infocard" into it.... makes me wonder what one's plans are here.... The news is also on Microsoft Weblog, Yahoo, eWeek, MSFN, etc...

But why call it "Microsoft Live ID"??? .... It would soon get abbreviated to Microsoft LID (as I already did). Johannes, are you reading this?

Sunday Mar 12, 2006

My ongoing effort to develop an infocard authentication module... (which will be published here)

Step 1: Install Internet Explorer 7.0 (Beta 2). This UNFORTUNATELY works ONLY with Internet Explorer 7.0. Well, I'm really not too sure whether "fortunately" or "unfortunately" is the appropriate word to use... but anyway...

Step 2: Get infocard up and running on your desktop (using the WinFX CTP; refer to my prior post). There may be better and more ways of installing the infocard component on one's desktop, but I'm aware of just this method for now. If you know of other methods, please post them as comments here.

Step 3: Enable SSL on your web application (refer to your web server docs to learn how to do it). The login requires an SSL connection. InfoCard uses the site's SSL certificate to (1) display the trust dialog on the first visit and (2) encrypt the token to the targetUrl, so only the server holding that certificate's private key can read the token. InfoCard supposedly also supports High Assurance certificates. NOTE: You may also be able to use Paul Johnston's client-side JavaScript hash algorithm, but I've not tested it and am not sure.

Step 4: Get your web application to invoke the infocard component (the Identity Selector) to let you choose the credentials you would like to submit. The web application can simply embed HTML tags, using either the OBJECT tag or the XHTML tag, as part of the FORM element. The following code snippet would enable you to do that (just an example, based on a web application that requires only the user's email address claim):


(image of the code snippet, not reproduced here)

OBJECT tag example:

(image of the OBJECT tag markup, not reproduced here)

XHTML tag example:

(image of the XHTML tag markup, not reproduced here)

OR use a simple HTML form as follows:

(image of the HTML form markup, not reproduced here)

Step 5: Once the InfoCard UI shows up (refer to my prior post for screenshots of the UI), select the InfoCard you want to present. The IP (Identity Provider) generates a token, and that token is posted in the specified field (in the example above, the field name is "xmlToken") to the targetUrl (in this example, InfoCardAuthenticationServlet).

You will notice that inside the OBJECT tag or XHTML tag you can specify the RP's policy, such as issuer, token types, claim set, etc. I'm still learning new stuff here. I've not yet discovered everything.

The POST operation would look like the following:

POST /InfoCardAuthenticationTokenServlet HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 6478
Content-Type: application/x-www-form-urlencoded
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Host: www.YOURDOMAIN.com
Referer: https://www.YOURDOMAIN.com/InfoCardAuthenticationServlet
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
UA-CPU: x86
InfoCardSignin=Log+in&xmlToken=%3Cenc%3AEncryptedData+Type%3D%22http%3A%2F
%2Fwww.w3.org%2F2001%2F04%2Fxmlenc%23Element%22+xmlns%3Aenc%3D%22http%3A%2
F%2Fwww.w3.org%2F2001%2F04%2Fxmlenc%23%22%3E%34WVfaItHJTYU%2BsxIR1T25fi9k%
2FOc%2FMX7Q%2B6NSDs4nGqkn4rzqpez9BUWNZw7caVOrDeao

    .......
diZwfj0w06g199qlAqUMZEWxh0%3D%3C%2F
enc%3ACipherValue%3E%3C%2Fenc%3ACipherData%3E%3C%2Fenc%3AEncryptedData%3E
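Here is what the receiving side of steps 4 and 5 has to do, as an added example that is not code from this post or from Microsoft's InfoCard kit. The servlet behind the targetUrl takes the xmlToken field out of the POST above, refuses the EncryptedData envelope unless it is keyed to the server's own SSL certificate (the SHA-1 thumbprint in the KeyIdentifier) and uses the expected algorithms, and, once the token has been decrypted with the SSL private key and its signature verified (both left to a crypto library, not done in this block), enforces the SAML assertion's validity window and audience before trusting the email address claim. The algorithm URIs and the KeyIdentifier form are assumptions taken from the XML-Encryption and WS-Security conventions the CTP tokens follow; the certificate bytes, ciphertext and assertion are constructed sample data, not a real token.

```python
"""Relying-party side of steps 4 and 5: checking the posted xmlToken.

Added example, not code from the original post. It checks the enc:EncryptedData
envelope BEFORE the RP's SSL private key is used (expected algorithms; session
key wrapped to OUR certificate, which the selector names by SHA-1 thumbprint),
and, after decryption and XML-DSig verification (left to a crypto library, not
done here), the SAML 1.x assertion's validity window, audience and claims.
Assumptions: algorithm URIs and the ThumbprintSHA1 KeyIdentifier form follow the
XML-Enc / WS-Security conventions of CTP tokens; every sample value is constructed.
"""
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "enc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
DATA_ALG = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
KEY_ALG = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
THUMB_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
AUDIENCE = "https://www.YOURDOMAIN.com/InfoCardAuthenticationServlet"  # the form's targetUrl
RP_CERT_DER = b"constructed stand-in for the RP's DER-encoded SSL certificate"

def _req(parent, path):
    """find() that raises instead of returning None, so a malformed token fails closed."""
    node = parent.find(path, NS)
    if node is None:
        raise ValueError(f"token is missing {path}")
    return node

def _ts(value):
    """Parse a SAML UTC timestamp such as 2006-03-12T10:00:00Z (fractional seconds dropped)."""
    return datetime.strptime(value.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def thumbprint_b64(cert_der):
    """SHA-1 thumbprint of a DER certificate, base64, as carried in a wsse:KeyIdentifier."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode()

def form_field(body, name):
    """Return exactly one value of a field from an application/x-www-form-urlencoded body."""
    values = urllib.parse.parse_qs(body, strict_parsing=True).get(name, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {name} field")
    return values[0]

def check_envelope(xml_token, my_cert_der):
    """Validate the EncryptedData envelope; return the raw ciphertext for the decrypt step."""
    root = ET.fromstring(xml_token)
    if root.tag != "{%s}EncryptedData" % NS["enc"] or root.get("Type") != NS["enc"] + "Element":
        raise ValueError("not an Element-type enc:EncryptedData")
    if _req(root, "enc:EncryptionMethod").get("Algorithm") != DATA_ALG:
        raise ValueError("unexpected data-encryption algorithm")
    key = _req(root, "ds:KeyInfo/enc:EncryptedKey")
    if _req(key, "enc:EncryptionMethod").get("Algorithm") != KEY_ALG:
        raise ValueError("unexpected key-transport algorithm")
    kid = _req(key, "ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier")
    if kid.get("ValueType") != THUMB_TYPE or (kid.text or "").strip() != thumbprint_b64(my_cert_der):
        raise ValueError("token was encrypted to a different certificate")
    return base64.b64decode(_req(root, "enc:CipherData/enc:CipherValue").text)

def check_assertion(assertion_xml, audience, now_iso):
    """Check validity window and audience of the decrypted SAML 1.x assertion; return its claims."""
    now, a = _ts(now_iso), ET.fromstring(assertion_xml)
    if a.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("decrypted token is not a saml:Assertion")
    cond = _req(a, "saml:Conditions")
    if not _ts(cond.get("NotBefore", "")) <= now < _ts(cond.get("NotOnOrAfter", "")):
        raise ValueError("assertion outside its validity window")
    if audience not in [e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different audience")
    return {attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", ""):
            _req(attr, "saml:AttributeValue").text
            for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}

# Constructed sample token with the shape of a CTP token (made-up key and ciphertext bytes).
CIPHERTEXT_B64 = base64.b64encode(b"constructed-ciphertext").decode()
SAMPLE_ENVELOPE = f"""<enc:EncryptedData Type="{NS['enc']}Element" xmlns:enc="{NS['enc']}" xmlns:ds="{NS['ds']}" xmlns:o="{NS['wsse']}">
 <enc:EncryptionMethod Algorithm="{DATA_ALG}"/>
 <ds:KeyInfo><enc:EncryptedKey><enc:EncryptionMethod Algorithm="{KEY_ALG}"/>
  <ds:KeyInfo><o:SecurityTokenReference><o:KeyIdentifier ValueType="{THUMB_TYPE}">{thumbprint_b64(RP_CERT_DER)}</o:KeyIdentifier></o:SecurityTokenReference></ds:KeyInfo>
  <enc:CipherData><enc:CipherValue>Y29uc3RydWN0ZWQtd3JhcHBlZC1rZXk=</enc:CipherValue></enc:CipherData>
 </enc:EncryptedKey></ds:KeyInfo>
 <enc:CipherData><enc:CipherValue>{CIPHERTEXT_B64}</enc:CipherValue></enc:CipherData>
</enc:EncryptedData>"""
SAMPLE_POST_BODY = urllib.parse.urlencode({"InfoCardSignin": "Log in", "xmlToken": SAMPLE_ENVELOPE})
# What that envelope stands for once decrypted (constructed; a real one is also signed by the issuer).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1">
 <saml:Conditions NotBefore="2006-03-12T10:00:00Z" NotOnOrAfter="2006-03-12T10:05:00Z">
  <saml:AudienceRestrictionCondition><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestrictionCondition>
 </saml:Conditions>
 <saml:AttributeStatement><saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
  <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def login_claims(post_body=SAMPLE_POST_BODY, now_iso="2006-03-12T10:01:00Z"):
    ciphertext = check_envelope(form_field(post_body, "xmlToken"), RP_CERT_DER)
    # ciphertext goes to RSA-OAEP unwrap + AES-256-CBC decrypt here; on the sample that yields SAMPLE_ASSERTION
    return check_assertion(SAMPLE_ASSERTION, AUDIENCE, now_iso)
```

Running login_claims() on the sample returns the emailaddress claim. Swapping in another certificate's bytes, a time outside NotBefore/NotOnOrAfter, or a different audience makes the checks raise ValueError, which is the point: the servlet should only ever accept a token that was made for it, and it should find that out before spending a private-key operation on a stranger's ciphertext.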

Step 6: Wait till I learn more and post more info here. In the meantime, if YOU know anything more, please share the info. It would help me too. Let's learn and share at the same time.

You can also see a list of sites to which you have sent your infocards via the "site list" link in your infocard Identity Selector GUI.


(screenshot of the Identity Selector site list, not reproduced here)

PS: Could someone show me how to post HTML code using the PRE tag on this blog? For some reason, the PRE tag on my blog just does not work. Am I missing something in my stylesheets? If someone can help me resolve this issue, I'd save tons of time that I am currently using to create image snapshots of my code, uploading images and posting HREF links to them. It would really help if anybody could point me to some good resource which would enable me to POST HTML code within a PRE tag.

Saturday Feb 25, 2006

I was almost a quarter of the way through developing the smartcard applet which theoretically could read the info from the smartcard and use the digital certificate from the smartcard to authenticate you to Access Manager.

Here's the low-down on the effort. Smartcard readers are vendor specific. I used the ActivCard SDK for building the applet, with some amount of minor hacking. So now I have come to realize that the smartcard reader and the applet are vendor specific. Whew!! What a painstaking effort. But nevertheless a good learning experience.

So now I'm investigating musclecard, and hope to learn that the applet that I develop is not vendor specific... If anybody has any info on developing a non-vendor-specific (smartcard reader manufacturer specific) applet, please, please, please do "SHARE" the info.

I wish everybody would adopt the OpenSC Framework. Identity Alliance has a product called ID Ally.

ID Ally provides everything you need to begin deploying and using smart cards for security purposes. It provides the necessary software components to enable your smart card with a variety of applications and purposes such as:
  • Email Signing / Encryption using Outlook
  • Web Authentication using Internet Explorer
  • Signing and Encryption using Adobe Acrobat
  • Password wallet for secure password storage
  • Enrollment using Windows 2003 CA
  • Certificate Auto-Enrollment Options
  • Digital ID (certificate) Self-Enrollment Tool
  • Mozilla/Firefox Email, Web Authentication
  • Caching for convenience and speed
  • Utility for viewing certs and changing pin and unblocking
  • Card applet management capability
  • Easy to Use Installer and Documentation

ID Ally is FREE for personal use, and has a 30 day free trial for professional use so you can trial the software before choosing whether to license it. Using Windows 2000 or XP, you can use the provided installer to install all the components and documentation needed to begin.


Download ID Ally


In order to use ID Ally, you need to do the following:
  • Download ID Ally
  • Unpack ID Ally
  • Double-click on the MSI file to install it
  • Start regedt32
  • Change HKEY_LOCAL_MACHINE\SOFTWARE\Identity Alliance\AuthShim\PKCS11BaseModule to "opensc-pkcs11.dll"
  • Change HKEY_LOCAL_MACHINE\SOFTWARE\Identity Alliance\AuthShim\PKCS11Module to "opensc-pkcs11.dll"
  • Change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Identity Alliance CSP\PKCS11Module to "opensc-pkcs11.dll"
  • Close regedt32
  • Run "ID Ally Card Manager"
  • Enter PIN
  • Turn off virtual slots in opensc.conf
Test it by visiting some SSL client-certificate protected web site with Internet Explorer.

AH!! You also need to use a PC/SC compliant smartcard reader FROM ANY VENDOR. And if you do this my SmartCard applet would work... So help me please...

Friday Feb 24, 2006

Kim posted a nice article on A simple managed payment card example a while ago. So basically what happens with an "issued" infocard is that the infocard only contains a pointer to where the user information is to be obtained from (in this case, as per Kim's example, the issuer happens to be Bank of America, and the requestor is amazon.com). Well, Kapil had a nicer post on Smartcards and Federated Identity. Quoting Kapil:

Smartcards are actually the real enabler of the biggest network of identity federations the world has known till date, i.e. GSM.
[...]
Various standards like SAML, Liberty, InfoCard/WS-Trust, WS-Federation etc. for identity federation respect and understand the usefulness of security devices like Smartcards. All these standards propose solutions to the same set of problems in _almost_ the same way and differ mostly in the wire protocols used. SAML and Liberty have the profiles ECP (Enhanced Client Proxy) and LECP (Liberty Enabled Client or Proxy) respectively, which enable Smartcard-based authentication, whereas InfoCard (a profile of WS-Trust) treats a Smartcard as another Security Token Service which can generate self-issued security tokens.

Nice... I see the light at the end of the tunnel. InfoCard treats a smartcard as a personal security token service (PSTS) which can issue security tokens in the form of SAML assertions.

and so i thought... or rather... continue to think...

What's the difference between the long-existent JavaCard/Liberty vs InfoCard/WS-Federation?

I remember sometime back I had read an article, "Microsoft Employees Get Carded" by Karen Epper Hoffman, via Kapil's Blog. Well, Scott made us use these from a long time ago... And Microsoft's views on smartcards are no different.

Hubert has put together a nice demo of how, using Liberty's ID-WSF protocols, we can create a module that greatly helps the user in dealing with his digital identities.

Currently laptops, Sun Ray 1g, Sun Ray 170 and desktops ARE available with built-in smartcard readers.

and hence my dilemma...

Thursday Feb 23, 2006

Yes (to all those who were wondering who is working on porting infocard to Solaris/Linux): I currently am working on integrating infocard with Access Manager, and my next move would be to port infocard to Solaris/Linux.

The process of porting infocard over is not a 1 week task. It may take me longer, as I'm overloaded with work and hardly have time to spare for this development. But with me assigning an hour or two every day I hopefully would complete this shortly. In the meantime I shall also blog my experiences in the process. And here's my first run at it.

Infocard in its current form can be used on Windows XP desktops which have SP2 installed, Windows 2003 Server with SP1 installed and Windows Vista (February CTP). It requires the WinFX Runtime Components (for x86 or for x64). I currently am playing around with infocard on Windows XP with SP2 and Windows 2003 Server with SP1.

As soon as the WinFX CTP is installed on the system, the infocard components also get installed. You would also notice that your control panel now has a "Digital Identities" component installed. This is the core component from which you can create, edit, import or delete your infocards.

You can create as many "Identities" as you choose. But what bugs me is that I can create "any" Identity of my choosing. The screenshot below shows how I created Identities with myself, Kim, Pat and Bill Gates as the "identities" "I" wish to be recognized as.

(screenshot: Microsoft Infocard "Digital Identities" panel, not reproduced here)

Here's the issue that bugs me. This issue has been bugging me for a while, since the time "user-controlled" identities became the talk of the town, oops, web. The term "identity management", I believed, was a step forward in preventing "identity theft" (someone, please correct me if I'm wrong here). With the volume of identity thieves who exist on the web today, the ability to create "identities" just facilitates the process. I agree that the "identity" may be of no good if nobody accepts the identity. But Microsoft would succeed in enabling organizations to adopt infocard, and its usage and participation would rise. For organizations (participants) who have their heads on their shoulders, the organizations ("issuers") would issue users their "infocard"/"identities" which could be used to access a service. Users could import the "issued" infocard onto their desktops using "Install a provider card", as in the screenshot below.

(screenshot: Infocard "Install a provider card" dialog, not reproduced here)

Here's my biased opinion. If the only infocards that MATTER are the ones that are issued by a provider, what makes it different from "Liberty"? Liberty is built on the "identity-given" framework/concept. The ability to enable a user to create his own "infocard" may sound appealing, but how does it help? Well, for a novice user it may sound cool, because he/she can create several "infocards" of themselves and choose which one to provide to a "requestor" based on the information he/she would want to provide to a particular web service/application. But for the miscreants, it's a toolkit to spoof identities.

Another issue is that the "infocards" are stored on a user's desktop (porting them from one system to another "may" be a pain to a novice user). Now, this makes it even worse. Anybody who has access to the user's machine has the ability to delete the infocards that one may have created. What IF my son deletes my infocards intentionally or accidentally? What if my infocard gets stolen? If the infocards are not protected, they could be exported from one machine to the other with ease. The only way to secure it is by password protecting it. (So where does "no passwords required" come into the picture in this?) One can come up (make up) with numerous issues with this model. But what's important is the fact that the "only" infocards that matter would be the ones that are issued by a service provider/identity provider. Well, we have another issue now: IF each IDP/SP would start issuing infocards to their users, the user ends up having tens of hundreds of infocards to manage. How different is that from tens of hundreds of username/password combinations?

As an infocard user, am I supposed to store all my infocards on a USB drive and carry it along with me just to enable me to use a service from any desktop? (The desktop additionally should be infocard enabled!!)

AH!! I'm tired right now. I shall follow up on this again soon.. as my thoughts keep formulating and changing.

PS: I personally like JavaCards. Please read Hubert's post on Liberty à la InfoCard. And think... "JavaCards and Liberty". You be the judge. So you decide for yourselves.

UPDATE : This does not mean that I am not working on porting infocard to *nix and integrating it with AM. I am working on that too. Shall keep you posted on developments at my end periodically.

UPDATE 2 : I am NOT against infocard. I'm just thinking out loud as I keep discovering new stuff. And thought processes change periodically. The only thing that has been constant in my discoveries so far has been "change"

Sunday Feb 19, 2006

As a taste of upcoming MIX06 sessions, Kim Cameron presents a thumbnail sketch of how InfoCards bring an architecture for identity to the Internet, a demo of how it works and a peek at how you integrate it into a Web page.
  1. 20060209InfoCardKC.EXE
  2. 20060209InfoCardKCDemo.EXE
source : MSDN TV

See Kim's full session on this topic at the MIX06 conference.

UPDATE 1: Also read Johannes Ernst's blog post "There are lots of things that are right about Microsoft InfoCard".

After seeing the infocard demo, I feel that infocard really is a nice thing. I do not want to comment on the "open source or closed source" part, as there are several of us in this field who are debating that topic. So I leave that up to those who better understand it and fight for it in the open source community.

Here's my take. Sun has the Sun Java System Access Manager. This product really has extremely good visibility and usage in the real world, especially in the corporate sector. Individuals who care about secure identity, and those who (by choice or otherwise) use a Microsoft Windows desktop as the client, would end up using infocard for authentication in the future, as Microsoft plans to use infocard for building what they call a fundamentally secure platform. Now having said that, I don't see the entire world not using Windows as the desktop client. Yep, true, Macs, Linux and Solaris have a long way to go to become the de facto standard desktop for end users. So, all said and done, I thought of a small project that I would embark on in my free time. I would try to develop an InfoCard Authentication Plugin (using the Microsoft Federated Identity and Access Resource Kit and JAAS) for the Sun Java System Access Manager. Well, this may not be a good idea, but I guess it would be well worth my free time. As soon as I finish the module (hopefully soon, especially with Kim's & Kapil's help), I shall distribute the entire codebase and the procedure for enabling you to deploy the infocard authentication plugin on Access Manager. (This may make for a good demo, given that most users happen to have a Windows desktop.) One main reason for me to embark on this is that I see a strong similarity between this effort and nFactor Authentication (which I had blogged about a long time ago).

After all, Sun and Microsoft have joined hands for the interoperability of Liberty and WS-Federation, the results of which have led to the Web Single Sign-On Interoperability Profile & the Web Single Sign-On Metadata Exchange Protocol (which have just been released).

UPDATE 2 : Also read "Microsoft Employees Get Carded" (an old post) by Karen Epper Hoffman

Wednesday Jan 25, 2006

For those who have been following my posts, I suppose you have read my prior post on Outsourcing Identity Theft. I was so so so wrong. It happened to me all over again (just yesterday). This time it was someone placing an order for a plasma TV with Dell.

I should not be saying that it was exactly the same, as there was a minor difference. This time I did get Dell to provide me with the credit card number that was used (the Dell rep was reluctant, but I persuaded him to do so); and to my utter dismay, it sure was MY credit card number. Another minor difference was that it was for a 42" Plasma TV and not a computer. Well, I did speak to the RCMP, and the advice I got from them was to simply cancel my credit card and sit tight. There was not much they could do about it unless the miscreant was caught red-handed.

I did some follow up on my own, only to find out that the delivery address was slightly different from the one in my prior episode. This time it was to a "George Bankwah @ 11595 St. Evariste, Montreal Quebec. H4J 2N6 with the phone number 514-743-1819".

Well, I also happened to read Kim's post on IDENTITY INFORMATION THEFT versus identity theft, which made me wonder which category this would fall into.

Any suggestions or thoughts Kim ?

Tuesday Jan 17, 2006

Microsoft Passport has been around for a while. This article describes the Risks of the Passport Single Signon Protocol extensively. Contrary to my personal preferences and beliefs, I myself have been using Passport for quite a while just because of the large list of participating sites that I frequent.

However, the frequent presentation of the following screenshot is compelling me to believe that someone needs to get their act together and also give other alternatives a shot...

This is a very good example of how a single point of failure can cause serious impact on business processes.

Monday Jan 09, 2006

  1. Password Management: Grief Relief
  2. Identity Management Is Here to Stay
  3. Moving Beyond Compliance to Business Value
  4. Simple Sign-On
  5. Ruby Tuesday's Identity Crisis

PS: No time to blog details, and the above list of things were what I thought were worth blogging on... and since I had no time to blog (have to catch a flight, got to rush) I thought that a linked list was a better choice.

REMINDER : Here's a good example of how identity theft can give you nightmares.

In the early 1990's, someone ran amok, using Mr. Lorenzo's identity. It was used to rack up tens of thousands of dollars in fraudulent credit card debt. It was given to the police after various traffic violations. And a man even used the name Raymond Lorenzo when he was arrested and indicted in 1991 in Suffolk County, N.Y., for, among other things, burglary, forgery and criminal possession of a weapon.

PS: Identity Management needs to be given importance. More importance than anything else.

Sunday Jan 08, 2006

tee hee...; Remember my old post on RFID; Here's a new spin to it; tee hee...

In order to conduct a scientific survey of the tiger population this year, Wildlife Institute of India (WII) would soon be issuing photo identity cards to all the tigers of the country.

WII scientists have also proposed three new scientific techniques to have a more accurate count of the tigers living in the wild.

As per the proposal, the three techniques are namely computerised pugmarks, camera traps and DNA tests. All the three techniques would be used in the tiger survey starting in the country from January 15.

Thursday Jan 05, 2006

H&R Block Mistake Exposes Social Security Numbers: Ain't this a classic example of how the simplest of silly mistakes can be a vehicle for identity theft.

H&R Block was not just stupid enough to print U.S. taxpayers' Social Security Numbers on the packages mailed out to customers, but looked even sillier when Denise Sposato, an H&R spokesperson, said

The Social Security numbers on the packages had no formatting that would make them stand out, and no one would have been able to easily identify them as a Social Security number

Sposato was further heard to have said : "The people affected had been our customers two to three years ago"

I guess having been a past customer minimises risks aye !!!

"It is a very good idea for everyone to check their credit report at least twice a year," advised Sposato. I guess Sposato does not know that a continual credit monitoring service costs $$$s. Who's gonna pay for that? H&R Block??

This sure is a wild wild world!! I wonder what's left? Printing resumes, photographs, & credit card information on the mailers??

Identity thieves are not born, but created... and we are the ones who nurture them with our stupid mistakes...

{{{rant}}} {{{rant}}} {{{rant}}}

UPDATE: H&R Block believes that an answer to this error is to set up a website to warn recipients about the mix-up.

UPDATE 2: I guess the identity thieves are causing this too...

After James McGovern kicked off the discussions around Identity Federation, Pat's response was quite detailed. Johannes Ernst, Shekar Jha, Tom Gordon, Radovan Semančík & Mark Dixon and a lot more chimed in with their perspectives, and I thought that my 2.0 cents on the subject were worth posting.

Identity Bloggers pretend that notions such as Sarbanes Oxley don't exist (or at least never mention them).
Well, I believe that all bloggers who speak on identity management are very well aware of SOX and its likes. Why in this day and age would we believe that compliance is not critical? I think that it would be foolish to believe that identity bloggers ignore SOX.

SAML 2.0 is a good move to increase interoperability and should be implemented in all security oriented products. Maybe you can tell us why within the enterprise we should use SAML 2.0 between say Active Directory and RACF vs. sticking with tried and true approaches such as Kerberos?
I'd like to reiterate Pat's comment once again here: You use the appropriate tool for the job. Where there is a tried and true approach, then use it. What more could I add to it??

Do you think that enterprises are well-served by consolidating identity stores vs keeping them spread all over the place and doing SAML?
There was a time period when the entire industry was thinking in terms of consolidating the disparate authentication systems into one huge repository for authentication data. Well, it was not an easy task. Consolidation has its own pros and cons. I guess I'm missing out on something here. Consolidation between user identities that are owned by 2 separate organizations?? Ain't federation the topic of discussion here? OR is James referring to a "passport" structure?

If you want corporations to embrace the notion of federated identity, wouldn't it require more than simple "look at me" interoperability demos and for all the vendors in this space to create some publicly available notion of "reference architecture" above and beyond what exists in Project Liberty?
I believe that there was more than just a "look at me" kind of demo done by Gartner some time ago. But hey! I believe that this would be a great opportunity for me to utilize my resources and contacts to put together a real live network of federated systems that use various disparate systems like sxip, netmesh, shibboleth, Sun Federation Manager and throw a live federated infrastructure out there.

How should we think about SmartCards within our own infrastructure and how it plays with federated identity? I know MS is doing this for their own employees.
I'm surprised that James mentioned MS and forgot all about JavaCards. Mary has one too ;-)

How come pretty much all of the identity bloggers don't support trackback in their blogs? Is it because they haven't yet figured out how to protect their own identity or that of others?
C'mon James, you didn't need Pat to tell you about trackback spam.

Guess we all have a long way to go. But hey!! Here's a thought. While we all think in terms of authenticating user identities, we forget that authenticating devices (device identities) is as critical as user identities. IP addresses and MAC addresses can be spoofed easily. But by embedding a unique security key in a device (something that cannot be spoofed) we could embark on authenticating and authorizing a device prior to letting the device on any network. I liked it when, in the good old days, an IP address was granted to a device AFTER authN was successful. In today's world, regardless of authentication, a device is granted an IP and is placed onto a network. Well, we've made the life of an unauthorized person a lot easier by letting him in. If we could authenticate and authorize devices prior to granting IP addresses or placing devices on a trusted subnet, by using some form of secure key identifier, we'd be closer to being in a more secure environment. I have done some work on this front; but poor me, I'm not a sales guy and am having a hard time selling the thought. Maybe someday.

Sunday Jan 01, 2006

OK... here's my prediction for the new year and the ones to come... Identity Management would be the CORE for WEB 2.0, the next generation Web. Having said that, I thought that it would be good to list a few open source Identity Management products that are out there that one would need to keep a keen eye on...

PS: Do feel free to add to this list by leaving your comments.

  • Sun Interoperability Prototype for Liberty : Interoperability Prototype for Liberty is the first open-source implementation of the Liberty Alliance Version 1.0 specification based on Java technology. IPL consists of sample Java source code libraries, implementing the Liberty version 1.0 specification, and is not designed for commercial deployment. IPL is licensed as open source under the Sun Microsystems Open Source License.
  • SourceID : Open Source Federated Identity Management Liberty Alliance, SAML, and WS-Federation. Royalty free commercial use if used on fewer than 100 computers per company
  • Shibboleth : Shibboleth is developing architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. Key concepts within Shibboleth include: Federated Administration, Access Control Based On Attributes, Active Management of Privacy and used OpenSAML.
  • OpenSAML : OpenSAML is a set of open source Java and C++ libraries that are fully consistent with the SAML 1.0 and 1.1 CR specifications.
  • Yale CAS : The Central Authentication Server (CAS) is designed as a standalone web application. It is currently implemented as several Java servlets and runs through a HTTPS server.
  • Atlassian Seraph : Seraph is a very simple, pluggable J2EE web application security framework.
  • OpenSPML : The toolkit offers an easy-to-use interface for configuring, issuing and interpreting standards-compliant provisioning requests across diverse identity infrastructures.
  • Novell Nsure UDDI Server : Nsure is a UDDI 2.0 registry built on Directory Services technology. It offers a secure access to the registry contents (authentication and authorization), unified account management, and distribution of the registry by leveraging Directory Services. It works with any LDAP(V3) based directory backend.
  • OpenPrivacy : A reference implementation of the Reputation Management Framework (RMF). OpenPrivacy's core project is designed to ease the process of creating community with reputation enhanced pseudonymous entities. The RMF is primarily a set of four interfaces: Nym Manager, Communications Manager, Storage Manager and Reputation Calculation Engine (RCE).
  • NSF Middleware Initiative : NMI-EDIT: Identity and Access Management for Collaborative Applications.
  • jSai : jSai (pronounced "Jay-Say") is iPOV's home grown Servlet Authentication Implementation. jSai is implemented completely using J2SE + Servlet technology; no J2EE "Application Server" needed. jSai supports basic JDBC and XML backed user stores, as well as an LDAP user store. jSai provides developers with the application level security they want and need for small and medium size web applications; avoiding the complex setup in other security implementations that are aimed at large "enterprise" applications.
  • Acegi Security System for Spring : Comprehensive security services for The Spring Framework.
  • Gabriel : Gabriel is a security framework for Java. By using access control lists and permissions, Gabriel enables components to check access to actions. On top of that Gabriel protects methods like EJB does but without the overhead. It distinguishes itself from other frameworks by the ease of use with a small API and by mapping method access to permissions instead of persons. This way the same permissions can be used to protect method access and to check which GUI elements to show based on user permissions.
  • JOSSO : JOSSO, or Java Open Single Sign-On, is an open source J2EE-based SSO infrastructure aimed to provide a solution for centralized platform neutral user authentication. The Pluggable framework allows to implement and combine multiple authentication schemes with credential stores.
  • Kasai : The goal of Kasai is to provide a simple-to-use-yet-powerful security environment for multi-user applications. Unlike JAAS, Kasai provides a much higher security abstraction. Additionally, Kasai includes a very powerful and performing auditing system that records all users activity on a relational database.
  • JPAM : JPAM is a Java-PAM bridge. PAM, or Pluggable Authentication Modules, is a standard security architecture used on Unix, Linux and Mac OS X systems. JPAM permits the use of PAM authentication facilities by Java applications running on those platforms.
  • CAS Generic Handler : CAS Generic Handler is a plugin giving CAS (Central Authentication Service) the ability to authenticate users with different methods (LDAP, database, files, NIS, ...).
  • SunXACML : This project provides complete support for all the mandatory features of XACML as well as a number of optional features. Specifically, there is full support for parsing both policy and request/response documents, determining applicability of policies, and evaluating requests against policies. All of the standard attribute types, functions, and combining algorithms are supported, and there are APIs for adding new functionality as needed. There are also APIs for writing new retrieval mechanisms used for finding things like policies and attributes.
  • Shaj : Shaj (Simple Host Authentication for Java) is a simple library that allows your Java app to verify users with the underlying operating system. Shaj also allows you to check group membership. Shaj is not a competitor for full-featured authentication APIs but rather a complementary way to piggyback on system accounts on any platform. Shaj is used in FishEye for local account authentication, hence it is in use on most flavours of Windows and *NIX.
  • Open Web SSO : The Open Web SSO project provides core identity services to facilitate the implementation of transparent single sign-on as an infrastructure security component. The goal of the Open Web SSO project is to provide an extensible implementation of identity services infrastructure that will facilitate single sign-on for web applications hosted on web and application servers. This project is based on the code base of the Sun Java(tm) System Access Manager product.
  • Cosign : Supports global logout by visiting a link, supports GSSAPI authentication, is written in C, and supports MS ISAPI (IIS), Apache 1.3/2.0, Servlet and Java/J2EE.
Links Courtesy: Carlos E. Perez
UPDATE: another comprehensive list at http://safehaus.org/map/nov05.html. Link Courtesy : Shekhar Jha

UPDATE 2: Shekhar Jha has also compiled a very nice list of Identity & Access Management vendors. Boy!! How could I have missed that one?