Superpatterns

Although I don't have a technical session this year, I will be up at JavaOne tomorrow, presenting "Identity and Web Services: A Marriage Made in Heaven?" with my good friend, the Wizard of IdM, Don Bowen, at 1:05pm in the Pavilion Theater. We'll spend about 20 minutes exploring the different ways that identity and web services impact each other. If you've heard Don on the Sun IdM podcasts, you know this'll be fun

UPDATE - here are the slides [PDF].

• Liberty is serious about clients
  MWD on the Liberty Alliance's Advanced Client specifications - nice analysis that dispels some misconceptions about Liberty
  (tags: macehiterwarddutton libertyalliance advancedclient identity)
• OpenSSO on Glassfish Cheatsheet
  Angelo Joseph on getting OpenSSO up and running on Glassfish. I read this expecting some special tips and tricks on getting it working, but there are none - just 3 simple steps, which is great, because it means we're doing our job properly
  (tags: angelojoseph opensso glassfish cheatsheet)
• Using OpenDS as a user data store for OpenSSO
  Another great blog entry on going that little bit off the OpenSSO beaten track from our QA Manager, Indira Thangasamy. This time Indira explains how to store OpenSSO's users in OpenDS.
  (tags: opends opensso indirathangasamy)

The fabulous Bianca Botello (our Marketing Programs Manager for identity management - if you've marvelled at Sun's hospitality suites at the Burton Catalyst conference then you've seen Bianca's work) is now blogging at Identity Management Buzz. Get all the latest news on Sun's identity management user group meetings, our latest identity management podcast and even Rainn Wilson ('The Office's Dwight Schrute) hosting Saturday Night Live.

(In case you're wondering about the bag image - Bianca is a huge LV fan )

I just uploaded the slides from my RSA Conference presentation last week: Federated SOA: Harmonizing ID Security and Web Services.

A few words of explanation on the opening slides... Sara Gates was originally booked to present in this slot. As you almost certainly already know, Sara left Sun a little while ago, and I inherited her slot. So, my opening gimmick was to introduce myself as Sara and then say "Of course, I'm not Sara, you can see and hear that, but how could a Web service tell the difference?". It was spoilt a little on the day by the RSA Conference announcer introducing me as Pat Patterson, but I made the point that if I had tried to introduce myself as Sara...

Anyway, in the presentation, I start from the position of unprotected web service interactions, working through transport-layer security via TLS/SSL to point-to-point message-layer security to Liberty Alliance's Identity Web Service Framework (ID-WSF), pointing out the different properties of each level. The session was recorded - I'm not sure if the recording will be publicly available, but, if so, I'll update this entry with a URL when it goes online.

There's a lot of buzz around 'user-centric identity' right now - the notion of involving users in the management of their personal information and its use, rather than leaving it to some enterprise or other organization. The folks at the Liberty Alliance have written a whitepaper entitled 'Personal Identity' that shows how Liberty's Identity Federation Framework (ID-FF) and its successor SAML 2.0 can be used to implement user-centric identity - for example, a user providing their own identity services via a Liberty-enabled device such as a cellphone. It's a good read - it starts from the basics, so you should be able to follow it even if you're new to Liberty and SAML.

On the same topic, John Kemp of Nokia and my esteemed colleague Hubert Le Van Gong will be presenting a webcast on April 12 2006 at 8am Pacific. PLEASE NOTE: Registration is required and limited to the first 100 respondents! The last webcast on the Liberty People Service 'sold out' very quickly, so get in there straight away if you're interested. If you're too late, don't despair - the webcast will be available in archive form after the event. I'll update this entry with the URL once it's online.

To register for the webcast, follow these steps.

1. Go to http://projectliberty.webex.com
2. Under the heading Attend a Meeting, click Register
3. Search for centric
4. Select User Centric Identity: Success Today and click on the Register Button. (Don't bother clicking on the link - it doesn't lead anywhere useful!)
5. Fill out the required information and click Register Now at the bottom of the page.

Please email Tricia DeHart of the Liberty Alliance Project with any questions.

One of the upsides of transatlantic flight is that you get a chance to catch up on your reading. I'm in Rome this week for a Liberty Alliance Project plenary meeting, so I had about 12 hours airtime to read Digital Identity, by Phillip Windley. Windley blogs on identity management, and the cover blurb tells us that he was CTO of iMall Inc., VP of product development for Excite@Home and CIO in Governor Michael Leavitt's administration in Utah. Windley is now an Associate Professor of Computer Science at Brigham Young University.

Windley writes authoritatively and lucidly on the 'big picture' issues of identity management, although the book is marred by numerous distracting typographical errors ('security breeches' – now where can I buy me some of those???).

Digital Identity's 226 pages can be divided into two sections. The first 12 chapters present an overview of digital identity and identity management. This part of the book is somewhat of a mixed bag. Chapter 9, on 'Names and Directories' is as good an introduction to the topic as I have seen anywhere. Windley explains why naming is critical, what a directory is and, perhaps most importantly, why it is different from a general purpose relational database. He even covers aggregation of identity data into metadirectories and virtual directories, giving the reader an understanding of the trade offs inherent between the two approaches. Similarly, I was delighted to read chapter 12 on 'Federating Identity'. Starting from the 'Mirage of Centralized Efficiency', Windley uses an analogy to the evolution of the Visa credit card system to show how digital identity is evolving through four phases:

Unfortunately, when it comes down to technical details, Windley is less sure-footed. Chapter 6 – 'Integrity, Non-Repudiation and Confidentiality' is very muddled on the topic of serializing digital certificates, claiming “The certificate, being a data structure, is binary data”, then going on to explain how the Distinguished Encoding Rules (DER) allow certificates to be serialized into a string of octets. Well, binary data is a string of octets. In fact, digital certificates in the X.509 standard are abstract data structures expressed using Abstract Syntax Notation 1 (ASN.1). It is from this abstract representation that DER gives us an unambiguous binary encoding.

Similarly, in Chapter 11, Windley's otherwise excellent coverage of SAML is let down by his reference to 'SAML authentication assertions', 'SAML attribute assertions' and 'SAML authorization assertions' as three distinct assertion types. In fact, there is only one kind of SAML Assertion, which may contain one or more statements. Each statement may be an authentication statement, an attribute statement or an authorization statement, so, crucially, a SAML authority can tell you that Alice was authenticated with a smartcard, she is in the engineering department and that she is allowed to read the file at http://foo.com/bar all in the same assertion. Windley then goes on to describe the web browser single sign-on use case of SAML in terms of the 'pull profile' and 'push profile'. These are nicely descriptive names, but would be confusing for a reader who then turned to the SAML 1.1 Bindings and Profiles Specification and found the definition of the 'browser/artifact' and 'browser/POST' profiles (renamed to 'HTTP artifact' and 'HTTP POST' bindings in SAML 2.0).

The following 8 chapters present Windley's approach to creating an 'identity management architecture' (IMA), which he describes as

"[...] a coherent set of standards, policies, certifications and management activities [...] aimed at providing a context for implementing a digital identity infrastructure that meets the current goals and objectives of the business, and is capable of evolving to meet future goals and objectives."

Here, Windley writes from his experience as a CTO and CIO, presenting a realistic approach to creating an IMA with the emphasis on iterative processes – limiting the initial effort if necessary and using feedback to improve the architecture rather than trying to create the perfect architecture in one 'big bang'. Working from a foundation of establishing governance for identity management, Windley covers business modelling (what's out there, rather than what should be!), documenting processes, analyzing identity data, creating an interoperability framework, building a policy stack and, finally, creating the reference architecture for the enterprise and then individual systems. Along the way, we are introduced to an 'Identity Maturity Model' – uncomfortable reading if you recognize aspects of your organization's identity management practice in the 'ad hoc' Level 1. Throughout, Windley focuses on building consensus throughout the organization on the business benefits of an IMA, rather than the imposition of rules from the IT department – a recipe for avoidance and non-compliance.

Overall, I would recommend this book to enterprise architects looking to build your own identity management architecture. If you can look past the typos, and refer to source material for the technical minutiae, you will find a valuable approach to deciding what 'best practice' for your organization, and moving towards it. A corrected second edition could become 'the' introductory text to identity management in the enterprise.

One question that I'm often asked by customers is "How is Sun using the Liberty Alliance Project specifications?". Well, my stock answer is 'BIPAC'. The Business Industry Political Action Committee provides expert policy analysis, research and communications on campaigns and elections, and fosters business participation in the political process. Sun employees can access political information on the BIPAC website - who their elected representatives are, their voting record etc.

Now, this is obviously sensitive stuff, with huge implications for privacy. The 'old way' of accessing BIPAC would have involved a regular batch process to synchronize identity information from Sun to BIPAC; Sun employees would authenticate at BIPAC with their Sun ID and a BIPAC-specific password. In this old model, BIPAC would know exactly who I was and would be able to build a profile of my activity on the site. Not only that, I'd have another password to write on a post-it note and stick to my monitor remember.

The 'new way' of accessing BIPAC authenticates employees at Sun (using Sun Java System Access Manager) and uses Liberty ID-FF to give employees single sign-on to BIPAC. Now - here's the clever bit - no personal information is transmitted in the single sign-on process. BIPAC have no idea who I am - all they know is that I am an authenticated Sun employee. BIPAC can then use ID-WSF to retrieve a strictly limited set of attributes, including my zip code. So now, all Sun know is that I am a Sun employee in 90210 (well, I can dream). They have everything they need to tell me who my elected representatives are at every level up to Dubya, but no more. They don't know who I am, since they don't need to know who I am. This document gives some more detail on the deployment. Here I am demonstrating the system at a Liberty eGovernment Forum last year in Dublin:

Looking at the wider context, this was an ideal first deployment of Liberty for Sun. A real need for Liberty's privacy features combined with low risk - BIPAC is a valuable service, but not critical to Sun's core business. Watch this space for news as we roll Liberty and SAML out across Sun's other business partners, and, if you're at the RSA Conference next month, be sure to catch Sun's Yvonne Wilson at IMP-101 'Implementing Federated Identity: What Products Do You Need?'. Yvonne is an architect in Sun IT and will be covering our BIPAC integration in her presentation.