Superpatterns

Welcome, Microsoft, to the World of SAML 2.0
[ microsoft saml ]

This is a blog entry I've been wanting to write for a LONG time... At the Professional Developers Conference today, Microsoft announced that 'Geneva', their forthcoming identity platform (part of which is the successor to Active Directory Federation Services), will not only support SAML 2.0 as a token format, but also as a single sign-on protocol. The Federation Wars are over!!!

Lots more to read on the subject:

• Don Schmidt: Microsoft “Geneva” Server Supports SAML 2.0
• Mike Jones: Next News from the PDC: SAML 2.0 Protocol Support in “Geneva” Server
• Network World: Microsoft to unveil tools to push identity platform into the cloud

Me, I'm looking forward to testing OpenSSO with Geneva. We live in interesting times indeed

links for 2008-09-26
[ federation google identity identitymanager idm microsoft provisioning resourceadapter sun warrenstrange ]

• A kinder, gentler federation agreement
  Via James McGovern - BPuhl, an AD engineer in Microsoft's IT department describes one federation partner's approach to information gathering
  (tags: microsoft identity federation)
• A Sun Identity Manger Resource Adapter for Google Apps
  Warren Strange has written a custom resource adapter for Sun Java System Identity Manager, using the Google Provisioning API to manage Google Apps accounts.
  (tags: identity google identitymanager sun idm provisioning resourceadapter)

links for 2008-05-17
[ ad analysis authentication bbc bigadmin fedora gartner identity infrastructure kerberos ldap linux microsoft opensource opensso solaris solaris10 sun t1000 t2000 ubuntu windows xtech ]

• Linux shop adds Solaris for performance boost
  Wow - "[...] it turned out that Solaris 10 had a throughput that was 50 times better."
  (tags: fedora linux solaris solaris10 sun t1000 t2000 ubuntu)
• Open Source at Sun Microsystems, 2008
  Gartner Analysis. Synopsis: Open source at Sun Microsystems is strong, and Gartner expects an increasing role for open source within its business strategies in coming years.
  (tags: analysis gartner opensource sun)
• BigAdmin Feature Article: Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory
  This document describes configuration of a Solaris client to use Microsoft Windows Server 2003 R2 Enterprise Edition (Active Directory) for authentication and naming services.
  (tags: ad authentication bigadmin kerberos ldap microsoft solaris solaris10 sun windows)
• XTech 2008 - BBC Tech Refresh and Identity - Brendan Quinn And Ben Smith » SlideShare
  Presentation from XTech 2008 in Dublin, about the BBC's plans to reinvigorate its technical platform and to create new user management services. Slides 38 and 39 are my favourites :-)
  (tags: bbc identity infrastructure opensso xtech)

links for 2008-04-18
[ andreassolberg feide microsoft saml sp1 video vista ]

• Simplified Web Browser Single Sign-On and Sign-Out Profile for SAML 2.0 | Feide RnD
  Cool stuff - a sensible subset of SAML 2.0 making it easier to grok. Does Andreas ever sleep???
  (tags: andreassolberg feide saml)
• YouTube - Stupid Internal Microsoft Vista SP1 Video
  Even allowing for the fact that this MUST have been made in a knowing, ironic frame of mind, it's super-lame.
  (tags: microsoft sp1 video vista)

links for 2008-03-20
[ adfs federation microsoft specifications sso ws-federation ]

• Microsoft Web Browser Federated Sign-On Protocol Specification
  ADFS' profile of WS-Federation - if you're working on interop with ADFS, this is probably the most important document in the world.
  (tags: adfs ws-federation microsoft specifications federation sso)

Credentica U-Prove Acquired by Microsoft - Zero Knowledge Proofs For All?
[ credentica microsoft stefanbrands zeroknowledge ]

Across the wires this morning comes news from Kim and Stefan that Microsoft has acquired Credentica's U-Prove technology and the services of Stefan and his Credentica colleagues. I'm curious as to why the news isn't simply 'Microsoft acquires Credentica', but business is sometimes like that, I guess.

Anyway, congratulations to Stefan and co! I've been following their technology for a few years now (I even worked my way through Stefan's book - well, most of it - some of the formal proofs were a little beyond my mathematical abilities) and have met Stefan and Greg a couple of times - super guys, cool technology - it will be great to see it get wider exposure.

links for 2007-07-10
[ microsoft photosynth seadragon ted ]

• Microsoft Live Labs - Photosynth at TED Conference
  Microsoft Live Labs Architect, Blaise Aguera y Arcas demonstrating Seadragon and Photosynth at the TED (Technology, Entertainment, Design) Conference in Monterey, CA. Very very cool demo!
  (tags: ted microsoft seadragon photosynth)

Sun and Microsoft Interoperate for Web Authentication, Part 1
[ accessmanager iis interop microsoft sdn sun ]

In between all the talk of federation, PHP and web services, we sometimes lose sight of the fact that bread-and-butter single sign-on and access control still has huge value in improving both security and the user experience. Over at the Sun Developer Network, Marina Sum and I just published an article - Sun and Microsoft Interoperate for Web Authentication, Part 1 - focusing on how Sun Java System Access Manager and its policy agents integrate with Microsoft IIS to provide both single sign-on and access control - right down to Windows ACLs on files on disk.

As the article mentions, some functionality (specifically, the basic authentication plugin - from the 'Configuration of the Policy Agent for HTTP Basic Authentication' heading to the end - sorry, there is no handy name anchor in there to link to) will be released in AM Policy Agent for IIS 2.2-Hotpatch6 sometime in the next few weeks. I'll post here as soon as this is available; at that point you will be able to work through the entire article. In the meantime, much of it works with the current policy agent, so you can get started straight away.

Sun/Microsoft Press Conference
[ accessmanager adfs federation microsoft pressconference sso ]
Well - it's done. I've been involved in the web single sign-on interoperability work with Microsoft since the beginning of the year - four and a half months of painstaking specification work, designing a demo, going on vacation while the real engineers built the demo (BIG kudos to Emily for the protocol work and Lauren for the web pages on our side, Ryan on the MS side - the demo worked flawlessly and looked great!) then a final flurry of work on the demo script and rehearsals for the big day.
Watch the webcast - I'm presenting the demo with Don Schmidt of Microsoft. There's a press release (if that's your sort of thing) and a factsheet. The actual specs are online at Sun and Microsoft. I'm not going to repeat any of that here. I will say that it is somewhat nerve-wracking giving a live presentation just 6 feet from Steve Ballmer and Scott McNealy! AND - there is no truth in the rumour that I am Steve Ballmer's 'good twin'...
I've read blogs and comments that represent this as Sun moving from open to proprietary standards. This is emphatically not the case. The big news, as I see it, is that customers now have a way to implement SSO with the upcoming Active Directory Federation Services that would otherwise not exist. These specifications are published and will be submitted to a standards process, so other identity management vendors can implement them or not as they see fit.