Cloud Identity Summit 2011

August 21st, 2011

The cloud conference in the clouds, or at least close to the clouds, took place from 18.-21. July 2011 in Keystone, Rocky Mountains, at an altitude of 2.830m. The conference was organized by Ping Identity, headed by Andre Durand, who put a lot of passion into the conference and into fostering the “identity family”. Many thanks to him, his wife and the Ping crew who made this event possible. Microsoft, Google and Covisint sponsored the event, which started with two days of workshops followed by two days of conference.

The conference offered a good mixture of technically oriented talks, company views and analyst visions. The first thing I noticed was the absence of the “big” IAM software vendors: no visible presence of Oracle, IBM … I am very relieved that other companies are now setting the IAM tone, especially after the disappearance of active players like SUN. These companies are now Ping, Google, Salesforce.com and eBay. I am not sure about the reason for the absence of the big players, but one reason could be that the focus of new trends in identity is shifting more and more to the consumer space. Especially the strong presence and activity of companies like Google, Salesforce.com and others emphasizes that cloud identity is now more and more an API identity topic.

Back to chronology: in the first two days we had to choose between different workshops. Some of them were sponsored by Google; for others an additional fee was charged. The work sessions lasted 3 hours, enough time to dig deeper into cloud identity topics. The workshop titles listed below give an overview of the “hot topics” this year:

  • Cloud Security 101; Gunnar Peterson from Artec
  • OAuth 101; Paul Madsen and Brian Campbell, Ping Identity
  • The essential XACML Primer; Gerry Gebel, Axiomatics
  • OpenID & OpenID Connect; Eric Sachs from Google
  • SAML Single Sign On 101;  John Da Silva, Ping Identity
  • SAML & OAuth with Force.com; Pat Patterson from Salesforce.com
  • Challenges of Consumer Identity in the Cloud; Mike Neuenschwander, Drew Clippard and Matt Randall
  • Windows Azure, Office365 and More; Brian Puhl, Laura Hunter, Vittorio Bertocci from Microsoft
  • Securing & Connecting the Mobile to the Enterprise; Andy Zmolek from LG
  • Integration with the Google Cloud; Eric Sachs, Ryan Boyd and others from Google
  • XACML 3.0 and Hands On Cloud Authz; Doron Grinstein from BITKOO
  • Integrating PingFederate with the Microsoft Ecosystem ADFS/WIF/SP2010; Travis Spencer from Ping Identity
  • The Kantara / OpenID Summit

The conference agenda on days 3 and 4 was made up of keynotes and two separate tracks on different topics. The presentations were all scheduled to last 30 minutes and there was plenty of time to network in the breaks, definitely a plus.

A very interesting presentation was held by Farhang Kassaei of eBay, talking on the “Role of Identity in eCommerce”. He tried to answer the question about the nature of a commercial identity and a commercial IDP, and how they differ from a social network identity and a social network IDP. Another question he asked was whether one IDP can cover the whole range of identities. His answers described identity from the viewpoint of a merchant: “Identity = Customer”, and identity management is not about SSO but about easy onboarding, personalization, transactions, less risk and more security. Of importance to the merchant's customer are: convenience, value, privacy control, less risk and more security. He pointed out that there is real business value for merchants in having a (customer) attribute provider that dynamically supplies relevant information about a buyer (e.g. how many merchants have shipped to the address of the buyer without complaints in the last 6 months), or an IDP that offers methods and techniques to determine that two identities are the same person (entity resolution), which is very important for detecting fraud.

Paul Madsen’s presentation on synergies, “You got SAML on my OAuth”, demonstrated how much the portfolio of standards is interrelated and how the standards play together:

  • SCIM + SAML: SAML binding for SCIM. SCIM can be used for just-in-time provisioning through an SSO assertion which carries SCIM attributes, or, more simply, via the API right before SSO.
  • SCIM + OAuth: OAuth can be used to secure SCIM API calls. SCIM can be used to provision accounts for subsequent OAuth-based mobile access.
  • SAML + OAuth: Hybrids like an OAuth token carried in SAML SSO messages, or an assertion profile that uses SAML assertions within the OAuth flow.
  • SAML + OAuth + JWT: Use a SAML assertion or a JWT (pronounced “joot”) for OAuth client authentication or as an OAuth grant type.
  • OpenID + JWT + OAuth: OpenID Connect adds an identity layer on top of OAuth 2 and stipulates the use of JWT for identity tokens.
  • UMA + OAuth: User Managed Access extends OAuth 2 to manage access to distributed resources through a centralized Authorization Manager.
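The “assertion as OAuth grant type” combination from the list above is easy to misread as “just send a token”; what makes it safe is the set of checks the authorization server performs before it trades the assertion for an access token. The following Python script is an added example, not code from the talk or from any of the projects named on this page. It plays both sides of a JWT bearer grant (the grant type URN `urn:ietf:params:oauth:grant-type:jwt-bearer` comes from the OAuth JWT bearer assertion specification; the SAML variant works the same way with a SAML assertion and its own URN): the client mints a short-lived JWT whose issuer and subject are its client id and whose audience is the token endpoint, and the authorization server verifies algorithm, signature, issuer, audience and expiry before issuing a token. HS256 with a pre-shared key is used so the example runs on the standard library alone; the client id, key, endpoint URL and the way the access token is derived are all constructed for illustration.

```python
"""Added example: JWT bearer assertion used as an OAuth 2 grant, both the client
side (mint assertion, build token request) and the authorization server side
(validate assertion, issue token). Stdlib only; all names and keys constructed."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Grant type URN defined by the OAuth JWT bearer assertion specification.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed sample registration: one client with a pre-shared HMAC key.
TOKEN_ENDPOINT = "https://as.example/token"
CLIENT_KEYS = {"scim-client": b"constructed-shared-secret-for-demo-only"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(client_id: str, key: bytes, now: float, lifetime: int = 300) -> str:
    """Client side: mint the JWT (iss/sub = client id, aud = token endpoint, short exp)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": TOKEN_ENDPOINT,
        "exp": int(now) + lifetime,
        "jti": f"id-{int(now)}",  # constructed; a real client uses a random unique id
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def build_token_request(assertion: str, scope: str) -> str:
    """Client side: the form body POSTed to the token endpoint."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})


def verify_assertion(token: str, now: float) -> dict:
    """AS side: algorithm, signature, issuer, audience and expiry checks. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")  # refuses 'none' and algorithm substitution
    claims = json.loads(_b64url_decode(body))
    key = CLIENT_KEYS.get(claims.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("wrong audience")  # minted for some other server; do not accept
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("assertion expired")
    return claims


def token_endpoint(form_body: str, now: float) -> dict:
    """AS side: handle the POST; returns a token response or an OAuth-style error dict."""
    form = {k: v[0] for k, v in parse_qs(form_body, strict_parsing=True).items()}
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        claims = verify_assertion(form.get("assertion", ""), now)
    except ValueError as exc:  # covers JSON and base64 decoding errors as well
        return {"error": "invalid_grant", "error_description": str(exc)}
    # Constructed opaque access token: a hash tied to client, scope and issue time.
    raw = f"{claims['sub']}|{form.get('scope', '')}|{int(now)}".encode()
    return {
        "access_token": hashlib.sha256(raw).hexdigest(),
        "token_type": "bearer",
        "expires_in": 3600,
        "scope": form.get("scope", ""),
        "client_id": claims["sub"],
    }


if __name__ == "__main__":
    now = time.time()
    assertion = make_assertion("scim-client", CLIENT_KEYS["scim-client"], now)
    print(token_endpoint(build_token_request(assertion, "scim.read"), now))
```

The audience and expiry checks are the ones most often skipped in home-grown implementations; without them an assertion issued for one server can be replayed against another, and a leaked assertion stays usable indefinitely. In production the shared HMAC key would be replaced by the client's registered public key (RS256 or similar), and the `jti` would be stored to reject replays within the assertion's lifetime.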

Eric Sachs of Google, in “Time to Eliminate Passwords”, emphasized the user experience aspect, which is still in its infancy. Signing in to web applications in the majority of cases means typing in the user name (likely the long email address). Tedious compared to what we are used to in operating system logins (think of the Windows 7, Mac or Chrome OS login screen). Google launched the Account Chooser project: https://sites.google.com/site/gitooldocs/experiment—account-chooser which tries to bring the OS login user experience to the web. Web sites that want to adopt Account Chooser will find implementation help in the Google Identity Toolkit (GITKit).

John Shewchuk of Microsoft presented his company’s view on Federated IT and Identity: Office 365 was launched in June in 40 markets and 20 languages, and already 50.000+ organizations signed up in the first two weeks. Office 365 leverages Azure’s infrastructure capabilities and enables managed and federated identities. Directories are a critical enabler for federated IT, but existing standards need to be modernized. The programmable directory principles need to model not only identity but also federation of data, authentication and authorization. For more information take a look at OData and the Facebook graph.

These are just a few randomly chosen samples of the presentations. The many interesting presentations at the summit could fill the whole SSOCircle blog. If you are looking for more information on the presentations given, go to the Cloud Identity Summit web page http://www.cloudidentitysummit.com/Presentations-2011.cfm.

Bookmark summary:

  • www.simplecloud.info
  • oauthssodemo.appspot.com
  • account-chooser.appspot.com
  • Account Chooser Experiment
  • login-helper.appspot.com
  • www.odata.org
  • graph.facebook.com
  • openidsamplestore.com

P.S. The next Cloud Identity Summit will be held in Vail, Colorado on 16.-19. July 2012.
