SSOCircle

European Identity Conference 2009

Listed in reverse chronological ordering and with focus on SSO, federation and authorization topics.

My conclusions:

A very well organized conference from Kuppinger Cole and partners. Many distinct persons attended, presented and discussed in panel sessions. Visiting the conference is a must as it is the leading identity conference in Europe. Many thanks to Kuppinger Cole for organizing it.

After returning home my personal impression this morning is that I had been traveling to Babylon. I heard many people speaking about GRC ( governance, risk, compliance ), claims and attributes, authorization and externalization of authorization decisions, RBAC and ABAC and XACML, not to mention DABBOPDS (differentiated app behavior based on permission data sharing). Is this the way to go ? In most of the keynotes I visited on GRC the presenters were giving their best to answer what GRC is, especially in the context of IAM. Have we seen a satisfying answer ? In the presentations on Geneva it was always necessary to clarify what “claims” are and how claims differ from attributes, if they differ at all. I noted the best definitions I heard:

I guess we are somehow away from mutual understanding. I’ll be with Tim Cole’s ruminative closing note where he asked: how can the identity challenges be solved for the cloud if today there are so many unanswered questions in the “small” enterprise world. Elaborating it a little bit more, I would say we are giving ourselves a hard fight, if we will not come to a more simple and clear approach. I guess simplicity is key, more then ever.

Looking in more detail on the SSO and federation field. When we started SSOCircle in 2006 we were convinced that the federation protocols finally converged into SAML 2.0 and that it is just a matter of time for the mainstream breakthrough. Basically SSOCircle has always had the ambitious goal to help accelerating the take-off process. Reflecting the last three years we saw OpenID sky rocketing from scratch which had good reasons: simplicity. With OpenID 2.0 we notice this advantage going away and becoming even more complicated as SAML. Now we are facing interesting times with the coming Geneva server which plugs into Active Directory pushing the infocard technology and with Microsoft getting collaborative supporting SAML 2.0. Considering the market share of Active Directory and the very pragmatic approach of Microsoft which keeps a lot of problems unsolved for the moment (thinking of the missing solution of storing infocards for roaming users or that there is no way of combining claims from different infocards) there is a good chance for success. I am comparing this to the discussions around https and shttp protocols in the mid 1990s. Were many people had many reasons that shttp is the better solution for securing web traffic but Netscape pushes https through due to their browser market share at that time and the simplicity http over SSL had and still has. Without https the commercial internet would not be where we are now. I am curious to see the impact the release of Geneva will have. RTM is expected for the second half of 2009. Maybe the European Conference 2010 will be the right moment to make up an early benchmark.

Now you’ll find some comments on some of the sessions I have visited in reverse chronological ordering:

day 4: workshop day

Friday was dedicated to workshops on serveral topics. One of them was on XACML held by Bakak Sadighi and Ludwig Seitz from Axiomatics. A very didactically structured training that started with an introduction on access control lists, capability lists, group based, role based and attribute based access control. Sadighi pointed out the difference between role and group based authentication is “role activation” which means that you can dynamically decide to act in a specific role. They then further dig into the XACML 2.0 standard and the additions XACML 3.0 (currently in draft) will bring, basically the concept of hierarchical administrative policies that help leverage administrative delegation.

day 3

Dipping into the world of Identity Systems and Claims: Vittorio Bertocci from Microsoft, answered the question of the definition of “claims” with: A claim is the answer to a question somebody would ask you to allow you access to a specific task. It can be a privilege or a simple attribute. Ariel Gordon, Microsoft, detailed that after asking him for the difference of a claim and a attribute. He said a claim is a rated attribute. In a presentation of Liam Lynch and Upendra Mardikar described the shift from identity 1.0 to identity 2.0 where in their understanding behavioral checks and reputation play a major role in authentication and authorization. He mentioned that Ebay has to evaluate 20 TByte of logfile a day to do risk analyzes. A “real time” behavioural analyses might ease this problem. He is motivating to participate in cloud security efforts that you can find in cloudsecurity.org.

A panel session moderated by Dave Kearns discussed the topic of authentication beyond passwords: tokens, biometrics and others. These methods have all their pros and cons. From case to case one has to decide on what the value of the protected resource is to justify the method used. A good way would be to have a single sign on solution protected by strong authentication to limit the number of tokens used and to reduce the overall costs, Jackson Shaw of Quest Software mentioned. By the way this is one idea behind SSOCircle. You can find authentication methods from user name/password, X.509 certificates in software or hardware tokens, OTP tokens, Swekey’s and soon the award winning Yubikey. The topic leads to the next panel on context based authentication where Dave Kearns was asking the 6W+1H question of who, what, when, where, which, how and why that may have influence on the decision of authorizing access. As the first six may be answered by technical means there is still the question of why a user is doing a specific action. Another proof that the big questions of IAM cannot only be answered by technical means.

In Tim Cole’s closing note he asked the question: how can the identity challenges be solved in the upcoming cloudy IT be solved if today there are so many unanswered questions in the “small” enterprise world. He is asking who will be the Google in identity context. Google ? A little pity that Google wasn’t present and demonstrated their vision of cloud identity. We are all looking forward to find answers to the open questions. A great conference. Well done Kuppinger Cole & Partners.

day 2

Felix Gaethgens gave an overview on the mess of authorizations and entitlement management today which starts at role based authorization (RBAC) to Attribute based authorization (ABAC) in which XACML ist the most prominent representative. His presentation was the foundation for the succeeding talk and a very interesting panel discussion. It was emphasized that the role based model is to coarse to be applied to all business rules, one example was given: an employee of an insurance company who is also a customer became ill and a colleague of her sitting next in the same office had access to their medical record in her business role as insurance consultant). Their is a need to take context into account to decide whether a person should be authorized to a particular action. This is what leads to a very fine coarse definition of elementary claims/attributes and not to the definitions of uncountable roles by combining all variants of claims to new roles. Another eye-catching aspect is the externalization of entitlement management from within an application to a central system. This is a point all speakers agreed but obviously such an architecture brings up the questions of performance. How can an application performantly work if for a single task the application has to request hundreds of attributes and policies ? This is where things become unclear and unsolved. The same applies to the question how XACML can solve the problem, as it is a policy language but doesn’t solve how to access the policies. There need to be different solutions according to the problem and the audience. There should be a solution for simple internet based web2.0 applications in a very simple say restful way and there must be more sophisticated solutions for environments like financial industries etc. APIs are definitively not the preferred way here. But all participants agreed to that there would be at least an improvement if all vendors would work together and put their applications on the same foundation of a policy language like XACML. Seems like a simple obvious first step. But in reality it seems to be a difficult one.

In his presentation of real life federation deployments Chris Harvison from Scotiabank explained the difficulties they faced on utilizing federation in the Canadian banking sector and how difficult it is to convince service providers to implement federation protocols as these companies do not see this as their core business. He mentioned that only an agreement between the Canadian banks (fortunately there are only 4 chartered banks) finally forced the service providers to do so. The same applies to an effort withing the German automotive industry where companies formed the SESAM project as Wofgang Jodl, BMW, mentioned in his session. Harvision also mentioned how the virtual federation concept of OpenSSO and the Fedlet eased there efforts. Daniel Raskin added that the Fedlet is supported through OpenSSO enterprise support. So if a company with support contract gives out the Fedlet to a partner, the partner can call Sun and receives support. By the way: a SSOCircle Fedlet is soon downloadable from our download site. Beside our CGI and lightbulb samples this is another way to easily integrate with SSOCircle.

Joost van Dijk gave another presentation of a successful deployment: the SURFfederatie project. A Federation service for the Dutch Higher Education. As they formerly developed their own federation protocol A-Select and they didn’t want to limit the federation to a single protocol, they deployed a federation protocol gateway based on Ping Federate. They provide their offering as “identity as a service” which leads to the next panel session on IaaS. Up to this point I was missing participants of Ping. Last year Andre Durand and Patrick Harding were attending but I remember Andre Durand’s words when he was asked how Ping as a niche vendor could survive between all these big players like IBM, Sun, Novell and Oracle, he answered: we will see whether we are still here in 2-3 years. With contentment I noticed Marc LLerandi from Ping Identity was taken part in the IaaS panel session. Actually IaaS is something SSOCircle is pushing since more than a year by introducing IDPee, a hosted IDP. The advantages are obvious: leave the complexity of operating and managing an identity provider to specialized providers and save money and hassle. We will see how this business evolves when people get used of the idea to outsource there identity management. Good luck to all these pioneers.

European Identity Award winners:

day 1

Tuesday morning I am faced with two problems: a long 4 hours drive from Frankfurt to Munich early in the moring and then, after arrival, the decision where to go at the conference. For the first point it might appeal to Kuppinger Cole to change the conference location to Frankfurt. The latter is certainly nothing I can blame Kuppinger Cole for an excellent conference program with many choices.

At the OpenSSO community meeting Daniel Raskin is showing the OpenSSO roadmap. He is emphasizing that OpenSSO is the software that manages enterprise SSO, federation and web services security with one product. This sounds like a message to Oracle and its bundle of point products. But no word on the future of OpenSSO under Oracle’s flag. I guess nobody can say something about the way Oracle is going – or did I miss it ?

OpenSSO is now at express build 7 which brings a new configuration wizard for Google Apps on the task panel of the administration GUI. The task panel is something which will be extended in the next releases. Raskin is mentioning wizards to configure Salesforce.com and SugarCRM. In progress of development are improvements for a better entitlements management. Although OpenSSO has XACML request/response, PDP and PEP functionality it lacks an intuitive management GUI and a scalable policy engine. In one of the next builds a new authentication module will provide one time passwords without the need of a hardware token. OpenSSO will generate OTP through OATH and send out the password by SMS to your mobile. This sounds cheap, but keep in mind that you either will need hardware to send SMS or adopt the module to use an API of a SMS provider. Further development work is done on OAUTH integration into OpenSSO.