User attributes in the SAML assertion

English on November 30th, 2012

It is nothing really new, but it was a missing feature in the administration GUI of our Public IDP: configuring which user profile attributes are sent as an AttributeStatement in a SAML assertion.
The feature has always been there, but administrators had to open a service request to have the attributes configured. Now you can select which attributes to insert while importing the Service Provider metadata. Release only the attributes a given service provider actually needs: everything in the statement becomes visible to that provider. A sample is shown in the screen shot below:


Impressions from European Identity Conference 2012

English on April 25th, 2012

This year’s European Identity & Cloud Conference took place from 17 to 20 April, with the last day being a workshop day to deepen some of the topics. The event is one of the most important IAM meetings in the world and continues to increase its impact. Almost 600 visitors from all over the world and 40 exhibitors amounted to 35% growth. As every year, the vendor landscape showed some dynamics: NetIQ acquiring Novell’s IAM business, ATOS taking over Siemens IT Solutions and Services (DirX), new rising stars appearing like ForgeRock, Symplified and The Dot Net Factory to name a few, Ping Identity expanding its presence, and big companies like VMware participating for the first time.

The most discussed new topics this year were “The Open API Economy” and “Life Management Platforms” (Personal Cloud).
API economy: most presenters agreed that open APIs are important to businesses today, as they bring new business opportunities and allow cloud users to orchestrate their applications into mashups delivering the service the business really needs. For some companies it will even be crucial to provide APIs to stay in business. In Andre Durand’s words: “A business without a cloud API is like a door without a doorknob”.
Life Management Platforms provide more than a personal data store. They answer people’s need to share data in a very controlled and secure way. An example mentioned was the insurance contract number that must be accessible from abroad in case of a car accident. These platforms follow a minimum disclosure approach, totally different from that of social networks à la Facebook as we know them today (remember: as soon as you have entered your information, the data belongs to Facebook). Life Management Platforms are expected to replace the existing social networks in a 10 to 15 year time frame.

For me one of the main take-aways of the conference is that identity and information security now really matter. They have finally arrived on the agenda of the boards.

As usual the conference started with a set of pre-conferences on Tuesday morning: the Kantara Initiative Summit, OASIS and ISACA workshops, and the OpenID community reviewing the status of OpenID Connect, OAuth 2.0 and Account Chooser.

The actual conference began in the afternoon with Martin Kuppinger’s keynote. The KuppingerCole team itself changed, with Craig Burton, Fulup Ar Foll and Alexei Balaganski joining as analysts and Tim Cole stepping back for health reasons. In the absence of the charming, entertaining Cole, the moderator’s task was taken over by Nigel Cameron, who brought a more rigid timeliness to the conference schedule.

The IAM world today is not characterized by fundamentally new aspects but undergoes a more evolutionary development. In his keynote Kuppinger described these changes as a development process from manufacturing to industrialization, which manifests itself in the need of IT departments to meet changing requirements. IT departments feel that they now must compete against external (cloud) offerings. This is similar to the pressure known from outsourcing considerations, but with cloud computing becoming more prevalent the rivalry is more tangible. Kuppinger describes the new demand in his “IT Paradigm”, a standardized model for building future IT. The paradigm illustrates how IT departments can provide the services the business really wants while enforcing information security, mitigating risks and being compliant through an enterprise-wide governance approach.

According to KuppingerCole the trends for 2012 are:

  • Data Loss Prevention, which will be the number one topic for IT departments
  • BYOD (Bring Your Own Device) will continue to be an issue in 2012
  • Cloud computing standards like SCIM (Simple Cloud Identity Management) need to be supported by providers as cloud users’ demand for standards increases; standards for authorization and auditing in the cloud are still missing
  • IAM will move to the cloud more than ever before
  • Continued breaches of trust providers, which will not be limited to digital certificate authorities
  • GRC, data governance and data loss prevention will merge as businesses realize that DLP includes data loss mitigation (what to do when things have happened)
  • Ubiquitous encryption will become a hot topic (encryption of all data everywhere)
  • Companies will start to redefine their IAM infrastructure to become future-proof
  • All mobile platforms will remain under attack in all forms
  • Regulatory pressure is still pushing IAM and GRC

In the remainder of the first day the agenda’s tough schedule provided a number of keynotes (9 keynotes without a break …) which brought the known and highly valued mixture of business and academic thought leaders as well as keynotes by sponsoring vendors. Speakers, some of them known from previous years, presented their viewpoints and vision. Emilio Mordini postulated “the new gold is identity”; Reinhard Posch reported on eID projects and their challenges, especially in cross-border usage (see STORK https://www.eid-stork.eu); Kim Cameron (“through a series of bizarre events and the fact that it is hard to retire” he returned to Microsoft) stated that the new cloud requires a new identity model. IDMaaS (Identity Management as a Service) is needed to assemble claims from multiple sources, and organizations will selectively expose their directories to other applications. “The cloud motor runs on identity”, he said. Supporting concepts: Microsoft U-Prove https://connect.microsoft.com/site1188 (remark: and IBM Idemix http://www.zurich.ibm.com/idemix/details.html). Speakers from Cyber Ark presented on PxM, Shireif Nosseir of CA on the transformation of the security model, Peter Weierich of IC Consult on externalized authorization, Laurent Liscia of OASIS on evolving cloud standards, ID-Cloud (ID in the cloud) and TOSCA (portability for the cloud), Jonathan Sander of Quest, Barbara Mandl of Daimler on consumerization of IT, Doc Searls on “free customers are the new platform” in contrast to the old captured customer (see http://lockerproject.org/ and http://www.kynetx.com/, the Kinetic rule engine and KRL, the cloud programming language); Mike Neuenschwander, now with Oracle, and Patrick Parker, CEO of The Dot Net Factory, completed the spectrum.

The second day started early at 8:30 with three keynotes by speakers mainly from the banking sector and then split into five tracks, one dedicated to legal topics and one a round table discussion on consumer identity. As last year, the cloud audit track elaborated on the need for cloud audit standards, which are required so that the customer can compare providers and does not remain unclear about what he is really buying. A statistic was shown that measured the cloud readiness of countries with respect to their legal and regulatory structure; the result ranks Japan, Australia and Germany as the first three countries. (Some references: Cloud Services Measurement Initiative – CSMIC, http://www.cloudcommons.com/; ENISA http://www.enisa.europa.eu/activities/application-security/test/; ISAE 3402 replaces SAS 70, http://isae3402.com/; ISO/IEC WD TS 27017 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43757.)

In the afternoon and on the following day several successful examples of large-scale federations were shown, mostly from the educational sector: the Danish federation with its own profile OIOSAML, WAYF as best practice in outsourced federation in Denmark, and REFEDs with an astonishing 27 federations, 1815 IDPs and 2755 service providers (reference: https://refeds.terena.org/index.php/Main_Page).

Craig Burton moderated a session with the provocative title “Is SCIM a Scam?”, a very lively track with statements like “SOAP is dead”. Burton and the other participants concluded that SCIM is not a scam, because it is simpler than SPML (basically providing only CRUD operations and not trying to reflect the whole provisioning object model) and because the specification work involved big names in the cloud like Google and WebEx, who are expected to implement SCIM for their services, contributing to making 2012 the year of SCIM.

In the Life Management track, Drummond Reed (http://connect.me) and Marcel van Galen (http://www.qiy.com/) presented their services: VRM (Vendor Relationship Management), the personal cloud and relationship as a service.

The evening of day two concluded with keynotes from Andre Durand of Ping Identity (“IT problems are fractal: your job is never done” and “a business without a cloud API is like a door without a doorknob”), Eberhard Faber on challenges security managers should watch (bring your own device = bring your own vulnerability), Stephan Bohnengel of VMware, and the European Identity Award ceremony.

European Identity Award Winners 2012

  • “Best IAM Project”: Siemens AG, project HRS DirX, an IAM project involving international deployments and leveraging hybrid cloud environments.
  • “Best Access Governance and Intelligence Project”: Europol, the European law enforcement agency, received the award for a strategic IAM project with central auditing in a very sensitive environment.
  • “Cloud Security Project”: in this category two projects received the award: Daimler AG, consulted by IC-Consult, for a project involving hybrid cloud by reuse of existing infrastructure, and Sanofi S.A. for a federation project implemented in a very short time frame using Ping Identity solutions.
  • “Best Approach on improving Governance and mitigating Risks”: Aeroport de Paris S.A., a Privileged Account Management project using Cyber Ark and Qualys.
  • “Best Innovation/New Standard in Information Security”: OpenID Connect, for its elegantly simple design.
  • A new category was introduced at this year’s EIC, “The Lifetime Achievement Award for Identity”: Prof. Dr. Reinhard Posch, CIO of the Austrian Federal Government.
  • Special award “Mobile Security”: Swisscom with MobileID, a product that uses SIM card security built on the ETSI mobile security standard. (Remark: in Germany a similar product was announced by Vodafone as “Secure SIM”.)

My unofficial award for the acronym of the year goes to a very old and well-known acronym: “API”. I never expected that APIs would gain such importance for businesses, not just for application developers.

The third conference day started with presentations by ATOS, Jacques Bus of the Digital Enlightenment Forum and Kai Rannenberg of the University of Frankfurt (http://www.m-chair.net). Rannenberg lectured on a more privacy-friendly Internet. (References: ABC4Trust https://abc4trust.eu/, an EU project on attribute-based credentials for trust and partial identities; ISO/IEC JTC 1/SC 27/WG http://www.iso.org/iso/iso_technical_committee.html?commid=45306; STORK https://www.eid-stork.eu/; Microsoft U-Prove https://connect.microsoft.com/site1188, based on blind signatures, and IBM Idemix http://www.zurich.ibm.com/idemix/details.html, based on zero-knowledge proofs; ISO/IEC 24760 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=57914.)

The tracks of day three gave insight into best practice experiences of IAM projects (e.g. the Province of Trentino), the use of open source in IAM, a real IAMaaS solution provided by Swisscom, and an interesting panel with Craig Burton, Martin Kuppinger, Kim Cameron, Fulup Ar Foll and Steven Willmott of 3scale on “IT model and the API economy”, describing the openness cycle of APIs:
Raw Data → internal reuse → customer reuse → partners and distribution
with all steps providing value.

To summarize, the conference was all in all a very interesting and informative event and, as always, perfectly organized by the KuppingerCole team.


SAML Request Online Decoder / Encoder

English, Toolbox on March 31st, 2012

SSOCircle Toolbox Part 3:

Continuing our series on field tools that help troubleshooting SAML federation problems, we are now adding an online decoder and encoder that translate SAML messages into readable text. In many cases you need to see what is in the SAML messages even if you have no access to the servers’ log files. Although transferred via the browser, the content is not directly readable: with the HTTP-POST binding the message is base64-encoded, and with the HTTP-Redirect binding it is additionally DEFLATE-compressed and URL-encoded.
The tools allow you to copy and paste the request into a form and decode its contents.
The following images show how to use the tool. Just copy & paste the contents of the request into the form. Use a tool like the Firefox add-on “Tamper Data” to log the request. Keep in mind that decoding does not validate the signature, and that an assertion may carry personal data, so prefer test traffic when using a web form.

SAML Online Decoder: encoded text

Click on decode and switch to XML view:

SAML Online Decoder: decoded text

We use these tools often, for example to see which attributes are in the assertion or whether constraints are set as expected.
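To show what such a decoder does under the hood, and why the attributes configured in the first post above end up visible to the service provider, here is an added Python example (not SSOCircle’s tool code). It implements the two encodings the SAML 2.0 bindings use, decodes a constructed AuthnRequest and Response for the hypothetical sp.example.com / idp.example.com, and lists the AttributeStatement and Conditions the way you would when checking what an IDP released:

```python
"""Decode/encode SAML 2.0 messages as a troubleshooting tool must.

Added example, not SSOCircle's tool code. Encodings per the SAML 2.0 bindings:
  HTTP-Redirect: XML -> raw DEFLATE -> base64 -> URL-encode (query parameter)
  HTTP-POST:     XML -> base64 (hidden form field)
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample messages for a hypothetical SP and IDP (not real traffic).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-1" Version="2.0" '
    'IssueInstant="2012-03-31T10:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0" '
    'IssueInstant="2012-03-31T10:00:01Z" InResponseTo="_req-1">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2012-03-31T10:00:01Z">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2012-03-31T09:59:00Z" NotOnOrAfter="2012-03-31T10:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="memberOf"><saml:AttributeValue>admins</saml:AttributeValue>'
    '<saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)


def decode_saml(value: str, binding: str) -> str:
    """Return the XML text carried in a SAMLRequest/SAMLResponse parameter."""
    if binding == "redirect":
        raw = base64.b64decode(urllib.parse.unquote(value))
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream, no zlib header
    elif binding == "post":
        raw = base64.b64decode(value)
    else:
        raise ValueError("binding must be 'redirect' or 'post'")
    return raw.decode("utf-8")


def encode_saml(xml_text: str, binding: str) -> str:
    """Inverse of decode_saml, e.g. to craft a test request for an IDP."""
    data = xml_text.encode("utf-8")
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
        return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")
    if binding == "post":
        return base64.b64encode(data).decode("ascii")
    raise ValueError("binding must be 'redirect' or 'post'")


def message_type(xml_text: str) -> str:
    """Local name of the root element, e.g. 'AuthnRequest' or 'Response'."""
    return ET.fromstring(xml_text).tag.split("}")[-1]


def assertion_attributes(xml_text: str) -> dict:
    """Attribute Name -> list of values across all AttributeStatements."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(a.get("Name"), []).extend(vals)
    return attrs


def assertion_conditions(xml_text: str) -> dict:
    """Validity window and audiences: the constraints an SP must check."""
    root = ET.fromstring(xml_text)
    cond = root.find(".//saml:Conditions", NS)
    return {
        "NotBefore": cond.get("NotBefore") if cond is not None else None,
        "NotOnOrAfter": cond.get("NotOnOrAfter") if cond is not None else None,
        "Audience": [a.text for a in root.iterfind(".//saml:Audience", NS)],
    }


if __name__ == "__main__":
    req_param = encode_saml(SAMPLE_AUTHN_REQUEST, "redirect")
    print(message_type(decode_saml(req_param, "redirect")))
    resp = decode_saml(encode_saml(SAMPLE_RESPONSE, "post"), "post")
    print(assertion_attributes(resp))
    print(assertion_conditions(resp))
```

Decoding tells you what was sent, not whether it was genuine: before trusting attributes from a real Response, verify the XML signature and the Conditions shown here (time window, audience) on the SP side.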

Stay tuned with more tools to come.


Securing Google Apps/Gmail – Part I

English on January 22nd, 2012

In December Google announced the availability of SAML SSO and other APIs in the free edition of Google Apps. SAML had already been introduced for the premium/business and educational editions back in 2007. Now you can use this feature to make access to all editions of Google Apps more secure.

This article has two parts. Part I describes how to secure access to Google Apps using SSOCircle IDPee with password-free X.509 client certificate authentication, a good countermeasure against the phishing attacks commonly used to capture user name and password in order to gain access to a Gmail account. Remember the attack on the Gmail accounts of U.S. officials by phishing originating from China (see CNN: “Massive Gmail phishing attack hits top U.S. officials”).

Part II describes how to use certificates to encrypt and sign emails with a standard browser and Gmail. Take the next step and protect your email communication from everyone, including the service provider, all with your standard browser.

This is what you need for Part I (Secure access to Google Apps):

  • Google Apps account (e.g. free Standard Edition)
  • SSOCircle IDPee account

Follow the steps below to configure the application. We assume you already have user accounts at Google Apps and SSOCircle IDPee.

A. Configure Google Apps for SAML SSO

  • Log in to your Google Apps account as administrator
  • Go to “Advanced tools” and “Set up single sign-on”
Configure SAML SSO in Google Apps

  • Enter the fields as described in the screen shot
  • The verification certificate Google asks for is the IDPee signing certificate; it can be downloaded from your IDPee at <my-hostname>.idpee.com/cert.cer. Google uses it to check the signature on every assertion, so it must be the certificate of the key your IDPee signs with.

Google Apps SSO configuration screen

B. Import Google Apps configuration data into SSOCircle IDPee

  • Log in to your SSOCircle IDPee account as administrator
  • Go to “Manage metadata” and click “Add new service provider”
Manage SAML metadata

  • Enter the metadata of your Google Apps.

You can retrieve a sample of the metadata on the SSOCircle web site and replace the string “YOUR_GOOGLE_APPS_DOMAIN” with the name of your domain.
Copy & paste it into the form:

Import Google Apps metadata

You will now see that your Google Apps metadata was imported properly, as shown in the following screen:

Service Provider metadata listing

C. Enroll certificate for your user account

Finally, after getting the Google Apps – SSOCircle IDPee integration in place, you need to enroll for a personal client certificate. SSOCircle IDPee provides automatic enrollment pages for Firefox, Internet Explorer and Chrome. Read the following screens to see how simple it is:

  • Install your personal certificate into your browser by using the automatic enrollment page
Certificate automatic enrollment page

After clicking on the link for your browser, a key generation and certificate enrollment page appears. Choose a key length that fits your requirements and submit the page. A process is started that generates a private/public key pair locally and submits a certificate signing request to SSOCircle IDPee. SSOCircle signs the certificate and sends it back to the browser for import into the local certificate store; the private key never leaves your browser.
This is done fully automatically:

Certificate key generation and enrollment

The browser displays a message that the certificate issued by the CA was successfully imported. Now you are ready to authenticate to SSOCircle IDPee and Google Apps without a password being sent over the wire. Just click on the three-locks symbol on the authentication page. The browser displays a certificate chooser; choose your personal certificate generated in the previous step and you are logged in …

X.509 certificate authentication
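The enrollment and login of step C, as an added Python illustration (not SSOCircle IDPee code; it needs the cryptography package, and the CA name, e-mail address and challenge bytes are made up): the browser side generates the key pair and a CSR, the IDP’s CA checks the CSR’s self-signature and issues a client-authentication certificate, and at login the IDP verifies the chain, the validity period and the extended key usage, then a signature over a fresh challenge, which stands in for the TLS CertificateVerify. No password and no private key ever cross the wire.

```python
"""Browser-side certificate enrollment and certificate login, modelled in Python.

Added illustration, not SSOCircle IDPee code. Requires: pip install cryptography
Names like "Example IDP CA" and alice@example.com are made up for the example.
"""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc


def _validity(days):
    now = datetime.datetime.now(UTC)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=days)


def make_ca(common_name="Example IDP CA"):
    """The IDP's issuing CA: the entity that signs enrolled certificates."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    nvb, nva = _validity(3650)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(nvb).not_valid_after(nva)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def browser_enroll(email):
    """What the enrollment page triggers in the browser: key pair generated
    locally, CSR built and self-signed. Only the CSR is sent to the IDP."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.EMAIL_ADDRESS, email)]))
           .sign(key, hashes.SHA256()))
    return key, csr


def ca_sign(ca_key, ca_cert, csr, days=365):
    """IDP side: confirm the requester holds the key behind the CSR, then issue
    a leaf certificate restricted to TLS client authentication."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: requester does not hold the key")
    nvb, nva = _validity(days)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(nvb).not_valid_after(nva)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def sign_challenge(key, challenge):
    """Proof of possession of the private key. In real TLS client auth this is
    the CertificateVerify signature over the handshake transcript."""
    return key.sign(challenge, padding.PKCS1v15(), hashes.SHA256())


def authenticate(ca_cert, client_cert, challenge, signature):
    """Checks the IDP does at login; returns the authenticated e-mail address
    or raises (InvalidSignature / ValueError) if any check fails."""
    # 1. Issued by our CA: CA key verifies the signature over the TBS part.
    ca_cert.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), client_cert.signature_hash_algorithm)
    # 2. Within the validity period (attribute name differs across library versions).
    now = datetime.datetime.now(UTC)
    nvb = getattr(client_cert, "not_valid_before_utc", None) or client_cert.not_valid_before.replace(tzinfo=UTC)
    nva = getattr(client_cert, "not_valid_after_utc", None) or client_cert.not_valid_after.replace(tzinfo=UTC)
    if not nvb <= now <= nva:
        raise ValueError("certificate outside its validity period")
    # 3. Certificate is meant for client authentication.
    eku = client_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        raise ValueError("certificate not valid for client authentication")
    # 4. The presenter holds the matching private key: no password needed.
    client_cert.public_key().verify(signature, challenge, padding.PKCS1v15(), hashes.SHA256())
    return client_cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)[0].value


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    user_key, csr = browser_enroll("alice@example.com")   # happens in the browser
    user_cert = ca_sign(ca_key, ca_cert, csr)             # happens at the IDP
    challenge = b"constructed-login-nonce-0001"           # fresh per login
    print(authenticate(ca_cert, user_cert, challenge, sign_challenge(user_key, challenge)))
```

Two failure cases worth trying: a certificate from a different CA fails check 1 even if its subject is alice@example.com, and someone who copied the certificate but not the private key fails check 4. Both are why stealing a password-style secret does not help against this login.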

Cloud security made simple – SSOCircle. Contact us for more information.


ServiceNow SAML SSO Online Demo

English on November 27th, 2011

It is already a year since we published the article “Service-now.com: On Demand IT Service Management supports SAML 2.0”, which ended with the sentence “Looking forward for more to come …”

One year later we have set up an online demo showcasing SAML single sign-on between SSOCircle and ServiceNow. With Google Apps offering office, email, calendar, spreadsheet, etc., Salesforce offering cloud CRM and ServiceNow IT service management, our demo “Cloudified Company” is becoming more and more of a reality.
The added value that SSOCircle offers is not only more convenient access to applications via single sign-on but also improved security by leveraging strong authentication means. Try it out by registering a user, enrolling an X.509 client certificate and using it to authenticate to the ServiceNow Online Demo and the other services in the Circle of Trust.

The ServiceNow online demo is also a good opportunity to check out what the ServiceNow application is about. In this demo all SSOCircle Public IDP users are mapped to a single ServiceNow user named “itil”, so the demo provides no per-user separation.

ServiceNow Application

A full list of our demo service providers can be found in the Service Provider section.

Watch John Andersen’s video on setting up SSO between ServiceNow and SSOCircle. John is the integration expert at ServiceNow.

About ServiceNow:
ITIL v3 + Web 2.0 + SaaS = Service-now.com, a pioneer of On Demand IT Service Management, combines ITIL v3 guidelines with Web 2.0 technology into a Software as a Service offering.


OpenSSO / OpenAM Session Cookie Decoder

English, OpenAM, OpenSSO, Toolbox on September 18th, 2011

SSOCircle Toolbox Series Part 1

Understanding the “iPlanetDirectoryPro” session cookie can be key to debugging problems like OpenSSO / OpenAM internal session routing, persistence problems and misconfiguration.

The SSOCircle Toolbox OpenSSO / OpenAM session decoder: http://idp.ssocircle.com/sso/toolbox/ossoDProDecode.jsp

OpenSSO iPlanetDirectoryPro Decoder

The iPlanetDirectoryPro cookie is used by OpenSSO and OpenAM to reference a specific user session. It consists of a unique random identifier marking the session, a base64-encoded extension part and a tail value. The extension part holds information for internal session routing (some keys are optional and depend on the system architecture):

  • The Site ID
  • Server Instance ID
  • Storage Key for Session Failover (optional and not displayed by the tool)
  • Tail Value after the “#” (optional and not displayed by the tool)

Note that the cookie value is the bearer credential for the session: whoever holds it is logged in as that user. Decode cookies from test sessions only, or log out afterwards so the session is invalidated.


OpenSSO / OpenAM Password Encryption/Decryption

English, OpenAM, OpenSSO, Toolbox on September 18th, 2011

SSOCircle Toolbox Series Part 2

OpenSSO and OpenAM store passwords (for example those of J2EE Policy Agents) encrypted in configuration files. If you need to encrypt a password without having access to the bundled encryption tools, use the SSOCircle Toolbox OpenSSO / OpenAM Password Encryption web tool.

And if you cannot remember what the password was and the only documentation you have is the configuration file with the encrypted service secret, use the SSOCircle Toolbox OpenSSO / OpenAM Password Decryption web tool. Keep in mind that this encryption is keyed by the deployment’s encryption key (am.encryption.pwd): a value can only be decrypted with the key it was encrypted under, and anyone who knows that key can recover every secret in the configuration, so treat the key like the passwords it protects.

OpenSSO / OpenAM Secret Decryption


Cloud Identity Summit 2011

English on August 21st, 2011

The cloud conference in the clouds, or at least close to them, took place from 18 to 21 July 2011 in Keystone, Rocky Mountains, at an altitude of 2,830 m. The conference was organized by Ping Identity, headed by Andre Durand, who put a lot of passion into the conference and into fostering the “identity family”. Many thanks to him, his wife and the Ping crew who made this event possible. Microsoft, Google and Covisint sponsored the event, which started with two days of workshops followed by two days of conference.

The conference offered a good mixture of technically oriented talks, company views and analysts’ visions. The first thing I noticed was the absence of the “big” IAM software vendors: no visible presence of Oracle, IBM … I am very relieved that other companies are now setting the IAM tone, especially after the disappearance of active players like SUN. These companies are now Ping, Google, Salesforce.com and eBay. I am not sure about the reason for the absence of the big players, but one reason could be that the focus of new trends in identity is shifting more and more to the consumer space. Especially the strong presence and activity of companies like Google, Salesforce.com and others emphasizes that cloud identity is now more and more an API identity topic.

Back to chronology: in the first two days we had to choose between different workshops. Some of them were sponsored by Google; for others an additional fee was charged. Each workshop lasted three hours, enough time to dig deeper into cloud identity topics. The workshop titles listed below give an overview of the “hot topics” this year:

  • Cloud Security 101; Gunnar Peterson from Artec
  • OAuth 101; Paul Madsen and Brian Campbell, Ping Identity
  • The essential XACML Primer; Gerry Gebel, Axiomatics
  • OpenID & OpenID Connect; Eric Sachs from Google
  • SAML Single Sign On 101;  John Da Silva, Ping Identity
  • SAML & OAuth with Force.com; Pat Patterson from Salesforce.com
  • Challenges of Consumer Identity in the Cloud; Mike Neuenschwander, Drew Clippard and Matt Randall
  • Windows Azure, Office365 and More; Brian Puhl, Laura Hunter, Vittorio Bertocci from Microsoft
  • Securing & Connecting the Mobile to the Enterprise; Andy Zmolek from LG
  • Integration with the Google Cloud; Eric Sachs, Ryan Boyd and others from Google
  • XACML 3.0 and Hands On Cloud Authz; Doron Grinstein from BITKOO
  • Integrating PingFederate with the Microsoft Ecosystem ADFS/WIF/SP2010; Travis Spencer from Ping Identity
  • The Kantara / OpenID Summit

The conference agenda on days 3 and 4 was made up of keynotes and two separate tracks on different topics. The presentations were all scheduled to last 30 minutes and there was plenty of time to network in the breaks, definitely a plus.

A very interesting presentation was held by Farhang Kassaei of eBay on the “Role of Identity in eCommerce”, trying to answer the question of the nature of a commercial identity and a commercial IDP and how they differ from a social network identity and a social network IDP. Another question he asked was whether one IDP can cover the whole range of identities. His answers described identity from the viewpoint of a merchant: “Identity = Customer”, and identity management is not about SSO but about easy onboarding, personalization, transactions, less risk and more security. Of importance to the merchant’s customers are convenience, value, privacy control, less risk and more security. He pointed out that there is real business value for merchants in a (customer) attribute provider that dynamically supplies relevant information about a buyer (e.g. how many merchants have shipped to the buyer’s address without complaints in the last 6 months) or an IDP that offers methods and techniques to identify that two identities are the same person (entity resolution), which is very important for detecting fraud.

Paul Madsen’s presentation on synergies, “You got SAML on my OAuth”, demonstrated how much the portfolio of standards is interrelated and how the standards play together:

  • SCIM + SAML: SAML binding for SCIM. SCIM can be used for just-in-time provisioning through an SSO assertion that holds SCIM attributes, or more simply by API right before SSO.
  • SCIM + OAuth: OAuth can be used to secure SCIM API calls. SCIM can be used to provision accounts for subsequent OAuth-based mobile access.
  • SAML + OAuth: hybrids like an OAuth token carried in SAML SSO messages, or the assertion profile that uses SAML assertions within the OAuth flow.
  • SAML + OAuth + JWT: use a SAML assertion or a JWT (pronounced “jot”) for OAuth client authentication or as an OAuth grant type.
  • OpenID + JWT + OAuth: OpenID Connect adds an identity layer on top of OAuth 2 and stipulates the use of JWT for identity tokens.
  • UMA + OAuth: User Managed Access extends OAuth 2 to manage access to distributed resources through a centralized Authorization Manager.

Eric Sachs of Google, “Time to Eliminate Passwords”, emphasized the user experience aspect, which is still in its infancy. Signing in to web applications in the majority of cases means typing in the user name (likely a long email address), tedious compared to what we are used to in operating system logins (think of the Windows 7, Mac or Chrome OS login screen). Google launched the Account Chooser project: https://sites.google.com/site/gitooldocs/experiment—account-chooser
which tries to bring the OS login user experience to the web. Web sites that want to adopt Account Chooser will find implementation help in the Google Identity Toolkit (GITKit).

John Shewchuk of Microsoft presented his company’s view on federated IT and identity: Office 365 was launched in June in 40 markets and 20 languages, and already 50,000+ organizations signed up in the first two weeks. Office 365 leverages Azure’s infrastructure capabilities and enables managed and federated identities. Directories are a critical enabler for federated IT, but existing standards need to be modernized. The programmable directory principles need to model not only identity but federation of data, authentication and authorization. For more information take a look at OData and the Facebook graph.

These are just a few randomly chosen samples of the presentations. The many interesting presentations at the summit could fill the whole SSOCircle blog. If you are looking for more information on the presentations given, go to the Cloud Identity Summit web page http://www.cloudidentitysummit.com/Presentations-2011.cfm.

Bookmark summary:
www.simplecloud.info
oauthssodemo.appspot.com
account-chooser.appspot.com
Account Chooser Experiment
login-helper.appspot.com
www.odata.org
graph.facebook.com
openidsamplestore.com

P.S. The next Cloud Identity Summit will be held in Vail, Colorado on 16 to 19 July 2012.


Impressions from European Identity Conference 2011

English on May 15th, 2011

This year’s European Identity Conference (EIC 2011), a fixed star in the digital identity world, took place in Munich, Germany, from 10 to 12 May, with a supplemental workshop day on the 13th. As last year, the conference also hosted Cloud 2011. In terms of venue the conference made a leap into the future from the venerable Deutsches Museum to the Dolce Ballhaus-Forum, a modern hotel and conference center north of Munich. Needless to say, the conference was well organized by KuppingerCole, with newly introduced supplemental offerings like the World Cafe unconference or a crash course in international privacy and IT security law.

Before diving into details, my overall impression was that the identity community is finally reaching a state of reflection. Compared to last year, when I experienced a more enthusiastic atmosphere and speakers, the 2011 conference was strongly influenced by academics and organizations. Keynote topics like “where will identity be next year” and personal changes like that of Kim Cameron, who recently left Microsoft and thereby inspired Jackson Shaw to present a retrospective, bolstered thoughtfulness.

In addition, the human part of identity is coming more and more into consideration. At EIC 2011 we had the chance to listen to speakers like Emilio Mordini, a psychoanalyst and founding director of the Centre for Science, Society and Citizenship, or Stephan Humer, a sociologist from the Berlin University of the Arts, whose presentations demonstrated that sociological aspects play a very important role in the acceptance and success of digital identity and internet security.

We have finally reached the social human being and not only the user account. The identity acceptance development cycle, shown below, demonstrates these iterations, which might lead to new rethinking and specifications.

This is a great achievement. In other areas it seems we are not at that point yet. Look at the evolution of OpenID, which is finally approaching a new level with OpenID Connect: it reinvents the wheel that SAML 2.0 already built, but with less complexity, replacing SOAP and XML security with REST and JSON. That looks to me like taking the first shortcut in the identity acceptance development cycle, due to missing implementation acceptance, at least in the consumer identity space. Listening to Barbara Mandl from Daimler revealed that there are also several instances of shortcut 2, caused by business rather than technical reasons. In summary, there is still a lot to do for the identity community: although most technologies are mature, digital identity in a social world is very complex and subject to change.

In my eyes the most dynamic fields are:

  • OpenID Connect
  • OAuth 2.0
  • XACML 3.0
  • SCIM

and the integration of mobile devices as a whole, as well as the formation and establishment of Trust Frameworks.

But let me continue with details of the conference in chronological order. As always it is subjective, due to my interests and the selection of presentations visited.

Day 1:

Preconferences:

The conference started, similar to the years before, with a set of preconferences. One of these was an update and overview of OpenID staffed with Eric Sachs (Google), David Recordon (Facebook), John Bradley, Nat Sakimura and Don Thibeau (OpenID Foundation), Mike Jones and Anthony Nadalin (Microsoft). The upcoming version of OpenID is expected for IIW in November and will be named OpenID Connect; the AB for artifact binding will be removed from the name. Its goal is to make “easy things easy and harder things possible”. Its design is modular with a focus on integrating mobile devices. It will replace the 3.5-year-old OpenID 2.0 spec and will introduce some advanced concepts known from the SAML spec, like a level of assurance similar to the SAML authentication context, and session management, like single logout, but less ambitious than the one known from SAML 2.0. OpenID Connect is based on OAuth 2.0, which itself will be finalized in the next months.

Announcements:

In a press conference Drummond Reed, known from his work on XRI, XDI, Information Card, OIX and the OpenID Foundation, launched a new start-up called connect.me. Connect.me is the first personal respect trust network, in which you can vouch/vote for a person in a specific respect. By joining the network, people agree to 5 principles called promise, permission, protection, portability and proof. Connect.me is not a new social network but constitutes a layer above other social networks. By vouching for a person at http://vote.connect.me you are giving that person “trust points” for a specific respect. For me this is comparable to the seller rating on eBay. I am curious to see how this will develop and whether we will all get personal ratings in the near future. I expect that in next year’s EIC agenda the rating will be mentioned right behind the speaker’s name. We will see if leaving Microsoft changes Kim Cameron’s rating from AAA to AAA+ or AAA-.

Keynotes:

As usual, Martin Kuppinger gave the opening notes with an overview of the hottest topics, which are:

  • Cloud Computing
  • Information Security
  • Business-driven service management (far more than ITIL)
  • Make BYOD secure

BYOD stands for “bring your own device” and reflects that many employees nowadays want to use their own private devices (iPad, iPhone etc.) for business. This poses a new threat to corporate security.

Cloud: In cloud computing more standards will evolve, and there will be no success without security. Recent security breaches like those at Sony or Amazon have raised the awareness of users, company CIOs and politicians, which accelerates the development.

GRC: continuing progress towards one GRC for business and IT. Regulatory pressure will reach other industries.

IAM: PxM, privileged x Management with x = (Access, Account, Identity, User), is the important topic in 2011. Externalization of authorization is becoming reality, and versatile authentication will become more widespread; the RSA breach is one of the reasons.

Mobile:

BYOD is a new phenomenon, and the built-in security of the devices is not sufficient. Kuppinger compared the security of mobile devices to the security standard of PCs in the 80s.

CIO key topics in 2011 will be:

  • How to make the cloud part of the IT
  • How to enforce privacy and protect data (Sony)
  • How to reach enterprise GRC maturity
  • How to reach governance
  • How to optimize investments and close gaps
  • How to improve information security

First day keynotes on “the future of identity” continued with presentations by Laurent Liscia, executive director of OASIS, Wolfgang Hirsch of Siemens IT Solutions, and Maurizio Griva of Reply. Kim Cameron’s keynote was canceled and replaced by an interview in which Tim Cole eagerly tried to get information about Cameron’s real reasons for leaving Microsoft. Was it Microsoft’s recent strategy? No answer from Cameron except a comment expressing his feelings: “hey man, I am feeling so free”. Jackson Shawn’s (Quest Software) keynote, directly influenced by Cameron’s “retirement”, gave a retrospective of the development of identity in 1991, 1996 and 1999 and a forecast of how it may look 10 years from now, illustrated with photos of Cameron and him, as they have been close fellows all these years. Shawn said that the start-up companies he is watching right now are Oka, Biznet3, SecureAuth and Symplified.

Prof. Reinhard Posch, CIO for the Austrian Government, presented on eID cards and the cloud, and Jörg Asma from KPMG gave his view on future hot topics: Facebook as an identity manager and application hoster; cloud computing driven by the use of devices like the iPad; BYOD, the use of private devices for business purposes. Interesting was his statement on HR and attracting new talent: today you don’t need a fancy car to attract new hires, but cool lifestyle devices like the iPad or iPhone.

Day 2:

The day started with three keynotes: Dave Kearns on integrated identity management; Rolf von Rössing, VP of ISACA (http://isaca.org), an independent, nonprofit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems, with framework examples such as Cobit 5 (bringing the GRC frameworks to the public), Risk IT, Val IT and BMIS; and Professor Eberhard von Faber on forward strategies to protect corporate data in the cloud: encryption is important to protect data in the cloud, but it has its limitations in server-side batch processing, for example in BI systems.

Alternatives are homomorphic encryption, not now but maybe in 10 years, or pseudonymisation, which can solve some problems. [Remark: fully homomorphic encryption is an encryption in which a service provider can operate (add, multiply) on the encrypted data without being able to decrypt it. That means a cloud service can work on data without knowing it.] Other means to secure the data are database encryption and database activity monitoring. Access restriction only protects from the outside; most service providers lack protection against inside attacks. Limiting access to data (e.g. by terminal server or by not having full access to “data files”) and EDRM (enterprise data rights management), as well as VPN against eavesdropping and protection against access to data from other tenants, are important. Securing the cloud isn’t easy, and it still needs to be easy to use. User awareness, control and monitoring are key for successful cloud deployments.
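To illustrate the homomorphic remark above, here is an added example (not from the talk and not this blog’s code) of a toy-sized Paillier scheme, which is additively homomorphic: the “cloud” side adds encrypted values, and multiplies them by a constant, without holding the decryption key. The demo primes are constructed and far too small for real use, and, unlike a fully homomorphic scheme, Paillier cannot multiply two ciphertexts.

```python
# Added example: toy Paillier (additively homomorphic) encryption.
# Assumption: demo primes p, q are constructed values, far too small for real use.
import math
import secrets


def keygen(p, q):
    """Return (public_key, private_key) for demo primes p and q."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1                                          # simple standard choice of g
    mu = pow(lam, -1, n)                               # with g = n+1, L(g^lam mod n^2) = lam mod n
    return (n, g), (n, lam, mu)


def encrypt(pub, m):
    """Encrypt integer m in [0, n); a fresh random r makes encryption probabilistic."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """Recover m from c = g^m * r^n mod n^2 using the private key."""
    n, lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n  # L(x) = (x - 1) / n
    return (l_value * mu) % n


def add_encrypted(pub, c1, c2):
    """Cloud side: multiplying ciphertexts adds the plaintexts; no key needed."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def mul_encrypted_by_const(pub, c, k):
    """Cloud side: raising a ciphertext to k multiplies its plaintext by k."""
    n, _ = pub
    return pow(c, k, n * n)


def demo():
    """Tenant encrypts two values, cloud computes on ciphertexts, tenant decrypts."""
    pub, priv = keygen(10007, 10009)  # constructed demo primes
    c_a, c_b = encrypt(pub, 42), encrypt(pub, 17)
    total = decrypt(priv, add_encrypted(pub, c_a, c_b))          # 42 + 17 = 59
    scaled = decrypt(priv, mul_encrypted_by_const(pub, c_a, 3))  # 3 * 42 = 126
    return total, scaled
```

Each call to encrypt the same value yields a different ciphertext, so the cloud cannot even tell whether two stored values are equal.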

Breakout:

The conference offered four parallel tracks, from which I selected the Directory & Federation track. Martin Kuppinger gave an introduction with the statement: you cannot do federation, which relies on data quality, if you do not have your directory in order. Federated directories are a solution to that problem, as the single directory does not work due to complexity and privacy. Here virtual directories or cloud directories come into play; use cases for the latter are authentication of customers, directories for specific applications, or the migration of in-house directories to the cloud. Kuppinger expects directories in 2020 to be similar to what they are today.

I was surprised to see an overcrowded room when visiting “How to authenticate for the cloud”, a panel discussion led by Sebastian Rohr with Judith Little (CloudID), Mark O’Neill (Vordel), Travis Spencer (Ping) and Tom Stewart (SecureAuth). The better way to do authentication to the cloud is to authenticate internally and then federate to the outside. This will increase adoption, as too many different methods lack user acceptance. Authorization to the cloud is still difficult to handle, as mainly proprietary methods are used.

“Federation lessons learned” with Matthew Gardiner (CA & Kantara), Nishant Kaushik (Oracle) and Travis Spencer (Ping) concluded that federation is now mainstream. The success of Facebook Connect demonstrates that federation still profits from the federated SSO use cases, but that reinventing it over and over with new technology is problematic. A business sponsor and an aligned strategy are needed. One question asked by Mike Small was whether there is a reason not to use federation. Spencer answered that there is none, except for some use cases for mobile devices with limited capability, which can be overcome by OAuth or WS-*. Cloud business is becoming a major driver for federation, which does not stop at SSO: provisioning, authorization and audit are getting more and more important.

Cloud standards adoption track: in the absence of Liam Lynch (eBay), Mike Small gave an introduction to the topic by analyzing the risks in cloud computing, starting with the risk of vendor lock-in, which is more prevalent with SaaS than with PaaS or IaaS. Other risks are: “Legal risk: contract” (we need a trusted standard for a provider contract); “Loss of governance” (standards for provider certification and auditing are required); “Privacy legislation” (a standard for how well a provider meets privacy laws); “Impersonation” (is user name/password sufficient?); “Insider abuse of privilege”; “Management interface”; “Ineffective data deletion”; “Poor authorization model”.

Mike Small also pointed out that current cloud provider assurance frameworks are far too complex, with 148 control points. He introduced a star rating method scoring the major controls, reducing the list to 5 basic and 11 risk factors.

In the evening Kuppinger and Cole presented the annual European Identity Awards in several categories:

  • Cloud provider offerings
    • WSO2: multi-tenant identity as a cloud service with OpenID and XACML support, built on open source
  • On premise to cloud migrations
    • NHS Trust/ King’s College London: Secure infrastructures for researchers
  • Identity and Access Management
    • BrokerGate: Secure federation broker for insurance brokers to manage federations instead of managing all users
  • Integrated identity & access management
    • Telefonica O2 Czech Republic: successful deployment of a large-scale IAM implementation covering provisioning, SSO, audit, efficient application on-boarding and more
  • GRC
    • BT managed fraud reduction service: shared service providing real-time assessment of online transactions and analyzing fraud
  • Privacy
    • Qiy: Innovative approaches to manage the personal identity in the internet
    • connect.me: recommendation network
  • Identity related e-government project
    • Postecom CECPAC: certified, free email platform open to all Italian citizens for their communications with public administrations
    • Finland: Tunnistus.fi/KATSO: government to citizen/business services established in Finland now used by more than 70% of the Finnish companies
  • Influential standardization efforts
    • XACML 3.0: standard driving the externalization of security out of applications for centralized management and control
  • Special award entitlement management
    • State of California: tax service based on external authentication and authorization using XACML 3.0

Day 3:

The day brought three keynotes, from Niels von der Hude (Beta Systems), Emilio Mordini (CEO of the Centre for Science, Society and Citizenship) and Barbara Mandl (Daimler).

Mordini, a psychoanalyst, presented on secrecy in the post-WikiLeaks era. He elaborated on the meaning of secrecy: something hidden, kept separate from other things, invisible or unspoken. He asked the question: do we still need secrecy in the modern information society? His answer: we need secrecy and publicity, and he compared that to life in a small village, where everybody knows where you are, who you are and what you are doing. But people do that with discretion: they pretend not to know the information. He concluded that ICT should address access rights, but that strong data protection and security are often useless. True power is not to remember and to be remembered, but to forget and to be forgotten.

Back to reality: Barbara Mandl pointed to the real problems a global corporation is confronted with. Data protection requirements in Germany, the US or Japan are totally different. For example, in Japan the works council supports storing and evaluating login and logout times in Active Directory. Federation itself is not a solution as a whole. Contracts with every supplier and contracts for special applications pose challenges to the legal departments, both on the Daimler and on the supplier side.

She also pointed out that some things work perfectly in private life (e.g. security awareness in private online banking) because people are protecting their own belongings, but the same people do not care about these things at work.

Legal track:

EIC offered a three-hour crash course on international privacy and IT security law for IT professionals, which compared the data protection legislation in the EU, the US and China and gave an introduction to the European legal requirements for data protection, IT security, encryption and audit. I remember a tweet saying: “It seems like two words can dissolve all the reputedly strong EU privacy & data security protections: contract or consent”. And that is exactly the point: opt-in rather than opt-out.

In another track on privacy, Stephan Humer, Berlin University of the Arts, presented on the sociological aspects of eID cards: technical people are problem-centered; normal people are not necessarily, they might act chaotically …

A talk by Maarten Wegdam (Novay) and a panel discussion analyzed topics like “Consumer and citizen identities: government-issued or trust frameworks?” and “Identity assurance frameworks are now upon us. But what are they good for?”.

In the best practice track the winner of the EIC award, “BrokerGate”, reported on their project setting up a SAML identity provider service for 10,000 brokers and 20 insurers (final goal) in Switzerland with versatile authentication methods. In a final presentation Vassilia Orfanou from EUReID, the pan-European network of eID practitioners, introduced the platform to consolidate documents and information, support networking and exchange information related to eID projects in Europe: http://ePractice.eu.

Final words: a very successful conference, and thanks to KuppingerCole for a perfect organization and composition of interesting topics. For interested readers: the European Identity Conference 2012 will be held on 17-20 April. So the fixed star has moved a little bit.


Service-now.com: On Demand IT Service Management supports SAML 2.0

English on November 29th, 2010 No Comments

ITIL v3 + Web 2.0 + SaaS = Service-now.com: a pioneer of On Demand IT Service Management, Service-now.com combines ITIL v3 guidelines with Web 2.0 technology into a Software as a Service offering.
As we have seen in many cases, customers of SaaS providers are increasingly asking for identity and access management features for convenience and security. To meet these requirements, Service-now.com added SAML v2 support to their Spring 2010 release. This is in line with what we have seen at other important SaaS players like Salesforce.com, who added SAML 1.1 support in the Summer 2008 release and SAML 2.0 later, demonstrating once more that SAML 2.0 is a must-have in the enterprise SaaS world.

If you go to wiki.service-now.com you’ll find an article on “Embedded:SAML 2.0”, the functionality added by the SAML 2.0 Single Sign-On plugin. The article explains in detail how to configure Service-now.com to use SAML authentication and outlines the Single Sign-On and Single Logout request flows in sequence diagrams.

Service-now.com uses SSOCircle as the sample Identity Provider. Once more a service provider is using our free SAML 2.0 identity provider service as the test platform of choice, ensuring that their service is compatible and runs out of the box with SSOCircle.

Citing from the wiki, the next release of Service-now.com will support deep linking with SAML 2.0 and processing of signed SAML requests.
Looking forward to more to come …
