Andre Durand

Discovering life, one mistake at a time.

Archive for the ‘Identity’

PingFederate – Front & Center

November 07, 2007 By: Andre Category: Identity

A recent Webinar titled “Picking the right Federation Product for the Job” by Mike Neuenschwander of Burton Group placed Ping at the center of the federation universe. It only took 5 years. 🙂

BarbieToken. Brilliant!

November 06, 2007 By: Andre Category: Identity

It’s only a matter of time before identity tokens, like cell phones today, become a sort of fashion accessory. The company in pole position to make tokens hip is Apple of course. Imagine a new device, call it the iKey (with built-in strong authentication, such as a thumbprint scanner or something), looking much like a Nano, but used as a universal key to open everything in your life, virtual and physical. Leave it to Apple to make access cool, personalization hip and one-click purchasing via wireless a mainstream activity. To pull this off, Apple would have to aggregate a critical mass of relying party devices and online services. What’s interesting is that Apple most likely has enough in their own universe of devices and online services to pull this off. Publish the APIs to hook the device and let the world go wild. Now that’s interesting, and with enough muscle, quite achievable within 2 to 4 years.


Barbie Becomes an Authentication Device for Pre-Teen Friendship

By Kevin Poulsen 

At last, a USB security token for girls! 

Pre-teens in Mattel’s free Barbie Girls
virtual world can chat with their friends online using a feature called
Secret B Chat. But as an ingenious (and presumably profitable) bulwark
against internet scum, Mattel only lets girls chat with “Best Friends,”
defined as people they know in real life.

That relationship first has to be authenticated by way of the Barbie
Girl, a $59.95 MP3 player that looks like a cross between a Bratz doll
and a Cue Cat, and was recently rated one of the hottest new toys of the 2008 holiday season.

The idea is, Sally brings her Barbie Girl over to her friend Tiffany’s
house, and sets it in Tiffany’s docking station — which is plugged
into a USB port on Tiffany’s PC.  Mattel’s (Windows only) software
apparently reads some sort of globally unique identifier embedded in
Sally’s Barbie Girl, and authenticates Sally as one of Tiffany’s Best

Now when Sally gets home, the two can talk in Secret B Chat. (If
Sally’s parents can’t afford the gadget, then she has no business
calling herself Tiffany’s best friend.)

It’s sort of like an RSA token, but with cute fashion accessories
and snap-on hair styles. THREAT LEVEL foresees a wave of Barbie Girl
parties in the future, where tweens all meet and authenticate to each
other — like a PGP key signing party, but with cupcakes.

Without the device, girls can only chat over Barbie Girls’ standard
chat system, which limits them to a menu of greetings, questions and
phrases pre-selected by Mattel for their wholesome quality. 

In contrast, Secret B Chat lets girls chat with their keyboards —
just like a real chat room. But it limits the girl-talk to a white list
of approved words. “If you happen to use a word that’s not on our list
(even if it’s not a bad one), it will get blocked,” the service
cautioned girls at launch. “But don’t worry — we’re always adding
cool new words!”

Blown away

October 31, 2007 By: Andre Category: Identity

Yea I know, not very spooky, but Lunch just blew me away.

Snap Observation: MySpace & Facebook

October 31, 2007 By: Andre Category: Identity

MySpace = an artistic whiteboard for personal expression
Facebook = a utility for staying updated on what your friends are up to

For the first time, I think I’m starting to get ‘social networking’, and Facebook is much closer to a useful tool for me. I also find it curious how one of the best features of Facebook is really a derivative of ‘presence’, or an ability for people to project what they’re doing and where they are.


October 29, 2007 By: Andre Category: Identity

Apparently, as Steve Donovan tells me, dyslexia is indeed a treatable disease, which is a good thing, as we got spanked. I owe a lot of people steak dinners, and will be serving them up with my new Red Sox colors here very soon.

SAML SSO for Google Apps

October 24, 2007 By: Andre Category: Identity

Working with Google engineers over the past few days, one of our engineers today validated the use of PingFederate for establishing SAML single sign-on into Google Apps. Using our Integrated Windows Authentication (Windows IWA) integration kit,
a user can log into Windows (to Active Directory), open their browser,
and immediately gain secure SAML access to their Google email and other
applications and documents. Below are the notes from the engineer who
validated this interoperability.


an admin account for Google Apps. In the admin account, provide Google
with the URL for its SSO service and upload your public key such that
Google can verify your SAML responses. That’s the only configuration
necessary on the Google Apps account.

On the PingFederate side, create a new connection (in our test-case, we used the PingFederate IWA
adapter) and define the entityID and ACS URL for Google.

Below are the steps that describe how this works:

  1. User makes a request to reach a Google host application. In this case I was trying to access a Gmail account I had, and the URL for that was
  2. Google generates a SAML authentication request.
  3. We receive the SAML request and then authenticate the user. Since we are using the IWA adapter, the user already has a valid session.
  4. We generate a SAML response that contains the authenticated user’s username and send it to Google ACS.
  5. Google’s ACS verifies the SAML response using our public key and redirects the user to the destination URL.
  6. The user has been redirected to the destination URL and is logged in to Gmail.

Of course, you can try all of this for free, just download PingFederate,
get an activation key, select an integration kit, and have at it. Future
tech notes and a graphic explaining what we’ve done will follow.
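
The request-handling side of steps 2 to 4 above, as an added example that is not part of the original post or PingFederate's own code: it decodes an AuthnRequest, assuming the HTTP-Redirect binding (raw DEFLATE plus base64), and checks the issuer and ACS URL against the configured connection before any response is built. The entityID, ACS URL, request ID and function names are constructed placeholders, and signing the response is left out.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # cap on inflated request size

# Hypothetical connection table (placeholder values, not Google's real ones):
# entityID of the service provider -> the ACS URL configured for it.
CONNECTIONS = {"sp.example.com": "https://sp.example.com/acs"}

def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def parse_authn_request(saml_request: str) -> dict:
    """Decode a SAMLRequest and check it against the configured connection."""
    d = zlib.decompressobj(wbits=-15)
    xml = d.decompress(base64.b64decode(saml_request), MAX_XML)
    if d.unconsumed_tail:
        raise ValueError("request too large")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    expected_acs = CONNECTIONS.get(issuer)
    if expected_acs is None:
        raise ValueError("unknown entityID")
    # Never send the response to an ACS URL taken only from the request.
    if root.get("AssertionConsumerServiceURL", expected_acs) != expected_acs:
        raise ValueError("ACS URL does not match the configured connection")
    # Values the IdP copies into the SAML response it then signs (step 4).
    return {"in_response_to": root.get("ID"), "audience": issuer,
            "destination": expected_acs}

def sample_request(acs="https://sp.example.com/acs", issuer="sp.example.com"):
    """Constructed AuthnRequest for the demo, not a captured message."""
    return encode_redirect(
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_constructed123" Version="2.0" AssertionConsumerServiceURL="{acs}">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>")

if __name__ == "__main__":
    print(parse_authn_request(sample_request()))
```

Copying the request ID into the response's InResponseTo lets the service provider's ACS tie the response to the request it issued in step 2.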

Go Rockies!

October 23, 2007 By: Andre Category: Identity

thanks mark

ProQuo Launched Today

October 23, 2007 By: Andre Category: Identity

The average US citizen
receives 44 lbs of junk mail every year, so creating a more efficient
way to actively manage the marketing offers you want is a strong start
to improving this broken paradigm.

I’m really pleased to announce that today, ProQuo launched. There’s a lot of history behind ProQuo that I’ll get into at a later date, but suffice it to say, the company began as a result of some brainstorming sessions we had here at Ping Identity nearly two years ago. Under the vision and guidance of Steven Gal, ProQuo’s CEO (check out his new blog BrokenID), Dean Leffingwell (a Ping board member), and with a lot of hard work by the entire ProQuo team, this new service was created to provide agency-like services for consumers, helping them make meaningful choices about how companies used their personal data, beginning with a service to manage junk mail opt-out, and marketing offers opt-in.

ProQuo lets consumers choose which marketing they want to stop, and which they want to stay on (e.g., some people love their local coupons). And ProQuo will protect people with a revolutionary new privacy policy that goes far beyond any company I’ve ever seen in the consumer data business.

Personally, I think there is a strong connection with this vision, and what Doc Searls has been working on with VRM, and of course, the entire thing is rooted in identity.

Check it out

Rearden Commerce wins IDDY Award with PingFederate

October 19, 2007 By: Andre Category: Identity

Rearden Commerce was the recipient of the 2007 Liberty Alliance IDDY award at Digital ID World. They won the award and were recognized for the speed with which they deployed a SAML-based single sign-on solution based on PingFederate from Ping. Rearden Commerce’s initial deployment of Ping Identity’s PingFederate went live on July 9, 2007 and within one month, Rearden Commerce federated with 15 companies supporting 10-20 percent of all user sessions. Through PingFederate, the Rearden Commerce platform provides single sign-on capabilities via a wide variety of industry open standards, including SAML (Security Assertion Markup Language) 1.0, 1.1 and 2.0 protocols or the WS-Federation protocol, enabling corporations to provide secure seamless access to their employees without any additional user authentication.

I’d love to say that great software alone made this possible, but the reality is, Chuck Mortimore of Rearden Commerce is an exceptionally bright guy, who simply knows how to get things done.

More on Rearden Commerce

Delivered as Software as a Service (SaaS) to more than half a million
employees in more than six hundred companies, the Rearden Commerce Personal
Assistant leverages federation technology to help users find and purchase the
services they need based on their preferences and company policies. Identity
federation allows enterprises a standards-based approach to securely link and
exchange identity information across partner, supplier and customer
organizations. It effectively bridges separate security domains to provide
companies with the ability to secure their cross-boundary interactions —
removing friction, improving productivity, gaining efficiency and enabling
competitive differentiation.   

Through the use of federation technology, organizations deploying the
Rearden Commerce Personal Assistant have been rapidly achieving high levels of
user adoption. By making it easy for their employees to find and buy services
from preferred providers offering negotiated discounts, organizations typically
save 20-30 percent on the services purchased through the system.


Only 4%

October 16, 2007 By: Andre Category: Identity

They installed one of those LCD screens that display a mixture of factoids and commercials in our elevators a few months back. Apparently, in a recent survey, they asked people what they thought their CEO deserved for “National Boss Day” (whatever that is). The answers, as you’d guess, were pretty funny, and only 4% surveyed thought their boss was deserving of the CEO title. Ouch.