Andre Durand

Discovering life, one mistake at a time.

Archive for the ‘Ping Identity’

PingTrust v1.0 Now Available – Identity for Web Services

February 13, 2006 By: Andre Category: Ping Identity

After 9 months of hard work and sweat (not by me of course, but the Ping engineering, SQA and marketing teams), I’m proud to announce that we released our 3rd major product here at Ping — PingTrust v1.0. It’s the first complete stand-alone WS-Trust server and Security Token Service for creating, validating and exchanging security tokens. While at this stage it’s focused mostly on large, internal enterprise use-cases, it serves as the foundation for our support of Kim Cameron’s work around InfoCards and consumer-facing identity. It’s basically a Java STS, which is the foundation for creating an InfoCards server in support of Microsoft’s identity metasystem.

Why PingTrust

About PingTrust

Applications depend on user-level identity to protect critical resources, generate audit trails for regulatory compliance and support user-based billing. However, Web Services and SOA have lacked standards-based mechanisms for enabling trusted user identity, making these important functions difficult – if not impossible – without introducing proprietary application-level extensions that breach Web Services principles and introduce questionable security.

PingTrust builds on two open security standards that set the stage for true interoperability and a solution that scales. OASIS Web Services Security 1.0 (formerly WS-Security) allows for the embedding of security tokens in SOAP messages, while WS-Trust establishes a mechanism for obtaining and validating tokens from a Security Token Service (STS). PingTrust is such an STS. It supports both .NET and Java applications, Web-based and rich clients. PingTrust can operate on the Web Services Client-side, Provider-side or both sides of a Web Service transaction.

“With PingTrust, the concept of user session no longer ends at the application a user originally logs into, either directly or via federation,” commented Patrick Harding, chief technical officer, Ping Identity. “Instead, user session and identity now follow SOAP messages wherever they may go throughout the SOA.”

“By supporting WS-Trust, Ping Identity is providing a Security Token Service that can participate in the Identity Metasystem. This enables identity information to be exchanged using industry standard Web services, regardless of the underlying platforms,” said Michael Stephenson, Director of Identity and Access at Microsoft. “We look forward to Ping’s products interoperating with Microsoft technologies, including .NET, Active Directory and the upcoming ‘InfoCard’ technology.”

PingTrust: Caller ID for Web Services

Using PingTrust, a Web Services client can exchange the security token being used in the local security domain, such as a Kerberos ticket, for a SAML token that represents the original user’s identity in other federated security domains, including those at other companies. After being bound into a SOAP message and delivered to a Web Services Provider, the Provider will know who originated the request and will be able to use that information in determining how to process the request.

PingTrust is a lightweight, standalone, modular product that:

  • Provides out-of-the-box support for several token types including SAML 1.1 and SAML 2.0, X.509, Kerberos and username/password, and is extensible to support custom tokens
  • Provides a Web-based console for 100% GUI configuration
  • Moves identity-related security and cryptography code out of applications by consolidating security token processing into a centralized, shared server
  • Aggregates trust management to dramatically simplify administration
  • Does not require a heavyweight identity management system

Datasheet | Download PingTrust v1.0

Business Models 101 — 1 Degree from Money is better than 6

February 03, 2006 By: Andre Category: Ping Identity

By now I’m sure you’ve all read about the concept of 6 degrees of
separation. Similar to my fascination with wave theory, I’ve been
intrigued with this concept as it applies to business models. How many
times have you heard of some great Internet related business concept
wherein the business model was at least 6 degrees removed from money
changing hands?

I’ve got a new filter when I evaluate ideas, which goes part and parcel
with my thinking around bootstrapped businesses, and that is, 1 degree
of separation is better than 2 — especially when it comes to how a
business will make money. In the ideal situation, you’d put yourself in
the 0 degrees of separation from money, such as a bank. You’ll notice
how most of the skyscrapers in NY bear one of their names. Enough

Federation: Everywhere or Shared Infrastructure

December 15, 2005 By: Andre Category: Ping Identity

We recently reviewed a Burton 2005 year-end wrap up report on Identity
Management. In the report, Burton makes some
statements with respect to where federation functionality will be
consumed in the long-term. While there is plenty of room for debate, Patrick
Harding here at Ping made an
interesting observation which I felt appropriate to share.  

Burton Group Statements

  • Long term, federation isn’t a separate product
  • Federation standards already seeping into many product
    classes: Firewalls, gateways, application servers, and IdM
  • Federation likely won’t be point-to-point like SSL; various
    tiers of the infrastructure will act on claims as necessary
  • Systems need to federate, but that doesn’t necessitate an uber-federation system

Email Excerpt from Patrick Harding

“My point was that if every piece of infrastructure (i.e.
firewalls, SSL VPNs, App servers, IdM systems, apps, proxies, XML
gateways etc etc etc) can consume or generate a SAML Assertion then the
overall trust model becomes completely unwieldy. At a minimum every
piece of infrastructure needs keys for all partners to create or
validate signatures and in addition the processing capabilities to
map/retrieve the correct identifiers and attributes that can be
understood or have been received from a partner. I made the point that
this is analogous to saying every piece of infrastructure has its own
CA, or every piece of infrastructure has its own password

Federation Everywhere

“There has to be a separate layer of
infrastructure to manage federation partners for federation to
scale. One mechanism is a push model where an admin
console reaches out to every piece of SAML enabled infrastructure and
adds/deletes partners (and the keys) as well as setting the correct
expectations for identifiers and attributes. This is extremely hard
(think provisioning) in a heterogeneous environment. The second
mechanism is for each piece of infrastructure to request that the
federation layer create or consume SAML Assertions on its behalf. On
the creation side, a piece of infrastructure asks the federation layer
for a SAML Assertion it can use to access partner X. On the consumption
side, a piece of infrastructure asks the federation layer to consume an
externally generated SAML Assertion and return a SAML Assertion that
can be used internally for that piece of infrastructure.”

Federation As Shared Infrastructure

Ping Releases Apache Module for WS-Federation Single Sign-on

December 07, 2005 By: Andre Category: Ping Identity

Ping today announced a new open source Apache Module for extending ADFS and WS-Federation Single Sign-On into Apache environments and applications. The new toolkit (with source code) will be released on December 15th and made available for free download from Ping Identity’s sponsored open source website for federation toolkits. In addition to this, we announced our intention to support WS-Federation in PingFederate, our commercial, stand-alone federation server which today implements SAML 2.0 federation functionality.

About the WS-Federation for Apache Toolkit

The WSFedAuth Apache module will guard access to protected Apache 2.0 resources as configured by the administrator and/or application developer. 

If a user is identified correctly (as determined by possessing an AuthToken cookie) then access to the resource is granted; otherwise the module will initiate the WS-Federation Passive Profile to establish the identity of the user. The module is designed to interoperate with STSs that adhere to the WS-Federation: Passive Requestor Interoperability Profile V1.2 (9/19/2005).

In summary, the WSFedAuth Apache module will redirect an unauthenticated user to a WS-Federation STS server. Once authenticated by the STS the user is redirected back to the Apache server where the WSFedAuth module will consume and validate the returned RSTR message. Once validated the module will create an AuthToken cookie and redirect the user back to the original application resource.

Integration with ADFS

The WSFedAuth module can be configured to trust a local ADFS Resource STS. This implies that the ADFS Resource STS has been implemented within the same security domain (and likely the same DNS domain) as the Apache web server.

  • it is the responsibility of the ADFS Resource STS to establish trusts with multiple ADFS Requestor STSs.

  • the ADFS Resource STS handles identity and attribute mapping

  • the WSFedAuth module ONLY has to trust the key/cert of its local ADFS Resource STS

The WSFedAuth module can ALSO be configured to trust a remote ADFS Requestor STS.

  • in effect the WSFedAuth module becomes a Resource STS from the perspective of the ADFS Requestor STS

  • the WSFedAuth module is limited to only trusting a single ADFS Requestor STS (i.e. the Apache server can only support a single Identity Provider)

  • the WSFedAuth module will not perform any local identity/attribute mapping
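The round trip described above (redirect to the STS, consume the returned RSTR, issue the AuthToken cookie, then check that cookie on every later request), as an added example that is not Ping’s module code or part of this post. It shows the relying-party side in Python: the wsignin1.0 redirect, the policy checks the module must apply to the posted wresult when it trusts exactly one STS (issuer, audience, validity window with clock skew), and an HMAC-bound AuthToken cookie. The STS URL, realm, cookie secret and the sample RSTR are constructed. It assumes the XML-Signature on the RSTR has already been verified against the single trusted STS certificate by an XML-DSig library before consume_wresult runs; that verification is the “trust the key/cert of its local STS” step and is not repeated here.

```python
# Added example (not Ping's module): relying-party side of the WS-Federation
# passive profile, i.e. what an Apache guard like WSFedAuth has to do.
# ASSUMPTION: the RSTR's XML-Signature was verified by an XML-DSig library
# before consume_wresult() is called; an unverified wresult must not reach it.
import base64, binascii, calendar, hashlib, hmac, time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"   # WS-Fed 1.x RSTR namespace
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"       # SAML 1.x assertion namespace

def signin_redirect_url(sts_url, realm, reply_url, ctx):
    """Step 1: no AuthToken cookie -> send the browser to the STS sign-in endpoint."""
    return sts_url + "?" + urlencode(
        {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply_url, "wctx": ctx})

def _utc(stamp):
    """SAML 1.x xsd:dateTime (UTC, 'Z') -> POSIX seconds."""
    return calendar.timegm(time.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"))

def consume_wresult(wresult, realm, trusted_issuer, now, skew=60):
    """Step 2: the STS POSTs back wa=wsignin1.0&wresult=<RSTR>. Returns the subject
    name if the assertion passes the relying-party checks, raises ValueError otherwise.
    The module trusts exactly one STS, so the issuer is a single value, not a list."""
    rstr = ET.fromstring(wresult)
    assertion = rstr.find(".//{%s}Assertion" % SAML1)
    if assertion is None:
        raise ValueError("RSTR carries no SAML 1.x assertion")
    if assertion.get("Issuer") != trusted_issuer:
        raise ValueError("assertion not from the trusted STS")
    cond = assertion.find("{%s}Conditions" % SAML1)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion without a validity window is not accepted")
    if now + skew < _utc(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= _utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    if realm not in [a.text for a in cond.iter("{%s}Audience" % SAML1)]:
        raise ValueError("assertion was issued for a different realm (wtrealm)")
    subject = assertion.findtext(".//{%s}NameIdentifier" % SAML1)
    if not subject:
        raise ValueError("assertion names no subject")
    return subject

def mint_authtoken(subject, expires_at, secret):
    """Step 3: the module's own session cookie, HMAC-bound to subject and expiry."""
    payload = ("%s|%d" % (subject, expires_at)).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac

def check_authtoken(cookie, secret, now):
    """Every later request: verify the cookie before granting the resource."""
    try:
        payload_b64, mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(secret, payload, hashlib.sha256).hexdigest(), mac):
        return None
    subject, expires_at = payload.decode().rsplit("|", 1)
    return subject if now < int(expires_at) else None

# Constructed wresult: the RSTR a local ADFS Resource STS would post back
# (10-minute assertion for realm urn:apache:intranet, subject alice@example.com).
SAMPLE_WRESULT = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">
  <wst:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
        AssertionID="_c0ffee" Issuer="urn:federation:ADFS-resource"
        IssueInstant="2006-01-05T12:00:00Z">
      <saml:Conditions NotBefore="2006-01-05T12:00:00Z" NotOnOrAfter="2006-01-05T12:10:00Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>urn:apache:intranet</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows"
          AuthenticationInstant="2006-01-05T12:00:00Z">
        <saml:Subject><saml:NameIdentifier>alice@example.com</saml:NameIdentifier></saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""
```

The audience check is what keeps an assertion minted for one Apache realm from being replayed against another, and the single trusted issuer mirrors the module’s one-Identity-Provider limitation above; the skew window is applied on both ends of the validity interval so a slightly fast relying-party clock does not reject fresh assertions while an expired one is still refused.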



Respect: What separates the UFC from World Heavy Weight Boxing

December 02, 2005 By: Andre Category: Ping Identity

I recently upgraded all my TVs to Comcast HDTV. I had been a
DirecTV customer for over 6 years. The reason: Comcast basically gives
you the HDTV receivers with DVR, while DirecTV makes you buy them. It
would have cost me $1200 to upgrade all of the TVs in the house. With
a slightly altered channel lineup, I’ve noticed a lot of Ultimate
Fighting Championship programming in HD, so I’ve been watching it

While I enjoy boxing, I’m not a huge fan. What liking I did have for
the sport has diminished significantly in recent years, with the lack
of professionalism of both the boxers and certainly the promoters.

On the other hand, I’ve grown a tremendous amount of respect for the
individuals who fight in Ultimate Fighting. Having been in martial arts
for 7 years, I know first hand how a significant part of the training
teaches you a respect for others, a respect for life and to strive
for a balance in both your spiritual and physical life. Many if
not most of the UFC fighters are trained in mixed martial arts, and as
a result, it’s clear by their behavior both before and after the fights
that they’ve learned to live with a certain humility and respect for
their peers just not found in professional boxing. The rhetoric which
precedes a fight is often tempered by snippets of respect for their
opponent. While it is indeed a rather primal and brutal sport, I hope
at least they can maintain the caliber of individuals they are
currently attracting.

PingSTS Announced – Identity for Web Services

November 30, 2005 By: Andre Category: Ping Identity

Ping today announced that PingSTS (Preview 1) is now available as part of our early adopter program. It’s Ping’s second major product, and the brainchild of our new VP of Technology, Patrick Harding, who had a need for it at Fidelity before joining Ping. Darren Platt, former head of engineering at Securant before it was purchased by RSA Security, has been leading our efforts here, and doing a wonderful job. PingSTS is a Security Token Server which effectively allows companies to centralize, much like a certificate authority, where they get SAML assertions for use in their web services and SOA initiatives. The graphic below shows how we connect the introduction of this new product, which enables app-to-app identity, to our existing product, which enables user-to-browser identity.

PingSTS is an advanced WS-Trust Security Token Server. It builds upon WSS 1.0 and WS-Trust to supply a Security Token Service (STS) for identity-enabling web services. Using PingSTS, a Web Services client will be able to exchange the security token being used in the local security domain, such as a Kerberos ticket, for a SAML security token that represents the original user’s identity in other federated security domains, including those at other companies. PingSTS also allows Web Services providers to validate SAML security tokens before performing requested services.
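The token exchange this paragraph and the “PingTrust: Caller ID for Web Services” section above both describe, as an added example that is not Ping code: the client presents its local Kerberos token to the STS and asks for a SAML 1.1 token scoped to a partner service, binds the issued token into the outbound SOAP request, and the provider on the far side asks the STS to validate the token it received before doing any work. It assumes WS-Trust 1.3, SOAP 1.2 and WS-Addressing 1.0 namespaces (the 2005/02 WS-Trust draft current when this was written used different URIs); the STS and partner URLs, the Kerberos blob and both STS replies are constructed.

```python
# Added example (not Ping code): the three WS-Trust messages behind "Caller ID
# for Web Services". ASSUMPTION: WS-Trust 1.3 / SOAP 1.2 / WS-Addressing 1.0 URIs.
import xml.etree.ElementTree as ET

S = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML11_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
KRB_AP_REQ = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for _p, _u in {"s": S, "wsa": WSA, "wst": WST, "wsp": WSP, "wsse": WSSE, "saml": SAML1}.items():
    ET.register_namespace(_p, _u)   # readable prefixes in the serialised messages

def q(ns, name):
    return "{%s}%s" % (ns, name)

def envelope(action, to, security_children=()):
    """SOAP envelope with WS-Addressing headers and a wsse:Security header; returns (env, body)."""
    env = ET.Element(q(S, "Envelope"))
    hdr = ET.SubElement(env, q(S, "Header"))
    ET.SubElement(hdr, q(WSA, "Action")).text = action
    ET.SubElement(hdr, q(WSA, "To")).text = to
    ET.SubElement(hdr, q(WSSE, "Security")).extend(security_children)
    return env, ET.SubElement(env, q(S, "Body"))

def issue_request(sts_url, kerberos_ap_req_b64, partner_service):
    """Client -> STS: present the local Kerberos AP-REQ (WSS Kerberos token profile)
    and ask for a SAML 1.1 token scoped (AppliesTo) to the partner's service."""
    bst = ET.Element(q(WSSE, "BinarySecurityToken"), {"ValueType": KRB_AP_REQ, "EncodingType": B64})
    bst.text = kerberos_ap_req_b64
    env, body = envelope(WST + "/RST/Issue", sts_url, [bst])
    rst = ET.SubElement(body, q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = WST + "/Issue"
    ET.SubElement(rst, q(WST, "TokenType")).text = SAML11_TOKEN
    epr = ET.SubElement(ET.SubElement(rst, q(WSP, "AppliesTo")), q(WSA, "EndpointReference"))
    ET.SubElement(epr, q(WSA, "Address")).text = partner_service
    return ET.tostring(env, encoding="unicode")

def issued_token(response_xml):
    """Client: pull the assertion out of the STS's RSTR; refuse any other token type."""
    doc = ET.fromstring(response_xml)
    rstr = doc if doc.tag == q(WST, "RequestSecurityTokenResponse") \
        else doc.find(".//" + q(WST, "RequestSecurityTokenResponse"))
    if rstr is None:
        raise ValueError("no RequestSecurityTokenResponse in STS reply")
    token_type = rstr.findtext(q(WST, "TokenType"))
    if token_type != SAML11_TOKEN:
        raise ValueError("unexpected TokenType %r" % token_type)
    assertion = rstr.find(q(WST, "RequestedSecurityToken") + "/" + q(SAML1, "Assertion"))
    if assertion is None:
        raise ValueError("RequestedSecurityToken carries no SAML 1.x assertion")
    return assertion

def bind_token(assertion, service_url, action, body_xml):
    """Client -> provider: the issued token rides in the request's wsse:Security header."""
    env, body = envelope(action, service_url, [assertion])
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

def validate_request(sts_url, assertion):
    """Provider -> STS: 'is this token good?' (WS-Trust Validate binding, status-only reply)."""
    env, body = envelope(WST + "/RST/Validate", sts_url)
    rst = ET.SubElement(body, q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = WST + "/Validate"
    ET.SubElement(rst, q(WST, "TokenType")).text = WST + "/RSTR/Status"
    ET.SubElement(rst, q(WST, "ValidateTarget")).append(assertion)
    return ET.tostring(env, encoding="unicode")

def token_is_valid(validate_response_xml):
    """Provider: the Validate RSTR answers with wst:Status/wst:Code; anything but 'valid' is a no."""
    code = ET.fromstring(validate_response_xml).findtext(".//" + q(WST, "Status") + "/" + q(WST, "Code"))
    return code == WST + "/status/valid"

# Constructed STS replies: the Issue response (5-minute SAML 1.1 token, Kerberos
# authentication method) and a Validate response saying the token is valid.
SAMPLE_ISSUE_RESPONSE = f"""<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">
 <wst:RequestSecurityTokenResponse>
  <wst:TokenType>{SAML11_TOKEN}</wst:TokenType>
  <wst:RequestedSecurityToken>
   <saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1" AssertionID="_a1"
     Issuer="urn:example:sts" IssueInstant="2006-02-13T10:00:00Z">
    <saml:Conditions NotBefore="2006-02-13T10:00:00Z" NotOnOrAfter="2006-02-13T10:05:00Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="urn:ietf:rfc:1510"
       AuthenticationInstant="2006-02-13T09:59:00Z">
     <saml:Subject><saml:NameIdentifier>alice@corp.example</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
   </saml:Assertion>
  </wst:RequestedSecurityToken>
 </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>"""
SAMPLE_VALIDATE_RESPONSE = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">
 <wst:TokenType>{WST}/RSTR/Status</wst:TokenType>
 <wst:Status><wst:Code>{WST}/status/valid</wst:Code></wst:Status>
</wst:RequestSecurityTokenResponse>"""
```

The point of the Validate leg is the one the post makes: the provider never needs the partner’s signing keys or any SAML code of its own, it only needs to trust its local STS, which is why issued_token rejects a reply whose TokenType is not the one requested and token_is_valid treats anything other than the exact status/valid URI as a refusal.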

PingFederate with SAML 2.0 – Ready for Download

November 22, 2005 By: Andre Category: Ping Identity

PingFederate v3.0, now with SAML 2.0 support for federated single sign-on, logout and attribute exchange is now available for immediate download from

Commitment & Passion

November 15, 2005 By: Andre Category: Ping Identity

We launched a new version of our federation server today — PingFederate 3.0. On schedule. While I’ve been fortunate to have worked with some exceptionally talented people throughout my career at both Durand and Jabber, the maturity of the Ping team and their commitment and passion to deadlines and quality is truly extraordinary. I’m honored to be working with this group.  

IDG Partners with Digital ID World

September 23, 2005 By: Andre Category: Ping Identity

We (Digital ID World) today announced a partnership with IDG, which we’ve been working on for the past two months. It will allow us to significantly accelerate and expand the conference, both domestically and internationally. From our little interaction to date, IDG is one quality outfit, and I’m pretty excited to work with them to accelerate awareness around the centrality of identity to computing and security. Here’s an excerpt from the announcement.



Digital ID World and IDG World Expo Join Forces

Premier identity event reaches new plateau in serving the identity industry


FRAMINGHAM, MA, September 23, 2005 – IDG World Expo, the leading producer of world-class tradeshows, conferences and events for technology markets, and Digital ID World, Inc. today announced that the two companies will work together to make Digital ID World even more valuable and relevant for the identity community. Digital ID World®, the premier identity industry event dedicated to digital identity technologies and solutions, is scheduled to take place in Spring 2006.


“Our May 2005 event was a watershed moment where both attendees and vendors saw the power and value of this event, and they wanted it to grow and expand in new directions,” said Phil Becker, founder and conference co-chair of Digital ID World. “To better serve this community, we are joining forces with IDG World Expo, giving us the capability to be very responsive to the demands of this rapidly growing industry. We now have the tools to make this event even more impactful and valuable for vendors and attendees, while continuing our tradition of vendor-neutral industry advocacy.” 


Digital ID World will combine the identity industry expertise of Phil Becker, Founder and Conference Co-Chair of Digital ID World, with IDG World Expo’s expertise as a world class event producer. IDG World Expo will manage all aspects of bringing the audience and vendors together, while Digital ID World, Inc. will continue to organize the strategy, develop the conference content and communicate with the identity industry leaders about the direction of the event.


Digital ID World provides business executives and IT managers with an exclusive conference opportunity to interact with thought leaders, developers and providers of identity solutions. With real world deployment case studies focused on the enterprise and presentations covering identity-based technologies, standards, business processes, Web services security and RFID, Digital ID World offers superior networking, in-depth information and practical advice.


“Phil Becker founded Digital ID World in 2002 to help foster and grow the identity industry, and this industry is moving to the next stage of its evolution, in large part because of his diligent efforts,” said David Korse, CEO, IDG World Expo. “We’re excited to work with Digital ID World to help enterprises and vendors who are harnessing identity technologies and solutions.”

Platt’s Law of Assertions

September 16, 2005 By: Andre Category: Ping Identity

In a meeting the other day, we were musing about the consequences of assertion life-time value, noting that most PKI-like assertions were ‘long-lived’ and SAML assertions were optimized for ‘short-lifespan’.

Darren Platt made a comment which stuck in my mind when he stated that ‘shorter assertions, when the infrastructure is capable of handling them, will always be used over longer assertions.’.

I’ve not had time to analyze the trends with which assertion life-time values are declining, but it occurred to me that this statement is quite profound, in a Moore’s Law sort of way.

We live in a world of long-lived assertions, or ‘tokens’ (assertions of identity), both physical and, in the case of PKI certs, digital (think of VeriSign’s SSL certs). The lifetime of these assertions is in many cases measured in years. I suspect that over time, as new infrastructures arise to deal with these assertions, such as federated identity infrastructures capable of building and receiving SAML assertions, the gates of accessibility will become increasingly tied to ‘real-time’ policy enforcement.

While this thought has not been completely fleshed out, I’d like to refer to this as Platt’s Law of Assertions, which, simply put, states that “shorter assertion lifetimes will always prevail over longer assertion lifetimes, given that the infrastructure to deal with them is in place.”