Andre Durand

Discovering life, one mistake at a time.

Archive for the ‘Ping Identity’

SAML 2.0

March 15, 2005 By: Andre Category: Ping Identity

SAML 2.0 is a milestone for the federation industry, and will likely be
a major accelerant of adoption. Fragmentation among the standards
efforts has kept the market confused and implementations overly
complicated. At this point, mainstream adoption of identity federation
is no longer inhibited by standards, but by the availability of quality
products that have been tested for security and validated for interoperability.

Go Ahead and Federate Away

March 07, 2005 By: Andre Category: Ping Identity

Download PingFederate v2.0.

We launched Ping’s first commercial product two weeks ago — PingFederate v2.0. After nearly 15 months of development, rigorous testing and several successful deployments, we believe it to be the best federation server on the market. What’s likely most interesting about it is our pricing model. We took a novel approach towards pricing and completely changed the way we intend to go to market. 

After months of debate, we determined that a traditional sales model around what amounts to enterprise security software just didn’t make sense. We would have had to raise a ton of additional capital to support and succeed at this model. Instead, we opted to go to market leveraging a more viral, organic and guerrilla marketing approach, which was more consistent with our DNA anyway.

Basically, companies can download and install as many PingFederate identity gateways as they wish. Each installation is allowed up to 100k federated transactions for free. Beyond that, we figure companies have validated both PingFederate and the federated approach as providing value, and we offer flexible subscription or perpetual pricing from there, depending on a company’s needs. We call it our “pay for success” pricing model, and it’s being very well received.


Digital ID World 2005

January 03, 2005 By: Andre Category: Ping Identity


Well, with 2005 officially here, it’s time to start thinking about this year’s Digital ID World, which is moving to San Francisco in May. This year’s theme, All Roads Lead to Identity, is appropriate given the current state of information security, border security, spam, phishing, compliance and the management of both identity risk and fraud. We’ll continue to focus on Identity Management, but will expand this theme to identity-enabling web services. We also anticipate breaking out strategy, implementation and emerging technologies, something we’ve not done before…

Border Security

January 03, 2005 By: Andre Category: Ping Identity

I was watching a special MSNBC report on border security. The expert was talking about the fact that they need better cross-country, cross-border coordination of identity and authentication. It’s interesting to listen to the terminology they use, which has direct parallels to the terminology used in information security and with the federation of identity. No doubt our government issued identities will at some point be linked (federated) as part of their attempt to stop the flow of potential terrorists into this country. Funny how this too puts more emphasis on the point of initial identification and vetting.    

Timing of Personal Identity

December 07, 2004 By: Andre Category: Ping Identity

There appears to be a resurgence of energy, discussion and initiatives aimed at tackling personal identity. While I’m a believer that people will indeed care about and actively manage their digital identity (their distributed personal information), I’m generally skeptical that it will occur en masse in the near term. That said, John Udell in a December 3rd article on InfoWorld describes one of the more compelling drivers I’ve heard about for actively managing one’s personal identity information when he states, “But when others assert facts (attributes) about you — as they increasingly will — the tide could begin to turn. Individual acts of self-defense may ultimately combine to bootstrap the semantic Web (or active management of one’s personal identity).”

Rise of the Attribute Horde

September 21, 2004 By: Andre Category: Ping Identity

I read a great Editor’s note in CIO Insight this month on the effective end of privacy as corporations build massive customer databases in an attempt to better understand how, who, when and what to sell to people. In federation terms, I call this ‘attribute-hoarding’: companies aggregate our attributes and then leverage that aggregation to build ever more complex algorithms for predicting our behavior. While I’m generally OK with trading privacy for convenience on a per-company basis, I’m less enthused about allowing that implied privacy relationship to be federated without my knowledge, but that’s another topic.

I wanted to home in on a particular line of business which specializes in aggregating our personal attributes for the purpose of resale. I think these companies are particularly dangerous, as they become concentrators of data which could be used in a variety of unpredictable ways, most of which are not necessarily beneficial to the attribute owner him/herself. Unfortunately, they already exist in many forms, and it’s already big business in a variety of markets, so I doubt there is much we can do to stop the ones that seek to aggregate attributes that we consider to be private.

Federated Identity & PKI Collide

September 17, 2004 By: Andre Category: Ping Identity

We’re coming across more and more initiatives where PKI and Federation seemingly overlap. As is the case with most technologies, there is some overlap both in use-cases and where the technology can and will be applied. We took the time the other day to summarize some of the key differences between the two, attempting to outline where they were strong, where there was overlap and where there wasn’t. A summary of these findings is listed below. 


  • PKI and Federation are not mutually exclusive.

    • Federation leverages PKI heavily for server-to-server and client-to-server security (the TLS and signing keys that protect the federation protocol itself).

    • PKI is particularly good for enabling a strong authentication which can then be federated. Federation is authentication-method agnostic.

  • While PKI can provide a vehicle for attribute distribution, it is not particularly good at accommodating the more dynamic use-cases where authorization decisions will be made on-the-fly (via rules-based engines).

  • By contrast, federation is particularly strong for enabling a scalable infrastructure for the sharing of dynamic attributes (attributes which change more often than those carried with long-lived credentials).

  • Leveraging PKI for strong authentication of the end-user is likely a good thing in the long term. Leveraging that strong PKI authentication for session-based assertions (that is, not performing strong authentication everywhere, but instead carrying it via federation assertions within a particular user session) is also a likely outcome of the convergence of the two technologies.

Federation vs. PKI, topic by topic:

Authentication Method

  Federation:

    • Authentication-method independent.

    • Authentication assertions are based upon authentication done outside of the pure federation protocols.

  PKI:

    • Used for strong authentication with a certificate granted through a Registration Authority, which performs identity proofing, and a Certificate Authority, which manages policies.

    • High assurance and high security.

Longevity of Credentials / Assertions

  Federation:

    • Particularly good for short-lived identity-related assertions (via tokens).

    • The life of an assertion is typically short (minutes), i.e. “a session.”

  PKI:

    • Particularly good for enabling long-lived tokens, carried in the certificate.

    • The life of a certificate can be several years.

Primary Utility

  Federation:

    • Federated authentication represents a methodology for extending authentication to multiple relying parties via short-lived authentication assertions.

  PKI:

    • PKI represents a methodology for binding an entity to a long-lived credential for the purpose of enabling strong authentication at the point of use.

Where Authentication is Performed

  Federation:

    • Authentication is provided at the Identity Provider / Credential Service Provider (IdP/CSP) according to the methodology in use at that Identity Provider (password, token, certificate, or other).

  PKI:

    • Authentication is performed at the Service Provider / Relying Party based on the root CA (in the cert), the expiration date (in the cert), and a check against revocation (CRL or OCSP).

Dynamic vs. Static Infrastructure

  Federation:

    • Provides for a dynamic infrastructure: trust in an IdP/CSP can be established at any time by adding that IdP/CSP to the federation list.

  PKI:

    • Static infrastructure: the certificate chain to the root is contained in the certificate, and the SP/RP must already know and trust that root.

Anonymity & Pseudonymity

  Federation:

    • Enables anonymity / pseudonymity, where access can be granted based on ‘role’ rather than on individual identity.

    • Passes assertions containing an identity ‘handle’ to the receiving site.

  PKI:

    • Identity is represented by a unique ID within the certificate.

    • The certificate identity is used for authentication at all SP/RPs.

Handling of Attributes

  Federation:

    • Particularly strong at providing an infrastructure for flexible, dynamic attribute sharing:

      • multiple attributes can be carried in any assertion

      • attributes can differ by site

      • attributes can be dynamic values

      • enables rule-based policy based on attributes

  PKI:

    • Attributes are placed in the certificate at the time it is issued; there is no easy or scalable method for updating that static attribute list.

Cost to Deploy

  Federation:

    • Server infrastructure cost and complexity does exist. However, when federation is extended to the end-user, deployment cost and complexity do not grow the way they do for PKI in the same use-cases.

  PKI:

    • Can be expensive and complex to deploy and maintain all the way to the end-user. Appropriate where security requirements are high and static attributes are not an issue.

Summary Findings

  Federation:

    • Very good for assertions based on a recent/session authentication.

    • Makes sense for re-use of authentication across multiple domains.

    • Most appropriate for internet-scale applications where very high volume and dynamic infrastructure are considerations.

    • Dynamic attribute support.

    • Enables dynamic partnering.

    • Short-lived token.

  PKI:

    • Very good strong authenticator.

    • Makes sense for secure access to a single domain.

    • Most often used method to protect server-to-server or client-to-server conversations.

    • Weak attribute sharing support.

    • Requires a pre-determined trust list.

    • Persistent credentials.


Chalk one up for simplicity

August 10, 2004 By: Andre Category: Ping Identity

It’s interesting to me how all of the AAA vendors have scooped up provisioning companies in the last 18 months. I hear through the grapevine that provisioning products are ‘selling like hotcakes’, while traditional AAA grows at a 3% rate annually.

What’s funny about this is that AAA vendors have traditionally sold the value of their products on the merit of having identity, authentication and authorization policy in one location, saying that this is more secure and easier to manage than keeping identity embedded in every application. Yet provisioning products do little to forward this cause; instead they provide a band-aid for dealing with the reality of decentralized and unconnected identity as it exists today.

As enterprises struggle with entropy, products which deal with today’s heterogeneous and distributed nature will continue to do well. This speaks well to the future of identity federation (loosely coupled identity systems).

Sun & Microsoft to cooperate on SSO

June 29, 2004 By: Andre Category: Ping Identity

Sun and Microsoft plan to detail Phase One of their historic partnership in late summer, Sun Chairman and CEO Scott McNealy said Tuesday at JavaOne.

The first phase of the partnership will be to “solve single sign-on” and facilitate interoperability between the LDAP model of the directory and identity management products in Sun’s Java Enterprise System and Microsoft Active Directory, McNealy told attendees in his morning keynote at Sun’s annual Java developer confab in San Francisco.

Once Sun and Microsoft make their software interoperable, “users can log into the network once without having to remember multiple passwords and have their authentication travel across software infrastructure from both Sun and Microsoft,” McNealy said.

Speaking at Supernova – June 24-25, 2004

June 10, 2004 By: Andre Category: Ping Identity

I’ll be speaking at Kevin’s Supernova conference at the end of this month on the topic of identity federation. If you plan to be there and want to get together, send me a note at