Andre Durand

Discovering life, one mistake at a time.

Archive for May, 2007

1st Identity Conference – Europe

May 10, 2007 By: Andre Category: Identity

I just returned from Munich and a Q&A session with Tim Cole at the opening of the 1st European Identity Conference.

The conference was well attended, reminding me a lot of our first Digital ID World. Tim Cole, Martin and Jorg did a class job with this event, attracting a solid representation from the states and throughout Europe. While deployments lag some months behind the US, there was really good awareness and a pretty deep understanding of most of the issues. I was impressed.

The Shutdown Statement

May 10, 2007 By: Andre Category: Identity

I’ve found there are two things that can be said in a business context for which there is simply little response. It almost doesn’t matter what the context, if you want to stop someone dead in their tracks, these two lines will nearly always do the trick.

  1. “You’ve got it wrong, it’s not about XXX, it’s about the business.”
  2. “You’re being naive.” or “You’re being defensive.” (thanks Jason)

Let me illustrate.

Someone comes in your office and says, “Our servers have crashed, we don’t have a backup because YOU didn’t authorize it, our largest customer just canceled next year’s subscription and our lead engineers have quit! I told you this would happen but you didn’t listen. What are you going to do about it?”

Your response in this situation should be, “You’ve got it wrong, it’s not about you, or me, or the servers crashing, I don’t want to hear your excuses, it’s about the business, and minimizing the business impact!”

Of course, feel free to improvise. Adding words to the end gives the statement added punctuation, befitting nearly any circumstance. For example, it could be about ‘business impact’ or ‘business value’ or ‘business policy’ — just as long as it’s about the business.

BTW, these statements appear to work equally well when given upstream in the chain of command — perhaps even better. The next time your boss comes in and says, “I’m worried about meeting our deadline.” your response should be, “…it’s not about deadlines, you’re being naive, it’s about getting the job done and maximizing business value.”

Mind you, this is a powerful weapon, and should not be abused.

PingFederate 4.4 with Citrix, WebSphere & SAP Netweaver Integration Kits – Now Available

May 02, 2007 By: Andre Category: Identity

Ping Identity today announced the immediate availability of PingFederate 4.4, with functionality required for E-Authentication SAML 2.0 certification. We also released three new integration kits for Citrix, SAP Netweaver and WebSphere.

These new product upgrades are coming so fast recently, we can hardly keep up around the rest of the company. We announced PingFederate 4.3 only a few weeks ago during SaaScon. PingFederate 4.3 had functionality for Software On-Demand providers, now PingFederate 4.4 adds functionality for the Federal Government and the E-Auth 2 initiative for SAML 2.0.

Other features in PingFederate 4.4 include:


  • Attribute Value Transformations
    – PingFederate supports an expressive and flexible syntax to transform
    attribute values. The transformation expressions (which can be simple
    to highly elaborate) are created, tested and validated within the
    administrative console prior to deployment.

  • Multiple Network Interface Support
    – In complex data center environments where servers contain multiple
    network interfaces, customers may require that particular types of
    traffic, such as partner, administration and cluster messages, be
    routed to explicit interfaces. PingFederate supports the ability to
    listen for specific traffic on multiple interfaces, which increases
    server security and prevents administration tasks from competing with
    partner requests over the same network.

  • Signed Metadata File Support
    – Metadata files are used to rapidly configure federation partner
    connections. In addition to unsigned files, signed metadata files may
    be imported into and generated by PingFederate. When a signed metadata
    file contains an invalid signature, PingFederate prevents its

  • Certificate Revocation List (CRL) Enforcement
    – When a partner certificate for signature verification, SSL, or
    encryption contains a reference to a CRL distribution point from a
    trusted Certificate Authority, PingFederate verifies that the
    certificate has not been revoked and prevents its use if it has been

  • Improved Administrative Interface
    – Changes have been made to the Main Menu and Local Settings views in
    the administrative console that improve usability and reduce
    post-installation work. The Main Menu utilizes a more intuitive layout
    that clearly separates Identity Provider and Service Provider roles as
    well as general server-wide settings.

  • SOAP Binding
    – PingFederate supports the SAML 2.0 SOAP binding, which enhances
    interoperability and benefits customers who implement custom

Sucking Wind

May 02, 2007 By: Andre Category: Identity

As I’m simply trying to keep the 5 guys from Ping who rode last Saturday within visual range, I’m reminded, always hire people better than you.

The picture pretty much tells the story. Bill Wood (pictured to my left) dropped back just for a bit of encouragement.


Identity Continuity

May 01, 2007 By: Andre Category: Identity

Burton’s recent report, “In Search of the Internet Identity System: Contrasting the Federation Approaches” by Mike Neuenschwander does a really nice job comparing / contrasting the various approaches to identity federation. While I agreed with the summary below, and I can’t speak to the other vendors, I can tell you it won’t take Ping Identity several years to remix these technologies into a workable solution. We’ll do it in well less than a year. The reason this has been given such a high priority here at Ping is that everyone loses if we don’t really focus on creating continuity for end-users and businesses implementing this technology. Things can be messy under the covers, but from an end-user experience, this all has to look / work smooth.

“As WS-SX, SAML, and OpenID vie for the hearts and minds both of developers and Internet users, it may seem
that one of these technologies will soon displace the other two to become the dominant identity federation
standard. That is unlikely to happen. Although these technologies are often represented as competitive solutions
for web SSO and identity federation, each technology serves a different legitimate purpose and each will therefore
find some measure of success in the market segments it serves best. More important, no single technology is
sufficiently versatile to dominate the SSO market.

A synthesis of the best ideas in SAML, WS-SX, and OpenID—combined with higher-level services and
applications—will form the basis of a next-generation and (hopefully) workable, holistic approach to Internet
identity. Although the communities are already interacting, it will take several years to remix these solutions into
viable products. In the meantime, each approach will continue to garner support from its respective market