Andre Durand

Discovering life, one mistake at a time.

Archive for the ‘Ping Identity’

Google Enterprise Apps & SAML?

October 26, 2006 By: Andre Category: Ping Identity

I missed the original announcement, but apparently on Tuesday Google announced Google Apps, a collection of collaboration tools which can be tied into existing identity directories and SSO. While this is being rolled out in education first, you can see where it could and likely will be extended to the enterprise in the future. Here’s some of the article by John Fontana.

The unique aspect of the education version is a set of APIs that lets users tie the Google services to existing backend infrastructure such as directories and single sign-on platforms. Google is using standards such as the Security Assertion Markup Language to support single sign-on and a Representational State Transfer (REST)-based XML interface to link to directory services.

The API set is a hint at what Google plans to offer corporate users when it introduces an enterprise edition of Google Apps before the end of the year.

are the kinds of things we are thinking about for the enterprise edition,” says Rajen Sheth, product manager for Google Apps for Education. “Integration like this is what will be important for the enterprise edition as well.”

Ping is Hiring

October 18, 2006 By: Andre Category: Ping Identity

If you are passionate about identity, and want to join a company that shares that passion from top to bottom, call us. We’re hiring in nearly every department: engineering, quality, sales, marketing and support.

Ping Identity’s mission is to build one of the greatest identity companies ever, and there couldn’t be a better time to get on-board in the identity industry.

You can send resumes to me personally, and I’ll forward them to the appropriate individual here in Ping.

The Perfect Storm

September 20, 2006 By: Andre Category: Ping Identity

I came in early today, juiced. What a fantastic time to be involved in the identity industry. Weather forecast: the perfect storm.


User-Centric Identity & Federation

September 15, 2006 By: Andre Category: Ping Identity

At this year’s Digital ID World in San Francisco, you could feel the conversation between “user-centric identity” on one side and identity management and federation on the other begin to normalize in scale and scope. Personally, nothing could be more exciting, because I believe it’s not until these disparate and somewhat independent conversations come together that we will truly realize the power of identity over the internet.

I believe the N-state for the identity industry from an Internet infrastructure perspective has got to normalize the requirements of three constituents (user, identity provider and service provider), and so in classic web2.0 fashion, the mashup of federation and user-centric identity is a critical moment in our history, and a great time to be involved in this particular market opportunity.

To put it more succinctly, I believe there are fundamentally only 3 constituents in the identity conversation, a triad that can be visualized as follows.


In order to gain the right perspective, one must look at the equation from the top, and not through the prism of any one node; i.e. you cannot look at the needs and requirements of identity providers and service providers through the prism of an end-user without seeing them as distant second cousins. Conversely, you should not look at the needs and requirements of the end-user through the goggles of either an identity provider or a service provider, for fear that the end-user’s needs for privacy are left unmet.

Instead, viewing all three from the top gives one the perspective that all nodes are indeed equally important, and that we will only delay the inevitable if we weight any one constituent too heavily over the remaining two.

When one considers that a primary goal of both federation and user-centric identity is to separate and free identity from any one domain, to roam as necessary with convenience, privacy and security, then one must consider the N-state to be comprised of a large number of permutations (user-to-user, user-to-business, business-to-business), each equally valid depending on the context.

More on this topic to follow…

The next big challenge for federation

September 15, 2006 By: Andre Category: Ping Identity

I’ve been spending a lot of time lately thinking about the intersection of user-centric identity and federation as well as issues surrounding both trust and scale.

My sense is that “Federation Simplified,” the Ping mantra for the past 18 months, will only get us so far, and beyond that we’ve got some work to do. I put together this slide for the Federation Users Group at Digital ID World this week, and thought I’d share it and a few other ideas while I’m at it.


Conclusions thus far are as follows:

  • Pair-wise trust, as denoted by the hub-and-spoke topology of identity federation in its current state of adoption by enterprises and their partners, will likely never be fully replaced by some top-down, user-centric model. Because the use-cases in the back-office are so diverse, some level of ‘hard-coding’ is not only acceptable, but likely just the reality. Therefore, to take federation one step further, we’ve got to get to “one-click federation”.
  • A break-through in trust models is likely to occur, but I suspect, with regard to business interests, only in the customer-facing interactions between users and businesses. One variance to this theme is the federation communities which will likely form business-to-business in a few select verticals such as auto, health, government, aerospace and pharma.
  • Federation at scale therefore needs to break through two major barriers: the technical / legal barriers associated with hub-and-spoke deployments, and the intersection of user-centric identity and federation as it exists today, which needs to normalize at the protocol / infrastructural level.

CardSpace Demo of Managed Identity Provider

September 09, 2006 By: Andre Category: Ping Identity

CardSpace is a Microsoft identity initiative which is to be shipped with Vista. While many of the use-cases surrounding CardSpace extend to the public internet and the average Internet user, it will likely also have a large impact on how enterprises deploy identity management systems. At this year’s 2nd annual Federation Users Group, and onstage with Kim Cameron of Microsoft at Digital ID World 2006, Ping will demo the latest version of its CardSpace server, now complete with both Managed IdP as well as Service Provider capabilities. As an added bonus, we’ll demo how to chain passive and active federation seamlessly, allowing for on-the-fly privacy context switching, and real-world use-cases where passive federation gives way to active and vice-versa.

The Digital ID World demo will show two scenarios in an attempt to depict how passive federation (via SAML 2.0 Web SSO Profiles or WS-Federation) and active federation (via CardSpace) can both play a role in enabling a seamless user experience for accessing outsourced apps. The plan is not to state that active is better than passive or that active replaces passive, but to demonstrate how passive and active federation work together to enable a myriad of different business use cases.

Scenario 1: An enterprise employee leverages their internal employee portal to access applications that are hosted externally. In the first case we plan to show how SAML 2.0 Web SSO (passive federation) is used to enable seamless access into the web site. The user has no control over this, as the employer has deemed that the use of is critical to their business and they want no friction for their sales force in entering information for forecasting purposes. The user has no choice. In the second case we plan to show how CardSpace is used to ‘optionally’ enable seamless access into the employee’s Employee Benefits web site. As the Employee Benefits web site is made up of a mixture of personal and corporate information (i.e. 401k, health and payroll), the employee is given the choice of whether to enable SSO via the use of CardSpace. The Employee Benefits web site is enabled with CardSpace. After the user clicks on the ‘Benefits’ link in their corporate portal, they are prompted with different Cards (Employer and Benefits) which they can then choose between for accessing the Benefits web site. If they choose Employer, then they will be enabled with SSO from the Corporate Portal in future interactions.

Scenario 2: An enterprise employee is traveling and loses their cell phone. They use their laptop to access their corporate cell phone provider in an effort to have the phone replaced immediately. The employee would normally access this web site via SSO from their corporate portal. The cell phone provider web site is enabled with CardSpace to simplify the IdP discovery and selection process. The employee is prompted to use their Employer card to authenticate to their employer’s authentication service. The cell phone provider web site leverages CardSpace to handle IdP selection rather than having to discover this themselves. Once the user has authenticated to their employer, the returned security token contains the relevant information to service the employee’s request for a new cell phone.

Other use case scenarios we planned on discussing in our presentation but will not demo:

Scenario 3: Standard (non-web) UI metaphor for employee use of Strong Authentication

Scenario 4: Standard (non-web) UI metaphor for employee authentication reduces risk of phishing attacks against employees.

Scenario 5: New UI metaphor allows user to choose different roles for accessing different applications. (i.e. manager authenticates as manager role which requires strong auth). This is also useful when delegation occurs and allows temporary use of a ‘Managers’ card when the Manager is on vacation.

InfoCards Demo

June 12, 2006 By: Andre Category: Ping Identity

We’ll be demo’ing the Ping Identity Java InfoCards Server this week at Catalyst in the Microsoft Hospitality Suite. It was built on top of PingTrust, but will likely become a module of PingLogin. I really appreciate the kind words from Kim Cameron; he’s been great in helping us get this far. The demo will also show how an InfoCards authentication can then be federated via SAML and WS-Federation to one of several security domains via PingFederate and our turn-key integration kits.


PingFederate 4.0 Released – Download Today

June 05, 2006 By: Andre Category: Ping Identity

We released PingFederate 4 today. You can download it from our website. Version 4.0 can legitimately be called ‘robust’.

Notable Features:

  • Multi-Protocol SSO & SLO Support — SAML 1.0, 1.1, 2.0 & WS-Federation
  • 100% Use-Case Driven GUI Configuration
  • Advanced Out-of-Box Data-Source Integration (LDAP, RDBMS, Custom SDK)
  • Role-Based Administration
  • Advanced Support for Identity Linking & Mapping
  • Support for Advanced Failover and Clustering Configurations
  • Turn-Key Integration Kits for Java, .Net, Siteminder, COREid, & NTLM (Windows login)

Best of all, you can use PingFederate for free for 100,000 transactions. Download Now.

Boeing Federates leveraging Ping

May 10, 2006 By: Andre Category: Ping Identity

As an entrepreneur who’s been slogging it away in the trenches of identity and federation going on 6 years (yea, I’m feeling a bit old lately), it’s nice to have a few big wins every now and then. This one’s big for us.

Boeing Pioneers Federated Identity Management with Partners
Bert Latamore

May 10, 2006 (Computerworld) —  “We are at the beginning of a very big thing,” says Mike Beach, associate technical fellow at The Boeing Co. “We are on the edge of a huge uptake of this idea of federated identity over the Internet, and in coming years that will be the way people do business.”

The reason, he says, is expense control. The concept of federated identity basically is single sign-on at the browser level, not just for a few applications inside a company but between organizations. If a person is authenticated by his employer, under a federated identity model that authentication is accepted automatically by business partners with which that company has federated agreements, allowing that employee to access information at those other entities to which he has access privileges without having to reauthenticate himself.

Specifically, it means that Boeing’s 150,000 employees and 40,000 retirees can log onto Boeing’s network once and then access benefits information at any of the several financial institutions involved without having to log on to those companies’ networks or applications. And mechanics at Southwest Airlines, which piloted federated identity with Boeing, can access the latest maintenance manuals, bulletins and other information on Boeing aircraft without having to enter passwords or other identification information on Boeing’s portal. Instead, the individual’s identification comes embedded in each transaction using the Security Assertion Markup Language (SAML) standard, part of the XML standard set.

This provides three key benefits. For the user, it makes accessing specific information to which he is authorized on multiple private networks as transparent as accessing public Web pages on the Internet. Actually, most of these transactions travel over the Internet between corporate networks in encrypted form. But the key business driver is that it eliminates the need to manage intermediary passwords, which is estimated to be as high as $500 to $1,000 per user per month. It also simplifies and improves security for the service provider, which no longer needs to track changes in status of people in partnered organizations. So if a mechanic at Southwest Airlines, for instance, leaves the company, Boeing does not need to be informed. As soon as the former employee’s access to Southwest’s network is revoked, he can no longer access Boeing’s information.

Boeing and Southwest Airlines have been pioneering their federated connection for three years, while several business, legal and technical issues were worked out. “For the last couple of years, industry in general has been wrestling with the legal and business implications of federation, the liability issues, and who owns what,” says Beach, “And there were issues with competing standards in the industry. So we were in a holding pattern.”

As those were worked out, Boeing ran into a practical problem. “As we established new agreements with our benefits providers, we added a clause specifying that they would provide a SAML-based federated identity connection,” Beach said. “Many said, ‘Sure, we will be happy to do that.’ Then frequently Boeing would get a call from the provider’s security people asking, ‘Just what is SAML, and how do we set up federated identity?’”

Obviously Boeing’s business partners needed to be educated. Rather than take that on itself, Boeing contracted with Ping Identity Corp. in Denver, a network consulting and software company specializing in federated identity management, to write a manual and educational material covering all the information Boeing’s partners need to set up their end of the federated identification connection and to provide educational and technical support as needed.

Then just as Boeing’s identity management seemed cleared for takeoff, it ran into another snag. The SAML standard was evolving rapidly toward Version 2.0, which will incorporate both of the competing standards. But the software that Boeing was using had not been extended past Version 1.0. Once again Boeing turned to Ping, whose federated identity management solution supports all published versions of SAML.

“Since late last year we have added a half dozen connections with different companies,” Beach says. “We have about 10 customers that are in the process of putting the federated linkage together, and I hear we have talked with more than 20 others. Obviously in the future this is the way business will work.”

Drivers for mass end-user adoption of identity

March 15, 2006 By: Andre Category: Ping Identity

Having spent several months contemplating the end-user side of identity, I’m convinced that utility, not convenience, and reaction, not action, are required to drive mass adoption.