Andre Durand

Discovering life, one mistake at a time.

Archive for September, 2006

Believe and Think Big

September 29, 2006 By: Andre Category: Life

For those of you that know me, you know I no longer look nearly as young as the photo in the upper left. My goatee’s got gray hair and the frosting’s gone — although I have been known to raise the hair on occasion. I’m convinced the reason is not just that I’m approaching forty, but that I’m actually approaching 5 years in the identity industry.

Two events last week have given me ground for renewed energy. First, I met a truly interesting individual, Tom Bogan, currently a Partner at Greylock Ventures and Chairman of Citrix and formerly the President of Rational, where he built the company from $80M to over $800M before selling it to IBM. My dinner with him and our conversation gave me perspective on what it takes to build a billion dollar software company (factoid: I was told there have only been around 35 in all history — I’m shocked) and the importance of thinking big and never letting go of one’s dream. Unfortunately, reality has a way of chipping away at those big dreams over time, and it was nice to get back in touch with some of the unbridled optimism which defines so many entrepreneurs.

Secondly, I read a fantastic book, Ship of Gold in the Deep Blue Sea. It’s about the sinking and recovery of one of America’s great steamer ships around the mid-1800s. With 149 survivors out of 600, it’s a tale of tragedy, hope, courage and luck, but mostly, about determination, vision and focus and how these traits can overcome any obstacle. What some people label impossible, others view as a challenge and dream for the taking.

This month marks a turning point for me and for Ping. After five years, some of the passion and hard work here at Ping is finally starting to pay off. I’m smiling and looking forward to the future.

  • We just had our biggest month ever
  • We blew by our total 2005 sales this quarter
  • We’ve broken all previous records for new customers & deals both in a month & for a quarter
  • We just received our eAuth Certification for selling into Federal
  • We were notified this week that we won our first Federal deal
  • And best yet, we’re entering Q4 with the largest pipeline to date

The Perfect Storm

September 20, 2006 By: Andre Category: Ping Identity

I came in early today, juiced. What a fantastic time to be involved in the identity industry. Weather forecast – the perfect storm.


User-Centric Identity & Federation

September 15, 2006 By: Andre Category: Ping Identity

At this year’s Digital ID World in San Francisco, you could feel the conversation between “user-centric identity” and identity management and federation begin to normalize in scale and scope. Personally, nothing could be more exciting, because I believe it’s not until these disparate and somewhat independent conversations come together that we will truly realize the power of identity over the internet.

I believe the N-state for the identity industry from an Internet infrastructure perspective has got to normalize the requirements of three constituents (user, identity provider and service provider), and so in classic web2.0 fashion, the mashup of federation and user-centric identity is a critical moment in our history, and a great time to be involved in this particular market opportunity.

To put it more succinctly, I believe there are fundamentally only 3 constituents in the identity conversation, a triad that can be visualized as follows.


In order to gain the right perspective, one must look at the equation from the top, and not through the prism of any one node, i.e. you cannot look at the needs and requirements of identity providers and service providers through the prism of an end-user without seeing them as distant second cousins. Conversely, you should not look at the needs and requirements of the end-user through the goggles of either an identity provider or a service provider, for fear that the end-user’s needs for privacy are left unmet.

Instead, viewing all three from the top gives one the perspective that all nodes are indeed equally important, and that we will only delay the inevitable if we too heavily weight any one constituent over the remaining.

When one considers that a primary goal of both federation and user-centric identity is to separate and free identity from any one domain to roam as necessary with convenience, privacy and security, then one must consider the N-state to be comprised of a large number of permutations (user-to-user, user-to-business, business-to-business), each equally valid depending on the context.

More on this topic to follow…

The next big challenge for federation

September 15, 2006 By: Andre Category: Ping Identity

I’ve been spending a lot of time lately thinking about the intersection of user-centric identity and federation as well as issues surrounding both trust and scale.

My sense is that “Federation Simplified,” the Ping mantra for the past 18 months, will only get us so far, and beyond that, we’ve got some work to do. I put together this slide for the Federation Users Group at Digital ID World this week, and thought I’d share it and a few other ideas while I’m at it.


Conclusions thus far are as follows:

  • Pair-wise trust, as denoted by the hub-and-spoke topology of identity federation in its current state of adoption by enterprises and their partners, will likely never be fully replaced by some top-down, user-centric model. Because the use-cases in the back-office are so diverse, some level of ‘hard-coding’ is not only acceptable, but likely just the reality. Therefore, to take federation one step further, we’ve got to get to “one-click federation”.
  • A break-through in trust models is likely to occur, but I suspect, with regards to business interests, only in the customer-facing interactions between users and businesses. One variance to this theme is the federation communities which will likely form business-to-business in a few select verticals such as auto, health, government, aerospace and pharma.
  • Federation at scale therefore needs to break through two major barriers: the technical / legal barriers associated with hub-and-spoke deployments, and the intersection of user-centric identity and federation as it exists today, which needs to normalize at the protocol / infrastructural level.

CardSpace Demo of Managed Identity Provider

September 09, 2006 By: Andre Category: Ping Identity

CardSpace is a Microsoft identity initiative which is to be shipped with Vista. While many of the use-cases surrounding CardSpace extend to the public internet and the average Internet user, it will likely also have a large impact on how enterprises deploy identity management systems. At this year’s 2nd annual Federation Users Group and onstage with Kim Cameron of Microsoft at Digital ID World 2006, Ping will demo the latest version of its CardSpace server, now complete with both Managed IdP as well as Service Provider capabilities. As an added bonus, we’ll demo how to chain passive and active federation seamlessly, allowing for on-the-fly privacy context switching, and real-world use-cases where passive federation gives way to active and vice-versa.

The Digital ID World demo will show two scenarios in an attempt to depict how passive federation (via SAML 2.0 Web SSO Profiles or WS-Federation) and active federation (via CardSpace) can both play a role in enabling a seamless user experience for accessing outsourced apps. The plan is not to state that active is better than passive or that active replaces passive, but to demonstrate how passive and active federation work together to enable a myriad of different business use cases.

Scenario 1: An enterprise employee leverages their internal employee portal to access applications that are hosted externally. In the first case we plan to show how SAML 2.0 Web SSO (passive federation) is used to enable seamless access into the web site. The user has no control over this as the employer has deemed that the use of is critical to their business and they want no friction for their sales force in entering information for forecasting purposes. The user has no choice. In the second case we plan to show how CardSpace is used to ‘optionally’ enable seamless access into the employee’s Employee Benefits web site. As the Employee Benefits web site is made up of a mixture of personal and corporate information (i.e. 401k, health and payroll) the employee is given the choice of whether to enable SSO via the use of CardSpace. The Employee Benefits web site is enabled with CardSpace. After the user clicks on the ‘Benefits’ link in their corporate portal, they are prompted with different Cards (Employer and Benefits) which they can then choose between for accessing the Benefits web site. If they choose Employer then they will be enabled with SSO from the Corporate Portal in future interactions.

Scenario 2: An enterprise employee is traveling and loses their cell phone. They use their laptop to access their corporate cell phone provider in an effort to have the phone replaced immediately. The employee would normally access this web site via SSO from their corporate portal. The cell phone provider web site is enabled with CardSpace to simplify the IdP discovery and selection process. The employee is prompted to use their Employer card to authenticate to their employer’s authentication service. The cell phone provider web site leverages CardSpace to handle IdP Selection rather than having to discover this themselves. Once the user has authenticated to their employer the returned security token contains the relevant information to service the employee’s request for a new cell phone.
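The active-federation exchange in Scenario 2 (and the card choice from Scenario 1) can be walked through as a small simulation. The code below is an added example, not Ping’s CardSpace server or anything Microsoft ships: the relying party publishes a policy (required claims plus the issuers it trusts), the identity selector filters the user’s cards against it, the chosen managed IdP authenticates the employee and issues a token bound to that relying party, and the relying party verifies issuer, signature, audience, expiry and claim coverage before servicing the request. The issuer URLs, card names, shared HMAC key and employee directory are constructed for illustration; a real CardSpace exchange carries WS-Trust messages and an asymmetrically signed SAML token, for which the HMAC here is only a stand-in.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class RelyingPartyPolicy:
    """What the RP (the cell phone provider site) asks the selector for."""
    audience: str
    required_claims: frozenset
    accepted_issuers: frozenset


@dataclass(frozen=True)
class InformationCard:
    """A card in the user's selector; issuer 'self' marks a self-issued card."""
    name: str
    issuer: str
    supported_claims: frozenset


def select_cards(cards, policy):
    """Identity-selector step: offer only cards whose issuer the RP trusts
    and that can supply every claim the RP requires."""
    return [card for card in cards
            if card.issuer in policy.accepted_issuers
            and policy.required_claims <= card.supported_claims]


class ManagedIdentityProvider:
    """The employer's authentication service behind the managed 'Employer' card."""

    def __init__(self, issuer, key, directory, lifetime=300):
        self.issuer, self.key, self.lifetime = issuer, key, lifetime
        self.directory = directory  # constructed user -> claims store

    def issue_token(self, user, policy, authenticated, now=None):
        # The IdP authenticates the employee itself; no token without that step.
        if not authenticated:
            raise PermissionError("employee not authenticated")
        now = int(time.time()) if now is None else now
        record = self.directory[user]
        payload = {"iss": self.issuer, "sub": user,
                   "aud": policy.audience,  # bound to the requesting RP only
                   "exp": now + self.lifetime,
                   "claims": {c: record[c] for c in sorted(policy.required_claims)}}
        body = json.dumps(payload, sort_keys=True)
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


class RelyingParty:
    """Verifies the returned token before servicing the phone-replacement request."""

    def __init__(self, policy, issuer_keys):
        self.policy = policy
        self.issuer_keys = issuer_keys  # issuer -> verification key (trust anchors)

    def accept_token(self, token, now=None):
        now = int(time.time()) if now is None else now
        payload = json.loads(token["body"])
        key = self.issuer_keys.get(payload["iss"])
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            raise ValueError("bad signature")
        if payload["aud"] != self.policy.audience:
            raise ValueError("token issued for a different relying party")
        if payload["exp"] <= now:
            raise ValueError("token expired")
        missing = self.policy.required_claims - payload["claims"].keys()
        if missing:
            raise ValueError(f"missing claims: {sorted(missing)}")
        return payload["claims"]


# Constructed fixtures for Scenario 2 (hypothetical issuers, key and directory).
EMPLOYER_KEY = b"constructed-shared-secret"
EMPLOYER_IDP = ManagedIdentityProvider(
    "https://idp.example-employer.test", EMPLOYER_KEY,
    {"alice": {"employee_id": "E-1001", "cost_center": "CC-42", "plan_tier": "gold"}})
PHONE_PROVIDER_POLICY = RelyingPartyPolicy(
    audience="https://phones.example-carrier.test",
    required_claims=frozenset({"employee_id", "cost_center"}),
    accepted_issuers=frozenset({EMPLOYER_IDP.issuer}))
ALICE_CARDS = [
    InformationCard("Employer", EMPLOYER_IDP.issuer,
                    frozenset({"employee_id", "cost_center", "plan_tier"})),
    InformationCard("Benefits", "https://benefits.example-vendor.test",
                    frozenset({"employee_id", "plan_tier"})),
    InformationCard("Personal", "self", frozenset({"email"})),
]


def run_scenario_2(now=None):
    """RP policy -> selector offers matching cards -> employer IdP issues token
    -> RP verifies it. Returns (offered card names, accepted claims)."""
    offered = select_cards(ALICE_CARDS, PHONE_PROVIDER_POLICY)
    chosen = offered[0]  # the employee picks the 'Employer' card
    token = EMPLOYER_IDP.issue_token("alice", PHONE_PROVIDER_POLICY,
                                     authenticated=True, now=now)
    rp = RelyingParty(PHONE_PROVIDER_POLICY, {EMPLOYER_IDP.issuer: EMPLOYER_KEY})
    return [c.name for c in offered], rp.accept_token(token, now=now)


if __name__ == "__main__":
    print(run_scenario_2())
```

The selector offers only the Employer card, because the Benefits card’s issuer is not one the phone provider trusts and the self-issued card cannot supply the required claims; that filtering is the “IdP selection” the post says the relying party hands off to CardSpace. The relying party side shows the checks that matter once a token arrives: a token minted for another relying party, or past its lifetime, is refused even though its signature is valid.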

Other use case scenarios we planned on discussing in our presentation but will not demo:

Scenario 3: Standard (non-web) UI metaphor for employee use of Strong Authentication

Scenario 4: Standard (non-web) UI metaphor for employee authentication reduces risk of phishing attacks against employees.

Scenario 5: New UI metaphor allows user to choose different roles for accessing different applications. (i.e. manager authenticates as manager role which requires strong auth). This is also useful when delegation occurs and allows temporary use of a ‘Managers’ card when the Manager is on vacation.