Andre Durand

Discovering life, one mistake at a time.

Archive for February, 2007

SSO Becoming Agentless within Enterprise

February 13, 2007 By: Andre Category: Identity

Ping Identity’s Patrick Harding and I have been discussing the natural evolution towards SAML for conveying user identity and session state across domains. With its rise in popularity, it’s inevitable that packaged enterprise applications will begin to embed native SAML SP capabilities in future releases of their products. This will likely take 3 years or so, but in the end, the N-state will likely see the demise of the ‘one big proprietary cookie domain’ concept of today’s WAM products. Patrick developed these graphics, which do a good job of displaying the evolution.

The Trends

  • Enterprises are asking for Web SSO support from their ISVs
  • ISVs reluctant to implement proprietary WAM cookie schemes
  • ISVs looking at standards-based SAML as the answer
  • ‘SAML is to User SSO’ as ‘LDAP was to User Auth’


  • Mix of WAM agent-based SSO and Microsoft Kerberos SSO
  • AD becoming single directory and employee identity store
  • SAML for SSO between disparate security domains or to ESPs
  • ISV applications support LDAP for single-password user authentication

  • Agent-less SSO – Kerberos, ADFS and SAML
  • AD is employee identity store
  • SAML for SSO between disparate security domains and to ESPs
  • ISV applications support SAML for agentless SSO

United: First Choice to Last Resort

February 11, 2007 By: Andre Category: Identity

I’ve flown nearly 500k miles with United Airlines, and rode with them through some of the worst periods of customer service imaginable during their employee strike a few years back. I’m by nature a loyal person, so I was willing to ride through the tough times with them, and while I’m a big fan of loyalty programs, and United had one of the premier programs for the past several years, their service, pricing and loyalty perks simply no longer add up.

Denver has been one of United’s largest hubs, so it used to be the only choice for flexible non-stop flight schedules into and out of Denver. New competition such as Frontier changes that. But I have to admit, it’s not the introduction of competition that’s got me rethinking this loyalty:

  • customer service reps are hamstrung by restrictive policies which limit their ability to assist customers at ticket counters
  • computer algorithms which run their planes so tight that I’m consistently put in the back of the plane — even having flown 80k miles last year,
  • the sense of being nickel and dimed to death at every interaction,
  • prices that appear to be at least 20% to 30% higher than other airlines on many flights,
  • phone service that has been outsourced to those whose English is very hard to understand,
  • and upgrade tickets and awards travel miles that have such tight restrictions on travel dates so as to make them all but useless.

Don’t get me wrong, I’m glad that United has emerged from bankruptcy status and I’d hate to see a US company such as United go out of business, but I also can’t imagine I’m the only executive business flyer questioning my choice of airlines given the above. I think it’s time to support a different airline.

Open Source CardSpace Apache Module

February 07, 2007 By: Andre Category: Identity

In addition to the CardSpace/OpenID demo Ping Identity is showing at the RSA conference and this paper (just released) comparing and contrasting the various schemas for internet-scale identity, we just this morning released a new open source CardSpace module for Apache. Download it here.

The Apache Authentication Module for CardSpace allows applications using an Apache Web server to use Information Cards as an additional authentication mechanism. It allows LAMP-based Web applications written in Perl or PHP to act as CardSpace relying parties (RP) by means of simple configuration. The module is responsible for decrypting the token submitted by the CardSpace identity selector, retrieving the claims and making the claims available for the application’s use.
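The SSO post above describes ISV applications consuming SAML assertions directly, and the paragraph above describes a relying party that decrypts a CardSpace token and hands the claims to the application. Either way, the application-side question is the same: once a decrypted assertion is in hand, which checks must pass before its claims are trusted? The following is an added example, not code from the Apache module or from Ping Identity. It assumes decryption and signature verification have already been done by the module, and shows the remaining relying-party checks on a SAML 1.1 assertion: the NotBefore/NotOnOrAfter validity window (with a small clock-skew allowance) and the AudienceRestriction, followed by extraction of the attribute claims. The sample assertion, its identifiers and the function names are constructed for this illustration.

```python
# Added example (not the Apache CardSpace module's code): relying-party checks
# on a decrypted SAML 1.1 assertion, then extraction of its attribute claims.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed sample: a decrypted SAML 1.1 assertion shaped like the one a
# CardSpace identity selector submits. All values are made up for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="uuid-example-0001"
    Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
    IssueInstant="2007-02-07T10:00:00Z">
  <saml:Conditions NotBefore="2007-02-07T10:00:00Z" NotOnOrAfter="2007-02-07T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://rp.example.test/login</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="emailaddress"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="givenname"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when an assertion must not be trusted by this relying party."""


def _parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'.
    if value is None:
        raise AssertionRejected("missing timestamp in Conditions")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml, expected_audience, now, clock_skew=timedelta(seconds=60)):
    """Validate Conditions, then return claims as {namespace/name: [values]}.

    Precondition (assumed, as in the module described above): the assertion has
    already been decrypted and its signature verified against a trusted issuer.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML1:
        raise AssertionRejected("not a SAML 1.x assertion")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions element")

    # Validity window, allowing a small skew between issuer and RP clocks.
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now + clock_skew < not_before:
        raise AssertionRejected("assertion not yet valid")
    if now - clock_skew >= not_on_or_after:
        raise AssertionRejected("assertion expired")

    # Audience restriction: a token minted for another site must be refused.
    audiences = {a.text.strip() for a in
                 cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS) if a.text}
    if not audiences:
        raise AssertionRejected("no audience restriction present")
    if expected_audience not in audiences:
        raise AssertionRejected("assertion not intended for this relying party")

    # Only after the checks pass are the claims exposed to the application.
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        claims[key] = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return claims


def evaluate(assertion_xml, expected_audience, now_iso):
    """Convenience wrapper: returns {'accepted': bool, 'claims' | 'reason': ...}."""
    try:
        claims = extract_claims(assertion_xml, expected_audience, _parse_time(now_iso))
        return {"accepted": True, "claims": claims}
    except AssertionRejected as exc:
        return {"accepted": False, "reason": str(exc)}


if __name__ == "__main__":
    print(evaluate(SAMPLE_ASSERTION, "https://rp.example.test/login", "2007-02-07T10:02:00Z"))
    print(evaluate(SAMPLE_ASSERTION, "https://rp.example.test/login", "2007-02-07T10:07:00Z"))
    print(evaluate(SAMPLE_ASSERTION, "https://other.example.test/", "2007-02-07T10:02:00Z"))
```

The claim key is built from the attribute namespace and name so that an application can look up a claim by its full URI rather than by a bare name that another issuer could reuse. The checks are ordered so that no claim is visible to the application until the time window and audience have both been accepted.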

“This is an amazing new piece in the identity puzzle,” said Kim Cameron, Chief Architect for Identity and Access, Microsoft Corporation. “Now the benefits from Information Cards and Windows CardSpace can be extended to the full group of Apache users to enable increased security against phishing attacks.”

You Finish where you Start

February 06, 2007 By: Andre Category: Identity

When you start a business, one of the most important things to consider is where you start, because your entire future trajectory will be largely predicated upon, perhaps even ‘constrained’ by this initial decision. Not all starting points are equal.

Would Microsoft have dominated the PC the way they have had they not started with operating systems? Would Yahoo or Google have become who they are without starting with search?

With respect to start-up ventures, much of a venture’s future success, rate of growth and ultimate point of ascension can be known, perhaps even predicted, very early, and much of it, more than I gave credit to until now, has to do with how careful (or lucky) the entrepreneur is in selecting the very initial point of attack.

Of course, I am a big believer that willpower, hard work and a world-class team can both grow and overcome not only most obstacles, but perhaps even the gravity of their own initial genetics, so I’m not suggesting that all businesses are beholden to their initial selection of a starting point. But the point is, starting points matter more than many give them credit for.

I’ve always wanted to create a butterfly, but having chosen my start when and where I did, I might need to settle instead for simply becoming the biggest, fattest caterpillar in my space. But that doesn’t mean I won’t put up a fight to change my lot.

You finish where you start.