Andre Durand

Discovering life, one mistake at a time.

Archive for May, 2007

Switzerland of Federation Servers

May 25, 2007 By: Andre Category: Identity

Around 18 months ago we set out to close the gap in PingFederate last mile integration by developing a suite of turn-key adapters designed to simplify SAML integration. The notion was, if we’re going to position PingFederate as the Switzerland of federation servers, we had better achieve multi-protocol capabilities and integrate equally well with every target environment.

As time went on, the full scope of what needed to be done became more and more daunting. There were no short cuts, and the task was clearly not going to be easy. For each target system, we had to become near experts.

With perseverance and exceptional management however, two ingredience which can conquer nearly anything, we’ve now completed the vast majority of these integration kits.

Living up to the ‘Switzerland’ positioning of PingFederate is now complete as we can now federation enable applications in all of the following target environments.

PingFederate Integration Kits

AOL Supports SAML

May 23, 2007 By: Andre Category: Identity

Patrick came across this blog post today which describes AOL’s Simple Federation implementation of SAML 2.0.

AOL supports simple federation with SAMLv2

In addition to the work AOL is doing to support OpenID, we’ve also been working with SAMLv2
to provide a simple federation profile for our partners. This allows
users to federate an account at a partner to an account at AOL so that
SSO is enabled from the partner to AOL or vise-versa.

This implementation uses the “SAMLv2 Lightweight Web Browser SSO Profile” and “SAMLv2.0 HTTP POST SimpleSign Binding”.
Since the current use cases are fairly restricted we simplified the
process even more such that only source-first SSO, using an unsolicited
<Response> message is supported.

The actual federation of
identifiers is done during the registration process using existing AOL
protocols. SAML is then used for the SSO Assertion between the
partners. The flow goes something like this…

  1. User goes to browser and loads site A
  2. User authenticates at site A using the account credentials associated with site A
  3. User clicks on link to partner site B
  4. Site A generates the SSO Assertion for site B using site B’s pre-determined federation identifier
  5. Site A uses the http POST method to post the SSO Assertion to site B
  6. Site B validates and verifies the SSO Assertion
  7. User is “signed-on” to site B with site B’s federated identifier
the Simple-Sign binding significantly simplified the development effort
as XMLDSIG is one of the more complicated parts of SAML. As more tools
for XMLDSIG become available this will be less and less of a barrier to

PingFederate Single Connection License

May 23, 2007 By: Andre Category: Identity

Yesterday Ping Identity announced a new license for PingFederate Single Connections. It’s for those enterprises looking to take their first step into federation. We’ve focused for years on making federation easy and cost effective. This is just another step along that path.

  • Fast Deployments – PingFederate can be downloaded, installed, configured and tested in hours, not weeks or months. Deploy SAML 1.0, 1.1, 2.0 or WS-Federation in hours.
  • Standalone – PingFederate has no dependencies. There is nothing additional to buy to deploy PingFederate.
  • Compatible – Pre-built Integration Kits make PingFederate compatible with virtually every type of software organizations use to manage user identities and deploy Web applications.
  • Conformant – PingFederate has been certified Liberty Alliance SAML 2.0 interoperable and GSA E-Authentication compliant.
  • Upgradeable – A single connection server can upgrade to a full multi-connection hub with a simple upgrade of licensing. No further changes to the software are required.
  • Affordable – A one-year PingFederate server subscription supporting a single partner connection with unlimited transactions, applications and users is:

USD $9,000 with Ping Identity’s Bronze-level support

USD $10,000 with Ping Identity’s Silver-level support

USD $11,000 with Ping Identity’s Gold-level support

Oh yea, and btw, I was in London recently. Whoa, that 2:1 exchange rate is a KILLER for those of us from the US. So if you’re in the UK, you’ve basically got the 50% off sale!

Scamming the Scammers

May 23, 2007 By: Andre Category: Identity

I watched “To Catch a Con Man” on MSNBC the other night with a big smile on my face. They basically set out to catch some of the criminals behind the 419 Nigerian scams.

I don’t know about you, but I have a feeling of near helplessness when I see these things. There are just so many of them, and they’re coming from several countries outside of the US where we have no jurisdiction. Furthermore, many of them are organized crime syndicates. The entire thing is nearly overwhelming, every con man with access to an Internet Cafe can reach across the ocean and scam unsuspecting individuals around the world. One part of me says that people should know better, but then I speak with my mom, and it reminds me that there are whole generations that simply have not been exposed to this sort of remote malicious intent.

Like so many crimes, at the heart of the abuse is identity — or the lack thereof in this case, but that’s going to take some time to fix. If there were actually a private sector business model to catching these criminals, nothing would give me more pleasure than doing so. In the mean time, I guess I’ll just contribute a few small tools and services to help protect the innocent.

The Bleeding Edge

May 22, 2007 By: Andre Category: Identity

I’ve observed an interesting phenomenon recently worth sharing. It has to do with individuals who are the most daring and most willing to try and adopt a new or emerging technology who unfortunately, never end up benefiting.

There is a term for these people, they are the ‘bleeding edge’. Aptly named, these individuals jump in a little too early, which is unfortunate, as their tolerance for risk actually paves the way for others success. These individuals hope to leverage emerging technology for competitive advantage, but stumble, likely because the technology wasn’t yet ready for prime time or because there were other market factors at play outside their control. Unfortunately, these individuals form an early negative opinion which sticks with them well beyond its useful life, and it’s this phenomenon that keeps them from then acting when things are indeed ready, and first mover advantage is actually obtainable.  

The road to success in emerging technology is paved with the skeletons of bleeding edge innovators, many of which never actually realize the fruits of their early risk-taking nature. It’s sort of sad in a way.  

Where at first you do not succeed, try try again.

Timing, Timing, Timing

May 22, 2007 By: Andre Category: Identity

As the saying goes in real estate, “it’s all about location, location, location.” Well, in technology, it’s all about timing, timing, timing. There is no such thing as right product, right market, right team, without ‘right time.’

I’m convinced that a large part of ‘being lucky’ is in fact tied to the notion that all you need to do to succeed is position yourself as standing on right corner when the bus drives by. A lot harder to do in practice than one might think. It’s like catching a wave if you’ve ever tried to surf. 90% of the challenge is positioning your board at the base of the break, nose-pointed into shore.

My epitaph will likely read, “Loving and devoted husband and father. Spent the bulk of his career trying to position himself into the right time zone.” Many successful people will tell you they spent several years banging their heads against a particular market, only to finally succeed and have people say, “look, an instant success!”

Ping Identity is Hiring!

May 21, 2007 By: Andre Category: Identity

We have lots of open positions right now at Ping Identity. If you’re passionate about what you do, and want to join a company that will both appreciate your skills but also stretch and improve them, and you’re looking to make a difference in identity, please contact us!

Ping Identity is a team oriented company and we have managers who are at the top of their field and the top of their game. We produce high quality products that push the envelope on what’s achievable in identity, and it’s only going to get more fun from here. Now is a great time to join Ping Identity. With 100 of the largest enterprises in the world as customers, we’re no longer a start-up, but we’re not a big company either — we get things done, fast. 

Open Positions

More information

Dependent vs. Independent Identity

May 17, 2007 By: Andre Category: Identity

This is a follow-on to the Three Tiers of Identity.

It’s likely a natural part of any evolving landscape, that is, the tension created between differing views, beliefs and approaches, but there are, rightfully, at least two distinct types of identity. While I don’t know if the infrastructures that support them will converge, I do know at the very least, we should respect them for what they are. 

Dependent Identity
Within the enterprise, your ‘identity’ is wholly dependent upon your employment. Your role, your access and your rights are dictated by your employer. In short, your identity is dependent upon your employer. Call this an ‘enterprise identity’, or ‘corporate identity’, it doesn’t matter, it’s still dependent upon your relationship with that entity.

In this setting, you’re identity has very few independent attributes. You can chose to leave the company, in which case your corporate identity will be removed or revoked (you’ll be de-provisioned), but you don’t control very much about that identity while you’re there, and you have even less control over which attributes the company moves around its network in the process of supporting and securing its business.

SAML and WS-Federation and what we now know as ‘federation’ have been optimized to meet the needs of enterprises as they secure access to cross-domain resources both internally, and externally. A high degree of security, explicitly managed trust and control over the who, what, when, where and why is given to the enterprise, rightfully. In the early days of Ping, I referred to this as a Tier 2 identity, or an ‘issued identity’. Dependent is simply a new name for the same thing. Net/net, the company doesn’t own you or your identity, but they do own your employee identity which enables you to perform your job while on their networks.

Independent Identity
Contrast this with Independent Identity, or ‘user-centric’ identity. With independent identity, your identity is, well, independent of anyone else. An independent identity is YOUR identity, which you should rightfully control and use to your benefit. This identity transcends any one particular silo of interaction, or your current employer, much the same way your Gmail or Yahoo email account transcends your corporate email address.

Independent identity is neither better than dependent identity, nor more morally significant, it’s simply different as it serves the individual first and foremost, and the individuals desire for privacy, security and control, the same way an enterprise seeks to control, protect and secure its assets.

Independent identity is the same as user-centric identity, but with one important exception, it recognizes, not chastises, the value and importance of dependent identity.

Digital ID World 2007

May 16, 2007 By: Andre Category: Identity

Strange Bedfellows

May 16, 2007 By: Andre Category: Identity

IT Gets Around.

Federate. Smart.