ADFS 2.0 will issue info cards – but interoperable identity systems will work with or without Microsoft
By Simon Bisson & Mary Branscombe in Editorial
Posted in Privacy, Enterprise, Identity, Networking, Internet, Microsoft on
On the Internet, nobody knows you’re a dog. You can put up a Facebook page, send spam, pretend to be a bank; as long as you can read distorted characters, you can leave comments on a blog under any name you choose (I’d like to see at least one Mickey Mouse commenting to this post). Passwords are well past their sell-by date but proving your identity securely matters more and more. Identity online covers everything from throwaway accounts on forums to online banking and no one system is every going to ‘win’ - but they can learn to work together.
You can buy a hard drive from any vendor you like; as long as it fits in your PC and uses a standard interface, your operating system will take care of accessing the hardware and loading the drivers, leaving you to enjoy the storage space. The identity metasystem will do the same thing for user information, identity providers and sites that accept user details in the form of information cards. The terminology comes from Microsoft, the impetus comes from a wide range of customers and the technology comes from everybody from Oracle to Sun, IBM to Novell, the Liberty Alliance to the Higgins Project. Does it all work together yet? Not quite - but the Project Concordia interoperability workshop that opened the RSA conference today was a step forward.
Not least because for the first time Sun demonstrated an information card logon that used no Microsoft software at all; Sun’s Pat Patterson showed a system using OpenSSO v1 build 4 - which Sun will ship in the summer as Federated Access Manager 8.0, with an Oracle identity provider and Novell’s identity selector to deliver the same experience of logging in with an information card as a Vista user gets on the system using CardSpace.
Microsoft showed CardSpace sending SAML 1.1 and SAML2 tokens to a WS-Federation system. Ashish Jain of Ping Identity demonstrated a system using an information card from Sun to log into Gmail, running Vista in a virtual machine on a Mac talking to a Linux system. And systems from Ping, SymLabs, FuGen and Shibbloeth talked to each other and to Sun, Oracle and Microsoft systems using WS-Federation and SAML, transferring not just the identity of the user from a managed information card provided by a trusted identity provider rather than one the user had created themselves but also information like whether the user had provided a password or a smartcard rather than just clicked on a link.
Who needs that heterogenous a system? General Motors for a start, which is why Bob Haar, an IT architect at GM was chairing the workshop along with Microsoft’s Mike Jones and Eve Maler from Sun. Jones repeated what Microsoft is hearing from customers; “Some of the more interesting business discussions have been about risk. Certainly in the automotive industry, a decision has been made that there’s both at least cost savings and possibly minimisations of risk by going to federated authentication for collaboration with suppliers. Think about how many companies are involved in building a GM automobile or a Boeing airplane; it’s mind boggling.”
Haar explained that in a little more detail. “We think the federation gives us more control in real time to monitor and control access. There are legal and contractual aspects of setting up the business relationships and supporting for activities about auditing - if there’s a question about who changed this financial data or when it came through the federated environment, we have to have systems and procedures in place to make that happen.”
Sun’s demo didn’t use any Microsoft products at all and Patterson took something of a cheap shot by apologizing to Microsoft for that. Mike Jones smiled back and said actually, Sun had given him two of his three wishes. “I said three years ago we’ll know the metasytem is succeeding when interactions occur that use no Microsoft software, where Microsoft receives no revenue and Microsoft has no idea the interaction is taking place.” Today, the point is for the companies to be talking so they can make this all work. When it does all work, Sun wouldn’t need to tell Microsoft anything to have happy customers who could use CardSpace against a system that uses Oracle to issue identity information to connect through to another system that uses ADFS to do it. Assuming ADFS could issue and understand identity beyond Active Directory…
There isn’t a name for the next version of ADFS, or a shipping date but Microsoft promises, it will issue and consume information cards. This has gone in and out of the feature list for the next version of ADFS as shipping schedules and priorities shifted, but it’s back on the table says Jones - and Visual Studio will get tools for working with identity. “We probably wouldn’t have gotten permission to show SAML2 token support in the next version of our identity server products if we were not going to put tools into deployers hands to easily build and consume these tokens. We get that until it’s easy for developers to do this, a lot won’t. We’re looking at federation and information cards not as separate things but as parts of a spectrum people can deploy as it makes sense for them.”
Standards are good, runs an old joke; that’s why we have so many of them. Whether it’s a proprietary approach that’s become popular enough to document or a philosophical difference in approaches, there’s hardly anything in technology that you can’t do in two completely incompatible ways by following different standards. What’s happening in identity is a remarkably grown-up approach to tackling a problem. When did you last see Microsoft, IBM, Sun, Novell and Oracle playing nice together without government interference? Instead of expecting to own the marketplace, all the major players are putting in the effort to get their systems working with each other and with the standards. Imagine if all the effort spent arguing about whether OOXML and ODF could both be ISO standards had gone into writing translators to move documents between the two.
But once it’s easy for a service to accept identity logons from a variety of information providers, what is the user experience going to look like? The test sites had buttons to log on with every combination of service and they exposed the debug information so you could see what was happening; real sites won’t have that. But they shouldn’t have umpteen buttons to choose which information provider I want to use either; that way madness and another set of chances to get me to do something insecure lie.
Every credit card I have has its own branding, and there are plenty of different card readers in shops, but they all have a slot I put the card into and a keypad where I type in the PIN. I don’t have to press a button saying I want to use a MasterCard or an Amex card before I start - I put in the card and the reader works it out, hides the process and asks me for the important thing, my PIN. Sites using identity should do the same thing. Don’t give me a button for OpenID or SAML or Ping or Oracle or whatever underlying identity system I’m going to use happens to be, and make me click it and then click again to pick an information card. Use the same identity selector I’m going to give you my information card in; that way your Web site doesn’t have to have five otherwise identical pages and CardSpace or the Higgins identity selector or whatever the experience is on my OS and browser can do the hard work. All I have to do is say yes, I do want to use this information card with this site and you can concentrate on building something that works better because you know who I am without either of us having to care about passwords.
Not yet rated
Loading ...Comment by Paul - July 2, 2008 on 4:18 pm
Interesting read.
Make a comment
Tag cloud
Archives
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
Most commented posts
- Java’s SSVAGENT.EXE: training the monkey
5 comments
- Wubi Tuesday
- Not very open, not very social
- The best mobile game ever
- A Big Day In The Enterprise IT World
- Employees are our most valuable asset (snigger)
- Biometrics - it's not the technology that's broken
- More battery life, fewer explosions
- Spam Fighting in Exchange
- IDF: Will SSD mean the end of 5GB free?
Highest Rated Blog Posts
- Nobody knows what Web 2.0 really is (100%)
- Songs of distant satellites (100%)
- Log in and lock in (100%)
- Mommy, why is there a home server in the office? (100%)
- Employees are our most valuable asset (snigger) (100%)
- Locking down IT or blocking creativity (100%)
- Video opera? What would you do with huge bandwidth and millions of pixels? (100%)
- Consumer BlackBerrys are good for business (100%)
- HD Trek (100%)
- Top tips for speeding up Vista (100%)