Identity Infrastructure Is Our Area Of Expertise

The subjects discussed here include technologies, standards, architecture, implementation, and applications ... a broad range, to be sure. Each area is evolving rapidly due to the dramatic increase in scope and importance of identity for services and applications. LDAP, virtual directories, federation, and SSO are now key ingredients in an IT infrastructure. The ability to get maximum performance from them is absolutely critical. We are fortunate to have a "behind-the-scenes" view, and hope the observations we share from that perspective prove useful to our readers who care about these topics.

Entries in Liberty Alliance (5)

Wednesday, May 12, 2010

Impressions From EIC 2010

This year's Kuppinger-Cole European Identity Conference confirmed that many of the players in the identity market are now trying to work more closely to improve future technologies and increase their uptake. The conference centered around 'the Cloud', a rather nebulous term for services provided over the Internet. As expected, discussions focused on security issues and on ways in which identity data could be leveraged to improve business in an environment where data is becoming increasingly distributed. In summary, it was apparent that, while some areas of contention regarding security have been settled by agreeing that different protocols should be used to achieve different ends, there are still many issues which need to be resolved.

As for improving revenue and management in the identity sphere, things seemed a lot more vague, and mostly hinged on the hope that businesses would come to see the benefits of these technologies on their own. This was most evident in a talk about Identity Cards, where roll-out approaches vary widely. The German approach enforces compulsory enrollment but offers services to businesses that may help reduce infrastructure costs, while the Swiss approach pushes the business cases for uptake but allows for voluntary adoption. Although some interesting ideas about potential ways the technology could benefit businesses were presented, it will only become clear over time whether businesses actually see these benefits.

Perhaps the most positive aspect of the conference was the impression that many of the big players in the market are trying to work together toward a common goal. However, opinions are still fairly divided, and I was somewhat concerned to observe a few high-profile players in the industry suggest that identity federation through SAML (and, in particular, the work that Liberty Alliance has done, now continued by Kantara Initiative) looked like it would die in the water. This thinking is a little uninformed and, when chatting with other visitors to the conference, it was good to hear that SAML is ubiquitous in the Australian education sector and is widely used across Sweden as well as Denmark in various other governmental sectors.

This confidence in SAML was certainly reflected in a talk by Fulup Ar Foll, who accepted that while OpenID had won ground in the Web 2.0 space, SAML is the natural choice in the commercial and enterprise sphere, as is InfoCard for user interfacing and identity selection. This unofficial armistice between competing technologies has allowed the market to move forward, and everyone in the identity market seems to agree that authentication is a necessary evil, but not the end goal. Now that we have settled some differences over the roles that these technologies play and the arenas in which they belong, we can start looking toward ways that they can enable other identity services to provide real and tangible benefits for businesses and consumers.

Although touted as an 'experts conference', it is clear that the real goal was to educate potential customers and vendors about new identity technologies. Actually, many of these technologies are not really that new. As already mentioned, the Liberty Alliance federation technologies have been developed over the last 10 years or so, and InfoCard has been in development for almost as long. Instead of explaining the practical usage of many of these technologies and demonstrating them in action, the conference speakers still discuss them in a very theoretical way. In talking to many of the integrators and visitors attending the sessions, I sensed that there was a general frustration with this tendency to keep to the theory and to continue talking about the future. Integrators felt that there was little focus or guidance on how to handle the very real problems that they face today, and that all of this looking toward tomorrow (when things will be much better) was not genuinely helpful.

A few of the visitors seemed overwhelmed by the sheer mass of acronyms, protocols, and jargon that was being used. Perhaps it would be fair to say that this type of conference is simply not geared toward people who lack an understanding of the basic theory already out there - but if one needs to be grounded in theory to really understand all of the talks, then there should be little need for the talks to remain theoretical. As an industry, we really need to be careful of not simply 'blinding our consumers with science'.

There seems to be a genuine need to balance conferences like EIC with some advisory workshops where integrators, developers, and architects can learn how to begin working in a direction that will help resolve current issues in a way that won't paint them into a corner in the future. I attended the Authentication and Authorization track entitled 'How to make your software security architecture future-proof' which was presumably intended to have precisely this effect. The panelists pushed the work they were doing and suggested moving away from connection-based authentication and a 'pull-based' identity infrastructure. However, there was little guidance on how to actually achieve this, or how to work it into an existing architecture that more than likely would be built around these types of technologies. The obvious time limitations in a big conference make it difficult to move beyond a high-level schematic of what these technologies involve and into any deeper discussion, so it is hard to be very critical of this. However, it may help to garner support if we can show practical examples of how these technologies are solving problems right now. Indeed, this was highly evident in the talk on OpenID development being done at Microsoft, where we were able to see a prototype solution to many problems using OpenID, as it currently stands, in action. More kudos to you, Ariel Gordon.

To illuminate my perspective for these comments, I'll note that Symlabs has an interesting history. Our core product is designed to resolve many of the immediate issues associated with distributed identity data and connection-based authentication. Much of our software is built around the theme of dealing with problems that people face today. Over the years, particularly through our involvement with Liberty, we have also genuinely explored future technologies. We built Symlabs Federated Identity Suite around many of these concepts. In this way, we have attempted to maintain a presence in both arenas. But one thing is clear to us - while interest in federation is slowly picking up, the majority of our customers are looking to solve today's problems today.

EIC 2010 in Munich was a great opportunity to meet some new people and catch up with many other familiar faces. It was interesting to see how many of the issues that used to be so divisive are now playing out, and it was a genuinely positive experience. I just hope that, when the next one comes around, the experience is a little less ethereal and we see a bit more of an effort to address the problems in existing infrastructures so it can match up to the forces driving these technologies.

Rowan Puttergill

Thursday, September 25, 2008

Trust In New Mobile Applications - Part 3 (Conclusion)

Although we've had a bit of a gap in our thread on this topic, I'd like to get back to it at last and finish it up. Working from the architecture I described in the last section, let's assume this view continues to develop, and Telcos push ahead with implementing SAML 2.0 APIs as a general rule. For ASPs, then, adopting this open security model will be both straightforward and very beneficial. They'll have plenty of options for adding the technology to their application that will allow the widest variety of ASPs to participate, no matter what underlying hardware or software they built it on. When their application needs to validate itself to the Telco network, it can use standard SAML 2.0 authentication methods to do it. When it needs information from the user's profile to incorporate into the service, it can use standard ID-WSF application queries or something more advanced such as People Service, if it's available, to obtain it securely.

The fact that SAML 2.0 and ID-WSF are open standards not only means a level playing field for all the ASPs and Telcos in terms of functionality, it also means solid security for the information under their control. But, while SAML 2.0 and the various ID-WSF protocols are the main instruments for securing identity information in this environment, the "identity-related services" that are defined in the ID-WSF model will play an important role in the big picture for mobile users.

Going forward, the applications that will be most desirable for mobile users generally need some personal and profile information to create their value, but that should not necessarily mean releasing any sensitive information. After securely validating the identity of the participants (the user, the ASP, the Telco) and their authority to take part in a particular transaction at any place and time, the services in the ID-WSF model can be made available to all the participants for secure, controlled delivery of that personal information in a standardized format, while safeguarding sensitive information.

This gives ASPs and Telcos a safe, flexible, and easy way to utilize information in end-to-end services on behalf of a user. Because it's open and standardized, an ASP can develop to APIs that will work with a variety of Telco networks and Telcos can incorporate a wide range of ASPs and make their services available quickly - neither has to create special access, security, or formats to protect and exchange privileged information. In fact, using this model, the ID-WSF services that manage and deliver this information are themselves a potential market for ASPs.

While some types of information might naturally associate with a network, like user location or handset model, other types, like personal contacts and associations, are related to the user, and still others, like automobile registration, are related more to an outside authority. ID-WSF is a rich environment that defines services such as geolocation, contact book, personal profile, and ID-DAP to not only objectify the information in a standard way, but also create a layer of security with access that can be granted or controlled by the appropriate authority (i.e., user, network administrator).

The end result, when developed and done properly, is the ability to create applications like Wizi, offer them in a variety of networks from a single ASP platform, and allow them to become a unique service experience in each implementation by combining other participating ASPs or features particular to that Telco. This, of course, brings us back around to the front of the discussion, and why we are so energized to work on standards activities, proofs-of-concept, and demonstrations with ASPs, Telcos, and the assortment of other companies and organizations that have similar interests. We really think this will result in some important and powerful capabilities that can dramatically change how people go about a great many of their daily activities.

Everything we learn, plus anything useful we create in these activities gets incorporated into Symlabs Federated Identity Suite. We tailor specific packages based on some of these activities, for example our IdP Telco package has everything they need to utilize the protocols, operate an Identity Provider, and connect to ID-WSF services in their network. We also offer packages designed to build and manage various ID-WSF services such as Personal Profile, Geolocation, or People Service.

I hope I have given you enough of an overview of this exciting environment that we get to watch unfolding firsthand, and are fortunate to participate in creating. In the event that you have any questions, are interested in trying Symlabs Federated Identity Suite for yourself, or have some ideas you'd like to explore, please visit our website. You can download our products, obtain more information, or contact us with your suggestions.

Pablo Sánchez

Wednesday, June 11, 2008

Trust In New Mobile Applications

We've recently been involved in some technology demonstrations that I think have a lot to say about how the future of security and trust in mobile networks is taking shape. As everyone can now see, a new breed of mobile applications is emerging that extends the Web 2.0 social networking and mashup metaphors into a pervasive space that users will tailor to serve them in the context of activities that involve the dynamic communities of their daily lives. Some good examples are coming into focus, and one in particular that we participated in took the prize at Orange's API and Widget contest in Portugal this April.

Most people are regular users of various mapping and location services on their desktop, and now a lot of folks use location services on their mobile phones as well. When coupled with GPS-enabled phones, these familiar applications take on a new usefulness by reacting to changes in the user's environment. Similarly, most people have established communities that shape their online activities according to relationships and interests. While for some it's still email and IM that manage their communication with those communities, for many it's rapidly evolving from a combination of those plus Web 2.0 tools on the desktop to mobile interfaces that give them rich interaction with their friends, families, business associates, interests, and urges whenever and wherever they choose. And it's becoming clear to many of us that this is a sweet spot for mobile applications - not just what media can I access, but how can I utilize it now, who can I share it with now, where can we meet to experience it now, and what can make accomplishing that easy for me ... now.

The application that most recently prompted me to write about this is Wizi. Wizi is the free location sharing and traffic information application that won first prize in the Orange API and Widget contest. (You can get it at www.wizi.com.) It has obvious uses for families or business people who are coordinating a schedule because it combines some key attributes of daily life in a dynamic, real-time way - where relevant people are, their destinations or meeting places, how they'll get there, and what's in the way. It can do similar duty for groups with other interests, such as when you want to choose between attending an after-work party, joining some friends for a dinner and a movie, or going to a football game where you'll see lots of acquaintances who cheer your club. And, these are the obvious uses - only the collective imagination of a Web 2.0 enabled world can tell how it goes from there.

So, what does a company that specializes in Identity Management, Virtual Directories, and LDAP have to do with any of this? I'll suggest an answer to that by posing a different question: how much of the information that needs to be shared in the scenarios above would YOU like to have cross all groups? While you may want your family members to have your location at any moment in time, is that something you'd like visible to all the members of the football club? And for that matter, would you be pleased if your preferences such as football club or other affiliations were open to all your business colleagues? For most people, their real-time location and their affiliations are things they want to share very selectively. And, after you give it some thought, you'll probably agree that we're only scratching the surface in conceptualizing the schemes we'll really want to have for managing information that discloses our real-time, activity-centric, choice-driven self as it becomes a dynamic attribute in our daily lives. It's about TRUST - who and what gets it, when, and where.

In the collection of networks and applications that support delivering this vision on mobile phones, there needs to be an infrastructure that allows this identity information to be accessed and moved quickly, shared securely, managed actively, delivered flexibly, and operated on automatically in order for the end-user experience to be powerful, satisfying, and easy-to-use. And, if it isn't, then there won't be a sweet spot, after all. This, of course, is where Symlabs specializes - in that infrastructure and in the sharing and management of that information. That's why we've been working with Wizi on APIs, with BT and Intel on Identity Capable Platform (more on that later), and with Liberty Alliance on Advanced Client and Trusted Modules. Sound complex? It is, but in Part 2 I'll talk a little bit about how those technologies come together and how they work to deliver an efficient, trust-enabled platform that hits the sweet spot.

Pablo Sánchez

Wednesday, December 6, 2006

Authentication Context In Practice

The idea of Authentication Context, as defined by Liberty Alliance and SAML 2.0, has been a subject of some interest lately. As a way for Service Providers and Identity Providers to add additional meaning to an authentication dialogue, it has great practical value to businesses. Dave Kearns recently wrote an interesting article about it in his newsletter, and he was inspired by a post on Paul Madsen's blog that touched on the subtle power of context. Dave asked to see more examples from the vendor community, and that was inspiration enough for me.

At Symlabs, we see our customers using AuthnContext for information about how a user was provisioned in the first place, and also how the user was authenticated for the current session. This requirement came originally from our customers who are wireless operators, but it makes a lot of sense for other service providers as well.

Remember that it is possible to buy mobile phone service through a subscription (post-paid, with a contract), or anonymously (pre-paid, without a contract). It all comes down to liability - the type of "trust" that you would want to extend to an anonymous user who paid cash for a mobile phone from the local drug store versus a user that you know and have had a business relationship with for years.

There are times when the context can have liability implications; therefore it is important to set this context appropriately and based on the business relationship. For example, a company may have tiered partnerships (e.g., "platinum", "gold" and "silver") with other companies. The tier could then be one of the factors used to determine the maximum liability allowed for different ID assertions.

Symlabs was instrumental in getting the mobile authentication contexts defined, because our wireless operator customers requested our participation in this area. Generalizing what we learned from the mobile world, the Symlabs Federated Identity Suite can be configured with any business logic, factoring in any number of data sources to determine the appropriate authentication context to issue.

The SAML and Liberty specifications are silent regarding an aspect of authentication contexts that has practical value to a business: what their ranking should be, or rather, which one is better. Therefore, in Symlabs Federated Identity Suite we chose not to hardwire any ranking, but instead allow for the insertion of customized business logic to evaluate the ranking.

Last (but not least), through the use of flexible business logic, customers can create an implementation that delivers complete control by defining contexts and assigning semantics of their own, in any way they please. Symlabs Federated Identity Suite provides this powerful capability by allowing configuration of custom contexts that can participate in the ranking and business rules just like any official context.
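To make the ranking idea concrete, here is a small added example (mine, not Symlabs code and not how Symlabs Federated Identity Suite is implemented) of a Service Provider extracting the AuthnContextClassRef from a SAML 2.0 assertion and checking it against a configurable policy. The class-reference URNs are the standard SAML 2.0 authentication-context identifiers (the MobileOneFactorUnregistered / MobileOneFactorContract pair is the pre-paid vs. post-paid distinction discussed above); the numeric ranking, the tier-to-minimum-context table, the custom `urn:example:...` context, and the sample assertion are assumptions constructed for illustration. Unknown contexts and unknown tiers fail closed.

```python
"""
Evaluate a SAML 2.0 AuthnContext against configurable business rules.

Illustrative example, not Symlabs code. Signature validation and the rest of
assertion processing are out of scope here; only the context ranking is shown.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"  # standard SAML 2.0 prefix

# Assumed ranking: a higher number means the business is willing to extend
# more liability. The specifications define no ordering, so this table is
# deployment policy, not something taken from the standard.
DEFAULT_RANKING: Dict[str, int] = {
    AC + "MobileOneFactorUnregistered": 10,  # pre-paid, anonymous subscriber
    AC + "MobileTwoFactorUnregistered": 20,
    AC + "PasswordProtectedTransport": 25,
    AC + "MobileOneFactorContract": 30,      # post-paid, known subscriber
    AC + "MobileTwoFactorContract": 40,
    AC + "Smartcard": 50,
    AC + "SmartcardPKI": 60,
}

# Assumed partner tiers, each mapped to the weakest context it may rely on.
TIER_MINIMUM: Dict[str, str] = {
    "silver": AC + "MobileOneFactorUnregistered",
    "gold": AC + "MobileOneFactorContract",
    "platinum": AC + "MobileTwoFactorContract",
}


def build_assertion(context_ref: str) -> str:
    """Construct a minimal (unsigned) assertion carrying one class reference."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0" IssueInstant="2006-12-06T00:00:00Z">'
        "<saml:Issuer>https://idp.example.net/</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="2006-12-06T00:00:00Z">'
        "<saml:AuthnContext><saml:AuthnContextClassRef>"
        + context_ref
        + "</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion>"
    )


def extract_authn_context(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef text from an assertion, or None."""
    root = ET.fromstring(assertion_xml)
    node = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        SAML_NS,
    )
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def evaluate(assertion_xml: str, partner_tier: str,
             ranking: Optional[Dict[str, int]] = None) -> dict:
    """Decide whether the asserted context is strong enough for the tier.

    A custom context (e.g. one a business defines for its own enrollment
    process) participates simply by being present in the ranking table.
    Anything not in the table is refused rather than treated as the weakest.
    """
    table = ranking if ranking is not None else DEFAULT_RANKING
    context = extract_authn_context(assertion_xml)
    minimum = TIER_MINIMUM.get(partner_tier)
    if minimum is None or minimum not in table:
        return {"accepted": False, "context": context,
                "reason": "unknown partner tier %r" % partner_tier}
    if context is None or context not in table:
        return {"accepted": False, "context": context,
                "reason": "missing or unranked authentication context"}
    ok = table[context] >= table[minimum]
    return {"accepted": ok, "context": context,
            "reason": "rank %d vs required %d" % (table[context], table[minimum])}


if __name__ == "__main__":
    # Same pre-paid assertion, different outcome per partner tier.
    prepaid = build_assertion(AC + "MobileOneFactorUnregistered")
    for tier in ("silver", "gold", "platinum"):
        print(tier, evaluate(prepaid, tier))
    # A deployment-defined custom context ranked between the standard ones.
    custom = dict(DEFAULT_RANKING)
    custom["urn:example:ac:classes:StoreEnrolledID"] = 35
    print("custom", evaluate(build_assertion("urn:example:ac:classes:StoreEnrolledID"),
                             "gold", custom))
```

The point of keeping the ranking in data rather than in code is the one the post makes: the same assertion can be acceptable for a silver partner and refused for a platinum one, and a business can slot its own context into the ordering without touching the evaluator.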

Wednesday, October 11, 2006

What Could Be

Hi, it's Felix again. I'm writing another entry to talk about provisioning, and I think it will be about as long as the last one on identity management by the time I'm done. While I'm finishing it up, I'd like to post just a few words about what we are doing here at Symlabs to turn some of these concepts into practical benefits for users. You see, we think this is not only an interesting field of technology to work in, but we really believe that once the infrastructure for identity management is rolled out so that everyone has access to it, the positive results for end users and providers will be tremendous.

It's our feeling that the picture of "what could be" is not widely appreciated yet (maybe because underlying technologies like LDAP, virtual directory, SAML, etc. are complex, or because a lot of different companies need to cooperate to deploy it), so getting the word out and proving that the solutions work in real world situations are high priorities if we want to lead the parade that delivers these benefits. And, we do.

With that in mind, I'd like to call your attention to a few events happening right now that Sampo Kellomaki, my colleague and Symlabs' Chief Identity Architect, is participating in for us. First up is ePortfolio 2006 in Oxford, England from October 11-13. This show is a huge international forum for the exchange of ideas about how to use electronic portfolio solutions in education, government and corporate infrastructures, and Symlabs is participating in the PlugFest on October 11 where we will demonstrate a solution for automated resume processing based on Human Resources XML interoperating with Liberty Alliance ID Web Services Framework (HR-XML and ID-WSF for those of you already familiar with the terminology). When this capability becomes routinely available it will let the HR industry incorporate a set of tools for identity-based and role-based access authorization to improve the security and operation of their online processes, while, from the user perspective, identity web services ensure the privacy of their information and simplify access to services with features like single sign-on. I'll talk more about these applications and individual pieces like single sign-on in upcoming posts, but if you can take advantage of a couple of industry shows that are right around the corner, Sampo will be delivering some very informative talks that we hope will give you a nice view of the picture ("what could be"), show you something about how it works, and maybe even get you to join the parade.

Sampo will be speaking at the ISSE 2006 Conference in Rome, Italy on October 12 about how to use the Liberty Alliance People Service in eGovernment applications, covering document submission in particular, such as corporate tax returns. At RSA 2006 Europe in Nice, France on October 25 he will be talking about Liberty People Service, but this time with a focus on consumer applications. Liberty People Service is the industry's first platform for managing social applications centrally, providing consumers (and enterprise users) with a single view of social relationships in a secure and privacy-respecting federated social network. Sampo will also demonstrate Liberty People Service at RSA 2006 Europe, by the way.

So, go look or listen if you can, and it would be nice if the parade gets bigger.