SSO Much Fun: Identity Update

OpenID is slowly slowly gaining adoption.  Here is a list of resources relevant to cloud identity, authentication, and authorization.

  • Conflicting Visions of Cloud Identity, Kim Cameron, Microsoft Identity Architect, speaking at the European Identity and Cloud Conference points out that many people thinking about the cloud are still thinking about private clouds.
    • “The cloud motor runs on identity.”   You need to think about a graph of services, and your identity needs to cross all of those.
    • A “domain based” identity model is a non starter, you can’t have a boundary.
    • First generation federation identity provider is a start, but ultimately won’t work either.  You need to deal with a plethora of identity sources.  The claims of identity will be distributed.  We need “Identity Management as a Service” (IDMaaS) to keep costs down and enable power needed.
    • 12 essential  capabilities: registration, attributes, creds, claims issuance, slaims acceptance, claims augmentation, claims transforms, roles, groups, relationships, audit, and directory.
    • Privacy and Security Imperative. Cloud service provider can not even know which identity is using which service.  Example of IRS: ways for a person to use an identity that is easy to remember, but not retained by the service for later abuse.
    • The IDMaaS avoid the “all-seeing identity provider.”  Embrace cloud without giving contextual separation.
  • 7 Laws of Identity – Kim Cameron from 2005
  • Laws of Identity: A conversation with Kim Cameron – John Fontana interviews Kim Cameron on the current state of the laws and identity.
  • Landscape of Web Identity Management, Mario Hoffman at Fraunhofer Institute provides a nice infographic of various aspects of identity on the web.
  • OpenID Connect – New draft available (May 26) for this lightweight specification for that provide a framework for identity interactions via RESTful APIs.
  • The Most Complete History of Directory Services You Will Ever Find – nice compendium
  • OpenAM – originally branded as OpenSSO by Sun Microsystems, seems to cover authentication, authorization, and federation.  Compatible with OAuth.  Strangely, no mention of OpenID anywhere.  That makes me suspicious.  I did find an open source project that translates OpenID to OpenAM so they clearly overlap.  There appears to be an “extension” to support OpenID.
  • Cloud Identity Summit scheduled for July 16 – 20
  • Nat Sakimura’s list of key specifications in the OpenID space.
  • Why OpenID leads to Information Cards, Kim Cameron gives a demo of a phishing attack possible with OpenID when the OpenID provider automatically pops up a login screen.  Some OpenID providers refuse to offer automatic login screens for this purpose.  Of course, Information Cards (a la CardSpace) is his solution from Microsoft.  Another solution might be browser support for OpenID but he didn’t mention that.
  • Reimagining Active Directory for the Social Enterprise – more Microsoft viewpoint on how identity will work with Azure and other cloud technology.

4 thoughts on “SSO Much Fun: Identity Update

  1. Pingback: SSO Much Fun: Identity Update | Collaborative Planning & Social …… « oracleidentitymanagement

  2. Keith, I like your sense of humor. There are many pearls in Kim’s speech and proposal. Just one, for example, “A “domain based” identity model is a non starter, you can’t have a boundary” – it is priceless saying to business that it cannot have boundaries and protect its core assets (via identity control)… only Microsoft can say such things seriously. 🙂

    • in your mirth, you have confused access control with identity. Of course all organizations need access control to assets, but that has nothing to do with identity. Identity is like your NAME. It is quite silly to suggest that protect company assets, the company needs to give you a new NAME. It is equally silly to control access based on your name: (i.e. all the people with the first name ‘Dave’ will have access to the secret papers, if you need access we will give you the name ‘Dave’ so you can do this.) Companies don’t need “Name control” to protect anything. The point is that you can function in any company with any name, and similarly, you can function in any on-line environment with any ID. Having a particular name does NOT give you special access to things, and similarly having a particular ID does not (necessarily) give you access to anything either. I suspect you are not alone in thinking that a company needs to identity control in order to control access. In the past it was common to give access to things to everyone who has a company ID, but this concept has to disappear in the hypersocial world that is forming around us.

      The problem with boundaries comes when people of one company want to cooperate with people of another company. I have direct interactions with certain people from special customers of Fujitsu. Forcing those people to get a Fujitsu ID in order to share things with me is an undue burden on them, and for me to get an ID at all those special partners is similarly unsatisfactory. The only solution is for me to use my ID (like my NAME) and they use their IDs (like their NAMES) and have a system that allocates access not based who gave the ID (or NAME) but instead as a separate mechanism that has nothing to do with ID. Do you see how organization-specific ID’s are a non-starter?

  3. Pingback: SSO: What is it « Agile Software Craftsmanship

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s