Archive for November, 2007

Identity Federation Demystified

Tuesday, November 27th, 2007

We released a nice article on Federation, as well as links to many useful resources, in the November edition of Sun’s Inner Circle Newsletter. Click the image below to check it out.

Gartner IAM Blackmail Photos

Wednesday, November 21st, 2007

OK. Liz Matthews beat me to the punch on her new blog and posted blackmail pictures from the Gartner IAM event. I planned to post these pictures on my blog to humiliate my coworkers, but did not plan to include any pics of me. (Rats!) I noticed she forgot to include a few folks. So . . . if I’m going down, they’re going down with me.

Based on the way they dress, I’m worried the Vaau team will be high maintenance. Kevin Gallagher and Brent Thurrell have a bit of an Ivana Trump complex.


Melissa Carvahlo, our Canadian federation guru, and Julio Tapia, partner alliances, “entertaining” customers. The extent to which they will go to serve our customers is not yet known.

We Eat Our Own Federation Dog Food. Yummy!!!!

Monday, November 19th, 2007

A bit of shameless self-promotion . . .
Check out my new article, Identity Federation: The Inside Story, in the latest edition of the Sun Identity Insights Newsletter. The picture brings new meaning to the word geek.

Sun Positioned in Leaders Quadrant for Web Access Management

Monday, November 12th, 2007

I’m happy to announce that Sun’s Access Manager was included in Gartner’s leaders quadrant for web access management. According to Gartner we kick butt with regard to execution. True dat!
I don’t necessarily agree with them regarding vision, but we’ll just need to keep talking with Gartner and continue to show them all the great things we’re doing including identity services, web services security, dynamic federation and access management.
We’ll also need to start talking more about how this relates to other exciting things going on at Sun including XVM Opcenter, Server virtualization, and Solaris. Lots to do so onwards and upwards!
To access the latest Gartner Magic Quadrant for Web Access Management, please visit:
http://www.sun.com/software/products/identity/index.js

AAAA Identity Services in OpenSSO

Saturday, November 10th, 2007

There have been great strides in the OpenSSO community and one of the areas I am particularly proud of is the addition of identity services. Applications can authenticate end users against OpenSSO and obtain their attributes through identity services, without deploying a policy agent or a labor-intensive client kit. Identity services can be invoked through REST or WSDL (SOAP) interfaces from the IDE of your choice, which means no agent is required to protect a resource. The identity services in OpenSSO (and available in our Spring release of Federated Access Manager 8.0) include:
* Authentication — Verification of user credentials
* Authorization — Permission for authenticated users to access secured resources
* Attributes — Collection of the profiles of authenticated users
* Audit Log — Ability to audit and record operations
Below is an example of the authentication identity service being invoked using NetBeans. The service is IDE-agnostic and can also be used from Eclipse and Visual Studio.
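As an added example (not the post’s NetBeans screenshot and not OpenSSO’s own code), here is a small Python client that exercises all four identity services over REST. The endpoint paths (`authenticate`, `authorize`, `attributes`, `log`), their parameter names and the newline-separated `key=value` response format follow the OpenSSO REST interface as I recall it and should be checked against your deployment; treat them as assumptions. The base URL and the sample responses are constructed.

```python
"""Client for the four OpenSSO identity services over REST: authenticate,
authorize, attributes and audit log. Added example; endpoint paths, parameter
names and the key=value reply format are assumptions about the OpenSSO REST
interface, and BASE_URL is hypothetical."""
import urllib.parse
import urllib.request

BASE_URL = "https://sso.example.com/opensso/identity"  # hypothetical deployment


def parse_kv(body):
    """Replies are newline-separated key=value lines. Repeated keys
    (attribute.name / attribute.value) are kept in order, and values may
    themselves contain '=' (e.g. a role DN), so split on the first '=' only."""
    pairs = []
    for line in body.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value))
    return pairs


def token_from_authenticate(body):
    """authenticate returns 'token.id=<SSO token>'; the token is a bearer
    credential, so treat it like a password from here on."""
    for key, value in parse_kv(body):
        if key == "token.id" and value:
            return value
    raise ValueError("authenticate reply carried no token.id")


def decision_from_authorize(body):
    """authorize returns 'boolean=true' or 'boolean=false'. Anything else is an
    error, not a permit: fail closed."""
    for key, value in parse_kv(body):
        if key == "boolean":
            return value.strip().lower() == "true"
    raise ValueError("authorize reply carried no decision")


def attributes_from_response(body):
    """attributes returns userdetails.attribute.name / .value pairs; a
    multi-valued attribute repeats .value after one .name."""
    attrs, current = {}, None
    for key, value in parse_kv(body):
        if key == "userdetails.attribute.name":
            current = value
            attrs.setdefault(current, [])
        elif key == "userdetails.attribute.value" and current is not None:
            attrs[current].append(value)
    return attrs


def _post(path, params):
    """POST form-encoded parameters so the password and SSO token never land in
    a URL, proxy log or browser history. HTTPS is mandatory for the same reason."""
    if not BASE_URL.startswith("https://"):
        raise RuntimeError("refusing to send credentials over plain HTTP")
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(f"{BASE_URL}/{path}", data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def authenticate(username, password):
    return token_from_authenticate(
        _post("authenticate", {"username": username, "password": password}))


def authorize(token, uri, action="GET"):
    return decision_from_authorize(
        _post("authorize", {"uri": uri, "action": action, "subjectid": token}))


def attributes(token):
    return attributes_from_response(_post("attributes", {"subjectid": token}))


def audit_log(app_token, subject_token, logname, message):
    """appid is assumed to be the calling application's own SSO token, i.e. the
    application authenticates first and the user's token is the subject."""
    _post("log", {"appid": app_token, "subjectid": subject_token,
                  "logname": logname, "message": message})


if __name__ == "__main__":
    # Authentication, then authorization, attributes and audit, in that order.
    app = authenticate("orders-app", "app-secret")
    user = authenticate("demo", "changeit")
    if authorize(user, "https://orders.example.com/admin", "GET"):
        print("permitted; uid =", attributes(user).get("uid"))
    audit_log(app, user, "orders.access", "admin page requested")
```

The parsers are kept separate from the HTTP calls so that the response handling (including the fail-closed authorization decision) can be checked without a live server.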

If you’re interested in exploring this functionality, download OpenSSO and begin playing today. Also, Aravindan Ranganathan, one of our talented software architects at Sun, wrote a nice technical article titled Securing Applications With Identity Services, Part 1: Authentication. He will be publishing three more technical articles on the remaining services shortly – Authorization, Attributes, and Audit Log.

OpenSSO Secure Token Service

Friday, November 2nd, 2007

Last week I attended Catalyst Europe in Barcelona. It was a great conference and there was a lot of focus on access and federation, which made me very happy. One of the events we participated in was an OSIS interoperability event. The goal of the interop was to demonstrate interoperability with Microsoft CardSpace. For us, the true benefit of the session was to demonstrate our Secure Token Service, which is available in OpenSSO and will be released in Federated Access Manager 8.0.
A Secure Token Service (STS; WS-Trust calls it a Security Token Service) is a foundational component of an organization’s web services security infrastructure. The STS answers the question: how does a web service verify the credentials presented by a web services client? The client presents its credentials to the STS, which verifies them and, in response, issues a security token proving that the client has authenticated with the STS. The client then presents that token to the web service, which verifies that the token was issued by an STS it trusts and accepts it as proof that the client authenticated. In practice the service also checks that the token is intended for it and has not expired, not merely that the issuer’s signature is valid. A key benefit of an STS is token translation based on the security policies of the web services client and the web services provider (e.g. the client requests with a SAML 1.1 token and the STS issues a SAML 2.0 token for the provider).
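The exchange described above, as an added example that is not part of the original post and not OpenSSO’s STS: a client builds a WS-Trust RequestSecurityToken carrying a WS-Security UsernameToken, a toy STS verifies the credentials and answers with a RequestSecurityTokenResponse, and the web service accepts the issued token only if it comes from a trusted issuer, is unmodified, names this service as its audience and has not expired. The WS-Trust and WS-Security namespaces are the real ones; the issuer and service names, the credential store, the shared key and the HMAC-signed token format are constructed for illustration (a real STS issues XML-Signature-signed SAML assertions, and AppliesTo is simplified to plain text).

```python
"""Toy WS-Trust style exchange: client -> STS -> relying web service.
Added example, not OpenSSO or Sun code. Names, keys and the HMAC token
format below are constructed; a real STS signs SAML assertions with XML Signature."""
import base64
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"  # WS-Trust 1.2 namespace
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")  # WS-Security 1.0

# Hypothetical deployment values (constructed for this example).
STS_ISSUER = "https://sts.example.com/sts"
SERVICE_AUDIENCE = "https://orders.example.com/ws"
USERS = {"testuser": "s3cret"}          # STS credential store
STS_KEY = secrets.token_bytes(32)       # shared with the service out of band
TOKEN_FIELDS = ("Issuer", "Subject", "Audience", "NotOnOrAfter")
LIFETIME = 300                          # token lifetime in seconds


def build_rst(username, password, applies_to):
    """Client side: RequestSecurityToken (Issue) carrying a UsernameToken.
    AppliesTo is simplified to text; WS-Trust nests a wsa:EndpointReference."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = f"{WST}/Issue"
    ET.SubElement(rst, f"{{{WST}}}AppliesTo").text = applies_to
    ut = ET.SubElement(rst, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = username
    ET.SubElement(ut, f"{{{WSSE}}}Password").text = password
    return ET.tostring(rst)


def _mac(key, values):
    """Keyed MAC over the token fields, standing in for an XML Signature.
    Fields are length-prefixed so no separator trick can shift field boundaries."""
    msg = b"".join(len(v.encode()).to_bytes(4, "big") + v.encode() for v in values)
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def sts_issue(rst_xml, now=None):
    """STS side: verify the UsernameToken, then answer with a
    RequestSecurityTokenResponse holding a token bound to issuer, subject,
    audience and expiry. Wrong credentials get no token at all."""
    now = int(time.time() if now is None else now)
    rst = ET.fromstring(rst_xml)
    if rst.findtext(f"{{{WST}}}RequestType") != f"{WST}/Issue":
        raise ValueError("unsupported RequestType")
    user = rst.findtext(f".//{{{WSSE}}}Username") or ""
    pwd = rst.findtext(f".//{{{WSSE}}}Password") or ""
    if user not in USERS or not hmac.compare_digest(USERS[user], pwd):
        raise PermissionError("authentication failed")
    audience = rst.findtext(f"{{{WST}}}AppliesTo") or ""
    values = [STS_ISSUER, user, audience, str(now + LIFETIME)]
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    holder = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
    tok = ET.SubElement(holder, "IssuedToken")
    for name, value in zip(TOKEN_FIELDS, values):
        ET.SubElement(tok, name).text = value
    ET.SubElement(tok, "Signature").text = _mac(STS_KEY, values)
    return ET.tostring(rstr)


def extract_token(rstr_xml):
    """Client side: pull the issued token out of the RSTR to present to the service."""
    rstr = ET.fromstring(rstr_xml)
    return ET.tostring(rstr.find(f"{{{WST}}}RequestedSecurityToken/IssuedToken"))


def service_verify(token_xml, audience=SERVICE_AUDIENCE, now=None, trusted=None):
    """Web service side: accept the token only if it was issued by a trusted STS
    (known key), is unmodified, is meant for this service and is unexpired.
    Returns the authenticated subject."""
    now = int(time.time() if now is None else now)
    trusted = {STS_ISSUER: STS_KEY} if trusted is None else trusted
    tok = ET.fromstring(token_xml)
    values = [tok.findtext(name) or "" for name in TOKEN_FIELDS]
    issuer, subject, aud, not_after = values
    if issuer not in trusted:
        raise PermissionError("untrusted issuer")
    if not hmac.compare_digest(_mac(trusted[issuer], values), tok.findtext("Signature") or ""):
        raise PermissionError("signature mismatch")
    if aud != audience:
        raise PermissionError("token not issued for this service")
    if now >= int(not_after):
        raise PermissionError("token expired")
    return subject


if __name__ == "__main__":
    rstr = sts_issue(build_rst("testuser", "s3cret", SERVICE_AUDIENCE))
    print("service accepted subject:", service_verify(extract_token(rstr)))
```

Token translation would slot into `sts_issue`: instead of only a UsernameToken, the STS would also accept a token it (or another trusted issuer) previously signed, re-verify it with `service_verify`, and issue a fresh token in the format the target service’s policy demands.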
Below are a few screenshots from the interop providing a flavor for our STS capability in OpenSSO.
1. The first step of the demonstration shows a user logging in to OpenSSO configured as a Managed Card provider.

2. The user enters their credentials and the Managed Card Provider generates an information card that can be saved to the desktop.

3. The user saves the information card to their desktop.

4. The user uploads / imports the saved Managed card (InfoCard) into Windows CardSpace.

5. The Sun OpenSSO Test Card is now imported into CardSpace and available for use.

6. The Sun OpenSSO Test Card for TestUser shows the OpenSSO STS endpoint under the Card ID field.

7. The user goes to the xmldap service provider to log in with the OpenSSO Test Card.

8. The user selects the “Login with an Infocard” link and selects the OpenSSO Test Card.

9. The user enters their password and CardSpace sends a WS-Trust request (RequestSecurityToken) to the OpenSSO STS.