Identity Rants & Raveshttp://www.shutuplaura.com/journal/en-US2010-07-30T08:55:53ZSquarespace Site Server v5.11.5 (http://www.squarespace.com/)Shiny ADFS Interop demohttp://www.shutuplaura.com/journal/2010/7/19/shiny-adfs-interop-demo.htmlLaura E. Hunter2010-07-19T20:35:21ZADFS Identity techThe inimitable Mike Jones and others have posted a demo of an “Identity mash-up” consisting of components of OpenID, ADFS, WIF, and PHP, established by Microsoft, PayPal and Medtronics.

http://blogs.msdn.com/b/interoperability/archive/2010/07/09/identity-mash-up-federation-demo-using-multiple-protocols-openid-and-ws-federation.aspx

]]>Microsoft Online Feature Roadmaphttp://www.shutuplaura.com/journal/2010/7/19/microsoft-online-feature-roadmap.htmlLaura E. Hunter2010-07-19T20:27:50ZADFS Active Directory techAt the Worldwide Partner Conference, we got to see an official roadmap for current and planned features for Exchange Online, SharePoint Online, and Office Communication Server Online.

Very nice visual breakdown in the ZDNet article here: http://www.zdnet.com/blog/microsoft/microsoft-shares-officially-its-future-bpos-plans/6857

]]>The Windows Azure “One-Pager”http://www.shutuplaura.com/journal/2010/6/22/the-windows-azure-ldquoone-pagerrdquo.htmlLaura E. Hunter2010-06-22T14:59:33ZtechOf all the articles I’ve seen offering an introduction to cloud computing, I think this one has done the best job thus far:

http://arstechnica.com/microsoft/guides/2010/06/microsoft-azure-for-nubcakes.ars

Compares and contrasts the various vendor cloud offerings: Azure, EC2, etc., along with the different storage models that each of them use.

]]>ADFS2/Shibboleth interophttp://www.shutuplaura.com/journal/2010/6/21/adfs2shibboleth-interop.htmlLaura E. Hunter2010-06-21T19:15:28ZADFS Identity techI’ve had a few people ping me lately about setting up ADFS 2.0 to federate with a Shibboleth instance, now that everyone speaks SAML 2.0 and we all get to hold hands and sing Kum-ba-ya in a happy interoperable way.

There are a few “tricks” to make the conversation work well, though, particularly as regards formatting of claims from one org to the other. The ADFS PG has published a walk-through describing a PoC setup here.

Happy federating!

]]>Bouncy Slide with a Twisthttp://www.shutuplaura.com/journal/2010/6/20/bouncy-slide-with-a-twist.htmlLaura E. Hunter2010-06-20T21:25:53ZADFS Identity techMatt Steele whiteboards the process of using ADFS to project federated identities to an application hosted in Windows Azure: http://bit.ly/b6GEYk

]]>Creating an ADFS/CA SiteMinder SharePoint SSO labhttp://www.shutuplaura.com/journal/2010/6/20/creating-an-adfsca-siteminder-sharepoint-sso-lab.htmlLaura E. Hunter2010-06-20T17:53:19ZADFS Identity tech“Creating a Virtual Organization Using Federated Identity Services with CA SiteMinder and Microsoft Active Directory Federation Services”

White paper (DOCX or PDF) available from the Interop Vendor Alliance here.

Happy downloading!

]]>Federation Trust Partner Certificateshttp://www.shutuplaura.com/journal/2010/5/29/federation-trust-partner-certificates.htmlLaura E. Hunter2010-05-29T15:36:24ZADFS Identity techSo we all know that the thing that breaks AD FS is PKI. What’s sometimes frustrating? Is that it’s not always “your problem”.

In a federated trust relationship, an AD FS-protected application will often fail because a certificate on the partner side has expired, often without the partner being aware of it. Which makes for a fun day of trying to track down “the ADFS guy” in the other organization to convince them that they need to go update their (most often) token-signing certificate.

Now, there’s no actual way to prevent this from occurring – you don’t control your partner’s infrastructure, and that’s kinda the point.

But AD FS 2.0 will at least try to alert you that a problem may be about to occur, by logging an event when one of your configured partner’s certificates is about to expire, or has actually expired:

Event ID 389
AD FS 2.0 detected that one or more of your trusts require their certificates to be updated manually because they are expired, or will expire soon.

If AD FS 2.0 is a major part of your operational life, this event needs to trigger an alert in your monitoring system of choice.

]]>Information Card Issuance CTPhttp://www.shutuplaura.com/journal/2010/5/26/information-card-issuance-ctp.htmlLaura E. Hunter2010-05-26T16:26:17ZADFS Community Identity techhttps://connect.microsoft.com/site642/content/content.aspx?ContentID=16878

“The Information Card Issuance Community Technology Preview (CTP) Add-On for Active Directory Federation Services 2.0 RTM enables issuance of IMI 1.0- and IMI 1.1-compliant information cards from the released version of AD FS 2.0.

The goal of the CTP is to enable the community to continue to exercise the capabilities of the identity metasystem, as relates specifically to information card issuance, in testing, pilots, and other non-production environments.”

MS “have also adding two new mechanisms for interaction and feedback on this topic, a dedicated Information Card Issuance Forum and a monitored e-mail alias ici-ctp@microsoft.com.”

]]>Windows Azure Architecture Guidancehttp://www.shutuplaura.com/journal/2010/5/25/windows-azure-architecture-guidance.htmlLaura E. Hunter2010-05-25T21:09:17ZADFS Identity techhttp://wag.codeplex.com/releases/view/45438

Eugenio Pace’s current Patterns & Practices project, Part 1 at least is in Release Candidate stage.

]]>Kim Cameron on Identity, Federation and the Cloudhttp://www.shutuplaura.com/journal/2010/5/25/kim-cameron-on-identity-federation-and-the-cloud.htmlLaura E. Hunter2010-05-25T20:06:06ZADFS Identity techhttp://www.halbheer.info/security/2010/05/25/identity-in-the-cloud

Presentation, slides and interview. A good listen, as always, from Kim.

]]>