Identity Rants & Raves

Shiny ADFS Interop demo

Laura E. Hunter — Mon, 19 Jul 2010 20:35:21 +0000

The inimitable Mike Jones and others have posted a demo of an “Identity mash-up” consisting of components of OpenID, ADFS, WIF, and PHP, established by Microsoft, PayPal and Medtronics.

http://blogs.msdn.com/b/interoperability/archive/2010/07/09/identity-mash-up-federation-demo-using-multiple-protocols-openid-and-ws-federation.aspx

Microsoft Online Feature Roadmap

Laura E. Hunter — Mon, 19 Jul 2010 20:27:50 +0000

At the Worldwide Partner Conference, we got to see an official roadmap for current and planned features for Exchange Online, SharePoint Online, and Office Communication Server Online.

Very nice visual breakdown in the ZDNet article here: http://www.zdnet.com/blog/microsoft/microsoft-shares-officially-its-future-bpos-plans/6857

The Windows Azure “One-Pager”

Laura E. Hunter — Tue, 22 Jun 2010 14:59:33 +0000

Of all the articles I’ve seen offering an introduction to cloud computing, I think this one has done the best job thus far:

http://arstechnica.com/microsoft/guides/2010/06/microsoft-azure-for-nubcakes.ars

Compares and contrasts the various vendor cloud offerings: Azure, EC2, etc., along with the different storage models that each of them use.

ADFS2/Shibboleth interop

Laura E. Hunter — Mon, 21 Jun 2010 19:15:28 +0000

I’ve had a few people ping me lately about setting up ADFS 2.0 to federate with a Shibboleth instance, now that everyone speaks SAML 2.0 and we all get to hold hands and sing Kum-ba-ya in a happy interoperable way.

There are a few “tricks” to make the conversation work well, though, particularly as regards formatting of claims from one org to the other. The ADFS PG has published a walk-through describing a PoC setup here.

Happy federating!

Bouncy Slide with a Twist

Laura E. Hunter — Sun, 20 Jun 2010 21:25:53 +0000

Matt Steele whiteboards the process of using ADFS to project federated identities to an application hosted in Windows Azure: http://bit.ly/b6GEYk

Creating an ADFS/CA SiteMinder SharePoint SSO lab

Laura E. Hunter — Sun, 20 Jun 2010 17:53:19 +0000

“Creating a Virtual Organization Using Federated Identity Services with CA SiteMinder and Microsoft Active Directory Federation Services”

White paper (DOCX or PDF) available from the Interop Vendor Alliance here.

Happy downloading!

Federation Trust Partner Certificates

Laura E. Hunter — Sat, 29 May 2010 15:36:24 +0000

So we all know that the thing that breaks AD FS is PKI. What’s sometimes frustrating? Is that it’s not always “your problem”.

In a federated trust relationship, an AD FS-protected application will often fail because a certificate on the partner side has expired, often without the partner being aware of it. Which makes for a fun day of trying to track down “the ADFS guy” in the other organization to convince them that they need to go update their (most often) token-signing certificate.

Now, there’s no actual way to prevent this from occurring – you don’t control your partner’s infrastructure, and that’s kinda the point.

But AD FS 2.0 will at least try to alert you that a problem may be about to occur, by logging an event when one of your configured partner’s certificates is about to expire, or has actually expired:

Event ID 389
AD FS 2.0 detected that one or more of your trusts require their certificates to be updated manually because they are expired, or will expire soon.

If AD FS 2.0 is a major part of your operational life, this event needs to trigger an alert in your monitoring system of choice.

Information Card Issuance CTP

Laura E. Hunter — Wed, 26 May 2010 16:26:17 +0000

https://connect.microsoft.com/site642/content/content.aspx?ContentID=16878

“The Information Card Issuance Community Technology Preview (CTP) Add-On for Active Directory Federation Services 2.0 RTM enables issuance of IMI 1.0- and IMI 1.1-compliant information cards from the released version of AD FS 2.0.

The goal of the CTP is to enable the community to continue to exercise the capabilities of the identity metasystem, as relates specifically to information card issuance, in testing, pilots, and other non-production environments.”

MS “have also adding two new mechanisms for interaction and feedback on this topic, a dedicated Information Card Issuance Forum and a monitored e-mail alias ici-ctp@microsoft.com.”

Windows Azure Architecture Guidance

Laura E. Hunter — Tue, 25 May 2010 21:09:17 +0000

http://wag.codeplex.com/releases/view/45438

Eugenio Pace’s current Patterns & Practices project, Part 1 at least is in Release Candidate stage.

Kim Cameron on Identity, Federation and the Cloud

Laura E. Hunter — Tue, 25 May 2010 20:06:06 +0000

http://www.halbheer.info/security/2010/05/25/identity-in-the-cloud

Presentation, slides and interview. A good listen, as always, from Kim.