OpenID = Authentication + Attribute Exchange ++
March 23rd, 2007
Marc Canter leapt to OpenID’s defense against Michal Migurski’s criticism.
…there are those who think we DON’T need anything more than simple single sign-on. In fact I had lunch with the CEO of SixApart (Barak Berkowitz) who said Brad Fitzpatrick is fairly skeptical of anything beyond his original simple scenario.
But, says Canter, “we need the attribute exchange to make this thing really take off.”
Then all the skeptics will realize that the authentication layer HAD to come first - but was just a first step. Along the way we’ll figure out standards for user interface and usage flow.
But for now - the critics are right - OpenID as it stands right now is just authentication and that ain’t gonna rock nobody’s world - except for Brad Fitzpatrick’s world - I guess.
U.S. Higher Ed Identity Management Expands
December 11th, 2006
InCommon, an identity management federation serving US higher education, announced that it is substantially expanding its community to include an additional ten universities, four service providers, and a private identity provider.
“The research and education community, which today depends upon online resources through its partnerships with content and service providers, has been at the forefront of deploying the federated identity management approach,” said Tracy Mitrano, director of Information Technology Policy, Cornell University and chair of the InCommon Steering Committee.
InCommon provides the framework for the partners and sponsors to share protected online information and resources. The resource sharing needs to be done in a highly secure manner while keeping the privacy of those who access this material just as safe. InCommon, which uses Shibboleth technology, eases the burden on partners by providing single sign-on access to multiple resources.
“To meet the increasing campus demand for using external applications and online resources, we developed and implemented solutions that efficiently use our existing information infrastructures securely and safely in such a way that we maintain control over the release of personal information for people at Penn State,” said Kevin Morooney, vice provost of Penn State University. “InCommon is a vitally important part of this infrastructure and helps put us in a position to provide a richer, easier to use, safer online experience for Penn State students, faculty, and staff.”
Identity Management Suite from Oracle
December 8th, 2006
Oracle announced on December 6, 2006, the release of its new Identity Management Suite providing Single Sign-on. The suite integrates with many of Oracle’s applications to help manage access control and passwords.
“The availability of Oracle Enterprise Single Sign-On Suite further enables customers to improve security throughout their entire organizations and to more easily meet compliance mandates while reducing costs,” Hasan Rizvi, vice president of security and identity management products at Oracle, said in a statement.
The five elements that comprise this suite are:
- Logon Manager: Allows users to access their Web-based and legacy applications with a user name and password but without having to constantly change and update passwords
- Password Reset: Enables users to set or recover lost passwords through a protected self-service interface in Windows environments
- Authentication Manager: Lets businesses use a combination of tokens, smart cards, biometrics and passwords to manage access to applications throughout the network
- Provisioning Gateway: Allows businesses to control their identity administration software, such as Oracle Identity Manager, to provision application accounts that can be accessed through Single Sign-On Manager
- Kiosk Manager: Enables users to access applications in a secure manner at multi-user kiosks and workstations, so that users can work from several locations throughout the day
Leveraging CAS with Luminis
March 30th, 2006
From NoSheep.net’s article:
In SunGard Higher Education’s Luminis product one of the many add-on packages you can install is CAS support. CAS is an acronym for Central Authentication Service. This WebISO solution is one of the most common in higher education. CAS was created originally by Yale, but ongoing support has been taken over by JA-SIG. When the CAS package is installed in Luminis, it makes Luminis act as a CAS authentication provider. Coupled with this built-in Luminis support, we use a CAS library called phpCAS that adds to the simplicity of deploying this within our environment.
Time and again, CAS has been proven an effective and simple way for us to quickly drop authentication ability into our homegrown PHP applications. Once a function was developed, this was easily reused across dozens of applications within a few short months. The ease of deployment made it easy to convince various developers to switch from custom authentication schemes.
He then goes on to provide example code of how CAS deployed through Luminis can be leveraged with PHP.
CAMP Shibboleth: Enabling Campus and Federated Single Sign-On
March 24th, 2006
Educause is hosting CAMP Shibboleth: Enabling Campus and Federated Single Sign-On on June 26–28, 2006 at the Wyndham Burlington, in Burlington, Vermont.
Unsure about what the Shibboleth System is about and how it can be used in production on your campus? Looking for a Web single sign-on package that can be used both for local applications and in federated environments?
Internet2’s Shibboleth is being deployed nationally and internationally to solve real-world problems associated with intra- and interinstitutional authentication and authorization. For Web-based access control, it leverages campus identity and access management infrastructures to authenticate individuals and then sends information about them to the resource site, enabling the resource provider to make an informed authorization decision.
Many consider the Shibboleth System to be federating software, which it is; however, more and more campuses are asking what value they get, if any, from deploying separate intra- and intercampus single sign-on systems. Increasingly, these campuses are deploying Shibboleth for both purposes. It’s a tool that enables Web authentication and provides authorization information for applications and services, independent of who’s offering them.
This CAMP will offer concrete practice and real-world experience from institutions running Shibboleth in production for controlling access to both on and off-campus services. Featured in this workshop will be an Application Showcase where campuses and vendors will demonstrate the Shibboleth System in action.
Both IT management and technical staff will find sessions of interest on the program and guidance for running Shibboleth in production. Participants will have the opportunity to:
- Learn strategies for managing identity and privilege information used by the Shibboleth System
- Understand the management issues involved in running a Shibboleth-enabled learning management system
- Discover Shibboleth’s value as a campus Web sign-on package
- Learn about SAML 2.0, the mechanism that carries the identity information
- Find out the questions you should ask your information/library vendors about SAML and Shibboleth System support
- Hear practical advice for running the Shibboleth System on server clusters
Participants are encouraged to have a sound knowledge of IdM to learn the most from the sessions. Those interested in knowing more about IdM can review the Enterprise Directory and Authentication Implementation roadmaps.
Single Sign-On Definition
March 23rd, 2006
A concise Single Sign-On definition from NoSheep.net:
Single Sign-On:
One userid, one password, entered one time, with passage allowed from one system to another without interruption
Sometimes there is debate over the meaning of the term; I accept this definition as true, and all further references I make henceforth will be based on this.