Archive for the 'Interoperability' Category

February 17, 2012
OpenID Connect Interop in Progress

OSIS logoOpenID logoThe Third OpenID Connect Interop is currently under way – this time based upon approved Implementer’s Drafts. Currently 7 implementations are being tested, with I believe more to be added. The interop is designed to enable people to test the implementations they’ve built against other implementations and verify that specific features that they’ve built are working correctly. This has several benefits: it helps debug implementations, it helps debug the specifications, and it results in greater interoperability among OpenID Connect implementations.

As background, like the other OSIS interops, the OpenID Connect interop is an opportunity for implementers to try their code against one another’s in a systematic way. It is not a conformance test; participants do not “pass” or “fail”. There is no requirement that you must support particular features to participate or that you must participate in all aspects of the interop.

If you’d like to participate in the interop, join the OpenID Connect Interop mailing list and send us a note there saying who your interop contact person will be, the name of your organization (can be an individual), the name of your implementation (can be your name), and a list of the online testing endpoints for your implementation. Testing is performed online on your schedule, with results recorded on the interop wiki. That being said, an in-person meeting of interop participants will also be held on Friday, March 2 in San Francisco (the week of RSA) for those who are able to attend.

April 4, 2011
AD FS 2.0 Interop Step-By-Step Guide: IBM Tivoli Federated Identity Manager

Microsoft has published the fifth in a series of step-by-step guides on configuring AD FS 2.0 to interoperate with partner products. This guide describes how to configure AD FS 2.0 and IBM Tivoli Federated Identity Manager to federate using the SAML 2.0 protocol. The guide is available in HTML format and soon also Word and PDF. Thanks again to author Dave Martinez for making this series a reality!

November 22, 2010
AD FS 2.0 Interop Step-By-Step Guide: Ping Identity PingFederate

Microsoft has published the fourth in a series of step-by-step guides on configuring AD FS 2.0 to interoperate with partner products. This guide describes how to configure AD FS 2.0 and Ping Identity PingFederate to federate using the SAML 2.0 protocol. The guide is available in Word and PDF formats and also HTML. Thanks again to author Dave Martinez, and special thanks to Ping Identity for sponsoring this guide.

October 21, 2010
AD FS 2.0 Interop Step-By-Step Guide: Shibboleth 2 and the InCommon Federation

Microsoft has published the third in a series of step-by-step guides on configuring AD FS 2.0 to interoperate with partner products. This guide describes how to configure AD FS 2.0 and Shibboleth to federate using the SAML 2.0 protocol. There is also an appendix on federating with the InCommon Federation. The guide is available in Word format and HTML. Thanks again to author Dave Martinez.

August 31, 2010
Information Card SAML Token Profile Committee Specifications

Information Card IconOASIS logoAs editor of the OASIS IMI TC, I wanted to bring to your attention that the committee specifications for the SAML V1.1 Information Card Token Profile Version 1.0 and the SAML V2.0 Information Card Token Profile Version 1.0 specifications have been posted by OASIS. These specs are standard profiles for SAML 1.1 and SAML 2.0 tokens when used with the Identity Metasystem Interoperability Version 1.0 (IMI 1.0) specification for Information Cards.

Thanks again to Scott Cantor and the OASIS Security Services (SAML) TC for driving the creation of these profiles.

August 2, 2010
AD FS 2.0 Interop Step-By-Step Guide: Oracle Identity Federation

Microsoft has published the second in a series of step-by-step guides on configuring AD FS 2.0 to interoperate with partner products. This guide describes how to configure AD FS 2.0 and Oracle Identity Federation 11.1.1.2, as delivered in Oracle Identity Management 11.1.1.3, to federate using the SAML 2.0 protocol. The guide is available in HTML and Word formats. Thanks again to author Dave Martinez.

July 8, 2010
Identity Interop at Catalyst San Diego, July 2010

OSIS logoI’ll be participating in an Open Identity for Business Interop being held by OSIS at Catalyst in San Diego this month. This multi-protocol interop event includes exercising the US Government identity profiles developed as part of the Open Identity Solutions for Open Government initiative. Microsoft is hosting testing endpoints using AD FS 2.0 and the Card Issuance CTP. The public interop demonstration is on Wednesday, July 28th. Hope to see you there!

Catalyst North America 2010 Interop Banner

July 7, 2010
AD FS 2.0 Interop Step-By-Step Guide: CA Federation Manager

Microsoft has published the first of a series of step-by-step guides on configuring AD FS 2.0 to interoperate with partner products. This guide describes how to configure AD FS 2.0 and CA Federation Manager r12.1 to federate using the SAML 2.0 protocol. The guide is available in HTML and Word format. Thanks go to author Dave Martinez for his expert and detailed treatment of the topic.

May 21, 2010
Card Issuance CTP for AD FS 2.0

Information Card IconToday Microsoft released a Community Technology Preview (CTP) of software for issuing Information Cards that works with the recently released Active Directory Federation Services (AD FS) 2.0 server software. This means that as well as supporting identities using WS-Federation and SAML 2.0, people can try out scenarios where their identities are based on Active Directory, AD FS 2.0 provides the claims for them using WS-Trust, and cards using the AD FS 2.0 WS-Trust endpoints are issued using the CTP.

As well as working with the current CardSpace 2.0 beta, these cards work with CardSpace 1, which shipped with Windows 7 and Windows Vista and is available for download on Windows XP. They should also work with other identity selectors, both on Windows and on other platforms.

You can ask questions about this at ici-ctp@microsoft.com or by participating in the CardSpace forum.

May 5, 2010
AD FS 2.0 Has Shipped

Active Directory Federation Services (AD FS) 2.0 shipped today. In addition to supporting WS-Federation, as the first version did, this release also supports the SAML 2.0 and WS-Trust protocols.

At this milestone, I’d like to thank the numerous partners who did extensive interop testing with us as AD FS 2.0 was being developed, helping ensure that it works well with other’s products. Milestones along the way included early interop testing with Shibboleth, IBM, and Ping Identity during Beta 1, interop work with CA, Novell, and Sun during Beta 2, the Federation Interop at Catalyst in July 2009, the Liberty Alliance SAML 2.0 testing last summer, and the OASIS IMI interop at RSA in March. Plus, we’re grateful to the numerous customers who test-drove and gave us invaluable feedback on AD FS 2.0 and the other “Geneva” wave products as they were being developed. This release is far stronger because of all of your contributions!

April 9, 2010
Public Review of Information Card SAML Token Profiles

Information Card IconOASIS logoOn Monday, OASIS announced the commencement of the 60-day public review period for the SAML V1.1 Information Card Token Profile Version 1.0 and the SAML V2.0 Information Card Token Profile Version 1.0 specifications. These specs propose standard profiles for SAML 1.1 and SAML 2.0 tokens when used with the Identity Metasystem Interoperability Version 1.0 (IMI 1.0) specification for Information Cards.

Special thanks go to Scott Cantor and the OASIS Security Services (SAML) TC for driving the creation of these profiles. You can provide feedback to the IMI TC on these specifications at this page.

March 2, 2010
U-Prove Specifications Licensed and Sample Code Released

U-Prove logoThis morning at the RSA conference, Scott Charney announced that Microsoft has licensed the U-Prove technology under the Open Specification Promise and released sample implementations in C# and Java under the BSD license. Implementers will be interested in two specifications: the “U-Prove Cryptographic Specification V1.0”, which documents U-Prove’s cryptographic operations, and “U-Prove Technology Integration into the Identity Metasystem V1.0”, which documents how to use U-Prove tokens with WS-Trust. These specifications are intended to enable interoperable implementations.

The U-Prove technologies enable two key properties: minimal disclosure and unlinkability. For more about U-Prove and today’s Community Technology Preview (CTP) release, see the Microsoft U-Prove site, the post announcing the release, and Vittorio’s post (with links to videos).

December 18, 2009
Updated Federated Identity Product Releases

Today Microsoft announced the availability of new releases of several identity products: Active Directory Federation Services (AD FS) 2.0, the Windows Identity Foundation, and CardSpace 2 (which collectively were formerly referred to as “Geneva”), as well as Federation Extensions for SharePoint. See Announcing the AD FS 2.0 Release Candidate and More and Announcing WIF support for Windows Server 2003 for the release announcements as well as links to numerous step-by-step guides, samples, docs, and video. Thanks to all those who did interop work with us (including at Catalyst, Liberty, and pair-wise) to help ensure that these releases will work well with other’s implementations.

September 30, 2009
Liberty Alliance SAML 2.0 Interoperability Testing Results

Liberty Interoperable logoI’m pleased to report that Microsoft passed the Liberty SAML 2.0 interoperability tests that it participated in, as did fellow participants Entrust, IBM, Novell, Ping Identity, SAP, and Siemens. Testing is an involved process, as you can read about on the team blog, with numerous tests covering different protocol aspects and scenarios, which are run “full-matrix” with all other participants. Microsoft participated in the IdP Lite, SP Lite, and eGov conformance modes, which our customers told us were important to them.

As Roger Sullivan reported in the Liberty press release, this round of testing included more vendors than ever before. Related to this, I was pleased that Microsoft decided to let other vendors know up front that it would be participating. (Typically vendors don’t say anything about their participation until there’s an announcement that they’ve passed.) This openness enabled me to personally reach out to others with SAML 2.0 implementations, many of whom did choose to participate (and of course who might have also done so without my encouragement to join the party!).

For more about this accomplishment, see John Fontana’s ComputerWorld story, the Interoperability @ Microsoft blog, Vittorio’s blog, and the full test results.

September 7, 2009
CA and Microsoft Identity Products Interop

Microsoft logoCA logoCA and Microsoft have published a whitepaper describing interop work the two companies have done between their identity products, ensuring that they work well together. SiteMinder and CA Federation Manager from CA and Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation from Microsoft were the products tested. The interop work covered both the SAML 2.0 protocol and the WS-Federation protocol, with each companies’ products configured in both Identity Provider and Relying Party roles. For instance, one scenario tested was using using a CA-hosted identity to access a SharePoint 2007 installation via the Windows Identity Foundation using the WS-Federation protocol. You can download the whitepaper either from CA or from Microsoft.

I’d like to thank Dave Martinez for all the expert work he put into getting this done, which included configuring products, running tests, doing the writing, and herding cats! I’d also like to extend my sincere thanks to Wes Dunnington, Mark Palmer, and Jeff Broberg of CA, who have been exemplary and diligent partners throughout this effort, rolling up your sleeves and working closely with your Microsoft counterparts to diagnose issues that arose, until we demonstrated all the scenarios working.

I’ll close by quoting a note that Wes sent to both teams upon the successful conclusion of our work together:

We are truly happy that this joint effort has resulted in the successful interop between our two products. This kind of work is crucial to get more and more businesses to adopt standards based solutions as they start to reach across the Internet for their application needs.

I couldn’t agree more!

August 31, 2009
Interoperable Verified Identity Claims Progress

Many of us share a vision of an Internet where people can have authorities that they trust make verified claims about themselves in contexts that they choose. For instance, using an identity that can issue “age-18-or-over” or “age-21-or-over” claims for me may enable me to utilize services at a site accepting those claims from that issuer that might otherwise be closed to me. More specialized interoperable verified claims, such as “coppa-certified-adult”, are also possible, and may open other doors for me. Before another month goes by, I wanted to draw attention to two new Information Cards that have been issued that represent progress in making this vision for interoperable verified claims a reality.

Privo CardPrivacy Vaults Online (a.k.a. Privo) launched a Privo parent card that can make the claim that the person has been certified as an adult using a method that satisfies the US COPPA regulations. Indeed, this is the “coppa-certified-adult” claim referenced above, and is defined in the ICF Claims Catalog so that others can use it as well. The Privo card also broke new ground in utilizing a “verification-method” claim, so that the relying party can tell how the information was verified, and the “verified-claims” method, so the relying party can tell which claims were verified. It also offers the same “age-18-or-over” claim that the Equifax card does. See the press release for more information, including sites where you can use your Privo card.

Acxiom CardAcxiom issued the Acxiom Identity Card, which a person can use to make verified name and address claims about them self online. It also makes a new ICF-defined claim “icam-assurance-level-1” asserting that “the security token is issued according to the requirements of the U.S. federal Identity Credential and Access Management (ICAM) Assurance Level 1”. See the press release for more information about the Acxiom card.

August 28, 2009
Catalyst Federation Interop

I’m writing to thank the Burton Group for sponsoring the federation interop demonstration at the 2009 Catalyst Conference in San Diego. As you can see from the logos, they attracted an impressive set of interop participants. It was great working with the knowledgeable and enthusiastic colleagues from other companies to assure that our products will work together for our customers.

Catalyst North America 2009 Interop Banner

Microsoft demonstrated SAML 2.0 interoperation using our forthcoming Active Directory Federation Services 2.0 product (no, it’s not named “Geneva” Server anymore). We federated both to and from numerous other implementations. For instance, those attending in person got to watch yours truly demonstrate using AD FS 2.0 to log into SalesForce.com and WebEx, among other scenarios.

But why write about this now, one might ask? Isn’t the interop done? Not necessarily! In fact, one of the cool things about online interops is that the participants can continue testing well after “the event” is over. For instance, we’ve done some WS-Federation testing with participants since Catalyst, as well as just invited participants to re-test with a more recent drop of our server bits if they’d like to.

Finally, I’d be remiss if I didn’t thank the Eternal Optimist herself for doing the work to enable the Catalyst interop to be hosted the OSIS wiki. Doing the interop online with public endpoint information helped the work go as smoothly as possible.

July 1, 2009
Information Card Standard Approved!

Information Card IconOASIS logoI’m thrilled to announce that the Identity Metasystem Interoperability Version 1.0 specification has been approved as an OASIS standard, with 56 votes in favor and none against. This standard benefitted substantially from the input received during the process. Numerous clarifications were incorporated as a result, while still maintaining compatibility with the Identity Selector Interoperability Profile V1.5 (ISIP 1.5) specification.

While this is often said, this achievement is truly the result of a community effort. While by no means a comprehensive list, thanks are due to many, including the OSIS members whose diligent efforts ensured that Information Cards are interoperable across vendors and platforms, the Information Card Foundation members for their adoption and thought leadership work, and the IMI TC members, including co-chairs Marc Goodner and Tony Nadalin, and Mike McIntosh, who was my co-editor. Paul Trevithick and Mary Ruddy get enormous credit for starting and leading the Higgins Project, as does Dale Olds for the Bandit Project. Kaliya Hamlin and Phil Windley were instrumental behind the scenes by running the IIWs. Axel Nennker has been a tireless force, producing both ideas and software, as has Pamela Dingle. Jamie Lewis, Bob Blakley, and Craig Burton all provided insightful guidance on the practical aspects of birthing a new technology. Arun Nanda deserves enormous thanks for doing the heavy lifting to produce the ISIP 1.0 spec. And of course, none of this would have occurred without the leadership and vision of Kim Cameron. Thanks one and all!

June 4, 2009
Information Card Specification Standards Approval Vote

Information Card IconOASIS logoOASIS has scheduled the standards approval vote for the Identity Metasystem Interoperability Version 1.0 specification for June 16-30. My thanks to everyone who submitted comments during the public review. Numerous clarifications have been incorporated as a result of your comments, while still maintaining compatibility with the Identity Selector Interoperability Profile V1.5 (ISIP 1.5) specification.

May 11, 2009
“Geneva” Beta 2 is Here

Microsoft announced the availability of the second beta of its forthcoming “Geneva” claims-based identity software today during Tech•Ed. This is a significant milestone for the team along the path to releasing production versions of the “Geneva” software family, which includes the server, framework, and CardSpace. I’m personally particularly proud of all the interop work that has been done in preparation for this release. I believe that you’ll find it to be high-quality and interoperable with others’ identity software using WS-*, SAML 2.0, and Information Cards.

For more details, see What’s New in Beta 2 on the “Geneva” Team Blog. Visit the “Geneva” information page. Check out the Identity Developer Training Kit. Learn from team experts on the ID Element show. Download the beta. And let us know how it works for you, so the final versions can be even better.

Enjoy!

Next »