Musings on Digital Identity

Category: Software

Information Cards, i-names, OpenID, Ruby, and Interop!

My congratulations to ooTao and LinkSafe for enabling account creation and login at LinkSafe’s i-broker using Information Cards. Building on what I wrote earlier about I-names without Passwords at LinkSafe, Andy Dale recently wrote:

Working together Microsoft, LinkSafe and ooTao have developed the first Info-Card enabled i-broker. You can register for an i-name at LinkSafe and subsequently log in to any OpenID 2.0 relying party without ever entering a password. All of the security can be Info-Card driven.

We have made the Ruby RP Module deployed at LinkSafe available under BSD license along with a simple ‘hello world’ app that demonstrates driving the module.

See Andy’s post for instructions on where to get the software and for a demo site where you can try it out.

And as long as I’m on the topic of trying out software, I thought I’d mention that the latest OSIS User-Centric Identity Interop is under way! Visit the new OSIS page and browse through the Interop Participants, the Software Solutions, and the Cross Solution Results. There’s more to come, including more participants (contact me if you’re interested!) and feature-specific tests, but I wanted to let people know that we’re out there testing our software together now, including both Information Card and OpenID implementations, with Interop demonstrations to occur at the RSA Conference in April. And of course, ooTao and LinkSafe are participating!

Information Card Relying Party Software for Python

While you’ve seen posts here about Information Card Relying Party code for lots of programming languages and environments (ASP.Net, Ruby, Java, PHP, C), one language I haven’t posted about before is Python. To make up for that, here’s information about two Python implementations.

Turns out that the Bandits, in their inimitable style, have been quietly churning out useful code. In this case, Duane Buss built Python relying party code to use at the Bandit Project’s Code pages (Bandit Trac) and also released it for general use. After only minimal cajoling, he also created a demo Python relying party.

Meanwhile JanRain, another group well-known for producing high-quality identity code, also built a Python relying party implementation, in their case to use at MyOpenID.com. As Brian Ellin just wrote, JanRain has released their Python code for accepting self-issued Information Cards for all to use. Have at it, Python hackers!

ASP.Net Information Card Relying Party Software

Dominick Baier recently extended his Information Card relying party ASP.Net Control so that it can be used on sites without SSL in the same way as on sites employing SSL. It’s available under an MIT License, so everyone should be able to use it.

At my urging, he also added a demo site where you can try it out, both with and without SSL, and with both self-issued and managed cards. I’ve added the demo site to my page of Sites Using Information Cards.

Firefox Information Card Add-on Collaboration

The new release of the Firefox Information Card add-on recently announced by Axel Nennker is notable not only for its features, but also because it incorporates contributions by Andy Hodgkinson of the Bandit Project that make it work with the DigitalMe Identity Selector. This means that the same Firefox add-on can now be used with at least three Identity Selectors — openinfocard, DigitalMe, and Windows CardSpace.

The benefits of sharing this core piece of Information Card infrastructure became apparent when some recent releases of Firefox broke the add-on in some scenarios. Because several copies of the code were in use by different projects by then, all the projects had to make their own fixes in their copies, both duplicating effort, and increasing the chances that different selectors would behave differently in quirky and non-obvious ways. I’m really pleased that Andy pitched in and contributed his fixes to the add-on project and that Axel incorporated them in a way that I believe means that DigitalMe won’t have to use a separate add-on anymore. Hopefully the other identity selectors will also follow suit soon, eliminating any unnecessary forking in this key project.

One nit with Axel’s post though… While he suggested calling the add-on “CardSpace for Firefox”, even though I’m a fan of CardSpace, the add-on is intended to work with any Identity Selector — not just CardSpace. Therefore I’d prefer selector-neutral names for the project like “Firefox Information Card add-on”, “Firefox Identity Selector add-on”, “Information Cards for Firefox”, etc. What selector-neutral term for the project do others prefer?

New Version of CardSpace Available

.NET 3.5 Default Card Image

I’m pleased to announce that the .NET Framework 3.5, which includes a new version of Windows CardSpace, is now available for download. The CardSpace team has been blogging about the new features and usability improvements at the team blog CardSpace: Behind the Code. I highly recommend reading it to understand the details of what the team has included in this release.

I did choose a picture for this post, however, that is emblematic to me of the many usability improvements, large and small, that have been made since the initial CardSpace release in the .NET Framework 3.0. The colored image is the new default self-issued card graphic. The previous default image was sepia-toned, making it difficult to visually distinguish between “full-color” and grayed-out versions of the image (which are shown when the card does not meet the requirements of a relying party). Based on customer feedback, we changed the default image so that it’s now easy to tell the two apart. This is but one example of the numerous improvements we’ve made to CardSpace based on feedback from actual use.

Like its predecessor, the new version runs on Windows XP, Windows Server 2003, and Windows Vista. Download it and give it a whirl!

New Release of Firefox Information Card Add-on

I wanted to call your attention to the new release of the Firefox Information Card add-on that Axel Nennker posted this week. Axel’s changes address a number of issues identified during the Interop at Catalyst in Barcelona. Among other things, with this add-on, Firefox now supports:

  • privacyUrl and privacyVersion, which enable privacy policies to be shown,
  • issuer and issuerPolicy, which enable the use of Relying Party STSs, and
  • sites that don’t use SSL certificates (which use http rather than https).

I believe that this brings Firefox up to feature parity with the Information Card support in IE7 when used with CardSpace, as well as enabling the use of Firefox with additional identity selectors such as the openinfocard selector and others. Thanks for the great work Axel!

User-Centric Identity Interop at Catalyst in Barcelona

Logos of Barcelona Interop Participants 2007

Last night OSIS and the Burton Group held the third in a series of user-centric identity Interop events where companies and projects building user-centric identity software components came together and tested the interoperation of their software together. Following on the Interops at IIW in May and Catalyst in June, the participants continued their joint work of ensuring that the identity software we’re all building works great together.

This Interop had a broader scope along several dimensions than the previous ones:

An excerpt from Bob Blakley’s insightful-as-always commentary on the Interop is:

The participants have posted their results on the wiki, and a few words are in order about these results. The first thing you’ll notice is that there are a significant number of “failure” and “issue” results. This is very good news for two reasons.

The first reason it’s good news is that it means enough new test cases were designed for this interop to uncover new problems. What you don’t see in the matrix is that when testing began, there were even more failures — which means that a lot of the new issues identified during the exercise have already been fixed.

The second reason the “failure” and “issue” results are good news is that they’re outnumbered by the successes. When you consider that the things tested in Barcelona were all identified as problems at the previous interop, you’ll get an idea of how much work has been done by the OSIS community in only 4 months to improve interoperability and agree on standards of component behavior.

Be sure to read his full post for more details on what the participants accomplished together. And of course, this isn’t the end of the story. An even wider and deeper Interop event is planned for the RSA Conference in April 2008. Great progress on building the Internet identity layer together!

More Open Source Information Card Relying Party Software Projects

Today at the ZendCon conference in San Francisco, Microsoft announced two additional open source Information Card Relying Party software projects. These projects for the PHP and C languages complement those that were previously announced for Ruby and Java. All make it easy for web sites to add the ability to accept and create accounts with Information Cards.

The PHP software is being built by Zend Technologies. It can be used either as a stand-alone component or in combination with the Zend Framework. The C software has been built by Ping Identity. It implements core crypto and SAML token processing code for accepting Information Cards that can be utilized from any development environment.

See these sites for details on the projects:

C Relying Party code:
http://www.codeplex.com/InformationCard

PHP Relying Party:
http://www.codeplex.com/InformationCardPHP

Ruby on Rails Relying Party:
http://rubyforge.org/projects/informationcard/
http://www.codeplex.com/informationcardruby

Java Relying Party:
http://sourceforge.net/projects/informationcard/
http://www.codeplex.com/informationcardjava

DigitalMe Identity Selector for the Mac

Today Andy Hodgkinson announced a binary release of the DigitalMe Identity Selector for Mac OS X. Now Mac users can use Information Cards with just a drag-and-drop install! This release builds upon the earlier success of their binary release for SuSE Linux.

As Andy wrote: “I would encourage anyone interested in using information cards on the Mac to install DigitalMe and the Firefox plug-in.” I’ll second that. Go check it out!

Congratulations again to the Bandit team!

DigitalMe Mac screen shot

Information Cards for OpenIDs

Sxip Identity just finished a draft specification that enables a really useful form of convergence between OpenIDs and Information Cards: presenting your OpenID as an Information Card you select rather than as a string you type. Johnny Bufu’s OpenID general mailing list note introduces this specification for community review.

This combination has several advantages over standard OpenID usage. First, there’s no OpenID string to type when you use your OpenID, which should make OpenIDs easier for more people to use. Second, this is a phishing-resistant authentication method. Finally, it lets you recognize and choose your OpenID visually, based on the card graphics supplied by the OpenID provider.

Sxip also backed this specification by a sample implementation, which you can check out at https://openidcards.sxip.com/. Now for some more details….

Here’s how it works: In this model, the OpenID relying party asks for an OpenID Information Card using an object tag on the page rather than having the user type the OpenID as a string (while probably also giving the user the option to instead type in the string for backwards compatibility). The user’s Identity Selector then lets the user choose which OpenID card to send to the site. The card transmits the actual OpenID string to the site as a claim. From that point on, standard OpenID protocol interactions ensue.

For instance, the sample relying party page asks you to “Login with an OpenID InfoCard” and requests the card using this evocative graphic:

OpenID InfoCard

Upon clicking the graphic, my identity selector is invoked, which shows me that I can use this OpenID Information Card at the site (which I’d previously obtained here):

Sxip OpenID InfoCard

After that, the sample performed a standard OpenID attribute exchange and the relying party greeted me with:

Welcome! You have logged in using your https://openidcards.sxip.com/i/mbj OpenID identifier.

Phone: (omitted)
Country: USA
Email: mbj@microsoft.com
City: Redmond
Address: One Microsoft Way, Building 40/5138
LastName: Jones
FirstName: Mike

Behind the scenes, the relying party had received this OpenID assertion:

<openid:OpenIDToken xmlns:openid="http://specs.openid.net/auth/2.0">openid.ns:http://specs.openid.net/auth/2.0
openid.op_endpoint:https://openidcards.sxip.com/op/
openid.claimed_id:https://openidcards.sxip.com/i/mbj
openid.response_nonce:2007-08-26T20:55:34Z0
openid.mode:id_res
openid.identity:https://openidcards.sxip.com/i/mbj
openid.return_to:https://openidcards.sxip.com/demorp/
openid.assoc_handle:f27d249fc4108198
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:gKKpDjEbgByJo48Q800Jq4gCJng=
openid.ns.ext1:http://openid.net/srv/ax/1.0-draft4
openid.ext1.mode:fetch_response
openid.ext1.type.attr1:http://axschema.org/contact/phone/default
openid.ext1.value.attr1:(omitted)
openid.ext1.type.attr2:http://axschema.org/contact/country/home
openid.ext1.value.attr2:USA
openid.ext1.type.attr3:http://axschema.org/contact/email
openid.ext1.value.attr3:mbj@microsoft.com
openid.ext1.type.attr4:http://axschema.org/contact/city/home
openid.ext1.value.attr4:Redmond
openid.ext1.type.attr5:http://axschema.org/contact/postalAddress/home
openid.ext1.value.attr5:One Microsoft Way, Building 40/5138
openid.ext1.type.attr6:http://axschema.org/namePerson/last
openid.ext1.value.attr6:Jones
openid.ext1.type.attr7:http://axschema.org/namePerson/first
openid.ext1.value.attr7:Mike
</openid:OpenIDToken>

One final technical note that will be of interest to some of you: OpenID Information Cards do not use SAML tokens. They use one of two variants of openid:OpenIDToken tokens (depending upon whether the OpenID relying party uses OpenID 1.1 or 2.0 authentication).
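To make the flow described above concrete, here is an added example (not code from the post, from Sxip, or from the draft specification) of what a relying party does with an openid:OpenIDToken once the identity selector has delivered it: strip the element, parse the key:value lines, confirm that the fields the relying party depends on are covered by openid.signed, and recompute the OpenID 2.0 signature over exactly those fields. The association secret, the HMAC-SHA1 association type, and the sample token built from the assertion shown above are all constructed for this demo; the signature in the real assertion cannot be checked here because its secret is not on the page. Note also that in the assertion shown above openid.signed lists only the core fields, so the AX attribute values are not covered by the signature, which is why the example reads them separately rather than treating them as verified.

```python
"""Added example: parse an openid:OpenIDToken payload and verify the OpenID 2.0
signature a relying party relies on. Not code from the post or from Sxip."""
import base64
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Constructed association secret shared by OP and RP for this demo only.
SAMPLE_SECRET = b"constructed-demo-association-secret"
# return_to of the demo relying party, taken from the assertion in the post.
SAMPLE_RETURN_TO = "https://openidcards.sxip.com/demorp/"
# Core fields OpenID 2.0 requires to be signed in a positive assertion
# (claimed_id and identity must also be signed whenever they are present).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")

_TAG_RE = re.compile(r"^\s*<openid:OpenIDToken[^>]*>|</openid:OpenIDToken>\s*$")


def parse_openid_token(token_xml: str) -> Dict[str, str]:
    """Strip the OpenIDToken element and parse the key:value lines inside it.
    Keys never contain ':' but values (URLs) do, so split on the first colon."""
    body = _TAG_RE.sub("", token_xml)
    params: Dict[str, str] = {}
    for line in body.split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        params[key] = value
    return params


def signed_key_value_form(params: Dict[str, str]) -> bytes:
    """'key:value\\n' over exactly the fields named in openid.signed, in order."""
    fields: List[str] = params["openid.signed"].split(",")
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode("utf-8")


def compute_signature(params: Dict[str, str], secret: bytes) -> str:
    """Base64 HMAC-SHA1 over the signed form (assumes an HMAC-SHA1 association)."""
    mac = hmac.new(secret, signed_key_value_form(params), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_assertion(params: Dict[str, str], secret: bytes,
                     expected_return_to: str) -> Tuple[bool, str]:
    """Checks to make before trusting the identity claim; returns (ok, reason)."""
    if params.get("openid.ns") != OPENID_NS:
        return False, "not an OpenID 2.0 message"
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to does not match this relying party"
    signed = set(params.get("openid.signed", "").split(","))
    for field in REQUIRED_SIGNED:
        if field not in signed:
            return False, f"{field} is not covered by the signature"
    for field in ("claimed_id", "identity"):
        if "openid." + field in params and field not in signed:
            return False, f"{field} present but not signed"
    try:
        expected = compute_signature(params, secret)
    except KeyError as exc:
        return False, f"signed field missing from message: {exc}"
    if not hmac.compare_digest(expected.encode(), params.get("openid.sig", "").encode()):
        return False, "signature mismatch"
    return True, "ok"


def ax_attributes(params: Dict[str, str], alias: str = "ext1") -> Dict[str, str]:
    """Attribute Exchange values keyed by type URI; unsigned unless openid.signed
    lists the extension fields, so treat them as hints rather than verified data."""
    prefix = f"openid.{alias}.type."
    attrs: Dict[str, str] = {}
    for key, type_uri in params.items():
        if key.startswith(prefix):
            attr = key[len(prefix):]
            attrs[type_uri] = params.get(f"openid.{alias}.value.{attr}", "")
    return attrs


def build_sample_token(secret: bytes) -> str:
    """Constructed token modelled on the assertion in the post, with the
    signature recomputed from the demo secret so the example verifies."""
    fields = [
        ("ns", OPENID_NS),
        ("op_endpoint", "https://openidcards.sxip.com/op/"),
        ("claimed_id", "https://openidcards.sxip.com/i/mbj"),
        ("response_nonce", "2007-08-26T20:55:34Z0"),
        ("mode", "id_res"),
        ("identity", "https://openidcards.sxip.com/i/mbj"),
        ("return_to", SAMPLE_RETURN_TO),
        ("assoc_handle", "f27d249fc4108198"),
        ("signed", "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"),
        ("ns.ext1", "http://openid.net/srv/ax/1.0-draft4"),
        ("ext1.mode", "fetch_response"),
        ("ext1.type.attr3", "http://axschema.org/contact/email"),
        ("ext1.value.attr3", "mbj@microsoft.com"),
    ]
    params = {"openid." + k: v for k, v in fields}
    params["openid.sig"] = compute_signature(params, secret)
    lines = "\n".join(f"{k}:{v}" for k, v in params.items())
    return f'<openid:OpenIDToken xmlns:openid="{OPENID_NS}">{lines}\n</openid:OpenIDToken>'


if __name__ == "__main__":
    parsed = parse_openid_token(build_sample_token(SAMPLE_SECRET))
    print(verify_assertion(parsed, SAMPLE_SECRET, SAMPLE_RETURN_TO))
    print(ax_attributes(parsed))
```

The verification order matters: the return_to and signed-field checks run before the HMAC so that a token that validates cryptographically but was issued for a different site, or whose identity field sits outside the signed set, is still rejected. A production relying party would additionally reject a response_nonce it has already seen for that OP endpoint, which this demo leaves out.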

Go get yourself an OpenID Information Card and give it a spin! Read and comment on the spec. Or even better yet, implement it and tell us about your experience!

Initial Release of Bandit Project’s DigitalMe Identity Selector

Let me be the first to congratulate the Bandit and Higgins project members on the release of the DigitalMe Identity Selector for SuSE Linux! Now, for the first time, Linux users have an installable Identity Selector available to them that enables them to use Information Cards in a way that’s compatible with Windows CardSpace. See Novell’s press release “Bandit Project’s Cross-Platform Card Selector Gives Users Control of their Internet Identities“, the Identity Selector Service page, and the Identity Selector Service Download page for more details.

This announcement lets people who aren’t developers start to use Information Cards on Linux and builds on the interoperability successes demonstrated at Brainshare. And as the downloads page says, “Work is under way to provide packages for other Linux distros, OS X and Windows.” Great stuff!

Congratulations again!

Information Card Relying Party Resources

Today Microsoft released two related code samples for Information Card relying parties: the Information Card Kit for HTML and the Information Card Kit for ASP.NET 2.0.

The HTML kit is platform-independent JavaScript and CSS code that can be used to dynamically detect client Information Card support and tailor the web site’s interactions with the user accordingly. If Information Cards are supported, this code will request an Information Card for the site. Utility code included can also be used to display passive notifications. Additional code will be required at the server to consume the security token sent by the user. Download the HTML kit here.

The Information Card Kit for ASP.NET 2.0 contains code that can be used on the ASP.NET 2.0 platform to accept Information Cards. This code enables the server to consume the security token delivered to the server when the person uses an Information Card. Download the ASP.NET 2.0 kit here.

WS-Federation code checked into OpenSSO

Great news from Pat Patterson of Sun Microsystems about support for WS-Federation now being checked into the OpenSSO project:

The WS-Federation service provider and configuration CLI code was committed into OpenSSO yesterday – this PDF gives some basic instructions on getting started with WS-Fed and OpenSSO. Note that this is just the initial drop of code – still to come is identity provider support.

Give it a whirl and send us feedback at dev(at)opensso.dev.java.net.

Hands-On Information Card Interop at IIW

On Tuesday afternoon at IIW representatives from numerous Information Card projects sat down at the same table (actually, 3 tables so we would all fit :-) ) and systematically used our implementations together, exercising the different possible combinations. The session notes, as posted on the OSIS wiki, tell the story:

Notes from IIW 2007a

The OSIS group sponsored an Information Card interoperability connect-a-thon on May 15, 2007 as part of the Internet Identity Workshop 2007 A in Mountain View California. Participants collaborated to work through combinations of Identity Provider, Identity Agent, and Relying Party scenarios, in order to identify and workshop problems with interoperability. The following representatives were present and participated:

5 Information Card Selectors

  • Ian Brown’s Safari Plugin
  • XMLDAP
  • Windows CardSpace
  • Higgins IdA Native
  • Higgins IdA Java

11 Relying Parties

  • Bandit (basic wiki authentication)
  • Bandit (elevated privileges)
  • PamelaWare
  • CA
  • XMLDAP
  • Windows Live RP (used to obtain a managed card)
  • Windows Live/single-issuer (where you can use the managed card)
  • Oracle RP
  • Identityblog RP (based on Rob Richards’ library)
  • Identityblog helloworld token RP
  • UW/Shibboleth

7 Identity Providers

  • Higgins
  • Bandit
  • XMLDAP
  • UW/Shibboleth
  • LiveLabs
  • HumanPresent
  • Identityblog HelloWorld IdP

4 Token Types

  • SAML 1.0
  • SAML 1.1
  • helloworld
  • username token

2 Authentication Mechanisms

  • username/password
  • self-issued (personal) card

Many combinations interoperated as expected; several issues were identified and are being fixed in preparation for the coming Information Card Interop event to be held at the Burton Group Catalyst Conference in San Francisco (June 25-29).

One of the things I love about IIW is that it’s a working meeting — not a series of mind-numbing presentations. This interop was a great example of the industry coming together and doing work together. And of course, this session was a dry run for the upcoming User-Centric Identity Interop event coming at Catalyst next month, where even more projects will be represented. Hope to see many of you there!

Open Source Information Card Relying Party Software Projects

Today at the Interop Conference in Las Vegas, Bob Muglia announced Microsoft’s sponsorship of four open source projects that are producing Information Card Relying Party software for important web programming environments: Ruby on Rails, Java, PHP, and C. The press release, which also talks about extending the Open Specification Promise to the Information Card Specifications, contains supportive quotations from several friends in the identity community: Paul Trevithick and Mary Ruddy, Tony Nadalin, Dale Olds, and Gerry Gebel.

Details on the Ruby and Java projects were announced, with details on the PHP and C projects to follow. See these sites for details:

Ruby on Rails Relying Party:
http://rubyforge.org/projects/informationcard/
http://www.codeplex.com/informationcardruby

Java Relying Party:
http://sourceforge.net/projects/informationcard/
http://www.codeplex.com/informationcardjava

Shibboleth Supporting Information Cards

Today Internet2 announced that it is adding Information Card support to Shibboleth. This will enable the millions of members of the academic and research communities with identities provided by Shibboleth software to use those identities under user control through Information Cards at sites where they are accepted. Microsoft is a sponsor of this work, just as it sponsored the earlier Internet2 work to add WS-Federation support to Shibboleth.

I had the pleasure of test driving an early version of this software running at the University of Washington during IIW last week during the user-centric interop session there on Tuesday afternoon, courtesy of RL “Bob” Morgan. Very cool!
