Web services

Digital Identity Management – Challenges and Benefits

Amir Hadziahmetovic has published his MSc in IT thesis, which he wrote under my supervision. It is in English and is called Digital Identity Management – Challenges and Benefits (Download PDF). Besides giving a nice introduction to and analysis of Identity Management, Amir makes some interesting observations about the identity management situation in Denmark. I recommend that everyone read this good thesis.

I’ve extracted a few central paragraphs introducing the project:

The main research problem is how to find the optimal model that will solve Digital Identity (DI) management and the data interchange for electronic business in new network economy. The problem lies in unknown path of how to make choices for interoperable DI, and how to find the optimal strategy to implement chosen model. The research will commence with exploring the area of general Digital Identity Management, continue with analyzing platform for interoperable management and exchange of DIs, including implementation challenges, and end with listing the benefits of having such a platform implemented.

Imagine the sewerage management of a bigger city where each building block has a container for waste waters instead of a city-wide sewerage system. Without drain-pipes connecting the containers, every now and then a container would fill up, and for emptying a pump-trucks would be needed. They would pump out the content from a container, and spill it out at some depot outside the town. This would be very complex system of containers and trucks, difficult to control and manage. Some of the containers would certainly get overfilled, causing flooding and bad smell. With the growth of the city, the system would get even more unreliable. Therefore the majority of today’s cities have outspread sewerage system, which connects the depots, automating the spill of waste waters.

The similar problem modern business has with today’s DI management: Identity data in containers, filling up quickly; the system unable to exchange data with other systems; difficult to maintain and automate the spill of data. To enable development of electronic business, more reliable system for DI management is required.

Business trends today push organizations toward strengthening of cooperation and linking of business processes between them. Many companies and governments are tending to expand their activities by integrating online services and systems, and letting external users access internal data. Individual users want comfortable Web experience, and minimal effort in getting tailor-made products and services. Inability of today’s IT systems to match these trends is choking present development of business. Strengthening of cooperation and linking of business processes is putting pressure on IT systems and belonging infrastructure, requiring that Digital Identity data is created in unified fashion, and safely exchanged between organizations.

Digital Identity Management (IM) is a fundamental part of integrated company systems and online services. It defines who has access to what in some cases, and identifies customers and users of the services in other cases. IM architecture of today has to evolve from predominantly silo to common, interoperable architecture, based on open standards. This kind of architecture is a fundament for Federated IM, where identities are safely exchanged.

This project will try to look at Digital Identity Management, technology and architecture in relation to business goals and strategies. The main concepts of Digital Identity Management will be addressed i.a. concepts like Federated Identity, Single Sign-On (SSO), and Open Standards. The report will present a study of business and technical implications of Federating Identity, where Identity management is the central issue.

An analysis of the practical as well as architectural aspects of Federated Identity will be covered. An analysis of open standards for interoperability will be covered, especially those advised by Danish National IT and Telecom Agency and their Reference Model for Identity. The report will focus on standards from the Model such as Role-Based Access Control (RBAC), Security Assertion Markup Language (SAML), Lightweight Directory Access Protocol (LDAP) and Public certificates for electronic services – OCES Digital Signature, but also will discuss alternatives. Finally privacy issues will be considered.

The fundamental objective of any enterprise IT system must be full support to business flexibility and agility in ever-changing business environment. The ultimate goal of this project is to perceive the challenges of the IM evolution path, and to show how Identity Management supports connection between the systems and the processes, providing users with better web experience.

Method: The project will list general theoretical issues, comparing different views on these issues, and presenting own reasoning.

The obstacles in relation to acceptance of Reference Model for Identity will be analyzed. The analysis will be based on empirical research including feedback from involved organizations, interviews with individuals from selected organizations, conferences, and forums.

Again: Download Amir’s thesis (PDF).

Assertion of Intent

IDABC’s eGovernment Observatory brought this story out in English yesterday: The Danish IT Architecture Committee has decided to stand firm on SAML 2.0 as the recommended standard for federation.

Once broken into English, the story was quickly brought around internationally. SecureID News basically copied the IDABC story, Danish Government says ‘yes’ to SAML 2.0 and encourages Microsoft to support those specifications. Computer Business Review followed up and talked to Liberty Alliance: Identity next public sector battleground for Microsoft?.

There is actually more to the story. First, the decision is actually more than a month old. The National IT Architecture Committee’s decision was made on 21 March. They did send out a Danish press release at that time, but it took a while to get the news out internationally. [maybe I should have blogged it ...]

Anyway, let me dig into the story a bit, because there is a bit more to it than the international coverage caught. Basically, the committee decision was about an open letter to Microsoft. Written by my former colleague, Søren Peter Nielsen from the IT-Strategic Office in the Danish Ministry of Science, Technology and Innovation, and sent via Microsoft Denmark to Don Schmidt, senior program manager for Microsoft’s Identity and Access group, the letter is worth quoting at length:

In the Danish Ministry of Science, Technology and Innovation we have the responsibility to select and recommend IT standards for public sector usage as also create shared services for public sector. This work is undertaken in an open process that involves all levels of public sector institutions.

The Danish public sector decided early in 2005 to recommend using SAML 2.0 for federated identity and access management. This was among other based on the momentum for the standard in product support from various suppliers, plans for actual usage in public sector solutions worldwide, proofing of interoperability through testing, and also very important SAML 2.0 being a ratified OASIS standard.

We now understand that Microsoft has chosen not to support SAML 2.0 in the add-on to Active Directory that you have brought or soon are bringing to market.

We would like to understand your motivations for not supporting SAML 2.0 as basically every other supplier of identity and access management solutions supports – or plans to support – SAML 2.0. So far our only source for information has been news articles (as here) about your decision not to support SAML 2.0. These articles may not contain a valid representation of your message, and even if this is the case really their content doesn’t help us understand the Microsoft motivation. Based on this I have asked Anders to forward the following questions to you:

  • Does the article faithfully reflect the essence of your motivation for not supporting SAML 2.0?
  • Assuming this more or less is true (and I will ask you to respond in all circumstances):
    • You are cited saying: SAML 2.0 protocols are fine for strictly Web single sign-on. In your view is exchange of attributes, and assertions about access rights a part of Web single sign-on? Or do you assert that SAML 2.0 isn’t well suited for these tasks?
    • You are cited saying: SAML 2.0 does not have reliable messaging or transaction support. As far as we can tell neither have WS-Federation, and obviously such functionality should be covered in standards that focus on reliable messaging and transaction, so is your position that SAML 2.0 will not work well with the standards for reliable messaging and transactions that OASIS is working to finalize?
    • What other motivations does Microsoft have for not supporting SAML 2.0 in the currently released product?
  • Assuming the article is not true
    • Can you supply us with the correct information about why Microsoft does not want to support SAML 2.0 in its current product?
    • We understand that Microsoft has a big interest in WS-Federation as Microsoft has been the main driver in developing the specification. However, in the marketplace we see several vendors that in their product supports several standards like SAML 2.0 and at the same time the WS-Federation specification to allow customer choice. This tells us that it is a feasible task to add product support for both SAML 2.0 and WS-Federation. So even though Microsoft may feel that SAML 2.0 isn’t as well suited for the vision Microsoft is having for federation in the future why don’t you support it, and let your customers decide?
  • If you feel Microsoft supports customer choice in the federation space though not supporting SAML 2.0 can you please elaborate on what kind of choice it is that you support?
  • Will Microsoft support SAML 2.0 in future products?
  • ….snip….

I know Søren Peter is on holiday, so I can’t yet ask him about whether he got a response. I’ll be sure to ask him as soon as I see him.

[Disclaimers: a. I work for OASIS (SAML is an OASIS standard), and b. I was heavily involved with making SAML a Danish standard when I worked in the ministry.]
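Both the thesis excerpt above (its list of Reference Model standards, SAML among them) and Søren Peter’s question about whether attribute exchange and assertions about access rights belong to SAML 2.0 come down to what a relying party actually does with an assertion. The following is an added example, not code from the thesis, the ministry, OASIS or this blog: the semantic checks a service provider performs on a SAML 2.0 assertion once its XML signature has been verified by an XML-DSig library (ElementTree cannot verify signatures, so that step is assumed to have happened already). The assertion is constructed, and the issuer, audience and attribute names are placeholders.

```python
"""Semantic checks on a SAML 2.0 assertion (added example, not the page's code).

Assumes the enveloped XML signature has ALREADY been cryptographically verified
by an XML-DSig library such as xmlsec; this code only refuses unsigned
assertions and performs the checks that follow signature verification:
issuer, validity window, audience restriction, and attribute extraction.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion. Issuer, audience and attribute name are
# placeholders, not real identity-provider or service-provider endpoints.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2006-04-27T10:00:00Z">
  <saml:Issuer>https://idp.example.dk/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-42</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2006-04-27T09:59:00Z" NotOnOrAfter="2006-04-27T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.dk/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:role">
      <saml:AttributeValue>caseworker</saml:AttributeValue>
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC, written with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now_utc,
                    skew=timedelta(seconds=60)):
    """Return (ok, reason, attributes); attributes is {} unless ok.

    now_utc is the relying party's clock as an xsd:dateTime string, so the
    validity window can be checked deterministically. skew tolerates small
    clock differences between identity provider and service provider.
    """
    now = _parse_time(now_utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion", {}
    # An assertion without a signature element cannot have been verified.
    if root.find("ds:Signature", NS) is None:
        return False, "unsigned assertion", {}
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        return False, "unexpected issuer %r" % issuer, {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", {}
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_time(not_before):
        return False, "assertion not yet valid", {}
    if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
        return False, "assertion expired", {}
    # Audience restriction: the assertion must be addressed to this SP, or it
    # could be replayed from another service that received it legitimately.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        return False, "assertion not addressed to this SP", {}
    # Attribute statement: the access-right information the letter asks about.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, "ok", attrs


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://idp.example.dk/metadata",
                          "https://sp.example.dk/metadata", "2006-04-27T10:02:00Z"))
```

The order matters: signature verification first, then issuer, window and audience, and only then are the attributes handed to the authorisation layer (an RBAC mapping from the role values, in the Reference Model’s terms). An assertion that fails any earlier check yields no attributes at all.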

My bookshop

Several years ago, I created Gotzemazon, an Amazon-WS-driven shop. People out there are actually using it (thank you!), so I thought it was time to refresh it a bit. I see some opportunities in thematic bookshops, for example an EA Bookshop and an XML bookshop (these are just simple rewrites of bestseller lists). If only one had time to play … Well, I did play around a little. In playing with the rewrite rules, I created a “short” URL – http://slashdemocracy.org/booksearch/ – that I (and you, if you want) can use for quick searches, such as a search for XML-books: http://slashdemocracy.org/booksearch/xml. It’s nothing special, but might be handy.

Speaking of XML: Mr Safe is back!

Literally as a document

There is progress in my development of a web service for the Danish Interoperability Framework. The web service, which I have a developer, Dat, in Vietnam helping me develop, was originally modelled after the Google api, and used rpc-encoded bindings. But in order to enable “interoperability by the book”, the updated version of the web service now uses a document literal binding method in the WSDL.
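To make the rpc/encoded versus document/literal switch concrete, here is an added example that is not the WS4LSQL plugin’s own code (that is Perl on SOAP::Lite) and does not use the real service’s namespace or element names, which are hypothetical here. It builds the same search request in both styles and shows the practical security difference: an rpc/encoded body is self-describing through xsi:type hints that a generic decoder trusts, whereas a document/literal body is one schema-defined element that the receiver can check strictly against the WSDL types before doing anything with it.

```python
"""Two SOAP 1.1 request shapes for one 'search' operation (added example).

Namespace, operation and element names are hypothetical stand-ins, not those
of the Danish Interoperability Framework service discussed on the page.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSD = "http://www.w3.org/2001/XMLSchema"
SVC = "urn:example:interop-search"  # hypothetical service namespace

# Constructed rpc/encoded request: the Body child is named after the operation,
# the parameter parts are unqualified, and each carries an xsi:type hint that
# a generic SOAP encoder uses to decide how to decode the value.
RPC_ENCODED = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}" xmlns:xsi="{XSI}" xmlns:xsd="{XSD}">
  <soapenv:Body>
    <ns:search xmlns:ns="{SVC}" soapenv:encodingStyle="{SOAP_ENC}">
      <query xsi:type="xsd:string">xml</query>
      <maxResults xsi:type="xsd:int">10</maxResults>
    </ns:search>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed document/literal (wrapped) request: the Body holds exactly one
# element declared in the WSDL <types> schema; its children are qualified and
# carry no type hints, because the schema already fixes their types.
DOC_LITERAL = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}">
  <soapenv:Body>
    <ns:searchRequest xmlns:ns="{SVC}">
      <ns:query>xml</ns:query>
      <ns:maxResults>10</ns:maxResults>
    </ns:searchRequest>
  </soapenv:Body>
</soapenv:Envelope>"""

# Stand-in for the WSDL <types> section: wrapper element -> ordered children
# with their declared types. This is what the receiver validates against.
DOC_SCHEMA = {
    "{%s}searchRequest" % SVC: [("{%s}query" % SVC, str), ("{%s}maxResults" % SVC, int)],
}


def _body_child(envelope_xml):
    """Return the single child of soapenv:Body, rejecting empty or multiple payloads."""
    body = ET.fromstring(envelope_xml).find("{%s}Body" % SOAP_ENV)
    children = list(body) if body is not None else []
    if len(children) != 1:
        raise ValueError("expected exactly one Body child, got %d" % len(children))
    return children[0]


def dispatch_rpc_encoded(envelope_xml):
    """rpc/encoded: operation = Body child's local name, values decoded via xsi:type."""
    op = _body_child(envelope_xml)
    params = {}
    for part in op:
        # The sender's type hint drives decoding; nothing here checks the hint
        # against what the operation actually expects.
        xsi_type = part.get("{%s}type" % XSI, "xsd:string")
        params[part.tag] = int(part.text) if xsi_type == "xsd:int" else part.text
    return op.tag.split("}")[1], params


def dispatch_doc_literal(envelope_xml):
    """document/literal: operation = wrapper element; shape checked against DOC_SCHEMA."""
    wrapper = _body_child(envelope_xml)
    expected = DOC_SCHEMA.get(wrapper.tag)
    if expected is None:
        raise ValueError("unknown request element %s" % wrapper.tag)
    children = list(wrapper)
    if [c.tag for c in children] != [tag for tag, _ in expected]:
        raise ValueError("body does not match schema: %s" % [c.tag for c in children])
    return wrapper.tag.split("}")[1], {
        c.tag.split("}")[1]: conv(c.text) for c, (_, conv) in zip(children, expected)
    }


def accepts_doc_literal(envelope_xml):
    """True if the envelope passes the document/literal schema check."""
    try:
        dispatch_doc_literal(envelope_xml)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(dispatch_rpc_encoded(RPC_ENCODED))
    print(dispatch_doc_literal(DOC_LITERAL))
```

A real deployment would hand the Body element to a proper XSD validator against the WSDL’s schema instead of the DOC_SCHEMA dictionary; the point is that with document/literal there is a schema to validate against at all, so an extra or reordered element is refused before it reaches the search code.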

I would like to invite web service practitioners to evaluate the service. My intent is to make the service fully standards compliant, but I am challenged by the spec, and can’t get the test tool to run.

I am using a few online tools to play around with the service:

It seems the service works, but I did find a few bugs, and invite bughunters and -reports.

I am pretty excited about the web service :-) It is beginning to be a “serious” thing, although everything is done in my spare time and with a very small budget. My excitement is not only about the service itself, but also about the nature of the solution. The web service is made as a plugin – codenamed WS4LSQL – to a popular web application system (Gossamer Threads Links SQL), and can with a bit of work be reused on the thousands of sites that run LSQL (need SOAP::Lite on the server). I have released the code to the community, but still await someone else than myself to adopt the plugin.

The WS4Gotze web service over at GotzeLinked runs on the same plugin (old version) but I know somebody out there is using the service, and hereby give them a word of notice, since things are changing there too soon. You should drop me a mail and let me know if you are using my web services.
