Wednesday, May 05, 2010
EIC 2010: Kim Cameron on Minimal Disclosure

German blogger "mrtopf" has posted an excellent summary of Kim Cameron's keynote, delivered yesterday at the European ID Conference in Munich.

In his talk Kim disclosed his new project, the Federated Directory Project, using the cloud, claims, minimal disclosure and roping in (one way or another) most of the existing ID protocols and systems. It was a breathtaking tour-de-force as only Kim can deliver it. There'll be a lot more to come as Cameron tries to bring as much input as possible to bear on his project. Watch for opportunities to get involved in a community that will (hopefully) coalesce around this. Stay tuned!

Labels: Active Directory, ADFS, architect, cloud, EIC, federation

Monday, July 13, 2009
Geneva was better

At its Worldwide Partners Conference today, Microsoft announced the formal names for the products and services that had been going under the code name "Geneva":
Not nearly as catchy as "Vista", but that name has too much baggage. My preference would have been for Geneva Federation Services, Geneva Identity Foundation and GenevaCards. But, then, I don't make the big bucks!

Labels: cardspace, federation, Geneva, metasystem, Microsoft

Thursday, February 05, 2009
Self-service de-provisioning

The always intriguing Pam Dingle has come up with what I believe is an entirely new feature for IdM systems - self-service deprovisioning!

In a typical self-service system, a user's accounts, authorizations, applications, etc. are pre-configured and are installed/activated the first time the user signs in. But in a post called Federated De-provisioning, Pamela extends this capability of self-service to the de-provisioning event. She describes it as:

"There is no reason why an authority could not return a set of claims at the time a terminated user attempts to authenticate to the Relying Party that says (a) do not authenticate, and (b) de-provision immediately. If the authority is set up to do so, the Relying Party is home free! The urgent use case has been taken care of (ie abuse), and the non-urgent cases can be dealt with at leisure, because the associated risk is dealt with. Who cares if it takes a month to actually delete the account, if you can guarantee that should the terminated user attempt to access the resource during that time, a real-time status check will occur and the termination will be discovered?"

Brilliant! Let's see who's first to market with this...

Labels: federation, provisioning, SAML
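
The relying-party side of the federated de-provisioning flow quoted in the post above, sketched as an added example (not code from the blog, from Pam Dingle's post, or from any product). The claim names, the `RelyingParty` class and the rule that a disabled account stays disabled are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical claim names: the post does not define any claim types.
CLAIM_AUTHENTICATE = "example:authenticate"   # "true" or "false"
CLAIM_DEPROVISION = "example:deprovision"     # "immediate" for a terminated user


@dataclass
class RelyingParty:
    accounts: dict = field(default_factory=dict)        # user -> "active" | "disabled"
    cleanup_queue: list = field(default_factory=list)   # accounts to delete at leisure
    audit: list = field(default_factory=list)           # (event, user) tuples

    def handle_login(self, user, claims):
        """Return True only if a session may be created for `user`.

        Assumes `claims` came from a response whose signature and issuer
        were already validated; unsigned claims must never reach this point.
        """
        if claims.get(CLAIM_DEPROVISION) == "immediate":
            # Urgent case: cut off access now, delete the account later.
            if self.accounts.get(user) == "active":
                self.accounts[user] = "disabled"
                self.cleanup_queue.append(user)
                self.audit.append(("deprovisioned", user))
        # Fail closed: a missing claim or a disabled account means no session.
        allowed = (claims.get(CLAIM_AUTHENTICATE) == "true"
                   and self.accounts.get(user) == "active")
        self.audit.append(("login" if allowed else "denied", user))
        return allowed


def demo():
    """Constructed sample: alice is current, bob has been terminated."""
    rp = RelyingParty(accounts={"alice": "active", "bob": "active"})
    results = [
        rp.handle_login("alice", {CLAIM_AUTHENTICATE: "true"}),
        rp.handle_login("bob", {CLAIM_AUTHENTICATE: "false",
                                CLAIM_DEPROVISION: "immediate"}),
        # Design assumption: a later "true" does not silently re-enable bob.
        rp.handle_login("bob", {CLAIM_AUTHENTICATE: "true"}),
    ]
    return results, rp


if __name__ == "__main__":
    print(demo()[0])
```

The cleanup queue is what makes the slow path safe: the account is unusable from the moment the termination claim arrives, and the actual deletion can follow on whatever schedule the relying party keeps.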
© 2003-2006 The Virtual Quill, All Rights Reserved