Last month, I worked with my colleagues at Twobo and w/ Twobo's partner, Dopter, to organize the first ever all-API-related event in the Nordics. It was great fun, and I'm really happy to play a part in the development of the API community here in Northern Europe. Thanks again to all those who attended and to the sponsors!

We had originally planned on a half-day event, but it filled up weeks ahead of time. So, we added an encore in the morning that included most of the afternoon's presentations. Besides Twobo and Dopter, we also had folks w/ us from Ping Identity, Layer 7 Technologies, Jayway, Axiomatics, Samtrafiken, and others. We've uploaded all the slides, and you can find the recordings of the afternoon sessions on the Nordic APIs YouTube channel. I gave one on API security and another about secure social media integration, which I outlined a couple of months ago on this blog. Here are the recordings of my talks; I'd love your feedback.

The events were so well received that we have arranged a handful of others over the next few months. In May, we'll be in Copenhagen, Denmark; Sundsvall, Sweden; and Aarhus, Denmark. In early June, we'll go up to Norway to a city called Trondheim. These events will be free, half-day conferences like the one in Stockholm last month. We'll be joined by folks from Telenor Comoyo, BlueVia (an initiative of Telenor and Telefonica), Sogeti, and others. In the fall, we'll be joined by a number of speakers and presenters from the Nordics and elsewhere for a 2-day event in Stockholm. The format should be very personal and engaging w/ an unconference, panel discussions, a demo track, concurrent talks, and, hopefully, a group dinner on the first evening.

You can read more about this new series of events in this press release from Twobo and Dopter, on ProgrammableWeb, and on the Twobo Web site. I really hope you'll join in the conversation that's taking place on Twitter, share your thoughts in a comment below, and join us for one of these upcoming events.
I'll be heading up to Stockholm next week where I'll be presenting on BYOD. I'll be joined by others from StjärnaFyrkant, Ping Identity, PwC, Nokia, Sony, Telia, UnboundID, and my colleagues from Twobo. (I think some of the guys from Axiomatics will be around too.) You can find the full agenda here. My session is entitled "Turning your Organization into a Platform: Securely exposing data to apps running on employees' devices." During my talk, I'll present on how social media, mobile, cloud, and big data are having a "platformification effect" on organizations, forcing them to open up data and processes in new ways. I'll give a few examples of orgs who have done this, including my favorite, Pearson. As organizations undergo this shift, it is important that the APIs which they expose take into account the identity of the user who invokes them. Coupling this w/ information about the app/client, location, device, and other context, organizations can make calculated decisions about whether or not they should return the requested resources. In this way, BYOD and COPE are irrelevant. What's relevant is who the user is and what they are allowed to do in a given situation. I explained this in more detail in a whitepaper that you can find on Twobo's site (in English and Swedish). I also blogged about this a few weeks ago, so check there for a bit more detail. The event is February 21, and it starts at 12:00 w/ lunch. So, come in time to grab a bite and talk about how BYOD is affecting Europe and beyond. Attendance is free, and you can find directions here.

Next month, at Nordic APIs in Stockholm, I'll also be giving a very exciting presentation about some innovative new things that we're doing at Twobo with the Janrain API. During my talk, I'll show how organizations can safely and securely use this service to integrate social media into their Web site as well as to publish back to them using a single API. I'll show how Janrain's service can be used with SiteMinder from CA to ensure that only authorized users gain access to sensitive parts of a Web site. What I'll demo allows Web site operators to uniformly consume anonymous, social and more trusted identities that are unaffected by the use or implementation of any particular upstream social network. I'll also show how Web site operators can combine Janrain's social media aggregation API and our integration with SiteMinder with other third-party tools, like Google Analytics, to use social more effectively. This event will be on March 21 at Jayway's office in downtown Stockholm. We'll be joined by presenters from Dopter, Jayway, Ping Identity, and Radio Sweden. We'll start w/ lunch at 12:00 and go till at least 16:00. (We might be joined by one or two more companies, so we may go till 17:00.) The event is free, and we are almost booked up, so RSVP today! More details on the agenda, speakers, etc. can be found on the Nordic APIs Web site.

[Disclosure: Twobo, my company, has a commercial relationship with Ping Identity, StjärnaFyrkant, UnboundID, Jayway, Dopter, CA, and Axiomatics; it also has an interest in both of these events.]
This fall, I'll be presenting at IDentity.Next on behalf of my company, Twobo Technologies. At this conference, which takes place November 20th and 21st in The Hague, I'll be diving into various scenarios and use cases for the emerging provisioning standard, System for Cross-domain Identity Management (SCIM). This will be a sequel of sorts to the talk I did at the Cloud Identity Summit in July where I gave an intro to the new protocol. If you're planning on attending and want to do your prep work, have a look through this slide deck:

Solving the provisioning problem is one thing we must do to benefit from this new IT delivery model. Next month, I'll be traveling down to Amsterdam to discuss this and other challenges with hundreds of other attendees of the Broadband Cloud Summit that's taking place as a part of this year's Broadband World Forum. From the 16th to 18th of October, I'll be joined by tens of thousands of speakers and delegates from tons of organizations who are seeking to find new ways of using digital identity, mobile computing, and the cloud to capitalize on emerging opportunities that they present to telcos and other service providers. Among these will be UnboundID, a partner of Twobo's, and hundreds of other exhibitors. 

So, if you're going to be in the Netherlands over the next couple of months, drop me a line. I'd love to connect w/ you while there. If you're not, keep an eye out here, on Twobo's blog, and on Twitter w/ the hash tags #BBWF and #idn12. As a speaker at IDentity.Next and an official blogger for the Broadband World Forum, I'll certainly have more to say about these events.

(This blog post was sponsored in part by Informa, organizers of the Broadband World Forum.)
The SCIM crew descended on Paris two weeks ago for the IETF 83 meeting. We kicked it off by testing the interoperability of our SCIM implementations for the second time. (IIW last fall was the first.) We paired up about a half dozen clients with roughly the same number of servers, and ran them through two dozen use cases. Participants were there from BCPSOFT, Courion, Gluu, Nexus, SailPoint, Salesforce, UnboundID, WSO2, and I was there testing Ping's new on-demand cloud identity management service, PingOne. It was a great time, and the results were very positive.

The next morning was the Birds of a Feather (BoF). Trey Drake of UnboundID and Morteza Ansari of Cisco WebEx gave an overview of SCIM 1.0 and talked through the proposed charter of an IETF Working Group (WG) that would define the next version of the protocol. I have never participated in the formation of a WG before, so the process was unfamiliar to me. I was expecting the WG to be formed on the spot, but, apparently, that's not the way it works. Instead, BoF attendees raise issues that are ironed out on the mailing list. After the issues are addressed, an IETF Area Director (AD) will decide if the WG should be formed, who should chair it, etc. This will take about 2 to 3 months, so stay tuned.

In the meantime, some of us will be chatting at EIC on a panel about SCIM, we'll be doing more interop testing at IIW 14 (or nearby), and we'll be discussing stuff on the new IETF mailing list. So, come join the growing SCIM community in Munich, San Francisco, or in cyberspace :-)

A question that has been coming up a lot lately is how one sends a SAML bearer token to a downstream WCF service. In each of the recent cases, a front-end app was being presented with a token that it needed to convert to SAML before calling the back-end service. To do this, the Web app would send the incoming token or some other credential to an STS, get the SAML token back, and include it in its request to the next service, as shown in the following sketch:


To create such a system using .NET requires certain config on the client and server, so I'll enumerate what's required on each. At the end of this post, you'll find links to other blog entries w/ more detail and a link to download a sample project.

Web Service Client

Web Service

  • Use the WS2007FederationHttpBinding binding w/ transport security (as in the client)
  • Like in the binding of the client, set the Message.IssuedKeyType to SecurityKeyType.BearerKey
  • Make sure it's expecting the assertion to be signed by the cert of the STS (by wiring up an IssuerNameRegistry that will check)
  • Configure the audience restriction to be the same one included in the SAML assertion
If you're self-hosting your WCF service on Windows 7, check out this write-up from Aviad P. about using netsh to configure HTTPS. (This was the part of all this that took the longest for me. Grr!)
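To make the two halves concrete, here is an added example (my own illustration, not the sample project linked below) that wires up both sides in code rather than config. It assumes WIF 3.5 (Microsoft.IdentityModel.dll) on .NET 4.0, an STS that issues SAML 2.0 bearer tokens over WS-Trust 1.3 with username credentials, and hypothetical addresses, contract names, and a placeholder STS certificate thumbprint. The service side does exactly what the list above says: federation binding with transport security, bearer key type, an IssuerNameRegistry that only trusts the STS certificate, and an audience restriction that must match the AppliesTo the client requested.

```csharp
// Added example, not from the original post. Assumes WIF 3.5 (Microsoft.IdentityModel)
// on .NET 4.0; all addresses, names and the thumbprint below are hypothetical.
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;
using Microsoft.IdentityModel.Tokens;

[ServiceContract]
public interface IBackendService
{
    [OperationContract]
    string WhoAmI();
}

public class BackendService : IBackendService
{
    public string WhoAmI()
    {
        // Once WIF has validated the assertion, the thread principal carries its claims.
        return System.Threading.Thread.CurrentPrincipal.Identity.Name;
    }
}

public static class SamlBearerSetup
{
    // Hypothetical values; replace with your own.
    const string ServiceAddress    = "https://localhost:8443/BackendService";
    const string StsAddress        = "https://sts.example.com/trust/13/usernamemixed";
    const string StsCertThumbprint = "0000000000000000000000000000000000000000"; // placeholder
    const string Saml2TokenType    = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    // Shared binding: federation binding over HTTPS with a bearer (no proof key) SAML token.
    // Client and service must agree on these settings or the token is rejected.
    static WS2007FederationHttpBinding CreateFederationBinding()
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        binding.Security.Message.IssuedTokenType = Saml2TokenType;
        binding.Security.Message.EstablishSecurityContext = false; // one token per call, no secure session
        return binding;
    }

    // ---- Web service side ----
    public static ServiceHost OpenService()
    {
        var host = new ServiceHost(typeof(BackendService), new Uri(ServiceAddress));
        host.AddServiceEndpoint(typeof(IBackendService), CreateFederationBinding(), "");

        var config = new ServiceConfiguration();
        // Accept only assertions signed by the STS certificate (matched by thumbprint).
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(StsCertThumbprint, "https://sts.example.com");
        config.IssuerNameRegistry = registry;
        // Audience restriction: the assertion's AudienceRestriction must name this service.
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(ServiceAddress));

        FederatedServiceCredentials.ConfigureServiceHost(host, config);
        host.Open(); // HTTPS self-hosting still needs the netsh certificate binding mentioned above
        return host;
    }

    // ---- Web service client side ----
    public static string CallServiceAs(string userName, string password)
    {
        // 1. Ask the STS for a SAML 2.0 bearer token scoped (AppliesTo) to the back-end service.
        var stsBinding = new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        var stsFactory = new WSTrustChannelFactory(stsBinding, new EndpointAddress(StsAddress));
        stsFactory.TrustVersion = TrustVersion.WSTrust13;
        stsFactory.Credentials.UserName.UserName = userName;
        stsFactory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = WSTrust13Constants.RequestTypes.Issue,
            AppliesTo   = new EndpointAddress(ServiceAddress),
            KeyType     = WSTrust13Constants.KeyTypes.Bearer,
            TokenType   = Saml2TokenType
        };
        SecurityToken samlToken = stsFactory.CreateChannel().Issue(rst);

        // 2. Attach the issued token to the call to the downstream service.
        var factory = new ChannelFactory<IBackendService>(CreateFederationBinding(), new EndpointAddress(ServiceAddress));
        factory.ConfigureChannelFactory();              // WIF extension: enables issued-token plumbing
        factory.Credentials.SupportInteractive = false; // never fall back to an interactive prompt
        IBackendService proxy = factory.CreateChannelWithIssuedToken(samlToken);
        return proxy.WhoAmI();
    }
}
```

Two things to watch when debugging this: the AppliesTo in the RST and the AllowedAudienceUris on the service must be the same URI, or WIF rejects the assertion with an audience error, and the thumbprint passed to AddTrustedIssuer must be that of the STS signing certificate, not the HTTPS certificate of either endpoint.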

If after reading the above, things aren't quite clear yet, check out these blog posts for more details:

If you're still stuck, have a look at this sample (licensed under the GNU GPL), leave a comment here, and/or email me.