Travis Spencer - Software Engineer

Imagine you have a scenario where you want to authenticate end users to your Web site with a consumer-grade authentication protocol like OpenID, OAuth, Facebook Connect, etc. from many different Identity Providers (IdPs). Also, suppose you need to SSO from your site to another or you want to invoke a partner's Web service that requires calls to be secured w/ a WS-Security token. For instance, imagine you have an e-commerce Web site. To increase engagement, conversion rates, yadda yadda, you want to allow customers to login w/ their Twitter, Yahoo!, Facebook, or Google accounts. When a user posts a question in your forum, which you've outsourced to a third-party, you need to SSO to that partner's site which exposes a SAML endpoint. Imagine you also want to publish the user's activity in the forum to one or more of their social networks. Tall order! How might you accomplish this? I've been wondering this, and here's my idea.

My solution leverages PingFederate and Gigya Connect (both of which are sold by companies I'm affiliated w/). Gigya Connect is used as an abstraction that hides all the IdPs and provides a unified representation of a customer. PingFederate marshals this abstract notion of the user into a SAML, WS-Federation, or WS-Trust message for SSO purposes. From a high level, we have this:



In the sketch, I am trying to show how each of the IdPs sends their own types of tokens (T_T, T_Y, T_FB, T_GOOG) to Gigya which normalizes it into a Gigya token (T_G). When the Web app receives this, it can send user-related info to PingFederate, and it sends a SAML message (T_SAML) to the partner (i.e., the Service Provider or SP). At the SP, it can use the Gigya API and the user's ID passed in T_SAML to publish activity back to Twitter, Google Buzz, FB, etc. Sounds easy when I write it all out like this, but the devil's certainly in the details on this one.

To make this work, I started w/ the HTML doc I wrote after chatting w/ David Brisebois on Twitter the other day. Literally, all I had to change was the location the form was submitted to (nice!):
   
<body onload="onLoad()">
    <p>Please Sign In using one of the following providers:</p>
    <div id="loginDiv"></div>
    <form method="post" action="https://idp:9031/idp/startSSO.ping?PartnerSpId=localhost:gigya:entityId:sp">
</form>

If you look at the whole doc, you'll see in the JavaScript that I dynamically added each of the Gigya user object's properties to the form that is being submitted to the highlighted URL. That is a special PingFederate endpoint that instructs it to start an SSO transaction.

Here's the magic: PingFederate can't make sense of the Gigya user data, so I used its SDK to create an adapter that converts it into something it can understand and will put into a SAML assertion. The code basically loops over the form parameters dynamically added to the request in the JavaScript and hands them back to PingFederate in code like this:

public class AuthenticationAdapter implements IdpAuthenticationAdapter
{
    ...

    public Map lookupAuthN(HttpServletRequest request, HttpServletResponse response, ...)
    {
        Enumeration e = request.getParameterNames();
        Map result = new HashMap<String, String>();
           
        while (e.hasMoreElements())
        {
            String name = (String)e.nextElement();
            String value = request.getParameter(name);
               
            result.put(name, value);
        }
           
        return result;
    }

    ...
}

(It's a good thing the Java code wasn't much harder than this. I was a Java programmer once, but I'm not anymore, and, boy, am I glad! The tools and the verbosity of the language are dreadful IMHO.)

The class also has code in it that creates a Gigya-specific configuration GUI in PingFederate that can be used to provide my adapter w/ config data (e.g., the secret key). Here's what it looks like:



After you've configured the adapter, you need to specify what attributes will be passed in from it to PingFederate. I decided to make almost all of Gigya's user attributes extended properties. In hind sight, they should have been core attributes, especially considering my while loop above.



This forms the connection between Gigya and PingFederate. After that, it can be used to create a federation connection. This is standard PingFederation stuff; no more magic at this point.

In my case, the SAML Response send from PingFederate to the partner used the Gigya user ID as the SAML subject. This would allow the SP to not only use the values in the token, but also use the Gigya API to publish events back to the user's social networks when they perform activities there.

The ability to use Gigya and PingFederate like this is very cool and gives you a federation Swiss army knife that you can use to carve up all sorts of new business opportunities. I know that this writeup leaves a lot out and that things might not be clear, so I may make a screencast showing this in a bit more detail. In the meantime, feel free to drop me a note if you have questions.

I've started to mess around w/ Gigya's service which abstracts away the different APIs of various identity providers (IdPs) and their protocols. The unified API is a lot simpler and doesn't require a Web application to be coded to all the various protocols (e.g., OpenID, OAuth, Faceboook Connect, etc.). On top of their API, they have created a plug-in that can be added to a Web page using a little JavaScript and allows an end user to pick an IdP that they'd like to login w/.

Things can get more sophisticated if needed. For instance, I was talking w/ David Brisebois on Twitter about the widget's default behavior of redirecting the user to a page w/ the information gleaned from the IdP tacked onto the query string. Brisebios didn't like this and would have preferred that the results be posted. This is a fair grievance IMO, and his dislike gave me the chance to kick the tires a bit. After a little JavaScript refresher (it's been years!), I came up w/ this little snipped that's based on the getting started example. I thought I'd pass it on in case it helps anyone besides me and Brisebios. The complete sample can be found in my stash, but the noteworthy part is how the onLoginEventHandler is wired up to the widget and used to create form elements dynamically like this:

function onLoad()
{         
    var conf = { APIKey: '...'};
     
    gigya.services.socialize.addEventHandlers(conf, {
      onLogin:onLoginEventHandler
    });

    gigya.services.socialize.showLoginUI(conf, {
        ...
    });     
}
   
function onLoginEventHandler(eventObj)
{
    for (var f in eventObj.user)
    {
      var el = document.createElement('input');
       
      el.type = 'hidden';
      el.name = f;
      el.value = eventObj.user[f];
      document.forms[0].appendChild(el);       
    }
     
    document.forms[0].submit();     
}

In the future, I may be blogging about other aspects of Gigya's services and show how they can be used in conjunction w/ ADFS, PingFederate, and other sorts of things that I'm always going on about on this blog. In the meantime, if you have questions on Gigya or anything else you read about on my blog, please don't hesitate to reach out to me.

The final day of the Cloud Identity Summit was great. I missed Andrew Nash and Chuck Mortimore unfortunately, but I did get a chance to hear John Shewchuk talk about what he and his colleagues at Microsoft think identity may look like in 2020. In his talk, he listed some requirements to achieve the sort of identity-related scenarios they are envisioning for the next 10 years. Here's a summary:

1. Support for rich identities
2. Existence of a multifaceted federated profiles
3. Flexible authentication that includes new factors (e.g., visual, voice, etc.)
   
4. Flexible access control

With these, we may see, Shewchuk said, things like TVs that can recognize that a family is watching and recommend shows that are appropriate and preferred by both the parents and the children. When the kids go to bed, the TV will see that they are gone, and suggest shows that include more mature content.

This sounds very exciting, but this sort of technology has a lot of other applications that are not as exciting to me. The possibility of marketers using this rich identity data and profile information to target our society with tailored messages could radically alter our culture. Me and my colleague, Andy Phenix, talked about this in great depth on the way down the mountain. It was a thought provoking and stimulating conversation that was a great conclusion to the week-long identity dialogue.

Thanks to the sponsors, organizers, and, most of all, to the other attendees that made it such a wonderful time!

Day 2 of the Cloud Identity Summit kicked off w/ Ping Identity's CEO, Andre Durand, discussing the importance of identity and the need for us to come together as a community to discuss it in the context of cloud computing (similarly to what other thought leaders said at RSA). He handed it off to Gunnar Peterson who said that there are four fundamental technologies necessary to enable broad adoption of cloud computing:

• Security Token Services (STSs),
• Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs),
• Gateways, and
  
• Monitoring.

I totally agree that STSs are a core component of this new architecture. They will one day be on par w/ DNS, DHCP and other infrastructure services that enterprises need to operate. While this technology helps answer the first fundamental question of who you are, it doesn't address the question that we're actually interesting in knowing the answer to: what are you allowed to do? This is where the PEPs and PDPs come in, and I completely agree that these are critical to the adoption of cloud computing.

Eve Maler picked up on this theme in her talk on User Managed Access (UMA), a protocol for authorization that's being incubated by Kantara. In addition to birthing new standards, this organization, Pamela Dingle explained after Maler's talk, is also a Trust Framework Provider (TFP). This and similar organizations are essentially abstractions around IdPs. The US Government is defining profiles of certain protocols (e.g., Info Card, OpenID, etc.), and stipulating that TFPs must ensure that all IdPs that they vouch for conform to these profiles. (I imagine that attribute contracts are also specified, but I don't recall Dingle saying that.) The output of these TFPs is metadata which is analogous to a Certificate Revocation List (CRL) in PKI. Because the "CRL" can be traced from the TFPs back up to the US Government, RPs can pick and choose IdPs willy nilly knowing that they are all reputable and capable of asserting someone's identity.

This abstraction would have come in handy during Lee Hammond's talk that he did w/ Brian Kissel. In it, Hammond spoke about how his record label is using Janrain's Engage product (formerly RPX) to shield his Web apps from the assortment of protocols supported by the IdPs he relies on. Using Janrain's identity protocol mediation service, music fans are able to seamlessly login once to the Web sites of multiple musicians on his label. During his presentation, Hammond didn't want to give a live demo because Twitter was giving him a fail whale earlier in the day. If his protocol aggregator depended on the TFP instead of the actual IdP (Twitter in this case), it may actually (e.g., if Hammond configured it to do so), fail over to some other comparable IdP.

There were a lot of other great things discussed during the day. If you want to know more, drop me a line. Also, be sure to check back here tomorrow for the final report on what's happening in the cloud identity community. It's exciting stuff!

Today was the first day of the Cloud Identity Summit in Keystone, Colorado. The quality of the workshops and value of the interaction with other industry experts was only outdone by the breathtaking views of the mountains surrounding the conference hall. To give you a small idea of what it was like, here are some highlights from Gerry Gebel's workshop on XACML:

• Version 3 of the spec will probably be released by the end of this year.
• The new delegation model makes XACML especially pertinent to SaaS providers.
• Gerry and Doron Grinstein, the CEO of BiTKOO, did not know of any production installations that use a PEP from one vendor and a PDP from another.
• There's a new profile looming called the XACML Intellectual Control Profile (IPC) which is being shepherded through OASIS by Boeing.
• BiTKOO is on the verge of open sourcing a PDP and a PEP. (No details given.)
• Gerry didn't think the XACML technical committee was interested in defining the transport mechanism used by the different actors in the architecture, and everyone in the room seemed (from what I could sense) that the spec had limited value until they did.
• Patrick Harding, CTO of Ping Identity, thought that the standardization of the client-side API used in PEPs would help speed adoption as was the case w/ LDAP.

If you're interested in other things that were said, ask in a comment below or let me know. Be sure to keep an eye on my Twitter stream for more updates, and check back tomorrow for day two.