Linux in Government: Understanding Federated Identity Management
Back when Scott McNealy and Steve Ballmer took to a stage and began jumping around like a couple of square dancers headed out to the barn, I couldn't for the life of me figure out what they were so happy about. I guess it just goes to show that they had some secret they thought was gonna make them even richer. They even put a hex on the next hockey season with all their fan-dangling around holding up Detroit Pistons jerseys and all.
I didn't understand what was so important. So when Steve stood up and said he was giving Mr. McNealy $700 million to resolve pending antitrust issues and $900 million to resolve patent issues and then smiled, well, more than a few heads turned that day. In addition, Sun and Microsoft agreed to pay royalties for use of each other's technology, with Microsoft making an up-front payment of $350 million and Sun making payments when Microsoft's technology was incorporated into its server products.
Back then, most of us did not realize that technology was the important issue of that day. Sun had a fairly substantial lead on everyone except IBM in large-scale computing environments for managing user identities, authentication and authorization. In fact, Sun's federated identity management products ran about even with IBM's Tivoli in every category that mattered. Meanwhile, Microsoft needed a partner to catch IBM.
Another thing comes to mind now that Sun has sworn off the Linux desktop. Microsoft wants into the big metal game, something IBM has refused to permit. With Microsoft paying off IBM for attempting to cut off its "air supply", our friends from Redmond just might wind up on big Sun iron while giving IBM a fat raspberry.
As a result of Sun and Microsoft's agreement, their engineers began to cooperate on identity information. That originally sounded like Linux would get to log on to Active Directory. In fact, it meant that Active Directory and Java System Identity Server would work together. Most people including the press thought Sun's ability to log on to Active Directory looked like the big win. Today, we realize that Microsoft needed Sun, not the other way around.
Actually, we should be asking how important FIM is. It's the linchpin of digital convergence and probably one of the most important technologies of the modern era. Soon, we will begin to swim in digital television, multifunctional phones, devices of all kinds, and at the core of making all these things work together with our computer networks and the Internet lies identity management. At the core of identity management lies federation.
People use FIM to refer to a system that allows individuals to use the same user name, password or other personal identification to sign on to the networks of more than one enterprise in order to conduct transactions. You might see it referred to as single sign-on (SSO).
Partners in a federated identity management (FIM) system depend on one another to authenticate their respective users and vouch for their access and privileges to services. Each partner involved relies on the other for verification. The partners comprise a circle of trust.
For example, a federated system allows a company such as AT&T to build a service where dozens of third-party suppliers come together for one-service offering. I use AT&T's voice over IP service myself. As it turns out, nearly every service on the system comes from a third-party, including billing, activation and management of the VoIP telephone adapter, voice-mail, call filtering, e-mail, caller ID, three-way calling, call forwarding, fax and modem support, call waiting and so on.
Without AT&T's federated identity management system, each service provider would require you to have a separate ID and password. A company will have to trust its partners to vouch for their own users. Each partner must rely on the other partner to say, "This user is okay; let them access this application."
Standards do exist, and that's the problem: there are several of them. It's such a problem that President Bush had to issue a directive called Homeland Security Presidential Directive 12 (HSPD-12). That directive morphed into Federal Information Processing Standard 201 (FIPS 201). According to Mary Dixon, deputy director of the Defense Manpower Data Center, quoted in Government Computer News:
A big issue for us is interoperability between vendor cards. We also have to figure out how to make sure everyone we hire goes through the National Agency Check. That is a big challenge for everyone.
Standards allow companies to share applications without needing to adopt the same technologies for directory services, security and authentication. Within a company, directory services have permitted companies to recognize their users through a single identity. Asking other organizations to match technologies or maintain user accounts for their partners' employees creates chaos.
A struggle exists to get everyone on board. The following standards-making bodies are each attempting to emerge as the final candidate.
OASIS and SAML
We can begin with the Security Assertion Markup Language (SAML). The Organization for the Advancement of Structured Information Standards (OASIS) developed SAML as an XML-based specification. Now in its second version, SAML initially provided a common language for three kinds of assertions:
- Authentication assertions, which are declarations about a user's identity
- Attribute assertions containing particular details about a user
- Authorization decision assertions, which specify what the user is allowed to do on a particular site
SAML authorities, which are server-based applications, issue assertions. When an entity requests access to a resource, a SAML authority provides a digitally signed token that the entity can use for further requests without needing re-authentication.
Microsoft, IBM and WS-Fed
Microsoft and IBM published a joint white paper outlining a roadmap for a set of Web service security specs. WS-Security originally offered methods for attaching security tokens to messages. These tokens include identity tokens.
In my opinion, Microsoft often gets into a standards effort and creates havoc. It seems that monopolizing an area of technology remains the company's underlying purpose for getting involved. Microsoft's WS-Fed did not arise from participation in a standards-making body. You would have to consider WS-Fed a homegrown attempt to create a de facto standard, such as Microsoft's XML file formats for its Office productivity line.
A majority of industry partners initiated the Liberty Alliance. They provide three basic specs:
- Liberty Identity Federation Framework (ID-FF). ID-FF allows for single sign-on, account linkages, anonymity, affiliations and various options for metadata exchange.
- Liberty Identity Web Services Framework (ID-WSF). ID-WSF provides features for permission-based attribute sharing, identity service discovery, interaction service security profiles and identity services templates.
- Liberty Identity Services Interfaces Specifications (ID-SIS). ID-SIS provides for building interoperable services on ID-WSF. Such services could include an address list, contact book, calendar or applications with geo-location data. ID-SIS offers interoperability through the use of agreed-upon, context-dependent schemas.
These specifications can be used independently as well as in combination. IBM joined the Liberty Alliance, and synergy between SAML and Liberty exists for developing an accepted converged standard.