Win2K3 R2 TechNet with Michael Murphy, Dig It?
March 1, 2006
Point of fact, no.
Yesterday I attended a Microsoft TechNet event with Michael Murphy. My interest in this specific TechNet was to learn what I could about Microsoft’s federated identity management plans.
The good news is that Active Directory Federation Services (ADFS) is now released. This package implements the WS-Federation standard for federated single sign-on (SSO).
To Murphy’s credit he started the federated discussion with what I think is the perfect analogy, the driver’s license. I’ll talk more about that at a later point, but I loved his quote: “Where is my driver’s license for the Internet?”
It was when he started to be asked questions about their solution that his shallow knowledge and inexperience in this field became readily apparent. A gentleman asked the question, “How does this relate to the Liberty Alliance?” Murphy was not at all familiar with “Liberty” and basically dismissed the question. Unfortunately this would be like someone presenting about SQL Server and not being familiar with MySQL…
Anyway, another participant tried to get at what might allow LA and ADFS to interact. He asked: “Is this product SAML compliant?” Murphy said he’d never heard of SAML, and to him it sounded “like a camel named Sam.” Obviously this response was not useful to anyone…
At this point I piped up and asked about how ADFS exchanged authorization information with the service provider; the question was something like “how does it assert authorization and attribute information?” Murphy said it doesn’t. Unfortunately I knew this had to be untrue…
ADFS could not possibly be ONLY about authentication and completely ignore the authorization issue. I re-framed my question, saying that attributes and authorizations were key to identity. He said they were not; this system addressed the authentication issue and attribute information was never communicated. Fear of sounding more like a dink led me to give up at this point…
I should have asked “What good is your driver’s license without attributes for your age, sight restriction, etc.?” Maybe he would have “got it” then…
Moving on, Murphy demo’d how the interaction would occur using some virtual servers he had. The interface for managing and setting up these federated connections seemed pretty easy and intuitive.
When Murphy logged into the service provider interface in the demo, I immediately noticed that the newly created account already had a bunch of attributes. Most notably, a $500 spending limit.
I had to ask: “How does the service provider know this newly created user has a $500 spending limit?” Murphy stumbled with this, but threw out a blatantly off-the-cuff and incorrect response.
At this point a guy behind me asked “Can you scroll down?” This was it: clearly my fears of a half-implemented federated system were really just due to a poor presenter. A pile of attributes, including custom-defined ones such as title, was being listed in a textarea as the things being passed.
So anyway, ADFS has potential, but we’ll have to try it out for ourselves.
Stuff that intrigued me from other sections of the event:
Can we run Active Directory Application Mode (ADAM) centrally to manage our authorizations for all web-based applications? ‘Cause this would rock.
Windows Server Update Services (WSUS) could be useful for PSU…
Distributed File System (DFS) and the Branch Office Management seem partially implemented, not well thought out, and overall garbage.
The Cygwin replacement, or is there more to it?
Finally, did Michael Murphy learn his presentation style from Billy Mays?
Summit 2006 Presentation Proposals
October 3, 2005
I finally put together all my material to submit proposals for Summit presentations. I looked back at what we’ve been doing in the portal this year and the following is what I came up with. Overall it’s been a busy year; I was surprised to come up with as many as I did.
My Title: Portal Administrator and Senior Web Developer
My Bio
Zach Tirrell is from Plymouth State University in northern New Hampshire. Zach is both portal administrator and senior web developer for the institution. The main areas of his concentration revolve around integrating systems and identity management; Luminis has become a perfect enabler of this. He is often looking to get just a bit more out of Luminis than what is delivered.
Collecting Stats in Luminis
By leveraging the underlying uPortal infrastructure, learn how to take advantage of RDBMSStatsRecorder to generate detailed numbers on who is logging in, logging out, how often, and by role. You can then use these numbers to better understand how effective your portal strategy is. Tracking user adoption and growth over time becomes essential to decision making about the portal.
This presentation is for technical audiences.
YaleCAS in Luminis
One of the most common WebISO solutions is the Central Authentication Service developed by Yale (YaleCAS). In Luminis III.2 CAS became available as an installable module. Learn how to get YaleCAS installed, configured, and where it might fit in your organization. See how Plymouth State University has leveraged the phpCAS libraries to CAS’ify all their internally developed PHP web applications as well as a few third-party ones. What’s best, it only takes a couple lines of code!
This presentation is for technical audiences.
Luminis and Identity Management
While deploying Luminis, or maybe immediately after, lots of questions arise related to identity management. Are you using a central authentication point like LDAP or Active Directory? How do technologies like CPIP or YaleCAS fit into your authentication scheme? What applications should and can use SSO? Are you centrally managing authorization? Is Shibboleth something you should be thinking about? How is your password policy? What’s your level of assurance on accounts you have assigned? All these questions and more will be discussed. Come prepared for lots of crowd participation.
LDI Implementation Tips and Tricks
Plymouth State University is starting to reap the rewards of its integrated campus portal strategy. PSU started its Banner migration in 2001, deployed Campus Platform 3 with its legacy SIS in 2002, publicly deployed Banner in 2003, and in 2004 with the migration to Luminis and implementation of LDI for eLearning, has finally reached “critical mass.” Luminis provides the infrastructure and LDI provides the glue that connects Banner, WebCT, the library, and other services. The presentation details Plymouth State University’s implementation and discusses the problems and solutions we faced along the way, with an emphasis on LDI and Luminis. Plymouth State has used this technology to realize the benefits of a unified digital campus.
This is a repeat from last year.
Implement and Deploy Banner Channels
Banner 7 comes with a huge pile of exciting new channels. These channels greatly leverage the relationship between Luminis and Banner; however, implementation is complicated and deployment even more so. Banner channels are fantastic, but they need to be rolled out carefully. Plymouth State University has already run this gauntlet; come hear some of the concerns and pitfalls so you can avoid them yourself.
