Optimal IdM wins best of Tech Ed for Cloud Products

Posted on June 6, 2013 | Leave a comment

Great news, our VIS for Office 365 product won the Windows IT Pro Best of Tech Ed award.

It really is a great product. The key is that it dramatically simplifies Office 365 adoption for customers with complex multi-forest AD environments.

→ Leave a comment

Posted in Authentication, Cloud computing, Microsoft

Tagged , , ,

HTTP PUT vs LDAP Modify

Posted on April 26, 2013 | Leave a comment

The StormPath blog has an interesting article exploring HTTP PUT vs POST in REST based APIs for managing identity information. The article is interesting and worth reading, but misses the bigger picture. It points out that both HTTP PUT and POST can be used for sending updates in a REST API, but the HTTP spec mandates the HTTP PUT be idempotent. The idempotent requirement dictates that for an HTTP PUT, all values must be sent on the request, not just the ones being modified by the client.

Now I am sure idempotent PUT operations are important to people that design ways to update html documents. But I’m not in that business and neither are you. I am in the business of designing and enabling distributed identity systems, and in that business you never send a modification request that passes data you don’t need to modify. Simply put, you have to assume multiple concurrent updates to the backend data.

Put another way the article could simply have said “Never use HTTP PUT for data modification”. And herein lies the most important lesson of REST APIs: the REST mechanism is the means by which to build distributed systems, not an end to itself. The fact that you are using REST does not obviate the principals of basic distributed system design.

Oh, but it gets worse. Assuming your data model is attribute-value based, some of those attributes are going to be multi-valued attributes. Just as a client should only transmit the attributes that are modified, it should also only transmit the value modifications for multi-valued attributes.

That’s why LDAP Modify works as it does. One common mistake developers make using LDAP is not doing proper multi-valued attribute updates. Likewise your REST API will not only need to support partial record updates but partials attribute value updates.

→ Leave a comment

Posted in Identity, Identity Management, LDAP, Programming, SOA, SOAP

Tagged , , , , ,

Tell us how you really feel…

Posted on March 28, 2013 | Leave a comment

Okta has some choice words about ADFS in this recent post. I always felt that if you can’t say anything nice… don’t blog about it.

Jackson Shaw points out that the operative four letter word is FREE.

Claiming your product is better than a free product is a losing argument. A better approach is to make a product that co-exists with, and extends, a free product.

That’s where VIS and VIS Fedaration come in. ADFS is a great tool for a lot of enterprises. But for some enterprises it needs a little help. The OptimalIdM products work side by side with ADFS and AD and extend their capabilities.

[Full disclosure: I am an employee of OptimalIdM]

→ Leave a comment

Posted in Cloud computing, Identity, OptimalIdM, SAML

Tagged , , , ,

Who watches the watchers?

Posted on January 25, 2013 | Leave a comment

From the Orlando Sentinal is this report about police abusing the FL DMV database. The is more about it at the Reason blog.

Government databases will always be abused. That’s the nature of man and there is no use fighting it. Which is why massive government databases should not be created to begin with, unless there is no alternative.

→ Leave a comment

Posted in Freedom, Privacy, Security

Tagged , ,

Next war on passwords

Posted on January 24, 2013 | Leave a comment

Google is the latest vendor to try to slay the password beast. I wish them the best, I really do. But password authentication hasn’t been the defacto security for this long without a reason.

Still, if any vendor has a shot it’s Google.

→ Leave a comment

Posted in Identity, Password Management, Security

Tagged , , ,

Exactly how big is a kg?

Posted on January 8, 2013 | Leave a comment

Standards fascinate me. One of the most problematic standard in use almost universally today is the kilogram (kg). The problem is that no one really knows exactly how much mass a kilogram actually has. By extension that means that no one knows how heavy a pound is either since the US government defines it in relationship to the SI kg unit.

Originally the metric system was supposed to be defined in terms of “natural laws” that the common man could measure for himself. The kg was originally defined as a cubic decimeter of water under certain conditions. This is probably what you were taught in school, one of many metric misconceptions (see why everything you know about the metric system is wrong).

But that approach was jettisoned as impractical due to variations in water density, temperature, etc. In 1889 the standard became defined by a set of “physical prototypes” that were manufactured and distributed to major countries. So what was a standard based on “natural laws” became based on an arbitrary hunk of platinum and iridium.

Only that has not worked either (at least not to the number of significant digits desired). The problem is that the different physical prototypes are changing mass by a small but measurable amount. So today there is effectively no precise consistent definition of a kilogram, and thus by extension the pound.

The plan going forwards is to define the kg in terms of basic physical properties, similar to what has been done with the meter and the second. But for now, kg is only an estimate for given levels of precision.

→ Leave a comment

Posted in Science, Skeptic, Standards

Tagged , ,

OAuth 2.0 and authentication

Posted on January 4, 2013 | Leave a comment

Vittorio Bettocci from Microsoft has a great write up of OAuth 2.0 and how it relates to  authentication protocols (but is not one itself). You can read it here.

→ Leave a comment

Posted in Authentication, OpenID, Standards

Tagged , ,