Truth in SOA

It looks like Microsoft has released their long-awaited Active Directory Federation Services v2.0 ('ADFS v2.0') component for Active Directory.

Simultaneously with this release, Microsoft is pushing the concept of "claims based identity" as the new thought "superstructure" that according to Microsoft, is a seminal event in the history of thought for identity management.

Here is my favorite quote from Microsoft's book "A Guide to Claims-based identity management".

"The claims-based model embraces and subsumes the capabilities
of all the systems that have existed to date, but it also allows
many new things to be accomplished."

I must say this is quite a claim.

Let's step back and take a look at what ADFSv2 is actually doing on the wire, which is where the truth ultimately lies.

The model proposed by Microsoft equivalent to the assertion model of identity. In all cases, whether it is a web service, web site or SaaS application, the user authenticates himself or herself to ADFSv2 for a specific application and then receives a SAML assertion for that specific application which they then take to the target application in a browser or "smart client" (web service).

Microsoft is trying to elevate it's technology to greater philosophical importance by using the word "claim" in place of "attribute" or "role" or "property" of a user. This makes for some good marketing, but the SAML assertion that comes from ADFSv2 will have very specific attributes in it targeted for very specific target application. This is an important point because it means you can't simply take the SAML assertion and "federate it" anywhere as it will have "claims" (e.g. attributes) designed for a specific application, some of which might be quite sensitive.

For instance, a claim for an expense reporting application might have an employee's cost center as an attribute in the SAML assertion. This is great for federating the assertion to the expense reporting application, but not so great when federating the assertion to other applications, such as a partner website.

I looked around for a sample SAML assertion generated by ADFSv2 with some sample claims to dig in to the details, but they are hard to come by. I wonder why...

Notwithstanding my criticism, the model is a good one because moves the authentication and authorization logic further away from applications and into a centralized, trusted assertion. This is a step in the right direction and follows the trend of security decoupling that has proven to be useful for other technologies such as SSL and web services security in the past.

To conclude this post, I am leaving two unanswered thought provoking questions:

#1: What is the difference between a claim and an attribute? (Credit for the seed of this idea goes to Dr. Babak Sadighi of Axiomatics during a conversation we had at the recent Kuppinger show)

#2: Is there a need for "claims filtering/protection" - e.g. on-the-wire gateway functionality that can obfuscate, encrypt or delete sensitive claims in ADFSv2 issued SAML assertions when these assertions leave the Enterprise perimeter?

A colleague forwarded me this link from Lustratus Research. Incredibly, the analyst makes the following claim:

"I say “appliances” in inverted commas because Intel’s product is wonderfully described as a software “appliance”. Surely the award for the most spin in a product category goes to Intel."

I was a bit taken aback by this. I hope the analyst was being provocative on purpose. I wrote the following reply (which was subsequently deleted), as a clarification:

"Hello There – It seems that this is a very provocative report, especially with respect to the statements made regarding the Intel product.
First, off I have to say that I am from Intel, so as you must, please take my comment with a grain of salt.

I hope, however, that the analyst does not confuse and equivocate a nuanced product available in multiple form factors for different usage models with “marketing spin.” The facts speak differently in this case.

In fact, the Intel(R) SOA Expressway product (like some of its competitors) is available in three form factors (hardware, software and virtual image) – each of which can be properly called an appliance.

“Appliance” here does not necessarily reflect a strict category of hardware only, but instead set of management and monitoring capabilities such as a real-time dashboard, self-healing capabilities, alarms, alerts, management clustering, and high availability with a familiar web-based interface and easy management.

It is these capabilities that primarily characterize a software appliance. In this case we can think of a hardware appliance and then subtract out the physical security features. It is only natural that we can take this same form factor and package it for a virtual machine and we will arrive a similar form factor designed for a virtual private cloud. Incidentally, this is something especially difficult for a product only available as a pure hardware appliance.

Finally, because the Intel product relies primarily on a software layer that performs machine language processing of XML, the addition of hardware adds only physical security prowess, and is not a necessary form factor for a high performance deployment. All in all, the product is truly available in all three form factors – no spin required. Perhaps some of these facts can “spin” the customer closer to the truth about this particular product.

Blake Dournaee"

Is truth denied? I just wanted to make sure that our customers know that our appliance form factors (software, hardware and vm) are not elements of spin!

Blake