Many Pies

Tuesday, October 30, 2012

Federated identity - using Twitter to log into your intranet at work

Following up on my previous post, here's some stuff to help you get your head around Federated Identity. (The Wikipedia article I linked to in that post isn't that good. I wish I had a grasp of the concepts enough to improve it. The one on Identity Management needs even more work.) The video in this blog post, Federated Identity 101, is a good start.

Some questions that people might ask have come to mind as I've started thinking about this stuff. Here's the first:

Why can't I use Twitter to log into my intranet at work?

There are a few things preventing this from being possible. Although using existing logins makes life easier for the user, the people who provide the systems have justified concerns. (Jargon sidenote: authentication is checking you are who you say you are. Related is authorisation, which is checking what you're allowed to do. A service provider is a system you are trying to use.)

So if I'm a service provider running the intranet and the users are asking to use their Twitter account, here are my concerns:
  • I know that Fred Bloggs is an employee, but how do I know that @FredBloggs (who seems to be doing quite well making money at home) is the same person?
  • Even if I do verify that, how can I be sure that Fred Bloggs's Twitter password isn't easy to guess? If Twitter's password policy is weaker than our existing password policy, then it's like putting a big lock on the front door, and leaving a side window open. Judging by the number of people who have their Twitter accounts hacked, their password protection isn't that strong.
  • Even if Twitter's policies are good, say they remove your account after 6 months of inactivity and someone else signs up with the same username. Then the other FredBloggs can log into your intranet even though they aren't an employee.
These issues all revolve around identity assurance (apologies if you find italics patronising), and the last one in particular is about identity lifecycle.
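The three concerns above, written out as the checks a service provider could make at login. This is an added example, not code from the original post; the provider names, assurance levels, account ids and function names are all constructed for illustration, and it assumes the identity provider supplies a stable account id alongside the username.

```python
from dataclasses import dataclass

# Hypothetical assurance levels the intranet assigns to each identity provider
# (constructed values; a real deployment would take these from its own policy).
IDP_ASSURANCE = {"corp-sso": 3, "twitter": 1}
REQUIRED_ASSURANCE = 2

@dataclass(frozen=True)
class Assertion:
    """What the identity provider tells us after the user logs in there."""
    issuer: str      # which identity provider vouched for the user
    subject_id: str  # stable account id, assumed never reassigned
    username: str    # display handle; may change or be recycled

# Links created only after the employer has verified that the employee controls
# the external account. Keyed on (issuer, subject_id), never on the handle.
LINKS = {("twitter", "1001"): "fred.bloggs", ("corp-sso", "e-42"): "fred.bloggs"}

def authenticate(a: Assertion, required: int = REQUIRED_ASSURANCE):
    """Return (employee, reason); employee is None when login is refused."""
    employee = LINKS.get((a.issuer, a.subject_id))
    if employee is None:
        # Covers both an unverified @FredBloggs and a recycled username.
        return None, "no verified link for this account"
    if IDP_ASSURANCE.get(a.issuer, 0) < required:
        # The provider's password policy is weaker than ours.
        return None, "identity provider assurance too low"
    return employee, "ok"

def naive_authenticate(a: Assertion):
    """The flawed approach: trust whoever currently holds the handle."""
    by_handle = {"FredBloggs": "fred.bloggs"}
    return by_handle.get(a.username)
```

An account that re-registers the FredBloggs handle arrives with a different `subject_id`, so `authenticate` refuses it while `naive_authenticate` lets it in.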

From time to time I think of this Dilbert cartoon when it comes to the latest Big New Thing, whether it be SOA, Cloud or Federated Identity.


So when your equivalent of the pointy-haired boss comes up to you and says "I think we should build a Federated Identity system", you could ask him what colour he wants it, or ask him about identity assurance.

Edit: Here's the cartoon that Giddie mentioned below:

Wednesday, October 17, 2012

Why analysing a hung SQLServer database helps Bible Translation

Our Executive Director sometimes tweets something like "Today I am helping the task of Bible Translation by writing papers for the board". (I can't find a recent example to embed.)

I just tweeted
Actually, I'm not doing that, but I'll tell you why at the end.

I thought I'd bridge the gap between the two parts of the sentence.

  • The SQLServer database hung while I was adding a new linked database.
  • The linked database connects to our worldwide personnel database.
  • (Although we're an autonomous UK charity, we work in partnership with many other organisations, many of whom are also called Wycliffe. We send people to many of those other organisations, so we need a common personnel database.)
  • If you're working on Bible Translation then it's good to know who's working for you so you can look after them.
There are other links too:
  • The SQLServer has our Raiser's Edge database on it. That's the system we use to keep track of donations and mailings.
  • We send mailings to our supporters so they can hear about what's going on and pray for us.
  • We need to keep track of who gave us money, so we can thank them and Gift Aid (where appropriate) their donations.
  • We need to keep track of where the money's going to, so that it goes to the right place and so that we can keep to the legal principle that you have to give the money for the purpose for which it was given.
  • Money pays for translators' salaries, amongst other things, so the translation can happen.
If the database keeps on hanging then that stuff can't happen, so I need to find out why.

Actually, I'm not finding out why it hung, I'm writing a blog post about it. That's because one of the unstated (until now) reasons I write this blog is so that IT people can see how they can use their skills in Bible Translation!

Tuesday, October 16, 2012

Ada Lovelace day - Aleks Krotoski

As today is Ada Lovelace day I'm responding to the request on the Finding Ada website to "Write about a woman in science, technology, engineering or maths whose achievements you admire".

I've chosen Aleks Krotoski. She's just good at so many things:

  • She's an academic. She's got a PhD and when she writes about things it's pretty well researched and not just a blogger's opinion.
  • She's good at broadcasting, including the BBC's Virtual Revolution programme, Radio 4's The Digital Human and the Guardian Tech weekly podcast. As those are group efforts I don't know how much she is involved in the compilation of these programmes, but if the stuff she's written with her...
  • ...journalistic skills in the Untangling the Web column is anything to go by, a lot of it is her work. As the research is done in plain view on her blog it's interesting to see what's gone into making up the final words.
Any one of these would be admirable, but to have all three in one person is more so.

Friday, October 05, 2012

Federated Identity and Identity Assurance - why you should care

Yesterday I read a blog entry from the UK Government Digital Service about Identity Assurance.
We’re helping develop a secure service that lets people log in to online government services more easily.
They link to this article by the Telegraph which describes it well (apart from the headline).

I've blogged before about the Polder Consortium where we're thinking about such things. Identity Assurance is part of Federated Identity. If you're in IT then I expect you're going to get friends and family asking you if it's OK to use your Facebook login to access government services. (I suspect a Facebook login may not reach the required standard of assurance.) I'm personally encouraged by the fact that they are consulting with people who worry about privacy.

I think, though, that if you're in IT it's worth understanding about federated identity, authentication, authorisation and assurance levels so at least you can have an informed opinion. (I'll point to a document that's soon going to become available when it does.)

In other news, as they say, the Polder Consortium has released some new standards, recommendations and notes, either because they've gone to Proposed state or because we've decided that some drafts are worth making public.