Federated Authorisation, my late thoughts

There has been a lot of talk over the past week on the topic of “Federated Authorisation”. This was instigated by James McGovern but then received responses from a number of people including Pat, Conor, Paul and Paul.

I have been reading with interest the comments that have been made and think the idea of integrating SAML with XACML is a very interesting one. As Pat said, this hasn’t been built in any commercial products yet but could be something for the open-source community (with the likes of OpenSSO) to take on.

I must admit that I haven’t had chance to read the entire thread of discussions but wanted to get my thoughts down before the topic moved on.

In particular I wanted to pick up on a comment that I first saw from Paul Squires (I think Conor made a similar comment as well). There have already been a number of issues flagged up with how you might get, effectively, an IdP to act as an authorisation point (latency, response etc. being just some of the issues). Personally, I don’t see this approach working, or wanting it to work. Would you really trust someone else to make authorisation decisions for resources that are under your control? The SAML model already gives the facility (in my eyes) to cope with this at the moment anyway. As Paul quite rightly points out, Roles provide a good mechanism to allow an IdP to assign “permissions” to users while allowing the SP to retain the actual control over their resources by stipulating what a particular Role is capable of doing. This is completely different to getting the IdP to say exactly what resources on an SP a user should get.

I can see more of an argument where the IdP is not the Policy Decision Point (PDP) and this is delegated to some third party that may specialise in holding extra information about a user. However, we have to be careful that we aren’t just talking about attribute querying instead of federated authorisation. If, for example, I wanted to ask the DVLA IdP (the DVLA issues driving licenses in the UK) if User A had a driving license, I am more likely to ask the question directly using the existing attribute query mechanisms supported by SAML than to ask “User A is trying to get to the car hire section of my website, should they be allowed?”.
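The split argued for above, as an added illustration that is not from the original post: the IdP asserts roles and facts about the user, and the SP keeps its own role-to-permission policy and makes the decision locally. The assertion, the role names and the permissions are constructed for the example, and signature validation of the assertion is assumed to have already happened.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from any real IdP). The IdP only states which
# roles the subject holds and one fact about them; it says nothing about what the
# subject may do on this SP. Signature validation is assumed to have happened already.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>usera@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>customer</saml:AttributeValue>
      <saml:AttributeValue>fleet-manager</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="hasDrivingLicence">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# SP-local policy (hypothetical): the SP, not the IdP, says what each role may do.
ROLE_PERMISSIONS = {
    "customer": {"view-catalogue", "hire-car"},
    "fleet-manager": {"view-catalogue", "manage-bookings"},
}
# Actions that additionally need a fact the IdP asserted (the attribute-query case).
ATTRIBUTE_REQUIREMENTS = {"hire-car": ("hasDrivingLicence", "true")}

def attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        result[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    return result

def is_permitted(assertion_xml, action):
    """Local PDP: union the permissions of the asserted roles, then apply any
    attribute requirement. Unknown roles grant nothing."""
    attrs = attributes(assertion_xml)
    granted = set()
    for role in attrs.get("Role", []):
        granted |= ROLE_PERMISSIONS.get(role, set())
    if action not in granted:
        return False
    name, value = ATTRIBUTE_REQUIREMENTS.get(action, (None, None))
    return name is None or attrs.get(name) == [value]
```

The IdP never sees the question "may User A hire a car?"; it only answers "does User A hold a licence?", and the SP combines that fact with its own policy.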

I will try and finish reading the entire thread and then I’m sure I will have more thoughts.

Great comment whilst on the train

I have been a fairly regular commuter to and from London over the past 4 months. On the train you can always tell the regular commuters. For the first 20 minutes of the journey from London Kings Cross, none of the regular travellers even attempt to use their phones as it is tunnel after tunnel and a constant roller coaster of a signal.

On the flip side to this, you can always tell the non-regular travellers by their “Hello, can you hear me” and “Sorry about that, we hit a tunnel……….Hello, can you hear me” (as the second tunnel appears).

However, I heard a great comment from a woman on the train on Friday. She was clearly trying to talk to a friend on the other end but had a bad signal (again, due to the tunnels). After nearly losing the call once, referring to the poor signal, she exclaimed:

“It must be your end, I’m not moving”.

Maybe she wasn’t moving in her seat, but doesn’t she think the 125 mph that the train was travelling at has any effect?

People never fail to amaze me!!

Birth of my Second Life

Having read the hype for the past few months I have decided to give Second Life a go. So, tonight, I have signed up for my Basic Account.

I will be sure to keep you posted on my thoughts over the coming weeks as I explore the world.

Anyone got any experiences, good or bad? Please share them!

As always, I’m really interested to know what people think.

Free Internet Security Suite

After getting home from a long week in London, I was catching up on the many blogs I follow (how do some people find the time to post so often?) and came across Dave Kearns’ newsletter (here) announcing that CyberDefender are now doing a free version of their fully fledged Internet Security Suite.

This couldn’t have come at a better time. As a frequent subscriber to the Norton suite, I am familiar with seeing the annual subscription renewal box popping up. As it happens, my subscription ran out last week so I have just taken Norton off and decided to have a look around to see what else was about. Up until I downloaded CyberDefender, I was running a combination of AVG Anti-Virus (free), Windows Defender beta (free) and Spybot (free, but offers donations).

Up until now I haven’t found a fully fledged suite that is free. I know that there is an argument for buying software you want, but as a great advocate of open-source, I like to always look for free alternatives where appropriate. As you can see from my links page, I use a number of open-source projects.

Anyway, this was just a quick post to say that I have installed CyberDefender. Upon initial scans it found a few dodgy registry entries and cookies that Windows Defender seems to have missed, and it is currently ticking away in the background quite happily. I haven’t quite got the confidence to uninstall AVG etc. yet, but give it a few days and (assuming no problems) I will.

Early observations are that I would recommend at least a look and see what you think for yourselves.

Google’s Amazing Story

For those of you who read my blog regularly, you will know that I am reading quite a lot of books at the moment. Having finished Identity Crisis a few weeks ago, I was browsing through a local bookshop when I came across The Google Story. Since I have not really followed the ins and outs of Google as a company since they started, I thought it would be an interesting read. So, as you would expect, I immediately put the book back on the shelf and went home to order it from Amazon (far cheaper).

I have just finished the book and can certainly say it was an eye opener. It’s amazing to think that when Google was started as a company by Larry and Sergey, they weren’t even concerned with how to make money. This came later when they actually needed some. To understand how they came to be the successful (and profitable) brand that they are today is an extremely interesting story.

I don’t want to give all the juicy details away so I suggest you go and read it for yourselves. It’s definitely worth it. Even if you know the history of the company, it’s worth getting just for the last chapter, which talks about where Google are heading with research into genetics.

Rating: Well worth it!

I know it’s a bit belated but I want to say a big


to my good friends and ex-colleagues Mel Holloway and Brent Thurrell who took up the reins as Director of Operations EMEA and Director of Sales EMEA (respectively) for VAAU on 1st January. Both Mel and Brent are very competent and enthusiastic professionals in the field of IAM and I’m sure they will do very well in their new roles, selling Roles 🙂

Well done to both of you. You both deserve it. I hope VAAU realise what great assets they now have working for them in EMEA.

Security works in the strangest of ways

The client that I am currently working for has just, this week, introduced new security barriers into the foyer. Since my contract with the client was due to finish at the end of December but was extended, my old pass has expired and I haven’t had chance to get a new one. Therefore, I have to sign in the visitors’ book every day and get issued a temporary pass.

Now, in my experience with any of these security barriers, temporary passes usually either just let you through and back out again, or you have to be let through by one of the security guards. However, my client has got an interesting approach.

The pass that they issue you will get you through the security barrier going in, but it is programmed not to let you back out again. Therefore, I can quite happily swipe myself in and walk unchallenged around the entire building, but when it comes to leaving, I have to be let out by one of the aforementioned guards.

When asked why this was I was told that each swipe card costs £5 and they didn’t want people walking off with them.

It’s certainly an interesting approach to minimising costs. I would have thought it would be easier just not to issue swipe cards at all. After all, they are only on the front barriers, not on any internal doors.

Good old British moan

I heard a comedian on TV last night say that the British only like two things; queuing and moaning. The only reason they like queuing is so that they can have a good moan about it!

Well, in the spirit of being British I would hate to let the side down so here is my first rant of the new year.


Since September I have been travelling from my home to London every week. This means getting the train on a Monday morning and returning on a Friday evening. For 3.5 months this worked fine. The train operator GNER sold just the ticket for me. It included a return ticket, two buffet vouchers and parking for 5 days. Sensible pricing by them, I thought. This ticket is designed for the business traveller and is even called the “Business Saver Standard Package”.

However, as the new year came so did the price rises. The rise itself doesn’t bother me. It was quite high but I can live with that. However, in their infinite wisdom, GNER have decided to change the package they offer. Now instead of giving me the sensible 5 days’ parking, they have reduced it to 3. Since the package is designed for the business traveller, what moron within GNER decided that the business person only goes anywhere for 3 days?

With my cynical hat on I would suggest that it is just a ploy for them to gain more revenue without directly putting a huge chunk of inflation on the base ticket price.

This now means that when I get back to the station on Friday, I have to go through the hassle of paying for the extra 2 days parking that I have used instead of just getting in my car and driving home to see my wife and kids.

I have informed GNER of my displeasure and hope they will come to their senses soon.


God, I feel better for that 🙂

“The future’s bright”……..new ISP

After a couple of years with Pipex I finally decided it was time to change ISP. Why, I hear you ask? Basically, I was paying too much for a 1MB line. Yes, believe it or not, I still only had a 1MB connection at home. For an IT professional I am fully ashamed of myself.

However, after looking around to find the best deal I finally plunged for Orange as my ISP. The package they were offering seems really good:

  • up to 8Mb/s download
  • Unlimited downloads
  • Free UK calls over the internet
  • all the usual email etc.

All for £19.99 per month.

One of the things that has always put me off switching before was the hassle, and also the thought of being without the Internet at home for even a day (sad, I know!). However, having decided to make the move, I warily phoned up Pipex to cancel and ask for my MAC code, fully expecting to be offered all sorts of deals to stay. “No problem, it will be with you between 5 and 7 days” said the lady at Pipex. “What, no pleading?” I thought. Apparently not! That was fairly painless.

After signing up on the Orange web site, I duly got my hardware through the post. Their broadband service comes with what they call a Livebox. They seem all the rage now from ISPs, with BT offering a similar “Home Hub”. Basically, this is a box that supports wireless and also allows me to plug a phone in for my free calls. I even get a local rate phone number so people can dial me on it. The main purpose of this box is to allow me to make internet calls without having to put my PC on (not that it’s off much these days).

I have now been with Orange for a couple of weeks. The transfer from Pipex to Orange was painless and resulted in no downtime at home. I can now get approx. 6Mb/s download as a constant stream, which isn’t bad considering I live in a village in the middle of nowhere.

The only gripe that I have with Orange is that they have decided that all outbound email you want to send MUST go through their SMTP server. Any address you try and telnet to on port 25 results in a response from Orange’s SMTP server. I have had limited success sending mails from my other external accounts using their servers. However, if that is the only limitation, I can live with that. There’s always webmail.
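A quick way to confirm the port 25 behaviour described above, added here and not part of the original post: connect to your own mail provider on port 25 and compare the hostname in the 220 greeting with the domain you expected to reach. A transparent proxy answers in its own name, so the banner gives it away. The hostnames, domains and banners used are placeholders and constructed samples.

```python
import socket

def smtp_banner(host, port=25, timeout=5):
    """Dial host:port and return the server's greeting line, or None on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(512)
    except OSError:
        return None
    if not data:
        return None
    return data.decode("ascii", errors="replace").splitlines()[0].strip()

def looks_intercepted(banner, expected_domain):
    """True when a 220 greeting names a host outside the domain we expected to reach.
    Non-220 replies and connection failures are reported as not intercepted, because
    they tell us nothing about who answered."""
    if not banner or not banner.startswith("220"):
        return False
    # Handle both "220 host ..." and the multi-line "220-host ..." form.
    rest = banner[3:].lstrip("- ").split()
    announced = rest[0].lower().rstrip(".") if rest else ""
    expected = expected_domain.lower().rstrip(".")
    return not (announced == expected or announced.endswith("." + expected))

def check_smtp_path(host, expected_domain):
    """Probe one host and report (banner, intercepted?)."""
    banner = smtp_banner(host)
    return banner, looks_intercepted(banner, expected_domain)

if __name__ == "__main__":
    # Placeholder hostname: replace with your own mail provider's MX and domain.
    print(check_smtp_path("mail.example.org", "example.org"))
```

If the greeting names your ISP's server rather than your provider's, outbound port 25 is being redirected; submission on port 587 with TLS is the usual way round it, if your provider offers it.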

Anyone in the UK who is looking for a change of ISP, I would highly recommend Orange.
