This is part 2 of the series of posts I am planning to write on Identity Management. If you wish, you can read Identity Management – Part 1 – The Basics, which gives a brief introduction to identity management. A major part of identity management is simplifying how users log into systems, and thus how to achieve single sign-on (SSO) on the web. Within a single enterprise it is generally easy to achieve single sign-on, as there is only one identity provider. When you want single sign-on across multiple organizations it gets complicated. In this post we go through "What is federation and federated identity?" and "What are the various ways by which we achieve SSO?"
In the previous post we discussed identity as an entity which uniquely identifies an object or user. This identity is generally valid and trusted only within a domain, just like how your company ID card or college ID card is valid only within your workplace or school.
So, when a system assembles an identity from information collected from one or more security domains, and that identity is used across security domains, the assembled identity is a federated identity. The ultimate goal of identity federation is to enable users of one domain to securely and seamlessly access data or systems of another domain, without the need for completely redundant user administration. The setup and standards which enable federated identity are called federation. Several federation scenarios are of significance: cross-domain authentication (web-based single sign-on), cross-domain user account provisioning (managing a user in your domain based on a federated identity), and cross-domain user entitlement and attribute management. We will take a quick look at the ways by which we can achieve web-based single sign-on:
SAML
OpenID protocol
What is SAML?
SAML stands for Security Assertion Markup Language. It is an XML-based standard for exchanging authentication and authorization data between two security domains. SAML defines assertions, protocols, bindings and profiles. Assertions are the core payload of a SAML response: statements by the identity provider about a subject (that it was authenticated, when and by what means, plus attributes and authorization decisions), normally signed by that provider. SAML protocols define the request and response messages by which the service consumer (service provider) and the identity provider communicate. SAML bindings map those protocol messages onto transport mechanisms such as SOAP or HTTP redirect and POST. A SAML profile describes how assertions, protocols and bindings combine to support a particular use case. Together these guidelines form an abstract framework, referred to as the SAML framework, rather than one concrete wire implementation.
SAML's Web SSO profile describes how to set up single sign-on using SAML assertions; we will go through it in the next part.
What is the OpenID protocol?
OpenID is an open, decentralized protocol for authenticating users, allowing a user to use a single identity across various services and domains. Unlike SAML's abstract framework, the OpenID protocol is a concrete specification that uses plain HTTP requests and responses, and it also defines what the user experience should be. In my personal opinion the OpenID protocol is the simplest protocol for single sign-on, but at the same time it is also restricted. We will see more about the OpenID protocol in subsequent posts.
One point to note is that in both cases the real authentication is left to the identity provider, which can use Active Directory, smart cards or biometrics to authenticate the user. These standards only define how the resulting identity is shared across two domains; hence there has to be a trust relationship between the identity provider, the consumer and the other systems which form the federation. In practice that trust is concrete: the consumer holds the identity provider's signing certificate (usually exchanged as metadata) and rejects any assertion it cannot verify as coming from that provider and as being meant for itself.
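As an added illustration (not code from this post), the following C# shows what the consumer side of that trust relationship looks like once a SAML assertion arrives: it pins the identity provider's signing certificate, verifies the signature, and then checks issuer, audience, validity window and replay before accepting the subject. The issuer and audience URLs, the sample assertion and the clock values are constructed for the demo; the demo passes no certificate, so the signature step is skipped there, which is exactly the step that must never be skipped in production.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not code from the original post: the checks a SAML 2.0 service provider
// (the consumer) applies before trusting an assertion. Issuer, audience and sample are constructed.
public sealed class SamlAssertionValidator
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    readonly string trustedIssuer;            // entityID of the IdP we federate with
    readonly string ourEntityId;              // our own entityID, expected in <Audience>
    readonly X509Certificate2 idpSigningCert; // pinned from the IdP's metadata: the trust relationship
    readonly TimeSpan clockSkew = TimeSpan.FromMinutes(3);
    readonly HashSet<string> seenIds = new HashSet<string>(); // replay cache (in-process for the demo)

    public SamlAssertionValidator(string trustedIssuer, string ourEntityId, X509Certificate2 idpSigningCert)
    {
        this.trustedIssuer = trustedIssuer;
        this.ourEntityId = ourEntityId;
        this.idpSigningCert = idpSigningCert;
    }

    // Returns the authenticated NameID, or throws with the reason the assertion was rejected.
    public string Validate(string assertionXml, DateTime nowUtc)
    {
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null }; // no DTD/entity fetches
        doc.LoadXml(assertionXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsigNs);

        XmlElement assertion = doc.DocumentElement;
        if (assertion.LocalName != "Assertion" || assertion.NamespaceURI != SamlNs)
            throw new InvalidOperationException("not a SAML 2.0 Assertion");
        string id = assertion.GetAttribute("ID");

        // 1. Signature: the only evidence the assertion was minted by the IdP. Skipped here only
        //    because the demo passes no certificate; in production this step is mandatory.
        if (idpSigningCert != null)
        {
            var sig = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
            if (sig == null) throw new InvalidOperationException("assertion is not signed");
            var signedXml = new SignedXml(doc);
            signedXml.LoadXml(sig);
            // verifySignatureOnly = true: trust comes from the pinned certificate, not chain building
            if (!signedXml.CheckSignature(idpSigningCert, true))
                throw new InvalidOperationException("signature does not verify with the trusted IdP certificate");
            // Signature-wrapping guard: the one signed reference must be this very assertion element.
            if (signedXml.SignedInfo.References.Count != 1
                || ((Reference)signedXml.SignedInfo.References[0]).Uri != "#" + id)
                throw new InvalidOperationException("signature does not cover the assertion");
        }

        // 2. Issuer must be the IdP we have the trust relationship with.
        string issuer = Text(assertion, "saml:Issuer", ns);
        if (issuer != trustedIssuer)
            throw new InvalidOperationException("untrusted issuer: " + issuer);

        // 3. Audience: an assertion issued for another service provider is not ours to accept.
        string audience = Text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience", ns);
        if (audience != ourEntityId)
            throw new InvalidOperationException("issued for a different audience: " + audience);

        // 4. Validity window, allowing a little clock skew between IdP and SP.
        var conditions = (XmlElement)assertion.SelectSingleNode("saml:Conditions", ns);
        DateTime notBefore = XmlConvert.ToDateTime(conditions.GetAttribute("NotBefore"), XmlDateTimeSerializationMode.Utc);
        DateTime notOnOrAfter = XmlConvert.ToDateTime(conditions.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc);
        if (nowUtc + clockSkew < notBefore || nowUtc - clockSkew >= notOnOrAfter)
            throw new InvalidOperationException("assertion is outside its validity window");

        // 5. Replay: each assertion ID is consumed once; the cache need only outlive the window.
        if (id.Length == 0 || !seenIds.Add(id))
            throw new InvalidOperationException("assertion replayed or missing ID");

        return Text(assertion, "saml:Subject/saml:NameID", ns);
    }

    static string Text(XmlNode scope, string xpath, XmlNamespaceManager ns)
    {
        XmlNode n = scope.SelectSingleNode(xpath, ns);
        if (n == null) throw new InvalidOperationException("missing element: " + xpath);
        return n.InnerText.Trim();
    }

    public static void Main()
    {
        // Constructed, unsigned assertion for the demo; a real one carries a ds:Signature.
        string xml =
            "<saml:Assertion xmlns:saml=\"" + SamlNs + "\" ID=\"_demo-1\" Version=\"2.0\" IssueInstant=\"2009-10-01T10:00:00Z\">"
            + "<saml:Issuer>https://idp.example.org/metadata</saml:Issuer>"
            + "<saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>"
            + "<saml:Conditions NotBefore=\"2009-10-01T10:00:00Z\" NotOnOrAfter=\"2009-10-01T10:05:00Z\">"
            + "<saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>"
            + "</saml:Conditions></saml:Assertion>";

        var sp = new SamlAssertionValidator("https://idp.example.org/metadata", "https://sp.example.com/metadata", null);
        var now = new DateTime(2009, 10, 1, 10, 1, 0, DateTimeKind.Utc);
        Console.WriteLine("accepted subject: " + sp.Validate(xml, now));
        foreach (var attempt in new[] { xml, xml.Replace("_demo-1", "_demo-2") })
        {
            // second pass: the same ID again (replay), then a fresh ID presented ten minutes late (expired)
            try { sp.Validate(attempt, attempt == xml ? now : now.AddMinutes(10)); }
            catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
        }
    }
}
```

The code needs the System.Security.Cryptography.Xml assembly (System.Security.dll on the .NET Framework). The order of checks matters: verify the signature first, then confirm that the signed reference is the very assertion you are about to trust, because an attacker holding any validly signed assertion from the identity provider could otherwise wrap it around an unsigned one of their own making.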
In this series of posts I am going to document what I have learnt about identity management. This post answers the questions "What is identity?", "What is authentication?" and "What is single sign-on?"
Identity is a handle by which you identify someone. For example, your name is your identity; your photo can be your identity. In olden days, to get access to a place or to verify your identity there used to be a secret code word shared between the two parties, and you were let in once they confirmed that you knew the code word. Later, ID cards were introduced to prove your identity; an ID card generally carries your name and photo and is vouched for by someone. So, to verify your identity you get challenged to show your ID proof, which is signed by an issuing authority. This process of challenging you and verifying your ID is known as authentication.
In the virtual world it is more or less the same. You need to have an identity in the online world, and when services were not interconnected every service provider had its own identity management system. This resulted in you having multiple identities. Your Yahoo user name is an identity of you. Your MSN Passport is an identity of you. Your Google user name is an identity of you. All these systems created a separate identity in their respective system and shared a previously agreed secret, just like in the old days. So, to use the service you have to tell the service provider your identity and also the secret you shared before, so it can verify you. There are various ways in which user IDs and passwords are stored, which will be discussed in future posts. Having a separate ID and shared secret with every service provider led to a lot of confusion, as people had to remember their user names in every system.
So there came the principle of single sign-on (SSO). Single sign-on is a process by which you use your single identity across various services by entering your user ID and password only once. So, when you log into Gmail, you get signed into your Google account and can use the same account to access other services provided by Google. But SSO didn't solve all the problems. You cannot log into Yahoo Mail using your Google account. To address this kind of problem, on the web and at the enterprise level, came identity management systems. In the next part I will explain the OpenID protocol, how it addresses the SSO problem across various providers and helps you with one single identity.
Summary
What is Identity?
Identity is a handle or property by which you identify someone. In the real world your name is an identity used to identify you. Similarly, in the online world you have an ID, and your Google / Yahoo / MSN IDs are examples of your identity.
What is Authentication?
Authentication is the process by which your identity is verified and confirmed. It could be done with a shared secret or by flashing an ID card signed by an issuing authority.
What is Single Sign On (SSO)?
Single sign-on is a concept which allows you to access various systems by authenticating only once.
Today I ran across an issue and thought of documenting it over here. I was implementing a FileDependency-based caching scheme and wanted to verify the caching works well. Basic testing by changing the file impacted the application and, from a functionality perspective, everything looked good. But I wanted to verify the file is not being read for every request. I started by loading FileMon to see how frequently the file was being read. To my surprise, the file was being accessed on every request.
I thought there was something wrong with my implementation and tried to monitor an item for which we were already using file dependency caching; FileMon showed it was also accessed for every new request.
I added the "ASP.NET Applications \ Cache API Entries" and "ASP.NET Applications \ Cache API Turnover Rate" counters to the performance monitor, and it showed the entries being reset to 0 and spikes in the turnover rate, showing the cache was getting invalidated on every request.
To understand this further I enabled more logging, added a CacheItemRemovedCallback and logged the reason for which the cache item was removed.
I was expecting CacheItemRemovedReason.Expired, but the log showed the items were being deleted from the cache due to CacheItemRemovedReason.Removed. The trusty MSDN documentation says:
Removed - The item is removed from the cache by a Remove method call or by an Insert method call that specified the same key.
But in my case I am not doing an explicit Remove / Insert; I am just using Add. So I added further tracing information to log the stack trace. The stack trace had the below entries:
at System.Web.HttpRuntime.Dispose()
at System.Web.HttpRuntime.ReleaseResourcesAndUnloadAppDomain(Object)
That showed the application was for some reason recycling, so CacheItemRemovedCallback is getting called with Removed as the reason when the application restarts. To confirm this, I loaded the performance monitor (perfmon.exe) and added the "ASP.NET \ Application Restarts" counter. The counter kept increasing for every request, showing that an application restart was happening. So I enabled application start and application stop event logging by adding the below entry to the web.config. For more information check out the MSDN article.
This logged an application start event for every request but no application end event, which dashed my only hope of finding the reason for the application restart. But when looking at the event logs, for every application start event there was another entry logged by an in-house event source, informing about an event source registration. So I re-installed the component causing the event, and that stopped the application from recycling.
The application started to respond quickly, and the performance monitor's cache counters showed the cache being maintained.
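As an added example (not the code from this post or the application it describes), the following C# shows the instrumentation described above: a file-dependent cache entry added with Cache.Add and a CacheItemRemovedCallback that records the removal reason, capturing a stack trace when the reason is Removed. The key, file path and trace sink are assumed values.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Web;
using System.Web.Caching;

// Added example, not code from the original post: a file-dependent cache entry plus a
// CacheItemRemovedCallback that records why the entry left the cache. Key, path and
// the trace sink are assumed values.
public static class FileBackedCache
{
    // Returns the cached file contents, reading the file only on a cache miss.
    public static string GetOrLoad(string key, string path)
    {
        Cache cache = HttpRuntime.Cache;
        string cached = cache[key] as string;
        if (cached != null) return cached;

        string value = File.ReadAllText(path);
        // Add, not Insert: Add never replaces an existing entry under the same key; it returns the
        // object already stored (or null), so an Insert-induced "Removed" cannot originate here.
        object existing = cache.Add(
            key, value,
            new CacheDependency(path),          // evicted with reason DependencyChanged when the file changes
            Cache.NoAbsoluteExpiration, Cache.NoSlidingExpiration,
            CacheItemPriority.Default,
            OnRemoved);
        return (existing as string) ?? value;
    }

    // Invoked by the cache when the entry is evicted; the reason says who to blame.
    static void OnRemoved(string key, object value, CacheItemRemovedReason reason)
    {
        string why;
        switch (reason)
        {
            case CacheItemRemovedReason.DependencyChanged: why = "the file changed"; break;
            case CacheItemRemovedReason.Expired:           why = "the expiration passed"; break;
            case CacheItemRemovedReason.Underused:         why = "memory pressure"; break;
            default:                                       why = "a Remove/Insert call or the application shutting down"; break;
        }
        Trace.WriteLine(string.Format("cache entry '{0}' removed ({1}): {2}", key, reason, why));

        // Removed without any Remove/Insert of our own means the AppDomain is being unloaded;
        // the captured stack then passes through System.Web.HttpRuntime.Dispose, as in the post above.
        if (reason == CacheItemRemovedReason.Removed)
            Trace.WriteLine(new StackTrace(true).ToString());
    }
}
```

Read the trace output alongside the "ASP.NET Applications \ Cache API Entries" and "ASP.NET \ Application Restarts" counters: DependencyChanged means the file really changed, whereas Removed with a stack trace through HttpRuntime.Dispose means the AppDomain is being torn down, and the emptied cache is a symptom of the restart, not its cause.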
Hi folks, I have enabled RSS Cloud on my blog. For all those asking what RSS Cloud is, it is just another version of the real-time web. You can read all my posts in real time if your feed reader supports it.
Everyone in the tech industry knows very well about Microsoft's love for Yahoo. But if you look closely it's not love for Yahoo, but love for search share. And as long as you don't have quality results, people are not going to try. Yahoo does have better quality compared to Live (I don't even remember what they are calling it now) search, but there are multiple overlapping products.
So, what I feel is Microsoft should go after Twitter, which can dramatically improve its search results. Google's secret sauce for its search results is PageRank. PageRank uses the link structure to determine the weight of a given page. The higher the weight, the more important the page, and hence it appears nearer the top of the results.
PageRank relies on the uniquely democratic nature of the web by using its vast link structure as an indicator of an individual page’s value. In essence, Google interprets a link from page A to page B as a vote, by page A, for page B. But, Google looks at more than the sheer volume of votes, or links a page receives; it also analyzes the page that casts the vote. Votes cast by pages that are themselves "important" weigh more heavily and help to make other pages "important". – PageRank
Now, if we slightly modify the parameters used for determining PageRank and add some real-time web into it, we get TweetRank. A tweet with a link contains valuable information regarding the following:
Link
Tags / Keywords associated with a link
The user who recommended it.
And Twitter as a system has the below information:
Number of times the link is tweeted / re-tweeted uniquely by a given user (to be considered as inbound links, as in PageRank).
The authority of the user who recommended the link (based on followers; this is to be considered like the authority of a page that links to another page).
And all this, in real time, can provide valuable data for indexing the web. So, Microsoft, don't let this slip away if you really want to get some search share.
I was composing an email today at office and when I hit the send button, there came my favaorite (favorite) tool the spell checker. I just cannot imagine myself how it would be without this small usefull(useful) tool.
It all started when I was a small kid. During the times when we learned to write the the albhabets(alphabets) i always had a confusion between b/d/p. I used to struggle a lot to get that “B” right. Also, I am very famous for my bad figures. When doing the math , I will write a number in the flow, when I try to read is again, I will not be able to get easily get what number it is. Ahh the number 8 – it took me so much practise(practice) to get it right.
My teachers will go crazy looking at my spellings. It will be consistently inconsistent. Like in a paragraph if a word repeats itself, there would be different spelling in different places. And my most favaurite(favorite) is – sawpping (swapping) of “since” and “science”. In all my science exams, in the answer sheet top, I used to write since and in all places where I have to write since I would write science.
To overcome this, I used to practice words and now thanks to the spell checker, I am saved. I suspect two problems over here. One the speed at which my mind computes is not matching my speed of writing and mind, ignores to look for this minor details. Later after seeing the movie Tarae Zameen Par I came to know that this is a common Phonological disorder known as Dyslexia. (note: OMG I wrote one paragraph without spelling errors)
One thing to remember is, this is not something which cannot be fixed. With continious (continuous) practice this can easily be addressed. For all those who know my laziness, I just worked around it, by choosing this computer industry where I can always have my close buddy spell checker review everything I type.
So, I thank whole heartedly all my teachers from Akilandeswari Vidyalaya from where I did most of my schooling, my tution(tuition) teacher Kalyani mami for their constant support and encouragement which has helped me to be successful.
Double-checked locking (DCL) is a commonly used pattern, or anti-pattern, for lazily creating singleton objects in multi-threaded applications. It is called an anti-pattern because the naive implementation is broken: under the Java memory model of versions before Java 5, a thread could observe the singleton reference before the writes made by the object's constructor were visible. As of JDK 5 there is a new Java Memory Model (JSR 133) and thread specification, under which DCL is correct provided the instance field is declared volatile. With respect to .NET it is controversial: people suggest avoiding DCL in .NET, yet the .NET Framework itself relies on DCL when instantiating providers.
If you use Reflector and navigate to the Initialize method of the Membership / Roles class, you can see them using DCL.
So care must be taken while using the double-checked locking pattern: declare the instance field volatile so that the unlocked first read cannot observe a partially constructed object, and consider whether a static initializer, which the runtime already makes thread-safe, would do the job without any locking code of your own.
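An added example, not code from this post or from the .NET Framework, showing the double-checked locking idiom in C# written the safe way (volatile field, second check under the lock), the alternative that leaves the locking to the runtime's type initializer, and a small multi-threaded check that every thread receives the same instance. The class and provider names are assumed.

```csharp
using System;
using System.Threading;

// Added example, not code from the original post or from the .NET Framework: the
// double-checked locking idiom written the safe way, the runtime-initialised
// alternative, and a small race to show every thread sees one instance.
public sealed class ProviderRegistry
{
    // volatile gives the unlocked read acquire semantics and the write release semantics,
    // so a thread that sees a non-null reference also sees the fully constructed object.
    // Without it the ECMA CLI memory model permits the reference to become visible first;
    // the Microsoft CLR is stricter in practice, which is why unsafe-looking DCL often works.
    static volatile ProviderRegistry _instance;
    static readonly object _lock = new object();

    public static ProviderRegistry Instance
    {
        get
        {
            if (_instance == null)              // first check, no lock: the fast path after initialisation
            {
                lock (_lock)
                {
                    if (_instance == null)      // second check: another thread may have won the race
                        _instance = new ProviderRegistry();
                }
            }
            return _instance;
        }
    }

    public string ConfiguredProvider { get; private set; }

    ProviderRegistry()
    {
        // Expensive one-time initialisation would go here (e.g. reading providers from config).
        ConfiguredProvider = "SqlMembershipProvider"; // assumed value
    }
}

// Alternative with no locking code at all: the CLR runs a type initialiser exactly once,
// under its own lock, before the first access to a static member.
public sealed class ProviderRegistryLazyStatic
{
    public static readonly ProviderRegistryLazyStatic Instance = new ProviderRegistryLazyStatic();
    static ProviderRegistryLazyStatic() { } // explicit static ctor: initialise on first access, not earlier
    ProviderRegistryLazyStatic() { }
}

static class Demo
{
    // Races several threads at the property; returns true when they all get the same object.
    public static bool AllThreadsShareOneInstance(int threadCount)
    {
        var seen = new ProviderRegistry[threadCount];
        var threads = new Thread[threadCount];
        for (int i = 0; i < threadCount; i++)
        {
            int n = i;                          // copy the loop variable for the closure
            threads[i] = new Thread(() => { seen[n] = ProviderRegistry.Instance; });
            threads[i].Start();
        }
        foreach (Thread t in threads) t.Join();
        return Array.TrueForAll(seen, r => r != null && object.ReferenceEquals(r, seen[0]));
    }

    static void Main()
    {
        Console.WriteLine("all threads share one instance: " + AllThreadsShareOneInstance(8));
        Console.WriteLine("provider: " + ProviderRegistry.Instance.ConfiguredProvider);
    }
}
```

The race in Demo cannot prove absence of the reordering bug (it is a timing-dependent, platform-dependent failure), which is precisely why the guarantee has to come from volatile or from the type initializer rather than from a test that happens to pass.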
It's always sweet when you talk about friends, and it's always sweeter to remember your first friends. Yes, childhood friends. Days when we used to play merry-go-round and live in our own world with dolls, build castles using sand and chase the colorful butterflies, without the worries. Man, that's life.
So, this post is about my first friends: kids of my own age group with whom I used to play before even joining KG. There were three friends: Sudhakar, Vyshalya and Suresh. We were staying in the same neighbourhood, and their respective caretakers used to meet in the evening, and thus we became friends.
Time passed by and I never realized I had bid farewell to them. I lost touch with Sudhakar from 1st standard, Vyshalya in 5th std and Suresh way before UKG. But the world is small. Suresh and I met again in higher secondary, and thanks to the Internet we are still in touch.
Sudhakar I met in my higher secondary for a brief amount of time, and my mother reminded me how we used to play. I was not able to recognize him. I did not think to get his email ID at that time.
Vyshalya was my best pal in LKG. It seems my teacher complained to my parents that I spoke only with her in class and not with anyone else. My mom still makes fun of me with that. As we grew, the distance also grew, and she left my school in 5th std. I haven't heard about her after that.
Time has passed by. I may not even recognize them, but their names always remain with me and I can never forget those good old days. Thank you, guys.
Steve Jobs talks about three important things in his wonderful Stanford commencement speech.
Connecting the dots
Love and loss
Death
So I would like to share my experience, a.k.a. my experiments, with a few of his stories. I would also like to add one more important thing to this mix: learning from mistakes.
He beautifully says
you can’t connect the dots looking forward; you can only connect them looking backwards. So you have to trust that the dots will somehow connect in your future. You have to trust in something — your gut, destiny, life, karma, whatever. This approach has never let me down, and it has made all the difference in my life.
And the reason the dots really get connected is what he mentions in his second story:
You’ve got to find what you love. And that is as true for your work as it is for your lovers. Your work is going to fill a large part of your life, and the only way to be truly satisfied is to do what you believe is great work. And the only way to do great work is to love what you do. If you haven’t found it yet, keep looking. Don’t settle. As with all matters of the heart, you’ll know when you find it. And, like any great relationship, it just gets better and better as the years roll on. So keep looking until you find it. Don’t settle.
I consider myself successful (many may disagree). Mine may not be a great comeback, but everyone has the right to believe theirs is one of their greatest comebacks. So, back to my story. I was doing pretty well at my studies till my 10th. Then in my higher secondary I lost miserably. I was able to score just 80%, with which I was not even eligible for an engineering college. But I was passionate about computers. I was deeply involved in programming. So my Dad made a gamble, believed in me and got me a seat in a good professional college. In college I did above average. After three years of college, it all came down to what I had been expecting for the last three years: campus interviews.
The first one to visit our campus was a big consultancy with more than a lakh employee strength. I was rejected in HR as I did not answer questions other than programming properly (it was something related to differentiation and integration). I did not bother and held my belief that this may not be the right place for me. The second one was another MNC with nearly a 50K employee base. I did great in the technical round, but I was not able to do well in HR, where I was given a stress test.
So the LESSON LEARNT at that time is to handle the pressure, which STILL helps me in my job. That experiment made me figure out how to make my brain work under pressure, how to concentrate on the work and ignore other external factors. The third company is my current employer, with a 10K employee base. There I got good recognition for my work, and right now, as I write this, I have been representing my company at my client's location in the US for the last 5 months, and I keep learning daily the new things required when you develop a new application. And all this happened in just a 2-year time frame.
From my failure in higher secondary to my current status, I feel I am successful. So, if I connect the dots, everything happened for a purpose. The credit for this should go to the confidence my dad had in me and to my passion, computers and coding, and most importantly the lessons LEARNT from my failures.
And for every one of you who is staring into the dark or not happy with what you currently do: believe in what you love, keep looking, don't settle, keep learning, and the dots will connect eventually.