Preventing SUNburn?

So it’s finally beginning. Identity Management vendors are perceiving the departure of Sun IDM from the landscape. CA is now offering Sun users the ability to switch over to CA’s IdM product.

I’ve not heard much lately about what the eventual plans are for Sun IDM, but something’s going to have to be announced soon before the other IdM vendors pull the rug out from under Sun/Oracle.

Application Centric Identity?

I’ve been listening to and reading about “Application Centric Identity” lately and how it’s supposed to be the new wave in Identity Management. Frankly, I’m a bit confused.

Basically, what’s being discussed sounds like the creation of an authoritative store, something I’ve been working with in Identity Management for about 5 years now.

The “newness” of this offering seems to be the use of SOA / web-services architectures to make the store more interesting and accessible to authentication / authorization services.

I’ve always felt that by gathering the authoritative attributes from each enterprise repository and linking them together in an authoritative store (metadirectory) you create the clearest picture of what each identity “looks” like. Furthermore, these authoritative entries can then be used as the basis for provisioning new application entries and updating existing ones.

To me it seems like the backers of this school of thought have found a new way to talk about the integration of enterprise-level ERP systems with Identity Management. This is not a bad thing. The one thing we need to do is break out of the idea that Identity Management is solely provisioning or solely Access Management. One without the other is worse than useless given the potential for malicious behavior.

New Whitepaper

The Identity and Access Management team here at SECUDE Global Consulting has created a new white paper called “Strategies for Creating an Authoritative Store”. The paper is currently being hosted on the Business Trends Quarterly (BTQ) site and will be on our corporate website soon as well.

From the white paper:

Creation of an Authoritative Store is a key component of an Identity Management Infrastructure. The Authoritative Store can be created using a number of different strategies. The best strategy is determined by a thorough analysis of sources, database resources, available data synchronization tools and the IAM tools in use by the organization.

In the meantime, if you would like to read the paper, please email me at (matthew dot pollicove (at) secude-consulting dot com) or register (it’s free!) on BTQ’s website, where you can also get more information on BI, GRC and other important technology areas.

I will post an update as soon as the paper is available on the corporate website.

Bug with MD5-hashed security answers

When working with the Recover Password task in IdM, we came across a bizarre bug in the security questions/answers used to authenticate a user so that they may change their password.

When a user sets up their security questions and answers, if they happen to use an uppercase letter in at least one of their answers, and if you’ve chosen to store the security answers as an MD5 hash in the identity store, that user will not be able to recover their password. Why? Because the PHP page for the “Recover Password” task has a line of code that unconditionally converts the typed answer to lowercase before hashing it, while the answer was hashed as typed, uppercase letters intact, when it was stored. The hash of the lowercased answer can therefore never match the stored hash, no matter what the user types.

The buggy line is in the “changepassword.php” file of the workflow interface, on line 717:

$md5Value = md5(strtolower($outputArray[$key]));

Removing the “strtolower” call from that line leaves:

$md5Value = md5($outputArray[$key]);

That fixes the bug: the recovery page now hashes the answer exactly as typed, which is what the enrollment side does, so the two hashes match again. If you would rather accept answers regardless of case, apply the same lowercasing when the answer is first stored instead; whichever way you go, enrollment and recovery must normalize the input identically before hashing. Bear in mind, too, that an unsalted MD5 of a short, guessable answer gives little protection against offline guessing, so the identity store holding these hashes should be treated as sensitive. It’s quite a strange error, and if you’re not aware of where it stems from you could waste many hours looking in the wrong place.
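To make the mismatch concrete, here is a small PHP script, added here and not taken from the IdM workflow interface, that models the enrollment and recovery steps. The function names, the constructed sample answer and the hash_equals comparison are my own choices; the IdM code itself only does the md5/strtolower call shown above.

```php
<?php
// Added example (not the changepassword.php from the IdM workflow interface).
// It models the enrollment and recovery steps of the scenario above to show
// why lowercasing on only one side breaks the match, and two consistent fixes.

// Enrollment, as described above: the answer is hashed exactly as typed.
function enrollAnswer(string $answer): string
{
    return md5($answer);
}

// Buggy recovery check (the behaviour of the original line 717): the answer is
// lowercased before hashing, so a stored answer with any uppercase letter can
// never match, whatever the user types.
function verifyBuggy(string $storedHash, string $answer): bool
{
    $md5Value = md5(strtolower($answer));
    return hash_equals($storedHash, $md5Value);
}

// Fix 1 (the fix above): hash the answer as typed, matching enrollment.
// Comparison becomes case-sensitive, which is what enrollment already implied.
function verifyFixed(string $storedHash, string $answer): bool
{
    $md5Value = md5($answer);
    return hash_equals($storedHash, $md5Value);
}

// Fix 2 (alternative): accept answers regardless of case and surrounding
// whitespace, but apply the SAME normalization at enrollment and at recovery.
function normalizeAnswer(string $answer): string
{
    return strtolower(trim($answer));
}

function enrollAnswerNormalized(string $answer): string
{
    return md5(normalizeAnswer($answer));
}

function verifyNormalized(string $storedHash, string $answer): bool
{
    return hash_equals($storedHash, md5(normalizeAnswer($answer)));
}

// Constructed sample answer containing an uppercase letter.
$answer = 'Springfield';

$stored = enrollAnswer($answer);
printf("buggy check, answer as enrolled:  %s\n",
    verifyBuggy($stored, $answer) ? 'match' : 'NO MATCH');
printf("buggy check, answer lowercased:   %s\n",
    verifyBuggy($stored, 'springfield') ? 'match' : 'NO MATCH');
printf("fix 1, answer as enrolled:        %s\n",
    verifyFixed($stored, $answer) ? 'match' : 'NO MATCH');

$storedNorm = enrollAnswerNormalized($answer);
printf("fix 2, 'SPRINGFIELD ' typed:      %s\n",
    verifyNormalized($storedNorm, 'SPRINGFIELD ') ? 'match' : 'NO MATCH');
```

Run it with the php CLI: the buggy check reports no match for the answer as enrolled, and also for the all-lowercase answer, because the stored hash was taken over the mixed-case string; both consistent variants match. hash_equals is used in place of == so the comparison does not leak timing information, a small hardening the original line does not have.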

Queue runaround (tip)

Let’s say you have a couple of jobs/tasks sitting in your provisioning queue, but you’ve changed your mind and don’t want them to run any more. What do you do? Instead of spending time building a job to ‘Clean (your) provisioning queue’, try this:

  1. Log on to your Monitoring module.
  2. Click on the ‘Provisioning queue’ link in your menu.
  3. Once there you should see all the jobs/tasks waiting to execute.
  4. Clicking the ‘queue size’ link for an entry opens another window with the option to ‘Cancel’ that job/task.
  5. Click ‘Cancel’ to remove the job/task.
  6. Repeat steps 4-5 to remove all the jobs/tasks, or just specific ones.

Hopefully, this will save you some time and frustration.