22 Nov 2006 12:00 AM EST

posted by Albert Grandville

Hello and welcome to our Identity and Access Management blog, and in particular, a very hearty welcome to what we call Project Callisto. In our quest here at Citrix to deliver the very best in Application Delivery Infrastructure solutions we obviously need to take a keen interest in authentication and single sign-on; after all, these form the end user's front door onto their access experience and are part of the administrator's protection from the outside world!

Project Callisto is a long-term strategic project within Citrix to consider the world of authentication and single sign-on, and to determine standards and technologies that Citrix can leverage in order to improve the security, consistency and interoperability between all of our products and with key 3rd-party vendor systems. Indeed achieving specific improvements in these areas is the mission of Project Callisto, a mission that we on the Callisto Team are strongly committed to.

Having said that, this is an ideal moment to introduce you to the Callisto Team, comprised of members from various departments within Citrix who come together to pool their respective experience and creativity. Mike McFarland and Al Grandville (me) represent Product Management and are responsible for owning the high-level vision and establishing product requirements, coordinating these between teams in Citrix, and for defining any overall deliverables and milestones for the project. Chris Mayers represents the Architects group both as a project architect who is responsible for creating the concrete representation of the high-level vision, and also as a security architect responsible for ensuring that stringent security guidelines are adhered to and security is built in during the development stage. Finally, Nick Wise represents Engineering and is responsible for the actual technical details of delivering on Chris's architectural blueprint. Of course, as with any good team, there is an even more important cadre of people behind the scenes supporting, assisting and advising us along the way.

Over time the Callisto Team intends to tell you all about our thinking around authentication and single sign-on, and we would also like to invite you to share with us your thinking in these areas. We hope to establish a dialogue that will allow all of us to be better informed and better prepared for the future, and to allow us to take mutual advantage of exciting new technologies such as Microsoft Active Directory Federation Services (ADFS) and other Security Assertion Markup Language (SAML)-based services, and to make better use of the existing ones such as Kerberos. In addition some of our colleagues will be posting their views on how these technologies are affecting their specific products, for instance Andrew Innes (the Web Interface Guy) wrote a post introducing ADFS, and Jay Tomlin wrote a post on federation in the world of Web Interface.

In the near future we intend to bring you a lot more detail on our current thinking, and to talk more about our intention to address this vast space in more manageable phases. We are currently only in phase 1, but don't let that fool you. We think we have a lot to say, but more importantly, with your help we know there's a lot we can learn.

So please, we invite you to share your thoughts and experiences relating to authentication and single sign-on with us. Feel free to ask questions and to talk about your experiences with our products to date, your current and future plans for authentication and single sign-on, specific pain points that you may be experiencing today, and especially your dreams and desires for connected business in the coming years.

Sincerely,

The Callisto Team


I am delighted to report that Web Interface 4.5 has officially been published on MyCitrix this week,

Federation is a very interesting area, of which federated security is only a part. In general, issues of federation arise because one's universe contains multiple administrative domains. "Federation transparency", as we might call it, is the art (or science) of making the borders of those admin domains appear invisible; SSO does this in the context of login administration, and as it's necessary to check credentials when logging in, achieving SSO in a federated world means having admin B accept that admin A's credential check is valid. Mechanisms vary, and may come and go, but essentially this situation can only work if there is agreement between the administrations (political, technical, business, SLA) as to both how and how well the admin domains can be glued together. The situation is complicated by the fact that there are multiple kinds of admin domain (which may or may not overlap or nest). However, a good approach to federation issues is always to consider the boundary, examine what differs across that boundary, and then work out at what level of abstraction one has to view the situation to make these differences disappear. Hugh

Hi Hugh, As you say, Federation is a very interesting area in many ways above and beyond the technology involved. At a high level one might think that the technology surrounding Federation is relatively simple and indeed not entirely new. Given the clear benefits that have been outlined frequently by Gartner [http://www.gartner.com/7_search/Search2Frame.jsp?keywords=Federation], Forrester [http://www.csoonline.com/analyst/report3172.html], InfoWorld [http://www.infoworld.com/article/04/09/03/36FEidentityfed_1.html] and many other analyst and press columns [http://www.google.co.uk/search?q=identity+federation], a question being asked is why has this technology not taken off at the pace predicted? Reading through a lot of the current data available shows that the issues you raise are on the minds of many potential customers of Federated Identity solutions. The "agreement between the administrators" is something that we would really like to talk about as part of this blog, and I would love to hear stories about these issues from the people who are actively engaged in working through them. One thing that really interests me is to try to understand if there is any way that the technology can make these political, technical, business, SLA issues easier to solve, or provide assurances or other capabilities that would smooth such necessary agreements. Please, if you have any insight into these problems, join in the conversation. Has anyone else found that "a good approach to federation issues is always to consider the boundary, examine what differs across that boundary, and then work out at what level of abstraction one has to view the situation to make these differences disappear"? Are there other approaches that have been found to work? How about problems? Is there anything that happens time and time again? If someone posts about an issue that you have also experienced, you could add your experience to the mix. If we join together we are more likely to understand the real problems in the field. I believe that a better understanding can lead to a better solution in the end. Thanks for joining in! Nick

Those interested in multi-protocol identity federation with Citrix environments can find more information here: http://www.pingidentity.com/resources/88 and here: http://www.pingidentity.com/about/show/156

Thanks very much for sharing, Ryan; the more information available the better in my mind. People may also be interested in Jay Tomlin's blog post following up on federation with Web Interface titled "The New Citrix Authentication Landscape". (Link: http://www.jaytomlin.com/blog/2006/12/post.html) Nick
