I make my living designing solutions around and implementing other people’s products, which means I often have to live with the quirks without having the same direct line to the development teams that I would with an in-house solution. Ease of use and the increasing “commoditisation” of identity management products and solutions is both a blessing and a curse - obviously the easier these solutions are to deploy the less demand there is for my services, but conversely it enables my time to be better spent doing the fun stuff rather than tedious configuration.
This was driven home to me this week when I was setting up a demonstration, showing SAML 2.0 between a CA SiteMinder IdP and Ping Federate SP. Neither product is really that difficult to configure and all was well until I got to the stage of generating keys and certificates for signing the assertion (as required when using the SAML POST profile). It’s a minor step in the whole process and should have taken moments - I’ve not set up a SiteMinder IdP recently so I checked the documentation.
The private key needs to be RSA, DER-encoded in PKCS#8 format (snore), so I fired up OpenSSL to generate the key and the CSR (certificate signing request - to be sent to the CA) - should be simple enough in theory, but getting the order of commands right (to convert encoding and format) might be a challenge! I eventually got there - but then discovered that the CSR wouldn’t work for the DER-encoded key. Eventually (thanks to a colleague) I managed to work around it - put the key in both PEM and DER, use one for the CSR and import the other into SiteMinder’s key database (along with the signed cert).
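The key-and-CSR dance described above, written out as an added shell example (these are not the commands from the original post, and they are not taken from the SiteMinder or Ping documentation). It generates one RSA key, produces the CSR from the PEM copy, converts the same key to unencrypted PKCS#8 DER for the IdP key database, and then checks that the PEM key, the DER key and the CSR all carry the same RSA modulus. The 2048-bit key size, the subject DN and the self-signed certificate standing in for the CA-issued one are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a working openssl
# binary (1.1 or 3.x); key size, subject and output names are illustrative.

gen_saml_signing_material() {
    # $1 = output directory, $2 = subject DN for the CSR (assumed values)
    dir="$1"; subj="$2"
    mkdir -p "$dir"

    # 1. RSA private key, PEM encoded. This copy feeds the CSR.
    openssl genrsa -out "$dir/signing-key.pem" 2048 2>/dev/null

    # 2. CSR from the PEM key. This is what goes to the CA for signing.
    openssl req -new -key "$dir/signing-key.pem" -subj "$subj" \
        -out "$dir/signing.csr"

    # 3. The same key, re-encoded as unencrypted PKCS#8 DER for import into
    #    the IdP key store. No new key is generated here; only the wrapping
    #    changes, so the CSR from step 2 still matches it.
    openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
        -in "$dir/signing-key.pem" -out "$dir/signing-key.pk8.der"

    # 4. Demo only: self-sign the CSR in place of the CA's signed cert.
    openssl x509 -req -days 365 -in "$dir/signing.csr" \
        -signkey "$dir/signing-key.pem" -out "$dir/signing-cert.pem" 2>/dev/null
}

# Sanity check before importing anything: PEM key, PKCS#8 DER key and CSR
# must all report the same RSA modulus, otherwise you have mixed up keys.
verify_same_key() {
    dir="$1"
    pem_mod=$(openssl rsa -in "$dir/signing-key.pem" -noout -modulus)
    der_mod=$(openssl pkey -inform DER -in "$dir/signing-key.pk8.der" \
              | openssl rsa -noout -modulus)
    csr_mod=$(openssl req -in "$dir/signing.csr" -noout -modulus)
    [ -n "$pem_mod" ] && [ "$pem_mod" = "$der_mod" ] && [ "$pem_mod" = "$csr_mod" ]
}

# Usage (demo):
#   gen_saml_signing_material ./saml-demo "/CN=idp.example.com" \
#       && verify_same_key ./saml-demo && echo "PEM, DER and CSR agree"
```

The point of the modulus check is that PEM and PKCS#8 DER are two encodings of one key, not two keys: the certificate the CA returns for the CSR is the right partner for the DER key you import, and the check makes that visible before the key database is touched. The DER copy is written unencrypted (`-nocrypt`), so treat the output directory as you would any private key material.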
The same process using Ping Federate as an IdP is much, much easier. Literally a case of point and click within the UI - generate a key and CSR, get a signed cert, then import it. It should be pretty obvious which product is most likely to be recommended in future.
I’ve hit occasional problems with Ping software itself - including an annoyance with the license keys during the course of setting up this demo - so they don’t get off scot-free, but frankly, I also know which organisation I hold more hope of getting a fix from for a bug report in a timely manner!
UPDATE @ 15/05/07 21:02 : I received a nice email from Andre Durand (CEO of Ping Identity) yesterday evening as a follow up to this - hopefully we’ll have plenty of reasons to work together in future, and it shows one of the wonders of the modern Internet and how companies can use this to their advantage. I wonder if anyone in the marketing departments of companies like CA monitors blogs for mentions…