Sunday, December 16, 2007

MOSS Audiences with SharePoint Groups and AD Groups

I’ve done a number of posts on Audience targeting, and many people have commented or e-mailed me with issues regarding using SharePoint Groups based on AD groups. They typically want to use target audiences at a web part level using SharePoint Groups based on AD groups, without importing anything into the MOSS repository. This works for AD users, but not for AD Groups. Similar problems are also described in posts like ,
and in

There is obviously some kind of issue here. Christopher White seems to be onto something; he says:

“By using the SPUser.Groups property you can easily enumerate the groups that a user has been assigned to. However one problem with this approach is that if the user is a member of a domain group that has been allocated to a SharePoint group, then this group does not appear in SPUser.Groups.”

So, if the SP Groups audience targeting mechanism were based on the ".Groups" property then this could be the problem. But only MS can know this...

One reader has opened an incident with Microsoft on this. I will keep you informed.

© Copyright 2007, Tomas Elfving

Monday, December 10, 2007

Inkblot service, OpenID and SSO

I didn't really explain the link between the inkblot service and the OpenID SSO solution in my previous post. The real benefit is linking it with Web-based single sign-on (SSO). You create one really strong password using the inkblots and use it to log into an OpenID provider. The OpenID provider then validates your authentication to any OpenID-compliant site on the Web where you have a password-protected account. That means you don't have to create a password for each Web site you visit, because the Web site trusts the OpenID provider to do that authentication. So the benefit is that you don't have all those passwords for different sites. You don't have to do the "remember password" thing and then have the password stored in clear text in your in-box folder. Of course, the one-password system requires that the user have a strong password, and this is where the inkblot method comes in handy. It is a single point of failure: if someone cracks that password, they can get into all your accounts. For this combination of technologies to fly, OpenID has to become more widely accepted. It is picking up steam: Microsoft supports it in CardSpace, and version 2.0 of OpenID was just released. Together with a productized inkblot service, it has the potential to be a service that is both secure and user-friendly.


Saturday, December 8, 2007

Microsoft Research releases the Inkblot service

As part of its backing of the OpenID standard, Microsoft Research has released an experimental provider. Its basic idea is as follows:

You will be presented with a series of inkblot pics. Think of a description for each inkblot, then type the first and last letters of that description. For example, if the inkblot makes you think of "cloud" then enter "cd". Use a singular term, since it's hard to remember whether you were thinking of "car" or "cars".

Every time you type two characters, you'll advance to the next inkblot, until you have produced a quite difficult-to-guess password. Enter the two-letter descriptions again in the second box. Here, the inkblots appear in a different order, to encourage you to use the inkblots to build associations.

Whenever you are asked to log in, you will be presented with the inkblots to remind you of your associations. After a few logins, you'll no longer even need to look at them: you'll have memorized a strong, difficult to guess password.

Try it out on !
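The enrollment steps described above, modelled as an added example (not code from Microsoft Research or from this post): it derives the password from the first and last letters, replays the confirmation step in a shuffled order, and compares the theoretical upper bound on entropy with the entropy of a constructed sample of descriptions. The inkblot ids, sample words and function names are assumptions.

```python
import math
import random
from collections import Counter

# Constructed sample data (not from the service): one user's associations,
# and descriptions several users might give for a single inkblot.
SAMPLE_ASSOCIATIONS = {"blot1": "cloud", "blot2": "spider", "blot3": "mask", "blot4": "tree"}
SAMPLE_DESCRIPTIONS = ["cloud", "cloud", "crowd", "card", "bat", "bat", "butterfly", "mask"]

def two_letter_code(description):
    """First and last letter of a description, e.g. "cloud" -> "cd"."""
    word = description.strip().lower()
    if len(word) < 2 or not word.isalpha():
        raise ValueError("description must be a single word of 2+ letters")
    return word[0] + word[-1]

def enroll(associations, rng):
    """Build the password in enrollment order and pick a shuffled
    order for the confirmation box, as the procedure describes."""
    order = list(associations)
    password = "".join(two_letter_code(associations[b]) for b in order)
    confirm_order = order[:]
    rng.shuffle(confirm_order)
    return password, order, confirm_order

def confirm(password, order, confirm_order, recalled):
    """Check the codes recalled per inkblot, shown in shuffled order."""
    expected = {b: password[2 * i:2 * i + 2] for i, b in enumerate(order)}
    return all(two_letter_code(recalled[b]) == expected[b] for b in confirm_order)

def upper_bound_bits(n_inkblots):
    """Entropy if all 26*26 two-letter codes were equally likely per inkblot."""
    return n_inkblots * math.log2(26 * 26)

def empirical_bits_per_inkblot(descriptions):
    """Shannon entropy of the two-letter codes in a sample of descriptions."""
    counts = Counter(two_letter_code(d) for d in descriptions)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

if __name__ == "__main__":
    pw, order, shown = enroll(SAMPLE_ASSOCIATIONS, random.Random(7))
    print(pw, shown)
    # Recalling a plural ("masks" instead of "mask") changes the code and fails.
    print(confirm(pw, order, shown, dict(SAMPLE_ASSOCIATIONS, blot3="masks")))
    print(upper_bound_bits(len(order)), empirical_bits_per_inkblot(SAMPLE_DESCRIPTIONS))
```

In the constructed sample, "cloud", "crowd" and "card" all collapse to "cd", which is why the measured entropy per inkblot sits well below the uniform upper bound.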


OpenID 2.0 released

OpenID 2.0 (or, to be precise, OpenID Authentication 2.0 and OpenID Attribute Exchange 1.0) was released a few days ago at the Internet Identity Workshop in Mountain View, CA. Both specifications have evolved through extensive community participation and feedback, and each has been stable for a number of months.
Both Microsoft and Google shipped OpenID features in beta products. Microsoft Research announced the Inkblot Service as an experimental Provider, while Google announced the ability to comment on Blogger blogs using OpenID.
There are a number of open source libraries out there, including Google’s Blogger (via Sxip’s library) and Drupal, who did their own implementation of the specifications. Multiple OpenID Providers, including MyOpenID, Sxipper, and VeriSign’s PIP, already have support for both of these specifications. Today the following libraries exist which implement OpenID Authentication 1.1 and 2.0, OpenID Attribute Exchange 1.0, and OpenID Simple Registration 1.0: This SSO standard is definitely one any public site developer should consider.
