Impressions from European Identity & Cloud Conference 2013

English on May 26th, 2013

Big Data, life management platforms, Extended Enterprise++, fusion drive, dead standards and the identity silo relaunched: the European Identity & Cloud Conference 2013 had lots of new and old topics. The 7th EIC was held for the 3rd time in the Dolce Ballhausforum from 14-17 May, gathering many digital identity thought leaders and making Unterschleissheim the identity capital of Europe, or even the world.

As always, the conference was well organized in a pleasant environment with a noticeable Bavarian touch. Exhibitors and visitors from 33 countries, 5 parallel tracks and 150 speakers gave insight into new trends in identity, access management and cloud computing. The number of visitors was slightly higher than last year, with end users now representing the majority of visitors.

As usual, the conference started with some half-day pre-workshops, continued with 2½ days of tightly packed conference and closed with an additional workshop day. KuppingerCole's team of analysts grew again, with Peter Cummings and Rob Newby, proven experts with practical project implementation experience, joining the team.

As in previous years, the conference started with a series of keynotes from sponsors, customers and academics. The first keynote, delivered by Martin Kuppinger, covered identity and cloud trends and “setting the right direction”. The three biggest trends were called the “Computing Troika”, made up of cloud computing, mobile computing and social computing. Information security receives more attention – it makes it to the 8 o'clock news – and is now a business success factor. “Risk” is the common language which aligns IT and business viewpoints. Identity and privacy incidents can massively damage the reputation of a company; for that reason IAM is closer to business than ever. The KuppingerCole BII is a business impact indicator for information technology which graphically indicates the value of a particular IAM technology in terms of business alignment, business enablement, cost savings and compliance fulfillment. The KuppingerCole CIO GPS helps you find your path in governance, privacy and data protection, and security; it shows which technologies are best for achieving specific targets. Another topic he discussed was the API Economy, also named the Extended Enterprise++, which reveals big potential for business enablement in the extended enterprise (business partners and customers).

What were the main topics in the conference?

Data Privacy and Protection Laws

With Karsten Kinast, an attorney concentrating on data protection and IT law, joining the KuppingerCole analyst team, a stronger focus on legal topics was obvious. Presentations and discussions on EU regulation shaped one track of the conference.

Big Data

Another big topic was Big Data. What is meant by Big Data in the IAM context? There is no exact definition available – something we already know from the “cloud”. According to a track session by Mike Small and Sachar Paulus it is something like a big data warehouse based on data that is publicly available. Big Data's characteristics are:

  • Volume: according to an IDC report, 2.8 exabytes of data were created in 2012
  • Velocity: lots of data events
  • Variety: can be text, voice, photos, video

Technologies used to deal with Big Data:

  • Hadoop: Map/reduce
  • Elastic map reduce (amazon)

And to deal with velocity:

And with variety:

  • natural language processing
  • Graph stores
  • XML stores

Why is Big Data handled at the conference? Transforming Big Data into smart data by analyzing and combining it creates information and confidentiality problems. Existing access controls cannot be applied, because you cannot define protection levels if you don't know how and what will be processed and analyzed. Smart data becomes relevant as business can benefit from it by improving competitiveness or transforming products.

Life management platforms (LMP)

Life management platforms are the evolution of today's social networks and personal data stores, something that might result from the user's wish to get more control over his data. This becomes more prevalent in times where everyone has the feeling that too much personal data gets collected by the Googles, Facebooks etc. and used for their own consumption. In times where a smart TV is able to track which programs you are viewing and Microsoft is reading your Skype messages to check hyperlinks that were sent, users see a need for change. But the road to LMP also means a fundamental change in attitude, from quick profit to trust.
According to a keynote by Craig Burton, the life management platform is not a product. It is extensible and API-enabled, with privacy by design (proxy façade). An LMP is not a personal data store, and it is not a social network. It follows controlled push and informed pull with privacy controls. Controlled push means that a customer provides only a controlled partial view of his data to a service, which ensures privacy. Informed pull describes the concept where a user requests information from different sources while guaranteeing confidentiality of the data towards competitors of the service. Issues for the success of LMPs arise from the need for vendors to cooperate in sensitive areas – a schema must be defined. According to Burton's rule of thumb, adding an element to a schema takes 1 year; adding 10 elements takes 10 years. A possible solution might be the Graph API. The Microsoft cloud directory is schema independent.


European Identity & Cloud Awards:

One of the highlights of the conference is the award ceremony, which was introduced with the 2nd conference and was now held for the 6th time. Martin Kuppinger noted that this year a significant number of nominations were available, which emphasizes the increasing maturity in some IAM areas. He mentioned that a few years ago it was difficult to find successful, mature projects.
This year prizes in 11 different categories were awarded:

1. Best Identity and Access Management Project
Winner: Virgin Media, represented by Paul Edmondson from aurionPro SENA: “Infrastructure for the Olympic Games: WiFi for the tube with high numbers of authentications every time a train is entering a station”

2. Best Access Governance and Intelligence Project
Winner: Deutsche Bank, represented by Carolin Pfeil: “Manage complex SOD rules in a very large institution”

3. Best Access Governance and Intelligence Project II
Swiss Re, represented by Daniel Frei: “Dynamic access management, based on DirectoryX and Axiomatics”

4. Best Cloud Security Project
Evry, represented by Anne Bergersen: “Multitenant IAM infrastructure in the cloud which brings together a way of identifying customers and citizens in Norway. Based on NetIQ”

5. Best Approach on Improving Governance and Mitigating Risks
Universitätskrankenhaus Hamburg-Eppendorf, represented by Juerg Staebler, IBV Informatik AG:
“Privileged account management in the health care industry leveraging Lieberman Software. Now using one-time passwords instead of plain text passwords. Project implemented in 3 days.”

6. Best Innovation/New Standard in Information Security
An obvious choice: OAuth 2.0 – the OAuth standard team represented by Mike Jones, Microsoft: “new and influential, it feels like it has been around for a longer time”

7. Lifetime Achievement Award
Kim Cameron, Microsoft – evidently deeply moved by the award.

8. Special Award: Bridging the organizational gap between business and IT
Volkswagen Financial Services, represented by Marek Bingel: “Well-defined guidelines and processes which enable moving forward”

9. Special Award: Rapid and lean implementation of IAM/IAG
E.ON Global Commodities, represented by Carsten Mielke: “Governance project based on CrossIdeas”

10. Special Award: Rapid re-design and re-implementation of the entire IAM
Schindler Informatik AG, represented by Reto Tomasini and Gary Edward Stewart: “Identity provisioning infrastructure based on Quest Identity Manager”

11. Special Award: Integration of provisioning and access governance in a complex banking environment
HypoVereinsbank, represented by Ulrich Haumann: “Provisioning combined with governance of a large number of applications based on Microsoft Forefront Identity Manager”


In an interesting panel discussion with Craig Burton, Mike Neuenschwander, Gerry Gebel and Martin Kuppinger on the future of IAM, the panel quickly turned to a discussion of “dead standards”, a topic which became a running gag during the entire conference. Motivated by a blog article by Forrester's Andras Cser, this year's “dead standard” candidate number one was XACML (as basically all XML-based standards). Craig Burton stated that he does not expect to see a product deployment with XACML in its current form. Gerry Gebel retorted that AuthZ is very important and that XACML is working on JSON/REST profiles to move more towards APIs.

The topic of standards and their practical usage was continued in another panel session on the second day with Craig Burton, David Brossard of Axiomatics speaking for XACML, Darran Rolls of SailPoint for SCIM, Paul Madsen of Ping for SAML and Michael B. Jones of Microsoft for OAuth. Jones pointed out that OAuth 2.0 was designed with simplicity in mind, as the 1.0 spec turned out to be too complicated. OAuth 2.0 is designed to use existing security layers like TLS, and by being REST-based the developer does not even need a library. Paul Madsen replied that the “S” in SAML does not stand for “simple” as in SCIM but for “security”. SAML sets the bar for the industry, and everything comes with a price – in this case 800 pages of specification. For security, SAML was historically designed to reflect the legal contract between parties. A question on the “liveliness” of AuthZ profiles within SAML was answered with the remark that a few years ago it was recognized that SAML is better suited for authentication and attributes; XACML is the better fit for AuthZ, and SAML and XACML work well together. David Brossard denied that XACML is losing traction: as a XACML product vendor he is seeing more adoption, and the focus is now more on developers and on profiles that make XACML simpler. Darran Rolls replied to the question about SCIM versioning not being stable after the transfer of SCIM to the IETF that SCIM 1.1 can be implemented. A good conclusion was given by Paul Madsen on the question what he would recommend to customers asking for a specific standard: what fits best depends on the use case. SAML is not optimized for mobile, and Ping would not push it for mobile. OpenID Connect may be a problem if the partners do not support it. SAML is definitely more widespread (a quick poll of the audience initiated by Pamela Dingle confirmed that). The best measure of the mortality of a standard is the number of deployments.
Someone in the audience added that the available open source implementations could also be a measure. SAML has several, XACML mainly for the 2.0 version, SCIM with UnboundID – but OAuth, as a simple REST-based protocol, does not really need a library implementation.

People like Craig Burton, Fulup Ar Foll and others are always good for some catchy quotations. I noted some of them:

We need the hacker to stay in business.

If I BYOD, I have the right to install malware.

There are public APIs and DARK APIs.

OAuth and REST are the fusion drive for the API economy.

Banks and operators are too fat, lazy and rich to take the risk to compete with the Facebooks and Googles.

Some links worth mentioning:

Datownia, with an interesting developer use case demonstrating how APIs can be used to enable frictionless integration with Windows Azure AD and the Windows Azure Graph Store, using the Datownia system developed by Release Mobile Ltd.

Dutch authentication and authorization for legal entities: eRecognition

bwIDM: federation of non-web-based services like HPC between universities of the state of Baden-Württemberg. The solution is called FACIUS.

www.trustindigitallife.eu: Consortium focusing on TRUST in digital Life

FIDIS: Future of Identity in the Information Society

AZA – Native Authorization Agent: enabling mobile SSO across native apps.

Topics I missed:
Not much about cloud crypto. New companies in this area were not represented at the conference.

My personal winner at EIC 2013:
OAuth 2.0: fast specification, quick adoption; it feels like it has been around for a much longer time.

Last but not least: the European Identity & Cloud Conference 2014 will be held from 13-16 May. Guess where? In the identity capital Unterschleissheim. See you there.

Time for change: Is OpenAM or OAM the better fit for replacing OpenSSO?

English, OAM, OpenAM, OpenSSO on January 26th, 2013

Once upon a time there was a computer company that loved open source software but they forgot to make money. Another big successful company came and bought the other. The big company did not like open source but they know how to make money. Since they already had similar closed-source software products, they decided to put the open source in second place. Quite understandable – remember they don’t like open source but they know how to make …

It is now more than 3 years since Sun was taken over by Oracle. Sooner or later, customers who invested a lot of work and money to implement and maintain their OpenSSO infrastructure must decide how to go forward with the product.

Oracle decided to put OpenSSO in maintenance mode. What does this mean? In the last two years a few updates/patches to the product were released, but no major release and no new features. There is no roadmap. For web policy agents it is even worse: almost no patch releases, no support for newer operating system versions. It does not mean that there is no support if you run into problems. But you first have to run into already known problems to file bugs and get a patch. Even for really critical bugs. That's tedious …

Customers are safe and get support from Oracle if they don't need new features, but at some point OpenSSO customers have to make up their mind and develop a migration strategy. The first software that comes into consideration will be ForgeRock's OpenAM, a fork of OpenSSO, so the migration promises to be quite straightforward. The second thought would be to look at Oracle's Access Manager (OAM). Oracle might have had reasons to abandon OpenSSO in favor of OAM. Oracle normally does not leave its customers alone and offers tools for a smooth migration.

A decision in favor of OpenAM or OAM may depend on different aspects. Technical people will primarily look at features and architecture. For business and strategically thinking people a close look at the companies behind the products might be important as well. On the one hand there is ForgeRock, a small but ambitious startup, and on the other hand Oracle, the software giant, which promises more stability and investment protection.

ForgeRock started in 2010 when it became obvious that OpenSSO would not survive. Sun used to release Express versions of OpenSSO. Right before Express 9 was to be released, Oracle stopped the Express roll-outs. OpenSSO Enterprise 8.0 was at that time equivalent to Express 6 (today it is still this version, with bug fixes and some minor feature enhancements, mainly in the web service security space). This was the time when ForgeRock stepped in, forked Express 9 and released their own version. In the beginning many people were skeptical whether ForgeRock would be able to execute. But after 2 years, backed with 7 million in funding from Accel Partners, they not only proved able to run the business, they also expanded the portfolio with OpenDJ (a fork of OpenDS, Sun's Java-based directory server) and OpenIDM (a provisioning software written from scratch).

There is not much to say about Oracle as a company, so let's look at their access management software, Oracle Access Manager. The roots of OAM go back to Oblix, a company and a software product acquired by Oracle in 2005. If you have a closer look at OAM up to version 10g, you will notice that the software architecture is quite different from what we were used to from OpenSSO. OAM had separate server processes written in C++ and did not have a central server-side user session; session information was stored in the cookie. In addition to OAM, you need to deploy Oracle Identity Federation (OIF) if you are using federation protocols like SAML 2.0 in your OpenSSO deployment. With OAM 11g things changed. The software is now implemented in Java (either written from scratch or ported). With that in mind, and taking into consideration that the development from 11g to 11g R2 is catching up with features very dynamically, you can argue that OAM 11g is a 1.0 version and not very mature. The latest OAM release now also has SAML 2.0 federation capabilities built in, so you might not need to deploy OIF anymore – at least if you are only running a service provider and not an identity provider.

What are your thoughts, plans or experience regarding the migration? We are happy to take your input as a comment on the blog or through our contact form, as we are preparing a deeper look into the topic.

User attributes in the SAML assertion

English on November 30th, 2012

It is nothing really new, but it was a missing feature in the administration GUI of our Public IDP: configuring which user profile attributes should be sent as an AttributeStatement in a SAML assertion.
The feature has always been there, but administrators had to open a service request to have attributes configured. Now you can select which attributes to insert while importing Service Provider metadata. A sample is in the screenshot below:

Impressions from European Identity Conference 2012

English on April 25th, 2012

This year's European Identity & Cloud Conference took place from 17-20 April, with the last day being a workshop day to deepen some of the topics. The event is one of the most important IAM meetings in the world and continues to increase its impact. Almost 600 visitors from all over the world and 40 exhibitors amounted to 35% growth. As every year, the vendor landscape showed some dynamics, with NetIQ acquiring Novell's IAM business, ATOS taking over Siemens IT Solutions and Services (DirX), new rising stars appearing like ForgeRock, Symplified and The Dot Net Factory, to name a few, Ping Identity expanding its presence and big companies like VMware participating for the first time.

The most discussed new topics this year were “The Open API Economy” and “Life Management Platforms” (Personal Cloud).
API economy: most presenters agreed that open APIs are important to businesses today, as they can bring new business opportunities and allow cloud users to orchestrate their applications into mashups delivering the service the business really needs. For some companies it will even be crucial to provide APIs to stay in business. In Andre Durand's words: “A business without a cloud API is like a door without a doorknob”.
Life Management Platforms provide more than a personal data store. They offer an answer to the need of people to share data in a very controlled and secure way. An example mentioned is the insurance contract number that needs to be accessed from abroad in case of a car accident. These platforms follow a minimum disclosure approach, which is totally different from that of social networks à la Facebook as we know them today (remember: as soon as you enter your information, the data belongs to Facebook). Life Management Platforms are expected to replace the existing social networks in a 10-15 year time frame.

For me, one of the main take-aways of the conference is that identity and information security now really matter. Finally they have arrived on the agenda of the boards.

As usual, the conference started with a set of pre-conferences on Tuesday morning: the Kantara Initiative Summit, OASIS and ISACA workshops and the OpenID community reviewing the status of OpenID Connect, OAuth 2.0 and Account Chooser.

The actual conference began in the afternoon with Martin Kuppinger's keynote. The KuppingerCole team itself changed, with Craig Burton, Fulup Ar Foll and Alexei Balaganski joining as analysts and Tim Cole stepping back due to health reasons. In the absence of the charming, entertaining Cole, the moderator's task was taken over by Nigel Cameron, bringing a more rigid timeliness to the conference schedule.

The IAM world today is not characterized by fundamentally new aspects but undergoes a more evolutionary development. In his keynote Kuppinger described these changes as a development process from manufacturing to industrialization, which manifests itself in the need of IT departments to meet changing requirements. IT departments feel that they now must compete against external (cloud) offerings. This is similar to the pressure we know from outsourcing considerations, but with cloud computing becoming more prevalent the rivalry is more tangible. Kuppinger describes the new demand in his “IT Paradigm”, a standardized model for building future IT. The paradigm illustrates how IT departments can provide the services the business really wants while enforcing information security, mitigating risks and being compliant through an enterprise-wide governance approach.

According to KuppingerCole the Trends 2012 are:

  • Data loss prevention will be the number one topic for IT departments
  • BYOD (bring your own device) will continue to be an issue in 2012
  • Cloud computing standards like SCIM (Simple Cloud Identity Management) need to be supported by providers as cloud users' demand for standards increases; but standards for authorization and auditing in the cloud are still missing
  • IAM will move to the cloud more than ever before
  • Continued breaches of trust providers, which will not be limited to digital certificate authorities
  • GRC, data governance and data loss prevention will merge as businesses realize that DLP includes data loss mitigation (what to do when things have happened)
  • Ubiquitous encryption will become a hot topic (encryption of all data everywhere)
  • Companies will start to redefine their IAM infrastructure to become future-proof
  • All mobile platforms will remain under attacks of all forms
  • Regulatory pressure is still pushing IAM and GRC

In the remainder of the first day the agenda's tough schedule provided for a number of keynotes (9 keynotes without a break …) which brought the known and highly valued mixture of business and academic thought leaders as well as keynotes by sponsoring vendors. Speakers, some of them known from previous years, presented their viewpoints and vision. Enrico Mordini postulated “the new gold is identity”; Reinhard Posch reported on eID projects and their challenges, especially in cross-border usage (see STORK https://www.eid-stork.eu); Kim Cameron (“through a series of bizarre events and the fact that it is hard to retire” he returned to Microsoft) stated that the new cloud requires a new identity model. IDMaaS (Identity Management as a Service) is needed to assemble claims from multiple sources, and organizations will selectively expose their directories to other applications. “The cloud motor runs on identity”, he said. Supporting concepts: Microsoft U-Prove https://connect.microsoft.com/site1188 (remark: and IBM Idemix http://www.zurich.ibm.com/idemix/details.html). Speakers from Cyber Ark presented on PxM; Shireif Nosseir of CA on the transformation of the security model; Peter Weierich of IC Consult on externalized authorization; Laurent Liscia of OASIS on evolving cloud standards, ID-Cloud (ID in the cloud) and TOSCA (portability for the cloud); Jonathan Sander of Quest; Barbara Mandl of Daimler on the consumerization of IT; Doc Searls on “free customers are the new platform” in contrast to the old captured customer (see http://lockerproject.org/ and http://www.kynetx.com/ – the Kinetic rule engine and KRL, the cloud programming language); Mike Neuenschwander, now with Oracle, and Patrick Parker, CEO of The Dot Net Factory, completed the spectrum.

The second day started early at 8:30 with three keynotes by speakers mainly from the banking sector and then split up into five tracks, one dedicated to legal topics and one a round table discussion on consumer identity. As last year, the cloud audit track elaborated on the need for cloud audit standards, which are required so that the customer is able to compare providers and does not otherwise remain unclear about what he really buys. A statistic was shown which measured the cloud readiness of countries concerning their legal and regulatory structure; the result ranks Japan, Australia and Germany as the first three countries. (Some references: Cloud Services Measurement Initiative – CSMIC, http://www.cloudcommons.com/; ENISA http://www.enisa.europa.eu/activities/application-security/test/; ISAE 3402 replaces SAS 70, http://isae3402.com/; ISO/IEC WD TS 27017 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43757.)

In the afternoon and on the following day several successful examples of large-scale federations were shown, mostly from the educational sector: the Danish federation with their own profile OIOSAML, WAYF as best practice in outsourced federation in Denmark, and REFEDS with an astonishing 27 federations, 1815 IdPs and 2755 service providers (reference: https://refeds.terena.org/index.php/Main_Page).

Craig Burton moderated a session with the provoking title “Is SCIM a Scam?”, a very lively track with statements like “SOAP is dead”. Burton and the other participants came to the conclusion that SCIM is not a scam, because it is simpler than SPML (basically providing only CRUD operations and not trying to reflect the whole provisioning object model) and the specification work involved big names in the cloud like Google and WebEx, who are expected to implement SCIM for their services, contributing to making 2012 the year of SCIM.

In the Life Management track, Drummond Reed (http://connect.me) and Marcel van Galen (http://www.qiy.com/) presented on their services, VRM (Vendor Relationship Management), the personal cloud and relationship as a service.

The evening of day two concluded with keynotes from Andre Durand of Ping Identity (“IT problems are fractal: your job is never done” and “a business without a cloud API is like a door without a doorknob”), Eberhard Faber on challenges security managers should watch (bring your own device = bring your own vulnerability), Stephan Bohnengel of VMware, and the European Identity Award Ceremony.

European Identity Award Winners 2012

  • “Best IAM Project”: Siemens AG, project HRS DirX, an IAM project that involves international deployments and leverages hybrid cloud environments.
  • “Best Access Governance and Intelligence Project”: Europol, the European law enforcement agency, received the award for a strategic IAM project with central auditing in a very sensitive environment.
  • “Cloud Security Project”: in this category two projects received the award: Daimler AG, consulted by IC-Consult, for a project that involves hybrid cloud by reuse of existing infrastructure, and Sanofi S.A. for a federation project which was successfully implemented in a very short time frame using Ping Identity solutions.
  • “Best Approach on Improving Governance and Mitigating Risks”: Aeroport de Paris S.A., a privileged account management project using Cyber Ark and Qualys.
  • “Best Innovation/New Standard in Information Security”: OpenID Connect, for its elegantly simple design.
  • A new category was introduced at this year's EIC, the “Lifetime Achievement Award for Identity”: Prof. Dr. Reinhard Posch, CIO of the Austrian Federal Government.
  • Special award “Mobile Security”: Swisscom with MobileID, a product which uses SIM card security built on the ETSI mobile security standard. (Remark: in Germany a similar product was announced by Vodafone as “Secure SIM”.)

My unofficial award for the acronym of the year goes to a very old and well-known acronym: “API”. I never expected that APIs would gain such ineffable importance for businesses, not just for application developers.

The third conference day started with presentations by ATOS, Jacques Bus of the Digital Enlightenment Forum and Kai Rannenberg of the University of Frankfurt (http://www.m-chair.net). Rannenberg lectured on a more privacy-friendly Internet. (References: ABC4Trust https://abc4trust.eu/, an EU project on attribute-based credentials for trust and partial identities; ISO/IEC JTC 1/SC 27/WG http://www.iso.org/iso/iso_technical_committee.html?commid=45306; STORK https://www.eid-stork.eu/; Microsoft U-Prove https://connect.microsoft.com/site1188, based on blind signatures, and IBM Idemix http://www.zurich.ibm.com/idemix/details.html, based on zero-knowledge proofs; ISO/IEC 24760 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=57914.)

The tracks of day three gave insight into best practice experiences of IAM projects (e.g. the Province of Trentino), the use of open source in IAM, a real IAMaaS solution provided by Swisscom and an interesting panel with Craig Burton, Martin Kuppinger, Kim Cameron, Fulup Ar Foll and Steven Willmott from 3scale on “IT model and the API economy”, describing the openness cycle of APIs:
Raw Data → internal reuse → customer reuse → partners and distribution
with all steps providing value.

To summarize, the conference all in all was a very interesting and informative event and, as always, organized perfectly by the KuppingerCole team.

SAML Request Online Decoder / Encoder

English, Toolbox on March 31st, 2012

SSOCircle Toolbox Part 3:

Continuing our series on field tools that help troubleshoot SAML federation problems, we are now adding an online decoder and encoder to translate SAML messages into readable text. In many cases you need to see what is in the SAML messages even if you have no access to the server's log files. Although transferred via the browser, the base64-encoded and sometimes compressed content is not directly readable.
The tools allow you to copy and paste the request into a form and decode the contents.
The following images show how to use the tool. Just copy & paste the contents of the request into the form. Use a tool like the Firefox add-on “Tamper Data” to log the request.

SAML Online Decoder : encoded text

Click on decode and switch to XML view:

SAML Online Decoder: decoded text

We use these tools often to see, for example, which attributes are in the assertion or whether constraints are set as expected.
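The following Python script is an added example, not the code behind the SSOCircle online tool. It decodes a SAMLRequest/SAMLResponse parameter copied from the browser for both the HTTP-POST binding (base64 only) and the HTTP-Redirect binding (DEFLATE, then base64, then URL encoding), encodes in the other direction, and then lists the issuer, subject, conditions and the attributes of the AttributeStatement, which is also the element the post on user attributes in the SAML assertion above is about. The sample response, the idp.example.test and sp.example.test names and the attribute values are constructed for illustration.

```python
"""Decode and re-encode SAML messages captured from the browser and show what the
assertion contains.  Added example, not the SSOCircle decoder's code; the sample
response below is constructed (example.test names, made-up attribute values)."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of what an IdP sends in a SAMLResponse: one assertion with
# a subject, conditions and an AttributeStatement carrying two attributes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2012-11-30T10:00:00Z" Destination="https://sp.example.test/acs">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-11-30T10:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-11-30T09:59:00Z" NotOnOrAfter="2012-11-30T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>staff</saml:AttributeValue>
        <saml:AttributeValue>admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_message(param_value):
    """Turn a SAMLRequest/SAMLResponse parameter value into XML text.

    HTTP-POST binding: plain base64 of the XML.  HTTP-Redirect binding: raw
    DEFLATE (no zlib header), base64, URL encoding.  unquote() is safe for both,
    because an un-encoded base64 string never contains '%'.
    """
    raw = base64.b64decode(urllib.parse.unquote(param_value).strip())
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")                      # POST binding: XML as-is
    return zlib.decompress(raw, -15).decode("utf-8")   # -15 = raw DEFLATE stream


def encode_saml_message(xml_text, redirect_binding=True):
    """Inverse direction: Redirect binding deflates first, POST binding does not."""
    data = xml_text.encode("utf-8")
    if redirect_binding:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def redirect_param(xml_text):
    """Value exactly as it would appear in ?SAMLRequest=... (URL-encoded too)."""
    return urllib.parse.quote(encode_saml_message(xml_text), safe="")


def extract_attributes(xml_text):
    """{attribute Name: [values]} from every AttributeStatement in the message."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def summarize(xml_text):
    """Issuer, subject and the conditions the SP is expected to enforce."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    conditions = root.find(".//saml:Conditions", NS)
    return {
        "issuer": text("saml:Issuer"),
        "name_id": text(".//saml:Subject/saml:NameID"),
        "audience": text(".//saml:Audience"),
        "not_before": conditions.get("NotBefore") if conditions is not None else None,
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "attributes": extract_attributes(xml_text),
    }


if __name__ == "__main__":
    # Round trip through the Redirect encoding, then inspect the result
    for key, value in summarize(decode_saml_message(redirect_param(SAMPLE_RESPONSE))).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the summary of the constructed response after a round trip through the Redirect encoding; paste a real parameter value into decode_saml_message() to inspect a captured message. The decoder only makes the message readable: it does not check the XML signature, so what it shows is what the sender put in the message, not what has been validated.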

Stay tuned with more tools to come.

Securing Google Apps/Gmail – Part I

English on January 22nd, 2012

In December Google announced the availability of SAML SSO and other APIs in the free edition of Google Apps. SAML had already been introduced for the premium/business and educational versions back in 2007. But now you can benefit from this feature to make access to all versions of Google Apps more secure.

This article has two parts. Part I describes how to secure access to Google Apps using SSOCircle IDPee with password-free X.509 client certificate authentication, which is a good countermeasure against phishing attacks, often used to capture user name and password in order to gain access to your Gmail account. Remember the attack against U.S. officials' Gmail accounts by phishing originating from China (see CNN: “Massive Gmail phishing attack hits top U.S. officials”).

Part II describes how to leverage certificates to encrypt and sign emails with a standard browser and Gmail. Take the next step and protect your email communication from everyone, including the service provider. Do all this with your standard browser.

This is what you need for Part I (Secure access to Google Apps):

  • Google Apps account (e.g. free Standard Edition)
  • SSOCircle IDPee account

Follow the steps below to configure the application. We assume you already have user accounts created at Google Apps and SSOCircle IDPee.

A. Configure Google Apps for SAML SSO

  • Log in to your Google Apps account as administrator
  • Go to “Advanced tools” and “set up single sign on”
Configure SAML SSO in Google Apps

  • Enter the fields as described in the screenshot
  • The certificate needed as a verification certificate can be downloaded from your IDPee at <my-hostname>.idpee.com/cert.cer

Google Apps SSO configuration screen

B. Import Google Apps configuration data into SSOCircle IDPee

  • Log in to your SSOCircle IDPee account as administrator
  • Go to “Manage metadata” and click “Add new service provider”
Manage SAML Meta data

  • Enter the metadata of your Google Apps.

You can retrieve sample metadata on the SSOCircle web site; replace the string “YOUR_GOOGLE_APPS_DOMAIN” with the name of your domain, then copy and paste it into the form:

Import Google Apps meta data

You will now see that your Google Apps metadata was properly imported, as shown in the following screen:

Service Provider meta data listing

C. Enroll certificate for your user account

Finally, with the Google Apps – SSOCircle IDPee integration in place, you now need to enroll a personal client certificate. SSOCircle IDPee provides automatic enrollment pages for Firefox, Internet Explorer and Chrome. Read the following screens to see how simple it is:

  • Install your personal certificate into your browser by using the automatic enrollment page
Certificate automatic enrollment page

After clicking on the link for your browser, a key generation and certificate enrollment page appears. Choose a key length that fits your requirements and submit the page. A process is started that generates a private/public key pair locally and submits a certificate signing request to SSOCircle IDPee. SSOCircle signs the certificate and sends it back to the browser for import into the local certificate store, so the private key never leaves your machine. This is done fully automatically:

Certificate key generation and enrollment

The browser displays a message that the certificate issued by the CA was successfully imported. Now you are ready to authenticate to SSOCircle IDPee and Google Apps without a password being sent over the wire. Just click on the three-locks symbol on the authentication page. The browser displays a certificate chooser; choose the personal certificate generated in the previous step and you are logged in …

X.509 certificate authentication

Cloud security made simple – SSOCircle. Contact us for more information.


ServiceNow SAML SSO Online Demo

English on November 27th, 2011

It is already a year since we published the article “Service-now.com: On Demand IT Service Management supports SAML 2.0”, which ended with the sentence “Looking forward for more to come …”

One year later we have set up an online demo showcasing SAML single sign-on between SSOCircle and ServiceNow. With Google Apps offering office, email, calendar, spreadsheet, etc., Salesforce offering cloud CRM and ServiceNow offering IT service management, our demo “Cloudified Company” is becoming more and more of a reality.
The added value that SSOCircle offers is not only more convenient access to applications via single sign-on but also improved security by leveraging strong authentication. Try it out by registering a user, enrolling an X.509 client certificate and using it to authenticate to the ServiceNow Online Demo and the other services in the Circle of Trust.

The ServiceNow Online demo is also a good opportunity to check out what the ServiceNow application is about. In this demo we are mapping all SSOCircle Public IDP users to one user with name “itil” at ServiceNow.

ServiceNow Application

A full list of our demo service providers can be found in the Service Provider section.

Watch John Andersen’s video on setting up SSO between ServiceNow and SSOCircle. John is the integration expert at ServiceNow.

About ServiceNow:
ITIL v3 + Web 2.0 + SaaS = Service-now.com, a pioneer of On Demand IT Service Management, combines ITIL v3 guidelines with Web 2.0 technology into a Software as a Service offering.


OpenSSO / OpenAM Session Cookie Decoder

English, OpenAM, OpenSSO, Toolbox on September 18th, 2011

SSOCircle Toolbox Series Part 1

Understanding the “iPlanetDirectoryPro” session cookie can be key to debugging problems such as OpenSSO / OpenAM internal session routing, persistence problems and misconfiguration.

The SSOCircle Toolbox OpenSSO / OpenAM session decoder: http://idp.ssocircle.com/sso/toolbox/ossoDProDecode.jsp

OpenSSO iPlanetDirectoryPro Decoder

The iPlanetDirectoryPro cookie is used by OpenSSO and OpenAM to reference a specific user session. It consists of a unique random identifier marking the session, a base64-encoded extension part and a tail value. The extension part itself holds information for internal session routing (some keys are optional and depend on the system architecture):

  • The Site ID
  • Server Instance ID
  • Storage Key for Session Failover (optional and not displayed by the tool)
  • Tail Value after the “#”  (optional and not displayed by the tool)
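The following Python example is added here to show the same decoding in code; it is not the SSOCircle toolbox's implementation. It assumes the cookie layout used by OpenAM's SessionID class as I know it (an asterisk between the random identifier and the base64 extension, and key/value pairs inside the extension written in Java DataOutputStream.writeUTF form with the keys SI, S1 and SK for site ID, server instance ID and storage key); that layout is my assumption, not something the post describes. The sample cookie is constructed by the encoder in the block, not captured from a deployment.

```python
import base64
import struct
from urllib.parse import unquote

# Assumed extension keys (OpenAM SessionID convention, not documented on this page).
KEY_SITE_ID, KEY_SERVER_ID, KEY_STORAGE_KEY = "SI", "S1", "SK"


def _write_utf(text):
    """Java DataOutputStream.writeUTF(): 2-byte big-endian length + UTF-8 bytes."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _read_utf(data, pos):
    """Inverse of _write_utf with bounds checks, so a truncated or corrupted
    extension raises ValueError instead of returning garbage."""
    if pos + 2 > len(data):
        raise ValueError("truncated extension: missing length prefix")
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    if pos + length > len(data):
        raise ValueError("truncated extension: value shorter than declared length")
    return data[pos:pos + length].decode("utf-8"), pos + length


def encode_extension(pairs):
    """Build the base64 extension from key/value pairs (used to construct samples)."""
    raw = b"".join(_write_utf(k) + _write_utf(v) for k, v in pairs.items())
    return base64.b64encode(raw).decode("ascii")


def decode_extension(b64):
    data = base64.b64decode(b64)
    pos, pairs = 0, {}
    while pos < len(data):
        key, pos = _read_utf(data, pos)
        value, pos = _read_utf(data, pos)
        pairs[key] = value
    return pairs


def build_session_cookie(random_id, extension_pairs, tail=None):
    """Constructed cookie: <random id>*<base64 extension>*[#<tail>]."""
    value = random_id + "*" + encode_extension(extension_pairs) + "*"
    if tail:
        value += "#" + tail
    return value


def decode_session_cookie(cookie):
    """Split an iPlanetDirectoryPro value into its parts; accepts the value as
    sent by the browser (possibly URL-encoded, so '*' may appear as %2A)."""
    cookie = unquote(cookie.strip())
    body, sep, tail = cookie.partition("#")
    parts = body.split("*")
    extension = decode_extension(parts[1]) if len(parts) > 1 and parts[1] else {}
    return {
        "session_id": parts[0],
        "site_id": extension.get(KEY_SITE_ID),
        "server_id": extension.get(KEY_SERVER_ID),
        "storage_key": extension.get(KEY_STORAGE_KEY),
        "tail": tail if sep else None,
        "raw_extension": extension,
    }


if __name__ == "__main__":
    # Constructed sample (hypothetical random part and ids), not a real session.
    sample = build_session_cookie("AQICconstructedRandomPart",
                                  {"SI": "01", "SK": "-4867", "S1": "01"})
    print(sample)
    print(decode_session_cookie(sample))
```

The decoded fields only tell you where the session is expected to live (site, server instance, failover storage key); they say nothing about the session's content. A captured cookie value is still a bearer credential for that session, so treat any cookie you paste into a decoder, online or local, as a secret.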


OpenSSO / OpenAM Password Encryption/Decryption

English, OpenAM, OpenSSO, Toolbox on September 18th, 2011

SSOCircle Toolbox Series Part 2

OpenSSO and OpenAM store passwords (for example those of J2EE Policy Agents) encrypted in configuration files. If you need to encrypt a password without having access to the bundled encryption tools, use the SSOCircle Toolbox OpenSSO / OpenAM Password Encryption web tool.

And if you can’t remember what the password was and the only documentation you have is the configuration file with the encrypted service secret, use the SSOCircle Toolbox OpenSSO / OpenAM Password Decryption web tool.

OpenSSO / OpenAM Secret Decryption


Cloud Identity Summit 2011

English on August 21st, 2011

The cloud conference in the clouds, or at least close to the clouds, took place from 18-21 July 2011 in Keystone, Rocky Mountains, at an altitude of 2,830 m. The conference was organized by Ping Identity, headed by Andre Durand, who put a lot of passion into the conference and into fostering the “identity family”. Many thanks to him, his wife and the Ping crew who made this event possible. Microsoft, Google and Covisint sponsored the event, which started with two days of workshops followed by two days of conference.

The conference offered a good mixture of technically oriented talks, company views and analyst visions. The first thing I noticed was the absence of the “big” IAM software vendors: no visible presence of Oracle, IBM … I am very relieved that other companies are now setting the IAM tone, especially after the disappearance of active players like Sun. These companies are now Ping, Google, Salesforce.com and eBay. I am not sure about the reason for the absence of the big players, but one reason could be that the focus of new trends in identity is shifting more and more to the consumer space. Especially the strong presence and activity of companies like Google, Salesforce.com and others emphasizes that cloud identity is now more and more an API identity topic.

Back to chronology: in the first two days we had to choose between different workshops. Some of them were sponsored by Google; for others an additional fee was charged. Each work session lasted 3 hours, enough time to dig deeper into cloud identity topics. The workshop titles listed below give an overview of the “hot topics” this year:

  • Cloud Security 101; Gunnar Peterson from Artec
  • OAuth 101; Paul Madsen and Brian Campbell, Ping Identity
  • The essential XACML Primer; Gerry Gebel, Axiomatics
  • OpenID & OpenID Connect; Eric Sachs from Google
  • SAML Single Sign On 101;  John Da Silva, Ping Identity
  • SAML & OAuth with Force.com; Pat Patterson from Salesforce.com
  • Challenges of Consumer Identity in the Cloud; Mike Neuenschwander, Drew Clippard and Matt Randall
  • Windows Azure, Office365 and More; Brian Puhl, Laura Hunter, Vittorio Bertocci from Microsoft
  • Securing & Connecting the Mobile to the Enterprise; Andy Zmolek from LG
  • Integration with the Google Cloud; Eric Sachs, Ryan Boyd and others from Google
  • XACML 3.0 and Hands On Cloud Authz; Doron Grinstein from BITKOO
  • Integrating PingFederate with the Microsoft Ecosystem ADFS/WIF/SP2010; Travis Spencer from Ping Identity
  • The Kantara / OpenID Summit

The conference agenda on days 3 and 4 was made up of keynotes and two separate tracks on different topics. The presentations were all scheduled to last 30 minutes and there was plenty of time to network in the breaks, definitely a plus.

A very interesting presentation was held by Farhang Kassaei of eBay, talking on the “Role of Identity in eCommerce”. He tried to answer the question of the nature of a commercial identity and a commercial IDP and how they differ from a social network identity and a social network IDP. Another question he asked was whether one IDP can cover the whole range of identities. His answers described identity from the viewpoint of a merchant: “Identity = Customer”, and identity management is not about SSO but about easy onboarding, personalization, transactions, less risk and more security. Of importance to the merchant's customers are convenience, value, privacy control, less risk and more security. He pointed out that there is real business value for merchants in a (customer) attribute provider that dynamically supplies relevant information about a buyer (e.g. how many merchants have shipped to the buyer's address without complaints in the last 6 months), or in an IDP that offers methods and techniques to establish that two identities are the same person (entity resolution), which is very important for detecting fraud.

Paul Madsen’s presentation on synergies, “You got SAML on my OAuth”, demonstrated how much the portfolio of standards is interrelated and how the standards play together:

  • SCIM + SAML: SAML binding for SCIM: SCIM can be used for just-in-time provisioning through an SSO assertion which holds SCIM attributes, or more simply via the API right before SSO.
  • SCIM + OAuth:  OAuth can be used to secure SCIM API calls. SCIM can be used to provision accounts for subsequent OAuth based mobile access.
  • SAML + OAuth: Hybrids like OAuth token carried in SAML SSO messages. Or assertion profile that uses SAML assertions within OAuth flow.
  • SAML + OAuth + JWT: Use a SAML assertion or JWT (spoken: joot) for OAuth client authentication or as an OAuth grant type
  • OpenID + JWT OAuth: OpenID Connect adds identity layer on top of OAuth 2 and stipulates use of JWT for identity tokens
  • UMA + OAuth: User Managed Access extends OAuth 2 to manage access to distributed resources through a centralized Authorization Manager
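The JWT-for-client-authentication item above is worth seeing end to end, because most of its security lies in what the authorization server checks, not in how the token is built. The following Python example is added here (it is not from the talk or from any of the products mentioned) and uses only the standard library: the client builds a JWT client assertion with the claims that profile requires (iss and sub equal to the client ID, aud set to the token endpoint, exp and a unique jti), signed here with HMAC-SHA256 over a shared secret; the server side verifies the signature, pins the algorithm, checks audience and expiry, and rejects a reused jti. The client ID, endpoint and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed values for the example; not real clients or endpoints.
TOKEN_ENDPOINT = "https://as.example.com/token"
CLIENT_ID = "client-1"
CLIENT_SECRET = b"constructed-shared-secret"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, token_endpoint, secret, now=None, ttl=300):
    """Client side: JWT with iss = sub = client id, aud = token endpoint,
    short lifetime and a unique jti so the server can detect replay."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_client_assertion(token, token_endpoint, secrets_by_client, seen_jti, now=None):
    """Server side: returns the claims or raises ValueError. Order matters: the
    algorithm is pinned and the signature verified before any claim is trusted."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    claims = json.loads(b64url_decode(p))
    secret = secrets_by_client.get(claims.get("iss"))  # untrusted until the MAC checks out
    if secret is None:
        raise ValueError("unknown client")
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("sub") != claims.get("iss"):
        raise ValueError("sub must equal iss for client authentication")
    if claims.get("aud") != token_endpoint:  # a single string audience is assumed here
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


if __name__ == "__main__":
    token = make_client_assertion(CLIENT_ID, TOKEN_ENDPOINT, CLIENT_SECRET)
    print(token)
    print(verify_client_assertion(token, TOKEN_ENDPOINT, {CLIENT_ID: CLIENT_SECRET}, set()))
```

The same checks apply when the assertion is a SAML assertion instead of a JWT: audience pinned to the token endpoint, a short validity window, and a one-time identifier, with the assertion-specific signature check in front of all of them. In production the jti cache only needs to remember identifiers until their exp has passed, and an asymmetric signature (client private key, server-side public key) avoids sharing a secret at all.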

Eric Sachs of Google, in “Time to Eliminate Passwords”, emphasized the user experience aspect, which is still in its infancy. Signing in to web applications in the majority of cases means typing in the user name (likely a long email address), tedious compared to what we are used to in operating system logins (think of the Windows 7, Mac or Chrome OS login screen). Google launched the Account Chooser project, https://sites.google.com/site/gitooldocs/experiment—account-chooser, which tries to bring the OS login user experience to the web. Web sites that want to adopt Account Chooser will find implementation help in the Google Identity Toolkit (GITKit).

John Shewchuk of Microsoft presented his company’s view on federated IT and identity: Office 365 was launched in June in 40 markets and 20 languages, and 50,000+ organizations signed up in the first two weeks. Office 365 leverages Azure’s infrastructure capabilities and enables managed and federated identities. Directories are a critical enabler for federated IT, but existing standards need to be modernized. The programmable directory principles need to model not only identity but the federation of data, authentication and authorization. For more information take a look at OData and the Facebook graph.

These are just a few randomly chosen samples of the presentations. The many interesting presentations at the summit could fill the whole SSOCircle blog. If you are looking for more information on the presentations given, go to the Cloud Identity Summit web page http://www.cloudidentitysummit.com/Presentations-2011.cfm.

Bookmark summary:

  • www.simplecloud.info
  • oauthssodemo.appspot.com
  • account-chooser.appspot.com (Account Chooser Experiment)
  • login-helper.appspot.com
  • www.odata.org
  • graph.facebook.com
  • openidsamplestore.com

P.S. The next Cloud Identity Summit will be held in Vail, Colorado on 16-19 July 2012.
