Enterprise Identity Bus Part 3

February 19th, 2015

The second step: Account federations with cloud services and identity providers run by customers

In the first article we introduced the project requirements: getting rid of an application identity silo environment and introducing an identity hub infrastructure. The second part dealt with building a Single Sign-On infrastructure leveraging WSO2 Identity Server and OpenID Connect Apache agents. In this post we describe the approach for requirement B:

B. Account federation with cloud services and with identity providers run by the company's customers, allowing SSO to cloud services like Office 365 and to the in-house applications.

[Figure: identity-hub-blog-4-iidentity-hub]

Interoperating with cloud services, and especially with services run by customers, is different from handling in-house applications: you barely have a choice and must work with what the service offers or what the customer wants. As a result you need to cope with different standard protocols or derivatives of them. In our scenario we had to integrate mainly via SAML 2.0, with varying details: different attributes exchanged, different signed elements, and so on, all facets that SAML 2.0 generously allows.

That part of the story turned out to be quite easy. SAML is a well-established protocol and old enough that the identity providers and service providers involved are compatible. The challenge arises when you want to provision users into your system dynamically (just-in-time) or establish dynamic account linking based on profile attributes. When linking on attributes, prefer a stable identifier issued by the IdP over a mutable one such as the e-mail address, and restrict which IdP may assert which accounts; otherwise any federated IdP can claim an existing local account. Fortunately WSO2 IS 5.0.0 introduced flexibility here with several configuration options.

Making attributes available via the OpenID Connect UserInfo endpoint required some puzzling over claim mappings, but in the end it worked.

Requirement B accomplished. Read part 4 of the story for solving requirement C.


Enterprise Identity Bus Part 4

February 19th, 2015

The third step: Enabling easy community registration and sign-on.

In the first article we introduced the project requirements: getting rid of an application identity silo environment and introducing an identity hub infrastructure. The second part dealt with building a Single Sign-On infrastructure leveraging WSO2 Identity Server and OpenID Connect Apache agents. The third part described account federation with cloud services and identity providers run by customers. In this post we approach requirement C:

C. Enable community users to register and sign in with their own social login (Google, Facebook, ...) to internet-accessible in-house applications and possibly to cloud services integrated into the community environment (e.g. Zendesk for customer service).

[Figure: identity-hub-blog-5]

Social authentication, or social sign-in, allows users to access a service with their Facebook, Google or similar accounts: no new user name or password to remember for the service. Dynamic user creation also eliminates or simplifies the annoying registration process of filling out profile forms, remembering password-reset questions and so on. That sounds like a good idea, but integrating social logins had been a little cumbersome, since most services used proprietary protocols or plain OAuth 2.0. OAuth 2.0 flows are good for authorizing access to user data but lack a defined way of conveying identity information, so each service implemented its own proprietary add-on to the OAuth standard.

In recent months more and more of these services have switched to OpenID Connect, which builds on OAuth 2.0 but adds an identity layer (the signed ID token). WSO2 Identity Server has predefined authentication options called "Federated Authenticators" for OpenID Connect, SAML and the derivatives used by Facebook, Google, Yahoo, Microsoft and some other, possibly outdated, standards. This is what makes the Identity Bus a reality: translating the in-house SSO protocol into the different languages of the multi-protocol real world.

Requirement C accomplished.

One word about provisioning. WSO2 Identity Server supports SCIM provisioning. Currently not many services support that protocol, but in the future a provisioning standard such as SCIM might play an important role, especially once user life-cycle processes involving de-provisioning are tackled.

If you have questions do not hesitate to contact us. And don't forget to watch the video showcasing the identity bus in action.


Do you speak SAML? Google Apps, Salesforce and SAP Hana Cloud tested

December 23rd, 2014

In this article we compare the SAML service provider implementation of three popular cloud services:

  • Google Apps (which includes GMail, Google Drive and Docs, Calendar)
  • Salesforce
  • SAP Hana Cloud

Our testing procedure includes verification of the service providers' compliance with the SAML 2.0 specification and checks of their handling of signature validation.

Abstract:
The Security Assertion Markup Language (SAML) is today the main standard used for signing in to cloud services with a single authentication procedure (typically username/password). A correct implementation of the standard is crucial for security; failing to implement it correctly may compromise security and lead to information loss.
Unfortunately SAML 2.0 is very complex and probably over-engineered, leaving the developer too many degrees of freedom to implement only parts of the security measures the standard envisages. The risk is aggravated because implementations may look as if they are functioning correctly: single sign-on works and some of the signature or timestamp checks are performed. But on diving a little deeper, security issues or non-conformity become evident.
In our research we tested Google Apps, Salesforce CRM and SAP Hana Cloud as representatives of modern cloud service providers that offer Single Sign-On integration via SAML 2.0.

Research method: a tool that runs automated tests via the SSOCheck API.

Test cases were divided into different testing areas:

  1. Replay
  2. General XML
  3. SAML Response Message
  4. SAML Assertion
  5. Digital Signature

The tests in areas 3 and 4 refer to the components of the SAML documents illustrated in the following picture.
[Figure: ssocheck-test-g-sf-s]

Results:
SAP performed best in all categories. Salesforce ranked second. Google was vulnerable to assertion replay and almost completely ignored the Response part of the SAML message as well as several attributes of the Assertion.

We informed the security teams of the tested companies about the results before publishing this article. All companies replied in acceptable time. Some involved their development departments, which tried to reproduce the tests, and some argued with risk-based approaches. Salesforce was the fastest and most communicative respondent. SAP's answer was the slowest but the most meticulous. Google took some time to respond, but over time a very interesting discussion evolved with participation of several members of the security and product teams, which led to the rollout of product patches. Most parties used the SSOCheck tool to understand and reproduce the findings.

The following table summarizes the results found.
Summary Table (% passed tests)

Test              | Google Apps | Salesforce CRM | SAP Hana Cloud
Replay            | 0           | 100            | 100
General XML       | 100         | 100            | 100
SAML Response     | 16.7        | 66.7           | 83.3
SAML Assertion    | 50.0        | 69.2           | 76.9
Digital Signature | 100         | 100            | 100 (*)
Total             | 48.5        | 82.7           | 88.5


*) SAP Hana Cloud was the only service provider that accepted a SAML Response with a rogue assertion inserted before the valid assertion. We rated the test as passed because the SAP implementation appeared to ignore the rogue assertion entirely, so it could not be used to attack the service. Rejecting such a message outright is still the safer behaviour: accepting it relies on the parser always selecting the signed assertion, which is exactly the assumption signature-wrapping attacks undermine.

Total results were calculated as a weighted average of the group results. Giving the SAML assertion tests a weight of 2, general XML tests a weight of 0.5 and the rest a weight of 1.

Detailed test result table:

Test | Google Apps | Salesforce CRM | SAP Hana Cloud
1 Unmodified SAML – as a positive protocol test
2 Replay attack – SAML protocol message replayed
3 Invalid SAML protocol namespace
4 Invalid SAML assertion namespace
5 SAML Response StatusCode is set to RequestDenied
6 SAML Response Issuer is invalid
7 SAML Response IssueInstant is set to a value in the future
8 SAML Response InResponseTo is invalid
9 SAML Response Destination is invalid
10 SAML Response Version is invalid
11 SAML Assertion Issuer is invalid
12 SAML Assertion IssueInstant is set to a value in the future
13 SAML Assertion Version is invalid
14 SAML Assertion Subject without NameID
15 SAML Assertion Subject NameID Format set to an unknown value
16 SAML Assertion SubjectConfirmation Method is invalid
17 No SubjectConfirmationData element in the SAML Assertion sent
18 SAML Assertion InResponseTo is invalid
19 Recipient in SAML Assertion SubjectConfirmationData is invalid
20 Address in SAML Assertion SubjectConfirmationData is invalid
21 NotOnOrAfter in SAML Assertion SubjectConfirmationData is set to a value 1h in the past
22 Two SubjectConfirmationData elements in the Assertion; the first is the valid one and the second holds a wrong value
23 Two SubjectConfirmationData elements in the Assertion; the first is the wrong one and the second holds the correct value
24 A Condition unknown to the service provider is inserted into the SAML Assertion
25 SAML Assertion Condition NotBefore is set to a value 1h in the future
26 SAML Assertion Condition NotOnOrAfter is set to a value 1h in the past
27 Syntax test to check that the SP supports the OneTimeUse element
28 AudienceRestriction element in the SAML Assertion Conditions is empty
29 AudienceRestriction element in the SAML Assertion Conditions is set to a wrong value
30 Two values in one SAML Assertion AudienceRestriction element; the wrong value is first
31 Two values in one SAML Assertion AudienceRestriction element; the wrong value is second
32 Two AudienceRestriction elements in the SAML Assertion; the first element holds the wrong value
33 Two AudienceRestriction elements in the SAML Assertion; the second element holds the wrong value
34 Two AudienceRestriction elements in the SAML Assertion; both hold two audience values in different ordering
35 AuthnStatement is missing in the SAML Assertion
36 SubjectLocality of the AuthnStatement is set to an invalid IP address
37 AuthnInstant timestamp of the Assertion's AuthnStatement is moved one day into the future
38 AuthnInstant timestamp of the Assertion's AuthnStatement is moved one day back in time
39 SessionNotOnOrAfter timestamp of the Assertion's AuthnStatement is set one day in the past
40 AuthnContextClassRef of the Assertion's AuthnStatement is set to "unspecified" and should be declined by the service provider
41 Multiple signature tests: signature exclusion
42 Multiple signature tests: mangled signature
43 Multiple signature tests: wrong signature key
44 Signature wrapping variants
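The checks behind test areas 1 to 5 in working form, as an added example that is not part of the article or of the SSOCheck tool: a Python (standard library only) service-provider validator that runs the Response, Assertion, SubjectConfirmation, Conditions/AudienceRestriction and replay checks listed above against a constructed sample response, and rejects the wrapped-assertion case the footnote describes. The entity IDs, URLs, clock skew and the sample message are assumptions; cryptographic verification of the XML signature requires an XML-DSig library and is deliberately left out, so in a real SP it has to run before these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
KNOWN_CONDITIONS = {f"{{{NS['saml']}}}{n}" for n in ("AudienceRestriction", "OneTimeUse", "ProxyRestriction")}
SKEW = timedelta(minutes=3)  # tolerated clock difference between IdP and SP (assumed policy)
# Assumed identifiers for the sample deployment (not taken from the article).
SP_ENTITY_ID, ACS_URL, IDP_ENTITY_ID = "https://sp.example/metadata", "https://sp.example/acs", "https://idp.example/metadata"

class SamlValidationError(ValueError):
    pass

def _require(cond, msg):
    if not cond:
        raise SamlValidationError(msg)

def _ts(value):
    """Parse a SAML xs:dateTime given in UTC ('Z'); fractional seconds are dropped, a missing value is an error."""
    _require(value, "missing timestamp")
    return datetime.strptime(value.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def validate_response(xml_text, in_response_to, seen, now=None):
    """SP-side checks on a samlp:Response carrying one bearer assertion. Returns the NameID or raises
    SamlValidationError naming the first failed check; `seen` is the replay cache (assertion ID -> expiry).
    Cryptographic verification of the enveloped XML signature needs an XML-DSig library (e.g. signxml) and
    must run before this function; only the signature's binding to the consumed assertion is checked here."""
    now, r = now or datetime.now(timezone.utc), _require
    root = ET.fromstring(xml_text)
    r(root.tag == f"{{{NS['samlp']}}}Response" and root.get("Version") == "2.0", "not a SAML 2.0 Response")
    r(root.get("Destination") == ACS_URL, "bad Response Destination")                       # test 9
    r(root.get("InResponseTo") == in_response_to, "bad Response InResponseTo")             # test 8
    r(_ts(root.get("IssueInstant")) <= now + SKEW, "Response IssueInstant in the future")   # test 7
    r(root.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "bad Response Issuer")  # test 6
    r([c.get("Value") for c in root.findall("samlp:Status/samlp:StatusCode", NS)] == [STATUS_SUCCESS], "Status not Success")
    # Signature wrapping (test 44): exactly one Assertion anywhere in the document, as a direct child of the
    # Response, and the enveloped signature's Reference URI must point at that assertion's own ID.
    r(len(root.findall(".//saml:Assertion", NS)) == 1, "expected exactly one Assertion")
    a = root.find("saml:Assertion", NS)
    r(a is not None and a.get("ID") and a.get("Version") == "2.0", "bad Assertion placement, ID or Version")
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    r(ref is not None and ref.get("URI") == "#" + a.get("ID"), "Signature does not reference this Assertion")
    r(a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "bad Assertion Issuer")    # test 11
    r(_ts(a.get("IssueInstant")) <= now + SKEW, "Assertion IssueInstant in the future")      # test 12
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    r(name_id, "Subject without NameID")                                                   # test 14
    # Exactly one bearer SubjectConfirmation holding exactly one SubjectConfirmationData (rejects tests 22/23)
    # whose Recipient, InResponseTo and NotOnOrAfter all fit this request (tests 16-21).
    confs = [c for c in a.findall("saml:Subject/saml:SubjectConfirmation", NS) if c.get("Method") == CM_BEARER]
    scd = confs[0].findall("saml:SubjectConfirmationData", NS) if len(confs) == 1 else []
    r(len(scd) == 1, "expected exactly one bearer SubjectConfirmation with one SubjectConfirmationData")
    r(scd[0].get("Recipient") == ACS_URL and scd[0].get("InResponseTo") == in_response_to, "bad Recipient or InResponseTo")
    r(_ts(scd[0].get("NotOnOrAfter")) > now - SKEW, "SubjectConfirmationData expired")
    # Conditions (tests 24-34): a condition the SP cannot evaluate makes the assertion Invalid; the validity
    # window is checked with clock skew; every AudienceRestriction (ANDed) must list this SP among its Audiences (ORed).
    cond = a.find("saml:Conditions", NS)
    r(cond is not None and all(c.tag in KNOWN_CONDITIONS for c in cond), "missing or unknown Condition")
    r(not cond.get("NotBefore") or _ts(cond.get("NotBefore")) <= now + SKEW, "Assertion not yet valid")
    r(_ts(cond.get("NotOnOrAfter")) > now - SKEW, "Assertion expired")
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    r(restrictions and all(SP_ENTITY_ID in [x.text for x in ar.findall("saml:Audience", NS)] for ar in restrictions),
      "SP missing from an AudienceRestriction")
    authns = a.findall("saml:AuthnStatement", NS)  # tests 35-39: present, not from the future, session still valid
    r(authns and all(_ts(s.get("AuthnInstant")) <= now + SKEW for s in authns), "missing or future AuthnStatement")
    r(all(not s.get("SessionNotOnOrAfter") or _ts(s.get("SessionNotOnOrAfter")) > now for s in authns), "IdP session expired")
    # Replay (test 2, and what OneTimeUse in test 27 needs): remember the ID until the assertion expires anyway.
    for k in [k for k, v in seen.items() if v <= now]:
        del seen[k]
    r(a.get("ID") not in seen, "assertion replayed")
    seen[a.get("ID")] = _ts(cond.get("NotOnOrAfter"))
    return name_id

SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="{issued}" Destination="{acs}" InResponseTo="{req}">
  <saml:Issuer>{idp}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  {extra}<saml:Assertion ID="{aid}" Version="2.0" IssueInstant="{issued}"><saml:Issuer>{idp}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/></ds:SignedInfo><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs}" InResponseTo="{req}" NotOnOrAfter="{expires}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expires}">
      <saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{issued}"/></saml:Assertion></samlp:Response>"""

def sample_response(now, aid="_a1", req="_req1", aud=SP_ENTITY_ID, extra=""):
    """Constructed sample (not captured from any tested service): issued 10 s ago, valid for 5 minutes."""
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    return SAMPLE.format(issued=fmt(now - timedelta(seconds=10)), expires=fmt(now + timedelta(minutes=5)),
                         acs=ACS_URL, req=req, idp=IDP_ENTITY_ID, aid=aid, aud=aud, extra=extra)

def demo(now=None):
    """A good response, then a replay, a foreign audience and a wrapped rogue assertion against the same cache."""
    now, seen = now or datetime.now(timezone.utc), {}
    results = {"valid": validate_response(sample_response(now), "_req1", seen, now)}
    rogue = '<saml:Assertion ID="_evil" Version="2.0"><saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject></saml:Assertion>'
    cases = {"replay": sample_response(now), "wrong_audience": sample_response(now, "_a2", aud="https://other.example/metadata"),
             "wrapped": sample_response(now, "_a3", extra=rogue)}
    for name, xml in cases.items():
        try:
            validate_response(xml, "_req1", seen, now)
            results[name] = "accepted"
        except SamlValidationError as e:
            results[name] = f"rejected: {e}"
    return results
```

demo() returns the NameID for the good response and the first failed check for the replay, the foreign audience and the wrapped message. The point of the wrapping check is that the SP must consume exactly the assertion the signature covers; verifying the signature on one assertion and reading the subject from another is what signature-wrapping attacks exploit, which is why accepting a response with a second, unsigned assertion (footnote above) is a risk even when that assertion happens to be ignored.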

Conclusion:
None of the tested cloud services fully complied with the SAML standard.

SAP and Salesforce did not reveal any severe problems that could lead to a significant exploit. Non-conformity with the specification might break specific use cases, but it can be justified by the wish to achieve broader compatibility with IdP products, or argued with risk-based approaches.
Google Apps' SAML implementation revealed several issues that could be leveraged in an attack scenario. The good news is that Google has rolled out fixes for these findings, which we were able to verify.
We especially thank the Google team for the valuable interaction and cooperation.

If you have questions or comments please let me know. We are also looking for other SaaS services, which might be of general interest to run the tests against.


Terms Of Use updated

August 24th, 2014

This is to announce a change in the SSOCircle Terms of Use which may affect both existing accounts and new user registrations to the public IDP. From now on we may block registrations with specific e-mail addresses (for example disposable e-mail addresses), and we will limit the number of user accounts registered to a single contact address (currently 3, subject to change).

Why the change? In recent months we have seen growing numbers of registrations used for regular training classes and/or large-scale quality-assurance test runs. Although we welcome this kind of usage, we consider it a matter of fairness for these companies to purchase either our hosted IDPee offering or a subscription to SSOCheck API private. Both offer a hosted tenant in which any number of users can be created. SSOCheck Private API even adds the possibility of running additional compliance and security tests against SAML service provider deployments.

This decision was made to protect the investment of our paying customers and to keep the public IDP running as a free service – without annoying advertising.

Please note: existing accounts that do not comply with the Terms of Use should be brought into compliance. Non-compliant user accounts will be deactivated in the coming days.

If you have questions or comments, please contact us.


Impressions from European Identity & Cloud Conference 2014

May 22nd, 2014

What are the hot topics this year? What will be declared dead? These are the questions that always accompany KuppingerCole's European Identity & Cloud Conference, which was held for the 8th time from 13 to 16 May. The conference gathered more than 600 visitors from 35 countries, 150 international expert speakers and 50 exhibitors discussing the Internet of Things and the agile, connected business. After years of consolidation in the IAM industry it seems that this year more software and service vendors populated the floor space of the Dolce Ballhausforum in Munich. Almost half of the exhibitors were new compared to last year, demonstrating that there is still a lot of movement in the market and room for new players and segments; worth mentioning are the application security testing companies exhibiting at EIC this year.

No big surprise that the NSA scandal, Heartbleed and their implications ran like a common thread through many of the presentations, as they deeply affect the awareness of privacy issues in society and in the information security business itself. They clearly demonstrate to the information security industry and its customers that protection from today's complex threats cannot be achieved by technical standards alone and by trusting in the accurate, uninfluenced implementation of software and hardware products.

And what was killed? Was it the absence of the most provocative speakers, like the highly esteemed Craig Burton and Fulup ar Foll? This year it was noticeable that the speakers were more reserved and cautious in their statements. Martin Kuppinger said: "If something is declared to be dead, it would be SIEM", but not without adding in the next sentence that "Real-time Security Intelligence" is the next big thing. Ian Glazer, former Burton/Gartner analyst and now with Salesforce, one of the shining characters at the conference, killed IDM. Identity management dead? An astonishing announcement at an identity conference. But he only killed IDM in order to save it. According to him the "new" IDM must a) integrate naturally, b) be part of the business and c) be ready for the real world. IDM must evolve away from using Excel and CSV as the most important IDM tools and away from hierarchical modelling of relationships. Although not directly IDM-related, I would declare the iPad dead: compared to past years, most attendees were obviously not using tablets to take notes but their more or less conventional laptops.

Like every year the conference lasted three days from Tuesday to Thursday, plus an additional workshop day on Friday. As always the agenda was packed from 8:30 to around 19:30. With up to 5 parallel tracks it is difficult to decide where to go, so the selection of topics described here reflects my personal choices.

Of the four parallel workshops on the first day I attended the Kantara Initiative workshop on "Consumer Identity – International Use Cases and Approaches", moderated by Joni Brennan, and the OpenID Foundation workshop on "Enterprise Application of OpenID Connect, Mobile Apps SSO, Account Chooser". The Kantara workshop described the evolution of today's identity management requirements from perimeter IAM (the employees) to perimeterless federation and consumerization. The workshop introduced the Kantara certification program, the "Identity Assurance Accreditation and Approval Program", which provides a trust status listing service, a provider registry and whitelisting. Maciej Machulak showed a demo of UMA (User-Managed Access). The consent pages are similar to OAuth, but UMA does not necessarily require close coupling between resource server and authorization server, and other users are able to request access to the resource owner's personal data. For an overview of use cases visit the Kantara UMA case study page.
The OpenID Foundation workshop held in parallel centered on the adoption of OpenID Connect. Microsoft Azure Active Directory will support OpenID Connect. Yahoo and Google will support OpenID Connect next year, deprecating OpenID 2.0 and the OAuth 2.0 userinfo endpoint and scopes. Watch Google's migration timetable. Interesting to note: although the OpenID Connect standard was finalized in February 2014, the single-logout profiles were not. A discussion on that topic was started in the workshop to gather the participants' opinions about three approaches, which need to balance cheap and easy implementation against reliability and completeness:

  1. The current logout mechanism in the OpenID Connect spec, with JavaScript at the client listening for session state changes. A pattern optimized for Ajax applications, but it has drawbacks: active JavaScript listening is required and it does not work if the browser tab is not active.
  2. A logout page with embedded images/iframes pointing at the relying parties, the approach Deutsche Telekom is using. Its advantage is simplicity: no JavaScript is needed. The downsides are that the IDP has to track active sessions, it does not work when the browser is closed, and, last but not least, you need these ugly logout pages.
  3. Notification over the back channel. Probably the most complete approach described here; it works even when the browser is closed. The main disadvantage is that the relying party needs logic to identify sessions by an explicit identifier, which causes scaling issues.
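Two of the points above in working form, as an added example (Python, standard library only; not code from this page, the workshop or any vendor): the ID-token checks that make OpenID Connect an identity layer rather than plain OAuth 2.0 (Enterprise Identity Bus Part 4 above), and approach 3, back-channel logout, where the relying party has to find its own sessions from an identifier the provider sends. The logout-token shape (an `events` claim, a `sid`, no `nonce`) follows what was later published as OpenID Connect Back-Channel Logout; the issuer, client_id, secret and the HS256 signing with the client secret as key (allowed by OIDC Core) are assumptions made so the sample runs offline.

```python
import base64, hashlib, hmac, json, time

# Assumed deployment values (not from the article): the OP, this RP's client_id and the shared client_secret,
# which OIDC Core 10.1 allows as the HS256 key; a real deployment would normally verify RS256 with the OP's JWKS.
ISSUER = "https://op.example"
CLIENT_ID = "rp-client-1"
CLIENT_SECRET = b"assumed-client-secret-at-least-32-bytes!"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, key=CLIENT_SECRET):
    """The OP side: mint a compact JWS over the claims. Used here only to build the sample tokens."""
    header, body = _b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def verify_hs256(token, key=CLIENT_SECRET):
    """Return the claims only if alg is the one this RP expects and the MAC matches (constant-time compare)."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body_b64))

def _audiences(claims):
    aud = claims.get("aud")
    return aud if isinstance(aud, list) else [aud]

def validate_id_token(token, nonce, now=None, skew=60):
    """The identity layer OAuth 2.0 lacks: OIDC Core 3.1.3.7 checks on iss, aud/azp, exp, iat and nonce."""
    now, c = now or time.time(), verify_hs256(token)
    if c.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in _audiences(c):
        raise ValueError("token not issued for this client")
    if len(_audiences(c)) > 1 and c.get("azp") != CLIENT_ID:
        raise ValueError("azp mismatch")
    if c.get("exp", 0) <= now - skew:
        raise ValueError("token expired")
    if c.get("iat", now) > now + skew:
        raise ValueError("token issued in the future")
    if c.get("nonce") != nonce:  # the RP bound this nonce to the login attempt when it built the authn request
        raise ValueError("nonce mismatch (replay?)")
    return c

class SessionStore:
    """RP sessions that keep the OP's (iss, sub, sid), so a back-channel logout can find them later."""

    def __init__(self):
        self.sessions = {}  # local session id -> verified ID token claims

    def login(self, local_sid, claims):
        self.sessions[local_sid] = claims

    def handle_backchannel_logout(self, logout_token):
        """Approach 3: the OP POSTs a logout token; terminate the matching sessions and return how many."""
        c = verify_hs256(logout_token)
        if c.get("iss") != ISSUER or CLIENT_ID not in _audiences(c):
            raise ValueError("logout token not for this RP")
        if LOGOUT_EVENT not in c.get("events", {}) or "nonce" in c or not (c.get("sub") or c.get("sid")):
            raise ValueError("not a well-formed logout token")

        def matches(s):  # sid names one OP session; sub alone means every session of that user
            if s["iss"] != c["iss"]:
                return False
            if "sid" in c:
                return s.get("sid") == c["sid"] and ("sub" not in c or s["sub"] == c["sub"])
            return s["sub"] == c["sub"]

        victims = [k for k, s in self.sessions.items() if matches(s)]
        for k in victims:
            del self.sessions[k]
        return len(victims)

def demo(now=None):
    """Constructed sample tokens: two logins for alice, a nonce replay, an alg=none forgery, then one logout."""
    now, store = now or int(time.time()), SessionStore()
    alice = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "sid": "op-sess-1", "iat": now, "exp": now + 600, "nonce": "n-1"}
    store.login("local-1", validate_id_token(sign_hs256(alice), "n-1", now))
    store.login("local-2", validate_id_token(sign_hs256({**alice, "sid": "op-sess-2", "nonce": "n-2"}), "n-2", now))
    out = {"logged_in": store.sessions["local-1"]["sub"]}
    forgery = _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(alice).encode()) + "."
    attempts = {"replay": lambda: validate_id_token(sign_hs256(alice), "n-fresh", now), "alg_none": lambda: verify_hs256(forgery)}
    for name, attempt in attempts.items():
        try:
            attempt()
            out[name] = "accepted"
        except ValueError as e:
            out[name] = f"rejected: {e}"
    logout = {"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "jti": "lt-1", "events": {LOGOUT_EVENT: {}}, "sid": "op-sess-1"}
    out["terminated"] = store.handle_backchannel_logout(sign_hs256(logout))
    out["local-1_active"], out["local-2_active"] = "local-1" in store.sessions, "local-2" in store.sessions
    return out
```

The scaling concern raised for approach 3 shows up in SessionStore: the RP has to index its sessions by the provider's identifiers, and a logout token carrying only `sub` has to scan every session of that user. The `alg` check in verify_hs256 is the one that makes the forgery fail before any comparison of signatures; a verifier that trusts the token's own header is a classic mistake of hand-rolled JWT handling.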

As usual the conference itself started with an afternoon of keynotes. One of the highlights is always Martin Kuppinger's presentation. He started with a brief history of IT that led to today's agile, connected business and the Identity of Things, which will be the hot topics of the coming years. He came up with his gloomy prognosis "Waiting for the disaster ...". To quote him: "Something will happen: hacking the connected car, running out of water and power and/or revealing your secrets." He raised awareness that privacy needs security and vice versa. The title of his top trends slide was "The Digital Future Buzzword Bingo":

  • Application Security Infrastructure
  • Information-Centric Security
  • Domain-Independent Security
  • Secure Information Sharing
  • Layered Security and the next generation Firewalls & AVs
  • Realtime Security Intelligence
  • Software Defined Environment/Computing Infrastructure
  • Secure IoEE (Internet of Everything and Everyone)
  • Future of Authentication & Authorization
  • Cloud IAM
  • Future of eMail Security & Privacy
  • Life Management Platforms

Another highlight of the conference was the presentation by Ladar Levison, the founder of Lavabit, about building a system that is secure against an attacker with quasi-unlimited computing power and a pool of cryptographic experts. For more information on the Dark Mail Alliance of Silent Circle and Lavabit consult the web site http://darkmail.info. The architecture and protocol specifications are currently under review and will be published by the end of summer. Quoting Ladar, the publishing date "depends on how many protocol holes will be found in the review", but he hopes he will not get so paranoid that he never releases it. It will be interesting to watch how the technology is adopted in the coming years.

One of my personal highlights on day 2, besides the identity award ceremony, was the presentation by Paul Fremantle, the founder of WSO2, who promoted the Enterprise Identity Bus model as the replacement for the failed single monolithic identity system. The tasks of the identity bus are to bridge between tokens (SAML, OAuth 1.0/2.0, OpenID, OpenID Connect), between claims and claim dialects, and between provisioning protocols (SPML, SCIM, Salesforce, Google and other JIT variants).

In the evening KuppingerCole presented the winners of "The European Identity & Cloud Awards 2014" for the 7th time, this year in only 6 categories:

  • Best Cloud Security Project: NXP Semi Conductors
  • Best Access Governance and Intelligence Project: Banca Intesa Beograd
  • Best IAM Project: UK Ministry of Defense
  • Best Innovation / New Standard: Kantara Initiative: UMA User Managed Access (OpenID Connect was finalized this year, but it had already received the award in 2012)
  • Special Award: Best innovation for Security in the API Economy: IETF with JWT/JOSE
  • Lifetime Achievement Award: Ann Cavoukian for Privacy by Design
  • Award details at the KuppingerCole web site: http://www.kuppingercole.com/article/award2014. For Privacy by Design please read the EIC presentation https://www.oasis-open.org/presentations/eic-2014-dawn-jutla-may-12.pdf.

On day 3 one of the track topics was adaptive and risk-based authentication. The FIDO Alliance (http://fidoalliance.org/) was founded in February 2013 by 6 members and has expanded to 122 members today, clearly demonstrating the need for and interest in standardized authentication. FIDO's mission is to change the nature of online authentication by developing and submitting technical specifications as well as operating programs to ensure worldwide adoption. The current specifications are UAF (Universal Authentication Framework) and U2F (Universal 2nd Factor), which can be downloaded from http://fidoalliance.org/specifications/download.

Last but not least, it is worth saying that the European Identity & Cloud Conference again was a success and well organized by the KuppingerCole team. Next year's conference will be held from 5th to 8th May 2015 at the same location.


Infosecurity Europe 2014

May 6th, 2014

Infosecurity Europe 2014, held from 29 April to 1 May in London, is the gathering of information security professionals and the largest event of its type in Europe.

You made it to London and, despite the Tube strike during the days of the event, you reached Earls Court. On entering the conference center you are overwhelmed by more than 325 exhibitors representing the huge portfolio the information security industry provides. Infosecurity Europe is mainly a fair: companies of all sizes showcase their products in on-stand presentations and creative set-ups like Pen Test Partners' "Security Kitchen" or Ping Identity's Lego mosaic "Keep identities where they belong".

But Infosecurity Europe is more than just that. Infosecurity offers keynote presentations, workshops and other educational courses.

The subheading "Security as a business enabler – are you fit for 2014?" highlights the growing awareness of security in organizations today. After the NSA scandal and the Heartbleed bug, not only tech people but also business leaders painfully realize the limits of technology and the false sense of security it can give.

In this context the Ponemon Institute and Thales e-Security presented the "Global Encryption Trends Study", which surveyed 4,802 individuals across multiple industry sectors in eight countries: US, UK, Germany, France, Australia, Japan, Brazil and, for the first time, Russia. The research examined the evolution of the use of encryption and the security posture of organizations over the last 9 years.

Citing from the report, the big encryption trends over nine years are:

  • Steady improvement in the security posture of companies
  • Increase in the use of encryption as part of the Enterprise Strategy
  • Business units getting more influence in choosing and deploying encryption
  • Importance of compliance as the main driver decreases versus privacy considerations – although there is a big difference from country to country
  • Key management continues to be a challenge
  • Spending in encryption and key management increases

Next year Infosecurity Europe will be held from 02-04 June 2015 at a new location “Olympia”.


Impressions from European Identity & Cloud Conference 2013

May 26th, 2013

Big Data, life management platforms, extended enterprise++, fusion drive, dead standards and identity silos relaunched: the European Identity & Cloud Conference 2013 had lots of new and old topics. The 7th EIC was held for the 3rd time in the Dolce Ballhausforum from 14 to 17 May, gathering many digital identity thought leaders and making Unterschleissheim the identity capital of Europe or even the world.

As always the conference was well organized in a pleasant environment with a noticeable Bavarian touch. Exhibitors and visitors from 33 countries, 5 parallel tracks and 150 speakers gave insight into new trends in identity, access management and cloud computing. The number of visitors was slightly higher than last year, with end users now representing the majority of visitors.

As usual the conference started with some half-day pre-workshops, continued with 2½ days of tightly packed conference and ended with an additional workshop day. KuppingerCole's team of analysts grew again, with Peter Cummings and Rob Newby, proven experts with practical project implementation experience, joining the team.

As in previous years the conference started with a series of keynotes from sponsors, customers and academics. The first keynote was delivered by Martin Kuppinger, speaking about identity and cloud trends and on "setting the right direction". The three biggest trends were called the "Computing Troika", made up of Cloud Computing, Mobile Computing and Social Computing. Information security receives more attention (it makes it to the 8 o'clock news) and is now a business success factor. "Risk" is the common language that aligns IT and business viewpoints. Identity and privacy incidents can massively damage the reputation of a company; for that reason IAM is closer to business than ever. The KuppingerCole BII is a business impact indicator for information technology which graphically indicates the value of a particular IAM technology in terms of business alignment, business enablement, cost savings and compliance fulfillment. The KuppingerCole CIO GPS helps you find your path in governance, privacy, data protection and security; it shows which technologies are best for achieving specific targets. Another topic he discussed was the API Economy, also named the Extended Enterprise++, which reveals big potential for business enablement in the extended enterprise (business partners and customers).

What were the main topics in the conference?

Data Privacy and Protection Laws
With Karsten Kinast, an attorney concentrating on data protection and IT law, joining the KuppingerCole analyst team, a stronger focus on legal topics was obvious. Presentations and discussions on EU regulation shaped one track of the conference.

Big Data

Another big topic was Big Data. What is meant by Big Data in the IAM context? There is no exact definition available, something we already know from the "cloud". According to a track session by Mike Small and Sachar Paulus it is something like a big data warehouse based on data that is publicly available. Big Data's characteristics are:

  • Volume: according to an IDC report, 2.8 exabytes of data were created in 2012
  • Velocity: lots of data events
  • Variety: can be text, voice, photos, video

Technologies used to deal with Big Data:

  • Hadoop: Map/reduce
  • Elastic map reduce (amazon)

And to deal with velocity:

And with variety:

  • natural language processing
  • Graph stores
  • XML stores

Why is Big Data handled at the conference? Transforming Big Data into smart data by analyzing and combining it creates information and confidentiality problems. Existing access controls cannot be applied because you cannot define protection levels if you don't know how and what will be processed and analyzed. Smart data becomes relevant as business can benefit from it by improving competitiveness or transforming products.

Life management platforms (LMP)

Life management platforms are the evolution of today's social networks and personal data stores, something that might result from the user's wish to get more control over his data. This becomes more prevalent at a time when everyone has the feeling that too much personal data is collected by the Googles, Facebooks etc. and used for their own purposes. At a time when a smart TV is able to track which programs you are viewing and Microsoft is reading your Skype messages to check hyperlinks that were sent, users see a need for change. But the road to LMPs also means a fundamental change in attitude, from quick profit to trust.
According to a keynote by Craig Burton, the life management platform is not a product. It is extensible and API-enabled, with privacy by design (a proxy façade). An LMP is not a personal data store and not a social network. It follows controlled push and informed pull with privacy controls: controlled push means that a customer provides only a controlled subset of his data to a service, which ensures privacy; informed pull describes the concept where a user requests information from different sources while guaranteeing confidentiality of the data towards competitors of the service. Issues for the success of LMPs arise from the need for vendors to cooperate in sensitive areas: a schema must be defined. According to Burton's rule of thumb, adding an element to a schema takes 1 year; adding 10 elements takes 10 years. A possible solution might be the Graph API. Microsoft's cloud directory is schema-independent.


European Identity & Cloud Awards:

One of the highlights of the conference is the award ceremony, which was introduced with the 2nd conference and was now held for the 6th time. Martin Kuppinger noted that this year a significant number of nominations were available, which emphasizes the increasing maturity in some of the IAM areas. He mentioned that a few years ago it was difficult to find successful mature projects.
This year prizes in 11 different categories were awarded:

1. Best Identity and Access Management project
Winner: Virgin Media represented by Paul Edmondson from aurionPro SENA: “Infrastructure for the Olympic Games: WiFi for the tube with high numbers of authentications every time a train is entering a station”

2. Best Access Governance and Intelligence Project
Winner Deutsche Bank – represented by Carolin Pfeil: “Manage complex SOD rules in a very large institution”

3. Best access Governance and Intelligence Project II
Swiss Re represented by Daniel Frei: “Dynamic access management, based on DirectoryX and Axiomatics”

4. Best Cloud Security Project
Evry represented by Anne Bergersen: “Multitenant IAM infrastructure in the cloud which brings together a way of identifying customers and citizens in Norway. Based on NetIQ”

5. Best approach on improving governance and mitigating risks
Universitätskrankenhaus Hamburg-Eppendorf represented by Juerg Staebler, IBV Informatik AG:
"Privileged account management in the health care industry leveraging Lieberman Software. Now using one-time passwords instead of plain-text passwords. Project implemented in 3 days."

6. Best innovation /new standard in information security
An obvious choice: OAuth 2.0. The OAuth standard team was represented by Mike Jones, Microsoft: “new and influential, it feels like it has been around for a longer time”

7. Lifetime Achievement Award
Kim Cameron, Microsoft, visibly moved by the award.

8. Special award: Bridging the organizational gap between business and IT
Volkswagen Financial Services, represented by Marek Bingel: “Well-defined guidelines and processes which enable moving forward”

9. Special Award: Rapid and lean implementation of IAM/IAG
E.ON Global Commodities, represented by Carsten Mielke: “Governance project based on CrossIdeas”

10. Special award: Rapid re-design and re-implementation of the entire IAM
Schindler Informatik AG, represented by Reto Tomasini and Gary Edward Stewart: “Identity provisioning infrastructure based on Quest Identity Manager”

11. Special Award: Integration of Provisioning and Access Governance in a complex banking environment
HypoVereinsbank, represented by Ulrich Haumann: “Provisioning combined with governance of a large number of applications, based on Microsoft Forefront Identity Manager”


In an interesting panel discussion with Craig Burton, Mike Neuenschwander, Gerry Gebel and Martin Kuppinger on the future of IAM, the panel quickly turned to a discussion of “dead standards”, a topic which became a running gag during the entire conference. Motivated by a blog article by Forrester’s Andras Cser, this year’s “dead standard” candidate number one was XACML (as basically all XML-based standards). Craig Burton stated that he does not expect to see a product deployment with XACML in its current form. Gerry Gebel retorted that AuthZ is very important and that XACML is working on JSON/REST profiles to move more towards APIs.

The topic of standards and their practical usage was continued in another panel session on the second day with Craig Burton, David Brossard of Axiomatics speaking for XACML, Darran Rolls of SailPoint for SCIM, Paul Madsen of Ping for SAML and Michael B. Jones of Microsoft for OAuth. Jones pointed out that OAuth 2.0 was designed with simplicity in mind, as the 1.0 spec had turned out to be too complicated. OAuth 2.0 is designed to use existing security layers like TLS, and by being REST-based the developer does not even need a library. Paul Madsen replied that the “S” in SAML does not stand for “simple” as in SCIM but for “security”. SAML sets the bar for the industry, and everything comes with a price: in this case 800 pages of specification. For security, SAML was historically designed to reflect the legal contract between parties. A question on the “liveliness” of the AuthZ profiles within SAML was answered with the observation that a few years ago it was recognized that SAML is better suited for authentication and attributes; XACML is the better fit for AuthZ, and SAML and XACML work well together. David Brossard denied that XACML is losing traction. He, as an XACML product vendor, is seeing more adoption, and the focus is now more on developers and on profiles that make XACML simpler. Darran Rolls replied to the question about SCIM versioning not being stable after transferring SCIM to the IETF that SCIM 1.1 can be implemented. A good conclusion was given by Paul Madsen on the question what he would recommend to customers asking for a specific standard: what fits best depends on the use case. SAML is not optimized for mobile, and Ping would not push it for mobile. OpenID Connect may be a problem if the partners do not support it. SAML is definitely more widespread (a quick poll of the audience initiated by Pamela Dingle confirmed that). The best measure of the mortality of a standard is the number of deployments.
Someone in the audience added that a measure could also be the open source implementations available. SAML has several, XACML mainly for the 2.0 version, SCIM with UnboundID; OAuth, being a simple REST-based protocol, does not really need a library implementation.

People like Craig Burton, Fulup Ar Foll and others are always good for some catchy quotations. I noted some of them:

We need the hacker to stay in business.

If I BYOD, I have the right to install malware.

There are public APIs and DARK APIs.

OAuth and REST are the fusion drive for the API economy.

Banks and operators are too fat, lazy and rich to take the risk to compete with the Facebooks and Googles.

Some links worth mentioning:

Datownia, with an interesting developer use case demonstrating how APIs can be used to enable frictionless integration with Windows Azure AD and the Windows Azure Graph Store by using the Datownia system developed by Release Mobile Ltd.

Dutch authentication and authorization for legal entities: eRecognition

bwIDM: Federation for non-web-based services such as HPC between the universities of the state of Baden-Württemberg. The solution is called FACIUS.

www.trustindigitallife.eu: Consortium focusing on TRUST in digital Life

FIDIS: Future of Identity in the Information Society

AZA, the Native Authorization Agent: enabling mobile SSO across native apps.

Topics I missed:
Not much about cloud crypto. New companies in this area were not represented at the conference.

My personal winner at EIC 2013:
OAuth 2.0: fast specification, quick adoption, feels like it has been around for a much longer time.

Last but not least: the European Identity & Cloud Conference 2014 will be held from 13 to 16 May. Guess where? In the identity capital Unterschleissheim. See you there.

Tags: , ,

Time for change: Is OpenAM or OAM the better fit for replacing OpenSSO?

English, OAM, OpenAM, OpenSSO on January 26th, 2013 No Comments

Once upon a time there was a computer company that loved open source software but forgot to make money. Another big, successful company came and bought it. The big company did not like open source, but it knew how to make money. Since it already had similar closed-source software products, it decided to put the open source in second place. Quite understandable: remember, they don’t like open source, but they know how to make …

It is now more than three years since Sun was taken over by Oracle. Sooner or later, customers who invested a lot of work and money to implement and maintain their OpenSSO infrastructure must decide how to go forward with the product.

Oracle decided to put OpenSSO in maintenance mode. What does this mean? In the last two years a few updates/patches to the product were released, but no major release and no new features. There is no roadmap. For web policy agents it is even worse: almost no patch releases, no support for newer operating system versions. It does not mean that there is no support if you run into problems. But you first have to run into the problem yourself, file a bug and wait for a patch, even for really critical bugs. That’s tedious …

Customers are safe and get support from Oracle if they don’t need new features, but at some point OpenSSO customers have to make up their mind and develop a migration strategy. The first software that comes into consideration will be ForgeRock’s OpenAM, a fork of OpenSSO, so the migration promises to be quite straightforward. The second thought would be to look at Oracle Access Manager (OAM). Oracle might have had reasons to abandon OpenSSO in favor of OAM, and Oracle normally does not leave its customers alone but offers tools for a smooth migration.

A decision in favor of OpenAM or OAM depends on several aspects. Technical people will primarily look at features and architecture. For business- and strategy-minded people a close look at the companies behind the products is important as well. On the one hand there is ForgeRock, a small but ambitious startup, and on the other hand Oracle, the software giant, which promises more stability and investment protection.

ForgeRock started in 2010 when it became obvious that OpenSSO would not survive. Sun used to release Express versions of OpenSSO. Right before Express 9 was to be released, Oracle stopped the Express roll-outs. OpenSSO Enterprise 8.0 was at that time equivalent to Express 6 (today it is still this version with bug fixes and some minor feature enhancements, mainly in the web service security space). This was the time when ForgeRock stepped in, forked Express 9 and released its own version. In the beginning many people were skeptical whether ForgeRock would be able to execute. But after two years, backed by a 7 million funding round from Accel Partners, they not only proved able to run the business, they also expanded the portfolio with OpenDJ (a fork of OpenDS, Sun’s Java-based directory server) and OpenIDM (provisioning software written from scratch).

There is not much to say about Oracle as a company, so let’s look at their access management software, Oracle Access Manager. The roots of OAM go back to Oblix, a company and a software product acquired by Oracle in 2005. If you take a closer look at OAM up to version 10g you will notice that the software architecture is quite different from what we were used to with OpenSSO. OAM had separate server processes written in C++ and did not have a central server-side user session; session information was stored in the cookie. In addition to OAM, you need to deploy Oracle Identity Federation (OIF) if you are using federation protocols like SAML 2.0 in your OpenSSO deployment. With OAM 11g things changed. The software is now implemented in Java (either written from scratch or ported). With that in mind, and considering that development from 11g to 11g R2 is very dynamically catching up on features, you can argue that OAM 11g is a 1.0 version and not very mature. The latest OAM release also has SAML 2.0 federation capabilities built in, so you might not need to deploy OIF anymore, at least if you are only running a service provider and not an identity provider.

What are your thoughts, plans or experience for the migration? We are happy to take your input as comment to the blog or through our contact form as we are preparing a deeper look into the topic.

Tags: , ,

User attributes in the SAML assertion

English on November 30th, 2012 No Comments

It is nothing really new, but it was a missing feature in the administration GUI of our Public IDP: configuring which user profile attributes should be sent as an AttributeStatement in a SAML assertion.
The feature has always been there, but administrators had to open a service request to have attributes configured. Now you can select which attributes to insert when importing Service Provider metadata. A sample is in the screen shot below:
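To make the mechanism concrete, here is an added example (not code from the Public IDP or from any product mentioned on this page) of what such a per-service-provider attribute release does on the wire: a small Python script builds a saml:AttributeStatement from a user profile, emitting only the attributes an administrator has released to the requesting SP, and a second function reads the attributes back out of the XML the way a service provider would. The entityIDs, the profile values and the release policy are constructed sample data, and the function names are the example's own.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
# Plain LDAP-style attribute names use the "basic" name format; deployments
# that exchange OIDs instead would use the "uri" format with a different Name.
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample release policy: the attributes each service provider
# (keyed by its entityID) may receive. This is what the admin selects in the GUI.
RELEASE_POLICY = {
    "https://sp.example.org/shibboleth": ["mail", "givenName", "sn", "eduPersonAffiliation"],
    "https://minimal.example.net/saml": ["mail"],
}

# Constructed sample user profile as the IdP would hold it.
USER_PROFILE = {
    "uid": "jdoe",
    "mail": "jdoe@example.org",
    "givenName": "John",
    "sn": "Doe",
    "employeeNumber": "4711",
    "eduPersonAffiliation": ["staff", "member"],
}


def build_attribute_statement(profile, sp_entity_id, policy=RELEASE_POLICY):
    """Return a saml:AttributeStatement holding only the attributes the policy
    releases to sp_entity_id. An SP without a policy entry gets an empty
    statement: release is opt-in per SP, never the whole profile."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name in policy.get(sp_entity_id, []):
        if name not in profile:
            continue  # not populated for this user: omit rather than send an empty value
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name, NameFormat=BASIC_FORMAT)
        values = profile[name] if isinstance(profile[name], list) else [profile[name]]
        for value in values:  # multi-valued attributes become repeated AttributeValue elements
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = str(value)
    return stmt


def to_xml(element):
    """Serialize with the registered saml: prefix, as it would appear inside an assertion."""
    return ET.tostring(element, encoding="unicode")


def parse_attributes(xml_text):
    """Collect every saml:Attribute under any AttributeStatement in xml_text as
    {name: [values]}. Run this only on an assertion whose XML signature has
    already been verified and whose Audience matches your SP; parsing is not
    validation, and unverified attributes must not drive authorization."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for stmt in root.iter(f"{{{SAML_NS}}}AttributeStatement"):
        for attr in stmt.findall(f"{{{SAML_NS}}}Attribute"):
            values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
            attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


if __name__ == "__main__":
    statement = build_attribute_statement(USER_PROFILE, "https://sp.example.org/shibboleth")
    print(to_xml(statement))
    print(parse_attributes(to_xml(statement)))
```

The point of the per-SP policy table is that uid and employeeNumber never leave the IdP for either sample SP, and an SP that is not in the table receives no attributes at all; on the receiving side the parser is deliberately separated from signature and audience checks so that it cannot be mistaken for them.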

Tags: , , ,

Impressions from European Identity Conference 2012

English on April 25th, 2012 No Comments

This year’s European Identity & Cloud Conference took place from 17 to 20 April, with the last day being a workshop day to deepen some of the topics. The event is one of the most important IAM meetings in the world and continues to increase its impact. Almost 600 visitors from all over the world and 40 exhibitors amounted to 35% growth. As every year, the vendor landscape showed some dynamics, with NetIQ acquiring Novell’s IAM business, ATOS taking over Siemens IT Solutions and Services (DirX), new rising stars appearing like ForgeRock, Symplified and The Dot Net Factory to name a few, Ping Identity expanding its presence and big companies like VMware participating for the first time.

The most discussed new topics this year were “The Open API Economy” and “Life Management Platforms” (Personal Cloud).
API economy: most presenters agreed that open APIs are important to businesses today, as they can bring new business opportunities and allow cloud users to orchestrate their applications into mashups delivering the service that the business really needs. Even more, for some companies it will be crucial to provide APIs to stay in business. In Andre Durand’s words: “A business without a cloud API is like a door without a doorknob”.
Life Management Platforms provide more than a personal data store. They offer an answer to people’s need to share data in a very controlled and secure way. An example mentioned is the insurance contract number that needs to be accessed from abroad in case of a car accident. These platforms follow a minimum disclosure approach, which is totally different from that of social networks à la Facebook as we know them today (remember: as soon as you enter your information, the data belongs to Facebook). Life Management Platforms are expected to replace the existing social networks in a 10-15 year time frame.

For me one of the main take-aways of the conference is the fact that identity and information security now really matter. Finally they have arrived on the agenda of the boards.

As usual the conference started with a set of pre-conferences on Tuesday morning: the Kantara Initiative Summit, OASIS and ISACA workshops, and the OpenID community reviewing the status of OpenID Connect, OAuth 2.0 and Account Chooser.

The actual conference itself began in the afternoon with Martin Kuppinger’s keynote. The KuppingerCole team itself changed, with Craig Burton, Fulup Ar Foll and Alexei Balaganski joining as analysts and Tim Cole stepping back due to health reasons. In the absence of the charming, entertaining Cole the moderator’s task was taken over by Nigel Cameron, who brought stricter timekeeping to the conference schedule.

The IAM world today is not characterized by fundamentally new aspects but is undergoing a more evolutionary development. In his keynote Kuppinger described these changes as a development process from manufacturing to industrialization, which manifests itself in the need of IT departments to meet changing requirements. IT departments feel that they now must compete against external (cloud) offerings. This is similar to the pressure we know from outsourcing considerations, but with cloud computing becoming more prevalent the rivalry is more tangible. Kuppinger describes the new demand in his “IT Paradigm”, a standardized model for building future IT. The paradigm illustrates how IT departments can provide the services the business really wants by enforcing information security, mitigating risks and being compliant through an enterprise-wide governance approach.

According to KuppingerCole the Trends 2012 are:

  • Data Loss Prevention will be the number one topic for IT departments
  • BYOD (Bring Your Own Device) will continue to be an issue in 2012
  • Cloud computing standards like SCIM (Simple Cloud Identity Management) need to be supported by providers as cloud users’ demand for standards increases. But standards for authorization and auditing in the cloud are still missing
  • IAM will move to the cloud more than ever before
  • Continued breaches of trust providers, which will not be limited to digital certificate authorities
  • GRC, data governance and data loss prevention will merge as businesses realize that DLP includes data loss mitigation (what to do once things have happened)
  • Ubiquitous encryption will become a hot topic (encryption of all data everywhere)
  • Companies will start to redefine their IAM infrastructure to become future-proof
  • All mobile platforms will remain under attack of all forms
  • Regulatory pressure is still pushing IAM and GRC

In the remainder of the first day the agenda’s tough schedule provided for a number of keynotes (9 keynotes without a break …) which brought the known and highly valued mixture of business and academic thought leaders as well as keynotes by sponsoring vendors. Speakers, some of them known from previous years, presented their viewpoints and vision. Enrico Mordini postulated “the new gold is identity”, Reinhard Posch reported on eID projects and their challenges, especially in cross-border usage (see STORK https://www.eid-stork.eu), and Kim Cameron (“through a series of bizarre events and the fact that it is hard to retire” he returned to Microsoft) stated that the new cloud requires a new identity model: IDMaaS (Identity Management as a Service) is needed to assemble claims from multiple sources, and organizations will selectively expose their directories to other applications. “The cloud motor runs on identity”, he said. Supporting concepts: Microsoft U-Prove https://connect.microsoft.com/site1188 (remark: and IBM Idemix http://www.zurich.ibm.com/idemix/details.html). Speakers from Cyber-Ark presented on PxM; Shireif Nosseir of CA on the transformation of the security model; Peter Weierich of IC Consult on externalized authorization; Laurent Liscia of OASIS on evolving cloud standards, ID-Cloud (identity in the cloud) and TOSCA (portability for the cloud); Jonathan Sander of Quest; Barbara Mandl of Daimler on the consumerization of IT; Doc Searls on “free customers are the new platform” in contrast to the old captured customer (see http://lockerproject.org/ and http://www.kynetx.com/, the Kinetic rule engine and KRL, the cloud programming language); Mike Neuenschwander, now with Oracle, and Patrick Parker, CEO of The Dot Net Factory, completed the spectrum.

The second day started early at 8:30 with three keynotes by speakers mainly from the banking sector and then split up into five tracks, one being a track dedicated to legal topics and one a round-table discussion on consumer identity. As last year, the cloud audit track elaborated on the need for cloud audit standards, without which the customer is unable to compare providers and remains unclear about what he really buys. A statistic was shown which measured the cloud readiness of countries with respect to their legal and regulatory structure; the result ranks Japan, Australia and Germany as the top three countries. (Some references: Cloud Services Measurement Initiative, CSMIC, http://www.cloudcommons.com/; ENISA http://www.enisa.europa.eu/activities/application-security/test/; ISAE 3402 replaces SAS 70, http://isae3402.com/; ISO/IEC WD TS 27017 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43757.)

In the afternoon and on the following day several successful examples of large-scale federations were shown, mostly from the educational sector: the Danish federation with its own profile OIOSAML; WAYF, a best practice in outsourced federation in Denmark; and REFEDS with an astonishing 27 federations, 1815 IdPs and 2755 service providers (reference: https://refeds.terena.org/index.php/Main_Page).

Craig Burton moderated a session with the provoking title “Is SCIM a Scam?”, a very lively track with statements like “SOAP is dead”. Burton and the other participants came to the conclusion that SCIM is not a scam, because it is simpler than SPML (basically providing only CRUD operations and not trying to reflect the whole provisioning object model) and the specification work involved big names in the cloud like Google and WebEx, which are expected to implement SCIM for their services and so help make 2012 the year of SCIM.

In the Life Management track, Drummond Reed (http://connect.me) and Marcel van Galen (http://www.qiy.com/) presented on their services, VRM (Vendor Relationship Management), the personal cloud and relationship as a service.

The evening of day two concluded with keynotes from Andre Durand of Ping Identity (“IT problems are fractal: your job is never done” and “a business without a cloud API is like a door without a doorknob”), Eberhard Faber on challenges security managers should watch (bring your own device = bring your own vulnerability), Stephan Bohnengel of VMware, and the European Identity Award Ceremony.

European Identity Award Winners 2012

  • “Best IAM Project”: Siemens AG, Project HRS DirX, an IAM project that involves international deployments and leverages hybrid cloud environments.
  • “Best Access Governance and Intelligence Project”: Europol, the European law enforcement agency, received the award for a strategic IAM project with central auditing in a very sensitive environment.
  • “Cloud Security Project”: In this category two projects received the award: Daimler AG, consulted by IC-Consult, for a project that involves hybrid cloud through reuse of existing infrastructure, and Sanofi S.A. for a federation project which was successfully implemented in a very short time frame using Ping Identity solutions.
  • “Best Approach on improving Governance and mitigating Risks”: Aéroports de Paris S.A., a Privileged Account Management project using Cyber-Ark and Qualys.
  • “Best Innovation/New Standard in Information Security”: OpenID Connect for its elegantly simple design.
  • A new category was introduced at this year’s EIC, “The Lifetime Achievement Award for Identity”: Prof. Dr. Reinhard Posch, CIO for the Austrian Federal Government.
  • Special award “Mobile Security”: Swisscom with Mobile ID, a product which uses SIM card security built on an ETSI mobile security standard. (Remark: in Germany a similar product was announced by Vodafone as “Secure SIM”.)

My unofficial award for the acronym of the year goes to a very old and well-known acronym: “API”. I never expected that APIs would gain such importance for businesses, not just for application developers.

The third conference day started with presentations given by ATOS, Jacques Bus of the Digital Enlightenment Forum and Kai Rannenberg of the University of Frankfurt (http://www.m-chair.net). Rannenberg lectured on a more privacy-friendly Internet. (References: ABC4TRUST https://abc4trust.eu/, an EU project on attribute-based credentials for trust and partial identities; ISO/IEC JTC 1/SC 27/WG http://www.iso.org/iso/iso_technical_committee.html?commid=45306; STORK https://www.eid-stork.eu/; Microsoft U-Prove https://connect.microsoft.com/site1188, based on blind signatures, and IBM Idemix http://www.zurich.ibm.com/idemix/details.html, based on zero-knowledge proofs; ISO/IEC 24760 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=57914.)

The tracks of day three gave insight into best-practice experiences of IAM projects (e.g. the Province of Trentino), the use of open source in IAM, a real IAMaaS solution provided by Swisscom and an interesting panel with Craig Burton, Martin Kuppinger, Kim Cameron, Fulup Ar Foll and Steven Willmott from 3scale on “IT model and the API economy”, describing the openness cycle of APIs:
Raw Data → internal reuse → customer reuse → partners and distribution
with every step providing value.

To summarize: the conference was all in all a very interesting and informative event and, as always, perfectly organized by the KuppingerCole team.

Tags: , ,