This article has two parts. Part I describes how to secure access to Google Apps using SSOCircle IDPee with password-free X.509 client certificate authentication which is a good countermeasure against phishing attacks often practiced to capture user name and password in order to gain access to your Gmail account. Remember the attack against U.S. officials Gmail accounts by phishing attacks originating from China (see CNN: “Massive Gmail phishing attack hits top U.S. officials”).

Part II describes how to leverage certificates to encrypt and sign emails with a standard browser and Gmail. Take the next step to protect your email communication from everyone including the service provider. Do all these with your standard browser.

This is what you need for Part I (Secure access to Google Apps):

• Google Apps account (e.g. free Standard Edition)
• SSOCircle IDPee account

Follow the steps below to configure the application. We assume you already have user accounts created at Google Apps and SSOCircle IDPee.

A. Configure Google Apps for SAML SSO

• Login to your Google Apps account as administrator
• Go to “Advanced tools” and “set up single sign on”

Configure SAML SSO in Google Apps

• Enter the fields as described in the screen shot
• The certificate needed as a verification certificate can be downloaded from your IDPee at <my-hostname>.idpee.com/cert.cer

Google Apps SSO configuration screen

B. Import Google Apps configuration data into SSOCircle IDPee

• Login to your SSOCircle IDPee account as administrator
• Go to “Manage meatdata” and click “Add new service provider”

Manage SAML Meta data

• Enter the metadata of your Google Apps.

You can retrieve a sample of meta data on the SSOCircle web site and replace the string “YOUR_GOOGLE_APPS_DOMAIN” with the name of your domain.
Copy & paste it into the form:

Import Google Apps meta data

You will now see that your Google Apps meta data was properly as shown in the following screen:

Service Provider meta data listing

C. Enroll certificate for your user account

Finally after getting the Google Apps – SSOCircle IDPee integration in place, you need now to enroll for a personal client certificate. SSOCircle IDPee provides automatic enrollment pages for Firefox, Internet Explorer and Chrome. Read the following screens to see how simple it is:

• Install your personal certificate into your browser by using the automatic enrollment page

Certificate autmatic enrollment page

After clicking on the link for your browser a key generation and certificate enrollment page appears. Choose a key length that fits your requirements and submit the page. A process is started that gernerates a private – public key pair locally and submits a certificate signing request to SSOCircle IDPee. SSOCircle will sign the certificate and send it back to the browser for import in the local certificate store.
This is done fully automatically:

Certificate key generation and enrollment

The browser displays a message that the certificate issued by the CA was successfully imported. Now you are ready to go to authenticate to SSOCircle IDPee and Google Apps without a password send over the wire. Just click on the three-locks symbol at the authentication page. A certificate chooser is displayed by the browser. Choose your personal certificate generated in the previous step and you are logged in …

X.509 certificate authentication

Cloud security made simple – SSOCircle. Contact us for more information.

One year after we have set up an online demo showcasing SAML single sign on between SSOCircle and ServiceNow. With Google Apps offering office, email, calender, spreadsheet, etc, Salesforce offering cloud CRM and ServiceNow IT service management our demo “Cloudified Company” is becoming more and more reality.
The added value that SSOCircle offers is not only about a more convenient access to applications via single sign on but also about improved security by leveraging strong authentication means. Try it out by registering an user, enroll a X.509 client certificate and use it to authenticate to ServiceNow Online Demo and the other services in the Circle of Trust.

The ServiceNow Online demo is also a good opportunity to check out what the ServiceNow application is about. In this demo we are mapping all SSOCircle Public IDP users to one user with name “itil” at ServiceNow.

A full list of our demo service providers can be found at Service Provider section.

Watch John Andersen’s video on setting up SSO between ServiceNow and SSOCircle. John is the integration expert at ServiceNow.

About Service Now:
ITIL v3 + Web 2.0 + SaaS = Service-now.com, a pioneer of On Demand IT Service Management, combines ITIL v3 guidelines with Web 2.0 technology to a Software as a Service offering.

Understanding the “iPlanetDirectoryPro” session cookie can be key to debugging problems like OpenSSO / OpenAM internal session rooting, persistence problems and misconfiguration.

The SSOCircle Toolbox OpenSSO / OpenAM session decoder: http://idp.ssocircle.com/sso/toolbox/ossoDProDecode.jsp

The iPlanetDirectoryPro Cookie is used by OpenSSO and OpenAM to reference a specific user session. It consists of an unique random identifier marking the session, a base64 encoded extension part and a tail value. The Extension part itself holds information for internal session routing (some keys are optional and depend on the system architecture):

• The Site ID
• Server Instance ID
• Storage Key for Session Failover (optional and not displayed by the tool)
• Tail Value after the “#”  (optional and not displayed by the tool)

OpenSSO and OpenAM store passwords (for example J2EE Policy Agents) encrypted in configuration files. If you need to encrypt a password without having access to the bundled encryption tools, use the SSOCircle Toolbox OpenSSO / OpenAM Password Encryption web tool.

And if you can’t remember what the password was and the only documentation you have is the configuration file with the encrypted service secret, use the SSOCircle Toolbox OpenSSO / OpenAM Password Decryption web tool.

The conference offered a good mixture of technical oriented talks, companies views and analysts visions. The first thing I noticed was the absence of the “big” IAM software vendors. No visible presence of Oracle, IBM …   I am very relieved that other companies are now setting the IAM tone
especially after the disappearance of active players like SUN. These companies are now Ping, Google, Salesforce.com, eBay. I am not sure about the reason for the absence of the big players, but one reason could be that the focus of new trends in identity is more and more shifting to the consumer space. Especially the strong presence and activity of companies like Google, Salesforce.com and others emphasizes that cloud identity is now more and more an API identity topic.

Back to chronology:  In the first two days we had to choose between different workshops. Some of them were sponsored by Google, for others an additional fee was charged. The work sessions duration was 3 hours. Enough time to dig deeper in cloud identity topics. The workshop titles listed below give an overview on the “hot topics” this year:

• Cloud Security 101; Gunnar Peterson from Artec
• OAuth 101; Paul Madsen and Brian Campbell, Ping Identity
• The essential XACML Primer; Gerry Gebel, Axiomatics
• OpenID & OpenID Connect; Eric Sachs from Google
• SAML Single Sign On 101;  John Da Silva, Ping Identity
• SAML & OAuth with Force.com; Pat Patterson from Salesforce.com
• Challenges of Consumer Identity in the Cloud; Mike Neuenschwander, Drew Clippard and Matt Randall
• Windows Azure, Office365 and More;  Brian Puhl, Laura Hunterm Vittorio Bertocci from Microsoft
• Securing & Connecting the Mobile to the Enterprise; Andy Zmolek from LG
• Integration with the Google Cloud; Eric Sachs, Ryan Boyd and others from Google
• XACML 3.0 and Hands On Cloud Authz; Doron Grinstein from BITKOO
• Integrating PingFederate with the Microsoft Ecosystem ADFS/WIF/SP2010; Travis Spencer from Ping Identity
• The Kantara / OpenID Summit

The conference agenda on day 3 and 4 was made of keynotes and two separate tracks on different topics. The presentation were all scheduled to last 30 minutes and there was plenty of time to network in the breaks, definitely a plus.

A very interesting presentation was held by Farhang Kassaei by Ebay talking on the “Role of Identity in eCommerce”.  Trying to answer the question about the the nature of commercial identity and a commercial IDP and how it differs from a social network identity and a social network IDP. Another question he asked was if one IDP can cover all range of identities. His answers described the identity from a view point of a  merchant: “Identity = Customer”  and identity management is not about SSO but easy on boarding, personalization, transaction, less risk and more security. Of importance to the merchants customer itself is: convenience, value, privacy control, less risk and more security. He pointed out that there is a real business value for merchants to have an (customer) attribute provider that dynamically supplies relevant information about a buyer (e.g. how many merchants have been shipped to the address of the buyer without complaints in the last 6 months) or an IDP that offers methods and techniques to identify that two identities are the same person (entity resolution) which is very important to detect fraud.

Paul Madsen’s presentation on Synergies “You  got SAML on my OAuth” demonstrated how much the portfolio of standards are interrelated and/or play together:

• SCIM + SAML:  SAML binding for SCIM: SCIM can be used for a just-in-time provisioning through a SSO assertion which holds SCIM attributes. Or more simple by API right before SSO.
• SCIM + OAuth:  OAuth can be used to secure SCIM API calls. SCIM can be used to provision accounts for subsequent OAuth based mobile access.
• SAML + OAuth: Hybrids like OAuth token carried in SAML SSO messages. Or assertion profile that uses SAML assertions within OAuth flow.
• SAML + OAuth + JWT: Use SAML assertion or JWT (speek: joot) for OAuth client authentication or OAuth grant type
• OpenID + JWT OAuth: OpenID Connect adds identity layer on top of OAuth 2 and stipulates use of JWT for identity tokens
• UMA + OAuth: User Managed Access extends OAuth 2 to manage access to distributed resources through a centralized Authorization Manager

Eric Sachs of Google “Time to Eliminate Passwords”  emphasized on the user experience aspect which is still in its infancy. Signing in to web applications in the majority of cases means typing in the user name (likely the long email address). Tedious compared to what we are used to in operating system logins (think of Windows 7, Mac, Chome OS login screen). Google launched the Account Chooser project: https://sites.google.com/site/gitooldocs/experiment—account-chooser
which tries to bring the OS login user experience to the web. Web sites who want to adopt Account Chooser will find implementation help by the Google Identity Toolkit GITKit.

John Shewchuk of Microsoft presented on his company’s view on Federated IT and Identity: Office 365 was launched in June in 40 markets and 20 languages and already 50.000+ organizations signed up in the first two weeks. Office 365 leverages Azure’s infrastructure capabilities and enables managed and federated identities. Directories are a critical enabler for federated IT but existing standards need to be modernized. The programmable directory principles need to model not only identity but federation of data, authentication and authorization. For more information take a look at OData and Facebook graph.

This is just a few randomly taken samples of presentation that I described. Lots of interesting presentation at the summit could fill the whole SSOCircle blog. If you are looking for more information on presentations given go to the Cloud Identity Summit web page http://www.cloudidentitysummit.com/Presentations-2011.cfm.

Bookmark summary:
www.simplecloud.info
oauthssodemo.appspot.com
account-chooser.appspot.com
Account Chooser Experiment
login-helper.appspot.com
www.odata.org
graph.facebook.com
openidsamplestore.com

P.S. The next Cloud Identity Summit will be held in Vail, Colorado on 16.-19. July 2012.

Before diving into details my overall impression was that the identity community is finally reaching a state of reflection. Compared to last year, where I experienced a more enthusiastic atmosphere and speakers, the 2011 conference was strongly influenced by academics and organizations. Keynote topics like “where will identity be next year” and personal changes like that of Kim Cameron who recently left Microsoft inspired Jackson Shaw to present a retrospect bolstered thoughtfulness.

In addition the human part of identity is coming more and more into consideration. At EIC2011 we had the chance to listen to speakers like Emilio Mordini, a psychoanalyst and founding director of Centre of Science, Society and Citizenship or Stephan Humer, a sociologist from Berlin University of Arts whose presentations demonstrate that sociological aspects play a very important role in acceptance and success of digital identity and internet security.

We finally reached the social human being and not only the user account. identity acceptance development cycle, shown below, demonstrates these iterations which might lead to new rethinking and specifications.

This is a great achievement. In other areas it seems we are not at that point yet. Looking at the evolution of OpenID which is finally approaching a new level with OpenID Connect reinventing the wheel that SAML 2.0 already did but with less complexity replacing SOAP and XML security with REST and JSON. That looks to me like taking the first shortcut in the identity acceptance development cycle due to missing implementation acceptance at least in the consumer identity space. Listening to Barbara Mandl from Daimler revealed that there are also several instances of shortcut 2 caused by business not technical reasons. In summary there is still a lot to do for the identity community, despite that most technologies are mature, the digital identity in a social world is very complex and subject to change.

In my eyes the most dynamic fields are:

• OpenID Connect
• OAuth 2.0
• XACML 3.0
• SCIM

the integration of mobile devices as a whole and the formation and establishing of Trust Frameworks.

But continuing with details of the conference in chronological order. As always it is subjective due to my interests and the selection of presentations visited.

Day 1:

Preconferences:

The conference started similar to the years before with a set of preconferences. One of these was an update and overview of OpenID staffed with Eric Sachs, Google, David Recordon, Facebook, John Bradley, Nat Sakimura and Don Thibeau, OpenID Foundation, Mike Jones and Anthony Nadalin, Microsoft; The upcoming version of OpenID is expected for IIW in November and will be named OpenID Connect, the AB for artifact binding will be removed from the name. It’s goal is to make “easy things easy and harder things possible”. Its design is modular with focus on integrating mobile devices. It will replace the 3.5 years old OpenID 2.0 spec and will introduce some advanced concepts known from the SAML spec, like level of assurance similar to SAML auth context and session management, like single logout, but less ambitious than the one known from SAML 2.0. OpenID connect is based on OAuth 2.0 which itself will be finalized in the next months.

Announcements:

In a press conference Drummond Reed, known from his work on XRI, XDI, Information Card, OIX and OpenID foundation, launched a new start-up called connect.me. Connect.me is the first personal respect trust network in which you can vouche/vote for a person in a specific respect. With joining the network people agree to 5 principles called promise, permission, protection, portability and proof. Connect.me is not a new social network but constitutes a layer above other social networks. By vouching for a person at http://vote.connect.me you are giving a person “trust points” for a specific respect. For me this is comparable to the seller rating in ebay. I am curious to see how this will develop and if we all get personal ratings in the new future. I expect that in next year’s EIC agenda there will be the rating mentioned right behind the speaker’s name. We will see if leaving Microsoft will change Kim Cameron’s rating from AAA to AAA+ or AAA-.

Keynotes:

As usual Martin Kuppinger gave the opening notes with an overview on the the hottest topics which are:

• Cloud Computing
• Information Security
• Business-driven service management (far more than ITIL)
• Make BYOD secure

BYOD stands for “bring your own device” and reflects that many employees nowadays want to use their own private devices (iPad, iPhone etc) in business. This poses a new thread on corporate security.

Cloud: In cloud computing more standards will evolve and there will be no success without security. Recent security breaches like SONY or Amazon give us a new awareness of users, company CIOs and politics that accelerates the development.

GRC: continuing progress towards one GRC for business and IT. Regulatory pressure will reach other industries.

IAM: PxM, privileged x=(Access,Account,Identity, User) Management, is the important topic in 2011. Externalization of authorization is becoming reality and versatile authentication will become more widespread. The RSA breach as one of the reasons.

Mobile:

BOYD as a new phenomena and the circumstance that the built-in security is not sufficient. Kuppinger compared the security of mobile devices to the security standard of PC in the 80s.

CIO key topics in 2011 will be

• How to make the cloud part of the IT
• How to enforce and privacy protect data (SONY)
• How to reach enterprise GRC maturity
• How to reach governance
• How to optimize investments and close gaps
• How to improve information security

First day keynotes on “the future of identity” continued with presentations by Laurent Liscia, executive director of OASIS, Wolfgang Hirsch of Siemens IT solutions, Maurizio Griva of Reply. Kim Cameron’s keynote was canceled and replaced by an interview in which Tim Cole eagerly tried to get information about Cameron’s real reasons for leaving Microsoft. Was it Microsoft’s recent strategy? No answer from Cameron except a comment expressing his feelings: “hey man, I am feeling so free”. Jackson Shawn (Quest Software) keynote directly influenced by Cameron’s “retirement” gave a retrospective of the development of identity from 1991, 1996, 1999 and a forecast how it may look like in 10 years from now. Illustrated with photos from Cameron and him as they were close fellows all these years. Shawn said that the start-up companies he is watching right now are Oka, Biznet3, SecureAuth and Symplified.

Prof. Reinhard Posch, CIO for the Austrian Government, presented on eID cards and the cloud and Jörg Asma from KPMG gave his view on future hot topics: Facebook as an identity manager and application hoster. Cloud computing driven by the use of devices like iPad etc. BYOD, the use of private devices for business purposes. Interesting his statement from HR on attracting new talent: today you don’t need a fancy car to attract new hires but cool lifestyle devices like the iPad or iPhone.

Day 2:

Starting with three keynotes from Dave Kearns on integrated identity management, Rolf von Rössing, VP of http://isaca.org. ISACA is an independent , nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Framework examples are: Cobit 5 bringing the GRC frameworks to the public, Risk IT, Val IT and BMIS. Professor Eberhard von Faber presented on froward strategies to protect corporate data in the cloud: Encryption is important to protect data in the cloud but has its limitation in server side batch processing for example in BI systems.

Alternatives are homomorphic encryption, not now but maybe in 10 years, or peudonymisation which can solve some problems. [Remark: fully homomorphic encryption is a encryption in which a service provider can operate (add, multiply) on the encrypted data without being able to decrypt data. That means a cloud service can work on data without knowing it.] Other means to secure the data are database encryption and database activity monitoring. Access restriction only protects from outside. Most service provider lack in protection from inside attacks. Limiting access to data (e.g. by terminal server or not having full access to “data files”) and EDRM (enterprise data right management) as well as VPN against eavesdropping and protection against access of data from other tenants are important. Securing the cloud isn’t easy. It still need to be easy to use. User awareness, control and monitoring are key for successful cloud deployments.

Breakout:

The conference offered four parallel tracks from which I selected the Directory & Federation track. Martin Kuppinger gave an introduction with the statement: you cannot make federation which relies on data quality if you do not have your directory in order. Federated directories are a solution to that problem as the single directory does not work due to complexity and privacy. Here comes virtual directories or cloud directories into play, whereas use cases for the latter are authentication of customers, directories for specific applications or the migration of in house directories to the cloud. Kuppinger expects directories in 2020 being similar as they are today.

I was surprised seeing an overcrowded room when visiting “How to authenticate for the cloud”. A panel discussion lead by Sebastian Rohr with Judith Little, CloudID, Mark O’Neill, Vordel, Travis Spencer, Ping, and Tom Stewart, SecureAuth. The better way to do the authentication to the cloud is to authenticate internally and then federate to outside. This will increase adoption as too much different methods lack user acceptance. Authorization to the cloud is still difficult to handle as there are mainly proprietary methods used.

“Federation lessons learned” with Matthew Gardiner, CA & Kantara, Nishant Kaushik, Oracle and Travis Spencer, Ping, concluded that federation is now main stream. Success of facebook connect demonstrates that federation still profits from the federated SSO use cases but that reinventing over and over with new technology is problematic. A business sponsor and a aligned strategy is needed. One question asked by Mike Small was if there is a reason to not use federation. Spencer answered that there is no reason except there are some use cases for mobile devices with limited capability that can be overcome by OAuth or WS-*. Cloud business becomes a major driver for federation which does not stop at SSO. Provisioning, authorization and audit are getting more and more important.

Cloud standards adoption track: in the absence od Laim Lynch, eBay, Mike Small gave an introduction to the topic. Analyzing the risks in cloud computing. Starting with the risk of vendor locking which is more prevalent with SaaS than with PaaS or IaaS. Other risks are “Legal risk: contract”: we need a trusted standard for a provider contract; “Loss of governance”: standards for provider certification and auditing required; “Privacy legislation”: standard how well a provider meets privacy laws; “Impersonation”: is user name/password sufficient?; “Insider abuse of privilege”, “Management Interface”; “Ineffective data deletion” ; “Poor authorization model”;

Mike Small also pointed out that current cloud provider assurance frameworks are far too complex with 148 control points. He introduced a star rating method scoring the major controls reducing the list to 5 basic and 11 risk factors.

In the evening Kuppinger and Cole presented the annual European Identity in several categories:

• Cloud provider offerings
  • WSO2: multi tenant identity as a cloud service with OpenID and XACML support build on open source
• On premise to cloud migrations
  • NHS Trust/ King’s College London: Secure infrastructures for researchers
• Identity and Access Management
  • BrokerGate : Secure federation broker for insurance brokers to manage federations instead of managing all users
• Integrated identity & access management
  • Telefonica O2 Czech Republic: successful deployment of a large scale IAM implementation covering provisioning, sso, audit, efficient application on-boarding and more
• GRC
  • BT managed fraud reduction service: shared service providing real-time assessment of online transactions and analyzing fraud
• Privacy
  • Qiy: Innovative approaches to manage the personal identity in the internet
  • connect.me: recommendation network
• Identity related e-government project
  • Postecom CECPAC: certified, free email platform open to all Italian citizens for their communications with public administrations
  • Finland: Tunnistus.fi/KATSO: government to citizen/business services established in Finland now used by more than 70% of the Finnish companies
• Influential standardization efforts
  • XACML 3.0: standard driving the externalization of security out of application for centralized management and control
• Special award entitlement management
  • State of California: tax service based on external authentication and authorization using XACML 3.0

Day 3:

Three keynotes from Niels von der Hude, Beta Systems, Emilio Mordini, CEO of Centre for Science, Society and Citizenship, and Barbara Mandl from Daimler.

Mordini, a psychoanalyst, presented on the secrecy in the post wikileaks era. He elaborated the meaning of secrecy, s.th. hidden, kept separate from other things and invisible or unspoken. He asked the question: Do we still need secrecy in modern information society? His answer: we need secrecy and publicity and compared that to the life in a small village: everybody knows where you are, who you are what you are doing. But people do that with discretion: they pretend to ignore knowing the information. He concludes that ICT should address access rights. But strong data protection and security are often useless. True power is not to remember and to be remembered but forget and to be forgotten.

Back to reality: Barbara Mandl pointed towards the real problems a global corporation is confronted with. Data protection requirements in Germany, the US or Japan are total different. For example in Japan the working counsel supports to store and evaluate log in and log out times in active directory. Federation itself is not a solution as a whole. Contracts with every supplier and contracts for special applications pose challenges to legal departments. Both on Daimler and supplier side.

She also pointed out that things that work perfectly in private space, (e.g. security awareness in private online banking) due to protecting own belongings. But: the same people do not care about these things at work.

Legal track:

EIC offered a three hour crash course on international privacy and IT security law for IT professionals which compared the data protection legislation in the EU, the US and China and gave an introduction to the European legal requirements for data protection, IT security, encryption and audit. I remember a tweet saying: “It seems like two words can dissolve all the reputedly strong EU privacy & data security protections: contract or consent “. And that is exactly the point: opt-in rather than opt-out.

In another track on privacy Stephan Humer, Berlin University of Arts, presented on the sociological aspects of eID cards: technical people are problem centered. Normal people are not necessarily, they might act chaotic …

A talk from Maarten Wegdam, Novay, and a panel discussion analyzed topics like “Consumer and citizen identities; Governmental issued or trust frameworks? and “Identity assurance frameworks are now upon us. But what are they good for?”.

In the best practice track the winner of the EIC award “BrokerGate” reported from their project setting up a SAML identity provider service for 10.000 brokers and 20 insurer (final goal) in Switzerland with versatile authentication methods. In a final presentation Vassilia Orfanou from EUReID, the pan-european network of eID practitioners introduced the platform to consolidate documents and information, support networking and exchange of information related to eID projects in Europe: http://ePractice.eu.

Final words: a very successful conference and thanks to KuppingerCole for a perfect organization and composition of interesting topics. For interested readers: the European Identity Conference 2012 will be held on 17-20. April. So the fixed star has moved a little bit.

The signing certificate of SSOCircle IDP will expire on 22/May/2011. We will replace the signing certificate and the SSOCircle CA certificate on 21/May/2011. Please be prepared to replace the certificates at your service provider as well.

Download configuration data:

Current Meta Data

Current SSOCircle CA Certificate