X.509 Certificate generation and keygen

English on March 25th, 2020

Background: In the SSOCircle Public IDP we provide client certificates as a means of strong authentication. For more than 10 years we have offered PKI functionality to ease the generation of private/public key pairs as well as the generation and enrollment of X.509 certificates. In the past most browsers supported the CertEnroll / Xenroll ActiveX controls to complete the key generation tasks.

Back in 2016 we blogged on the vanishing support of the <keygen> HTML element in the Chrome browser as of version 49. From then on keygen only worked after modifying some privacy settings.

As of today, the current support across the major browsers has almost completely faded away. The following table lists the status as of now (for desktop OS).

Browser             Status (desktop OS)
Firefox             keygen support ended as of version 69 (September 2019)
Chrome              keygen support ended as of version 57 (March 2017); limited support as of version 49
Edge                no support for keygen or CertEnroll
Internet Explorer   supports CertEnroll ActiveX
Safari              1.2+ keygen supported
Opera               3+ supports keygen


We have recently received a lot of feedback about the missing PKI functionality in the SSOCircle Public IDP. From the beginning we provided a #PKCS10 certificate creation form to enroll the certificate and bind it to the user. Creating keys manually with the correct subject was tedious and error prone. Thanks to our user Ming Yu, who provided a tutorial on how to enroll the certificate and avoid pitfalls, many users were able to manage that part. But many users still missed the automatic enrollment by simply clicking the “keygen” button.

So, what’s next: We have now modified the functionality to generate RSA key pairs, create and enroll the certificate by virtue of a click … plus a manual import step into the certificate manager …
As #PKCS12 files are supported by all certificate managers/browsers/OS, we think we provide a way which supports all of them.
Details can be read here. Go and test it at the Public IDP


Certificate enrollment with #PKCS10 signing requests

English on July 24th, 2019

Author: Ming Yu

This is a step-by-step tutorial focusing on how to log in with an X.509 certificate to SSOCircle IDP instead of using username and password (REM: the process described here is not related to the use of certificates in SAML SSO). The tutorial uses the Chrome browser and Windows OS.

1. Log in with your username and password and get into your user profile. From the left navigation bar, choose “My Client Certificate”.

2. Click “New Certificate Enrollment”, choose “Certificate Enrollment PKCS#10” and you will be asked to enter a Certificate Signing Request (CSR).

3. Now we need some tools to generate a Certificate Signing Request (CSR). In this tutorial, OpenSSL for Windows is used. After installing, open the CMD prompt, go to the bin folder where OpenSSL was installed and enter the following command:

openssl req -new -newkey rsa:2048 -nodes -out tutorial.csr -keyout tutorial.key -subj "/C=DE/O=ssocircle/CN="

You will get two files, “tutorial.key” and “tutorial.csr”. Open “tutorial.csr” with your favorite editor (e.g. notepad) and copy & paste the content into the form described in the previous step and click “submit”.

As a result the certificate is generated, displayed and provided for download.

4. You got a file named “user.crt”, cut and paste it into the folder location where “tutorial.key” is stored. You now need to merge both files into a #PKCS12 pfx file. The command is:
openssl pkcs12 -export -out tutorial.pfx -inkey tutorial.key -in user.crt

5. Double click “tutorial.pfx” file and import it into Windows Certificate Manager. After successful install, you can see it listed in the certificate manager.

As a successful test you can now log out and log in again by clicking “Certificate Log In”. If the certificate was installed correctly, a selection window pops up where you need to choose the certificate, and then you are logged in without entering a username or password.


Impressions from European Identity & Cloud Conference 2019

English on May 30th, 2019

Going deep on Decentralized Identity (DID) and Artificial Intelligence, as they turned out to be the main topics of the KuppingerCole European Identity Conference 2019 (EIC19), which was held in Munich from 14th-17th of May 2019. The leading Identity and Access Management event in Europe attracted almost 1.000 visitors and a growing exhibition area expanding over two floors. Again KuppingerCole Analysts AG did a tremendous job of gathering the thought leaders and practitioners of the industry. And it is always a real roller coaster to be energized by the visionaries’ views and then be deflated by reality. For all students it is worth noticing: KuppingerCole introduced this year the Young Talents Program, which allows all students to attend KC events free of charge.
The concept of the European Identity Conference is a well-established mixture of keynotes, workshops, breakout sessions and panel discussions. But the identity week itself already started on Monday with events like the half-day FIDO Authentication workshop and the AI Innovation night. On Tuesday morning pre-conferences were held on Blockchain ID and AI, along with meetings of the OpenID and Kantara initiatives.
On Tuesday afternoon the conference started as usual with Martin Kuppinger setting the tone with his opening keynote “Navigating IAM into the Digital Age: Connected Consumers, Connected Business, Connected Data & AI”: connect consumers but leave them in control of their identity via BYOI (bring your own identity); have identity, payment and commerce go hand in hand and get rid of the cumbersome KYC process; share data to get artificial intelligence as the fuel of the business transformation which is happening now; rethink IAM as a whole and move to a set of services which allows connecting everything, “the identity fabric”.

“We give people back their identity”

Evernym

Decentralized Identity (DID) or Self Sovereign Identity (SSI) is a solution approach to put users back in control of their identity. In general SSI/DID means that no single company or organization owns the identities. Many speakers emphasized that for enterprises, storing and owning identity data of consumers constitutes a risk which should be avoided. Most products and solutions for DID utilize blockchain technology. But in fact that is not a must; there are some offerings based on alternative technologies.
An intensively discussed topic at the conference was “Artificial Intelligence”. Karsten Kinast pointed out the ethical questions and the problem of liability, and the need for a new legal framework for AI. Currently liability is only applicable to a person, not to an AI; as no person can be attached to a truly learning artificial intelligence machine, an issue of liability arises. Ethics in AI also leaves many questions open, one example mentioned: think of AI in autonomous cars, where the machine has to decide in an inevitable crash whether to kill the younger or the older person … a decision also not allowed in many jurisdictions.

The European Identity & Cloud Award ceremony, hosted by Jennifer Haas, in which KuppingerCole honors outstanding IAM projects, is always the highlight of the conference. This year the following winners in eight categories were presented:

  • Best Enterprise IAM Project: BP and their IAM team for driving and supporting the company’s digital business initiatives.
  • Best Consumer Identity and Access Management Project: Telia’s Identification Broker Service for the Finnish trust network, built on different modular services
  • Best IoT Security Project: Rabobank for implementing a system for secure onboarding of customers by using the national ID card in combination with a smartphone and focusing on user experience
  • Best Consumer Authentication Project: Allianz with IC Consult for building a central authentication API platform based on open standards supporting web and mobile clients.
  • Best Blockchain ID in Self Sovereign Identity Project: Evernym was given the award for their trust platform based on blockchain. To quote them: “We give people their identity back”
  • Best Identity Platform Project: The Economist for their one-click authentication platform helping them to meet GDPR requirements while still maintaining a good user experience. Technology based on Auth0.
  • Best Blockchain ID in Consumer Identity Project: Traficom, the Finnish Transport and Communications Agency, for their scalable personal data sharing MyData Wallet
  • Best Future Technology / Standard Project: W3C’s WebAuthn as being most recognized and FIDO Alliance’s FIDO 2.0 standard for future development.

Some other conference picks worth mentioning:

Paul Fremantle from WSO2 introduced the OpenSource IAM Consortium with the members WSO2, Gluu and ZmartZone.

Ian Glazer gave a nice talk about such simple thing as the username: “the most forgotten thing in identity management”. Usernames are not secrets, are classified as public, should be memorable, unique and recoverable…

Mark Stephen Meadows, CEO of Botanic Technologies, introduced Seedtoken.io. Seed is providing an OpenSource economy for AI personalities, bot assistants and video bots. Blockchain enables seed to authenticate conversational user interfaces and compensate developers for their contributions.

Fooling machine learning systems was the topic of another session. Frederic Stallaert showed a sample of a simple picture held in front of the body that fools a person recognition camera.

As a result of a recent formal security analysis of OAuth 2.0, it is recommended not to use the implicit grant type, and it is very likely that it will become deprecated in the standard. Torsten Lodderstedt presented on OAuth security and introduced the upcoming OAuth 2.0 Security Best Current Practice RFC; a draft can be found at: https://tools.ietf.org/id/draft-ietf-oauth-security-topics-10.html

Do not use the OAuth Implicit Grant any longer!

Torsten Lodderstedt

Last but not least, many thanks to the KuppingerCole team for putting such a conference together. And don’t forget to mark the date of EIC2020 in Munich from May 12th to 15th.


Impressions from European Identity & Cloud Conference 2018

English on May 22nd, 2018

Technology meets Legal, Standards meet Best Practices, Vision meets Reality. All this happens when KuppingerCole Analysts calls together the identity community to meet at the 12th European Identity and Cloud Conference (EIC) in Munich from 15th-18th May 2018. It is the leading Identity and Access Management event in Europe and probably in the world, with more than 800 participants and 60 exhibitors, attracting identity enthusiasts from all over the world, even from Australia, New Zealand and Japan.

Not very surprisingly, the big topics of the conference have been, on the one side, fueled by the Cambridge Analytica scandal, the General Data Protection Regulation (GDPR), which will be effective on May 25th, and, on the other side, Blockchain Identity, also known as Self-Sovereign Identity (SSI). A new upcoming topic was actively discussed and most likely will be a major topic at EIC 2019: the impact of microservices on Identity Management and vice versa.

Blockchains are here to stay – Blockchain might deliver the UNIVERSAL ID

Martin Kuppinger

Although Blockchain Identity is still in an early stage, there is a controversial discussion about what problem it is actually solving. Martin Kuppinger stated in his keynote: “Blockchains are here to stay – Blockchain might deliver the UNIVERSAL ID”, but success depends on reaching the critical mass and achieving interoperability between legacy identity systems and other blockchains. Easy-to-use wallets, Privacy-by-Design, and predictable and affordable costs are critical to broader adoption. Challenges remain, as Blockchain Identity does not solve the privacy problem per se. Off-chain storage of PII data and the “right to be forgotten” problem still require an adequate solution.

GDPR is just one week away, but what exactly will happen after the effective date? Most participants expect that the authorities will start to chase the big ones (the Googles and Facebooks) – if at all. Implementation details are still unclear and actively discussed. The subject of one of the panels was: “How to decide between Consent and Contract as a Lawful basis for Processing under GDPR”. Allan Foster formulated the answer, motivated by a use case described by someone from the audience in which a company processed employees’ private address data in order to create groups for newly introduced carpooling: “When a User is surprised with what you do with his data, ask for consent”

When a User is surprised with what you do with his data, ask for consent

Allan Foster, Forgerock

The concept of the European Identity Conference is a mixture of keynotes, workshops, breakout sessions and panel discussions. In 2018 the panel discussions were very well received and successfully put together by KuppingerCole’s team. The panel “How will Authorization Look in Future? XACML, OAuth, Proprietary?” turned out to be an intense discussion on the differences between OAuth and XACML:

OAuth is not authorization, it is just access delegation

David Brossard, Axiomatics

Some things noteworthy to mention from the more practical day-to-day identity reality:
Mike Schwartz, GLUU, introduced the Open Trust Taxonomy for OAuth2 Kantara Workgroup (OTTO) which tries to define basic structures of multi-party federations like APIs and related data structures to manage trust between entities and to discover members and service details of federations (https://kantarainitiative.org/confluence/display/OTTO/Home)
Andrew Hughes and Corné van Rooij presented the Kantara Consent Management best practices Working Group, which will collect best practices for the management of privacy notices

Rainer Hörbe talked about Privacy by Design in Federated Identity Management, tackling FIM-related privacy risks (observability of behavior by central instances, linkability through the introduction of common identifiers, and impersonation by IDPs due to weaknesses in the SSO mechanism) with approaches like late binding of user attributes, constrained logging proxies or blind proxies.

European Identity & Cloud Awards 2018: As always, the ceremony is a highlight of the conference. The following winners were presented:

  • Best IAM Project: Munich RE insurances for a mature IAM implementation
  • Best Consumer Identity Project: If P&C Insurance for developing an innovative Mobile App for Health Insurance
  • Best IoT Security Project: Hager Group implementing a Smarthome Operator Service via website and smartphone
  • Best IT Risk Management Project: Deutsche Bank for its IAM program in a complex, highly regulated environment
  • Best Innovation Award: OpenID Certification Program for the successful introduction of self-certification of OpenID providers
  • The new Blockchain Identity Award: Taqanu Bank for a horizontally scalable Blockchain solution and its unique consensus algorithm

Concluding this post by thanking the unbelievable KuppingerCole team for putting together this challenging agenda and for the perfect event organization (as always). Looking forward to the 13th European Identity & Cloud Conference from May 14th to 17th, 2019

Some links and acronyms:
DIF: Decentralized Identity Foundation http://identity.foundation/
DLT: Distributed Ledger Technology (not Digital Linear Tape)
IDPro: The First-Ever Digital Identity Professionals Organization https://idpro.org


SAML SSO to Amazon AWS from SSOCircle

English on September 19th, 2017

Many people were asking about doing SSO to Amazon AWS from SSOCircle. Since SSOCircle Public IDP has a common Circle of Trust the Service Provider EntityIDs are shared and must be unique.

AWS provides a single SAML Service Provider Metadata file at https://signin.aws.amazon.com/static/saml-metadata.xml for all AWS customers. As the AWS SP is already imported into the Circle of Trust, the EntityID specified in the Metadata file is already taken. The next user importing the same Metadata will get the error:


A urn:amazon:webservices entity already exists. Go to the *Manage Metadata*, and delete the existing urn:amazon:webservices entity first

As the SP is bound to another user, it is not possible to delete the SP.
The good thing is, because the AWS Metadata is already trusted, the import step can be skipped.
The bad thing is that every AWS user who configures trust for SSOCircle accepts SAML assertions from any user logged in to the Public IDP. If someone knows or guesses the Role ARN of another AWS instance, this is potentially dangerous. Because of this we do not expose the configuration of the AWS Role in the GUI. Instead, Premium subscribers can open a ticket for that.

NOTE: This does not apply to hosted IDP (IDPee) instances, which have an individual Circle of Trust and Metadata. These are fully configurable via the GUI for AWS.

For users who go with the SSOCircle Public IDP and AWS, we strongly recommend further restricting the SAML access to AWS with additional conditions:

Follow these steps for configuring the IDP and create a Role with at least the following condition. Change yourSSOCircleUserId to the value of your SSOCircle username.

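A role trust policy with the recommended per-user restriction, as an added example that is not from the post or from AWS documentation: the account id, provider name and user id are constructed placeholders, and it assumes that the NameID in the SSOCircle assertion (the AWS condition key saml:sub) carries the SSOCircle username. The small evaluator contrasts the audience-only policy, which any Public IDP user satisfies, with the restricted one.

```python
import json

# Constructed placeholders (not from the post): replace with your own values.
AWS_ACCOUNT_ID = "123456789012"
SAML_PROVIDER_NAME = "SSOCircle"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def role_trust_policy(ssocircle_user_id=None):
    """Trust policy for a role assumed via sts:AssumeRoleWithSAML.

    Without `ssocircle_user_id` only the audience is checked, so any user of the
    shared Public IDP could present an assertion for this role. With it, the
    SAML:sub condition pins the role to one SSOCircle user.
    Assumption: the assertion's NameID (exposed by AWS as saml:sub) is the
    SSOCircle username that the post says to put into the condition.
    """
    conditions = {"SAML:aud": AWS_SAML_AUDIENCE}
    if ssocircle_user_id is not None:
        conditions["SAML:sub"] = ssocircle_user_id
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{AWS_ACCOUNT_ID}:saml-provider/{SAML_PROVIDER_NAME}"
                },
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": conditions},
            }
        ],
    }


def assume_role_allowed(policy, saml_claims):
    """Simplified check of the StringEquals conditions against the claims AWS
    derives from an assertion. Condition keys are case-insensitive, so both
    sides are lower-cased. Models only this Allow statement, not full IAM
    evaluation (no Deny statements, no other operators)."""
    claims = {key.lower(): value for key, value in saml_claims.items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithSAML":
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(claims.get(key.lower()) == value for key, value in conditions.items()):
            return True
    return False


# Constructed sample claims: the legitimate user and another Public IDP user.
OWN_USER = {"saml:aud": AWS_SAML_AUDIENCE, "saml:sub": "yourSSOCircleUserId"}
OTHER_USER = {"saml:aud": AWS_SAML_AUDIENCE, "saml:sub": "someoneElse"}

if __name__ == "__main__":
    strict = role_trust_policy("yourSSOCircleUserId")
    print(json.dumps(strict, indent=2))
    print("own user allowed:", assume_role_allowed(strict, OWN_USER))      # True
    print("other user allowed:", assume_role_allowed(strict, OTHER_USER))  # False
```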


Impressions from European Identity & Cloud Conference 2017

English on May 19th, 2017

No new standards, no protocol declared dead – but new compliance directives which have a huge impact on business practices and deployed IAM services. The General Data Protection Regulation (GDPR) and the Revised Directive on Payment Services (PSD2) will apply in 2018 after a two-year transition period.

From the importance of establishing a legal identity for developing countries as part of every person’s basic human rights and as a precondition for access to health and wealth services, via SSI (self-sovereign identity, aka decentralized blockchain-based identity), via Cognitive Security (AI and machine learning applied to security analytics), via Customer IAM (CIAM) to the security of the connected car: the European Identity Conference is definitely the one-stop in identity topics in Europe that you should not miss.

The KuppingerCole European Identity Conference (EIC) is definitely the one-stop in identity topics in Europe that you should not miss

The 11th KuppingerCole European Identity Conference took place in Munich from May 9th to 12th with a record-breaking 700 attendees. From year to year the spectrum of the conference is getting wider and wider, and in fact mirrors the impact of digitalization on everyone and everything. The KuppingerCole team again did a fantastic job by not only inviting representatives from IAM vendors and their customers, but also bringing speakers from NGOs, initiatives like Taqanu Bank (a bank for refugees), visionaries, lawyers and technical people together to discuss and share identity topics.


The morning of the first conference day is traditionally a forum for several organizations to present to a broader audience the projects done in their working groups. This year workshops were held by the Kantara Initiative, the OpenID Foundation, OASIS Privacy Engineering and Forum Systems.

Some facts from the OpenID Workshop: Three OpenID Connect (OIDC) Logout Implementer’s Drafts were approved in March 2017. OIDC certification for Relying Parties has been available since December 2016: 34 profiles have been certified for 12 implementations and 11 organizations. Certification for OPs, available since 2015, was granted for 124 profiles to 39 implementations and 36 organizations. The certification is a self-certification available at $200 for members or $999 for non-members. Additional profile tests are planned: refresh token, logout, OP-initiated login and self-issued tokens. Update on AccountChooser: Google donated the code of their project OpenYOLO, a password manager with an open API integrated as a privileged app into the Android OS.


The conference itself started in the afternoon as always with Martin Kuppinger’s keynote on “Can Artificial Intelligence close the gap between Cyber-Adversaries and their victims? Looking on solving the skills shortage in Cyber-Security by applying technology.” He described five axioms of Cyber Security which describe the state of cyber security:

  • There is no 100% security
  • Once a system, a device, or thing is connected, it is under attack
  • Every individual and every organization is/has been attacked successfully
  • There are backdoors to hardware, software and networks – your keys may already have been duplicated
  • There are not enough sufficiently skilled people out there to staff your Cyber Defense Center

He came to the conclusion that Cognitive Security can help to better defend against attackers by minimizing unknown events and by detecting and identifying incidents faster. Cognitive Security can provide tools to close the skills gap, but organizations should also invest in the education of their existing teams, and teams should not try to do everything themselves but should seek help from managed security providers, which benefit from economies of scale.

Everything is called machine learning, even if the machine learns nothing

M.Kuppinger


Some excerpts from the keynotes and the break out sessions:

Ian Glazer gave an update on IDPro.org, an upcoming professional organization focused on identity management. The organization was proposed by him at last year’s EIC16. It is now a Kantara incubate and intends to open up in June for founding members. The organization will provide membership services, a body of knowledge and a code of practice for identity professionals.

There is no Identity Meetup in Germany – the 3rd largest economy in the world

Ian Glazer

Doc Searls presented CustomerCommons. Terms will be created to help with privacy issues similar to what CreativeCommons provided to overcome copyright issues.

Mike Jones on strong authentication using asymmetric keys in devices: The draft Web Authentication: An API for accessing Public Key Credentials WD-05 was published the Friday before the conference (May, 5th). The FIDO 2.0 CTAP (Client to authenticator protocol) is still private to the FIDO Alliance members. The IETF token binding specifications will be released as a final RFC in a few months.

Balazs Némethi gave an update on Taqanu Bank, whose story was started at last year’s EIC16. The bank tries to provide banking service to refugees by replacing the traditional KYC principle with an identity created on basis of the person’s digital footprint and blockchain technology.

Because most refugees have a smartphone, they have digital footprint

Balazs Némethi

Drummond Reed and Phil Windley presented on Self-Sovereign Identity (SSI), blockchain based decentralized identities: Sovrin which was discussed first in EIC16. It was built to solve the hard problems of SSI – governance, scalability, pseudonymity, data privacy and revocable attributes.

Oliver Naegele introduced his new Frankfurt-based FinTech startup Blockchain Helix which provides blockchain based identity and data services.


The highlight of the conference, as every year, was the award presentation ceremony moderated charmingly by Jennifer Haas and Rob McCabe. The winners were chosen by the KuppingerCole analysts from among outstanding projects, applications and ideas in IAM, GRC and Cloud Security.

The winners 2017 in several categories are:

Best approach to improving governance and mitigating risk: Mitsubishi UFJ Securities
Mitsubishi UFJ Securities implemented a program based on the RSA IdaaS solution to meet regulatory compliance.

Best consumer identity project: Moneyou (ABN AMRO Bank)
Moneyou used ForgeRock software to build a system for its new and innovative services treating identity as a key enabler and differentiator.

Best IAM project: Nestlé
Nestlé implemented an Identity and Access Governance solution called AMIGO based on One Identity with a 20 member team in 10 months.

Best IoT security project: Danfoss
The prize in this category was awarded for the first time. Danfoss and Nixu implemented a security framework for Danfoss Drives.

Future Technology Award: IBM Watson
“AI for the masses” – IBM Watson provides cognitive services that can be used to build leading-edge solutions.


The next European Identity Conference will be held in Munich from 15-18 May 2018. But note: KuppingerCole is hosting additional conferences: Consumer Identity World in Seattle, Paris and Singapore; the Next Generation Marketing Executive Summit and the Digital Finance World in Frankfurt.

“Meet the Expert”, the Cyber Security Experts Stage was well received.


Again, a great thanks to the KuppingerCole team for a well-organized conference.


Relationship Based Access Control in IoT and User Managed Access

English on April 25th, 2017

Relationship Based Access Control (ReBAC) models originate from access control considerations made for Online Social Networks (OSN). In original ReBAC studies User-to-User (U2U) relations determine the access control decision made whenever a user (accessor) tries to access a resource. Policies typically evaluate the type, depth and strength of the U2U relation between the accessor and the resource owner (see Fong et al, Carminati et al).

Example: The friend of my friend has access to the picture that I posted.

Considering only U2U relations implicitly assumes an “owns” relationship between resource and user. Access rights to the resource are determined by the U2U relation between the accessor and the owner. Other use cases in OSNs exist in which U2U relations are not sufficient and User-to-Resource (U2R) relations need to be considered (see Sandhu et al).

Example: The commenter of a blog entry might be allowed to contact another commenter of the same blog entry.

These expanded ReBAC models require U2U relationships (e.g. friend, parent, child) and U2R relationships (e.g. like, commented, tag). The relation “user commented on a blog entry” constitutes a U2R relation between the commenter and the blog post. The relation between two commenters of the same blog entry is a 2-hop U2R relationship.

Deriving access control decisions requires policies (e.g. only direct friends are allowed to comment on my posting). In the context of OSNs it is assumed that many resource objects (pictures, postings) exist and have similar access policies. There are only a few relation types (typically friend) and/or user groups (e.g. circles, friend lists). With that in mind, a few policies are sufficient to represent access controls for many objects.

In the case of the Internet of Things (IoT), access control needs to be more granular. There is a need for many more relation types between identities (U2U) and for policies which govern the access to resources. A model as used for OSNs would be very complex, and policies would be very difficult to oversee and manage. Typically this approach would lead to a vast growth of relation types and policies, something similar to what we already know as role explosion in RBAC.

The aspects described above led us to another way of looking at ReBAC. We started to model the permissions directly as relations (edges) into the graph and reduced the number of policies to a single policy which basically says that an identity is allowed to access a resource if a path of a specific type between the identity and the resource exists.

Example: The delegate of a user with access permission to a third party resource has access to that resource as well


View from Ron’ perspective. Seeing the permission path from Delgado to Ron’s UserProfileData

The policy evaluation function is:

F(A, R, P) ∈ {0, 1}

with A = Accessing Identity, R = Resource, P = minimum permission type, {0,1} = the deny or permit decision

Under this model permissions are described as U2R relations and can then easily be evaluated using graph traversal algorithms.

To take the model even further we introduced access requests as U2R relations to represent User Managed Access (UMA) scenarios. The relation “read access requested” is converted to a “read access allowed” relation as soon as the resource owner approves the request.
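The single-policy model above, worked through as an added example that is not SSOCircle's MyIdentityGraph code: permissions are typed U2R edges, delegation is a U2U edge, F(A, R, P) is a breadth-first search for a permission path, and a UMA request edge is converted into an allowed edge on owner approval. The permission ordering read < write < owns and the node names besides Ron, Delgado and UserProfileData are assumptions.

```python
from collections import deque

# Assumed permission ordering (not from the post): a higher level implies the lower ones.
PERMISSION_LEVEL = {"read": 1, "write": 2, "owns": 3}


class IdentityGraph:
    """Directed graph of typed edges: U2U edges such as delegate_of, U2R permission
    edges such as read_allowed / write_allowed / owns, and UMA edges such as
    read_requested."""

    def __init__(self):
        self.edges = {}  # source node -> list of (relation, target node)

    def add(self, source, relation, target):
        self.edges.setdefault(source, []).append((relation, target))

    def permission_level(self, identity, resource):
        """Highest permission `identity` holds directly on `resource` (0 = none).
        Only *_allowed and owns edges count; *_requested edges grant nothing."""
        best = 0
        for relation, target in self.edges.get(identity, []):
            if target != resource:
                continue
            if relation == "owns":
                perm = "owns"
            elif relation.endswith("_allowed"):
                perm = relation[: -len("_allowed")]
            else:
                continue
            best = max(best, PERMISSION_LEVEL.get(perm, 0))
        return best

    def evaluate(self, accessor, resource, minimum):
        """F(A, R, P): 1 if a permission path of at least level P exists from A to R.
        Path type: zero or more delegate_of edges (U2U), then one U2R permission
        edge. Breadth-first search; `seen` guards against delegation cycles."""
        needed = PERMISSION_LEVEL[minimum]
        seen = {accessor}
        queue = deque([accessor])
        while queue:
            identity = queue.popleft()
            if self.permission_level(identity, resource) >= needed:
                return 1
            for relation, principal in self.edges.get(identity, []):
                if relation == "delegate_of" and principal not in seen:
                    seen.add(principal)
                    queue.append(principal)
        return 0

    # User Managed Access: an access request is itself a U2R relation.
    def request_access(self, accessor, resource, perm):
        self.add(accessor, perm + "_requested", resource)

    def approve(self, owner, accessor, resource, perm):
        """Owner approval converts read_requested into read_allowed. Returns False
        if no such request exists; raises if `owner` does not own the resource."""
        if self.permission_level(owner, resource) < PERMISSION_LEVEL["owns"]:
            raise PermissionError(f"{owner} does not own {resource}")
        edges = self.edges.get(accessor, [])
        requested = (perm + "_requested", resource)
        if requested not in edges:
            return False
        edges.remove(requested)
        edges.append((perm + "_allowed", resource))
        return True


def example_graph():
    """The post's delegate example; ThirdPartyDoc is a constructed resource name."""
    g = IdentityGraph()
    g.add("Ron", "owns", "UserProfileData")        # Ron owns his profile data
    g.add("Ron", "read_allowed", "ThirdPartyDoc")  # a third party granted Ron read access
    g.add("Delgado", "delegate_of", "Ron")         # Delgado acts on Ron's behalf
    return g


if __name__ == "__main__":
    g = example_graph()
    print("Delgado -> UserProfileData (read):", g.evaluate("Delgado", "UserProfileData", "read"))  # 1
    print("Delgado -> ThirdPartyDoc (write):", g.evaluate("Delgado", "ThirdPartyDoc", "write"))    # 0
    g.request_access("Alice", "UserProfileData", "read")
    g.approve("Ron", "Alice", "UserProfileData", "read")
    print("Alice -> UserProfileData (read):", g.evaluate("Alice", "UserProfileData", "read"))      # 1
```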

Register with SSOCircle and get a real impression on ReBAC and MyIdentityGraph.


Next Generation Identity and Access Management

English on April 6th, 2017

SSOCircle recently introduced a graph-based identity management system with user-manageable access permissions and an entitlement API.

Enter ReBAC (Relationship Based Access Control). Add ReBAC to ABAC (Attribute Based Access Control) and RBAC (Role Based Access Control) and get StarBAC.

ReBAC can be described by the explicit tracking of relationships between identities themselves and identities and resources plus the expression of access control policies in terms of these relationships. A good fit for the next generation IAM challenges of the CIAM and IoT age and complex non hierarchical relationships.


View from Ron’ perspective. Seeing the permission path from Delgado to Ron’s UserProfileData

Enter standardized Authorization as a Service. XACML… yes, but JSON and REST based. Protected with an OAuth bearer token.

Find your path … Welcome MyIdentityGraph!

Read more at www.ssocircle.com


Configuration and Metadata Certificate Changes

English on August 7th, 2016

Applies to the Public IDP. Not to our IDPee offerings.

Update: Public IDP Metadata will be replaced during a maintenance window at the weekend of 13/14th August 2016. We do not expect downtime but there may be some changes needed at your service provider.
SSOCircle Root CA certificate used for client certificate authentication will also be replaced in the first week of August.

Details on the changes:

  1. Replacement of the SSOCircle Root CA Certificate
  2. The SSOCircle Public IDP Certificate and its SAML Metadata will be replaced. The certificate will be signed by the old SSOCircle CA certificate. The SAML Metadata and the endpoints themselves are considered deprecated.
  3. New Public IDP Metadata will be introduced with new endpoints, new keys and certificates signed by the new SSOCircle CA. The new Public IDP Metadata should be used with new deployments and should replace the old metadata.
  4. Client certificates used for strong authentication when signing in to the IDP will now be signed by the new SSOCircle Root CA certificate. Old certificates will continue to work

What you need to change:

Details depend on your SP implementation and configuration. The following points can only point you in the right direction.

Deprecated use of old IDP Metadata (may be removed in future)
During the weekend of 13/14th August replace the SSOCircle IDP certificate in your SP configuration with the new certificate or just replace the metadata (if your SP supports SAML Metadata)
Deprecated SSOCircle Public IDP Metadata

Recommended: Use of new IDP Metadata
From now on, you can use the new IDP Metadata (If your SP supports SAML Metadata)
SSOCircle Public IDP Metadata

If you need to change your SP configuration manually, you need to change the certificate and properties as listed in IDP Configuration Changes.

SSOCircle Root CA Certificates can be found at the URL:

SSOCircle CA Certificate
SSOCircle CA Certificate (deprecated – legacy use only)


Enable Key Generation in Chrome

English on June 6th, 2016

The following article refers to the process of generating client certificates at the SSOCircle Public IDP. In the PKI functionality of SSOCircle IDP we allow the automatic generation of keys and the enrollment of X.509 certificates. Client certificates are used for strong authentication. These certificates are not related to the certificates used with SAML single sign on.

As of Chrome 49 the keygen tag is deprecated and the automatic generation of keys as used in the Public IDP is turned off by default. In order to use the automatic enrollment with Chrome, enable it by executing the following steps:

  1. Open “Settings” from the beacon icon
  2. Click on Privacy: “Content Settings”
  3. At Key generation: check the radio box “Allow all sites to use key generation in forms” or, as an alternative, click “Manage Exceptions” and enter idp.ssocircle.com as an allowed hostname pattern
