Do you speak SAML? Google Apps, Salesforce and SAP Hana Cloud tested

English on December 23rd, 2014

In this article we compare the SAML service provider implementation of three popular cloud services:

  • Google Apps (which includes GMail, Google Drive and Docs, Calendar)
  • Salesforce
  • SAP Hana Cloud

Our testing procedure includes verification of the service provider compliance to the SAML 2.0 specification and checking the handling of signature validations.

Security Assertion Markup Language (SAML) is today the main standard used for signing in to cloud services with a single authentication procedure (typically username/password). A correct implementation of the standard is crucial for security; failing to implement it correctly may compromise security and lead to information loss.
Unfortunately SAML 2.0 is very complex and probably over-engineered, leaving the developer too many degrees of freedom to implement only parts of the security measures envisaged by the standard. The risk is aggravated because an implementation might look as if it were functioning correctly: single sign-on works and some of the checks against signature or timestamps are performed. But on diving a little deeper, security issues or nonconformity become evident.
In our research we tested Google Apps, Salesforce CRM and SAP Hana Cloud as representatives of modern Cloud Service providers which provide Single Sign On integration with SAML 2.0.

Research method: a tool that runs automated tests leveraging the SSOCheck API.

Test cases were divided into different testing areas:

  1. Replay
  2. General XML
  3. SAML Response Message
  4. SAML Assertion
  5. Digital Signature

The tests of areas 3 and 4 refer to the components of the SAML documents as illustrated in the following picture.

SAP performed best in all categories. Salesforce ranked second. Google was vulnerable to assertion replay and almost completely ignored the response part of the SAML message and several attributes of the assertion.

We informed the security teams of the tested companies about the results before publishing the article. All companies replied in acceptable time. Some involved their development departments, which tried to reproduce the tests, and some argued with risk-based approaches. Salesforce was the fastest and most communicative respondent. SAP’s answer was the slowest but the most meticulous. Google took some time to respond, but over time a very interesting discussion evolved with participation of several members of the security and product teams, which led to the rollout of product patches. Most parties leveraged the SSOCheck tool to understand and reproduce the findings.

The following table summarizes the results found.
Summary Table (% passed tests)

Test                 Google Apps   Salesforce CRM   SAP Hana Cloud
Replay                         0              100              100
General XML                  100              100              100
SAML Response               16.7             66.7             83.3
SAML Assertion              50.0             69.2             76.9
Digital Signature            100              100          100 (*)
Total                       48.5             82.7             88.5

*) SAP Hana Cloud was the only service provider that accepted a SAML response with an evil assertion inserted before the valid assertion. We rated the test as passed since the SAP implementation seemed to totally ignore the evil assertion, so it could not be used to attack the service.

Total results were calculated as a weighted average of the group results, giving the SAML assertion tests a weight of 2, the general XML tests a weight of 0.5 and the rest a weight of 1.

Detailed test result table:

Test Google Apps Salesforce CRM SAP Hana Cloud
1 Unmodified SAML – as a positive protocol test
2 Replay Attack – SAML protocol message replayed
3 Invalid SAML Protocol Namespace
4 Invalid SAML Assertion Namespace
5 SAML Response Status Code is set to RequestDenied
6 SAML Response Issuer is invalid
7 SAML Response IssueInstant is set to a value in the future
8 SAML Response InResponseTo is invalid
9 SAML Response Destination is invalid
10 SAML Response Version is invalid
11 SAML Assertion Issuer invalid
12 SAML Assertion IssueInstant is set to a value in the future
13 SAML Assertion Version is invalid
14 SAML Assertion Subject without NameID
15 SAML Assertion subject NameId format set to an unknown value
16 SAML Assertion SubjectConfirmation Method invalid
17 No SubjectConfirmationData element in the SAML Assertion sent
18 SAML Assertion InResponseTo is invalid
19 Recipient in SAML Assertion SubjectConfirmationData is invalid
20 Address in SAML Assertion SubjectConfirmationData is invalid
21 NotOnOrAfter in SAML Assertion SubjectConfirmationData is set to a value 1h into the past
22 Two Assertion SubjectConfirmationData elements whereas the first is the valid one and the second is a wrong value.
23 Two Assertion Subject Confirmation Data elements whereas the first is the wrong one and the second has the correct value.
24 SAML Assertion Condition is inserted which is unknown to the service provider
25 SAML Assertion Condition NotBefore is set to a value of 1h in advance.
26 SAML Assertion Condition NotOnOrAfter set to 1h in the past.
27 Syntax test to check that the SP supports the OneTimeUse element.
28 AudienceRestriction element in SAML Assertion Condition is empty
29 AudienceRestriction element in SAML Assertion Condition is set to a wrong value
30 Two values in one SAML Assertion AudienceRestriction element. The wrong value is the first
31 Two values in one SAML Assertion AudienceRestriction element. The wrong value is second.
32 Two AudienceRestriction elements in SAML Assertion. The first element holds the wrong value
33 Two AudienceRestriction elements in SAML Assertion. The second element holds the wrong value
34 Two AudienceRestriction elements in SAML Assertion. Both hold two audience values in different ordering
35 AuthnStatement is missing in SAML Assertion
36 Sets the SubjectLocality of AuthnStatement to a non valid IP address
37 AuthnInstant timestamp of Assertion AuthnStatement is moved one day into the future.
38 AuthnInstant timestamp of Assertion AuthnStatement is moved one day back in time.
39 SessionNotOnOrAfter timestamp of Assertion AuthnStatement is set one day in the past.
40 AuthnContextClassRef of Assertion AuthnStatement is set to “unspecified” and should be declined by the service provider.
41 Multiple Signature tests: signature exclusion
42 Multiple Signature tests: mangled signature
43 Multiple Signature tests: wrong signature key
44 signature wrapping variants
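To make concrete what a service provider has to verify for the response and assertion tests in this list, here is an added example written for this review; it is neither SSOCheck code nor the implementation of any of the tested vendors. It checks the Response fields (tests 5 to 9), most of the assertion checks that tests 11 to 37 exercise (issuer, timestamps, subject confirmation, conditions, audience, authentication statement; version, NameID format, Address and AuthnContext handling are left out), keeps a replay cache of consumed assertion IDs (test 2) and refuses a response that carries more than one assertion or whose signature Reference does not point at the assertion being consumed (tests 41 to 44). The entity IDs, ACS URL, request ID and the sample response are constructed placeholders, the clock is frozen, and the cryptographic XML-DSig verification is assumed to be performed by a separate library on exactly the element the checker consumes; it is not implemented here.

```python
# Added example, not SSOCircle/SSOCheck code: checks for the SAML 2.0 Response and Assertion fields the
# test list above exercises (replay, status, issuer, timestamps, InResponseTo, Destination/Recipient,
# audience, single-assertion rule).  XML-DSig verification is assumed to be done by a separate library.
import xml.etree.ElementTree as ET
from contextlib import suppress
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def ts(value):
    """Parse a UTC xs:dateTime (optional fractional seconds); None if absent or malformed."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        with suppress(ValueError):
            return datetime.strptime(value or "", fmt).replace(tzinfo=timezone.utc)
    return None

class SamlResponseChecker:
    def __init__(self, sp_entity_id, acs_url, idp_entity_id, skew_seconds=60):
        self.sp, self.acs, self.idp = sp_entity_id, acs_url, idp_entity_id
        self.skew = timedelta(seconds=skew_seconds)
        self.seen_ids = set()  # replay cache of consumed assertion IDs (in-memory for the example)

    def check(self, xml_text, now, request_id):
        """Return the list of rejection reasons for a Response; an empty list means accept."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{NS['samlp']}}}Response":
            return ["root element is not samlp:Response"]
        issue, code = ts(root.get("IssueInstant")), root.find("samlp:Status/samlp:StatusCode", NS)
        assertions = root.findall("saml:Assertion", NS)
        errs = [msg for failed, msg in (
            (root.get("Destination") != self.acs, "Response Destination is not our ACS URL"),
            (root.get("InResponseTo") != request_id, "Response InResponseTo does not match our request"),
            (issue is None or issue > now + self.skew, "Response IssueInstant missing or in the future"),
            (root.findtext("saml:Issuer", namespaces=NS) != self.idp, "Response Issuer is not the configured IdP"),
            (code is None or code.get("Value") != SUCCESS, "Status is not Success"),
            # extra assertions are the raw material of wrapping: consume exactly one, and only that one
            (len(assertions) != 1, f"expected exactly one Assertion, found {len(assertions)}"),
        ) if failed]
        if len(assertions) == 1:
            errs += self._check_assertion(assertions[0], now, request_id)
        return errs

    def _check_assertion(self, a, now, request_id):
        aid, skew = a.get("ID"), self.skew
        issue, ref = ts(a.get("IssueInstant")), a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
        subject, cond, authn = (a.find(f"saml:{n}", NS) for n in ("Subject", "Conditions", "AuthnStatement"))
        confirmed = False  # at least one bearer SubjectConfirmation must fully check out
        for sc in ([] if subject is None else subject.findall("saml:SubjectConfirmation", NS)):
            data = sc.findall("saml:SubjectConfirmationData", NS)
            if sc.get("Method") != BEARER or len(data) != 1:  # two data elements: malformed, ignore it
                continue
            exp = ts(data[0].get("NotOnOrAfter"))
            confirmed |= (data[0].get("Recipient") == self.acs and data[0].get("InResponseTo") == request_id
                          and exp is not None and now < exp + skew)
        nb = None if cond is None else ts(cond.get("NotBefore"))
        na = None if cond is None else ts(cond.get("NotOnOrAfter"))
        restrictions = [] if cond is None else cond.findall("saml:AudienceRestriction", NS)
        audience_ok = bool(restrictions) and all(  # each restriction must name us; any Audience in it may match
            self.sp in [(x.text or "").strip() for x in ar.findall("saml:Audience", NS)] for ar in restrictions)
        ai = None if authn is None else ts(authn.get("AuthnInstant"))
        errs = [msg for failed, msg in (
            (aid in self.seen_ids, "Assertion ID already consumed (replay)"),
            (a.findtext("saml:Issuer", namespaces=NS) != self.idp, "Assertion Issuer is not the configured IdP"),
            (issue is None or issue > now + skew, "Assertion IssueInstant missing or in the future"),
            # the Reference must point at this assertion's own ID; the crypto check of exactly this element is left to the DSig library
            (ref is None or ref.get("URI") != f"#{aid}", "Assertion has no Signature referencing its own ID"),
            (not (a.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip(), "Subject has no NameID"),
            (not confirmed, "no bearer SubjectConfirmation with valid Recipient/InResponseTo/NotOnOrAfter"),
            (cond is None, "Conditions missing"),
            ((nb is not None and nb > now + skew) or (na is not None and now >= na + skew), "Conditions window excludes now"),
            (not audience_ok, "an AudienceRestriction does not name this SP"),
            (ai is None or ai > now + skew, "AuthnStatement missing or AuthnInstant in the future"),
        ) if failed]
        if not errs:
            self.seen_ids.add(aid)
        return errs

# Constructed sample response (not captured from any real IdP); the clock is frozen for repeatability.
SP, ACS, IDP, REQ = "https://sp.example/metadata", "https://sp.example/acs", "https://idp.example/idp", "_req1"
NOW = datetime(2014, 12, 23, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1"
 Version="2.0" IssueInstant="2014-12-23T09:59:30Z" Destination="{ACS}" InResponseTo="{REQ}"><saml:Issuer>{IDP}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-12-23T09:59:30Z"><saml:Issuer>{IDP}</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID><saml:SubjectConfirmation Method="{BEARER}">
   <saml:SubjectConfirmationData Recipient="{ACS}" InResponseTo="{REQ}" NotOnOrAfter="2014-12-23T10:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-12-23T09:55:00Z" NotOnOrAfter="2014-12-23T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-12-23T09:59:00Z" SessionNotOnOrAfter="2014-12-23T18:00:00Z"/>
 </saml:Assertion></samlp:Response>"""

def demo():
    """Accept the sample once, then reject its replay and a copy with a second assertion injected."""
    chk = SamlResponseChecker(SP, ACS, IDP)
    first, replay = chk.check(SAMPLE_RESPONSE, NOW, REQ), chk.check(SAMPLE_RESPONSE, NOW, REQ)
    injected = SAMPLE_RESPONSE.replace("<saml:Assertion ", '<saml:Assertion ID="_x" Version="2.0" IssueInstant="2014-12-23T09:59:30Z"/><saml:Assertion ', 1)
    return first, replay, chk.check(injected, NOW, REQ)
```

Two design choices follow the SAML core specification rather than the lenient behaviour some of the tested services showed: every AudienceRestriction element must name the service provider while any single Audience inside one element may match (tests 28 to 34), and a SubjectConfirmation that carries two SubjectConfirmationData elements is treated as malformed and ignored, so neither ordering of tests 22 and 23 lets a wrong value through. `demo()` returns the three verdicts: the sample accepted once, then rejected as a replay, then rejected when an extra assertion is inserted in front of it.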

None of the tested cloud services fully complied with the SAML standard.

SAP and Salesforce did not reveal any severe problems which could lead to a significant exploit. Non-conformity to the specification might lead to the non-functioning of specific use cases, but can be justified in order to achieve broader compatibility with IDP products or might be argued with risk-based approaches.
Google Apps’ SAML implementation revealed several issues which could be leveraged in an attack scenario. The good news is that Google has rolled out fixes for these findings, which we were able to verify.
We especially thank the Google team for a valuable interaction and cooperation.

If you have questions or comments please let me know. We are also looking for other SaaS services, which might be of general interest to run the tests against.


Terms Of Use updated

English on August 24th, 2014

This is to announce a change in the SSOCircle Terms of Use which might affect both existing accounts and new user registrations to the public IDP. From now on we might block registrations with specific email addresses (for example disposable email addresses) and we will limit (currently 3 – subject to change) the number of user accounts registered to a single contact address.

Why the change? In the last months we have seen growing numbers of registrations used either for regular training classes and/or large-scale quality assurance test runs. Although we advocate this kind of usage, we consider it a matter of fairness for these companies to purchase either our hosted IDPee offering or to subscribe to SSOCheck API private. Both offer a hosted tenant where any number of users may be created. SSOCheck Private API even adds the opportunity of running additional compliance and security tests against SAML service provider deployments.

This decision was made to protect the investment of our paying customers and to keep the public IDP running as a free service – without annoying advertising.

Please note: Existing accounts not corresponding to the Terms of Use should be changed to be compliant. Non-compliant user accounts will be deactivated in the coming days.

If you have questions or comments, please contact us.


Impressions from European Identity & Cloud Conference 2014

English on May 22nd, 2014

What are the hot topics this year? What will be declared dead? These are the questions that always accompany KuppingerCole’s European Identity & Cloud Conference, which was held for the 8th time from 13.-16. May. The conference gathered more than 600 visitors from 35 countries, 150 international expert speakers and 50 exhibitors discussing the Internet of Things and the agile, connected business. After years of consolidation in the IAM industry it seems that this year more software and service vendors populated the floor space in the Dolce Ballhausforum in Munich. Almost half of the exhibitors were new compared to last year, demonstrating that there is still a lot of movement in the market and space for new players and segments – worth mentioning are the application security testing companies exhibiting this year at EIC.

No big surprise that the NSA scandal, Heartbleed and their implications ran like a common thread through many of the presentations, as they deeply impact the awareness of privacy issues in society and the information security business itself. It clearly demonstrates to the information security industry and its customers that protection from today’s complex threats cannot be accomplished by technical standards alone, nor by trust in the accurate, uninfluenced implementation of software and hardware products.

And what was killed? Was it the absence of the most provocative speakers like the highly esteemed Craig Burton and Fulup ar Foll? This year it was noticeable that the speakers were more reserved and cautious in their statements. Martin Kuppinger said: “If something is declared to be dead, it would be SIEM”, but not without adding in the next sentence that “Real-time Security Intelligence” is the next big thing. Ian Glazer, former Burton/Gartner analyst and now with Salesforce, one of the shining characters at the conference, killed IDM. Identity management dead? An astonishing announcement at an identity conference. But …, he only killed IDM in order to save it. According to him the “new” IDM must a) naturally integrate, b) be part of the business and c) be ready for the real world. IDM must evolve away from using Excel and CSV as the most important IDM tools and away from hierarchical modelling of relationships. Although not directly IDM related, I would declare the iPad dead. To me it was obvious that, compared to past years, most attendees were not using tablets to take notes but their more or less conventional laptops.

Like every year the conference lasted three days from Tuesday to Thursday and an additional workshop day on Friday. As always the agenda was fully packed from 8:30 to around 19:30. With up to 5 parallel tracks it is difficult to decide where to go. The selection of topics described here depends on my personal choice.

Of the four parallel workshops on the first day I visited the Kantara Initiative Workshop on “Consumer Identity – International Use Cases and Approaches” moderated by Joni Brennan and the OpenID Foundation Workshop on “Enterprise Application of OpenID Connect, Mobile Apps SSO, Account Chooser”. The Kantara Workshop described the evolution of today’s identity management requirements from perimeter IAM – the employees – to perimeterless federation and consumerization. The workshop introduced the Kantara certification program “Identity Assurance Accreditation and Approval Program”, which provides a trust status listing service, provider registry and whitelisting. Maciej Machulak showed a demo of UMA – User-Managed Access. The consent pages are similar to OAuth, but UMA does not necessarily require a close coupling between resource and authorization server, and other users are able to request access to personal data of the resource owner. For an overview of use cases visit the Kantara UMA case study page.
The OpenID Foundation Workshop held in parallel centered on the question of the adoption of OpenID Connect. Microsoft Azure Active Directory will support OpenID Connect. Yahoo and Google will support OpenID Connect next year, deprecating the OpenID 2.0 and OAuth 2.0 userinfo and scopes endpoints. Watch Google’s migration timetable. Interesting to note: although the OpenID Connect standard was finalized in February 2014, the single logout profiles are not. A discussion around that topic was started in the workshop, gathering the opinion of participants about three approaches, which need to balance cheap and easy implementation versus reliability and completeness:

  1. The current logout mechanism in the OpenID spec, with JavaScript at the client listening for state changes. A pattern optimized for Ajax applications, but it has drawbacks: active JavaScript listening is required and it doesn’t work if the browser tab is not active.
  2. Use of a logout page with embedded images/iframes linking to the relying parties – the approach Deutsche Telekom is using. The advantage here is the solution’s simplicity, which does not need JavaScript. The downsides are that the IDP has to track active sessions, it does not work when the browser is closed and, last but not least, you need these ugly logout pages.
  3. Notification over the back channel. Probably the most complete approach described here. It works even when the browser is closed. The main disadvantage is that the relying party needs logic to identify sessions by an explicit identifier, which causes scaling issues.

As usual the conference itself started with an afternoon of keynotes. One of the highlights is always Martin Kuppinger’s presentation. He started with a brief history of IT which led to today’s agile, connected business and the Identity of Things, which will be the hot topics of the coming years. He came up with his gloomy prognosis “Waiting for the disaster …”. To quote him: “Something will happen: hacking the connected car, running out of water and power and/or revealing your secrets.” He raised awareness that privacy needs security and vice versa. The title of his top trends slide was “The Digital Future Buzzword Bingo”:

  • Application Security Infrastructure
  • Information-Centric Security
  • Domain-Independent Security
  • Secure Information Sharing
  • Layered Security and the next generation Firewalls & AVs
  • Realtime Security Intelligence
  • Software Defined Environment/Computing Infrastructure
  • Secure IoEE (Internet of Everything and Everyone)
  • Future of Authentication & Authorization
  • Cloud IAM
  • Future of eMail Security & Privacy
  • Life Management Platforms

Another highlight of the conference was the presentation of Ladar Levison, the founder of Lavabit, talking about building a system that is secure against attacks from an attacker with quasi unlimited computing power and a pool of cryptographic experts. For more information on the Dark Mail alliance of Silent Circle and Lavabit consult the web site. The architecture and protocol specifications are currently under review and will be published by the end of summer. Quoting Ladar: “Publishing date depends on how many protocol holes will be found in the review – but he hopes he will not get so paranoid that he will never release it”. It will be interesting to watch how the technology is adopted in the coming years.

One of my personal highlights on day 2, besides the identity award ceremony, was the presentation by Paul Fremantle, the founder of WSO2, who proposed the Enterprise Identity Bus model as the solution to replace the failed single monolithic identity system. The tasks of the identity bus are to bridge between tokens (SAML, OAuth 1.0/2.0, OpenID, OpenID Connect), claims and claim dialects, and provisioning via SPML, SCIM, Salesforce, Google and other JIT variants.

In the evening KuppingerCole presented the winners of “The European Identity & Cloud Awards 2014” for the 7th time – this year only in 6 categories:

  • Best Cloud Security Project: NXP Semi Conductors
  • Best Access Governance and Intelligence Project: Banca Intesa Beograd
  • Best IAM Project: UK Ministry of Defense
  • Best Innovation / New Standard: Kantara Initiative: UMA User Managed Access (OIDC was finalized this year, but it already received the award in 2012)
  • Special Award: Best innovation for Security in the API Economy: IETF with JWT/JOSE
  • Lifetime Achievement Award: Ann Cavoukian for Privacy by Design

Award details are available at the KuppingerCole web site; for Privacy by Design please read the EIC presentation.

On day 3 one of the track topics was adaptive and risk-based authentication. The FIDO alliance was founded in February 2013 by 6 members and has expanded to 122 members today, clearly demonstrating the need for and interest in standardizing authentication. FIDO’s mission is to change the nature of online authentication by developing and submitting technical specifications as well as operating programs to ensure worldwide adoption. Current specifications are UAF – Universal Authentication Framework and U2F – Universal 2nd Factor, which can be downloaded from

Last but not least it is worth saying that the European Identity & Cloud Conference again was a success and well organized by the KuppingerCole team. Next year’s conference will be held from 5th-8th May 2015 at the same location.


Infosecurity Europe 2014

English on May 6th, 2014

Infosecurity Europe 2014, the gathering of information security professionals, was held from 29 April to 1 May in London. It is the largest event of this type in Europe.

You made it to London and, despite the Tube strike during the days of the event, you reached Earls Court. On entering the conference center you are overwhelmed by more than 325 exhibitors representing the huge portfolio the information security industry provides. Infosecurity Europe is mainly a fair, with companies of all sizes showcasing their products in on-stand presentations and creative set-ups like Pen Test Partners’ “Security Kitchen” or Ping Identity’s Lego mosaic “Keep Identities where they belong”.

But Infosecurity Europe is more than just that. Infosecurity offers keynote presentations, workshops and other educational courses.

The subheading “Security as a business enabler – are you fit for 2014?” highlights the growing awareness of security in organizations today. After the NSA scandal and the Heartbleed bug, not only tech people but business leaders painfully realize the limits of technology and the false sense of security.

In this context the Ponemon Institute and Thales e-Security presented the “Global Encryption Trends Study”, which surveyed 4,802 individuals across multiple industry sectors in eight countries: US, UK, Germany, France, Australia, Japan, Brazil and, for the first time, Russia. The research examined how the use of encryption and the security posture of organizations evolved during the last 9 years.

Citing the report, the big encryption trends over nine years are:

  • Steady improvement in the security posture of companies
  • Increase in the use of encryption as part of the Enterprise Strategy
  • Business units getting more influence in choosing and deploying encryption
  • Importance of compliance as the main driver decreases versus privacy considerations – although there is a big difference from country to country
  • Key management continues to be a challenge
  • Spending in encryption and key management increases

Next year Infosecurity Europe will be held from 02-04 June 2015 at a new location “Olympia”.


Impressions from European Identity & Cloud Conference 2013

English on May 26th, 2013

Big Data, life management platforms, extended enterprise++, fusion drive, dead standards and the identity silo relaunched: European Identity & Cloud Conference 2013 had lots of new and old topics. The 7th EIC was held for the 3rd time in the Dolce Ballhausforum from 14-17th May, gathering many digital identity thought leaders and making Unterschleissheim the identity capital of Europe or even the world.

As always the conference was well organized in a pleasant environment with a noticeable Bavarian touch. Exhibitors and visitors from 33 countries, 5 parallel tracks and 150 speakers gave insight into new trends in identity, access management and cloud computing. The number of visitors increased slightly compared to last year, with end users now representing the majority of visitors.

As usual the conference started with some half-day pre-workshops, continued with 2 ½ days of tightly packed conference and an additional workshop day at the end. KuppingerCole’s team of analysts was again growing, with Peter Cummings and Rob Newby, proven experts with practical project implementation experience, joining the team.

As in previous years the conference started with a series of keynotes from sponsors, customers and academics. The first keynote, delivered by Martin Kuppinger, was about identity and cloud trends and on “setting the right direction”. The three biggest trends were called the “Computing Troika“, which is made up of Cloud Computing, Mobile Computing and Social Computing. Information security receives more attention – it makes it to the 8 o’clock news – and is now a business success factor. “Risk” is the common language which aligns IT and business viewpoints. Identity and privacy incidents can massively damage the reputation of a company. For that reason IAM is closer to business than ever. The KuppingerCole BII is a business impact indicator for information technology which graphically indicates the value of a particular IAM technology in terms of business alignment, business enablement, cost savings and compliance fulfillment. The KuppingerCole CIO GPS helps you find your path in governance, privacy and data protection, and security. It shows which technologies are the best for achieving specific targets. Another topic that he discussed was the API Economy, also named the Extended Enterprise++, which reveals big potential for business enablement in the extended enterprise (business partners and customers).

What were the main topics in the conference?

Data Privacy and Protection Laws
With Karsten Kinast, an attorney concentrating on data protection and IT law, joining the KuppingerCole analyst team, a stronger focus on legal topics was obvious. Presentations and discussions on EU regulation shaped one track of the conference.

Big Data

Another big topic was Big Data. What is meant by Big Data in the IAM context? There is no exact definition available – something that we already know from the “cloud”. According to a track session of Mike Small and Sachar Paulus it is like a big data warehouse based on data that is publicly available. Big Data’s characteristics are:

  • Volume: according to an IDC report, 2.8 Exabytes of data were created in 2012
  • Velocity: lots of data events
  • Variety: can be text, voice, photos, video

Technologies used to deal with Big Data:

  • Hadoop: Map/reduce
  • Elastic map reduce (amazon)

And to deal with velocity:

And with variety:

  • natural language processing
  • Graph stores
  • XML stores

Why is Big Data handled in the conference? Transforming Big Data to smart data by analyzing and combining creates information and confidentiality problems. Existing access controls cannot be placed because you cannot define protection levels if you don’t know how and what will be processed and analyzed. Smart data becomes relevant as business can benefit from it by improving competitiveness or transforming products.

Life management platforms (LMP)

Life management platforms are the evolution of today’s social networks and personal data stores, which might be the result of the user’s wish to get more control over his data. Something which becomes more prevalent in times where everyone has the feeling that too much personal data gets collected by the Googles, Facebooks, etc. and used for their own consumption. In times where a SmartTV is able to track which programs you are viewing and Microsoft is reading your Skype messages checking hyperlinks that were sent, users see a need for a change. But the road to LMP also means a fundamental change in attitude from quick profit to trust.
According to a keynote from Craig Burton, the life management platform is not a product. It is extensible and API enabled, with privacy by design (proxy façade). An LMP is not a personal data store. An LMP is not a social network. It follows controlled push and informed pull with privacy controls. Controlled push means that a customer only provides controlled partial information of his data to a service, which ensures privacy. Informed pull describes the concept where a user requests information from different sources, guaranteeing confidentiality of the data towards competitors of the service. The success of LMPs hinges on vendors cooperating in sensitive areas – a schema must be defined. According to Burton’s rule of thumb, adding an element to a schema takes 1 year; adding 10 elements takes 10 years. A possible solution might be the Graph API. Microsoft’s cloud directory is schema independent.

European Identity & Cloud Awards:

One of the highlights of the conference is the Award Ceremony, which was introduced with the 2nd conference and was now held for the 6th time. Martin Kuppinger noted that this year a significant number of nominations were available, which emphasizes the increasing maturity in some of the IAM areas. He mentioned that a few years ago it was difficult to find successful mature projects.
This year prizes in 11 different categories were awarded:

1. Best Identity and Access Management project
Winner: Virgin Media represented by Paul Edmondson from aurionPro SENA: “Infrastructure for the Olympic Games: WiFi for the tube with high numbers of authentications every time a train is entering a station”

2. Best Access Governance and Intelligence Project
Winner Deutsche Bank – represented by Carolin Pfeil: “Manage complex SOD rules in a very large institution”

3. Best access Governance and Intelligence Project II
Swiss Re represented by Daniel Frei: “Dynamic access management, based on DirectoryX and Axiomatics”

4. Best Cloud Security Project
Evry represented by Anne Bergersen: “Multitenant IAM infrastructure in the cloud which brings together a way of identifying customers and citizens in Norway. Based on NetIQ”

5. Best approach on improving governance and mitigating risks
Universitätskrankenhaus Hamburg-Eppendorf represented by Juerg Staebler – IBV Informatik AG:
“Privileged account management in the health care industry leveraging Lieberman Software. Now using one-time passwords instead of plain text passwords. Project implemented in 3 days.”

6. Best innovation /new standard in information security
An obvious choice: OAuth 2.0 – the OAuth standard team represented by Mike Jones, Microsoft “new and influential it feels like it is around for a longer time”

7. Lifetime Achievement Award
Kim Cameron, Microsoft – evidently deeply moved by the award.

8. Special award: Bridging the organizational gap between business and IT
Volkswagen Financial Services represented by Marek Bingel: “Well-defined guidelines and processes which enable moving forward”

9. Special Award: Rapid and lean implementation of IAM/IAG
E.ON Global Commodities – represented by Carsten Mielke. “Governance project based on CrossIdeas”

10. Special award: Rapid re-design and re-implementation of the entire IAM
Schindler Informatik AG represented by Reto Tomasini and Gary Edward Stewart: “Identity provisioning infrastructure based on Quest Identity Manager”

11. Special Award integration of Provisioning and Access Governance in a complex banking environment
HypoVereinsbank represented by Ulrich Haumann: “Provisioning combined with Governance of a large number of applications based on Microsoft Forefront Manager”

In an interesting panel discussion with Craig Burton, Mike Neuenschwander, Gerry Gebel and Martin Kuppinger on the future of IAM, the panel quickly turned to a discussion on “dead standards”, a topic which became a running gag during the entire conference. Motivated by a blog article by Forrester’s Andras Cser, this year’s “dead standard” candidate number one was XACML (as basically all XML-based standards). Craig Burton stated that he does not expect to see a product deployment with XACML in its current form. Gerry Gebel retorted that AuthZ is very important and that XACML is working on JSON/REST profiles to move more towards APIs.

The topic of standards and their practical usage was continued in another panel session on the second day with Craig Burton, David Brossard of Axiomatics speaking for XACML, Darran Rolls of SailPoint for SCIM, Paul Madsen, Ping, for SAML and Michael B. Jones, Microsoft, for OAuth. Jones pointed out that OAuth 2.0 was designed with simplicity in mind as the 1.0 spec turned out to be too complicated. OAuth 2.0 is designed to use existing security layers like TLS, and by being REST-based the developer does not even need a library. Paul Madsen replied that the “S” in SAML does not stand for “simple” like in SCIM but for “security”. SAML sets the bar for the industry. And everything comes with a price – in that case 800 pages of specification. For security, SAML was historically designed to reflect the legal contract between parties. A question on the “liveliness” of AuthZ profiles within SAML was answered with the remark that a few years ago it was recognized that SAML is more suited for authentication and attributes; XACML is the better fit for AuthZ, and SAML and XACML work well together. David Brossard denied that XACML is losing attraction. He, as an XACML product vendor, is seeing more adoption, and the focus is now more on developers and on profiles to make XACML simpler. Darran Rolls replied to the question about SCIM versioning not being stable after transferring SCIM to the IETF that SCIM 1.1 can be implemented. A good conclusion was given by Paul Madsen on the question of what he would recommend to customers if they were asking for a specific standard: what fits best depends on the use case. SAML is not optimized for mobile; Ping would not push it for mobile. OpenID Connect may be a problem if the partners do not support it. SAML is definitely more widespread (a quick poll in the audience initiated by Pamela Dingle confirmed that). The best measure of the mortality of a standard is the number of deployments.
Someone in the audience added that a measure could also be the open source implementations available. SAML has several, XACML mainly for the 2.0 version, SCIM with UnboundID – but since OAuth is a simple REST-based protocol, it does not really need a library implementation.

People like Craig Burton, Fulup Ar Foll and others are always good for some catchy quotations. I noted some of them:

We need the hacker to stay in business.

If I BYOD, I have the right to install malware.

There are public APIs and DARK APIs.

OAuth and REST are the fusion drive for the API economy.

Banks and operators are too fat, lazy and rich to take the risk to compete with the Facebooks and Googles.

Some links worth mentioning:

Datownia, with an interesting developer use case demonstrating how APIs can be used to enable frictionless integration with Windows Azure AD and the Windows Azure Graph Store by using the Datownia system developed by Release Mobile Ltd.

Dutch authentication and authorization for legal entities: eRecognition

bwIDM: federation of non-web-based services such as HPC between the universities of the state of Baden-Württemberg; the solution is called FACIUS.

Consortium focusing on Trust in Digital Life.

FIDIS: Future of Identity in the Information Society

AZA – Native Authorization Agent: enabling mobile SSO cross native apps.

Topics I missed:
Not much about cloud crypto; new companies in this area were not represented at the conference.

My personal winner at EIC 2013:
OAuth 2.0: fast specification, quick adoption, feels like it has been around for a much longer time.

Last but not least: the European Identity & Cloud Conference 2014 will be held from 13 to 16 May. Guess where? In the identity capital Unterschleissheim. See you there.

Time for change: Is OpenAM or OAM the better fit for replacing OpenSSO?

English, OAM, OpenAM, OpenSSO on January 26th, 2013 No Comments

Once upon a time there was a computer company that loved open source software but they forgot to make money. Another big successful company came and bought the other. The big company did not like open source but they know how to make money. Since they already had similar closed-source software products, they decided to put the open source in second place. Quite understandable – remember they don’t like open source but they know how to make …

It is now more than 3 years since Sun was taken over by Oracle. Sooner or later, customers who invested a lot of work and money to implement and maintain their OpenSSO infrastructure must decide how to go forward with the product.

Oracle decided to put OpenSSO in maintenance mode. What does this mean? In the last two years a few updates/patches to the product were released, but no major release and no new features. There is no roadmap. For web policy agents it is even worse: almost no patch releases, no support for newer operating system versions. It does not mean that there is no support if you run into problems. But you first have to run into already known problems to file bugs and get a patch. Even for really critical bugs. That’s tedious …

Customers are safe and get support from Oracle if they don’t need new features, but at some point OpenSSO customers have to make up their minds and develop a migration strategy. The first software that comes into consideration will be ForgeRock’s OpenAM, a fork of OpenSSO, so the migration promises to be quite straightforward. The second thought would be to look at Oracle’s Access Manager (OAM). Oracle might have had reasons to abandon OpenSSO in favor of OAM, and Oracle normally does not leave its customers alone and offers tools for a smooth migration.

A decision in favor of OpenAM or OAM might be the result of different aspects. Technical people will primarily look at features and architecture. For business and strategically thinking people a close look at the companies behind the products might be important as well. On the one hand there is ForgeRock, a small but ambitious startup company, and on the other hand Oracle, the software giant, which promises more stability and investment protection.

ForgeRock started in 2010 when it became obvious that OpenSSO would not survive. Sun used to release Express versions of OpenSSO. Right before Express 9 was to be released, Oracle stopped the Express roll-outs. OpenSSO Enterprise 8.0 was at that time equivalent to Express 6 (today it is still this version with bug fixes and some minor feature enhancements, mainly in the web service security space). This was the time when ForgeRock stepped in, forked Express 9 and released their own version. In the beginning many people were skeptical whether ForgeRock would be able to execute. But after 2 years, backed by 7 million in funding from Accel Partners, they not only proved able to run the business, they also expanded the portfolio with OpenDJ (a fork of OpenDS, Sun’s Java based directory server) and OpenIDM (a self-written provisioning software).

There is not much to say about Oracle as a company. Let’s look at their access management software, Oracle Access Manager. The roots of OAM go back to Oblix, a company and a software product acquired by Oracle in 2005. If you have a closer look at OAM up to version 10g you will notice that the software architecture is quite different from what we were used to from OpenSSO. OAM had separate server processes written in C++ and did not have a central server-side user session; session information was stored in the cookie. In addition to OAM, you need to deploy Oracle Identity Federation (OIF) if you are using federation protocols like SAML 2.0 in your OpenSSO deployment. With OAM 11g things changed. The software is now implemented in Java (either written from scratch or ported). With that in mind, and if you take into consideration that the development from 11g to 11g R2 is catching up with features very dynamically, you can argue that OAM 11g is a 1.0 version and not very mature. The latest OAM release now also has SAML 2.0 federation capabilities built in, so you might not need to deploy OIF anymore, at least if you are only running a service provider and not an identity provider.

What are your thoughts, plans or experience for the migration? We are happy to take your input as a comment on the blog or through our contact form, as we are preparing a deeper look into the topic.

User attributes in the SAML assertion

English on November 30th, 2012 No Comments

It is nothing really new, but it was a missing feature in the administration GUI of our Public IDP: configuring which user profile attributes should be sent as an AttributeStatement in a SAML assertion.
The feature has always been there, but administrators had to open a service request to have attributes configured. Now you can select which attributes to insert while importing the Service Provider metadata. A sample is in the screenshot below:

Impressions from European Identity Conference 2012

English on April 25th, 2012 No Comments

This year’s European Identity & Cloud Conference took place from 17 to 20 April, with the last day being a workshop day to deepen some of the topics. The event is one of the most important IAM meetings in the world and continues to increase its impact. Almost 600 visitors from all over the world and 40 exhibitors amounted to 35% growth. As every year the vendor landscape showed some dynamics, with NetIQ acquiring Novell’s IAM business, ATOS taking over Siemens IT Solutions and Services (DirX), new rising stars appearing like ForgeRock, Symplified and The Dot Net Factory to name a few, Ping Identity expanding its presence and big companies like VMware participating for the first time.

The most discussed new topics this year have been “The Open API Economy” and “Life Management Platforms” (Personal Cloud).
API economy: most presenters agreed that open APIs are important to businesses today, as they can bring new business opportunities and allow cloud users to orchestrate their applications into mashups delivering the service that the business really needs. And for some companies it will even be crucial to provide APIs to stay in business. In Andre Durand’s words: “A business without a cloud API is like a door without a doorknob”.
Life Management Platforms provide more than a personal data store. They offer an answer to the need of people to share data in a very controlled and secure way. An example mentioned is the insurance contract number that needs to be accessed from abroad in case of a car accident. These platforms follow a minimum disclosure approach which is totally different from that of social networks a la Facebook as we know them today (remember: as soon as you have entered your information, the data belongs to Facebook). Life Management Platforms are expected to replace the existing social networks in a 10-15 year time frame.

For me one of the main take-aways of the conference is the fact that identity and information security now really matter. Finally they have arrived on the agenda of the boards.

As usual the conference started with a set of pre-conferences on Tuesday morning: Kantara Initiative Summit, OASIS and ISACA workshops and the OpenID community reviewing the status of OpenID Connect, OAuth 2.0 and Account Chooser.

The actual conference began in the afternoon with Martin Kuppinger’s keynote. The KuppingerCole team itself changed, with Craig Burton, Fulup Ar Foll and Alexei Balaganski joining as analysts and Tim Cole stepping back due to health reasons. In the absence of the charming, entertaining Cole the moderator’s task was taken over by Nigel Cameron, bringing a more rigid timeliness to the conference schedule.

The IAM world today is not characterized by fundamentally new aspects but undergoes a more evolutionary development. In his keynote Kuppinger described these changes as a development process from manufacturing to industrialization, which manifests itself in the need of IT departments to meet changing requirements. IT departments feel that they now must compete against external (cloud) offerings. This is similar to the pressure we know from outsourcing considerations, but with cloud computing becoming more prevalent the rivalry is more tangible. Kuppinger describes the new demand in his “IT Paradigm”, a standardized model for building future IT. The paradigm illustrates how IT departments can provide the services the business really wants by enforcing information security, mitigating risks and being compliant through an enterprise-wide governance approach.

According to KuppingerCole the Trends 2012 are:

  • Data Loss Prevention, which will be the number one topic for IT departments
  • BYOD (Bring Your Own Device) will continue to be an issue in 2012
  • Cloud computing standards like SCIM (Simple Cloud Identity Management) need to be supported by providers as cloud users’ demand for standards increases. But standards for authorization and auditing in the cloud are still missing
  • IAM will move to the cloud more than ever before
  • Continued breaches of trust providers, which will not be limited to digital certificate authorities
  • GRC, data governance and data loss prevention will merge as businesses realize that DLP includes data loss mitigation (what to do when things have happened)
  • Ubiquitous encryption will become a hot topic (encryption of all data everywhere)
  • Companies will start to redefine their IAM infrastructure to become future-proof
  • All mobile platforms will remain under attacks of all forms
  • Regulatory pressure is still pushing IAM and GRC

In the remainder of the first day the agenda’s tough schedule provided for a number of keynotes (9 keynotes without a break …) which brought the known and highly valued mixture of business and academic thought leaders as well as keynotes by sponsoring vendors. Speakers, some of them known from previous years, presented their viewpoints and vision. Enrico Mordini postulated “the new gold is identity”; Reinhard Posch reported on eID projects and their challenges, especially in cross-border usage (see STORK); Kim Cameron (“through a series of bizarre events and the fact that it is hard to retire” he returned to Microsoft) stated that the new cloud requires a new identity model: IDMaaS (Identity Management as a Service) is needed to assemble claims from multiple sources, and organizations will selectively expose their directories to other applications. “The cloud motor runs on identity”, he said. Supporting concepts: Microsoft U-Prove (remark: and IBM Idemix). Speakers from Cyber Ark presented on PxM, Shireif Nosseir of CA on the transformation of the security model, Peter Weierich of IC Consult on externalized authorization, Laurent Liscia of OASIS on evolving cloud standards, ID-Cloud (ID in the cloud) and TOSCA (portability for the cloud), Jonathan Sander of Quest, Barbara Mandl of Daimler on the consumerization of IT, Doc Searls about “free customers are the new platform” in contrast to the old captured customer (see the Kinetic rule engine and KRL, the cloud programming language), and Mike Neuenschwander, now with Oracle, and Patrick Parker, CEO of The Dot Net Factory, completed the spectrum.

The second day started early at 8:30 with three keynotes by speakers mainly from the banking sector and then split up into five tracks, one being dedicated to legal topics and one a round table discussion on consumer identity. As last year, the cloud audit track elaborated the need for cloud audit standards, which are required so that the customer is able to compare providers and otherwise remains unclear about what he really buys. A statistic was shown which measured the cloud readiness of countries concerning their legal and regulatory structure. The result ranks Japan, Australia and Germany as the first three countries. (Some references: Cloud Services Measurement Initiative – CSMIC, ENISA, ISAE 3402 replaces SAS 70, ISO/IEC WD TS 27017.)

In the afternoon and on the following day several successful examples of large scale federations were shown, which came mostly from the educational sector: the Danish federation with their own profile OIOSAML, WAYF as best practice in outsourced federation in Denmark, and REFEDs with an astonishing 27 federations, 1815 IdPs and 2755 service providers.

Craig Burton moderated a session with the provocative statement “Is SCIM a Scam?”, a very lively track with statements like “SOAP is dead”. Burton and the other participants came to the conclusion that SCIM is not a scam, because it is simpler than SPML (basically providing only CRUD operations and not trying to reflect the whole provisioning object model) and the specification work involved big names in the cloud like Google and WebEx, who are expected to implement SCIM for their services, contributing to make 2012 the year of SCIM.

In the Life Management track, Drummond Reed and Marcel van Galen presented on their services: VRM (Vendor Relationship Management), the personal cloud and relationship as a service.

The evening of day two concluded with keynotes from Andre Durand, Ping Identity (“IT problems are fractal: your job is never done” and “a business without a cloud API is like a door without a doorknob”), Eberhard Faber on challenges security managers should watch (bring your own device = bring your own vulnerability), Stephan Bohnengel of VMware, and the European Identity Award Ceremony.

European Identity Award Winners 2012

  • “Best IAM Project”: Siemens AG, Project HRS DirX, an IAM project that involves international deployments and leverages hybrid cloud environments.
  • “Best Access Governance and Intelligence Project”: Europol, the European law enforcement agency, received the award for a strategic IAM project with central auditing in a very sensitive environment.
  • “Cloud Security Project”: In this category two projects received the award: Daimler AG, consulted by IC-Consult, for a project that involves a hybrid cloud by reuse of existing infrastructure, and Sanofi S.A. for a federation project which was successfully implemented in a very short time frame using Ping Identity solutions.
  • “Best Approach on improving Governance and mitigating Risks”: Aeroport de Paris S.A., a Privileged Account Management project using Cyber Ark and Qualys.
  • “Best Innovation/New Standard in Information Security”: OpenID Connect for its elegantly simple design.
  • A new category was introduced at this year’s EIC: “The Lifetime Achievement Award for Identity” business: Prof. Dr. Reinhard Posch, CIO of the Austrian Federal Government.
  • Special award “Mobile Security”: Swisscom with MobileID, a product which uses SIM card security built on the ETSI mobile security standard. (Remark: in Germany a similar product was announced by Vodafone with “Secure SIM”.)

My unofficial award for the acronym of the year goes to a very old and well-known acronym: “API”. I never expected that APIs would get such an ineffable importance for businesses, not just application developers.

The third conference day started with presentations given by ATOS, Jacques Bus of the Digital Enlightenment Forum and Kai Rannenberg of the University of Frankfurt. Rannenberg lectured on a more privacy friendly Internet. (References: ABC4TRUST, an EU project on attribute-based credentials for trust and partial identities; ISO/IEC JTC 1/SC 27/WG; STORK; Microsoft U-Prove based on blind signatures and IBM Idemix based on zero knowledge proofs; ISO/IEC 24760.)

The tracks of day three gave insight into best practice experiences of IAM projects (e.g. the Province of Trentino), the use of open source in IAM, a real IAMaaS solution provided by Swisscom and an interesting panel with Craig Burton, Martin Kuppinger, Kim Cameron, Fulup Ar Foll and Steven Willmott from 3scale on “IT model and the API economy”, describing the openness cycle of APIs:
Raw Data → internal reuse → customer reuse → partners and distribution
with all steps providing value.

To summarize, the conference was all in all a very interesting and informative event and, as always, organized perfectly by the KuppingerCole team.

SAML Request Online Decoder / Encoder

English, Toolbox on March 31st, 2012 No Comments

SSOCircle Toolbox Part 3:

Continuing our series on field tools that help troubleshooting SAML federation problems, we are now adding an online decoder and encoder to translate SAML messages into readable text. In many cases you need to see what is in the SAML messages even if you have no access to the server’s log files. Although transferred via the browser, the base64-encoded and sometimes compressed (deflated) content is not directly readable.
The tools allow you to copy and paste the request into a form and decode the contents.
The following images show how to use the tool. Just copy & paste the contents of the request into the form. Use a tool like the Firefox add-on “Tamper Data” to log the request.

SAML Online Decoder : encoded text

Click on decode and switch to XML view:

SAML Online Decoder: decoded text

We use these tools often to see, for example, which attributes are in the assertion or whether constraints are set as expected.
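As an added example (not SSOCircle’s online tool and not code from the original post), the following stdlib-only Python script does offline what the decoder does in the browser: it reverses the base64 encoding of the HTTP-POST binding and the URL-encoding, base64 and raw DEFLATE of the HTTP-Redirect binding, then lists the fields one typically inspects: status, the validity window of the Conditions, the audience, and the attributes of the AttributeStatement (the same attributes an administrator selects at the IDP in the earlier post “User attributes in the SAML assertion”). The response XML, the issuer and service provider URLs and the attribute names are constructed for the example; a real IdP response also carries an XML signature, which this script does not verify.

```python
"""Decode/encode SAML 2.0 messages and summarize an assertion (stdlib only).

HTTP-Redirect binding: SAMLRequest/SAMLResponse is raw-DEFLATEd, base64-encoded
and URL-encoded in the query string. HTTP-POST binding: base64 only, in a form field.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (not captured from any real deployment).
# Issuer, ACS URL, audience and attribute names are placeholders.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2012-03-31T10:00:00Z" Destination="https://sp.example.com/acs">'
    '<saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-03-31T10:00:00Z">'
    '<saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2012-03-31T09:59:00Z" NotOnOrAfter="2012-03-31T10:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com'
    '</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="groups"><saml:AttributeValue>staff</saml:AttributeValue>'
    '<saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)


def decode_saml_message(value: str, url_encoded: bool = False) -> str:
    """Turn a SAMLRequest/SAMLResponse parameter back into XML text."""
    if url_encoded:
        value = urllib.parse.unquote(value)
    raw = base64.b64decode(value)
    # Heuristic: XML starts with '<' (POST binding); anything else is taken to be
    # a raw DEFLATE stream without zlib header (Redirect binding), hence wbits=-15.
    if not raw.startswith(b"<"):
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def encode_saml_message(xml_text: str, deflate: bool = True) -> str:
    """Inverse of decode: base64 (POST) or raw deflate + base64 (Redirect)."""
    data = xml_text.encode("utf-8")
    if deflate:
        compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = compressor.compress(data) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def to_redirect_param(xml_text: str) -> str:
    """Full Redirect-binding form: deflate, base64, then URL-encode."""
    return urllib.parse.quote(encode_saml_message(xml_text), safe="")


def summarize_response(xml_text: str) -> dict:
    """Pull out what one usually checks by hand: status, conditions, attributes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)
        ]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": conditions.get("NotBefore"),
        "not_on_or_after": conditions.get("NotOnOrAfter"),
        "audiences": [a.text for a in conditions.findall(
            "saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attributes,
    }


def within_validity(summary: dict, at_iso: str) -> bool:
    """Check a UTC instant against the Conditions window.
    NotBefore is inclusive, NotOnOrAfter is exclusive (SAML 2.0 Core)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    parse = lambda s: datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
    return parse(summary["not_before"]) <= parse(at_iso) < parse(summary["not_on_or_after"])


if __name__ == "__main__":
    param = to_redirect_param(SAMPLE_RESPONSE)          # as seen in a query string
    summary = summarize_response(decode_saml_message(param, url_encoded=True))
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("valid at 2012-03-31T10:00:00Z:", within_validity(summary, "2012-03-31T10:00:00Z"))
```

The script round-trips both bindings, so it can also be used in the other direction to build a test message for an encoder check. The `within_validity` check shows why the Conditions matter when troubleshooting: a clock skew of a few minutes between IdP and SP puts a correctly signed assertion outside its window and produces a rejection that looks like a signature problem.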

Stay tuned with more tools to come.

Securing Google Apps/Gmail – Part I

English on January 22nd, 2012 No Comments

In December Google announced the availability of SAML SSO and other APIs within the free edition of Google Apps. SAML had already been introduced for the premium/business and educational versions back in 2007. But now you can benefit from this feature to make access to all versions of Google Apps more secure.

This article has two parts. Part I describes how to secure access to Google Apps using SSOCircle IDPee with password-free X.509 client certificate authentication, which is a good countermeasure against the phishing attacks often used to capture username and password in order to gain access to your Gmail account. Remember the attack against U.S. officials’ Gmail accounts by phishing originating from China (see CNN: “Massive Gmail phishing attack hits top U.S. officials”).

Part II describes how to leverage certificates to encrypt and sign emails with a standard browser and Gmail. Take the next step to protect your email communication from everyone, including the service provider. Do all this with your standard browser.

This is what you need for Part I (Secure access to Google Apps):

  • Google Apps account (e.g. free Standard Edition)
  • SSOCircle IDPee account

Follow the steps below to configure the application. We assume you already have user accounts created at Google Apps and SSOCircle IDPee.

A. Configure Google Apps for SAML SSO

  • Log in to your Google Apps account as administrator
  • Go to “Advanced tools” and “Set up single sign-on”
Configure SAML SSO in Google Apps

  • Enter the fields as described in the screenshot
  • The certificate needed as a verification certificate can be downloaded from your IDPee at <my-hostname>

Google Apps SSO configuration screen

B. Import Google Apps configuration data into SSOCircle IDPee

  • Log in to your SSOCircle IDPee account as administrator
  • Go to “Manage metadata” and click “Add new service provider”
Manage SAML metadata

  • Enter the metadata of your Google Apps.

You can retrieve sample metadata on the SSOCircle web site and replace the string “YOUR_GOOGLE_APPS_DOMAIN” with the name of your domain.
Copy & paste it into the form:

Import Google Apps metadata

You will now see that your Google Apps metadata was imported properly, as shown in the following screen:

Service Provider metadata listing

C. Enroll certificate for your user account

Finally, after getting the Google Apps – SSOCircle IDPee integration in place, you now need to enroll for a personal client certificate. SSOCircle IDPee provides automatic enrollment pages for Firefox, Internet Explorer and Chrome. Read the following screens to see how simple it is:

  • Install your personal certificate into your browser by using the automatic enrollment page
Certificate automatic enrollment page

After clicking on the link for your browser a key generation and certificate enrollment page appears. Choose a key length that fits your requirements and submit the page. A process is started that generates a private/public key pair locally and submits a certificate signing request to SSOCircle IDPee. SSOCircle will sign the certificate and send it back to the browser for import into the local certificate store.
This is done fully automatically:

Certificate key generation and enrollment

The browser displays a message that the certificate issued by the CA was successfully imported. Now you are ready to authenticate to SSOCircle IDPee and Google Apps without a password sent over the wire. Just click on the three-locks symbol on the authentication page. A certificate chooser is displayed by the browser. Choose your personal certificate generated in the previous step and you are logged in …

X.509 certificate authentication

Cloud security made simple – SSOCircle. Contact us for more information.
