SAML Request Online Decoder / Encoder

English, Toolbox on March 31st, 2012 No Comments

SSOCircle Toolbox Part 3:

Continuing our series on field tools that help troubleshooting SAML federation problems, we are now adding online decoder and encoder to translate SAML messages into readable text. In many cases you need to see what is in the SAML messages even if you have no access to the servers log files. Although transferred via the browser the base64 and sometimes zipped content is not directly readable.
The tools:

allow to copy and paste the request into a form and decode the contents.
The following images show how to use the tool. Just copy & paste the contents of the request into the form. Use a tool like the firefox addon “tamper data” to log the request.

SAML Online Decoder : encoded text

Click on decode and switch to XML view:

SAML Online Decoder: decoded text

SAML Online Decoder: decoded text

We use these tools often to see for example which attributes are in the assertion or whether constraints are set as expected.

Stay tuned with more tools to come.

Tags: ,

Securing Google Apps/Gmail – Part I

English on January 22nd, 2012 No Comments

In December Google announced the availability of SAML SSO and other APIs within the free edition of Google Apps. SAML was already introduced for the premium/business and educational versions back in 2007. But now you can benefit from this feature to make access to all versions of Google Apps more secure.

This article has two parts. Part I describes how to secure access to Google Apps using SSOCircle IDPee with password-free X.509 client certificate authentication which is a good countermeasure against phishing attacks often practiced to capture user name and password in order to gain access to your Gmail account. Remember the attack against U.S. officials Gmail accounts by phishing attacks originating from China (see CNN: “Massive Gmail phishing attack hits top U.S. officials”).

Part II describes how to leverage certificates to encrypt and sign emails with a standard browser and Gmail. Take the next step to protect your email communication from everyone including the service provider. Do all these with your standard browser.

This is what you need for Part I (Secure access to Google Apps):

  • Google Apps account (e.g. free Standard Edition)
  • SSOCircle IDPee account

Follow the steps below to configure the application. We assume you already have user accounts created at Google Apps and SSOCircle IDPee.

A. Configure Google Apps for SAML SSO

  • Login to your Google Apps account as administrator
  • Go to “Advanced tools” and “set up single sign on”
Configure SAML SSO in Google Apps

Configure SAML SSO in Google Apps

  • Enter the fields as described in the screen shot
  • The certificate needed as a verification certificate can be downloaded from your IDPee at <my-hostname>.idpee.com/cert.cer

Google Apps SSO configuration screen

Google Apps SSO configuration screen

B. Import Google Apps configuration data into SSOCircle IDPee

  • Login to your SSOCircle IDPee account as administrator
  • Go to “Manage meatdata” and click “Add new service provider”
Manage Meta data

Manage SAML Meta data

  • Enter the metadata of your Google Apps.

You can retrieve a sample of meta data on the SSOCircle web site and replace the string “YOUR_GOOGLE_APPS_DOMAIN” with the name of your domain.
Copy & paste it into the form:

Import Google Apps meta data

Import Google Apps meta data

You will now see that your Google Apps meta data was properly as shown in the following screen:

Service Provider meta data listing

Service Provider meta data listing

C. Enroll certificate for your user account

Finally after getting the Google Apps – SSOCircle IDPee integration in place, you need now to enroll for a personal client certificate. SSOCircle IDPee provides automatic enrollment pages for Firefox, Internet Explorer and Chrome. Read the following screens to see how simple it is:

  • Install your personal certificate into your browser by using the automatic enrollment page
Certificate autmatic enrollment page

Certificate autmatic enrollment page

After clicking on the link for your browser a key generation and certificate enrollment page appears. Choose a key length that fits your requirements and submit the page. A process is started that gernerates a private – public key pair locally and submits a certificate signing request to SSOCircle IDPee. SSOCircle will sign the certificate and send it back to the browser for import in the local certificate store.
This is done fully automatically:

Certificate key generation and enrollment

Certificate key generation and enrollment

The browser displays a message that the certificate issued by the CA was successfully imported. Now you are ready to go to authenticate to SSOCircle IDPee and Google Apps without a password send over the wire. Just click on the three-locks symbol at the authentication page. A certificate chooser is displayed by the browser. Choose your personal certificate generated in the previous step and you are logged in …

X.509 certificate authentication

X.509 certificate authentication

Cloud security made simple – SSOCircle. Contact us for more information.

Tags: , , , , , , , ,

ServiceNow SAML SSO Online Demo

English on November 27th, 2011 No Comments

It is already a year ago when we published the article “Service-now.com: On Demand IT Service Management supports SAML 2.0″ which ended with the sentence “Looking forward for more to come …”

One year after we have set up an online demo showcasing SAML single sign on between SSOCircle and ServiceNow. With Google Apps offering office, email, calender, spreadsheet, etc, Salesforce offering cloud CRM and ServiceNow IT service management our demo “Cloudified Company” is becoming more and more reality.
The added value that SSOCircle offers is not only about a more convenient access to applications via single sign on but also about improved security by leveraging strong authentication means. Try it out by registering an user, enroll a X.509 client certificate and use it to authenticate to ServiceNow Online Demo and the other services in the Circle of Trust.

The ServiceNow Online demo is also a good opportunity to check out what the ServiceNow application is about. In this demo we are mapping all SSOCircle Public IDP users to one user with name “itil” at ServiceNow.

ServiceNow Application

A full list of our demo service providers can be found at Service Provider section.

Watch John Andersen’s video on setting up SSO between ServiceNow and SSOCircle. John is the integration expert at ServiceNow.

About Service Now:
ITIL v3 + Web 2.0 + SaaS = Service-now.com, a pioneer of On Demand IT Service Management, combines ITIL v3 guidelines with Web 2.0 technology to a Software as a Service offering.

Tags: , , , ,

OpenSSO / OpenAM Session Cookie Decoder

English, OpenAM, OpenSSO, Toolbox on September 18th, 2011 No Comments

SSOCircle Toolbox Series Part 1

Understanding the “iPlanetDirectoryPro” session cookie can be key to debugging problems like OpenSSO / OpenAM internal session rooting, persistence problems and misconfiguration.

The SSOCircle Toolbox OpenSSO / OpenAM session decoder: http://idp.ssocircle.com/sso/toolbox/ossoDProDecode.jsp

OpenSSO iPlanetDirectoryPro Decoder

The iPlanetDirectoryPro Cookie is used by OpenSSO and OpenAM to reference a specific user session. It consists of an unique random identifier marking the session, a base64 encoded extension part and a tail value. The Extension part itself holds information for internal session routing (some keys are optional and depend on the system architecture):

  • The Site ID
  • Server Instance ID
  • Storage Key for Session Failover (optional and not displayed by the tool)
  • Tail Value after the “#”  (optional and not displayed by the tool)

Tags: , ,

OpenSSO / OpenAM Password Encryption/Decryption

English, OpenAM, OpenSSO, Toolbox on September 18th, 2011 No Comments

SSOCircle Toolbox Series Part 2

OpenSSO and OpenAM store passwords (for example J2EE Policy Agents) encrypted in configuration files. If you need to encrypt a password without having access to the bundled encryption tools, use the SSOCircle Toolbox OpenSSO / OpenAM Password Encryption web tool.

And if you can’t remember what the password was and the only documentation you have is the configuration file with the encrypted service secret, use the SSOCircle Toolbox OpenSSO / OpenAM Password Decryption web tool.

OpenSSO / OpenAM Secret Decryption

Tags: , ,

Cloud Identity Summit 2011

English on August 21st, 2011 No Comments

The cloud conference in the clouds or at least close to the clouds took place from 18.-21. July 2011 in Keystone, Rocky Mountains, at an altitude of 2.830m. The conference was organized by Ping Identity, headed by Andre Durand who put a lot of passion into the conference and into the fostering of the “identity family”. Many Thanks to him, his wife and the Ping crew who made this event possible. Microsoft, Google and Covisint sponsored the event which started with two days of workshops and another two days of conference.

The conference offered a good mixture of technical oriented talks, companies views and analysts visions. The first thing I noticed was the absence of the “big” IAM software vendors. No visible presence of Oracle, IBM …   I am very relieved that other companies are now setting the IAM tone
especially after the disappearance of active players like SUN. These companies are now Ping, Google, Salesforce.com, eBay. I am not sure about the reason for the absence of the big players, but one reason could be that the focus of new trends in identity is more and more shifting to the consumer space. Especially the strong presence and activity of companies like Google, Salesforce.com and others emphasizes that cloud identity is now more and more an API identity topic.

Back to chronology:  In the first two days we had to choose between different workshops. Some of them were sponsored by Google, for others an additional fee was charged. The work sessions duration was 3 hours. Enough time to dig deeper in cloud identity topics. The workshop titles listed below give an overview on the “hot topics” this year:

  • Cloud Security 101; Gunnar Peterson from Artec
  • OAuth 101; Paul Madsen and Brian Campbell, Ping Identity
  • The essential XACML Primer; Gerry Gebel, Axiomatics
  • OpenID & OpenID Connect; Eric Sachs from Google
  • SAML Single Sign On 101;  John Da Silva, Ping Identity
  • SAML & OAuth with Force.com; Pat Patterson from Salesforce.com
  • Challenges of Consumer Identity in the Cloud; Mike Neuenschwander, Drew Clippard and Matt Randall
  • Windows Azure, Office365 and More;  Brian Puhl, Laura Hunterm Vittorio Bertocci from Microsoft
  • Securing & Connecting the Mobile to the Enterprise; Andy Zmolek from LG
  • Integration with the Google Cloud; Eric Sachs, Ryan Boyd and others from Google
  • XACML 3.0 and Hands On Cloud Authz; Doron Grinstein from BITKOO
  • Integrating PingFederate with the Microsoft Ecosystem ADFS/WIF/SP2010; Travis Spencer from Ping Identity
  • The Kantara / OpenID Summit

The conference agenda on day 3 and 4 was made of keynotes and two separate tracks on different topics. The presentation were all scheduled to last 30 minutes and there was plenty of time to network in the breaks, definitely a plus.

A very interesting presentation was held by Farhang Kassaei by Ebay talking on the “Role of Identity in eCommerce”.  Trying to answer the question about the the nature of commercial identity and a commercial IDP and how it differs from a social network identity and a social network IDP. Another question he asked was if one IDP can cover all range of identities. His answers described the identity from a view point of a  merchant: “Identity = Customer”  and identity management is not about SSO but easy on boarding, personalization, transaction, less risk and more security. Of importance to the merchants customer itself is: convenience, value, privacy control, less risk and more security. He pointed out that there is a real business value for merchants to have an (customer) attribute provider that dynamically supplies relevant information about a buyer (e.g. how many merchants have been shipped to the address of the buyer without complaints in the last 6 months) or an IDP that offers methods and techniques to identify that two identities are the same person (entity resolution) which is very important to detect fraud.

Paul Madsen’s presentation on Synergies “You  got SAML on my OAuth” demonstrated how much the portfolio of standards are interrelated and/or play together:

  • SCIM + SAML:  SAML binding for SCIM: SCIM can be used for a just-in-time provisioning through a SSO assertion which holds SCIM attributes. Or more simple by API right before SSO.
  • SCIM + OAuth:  OAuth can be used to secure SCIM API calls. SCIM can be used to provision accounts for subsequent OAuth based mobile access.
  • SAML + OAuth: Hybrids like OAuth token carried in SAML SSO messages. Or assertion profile that uses SAML assertions within OAuth flow.
  • SAML + OAuth + JWT: Use SAML assertion or JWT (speek: joot) for OAuth client authentication or OAuth grant type
  • OpenID + JWT OAuth: OpenID Connect adds identity layer on top of OAuth 2 and stipulates use of JWT for identity tokens
  • UMA + OAuth: User Managed Access extends OAuth 2 to manage access to distributed resources through a centralized Authorization Manager

Eric Sachs of Google “Time to Eliminate Passwords”  emphasized on the user experience aspect which is still in its infancy. Signing in to web applications in the majority of cases means typing in the user name (likely the long email address). Tedious compared to what we are used to in operating system logins (think of Windows 7, Mac, Chome OS login screen). Google launched the Account Chooser project: https://sites.google.com/site/gitooldocs/experiment—account-chooser
which tries to bring the OS login user experience to the web. Web sites who want to adopt Account Chooser will find implementation help by the Google Identity Toolkit GITKit.

John Shewchuk of Microsoft presented on his company’s view on Federated IT and Identity: Office 365 was launched in June in 40 markets and 20 languages and already 50.000+ organizations signed up in the first two weeks. Office 365 leverages Azure’s infrastructure capabilities and enables managed and federated identities. Directories are a critical enabler for federated IT but existing standards need to be modernized. The programmable directory principles need to model not only identity but federation of data, authentication and authorization. For more information take a look at OData and Facebook graph.

This is just a few randomly taken samples of presentation that I described. Lots of interesting presentation at the summit could fill the whole SSOCircle blog. If you are looking for more information on presentations given go to the Cloud Identity Summit web page http://www.cloudidentitysummit.com/Presentations-2011.cfm.

Bookmark summary:
www.simplecloud.info
oauthssodemo.appspot.com
account-chooser.appspot.com
Account Chooser Experiment
login-helper.appspot.com
www.odata.org
graph.facebook.com
openidsamplestore.com

P.S. The next Cloud Identity Summit will be held in Vail, Colorado on 16.-19. July 2012.

Tags: , , , ,

Impressions from European Identity Conference 2011

English on May 15th, 2011 No Comments

This year’s European Identity Conference (EIC2011), a fixed star in the digital identity world took place in Munich, Germany, from 10.-12. May and a supplemental workshop day on the 13th. As last year the conference also hosted the Cloud 2011. In terms of venue the conference made a leap into the future from the venerable Deutsche Museum to the Dolce Ballhaus-Forum, a modern hotel and conference center north of Munich. Needless to say that the conference was well organized by KuppingeCole and newly introduced supplemental offerings like the World Cafe unconference or a crash course in international privacy and IT security law.

Before diving into details my overall impression was that the identity community is finally reaching a state of reflection. Compared to last year, where I experienced a more enthusiastic atmosphere and speakers, the 2011 conference was strongly influenced by academics and organizations. Keynote topics like “where will identity be next year” and personal changes like that of Kim Cameron who recently left Microsoft inspired Jackson Shaw to present a retrospect bolstered thoughtfulness.

In addition the human part of identity is coming more and more into consideration. At EIC2011 we had the chance to listen to speakers like Emilio Mordini, a psychoanalyst and founding director of Centre of Science, Society and Citizenship or Stephan Humer, a sociologist from Berlin University of Arts whose presentations demonstrate that sociological aspects play a very important role in acceptance and success of digital identity and internet security.

We finally reached the social human being and not only the user account. identity acceptance development cycle, shown below, demonstrates these iterations which might lead to new rethinking and specifications.

This is a great achievement. In other areas it seems we are not at that point yet. Looking at the evolution of OpenID which is finally approaching a new level with OpenID Connect reinventing the wheel that SAML 2.0 already did but with less complexity replacing SOAP and XML security with REST and JSON. That looks to me like taking the first shortcut in the identity acceptance development cycle due to missing implementation acceptance at least in the consumer identity space. Listening to Barbara Mandl from Daimler revealed that there are also several instances of shortcut 2 caused by business not technical reasons. In summary there is still a lot to do for the identity community, despite that most technologies are mature, the digital identity in a social world is very complex and subject to change.

In my eyes the most dynamic fields are:

  • OpenID Connect
  • OAuth 2.0
  • XACML 3.0
  • SCIM

the integration of mobile devices as a whole and the formation and establishing of Trust Frameworks.

But continuing with details of the conference in chronological order. As always it is subjective due to my interests and the selection of presentations visited.

Day 1:

Preconferences:

The conference started similar to the years before with a set of preconferences. One of these was an update and overview of OpenID staffed with Eric Sachs, Google, David Recordon, Facebook, John Bradley, Nat Sakimura and Don Thibeau, OpenID Foundation, Mike Jones and Anthony Nadalin, Microsoft; The upcoming version of OpenID is expected for IIW in November and will be named OpenID Connect, the AB for artifact binding will be removed from the name. It’s goal is to make “easy things easy and harder things possible”. Its design is modular with focus on integrating mobile devices. It will replace the 3.5 years old OpenID 2.0 spec and will introduce some advanced concepts known from the SAML spec, like level of assurance similar to SAML auth context and session management, like single logout, but less ambitious than the one known from SAML 2.0. OpenID connect is based on OAuth 2.0 which itself will be finalized in the next months.

Announcements:

In a press conference Drummond Reed, known from his work on XRI, XDI, Information Card, OIX and OpenID foundation, launched a new start-up called connect.me. Connect.me is the first personal respect trust network in which you can vouche/vote for a person in a specific respect. With joining the network people agree to 5 principles called promise, permission, protection, portability and proof. Connect.me is not a new social network but constitutes a layer above other social networks. By vouching for a person at http://vote.connect.me you are giving a person “trust points” for a specific respect. For me this is comparable to the seller rating in ebay. I am curious to see how this will develop and if we all get personal ratings in the new future. I expect that in next year’s EIC agenda there will be the rating mentioned right behind the speaker’s name. We will see if leaving Microsoft will change Kim Cameron’s rating from AAA to AAA+ or AAA-.

Keynotes:

As usual Martin Kuppinger gave the opening notes with an overview on the the hottest topics which are:

  • Cloud Computing
  • Information Security
  • Business-driven service management (far more than ITIL)
  • Make BYOD secure

BYOD stands for “bring your own device” and reflects that many employees nowadays want to use their own private devices (iPad, iPhone etc) in business. This poses a new thread on corporate security.

Cloud: In cloud computing more standards will evolve and there will be no success without security. Recent security breaches like SONY or Amazon give us a new awareness of users, company CIOs and politics that accelerates the development.

GRC: continuing progress towards one GRC for business and IT. Regulatory pressure will reach other industries.

IAM: PxM, privileged x=(Access,Account,Identity, User) Management, is the important topic in 2011. Externalization of authorization is becoming reality and versatile authentication will become more widespread. The RSA breach as one of the reasons.

Mobile:

BOYD as a new phenomena and the circumstance that the built-in security is not sufficient. Kuppinger compared the security of mobile devices to the security standard of PC in the 80s.

CIO key topics in 2011 will be

  • How to make the cloud part of the IT
  • How to enforce and privacy protect data (SONY)
  • How to reach enterprise GRC maturity
  • How to reach governance
  • How to optimize investments and close gaps
  • How to improve information security

First day keynotes on “the future of identity” continued with presentations by Laurent Liscia, executive director of OASIS, Wolfgang Hirsch of Siemens IT solutions, Maurizio Griva of Reply. Kim Cameron’s keynote was canceled and replaced by an interview in which Tim Cole eagerly tried to get information about Cameron’s real reasons for leaving Microsoft. Was it Microsoft’s recent strategy? No answer from Cameron except a comment expressing his feelings: “hey man, I am feeling so free”. Jackson Shawn (Quest Software) keynote directly influenced by Cameron’s “retirement” gave a retrospective of the development of identity from 1991, 1996, 1999 and a forecast how it may look like in 10 years from now. Illustrated with photos from Cameron and him as they were close fellows all these years. Shawn said that the start-up companies he is watching right now are Oka, Biznet3, SecureAuth and Symplified.

Prof. Reinhard Posch, CIO for the Austrian Government, presented on eID cards and the cloud and Jörg Asma from KPMG gave his view on future hot topics: Facebook as an identity manager and application hoster. Cloud computing driven by the use of devices like iPad etc. BYOD, the use of private devices for business purposes. Interesting his statement from HR on attracting new talent: today you don’t need a fancy car to attract new hires but cool lifestyle devices like the iPad or iPhone.

Day 2:

Starting with three keynotes from Dave Kearns on integrated identity management, Rolf von Rössing, VP of http://isaca.org. ISACA is an independent , nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Framework examples are: Cobit 5 bringing the GRC frameworks to the public, Risk IT, Val IT and BMIS. Professor Eberhard von Faber presented on froward strategies to protect corporate data in the cloud: Encryption is important to protect data in the cloud but has its limitation in server side batch processing for example in BI systems.

Alternatives are homomorphic encryption, not now but maybe in 10 years, or peudonymisation which can solve some problems. [Remark: fully homomorphic encryption is a encryption in which a service provider can operate (add, multiply) on the encrypted data without being able to decrypt data. That means a cloud service can work on data without knowing it.] Other means to secure the data are database encryption and database activity monitoring. Access restriction only protects from outside. Most service provider lack in protection from inside attacks. Limiting access to data (e.g. by terminal server or not having full access to “data files”) and EDRM (enterprise data right management) as well as VPN against eavesdropping and protection against access of data from other tenants are important. Securing the cloud isn’t easy. It still need to be easy to use. User awareness, control and monitoring are key for successful cloud deployments.

Breakout:

The conference offered four parallel tracks from which I selected the Directory & Federation track. Martin Kuppinger gave an introduction with the statement: you cannot make federation which relies on data quality if you do not have your directory in order. Federated directories are a solution to that problem as the single directory does not work due to complexity and privacy. Here comes virtual directories or cloud directories into play, whereas use cases for the latter are authentication of customers, directories for specific applications or the migration of in house directories to the cloud. Kuppinger expects directories in 2020 being similar as they are today.

I was surprised seeing an overcrowded room when visiting “How to authenticate for the cloud”. A panel discussion lead by Sebastian Rohr with Judith Little, CloudID, Mark O’Neill, Vordel, Travis Spencer, Ping, and Tom Stewart, SecureAuth. The better way to do the authentication to the cloud is to authenticate internally and then federate to outside. This will increase adoption as too much different methods lack user acceptance. Authorization to the cloud is still difficult to handle as there are mainly proprietary methods used.

“Federation lessons learned” with Matthew Gardiner, CA & Kantara, Nishant Kaushik, Oracle and Travis Spencer, Ping, concluded that federation is now main stream. Success of facebook connect demonstrates that federation still profits from the federated SSO use cases but that reinventing over and over with new technology is problematic. A business sponsor and a aligned strategy is needed. One question asked by Mike Small was if there is a reason to not use federation. Spencer answered that there is no reason except there are some use cases for mobile devices with limited capability that can be overcome by OAuth or WS-*. Cloud business becomes a major driver for federation which does not stop at SSO. Provisioning, authorization and audit are getting more and more important.

Cloud standards adoption track: in the absence od Laim Lynch, eBay, Mike Small gave an introduction to the topic. Analyzing the risks in cloud computing. Starting with the risk of vendor locking which is more prevalent with SaaS than with PaaS or IaaS. Other risks are “Legal risk: contract”: we need a trusted standard for a provider contract; “Loss of governance”: standards for provider certification and auditing required; “Privacy legislation”: standard how well a provider meets privacy laws; “Impersonation”: is user name/password sufficient?; “Insider abuse of privilege”, “Management Interface”; “Ineffective data deletion” ; “Poor authorization model”;

Mike Small also pointed out that current cloud provider assurance frameworks are far too complex with 148 control points. He introduced a star rating method scoring the major controls reducing the list to 5 basic and 11 risk factors.

In the evening Kuppinger and Cole presented the annual European Identity in several categories:

  • Cloud provider offerings
    • WSO2: multi tenant identity as a cloud service with OpenID and XACML support build on open source
  • On premise to cloud migrations
    • NHS Trust/ King’s College London: Secure infrastructures for researchers
  • Identity and Access Management
    • BrokerGate : Secure federation broker for insurance brokers to manage federations instead of managing all users
  • Integrated identity & access management
    • Telefonica O2 Czech Republic: successful deployment of a large scale IAM implementation covering provisioning, sso, audit, efficient application on-boarding and more
  • GRC
    • BT managed fraud reduction service: shared service providing real-time assessment of online transactions and analyzing fraud
  • Privacy
    • Qiy: Innovative approaches to manage the personal identity in the internet
    • connect.me: recommendation network
  • Identity related e-government project
    • Postecom CECPAC: certified, free email platform open to all Italian citizens for their communications with public administrations
    • Finland: Tunnistus.fi/KATSO: government to citizen/business services established in Finland now used by more than 70% of the Finnish companies
  • Influential standardization efforts
    • XACML 3.0: standard driving the externalization of security out of application for centralized management and control
  • Special award entitlement management
    • State of California: tax service based on external authentication and authorization using XACML 3.0

Day 3:

Three keynotes from Niels von der Hude, Beta Systems, Emilio Mordini, CEO of Centre for Science, Society and Citizenship, and Barbara Mandl from Daimler.

Mordini, a psychoanalyst, presented on the secrecy in the post wikileaks era. He elaborated the meaning of secrecy, s.th. hidden, kept separate from other things and invisible or unspoken. He asked the question: Do we still need secrecy in modern information society? His answer: we need secrecy and publicity and compared that to the life in a small village: everybody knows where you are, who you are what you are doing. But people do that with discretion: they pretend to ignore knowing the information. He concludes that ICT should address access rights. But strong data protection and security are often useless. True power is not to remember and to be remembered but forget and to be forgotten.

Back to reality: Barbara Mandl pointed towards the real problems a global corporation is confronted with. Data protection requirements in Germany, the US or Japan are total different. For example in Japan the working counsel supports to store and evaluate log in and log out times in active directory. Federation itself is not a solution as a whole. Contracts with every supplier and contracts for special applications pose challenges to legal departments. Both on Daimler and supplier side.

She also pointed out that things that work perfectly in private space, (e.g. security awareness in private online banking) due to protecting own belongings. But: the same people do not care about these things at work.

Legal track:

EIC offered a three hour crash course on international privacy and IT security law for IT professionals which compared the data protection legislation in the EU, the US and China and gave an introduction to the European legal requirements for data protection, IT security, encryption and audit. I remember a tweet saying: “It seems like two words can dissolve all the reputedly strong EU privacy & data security protections: contract or consent “. And that is exactly the point: opt-in rather than opt-out.

In another track on privacy Stephan Humer, Berlin University of Arts, presented on the sociological aspects of eID cards: technical people are problem centered. Normal people are not necessarily, they might act chaotic …

A talk from Maarten Wegdam, Novay, and a panel discussion analyzed topics like “Consumer and citizen identities; Governmental issued or trust frameworks? and “Identity assurance frameworks are now upon us. But what are they good for?”.

In the best practice track the winner of the EIC award “BrokerGate” reported from their project setting up a SAML identity provider service for 10.000 brokers and 20 insurer (final goal) in Switzerland with versatile authentication methods. In a final presentation Vassilia Orfanou from EUReID, the pan-european network of eID practitioners introduced the platform to consolidate documents and information, support networking and exchange of information related to eID projects in Europe: http://ePractice.eu.

Final words: a very successful conference and thanks to KuppingerCole for a perfect organization and composition of interesting topics. For interested readers: the European Identity Conference 2012 will be held on 17-20. April. So the fixed star has moved a little bit.

Tags: , , , , ,

Service-now.com: On Demand IT Service Management supports SAML 2.0

English on November 29th, 2010 No Comments

ITIL v3 + Web 2.0 + SaaS = Service-now.com, a pioneer of On Demand IT Service Management combines ITIL v3 guidelines with Web 2.0 technology to a Software as a Service offering.
As we have seen in many cases customers of SaaS providers are increasingly asking for identity and access management features for convenience and security. To meet this requirements Service-now.com added SAML v2 support to their Spring 2010 release. This is in line with what we have seen at other important SaaS players like Salesforce.com who added SAML 1.1 support in the Summer 2008 release and SAML 2.0 later. Demonstrating once more that SAML 2.0 is a must-have in the enterprise SaaS world.

If you go to wiki.service-now.com you’ll find an article on “Embedded:SAML 2.0″ the functionality added by the SAML 2.0 Single Sign-On plugin. The article explains in detail how to configure Service-now.com to use SAML authentication and outlines the Single Sign On and Single Log-out request flows in sequence diagrams.

Service-now.com uses SSOCircle as the sample Identity Provider. One more time a service provider is using our free SAML 2.0 identity provider service as a test platform of choice. Ensuring that their service is compatible and runs out of the box with SSOCircle.

Citing from the wiki the next release of Support-now will support deep linking with SAML 2.0 and processing of signed SAML requests.
Looking forward for more to come …

Tags: , , , , ,

Single Sign On to the Game Portal Spellenmug

English on September 30th, 2010 No Comments

The board game portal www.spellenmug.nl offers several options for single sign on.  Most of them are OpenID based. Only one  leverages SAML v2:  the only free, open and public SAML V2 Identity Provider SSOCircle.

SSOCircle IDP has now more than 250 integrated SAML v2 service providers in its SSOCircle of trust. Although many of them are developing and testing applications and some do not allow us to use them as a reference, we believe that this is one of the largest and most active circle of its kind.

Tags: , , ,

Market Profile Identity Management 2010

English on August 4th, 2010 No Comments

Burton Group, acquired by Gartner, Inc., recently published their IdM Market Profile report: “Identity Management 2010″. A very interesting report that not only described the current market but outlines the changes and the future trends IdM is or will be going through.

As there is still unclaritiy on what we generally understand by “IdM Market”, Burton group’s report starts with the definition of what the “IdM” Market is composed of:

  • Active Directory Bridge
  • Directory services
  • Enterprise single sign-on (ESSO)
  • Federation
  • Fine-grained authorization
  • Identity and access governance
  • Identity assurance
  • Privileged account management (PAM)
  • Provisioning
  • Stronger authentications
  • Web access management

IdM is now a wide portofolio and not, like some people still may think, only account provision software. When it comes to delivery options for software, Burton Group stated that new options are becoming more commodity. Citing from the report “Vendors have begun to become more creative in their delivery of product to customers. Vendors have begun to offer:

  • Subscription licenses
  • Appliance (both physical and virtual) delivery options
  • Software as a service or hosted delivery options”

and important to mention from our perspective:

“A few vendors have begun to focus on the problems of using identity services from the cloud as well as identity services to and in the cloud.”

Burton’s conclusion:
“The growing identity management market is vibrant. Constantly consolidating yet never consolidated, the IdM market is mature, but that maturity is unevenly spread across the market’s sub-markets. New entrants and approaches have continued to appear, and a number of them are focused on the emerging problems that the cloud poses from an identity perspective. …”

One part in “Burton Group’s Opinion” is exactly what we experience in real life projects:
“Although enterprises have expressed to Burton Group that their needs have outgrown the most mature parts of the IdM market, Burton Group has observed fantastic growth in those same market segments. This indicates that even though architects and identity teams can be fascinated with newer, shinier technologies, their enterprises still have basic identity needs such as user provisioning and WAM.”

When describing the market landscape Burton Group’s describes what SSOCircle propagates as a very important aspect for a while: Idm Is increasingly seen and preparing itself to work in concert with other markets, namely of:

  • Business process management (BPM)
  • Data leakage prevention (DLP)
  • Risk management
  • Security information and event management (SIEM)
  • Service management

Read the detailed report at “http://www.burtongroup.com/Research/PublicDocument.aspx?cid=1990″

Tags: , , ,