Single Sign On to Salesforce online demo

English on October 11th, 2009 1 Comment

Recently Salesforce.com added SAML 2.0 support. We have launched a sample that allows users to single sign on to Salesforce with their existing SSOCircle account. The individual account is mapped to a group account (due to our limitation in Salesforce users).

Just click on the IDP initiated SSO link and you will be prompted to sign on to SSOCircle (if not already in session).

Great to see is the integration of Google Apps into Salesforce.com. Just click on the sign-on link in the chat window and SSOCircle does the SSO magic behind the scenes (sure – you need to have an SSOCircle Google Apps account created beforehand).

Salesforce.com is checking for your IP address for additional security. Access from IP addresses not explicitly allowed must be confirmed by the user. If you experience this in the demo, please contact us.


New SAML enabled blogging system launched

English on August 2nd, 2009 No Comments

Visit our new SAML 2.0 enabled WordPress blogging system, where we moved all our articles from the former news section. You have to log in with your SSOCircle account to leave a comment. We also added some newsfeeds from interesting blogs on identity. We hope that it will be a useful source for all the identity-minded. The WordPress plugin is a derivation of the simpleSAMLphp plugin of David O’Callaghan. Thanks to him for getting us started.



SSOCircle launches German Language Portal

English on July 5th, 2009 No Comments

SSOCircle is now available in German at www.ssocircle.de. We will add support for more languages as demand grows.

Impressions on European Identity Conference 2009

English on May 9th, 2009 No Comments

European Identity Conference 2009

Listed in reverse chronological ordering and with focus on SSO, federation and authorization topics.

My conclusions:

A very well organized conference from Kuppinger Cole and partners. Many distinct persons attended, presented and discussed in panel sessions. Visiting the conference is a must as it is the leading identity conference in Europe. Many thanks to Kuppinger Cole for organizing it.

After returning home my personal impression this morning is that I had been traveling to Babylon. I heard many people speaking about GRC (governance, risk, compliance), claims and attributes, authorization and externalization of authorization decisions, RBAC and ABAC and XACML, not to mention DABBOPDS (differentiated app behavior based on permission data sharing). Is this the way to go? In most of the keynotes I visited on GRC the presenters were doing their best to answer what GRC is, especially in the context of IAM. Have we seen a satisfying answer? In the presentations on Geneva it was always necessary to clarify what “claims” are and how claims differ from attributes, if they differ at all. I noted the best definitions I heard:

  • a claim is an answer to a question someone would ask to grant you access to something
  • a claim is a rated attribute
  • a claim is a statement about someone made by somebody else; in some special cases someone and somebody else can be the same person …
  • a claim can be a privilege or a simple attribute or it can be a role

I guess we are still some way from mutual understanding. I’ll side with Tim Cole’s ruminative closing note, where he asked: how can the identity challenges be solved for the cloud if today there are so many unanswered questions in the “small” enterprise world? Elaborating a little more, I would say we are making it hard for ourselves if we do not come to a simpler and clearer approach. I guess simplicity is key, more than ever.

Looking in more detail at the SSO and federation field: when we started SSOCircle in 2006 we were convinced that the federation protocols had finally converged on SAML 2.0 and that it was just a matter of time until the mainstream breakthrough. Basically SSOCircle has always had the ambitious goal of helping to accelerate the take-off. Reflecting on the last three years, we saw OpenID skyrocketing from scratch, which had a good reason: simplicity. With OpenID 2.0 we notice this advantage going away, and it is becoming even more complicated than SAML. Now we are facing interesting times with the coming Geneva server, which plugs into Active Directory, pushing the infocard technology, and with Microsoft getting collaborative by supporting SAML 2.0. Considering the market share of Active Directory and the very pragmatic approach of Microsoft, which leaves a lot of problems unsolved for the moment (thinking of the missing solution for storing infocards for roaming users, or that there is no way of combining claims from different infocards), there is a good chance of success. I am comparing this to the discussions around the https and shttp protocols in the mid 1990s, where many people had many reasons why shttp was the better solution for securing web traffic, but Netscape pushed https through due to their browser market share at that time and the simplicity that http over SSL had and still has. Without https the commercial internet would not be where it is now. I am curious to see the impact the release of Geneva will have. RTM is expected for the second half of 2009. Maybe the European Identity Conference 2010 will be the right moment for an early benchmark.

Now you’ll find some comments on some of the sessions I visited, in reverse chronological order:

day 4: workshop day

Friday was dedicated to workshops on several topics. One of them was on XACML, held by Babak Sadighi and Ludwig Seitz from Axiomatics. A very didactically structured training that started with an introduction to access control lists, capability lists, group based, role based and attribute based access control. Sadighi pointed out that the difference between role and group based authentication is “role activation”, which means that you can dynamically decide to act in a specific role. They then dug further into the XACML 2.0 standard and the additions XACML 3.0 (currently in draft) will bring, basically the concept of hierarchical administrative policies that help leverage administrative delegation.

day 3

Dipping into the world of identity systems and claims: Vittorio Bertocci from Microsoft answered the question of the definition of “claims” with: a claim is the answer to a question somebody would ask you to allow you access to a specific task. It can be a privilege or a simple attribute. Ariel Gordon, Microsoft, detailed that after being asked about the difference between a claim and an attribute. He said a claim is a rated attribute. In their presentation, Liam Lynch and Upendra Mardikar described the shift from identity 1.0 to identity 2.0, where in their understanding behavioral checks and reputation play a major role in authentication and authorization. He mentioned that eBay has to evaluate 20 TByte of logfiles a day to do risk analyses. A “real time” behavioural analysis might ease this problem. He encouraged participation in the cloud security efforts that you can find at cloudsecurity.org.

A panel session moderated by Dave Kearns discussed the topic of authentication beyond passwords: tokens, biometrics and others. These methods all have their pros and cons. From case to case one has to decide what the value of the protected resource is to justify the method used. A good way would be to have a single sign on solution protected by strong authentication, to limit the number of tokens used and to reduce the overall costs, Jackson Shaw of Quest Software mentioned. By the way, this is one idea behind SSOCircle. You can find authentication methods from user name/password, X.509 certificates in software or hardware tokens, OTP tokens, Swekeys and soon the award-winning Yubikey. The topic led to the next panel on context based authentication, where Dave Kearns was asking the 6W+1H question of who, what, when, where, which, how and why that may influence the decision to authorize access. While the first six may be answered by technical means, there is still the question of why a user is doing a specific action. Another proof that the big questions of IAM cannot be answered by technical means alone.

In Tim Cole’s closing note he asked the question: how can the identity challenges be solved in the upcoming cloudy IT if today there are so many unanswered questions in the “small” enterprise world? He asked who will be the Google of the identity context. Google? A little pity that Google wasn’t present to demonstrate their vision of cloud identity. We are all looking forward to finding answers to the open questions. A great conference. Well done Kuppinger Cole & Partners.

day 2

Felix Gaethgens gave an overview of the mess of authorization and entitlement management today, which starts at role based authorization (RBAC) and goes to attribute based authorization (ABAC), of which XACML is the most prominent representative. His presentation was the foundation for the succeeding talk and a very interesting panel discussion. It was emphasized that the role based model is too coarse to be applied to all business rules; one example was given: an employee of an insurance company who is also a customer became ill, and a colleague sitting next to her in the same office had access to her medical record in her business role as insurance consultant. There is a need to take context into account to decide whether a person should be authorized for a particular action. This is what leads to a very fine-grained definition of elementary claims/attributes and not to the definition of uncountable roles by combining all variants of claims into new roles. Another eye-catching aspect is the externalization of entitlement management from within an application to a central system. This is a point all speakers agreed on, but obviously such an architecture brings up the question of performance. How can an application work performantly if for a single task the application has to request hundreds of attributes and policies? This is where things become unclear and unsolved. The same applies to the question of how XACML can solve the problem, as it is a policy language but doesn’t solve how to access the policies. There need to be different solutions according to the problem and the audience. There should be a solution for simple internet based web 2.0 applications in a very simple, say RESTful, way, and there must be more sophisticated solutions for environments like the financial industry etc. APIs are definitely not the preferred way here. But all participants agreed that there would be at least an improvement if all vendors worked together and put their applications on the same foundation of a policy language like XACML. Seems like a simple, obvious first step. But in reality it seems to be a difficult one.

In his presentation on real life federation deployments, Chris Harvison from Scotiabank explained the difficulties they faced in utilizing federation in the Canadian banking sector and how difficult it is to convince service providers to implement federation protocols, as these companies do not see this as their core business. He mentioned that only an agreement between the Canadian banks (fortunately there are only 4 chartered banks) finally forced the service providers to do so. The same applies to an effort within the German automotive industry, where companies formed the SESAM project, as Wolfgang Jodl, BMW, mentioned in his session. Harvison also mentioned how the virtual federation concept of OpenSSO and the Fedlet eased their efforts. Daniel Raskin added that the Fedlet is supported through OpenSSO enterprise support. So if a company with a support contract gives out the Fedlet to a partner, the partner can call Sun and receive support. By the way: an SSOCircle Fedlet will soon be downloadable from our download site. Besides our CGI and lightbulb samples this is another way to easily integrate with SSOCircle.

Joost van Dijk gave another presentation of a successful deployment: the SURFfederatie project, a federation service for Dutch higher education. As they had formerly developed their own federation protocol, A-Select, and they didn’t want to limit the federation to a single protocol, they deployed a federation protocol gateway based on Ping Federate. They provide their offering as “identity as a service”, which leads to the next panel session on IaaS. Up to this point I had been missing participants from Ping. Last year Andre Durand and Patrick Harding were attending, and I remember Andre Durand’s words when he was asked how Ping as a niche vendor could survive among all these big players like IBM, Sun, Novell and Oracle; he answered: we will see whether we are still here in 2-3 years. With contentment I noticed Marc Llerandi from Ping Identity taking part in the IaaS panel session. Actually IaaS is something SSOCircle has been pushing for more than a year by introducing IDPee, a hosted IDP. The advantages are obvious: leave the complexity of operating and managing an identity provider to specialized providers and save money and hassle. We will see how this business evolves when people get used to the idea of outsourcing their identity management. Good luck to all these pioneers.

European Identity Award winners:

  • Best innovation in IDM: Yubico, AXSionics, Sun Microsystems (OpenSSO Fedlet), Microsoft (Geneva Framework)
  • Best new or improved standard in IDM: Oauth, ArisID, Information Card Foundation
  • Best Project in the last 12 months: Internal use of IDM: Deutsche Bank, ECCO Sko A/S, Helvetia Insurance, Enel SpA
  • Best Project in the last 12 months: B2B use of IDM: Citi, SwissGrid, BankId
  • Best Project in the last 12 months: B2C/eGovernment use of IDM: Ministery of Interior Czech Republic, London Borough, Stadt Koeln

day 1

Tuesday morning I was faced with two problems: a long 4 hour drive from Frankfurt to Munich early in the morning and then, after arrival, the decision where to go at the conference. For the first point it might appeal to Kuppinger Cole to change the conference location to Frankfurt. The latter is certainly nothing I can blame Kuppinger Cole for: the conference program is excellent, with many choices.

At the OpenSSO community meeting Daniel Raskin showed the OpenSSO roadmap. He emphasized that OpenSSO is the software that manages enterprise SSO, federation and web services security in one product. This sounds like a message to Oracle and its bundle of point products. But no word on the future of OpenSSO under Oracle’s flag. I guess nobody can say anything about the way Oracle is going – or did I miss it?

OpenSSO is now at express build 7, which brings a new configuration wizard for Google Apps on the task panel of the administration GUI. The task panel is something which will be extended in the next releases. Raskin mentioned wizards to configure Salesforce.com and SugarCRM. Improvements for better entitlement management are in development. Although OpenSSO has XACML request/response, PDP and PEP functionality, it lacks an intuitive management GUI and a scalable policy engine. In one of the next builds a new authentication module will provide one time passwords without the need for a hardware token. OpenSSO will generate the OTP through OATH and send the password by SMS to your mobile. This sounds cheap, but keep in mind that you will either need hardware to send SMS or adapt the module to use the API of an SMS provider. Further development work is being done on OAUTH integration into OpenSSO.


Swekey: OTP authentication without tedious typing of digits

English on May 3rd, 2009 No Comments

SSOCircle introduces a new one time password strong authentication device with a USB interface. If you are tired of reading and typing one time passwords from conventional tokens, this is the device for you.

The Swekey is a one time password token that works with a challenge/response. SSOCircle offers two authentication modules: Swekey and Swekey&Pin. Use of an additional PIN augments security and gives you a higher authentication level compared to Swekey (without PIN), and should be used for applications that need stronger protection. Get your Swekey here.


Scheduled maintenance coming weekend

English on April 30th, 2009 No Comments

We are planning a scheduled maintenance of SSOCircle services on Sunday, 3rd May, with some short service interruptions between 6:00-8:00 GMT. We will be back with even more features, so please stay tuned.


Certificate expiration next weekend

English on February 21st, 2009 No Comments

We will replace SSOCircle’s signing and encryption certificate on 28 February 2009. The metadata containing the new certificates can be found at the new metadata URL. The certificate will be changed on 28.02.2009, next Saturday. Please be sure to replace the data on your SP.

Account validation by SMS to your mobile

English on January 5th, 2009 No Comments

Some customers have been asking for better means of confirming a user’s identity after the self registration procedure. Our IDPee hosted identity provider product now supports SMS confirmation messages sent to a mobile telephone number instead of sending an email to the email address entered during registration. As many users subscribe with free web mailer accounts, which can be anonymous, sending an SMS as an optional feature provides a stronger link between the user account at the IDP and the identity recognized by its cell phone number. Interested in this feature? Send us an email and we will upgrade your IDPee account.


One Time Password token available now

English on October 31st, 2008 No Comments

SSOCircle is now adding a new strong authentication method: One Time Password tokens. In our approach of offering an IDP with strong authentication to everyone, the ePassOTP hardware tokens are unbeatable in price and give you a strong authentication method that can be used with any device. The SSOCircle authentication portfolio now comprises MSISDN, username/password, X.509 certificates (software and hardware token) and OTP hardware tokens, mapping to three authentication levels.


MSISDN, password or client certificate – it’s your choice

English on August 16th, 2008 No Comments

SSOCircle has now added MSISDN authentication support. Now you can choose among three authentication methods. Read the new authentication context study that describes use cases for these methods. MSISDN is an authentication method based on a trust relationship with your mobile provider. If you access the internet from your mobile, devices use the provider’s WAP gateway (simple devices default to using WAP, others may use WAP optionally). Some of the WAP gateways insert an HTTP header for identification – the MSISDN number. The number is used by SSOCircle to identify and authenticate you. To use MSISDN authentication you need the following requisites:

  • The WAP Gateway must insert an MSISDN number
  • The WAP Gateway must be trusted by SSOCircle
  • You need to link the MSISDN number to your account
  • Access SSOCircle from a mobile through a WAP Gateway

Please check whether you match the first two criteria by accessing the MSISDN check page. The third step can be done through the SSOCircle self administration.
Another part of the new authentication context study describes how to leverage authentication context to protect highly sensitive user data by requiring a session upgrade to a strong authentication security context.
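The four requisites above, and the session upgrade idea from the authentication context study, translate into a small server-side gate: the MSISDN header is only honoured when the request arrives from a gateway the IDP trusts, the number must be linked to an account, and sensitive resources additionally require a session at a sufficient authentication level. The following is an added illustration written for this page, not SSOCircle's own code: the header name `X-MSISDN`, the trusted gateway network, the number-to-account mapping and the level numbers are all constructed assumptions.

```python
# Added example (not SSOCircle's code): gate MSISDN header authentication on
# gateway trust, and check whether a session's authentication level suffices
# for a resource. All names and values below are constructed assumptions.
import ipaddress
import re

# Constructed allow-list of trusted WAP gateway networks (documentation range).
TRUSTED_GATEWAYS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed mapping of linked MSISDN numbers (digits only) to account names.
LINKED_MSISDN = {"4917612345678": "alice"}

# Constructed authentication levels; the page states three levels but not
# which method maps to which, so these numbers are placeholders.
AUTH_LEVEL = {"password": 1, "msisdn": 1, "otp": 2, "x509": 3}

# Constructed header name under which the gateway inserts the subscriber number.
MSISDN_HEADER = "x-msisdn"

# Plausible E.164-style number: optional '+', 7 to 15 digits, no leading zero.
MSISDN_RE = re.compile(r"^\+?[1-9][0-9]{6,14}$")


def normalize_msisdn(value):
    """Return the digits of a plausible MSISDN, or None if it is malformed."""
    value = value.strip()
    if not MSISDN_RE.match(value):
        return None
    return value.lstrip("+")


def authenticate(remote_addr, headers):
    """Return (account, reason). The header is trusted only from a trusted gateway.

    remote_addr: the TCP peer address of the request (the gateway, not the phone).
    headers:     the request headers as a dict; matched case-insensitively.
    """
    try:
        src = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None, "bad remote address"
    # Requisite 2: a client talking to us directly could set any header it
    # likes, so the header only counts when the peer is a trusted gateway.
    if not any(src in net for net in TRUSTED_GATEWAYS):
        return None, "gateway not trusted"
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(MSISDN_HEADER)
    if raw is None:
        return None, "no MSISDN header"  # requisite 1 not met
    msisdn = normalize_msisdn(raw)
    if msisdn is None:
        return None, "malformed MSISDN"
    account = LINKED_MSISDN.get(msisdn)
    if account is None:
        return None, "MSISDN not linked"  # requisite 3 not met
    return account, "ok"


def session_allows(session_method, required_level):
    """True if the session's method reaches the level a resource demands.

    Returning False is the signal to ask for a session upgrade (re-authenticate
    with a stronger method) rather than to deny access outright.
    """
    return AUTH_LEVEL.get(session_method, 0) >= required_level


if __name__ == "__main__":
    # Constructed sample requests: one via the trusted gateway, one direct.
    print(authenticate("203.0.113.10", {"X-MSISDN": "+4917612345678"}))
    print(authenticate("198.51.100.7", {"X-MSISDN": "+4917612345678"}))
    print(session_allows("msisdn", 3))  # needs an upgrade to e.g. x509
```

The peer-address check is the part that matters most: an `X-MSISDN` value is only as trustworthy as the path it travelled, so a deployment behind its own reverse proxy must use the gateway address the proxy recorded, not the proxy's address, when evaluating the allow-list.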

