Monday 16 December 2013

Gluu Web Authentication / SSO Protocol Adoption Predictions

It's hard to make accurate predictions about adoption for SSO protocols, and impossible to build a detailed model when the known inputs are so vast. With that inherent disclaimer about the difficulty of forecasting, the following graph represents Gluu's view about the likely adoption and un-adoption of three very important web authentication standards: SAML, CAS, and OAuth2 (specifically OpenID Connect).



SAML

It makes sense to start any conversation about web authentication standards with the grand-daddy of Web SSO, the Security Assertion Markup Language (SAML). This is the current leading standard for enterprise inter-domain authentication. It is widely supported by off-the-shelf software and by major SaaS vendors like Google, Salesforce, Workday, Box, Amazon, and many others. SAML is the basis for extensive B2B, government and educational networks around the globe. Gluu's prediction is that providing SAML endpoints and services will be critical for domains for years to come. In the next 15 years or so, organizations will look to consolidate on OAuth2-based trust networks, and will look to end-of-life and decommission SAML relationships.

CAS

The “Central Authentication Server” defined one of the first Web SSO protocols. It's a simple-to-use API, and is supported by several open CMS platforms. Backed by LDAP, it was a good choice for many organizations to centralize username / password authentication. It also allowed access control based on network address, to restrict which servers can use the enterprise web authentication service. With the availability of newer, more functional authentication standards like SAML and OpenID Connect, new applications should be directed away from CAS, and older applications should be asked to upgrade to one of the newer protocols. CAS was great, but there are better options now.

OpenID Connect

OpenID Connect is a profile of OAuth2 that provides several services related to authentication. In years past, federation experts thought OpenID would be ubiquitous. Then a smaller subset of federation experts thought OpenID 2 would be ubiquitous. However, the community has coalesced, and now a large group of federation experts are predicting that OpenID Connect will become ubiquitous. It's a risky position, but it holds up when you look at some simple indicators:

Support of large consumer IDPs: Google, Microsoft, Yahoo, and probably Facebook

Consolidation of several protocol communities, such as OpenID, OAuth2, WS-*, and a subset of the SAML community.

Move in the consumer market to JSON/REST authentication APIs

Explosion of mobile applications requiring better authentication APIs for non-web interactions

Expanded role of a “client” acting as an agent of the Person to access Web APIs

New standards that are building on OpenID Connect authentication, such as UMA and the new OpenID Connect Native SSO working group.

Even Scott Cantor has acknowledged at InCommon Camp that Shibboleth 3.0 is being designed to make it easier to support OpenID Connect in the future!

So we're going out on a limb here… and predicting that OpenID Connect is actually going to catch on this time. We are also perhaps going to help our own cause by providing a scalable, production-quality open source implementation of OpenID Connect: oxAuth.

If anyone disagrees or agrees with the admittedly arbitrarily drawn graphs above, feel free to comment below!

Tuesday 26 November 2013

Postcard from IdentityNext 2013

IdentityNext is a unique conference that pulls aspects from several of the identity events I've attended over the years. As only a handful of Americans attend, it reminded me of Kuppinger's EIC (European Identity Conference). There were delegates from many Western European countries, for example Sweden, Denmark, France, Germany, Austria, Spain, Belgium, the Netherlands (of course), England and probably a few more. The focus on privacy reminded me of PII (Privacy, Identity, Innovation), which is held several times a year around the US. And finally, it was the second conference I attended this year that had an “un-conference” portion, inspired by IIW (Internet Identity Workshop).

It was a great honor for me to deliver the opening keynote. I wanted to give a general interest talk about federations, an introduction to OAuth2, and describe how these two technologies could be combined to the net benefit of society. I was a little tense, especially as I’d never attended this conference. My slides are here. I was amused that Martin Wegdam quoted me on Twitter as apologizing for previous XML identity standards. I was not really serious… As Andre Durand says, “Identity” is a big and complex domain of knowledge. If we (as in the global community of identity architects) had figured “it” out on the first try, it would have been a miracle. Defining standards for identity has been an iterative process. And 13 years later, I think the work done on OpenID Connect puts us on the verge of a good technical standard for one aspect of Identity–authentication. “Connect” has achieved something even more elusive: consensus.

One of the best talks was given by author, journalist and teacher Pernilla Tranberg. She presented an up-to-date view of the current state of online privacy, and some pragmatic strategies we can consider to achieve more control of our personal data. For example, don't use Google search… use “Start Page”, which strips out all the tracking cookies that sell to advertisers the interests implied by your Internet searches. Also, advise your kids to sign up for Facebook using a different name so they can start their adult life with a clean slate.

One of the most amusing talks was given by Mike Chung from KPMG on the topic of predictions. He recommended a number of books: Nate Silver's The Signal and the Noise; two books by Nassim Nicholas Taleb, The Black Swan and Fooled by Randomness; Dan Ariely's Predictably Irrational; Robert Kaplan's Revenge of Geography and Daron Acemoglu's Why Nations Fail; Robert McNamara's In Retrospect and Jim Paul's What I Learned Losing a Million Dollars. Apparently none of these helped him very much, given his self-proclaimed abysmal record making accurate forecasts in identity and access management. For example, he forecast in the mid 2000's that WS-* would be the predominant federation protocol, among other equally inaccurate claims. He totally missed the rise of mobile computing. And even more amazingly, companies paid him for his inaccurate advice. Hearing stuff like this makes me nervous about the big bets Gluu has placed on OAuth2, and reminded me that if Gluu is able to invest our scarce resources properly in one of the most dynamic technical markets, we're probably more lucky than smart.

Most Americans are unaware of the identity card programs that have been undertaken by almost all European governments. The conference featured talks on the efforts of Sweden, Germany, and Belgium. All of these cards can be used to access government services. But many are expanding to B2B and B2C purposes. For example, in Belgium there are beer vending machines that read the birthday off of your national id card to figure out if you're old enough to be served. In Japan I video-taped a machine that automatically poured a glass of beer. It's clear… our country is just so far behind, it's ridiculous.

Given my keen interest in federation, the talk I got the most out of was Rainer Horbe's talk on federation. Austrians clearly understand the value of federations, and also that these federations are hard to form. So the Austrian Chamber of Commerce formed the Wirtschaftsportalverbund (which, believe it or not, is an abbreviation for something like the Austrian Identity Federation Authority), which aims to establish B2B and B2C federations to reduce the cost of identity management and SSO. This group is creating a framework to help businesses jumpstart federations, including the required technical and governance components.

One of the most interesting conversations I had at the conference was with Haydar Cimen from KPN and Steve Pannifer from Hyperion Consulting regarding Snowden. While a majority of Americans now regard him as a heroic whistleblower, his support in Europe is even higher. In fact, I seem to be the only one in my industry who thinks he needs to answer for his actions. My problem is that if more people follow his precedent, our government and businesses couldn't operate. If he thinks the moral imperative to uncover this wrong was sufficient to justify his actions, he shouldn't be hiding in Russia. If he had stayed in the US, I'd support him for standing up for his beliefs. Many people don't think he would have gotten a fair trial if he had stayed. Or that maybe the government would have waterboarded him, or left him in solitary for years like they did to Manning. Whatever you think of Snowden, it's clear that our allies view the US as little better than China, are hesitant to travel to the US for fear of being the victim of a big-data analysis snafu, and are resentful that their systems are being hacked in the pursuit of America's enemies in a covert cyber war for which we apparently have a great talent (and an insane amount of budget).

I was happy to see many old friends, especially from SURFnet and Kennisnet. I also got a chance to chat with Hans Zandbelt from Ping Identity. Apparently after working all day on helping companies implement federation, he can't get enough, so he has been moonlighting to write his own OpenID Connect plugin for Apache. It's much simpler than the one Gluu has undertaken in our crowd-sourcing project. The nice thing about it is that it is standalone. Gluu uses a local process, “oxd”, to handle the OAuth2 messaging. Some people don't want this additional complexity. We used this approach because it enabled us to leverage our Java libraries for OpenID Connect and UMA, and it would have taken us too long to do all the messaging in C (as we already have Java libraries written). Hans' plugin supports fewer features, but it's a great example of how you can use a subset of the features if it suits your purpose. More options for developers is great, so I hope Hans has the energy to keep working on it, and to make it available to other developers. If you want to look at the code, it's currently here.

Finally, one of the best uses of technology on display was in a video from the UK by a hipster, the “Urban Wizard.” To express his identity he likes to dress up like a wizard when he walks around London. He melted his Oyster card (subway debit card), and attached the chip to his staff. As he walks into the subway, he touches his staff to the turnstiles, and magically, the doors swing open. Apparently the police were not amused, and won't let him do this anymore. But it's a reminder that technology is not a one-size-fits-all affair. People will use things in ways the developers never intended. Who knows what OX will be used for one day… open source and open standards are more embracing of this phenomenon than the metro police.

Article resource: http://thegluuserver.tumblr.com/post/68143784696/postcard-from-identitynext-2013

Wednesday 30 October 2013

Gluu Federation Registry Service

There has been some hoopla about what to expect out of the Gluu Federation Registry Service, so here's what you get from it:

Support for the design of a multi-party federation that enables autonomous domains to use SAML or OAuth2 for authentication and authorization

Creation of a Sample Participation Agreement—will require review and modification by the federation host.

Creation of initial schema for attributes, authentication, and authorization

Deployment of the Federation Registry application on an IAAS server or a Gluu Server

Customization of the registration process to automate the on-boarding of new application and identity providers into the network

Functional testing of the Federation Registry software for identity provider and application enrollment

Development of an operations guide for Registry Administrators

Training for Registry Administrators who will take over the responsibility of vetting and approving new identity providers and applications into the network.

Annual subscription to support and monitoring of the Federation Registry instance.

Wednesday 16 October 2013

DIY 2Factor using OpenID Connect as the authentication API

There is no license fee for passwords. It may sound silly, but businesses are simply not used to the idea that they need to pay for authentication. Also, the idea that passwords are “dead” is crazy. Companies already manage passwords for people. However, as everyone knows, passwords alone are a recipe for disaster. So what is a domain to do if they want to add a second factor of authentication, but they don’t want to add yet another SaaS fee or annual per user license?

QR Code

Tiqr is a free, open source solution developed by SURFnet. SURFnet has published an Android and iPhone application to scan a QR code, which can be displayed on a web page. If you're OK instructing people in your domain to use a SURFnet-branded app, it's a good option. Gluu offers Tiqr authentication as part of its Gluu Server subscription offering. If you want to deploy the Tiqr server yourself, it uses SimpleSAMLphp to publish the authentication APIs, which is pretty easy to install / manage. It's also possible to customize SURFnet's open source applications, to give the app a look and feel more appropriate for your domain.

Push

If you can enroll a Person's mobile device and push a message to that device, it's a very strong indicator that the person has really authorized a transaction. Red Hat has published an open source server called AeroGear Push that acts as a facade for the Apple, Google and Mozilla push networks. There is a nice diagram. Instead of having to learn the APIs of each of these networks, you can make one request such as this:

curl -u "{MobileVariantID}:{secret}" \
  -v -H "Accept: application/json" -H "Content-type: application/json" \
  -X POST \
  -d '{
    "deviceToken" : "someTokenString",
    "deviceType" : "iPad",
    "operatingSystem" : "iOS",
    "osVersion" : "6.1.2",
    "alias" : "someUsername or email address...",
    "category" : "football",
    "simplePushEndpoint" : "http://server.com/someEndpoint"
  }' \
  "{PushServerEndpointURL}"

The nice thing about the PUSH approach is that the app doesn’t even have to be running for the notification to work, as it is received at the OS level.

Phone

OK, it's not totally free, but at the price service providers like Callcentric sell SIP service, the cost is pretty negligible. In the Asterisk VoIP platform, you can create a “dialplan” to call a number (that you have pre-associated with the person) and read the DTMF, which could be the person pressing # or entering a PIN. Asterisk hooks to Java with the Asterisk-Java library, so you can keep all your actual business logic in Java, and just use Asterisk to read the DTMF and to dial the phone number via the SIP trunk.

Browser Certificate

The usability has been terrible, so this is not something I recommend unless you work with an organization full of geeks. But you can launch your own Certificate Authority, or use a free service like CACert.org for “user certificates.”

Network / Location

Used with care, the network (or, if you look it up, the location of that network) can help you to identify the person. Some domains might allow one method for authentication from their office, and another for remote access. The location can be pretty specific. Some companies are remembering previous locations and using them for authentication. However, you'll need to read the license agreement of the API to see if your application can use it for commercial purposes. Location can also be a pretty good indicator that it's NOT you… for example, LinkedIn will notify you via email if someone tries to log in to your account from a foreign country.

NFC

The price of NFC stickers and tags has come way down; in bulk, as low as $0.20 a piece. I just ordered a few from RapidNFC. NFC is both readable and writable. There is not much room (only about 64 characters), but enough to put a URL or access token that can add security over a password alone.

Browser Session Information

Cookies are also not a very strong way to identify a person, but many consumer services use them as a “factor.” For example, when you go to Amazon, they recognize you, and “step up” the authentication when you place an order or edit your profile.

The Context

The best possible usability for an authentication mechanism is the one you never see. A relying party (i.e. a website) can add up all the contextual pieces of information to determine if interactively authenticating the person is necessary for their respective transaction. The trendy jargon for this is “adaptive authentication.” I can't tell you what those indicators are for your business… they may include device ids, or something specific to your service offering or product. But use 'em if you got 'em.
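The adaptive-authentication idea above, as an added Python example (not Gluu's code and not the OX scripting API): a relying party sums the context signals this post discusses (office network, country relative to the last login, a recognized browser cookie, an enrolled device id) and decides whether the transaction needs no interaction, a password, or a second factor, and whether to notify the person of a login from a new country, as LinkedIn does. The signal names, weights, thresholds and the office network range are assumptions.

```python
"""Adaptive authentication policy (added example, not Gluu's or OX's code):
sum context signals and decide how the person must authenticate. Signal
names, weights, thresholds and the office network range are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)
SENSITIVE_ACTIONS = {"order", "edit_profile"}  # always step up, as in the Amazon example

@dataclass
class Context:
    client_ip: str                    # address the request came from
    country: str                      # geo-IP lookup result (assumed already resolved)
    last_seen_country: Optional[str]  # remembered from the previous login, if any
    session_cookie_known: bool        # browser presented a cookie this site issued
    device_id_known: bool             # an enrolled device identifier was presented
    action: str                       # "browse", "order" or "edit_profile"

@dataclass
class Decision:
    required: str      # "none", "password" or "second_factor"
    notify_user: bool  # e-mail the person about a login from an unusual country

def is_foreign(ctx: Context) -> bool:
    """True when the request's country differs from the last remembered one."""
    return bool(ctx.last_seen_country) and ctx.country != ctx.last_seen_country

def risk_score(ctx: Context) -> int:
    """Weighted sum of signals; higher means less confidence it is really the person."""
    score = 0
    if not any(ipaddress.ip_address(ctx.client_ip) in net for net in OFFICE_NETWORKS):
        score += 2  # remote access rather than from the office network
    if is_foreign(ctx):
        score += 4  # different country than the previous login
    if not ctx.session_cookie_known:
        score += 1  # no recognized browser session
    if not ctx.device_id_known:
        score += 1  # no enrolled device
    return score

def decide(ctx: Context) -> Decision:
    """Map the score and the action's sensitivity to an authentication requirement."""
    score = risk_score(ctx)
    if ctx.action in SENSITIVE_ACTIONS:
        required = "second_factor" if score >= 4 else "password"
    elif score == 0:
        required = "none"
    elif score <= 3:
        required = "password"
    else:
        required = "second_factor"
    return Decision(required, notify_user=is_foreign(ctx))
```

A recognized device browsing from the office needs no interaction, the same device placing an order is asked for a password, and a login from a country other than the last one is pushed to a second factor and flagged for notification.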

Publish an authentication API

Once you've figured out what factors you want to use for authentication, you may want to look at OX as a way to publish a standard OAuth2 API for your authentication mechanism. This Gluu blog contains information on how to use OX Custom SSO Authentication scripts to code the business logic in Python. You can also watch the Gluu video on Strong Authentication.

------------------------------------------------------------------------