16 Apr 2014

Planet Identity

Julian Bond: What a most excellent collection of images.

16 Apr 2014 7:56am GMT

Vittorio Bertocci - Microsoft: Calling Office365 API from a Windows Phone 8.1 App

Did you install the preview of Windows Phone 8.1? I sure did, and it's awesome!

Windows Phone 8.1 introduces a great new feature, which was until recently only available on Windows 8.x: the WebAuthenticationBroker (WAB for short from now on). ADAL for Windows Store leverages the WAB for all of its authentication UI rendering [...]

16 Apr 2014 7:34am GMT

Julian Bond: Next time somebody tries to tell you that big pharma is hiding medical cures, or the illuminati, sorry...

Next time somebody tries to tell you that big pharma is hiding medical cures, or the illuminati, sorry, the 1%, are manipulating world society, or big oil invaded Iraq, or similar conspiratorial bullshit, just say:-

"That's all a bit 'lizard people', isn't it?"
[from: Google+ Posts]

16 Apr 2014 7:27am GMT

Julian Bond: After the Big Bang is it Space-Time that expands or the distances between the things in it?

After the Big Bang is it Space-Time that expands or the distances between the things in it?

Something I continue to have trouble getting my head round is the idea that there are bits of the universe that are so far apart (and accelerating away from each other) that there hasn't been enough time since the Big Bang for light to travel between them. So there's a kind of quantum foam of light cones that can't interact. But if nothing can travel faster than the speed of light, then how did these bits of stuff get further apart than light could travel in the available time?

http://en.wikipedia.org/wiki/Metric_expansion tries to explain this and I think I'm beginning to get it. It also helpfully points out that lots of highly qualified physicist have trouble with understanding this as well so it's not just me! There are bits of it that still feel like handwavium. In particular it feels a bit like http://en.wikipedia.org/wiki/Copenhagen_interpretation in that it's only difficult to think about because you're treating the equations as objective reality. It's all very well to say that it's space-time that's expanding not the stuff in it but, but, 
Metric expansion of space - Wikipedia, the free encyclopedia »
Basic concepts and overview. Overview of metrics. Main article: Metric (mathematics). To understand the metric expansion of the universe, it is helpful to discuss briefly what a metric is, and how metric expansion works.

[from: Google+ Posts]

16 Apr 2014 7:23am GMT

15 Apr 2014

Julian Bond: What do we want?

What do we want?
Evidence based medicine.

When do we want it?
After full, transparent publication of all trial results both future and historical, peer review and without being encumbered by long term patents.

And we want our governments to subsidise this for the good of society as a whole and to properly enforce the rules with realistic penalties. And without the market being hopelessly skewed by mandated oligopolies bought with high priced lobbying. And without government money being wasted on high priced stockpiles that do nothing. (like Tamiflu: here's looking at you, Roche).

As the article points out, EU regulations pushing for greater transparency on clinical trials are a good thing, but not if they ignore historical results and are never enforced.

Clinical trials and tribulations: a role for Europe | The Pirate Party »
It's hard to imagine a better fairy-tale villain than a big pharma company. There's something undeniably sinister about these vast, faceless titans with their unfathomable methods and international reach; so much so that it's sometimes an effort to remember that, actually, they're the ones who ...

[from: Google+ Posts]

15 Apr 2014 8:29am GMT

14 Apr 2014

CA on Security Management: Beware the UnDead Password

Recently I took my daughters to see the RiffTrax Live showing of Night of the Living Dead. RiffTrax is a group of three guys who show movies and goof on them (You can get more information here). Night of the...

14 Apr 2014 10:14pm GMT

Katasoft: Multi-Tenant User Management - the Easy Way

Building a multi-tenant SaaS isn't easy, but in a world where your customers expect on-demand services and your engineering team wants a central codebase, multitenancy offers tremendous value.

The hardest part is user management. Multi-tenant applications come with special user considerations:

  • How will tenants be represented in the data model?
  • How will users be created?
  • How will tenant users be kept secure and separate from other tenants?

As you might have guessed, Stormpath's data model natively supports multi-tenant user management out-of-the-box. You don't have to worry about building or managing data partitions yourself, and can focus on building your app's real features.

But, how do you build it? We've created a comprehensive Guide to Building Multi-tenant Apps and this post will specifically focus on how to model user data for multi-tenancy. We will also show how to build a multi-tenant application faster and more securely with Stormpath, a cloud-hosted user management service that easily supports multi-tenant user models.

What is a Multi-Tenant application?

Unlike most web applications that support a single company or organization with a tightly-coupled database, a multi-tenant application is a single application that services multiple organizations or tenants simultaneously. Multi-tenant apps need to ensure each Tenant has its own private data partition so the data is cleanly segmented from other tenants. The challenge: very few modern databases natively support tenant-based data partitioning.

Devs must figure out how to do this either using separate physical databases or by creating virtual data partitions in application code. Due to infrastructural complexities at scale, most engineering teams avoid the separate database approach and implement virtual data partitions in their own application code.

Our Guide to Building Multi-tenant Apps goes into deep detail on how to set up tenants and their unique identifiers. In this post, we will dive straight into setting up user management for your multi-tenant application.

Multi-Tenant User Management

Why use Stormpath for Multi-Tenant Applications?

Aside from the security challenges that come with partitioning data, setting up partitioning schemes and data models takes time. Very few, if any, development frameworks support multi-tenancy, so developer teams have to build out multi-tenant user management themselves.

Stormpath's data model supports two different approaches for multi-tenant user partitioning. But first, a little background.

Stormpath Data Model Overview

Most application data models assign user Accounts and groups directly to the application. For example:

Traditional Application User Management Model:

              +----->| Account |
              | 1..* +---------+
+-------------+      ^
| Application |      |
+-------------+      v
              | 1..* +-------+
              +----->| Group |

But this isn't very flexible and can cause problems over time - especially if you need to support more applications or services in the future.

Stormpath is more powerful and flexible. Instead of tightly coupling user accounts and applications, Accounts and Groups are 'owned' by a Directory, and an Application can reference one or more Directories dynamically:

Stormpath User Management Model:

                                 +----->| Account |
                                 | 1..* +---------+
+-------------+ 1..* +-----------+     ^
| Application |----->| Directory |     |
+-------------+      +-----------+     v
                                 | 1..* +-------+
                                 +----->| Group |

A Directory isn't anything complicated - think of it as simply a 'top level bucket for Accounts and Groups'. Why did we do it this way?

  • Multiple applications can reference the same Directory and share users.
  • An application can 'plug in' to multiple directories, so multiple user populations can access the same application. This is great for our customers building a SaaS.
  • Security policies for Accounts are configured at the Directory level, giving you tighter control over security requirements.
  • You can change all of this configuration without changing your application code.

This directory-based model supports two approaches for partitioning multi-tenant user data:

Approach 1: Single Directory with a Group-per-Tenant

Recommended for most multi-tenant applications.

This design approach uses a single Directory, which guarantees Account and Group uniqueness. A Tenant is represented as a Group within a Directory, so you would have (at least) one Group per Tenant.

For example, let's assume new user jsmith@customerA.com signs up for your application. Upon submit you would:

  1. Insert a new Account in your designated Directory. This will be a unique account.
  2. Generate a compatible subdomain name for their tenant and create an equivalent Group in your designated Directory. Your 'Tenant' record is simply a Group in a Stormpath Directory.
  3. Assign the just-created jsmith@customerA.com Account to the new Group. Any other Accounts added over time to this Group will also immediately be recognized as users for that Tenant.

We cover the many benefits of the Single Directory approach - as well as how to implement it - in the Multi-Tenant Guide, but at a high level, this approach has the following benefits:

  • A single unified user identity across many applications or services
  • You can associate Accounts to a tenant easily: just add them to the tenant Group. You can find all users in a tenant by requesting the Group, or search across users in a tenant just by searching in that Group.
  • You can store Tenant-specific data without having to roll your own database/tables, by assigning custom data to your tenant Group. This is great for tenant-specific permissions or Access Control Lists.

The Single Directory, Group-per-Tenant approach is the simplest model, easiest to understand, and provides many desirable features suitable for most multi-tenant applications. Read more [link].

Approach 2: Directory-per-Tenant

In Stormpath, an Account is unique only within a Directory. This means:

Account jsmith@gmail.com in Directory A

is not the same identity record as

Account jsmith@gmail.com in Directory B.

As a result, you could create a Directory in Stormpath for each of your tenants, and your user Account identities will be 100% separate. With this Directory-per-Tenant approach, your application's user Accounts are only unique within a tenant (Directory), and users could register for multiple tenants with the same credentials.
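The two partitioning approaches above, as a toy in-memory model. This is an added example and not Stormpath's code or API: the Directory, Group and Account classes, their method names, the rule that derives a tenant label from the sign-up email's domain, and the sample emails are all assumptions made for illustration. It shows the two properties the post relies on: in Approach 1 an email is unique across the single Directory and every tenant-scoped read goes through the tenant Group, while in Approach 2 the same email in two Directories is two unrelated records.

```python
import re
from dataclasses import dataclass, field


class AccountExistsError(ValueError):
    """An account with this email already exists in the directory."""


@dataclass(eq=False)  # identity-based equality, so instances can live in sets
class Account:
    email: str
    directory: "Directory"
    groups: set = field(default_factory=set)


@dataclass(eq=False)
class Group:
    name: str
    directory: "Directory"
    members: set = field(default_factory=set)
    custom_data: dict = field(default_factory=dict)  # e.g. tenant-specific ACLs

    def add_member(self, account):
        # Accounts and Groups are owned by one Directory; never mix them.
        if account.directory is not self.directory:
            raise ValueError("account and group belong to different directories")
        self.members.add(account)
        account.groups.add(self)


class Directory:
    """Top-level bucket for Accounts and Groups; an email is unique only inside it."""

    def __init__(self, name):
        self.name = name
        self._accounts = {}  # lower-cased email -> Account
        self._groups = {}    # group name -> Group

    def create_account(self, email):
        if "@" not in email:
            raise ValueError(f"not an email address: {email!r}")
        key = email.lower()
        if key in self._accounts:
            raise AccountExistsError(f"{email} already exists in directory {self.name}")
        self._accounts[key] = Account(email, self)
        return self._accounts[key]

    def get_account(self, email):
        return self._accounts.get(email.lower())

    def get_group(self, name):
        return self._groups.get(name)

    def get_or_create_group(self, name):
        if name not in self._groups:
            self._groups[name] = Group(name, self)
        return self._groups[name]


def tenant_subdomain(email):
    """Derive a subdomain-safe tenant label from the email's domain (assumed convention)."""
    domain = email.rsplit("@", 1)[1].lower()
    label = re.sub(r"[^a-z0-9-]", "-", domain.split(".")[0]).strip("-")
    if not label:
        raise ValueError(f"cannot derive a tenant label from {email!r}")
    return label


# Approach 1: one Directory, one Group per tenant (steps 1-3 of the post).
def signup_group_per_tenant(directory, email):
    account = directory.create_account(email)                        # step 1: unique Account
    tenant = directory.get_or_create_group(tenant_subdomain(email))  # step 2: tenant Group
    tenant.add_member(account)                                       # step 3: attach to tenant
    return account, tenant


def tenant_users(directory, tenant_name):
    """List a tenant's users by reading its Group, never by scanning the whole Directory."""
    group = directory.get_group(tenant_name)
    return sorted(a.email for a in group.members) if group else []


def account_in_tenant(directory, email, tenant_name):
    """Authorization check to run before serving tenant data: is the Account in the tenant Group?"""
    account = directory.get_account(email)
    group = directory.get_group(tenant_name)
    return account is not None and group is not None and account in group.members


# Approach 2: one Directory per tenant; identities do not cross Directory boundaries.
def signup_directory_per_tenant(tenants, tenant_name, email):
    if tenant_name not in tenants:
        tenants[tenant_name] = Directory(tenant_name)
    return tenants[tenant_name].create_account(email)
```

The `account_in_tenant` check is the part worth copying: with a single shared Directory, the only thing separating tenants is group membership, so every request that carries a tenant identifier (for example a subdomain) should verify the caller's Account against that tenant's Group before touching tenant data.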

Directory-per-Tenant is an advanced data model that offers more flexibility, but at the expense of simplicity. This is the model we use at Stormpath, and it is only recommended for more advanced applications or those with special requirements.

As a result, we don't cover the approach in further detail here. If you feel the Directory-per-Tenant approach might be appropriate for your project, and you'd like some advice, just email support@stormpath.com. We are happy to help you model out your user data, whether or not Stormpath is the right option for your application.

We're Always Here to Help

Whether you're trying to figure out multi-tenant approaches for your application or have questions about a specific Stormpath API, we're always here to help. Please feel free to contact us at support@stormpath.com.

14 Apr 2014 8:29pm GMT

Courion: Re-set Your Passwords, Early & Often

Access Risk Management Blog | Courion

Jason Mutschler

On Monday April 7th, OpenSSL disclosed a bug in their software that allows data, which can include unencrypted usernames and passwords, to be collected from memory remotely by an attacker. OpenSSL is the most popular open source SSL (Secure Sockets Layer) implementation and the software is used by many popular websites such as Yahoo, Imgur, Stack Overflow, Flickr and Twitpic. Many of these popular websites have been patched. However, as of this writing some, including Twitpic, remain vulnerable.

Several tools have become available to check whether an individual website is vulnerable. We recommend that you double-check whether websites that you use are affected before logging in. If the website you are logging into is not vulnerable, you should reset your password since the password may have been captured if the server was previously vulnerable. The bug is also present in some client software and a malicious web server could be used to collect data from memory on client machines running these pieces of software.

This particular vulnerability has been present since 2012 and underscores the need to look beyond typical perimeter defenses and continuously monitor for unusual behavior within your network. Persistent attackers will continue to find creative ways to breach the perimeter and detecting abnormal use of valid credentials is becoming extremely important.

By the way, Courion websites, including the Support Portal and the CONVERGE registration page remain unaffected by this vulnerability.


14 Apr 2014 12:29pm GMT

13 Apr 2014

Anil John: Standardizing the RP Requirements for Identity Resolution

When a credential from an outsourced CSP shows up at the front door of a RP, the RP needs two pieces of information. First, an answer to the question "Are you the same person this credential was issued to?" and second, information to uniquely resolve and enroll the credential holder at the RP. We have more or less standardized the first bit, but have not been as mindful about the second.

I have my own opinions as to why this has not been done before:

  • This is typically a federation requirement, and successful federations exist in industry verticals where this is addressed by the operator of that closed community
  • A driver for this requirement, e.g. public sector service delivery, where multi-sector standardization would have significant benefits has only recently started to come online
  • Entities who, in the absence of RP access to authoritative identity establishment sources, have become gatekeepers to identity resolution may desire to protect their IP ("magic sauce")

At the same time, I do believe that in order to deliver public sector services, it is critical to address this issue. But it needs to be done in a manner that looks at the world as it exists and not as we would wish it to be, which in the U.S. means that:

  • There is little to no direct access to authoritative identity establishment sources
  • Identity verification and validation are done by corroborating different sources of non-authoritative information
  • Entities with IP ("magic sauce") to bring to the table when dealing with that aggregated set of data have a role to play
  • RPs need a set of quantitative criteria to evaluate what they get from such an entity, i.e. the "identity proofing component"

To make this happen will require three things:

  1. A clear understanding by the RP of the various approaches it can utilize to enroll users
  2. An understanding of the context in which IP/proprietary approaches have a role in identity resolution, e.g. at the "identity proofing component"
  3. Development and standardization of the quantitative criteria used by the RP to evaluate the information it needs for identity resolution


This blog post, Standardizing the RP Requirements for Identity Resolution, first appeared on Anil John | Blog. These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer.

13 Apr 2014 6:00pm GMT

Julian Bond: Global Warming won't be as bad as the IPCC predict and will peak at the low end of their predictions...

Global Warming won't be as bad as the IPCC predict and will peak at the low end of their predictions.

Because society will have collapsed by then.

So that's all good then!


ps. Have you noticed how 2030 is no longer the far future? The doomsayers are predicting major disruption by 2030 which is now only ~15 years away.
Oil Limits and Climate Change - How They Fit Together »
We hear a lot about climate change, especially now that the Intergovernmental Panel on Climate Change (IPCC) has recently published another report. At the same time, oil is reaching limits, and thi...

[from: Google+ Posts]

13 Apr 2014 6:42am GMT

11 Apr 2014

ForgeRock: ForgeRock Software Not Affected by ‘Heartbleed’ Security Flaw

A few days ago, it was announced that there is a major vulnerability in OpenSSL, known as Heartbleed. ForgeRock customers running enterprise software will not be affected by this vulnerability. Important notes: ForgeRock's products (OpenAM, OpenIDM, OpenDJ, OpenIG) do not incorporate openssl. OpenSSL is a commonly used component of open source software and Linux distributions, whereas the vast majority of ForgeRock...

The post ForgeRock Software Not Affected by 'Heartbleed' Security Flaw appeared first on ForgeRock.

11 Apr 2014 9:33pm GMT

Mike Jones - Microsoft: JSON Web Key (JWK) Thumbprint Specification

I created a new simple spec that defines a way to create a thumbprint of an arbitrary key, based upon its JWK representation. The abstract of the spec is: This specification defines a means of computing a thumbprint value (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509 Certificate SHA-1 Thumbprint) […]

11 Apr 2014 12:47am GMT

10 Apr 2014

Gluu: Impact of Heartbleed for Gluu Customers

This blog provides a good analysis to understand the impact of Heartbleed: http://www.gluu.co/cacert-heartbleed If you are running a Shibboleth IDP front ended by an Apache HTTPD server, the private SAML IDP key in the JVM's memory (i.e. tomcat) would not be exposed to the Apache httpd process. However, if the web server's private key is … Read more >>

10 Apr 2014 5:12pm GMT

Kuppinger Cole: Enterprise Single Sign-On - is there still a need for it?

In KuppingerCole Podcasts

In this KuppingerCole Webinar, we will look at Enterprise Single Sign-On (E-SSO) and the alternatives. Starting with the use cases for single sign-on and related scenarios, we will analyze the technical alternatives. We look at various aspects such as the time for implementation, the reach regarding applications to sign-on, users, and devices and compare the alternatives.

Watch online

10 Apr 2014 3:48pm GMT

Gluu: CACert Heartbleed Notification

This note I received from CACert today. It provides a good overview of the HeartBleed vulnerability. See also Shibboleth Security Advisory.

Dear customer, there are news [1] about a bug in OpenSSL that may allow an attacker to leak arbitrary information from any process using OpenSSL. [2] We contacted you, because you have subscribed to get general … Read more >>

10 Apr 2014 2:45pm GMT

Kuppinger Cole: Leadership Compass: Identity Provisioning - 70949

In KuppingerCole

Identity Provisioning is still one of the core segments of the overall IAM market. Identity Provisioning is about provisioning identities and access entitlements to target systems. This includes creating and managing accounts in such connected target systems and associating the accounts with groups, roles, and other types of administrative entities to enable entitlements and authorizations in the target systems. Identity Provisioning is...

10 Apr 2014 12:32pm GMT