Posts Tagged ‘IAM’

Putting the Practical Back in IAM

Wednesday, June 16th, 2010

Let’s face it: explaining Identity & Access Management to a layperson isn’t easy. How often do those of us who work in the space respond to the simple question “so what do you do?” at a cocktail party or a family event, only to see that familiar glazed-over expression less than 30 seconds into our reply? IAM is a space that’s prone to acronyms and cryptic concepts: SSO, virtual directory, WAM, federation, SAML, LDAP, etc. Of course, the issue here is not so much that these concepts are over your grandmother’s head. The problem comes when your grandmother is a high-level executive trying to figure out how IAM is going to provide significant ROI for her company. As product and service providers in this space, we’re the ones responsible for making the practical case for Identity & Access Management. My belief is we could all be doing a better job of this.

The inspiration for this post was a recent interview conducted with Dieter Schuller, VP of Business Development for our partner Radiant Logic. The interview covers its own fair share of acronyms and concepts, most of which are at the core of what this blog’s readership does for a living. But eventually it shifts into a practical (and very powerful) example of what identity correlation can do for a business, courtesy of Dieter:

For example, we just worked with a major electronics company, where they started with access management, single sign-on, delegated administration, but they wanted to make their portal a much better experience so when the user logged in, rather than just serving up products, the idea is you know enough about me because you have an order entry system that tracks what I bought online, you have a product registration system that tracks what I bought offline, you have a product database so you know that I bought a camera and now you should try to sell me a camera case.

They actually took it a step further and actually integrated it to their partner systems as well. They have a relationship with Facebook, for example, and, for that particular identity, started to look at what their movie and music preferences are and serving up content based on that.

Take a step back and think of what this interview would have meant to a non-IAM professional had it not included this real-life scenario. I think it would have led to multiple Google searches to define MDM, CDI, virtual directory, etc, if the reader had the time. Instead the reader comes away thinking about what this technology meant to an electronics company and how this might help his/her own business. In the real world this can mean the difference between a company becoming a prospect, and a prospect becoming a client or a customer.

“For example” can be powerful words in the context of security technology. We need more “for examples” in this space, not fewer. Have you seen examples of IAM companies providing practical, real-world descriptions of how their products and services are being leveraged? If so, please share in the comments!

Skyworth TTG Holdings, Inc. and CoreBlox, Inc. Enter Into Strategic Partnership

Thursday, May 20th, 2010

Hong Kong, China, May 20, 2010

Skyworth TTG Holdings, Inc. (STTG), (www.skyworthttg.com) and CoreBlox, Inc. (www.coreblox.com) announced today that they have entered into a strategic partnership to deliver the highest quality Identity & Access Management solutions to world-class enterprises. As two of the best-of-breed IAM, Federation, and Virtual Directory service providers, this partnership allows for expanded service levels and even greater depth of experience and skill sets from over 65 dedicated IAM specialists across the globe.

With over 100 successful IAM deployments for Fortune 500 companies delivered across 14 countries and 4 continents, STTG & CoreBlox have established themselves as the trusted 3rd parties of choice for deploying key components of CA’s Identity Lifecycle Management suite of products: CA SiteMinder, CA Identity Manager, and its companion products. The combination of STTG’s distinctive product offerings and CoreBlox’ virtual directory expertise provides a one-stop shop for companies seeking reliable service and measurable ROI.

“We are excited to work closely with CoreBlox as we continue to expand our product and services offerings in the IAM space,” said Richard Sand, Chief Executive Officer of STTG. “STTG’s and CoreBlox’s extensive enterprise security knowledge and experience ideally complement and enhance the other, as we strive to continue providing the highest level of service excellence, worldwide, that our clients have come to expect.”

“Our partnership with STTG underscores the commitment we’ve made to expand our capacity for service and support. Working together, we can make more efficient use of the talents of our respective teams while maintaining the trusted advisor status we’ve earned with our clients,” said Todd Clayton, Chief Executive Officer of CoreBlox.

About Skyworth TTG Holdings Limited

STTG is a rapidly expanding global system integrator specializing in fast growing information technology areas such as Identity & Access Management, Service Oriented Architecture implementation, Security/Risk management, Document management, and Open Source development. STTG has offices in New Jersey/USA, Oslo/Norway, Singapore, Hong Kong, Shen Zhen/China and Wuhan/China.

STTG’s Fortune 500 customers and partners span the globe and are diversified throughout Banking and Insurance, Education, Entertainment, Telecom, Aviation, Transportation, Information Technology, Logistics, Manufacturing, Retail, and Government and Government Sponsored Organizations.

About CoreBlox, Inc.

CoreBlox, headquartered in Framingham, MA/USA, focuses its technology services practice on enterprise security and technical support operations. The CoreBlox team specializes in single sign-on (SSO) and web access management solutions, SAML and identity federation services, and LDAP Directory Virtualization, with broad experience managing, executing and supporting CA SiteMinder and Radiant Logic Virtual Directory deployments.

CoreBlox is proud to provide solutions for a variety of industries including Banking, Information Technology, Insurance, and Telecommunications.

Just What is a Virtual Directory Anyway?

Thursday, September 10th, 2009

I often get asked what a virtual directory server is and how it can help. It’s surprisingly hard to get a basic, all-encompassing description of virtual directory technology. So, I thought I would take a stab at offering up my version. The description comes from information accumulated from several sources, including Radiant Logic, Wikipedia and my own write-ups.

A virtual directory or virtual directory server is a technology that provides a consolidated view of user identity and related information without having to migrate users into a single enterprise directory infrastructure. It serves as a lightweight service that operates between identity consumers and the various identity repositories across the environment. These identity repositories can be LDAP directories, databases or even web services and access to information can be either proxied through the virtual directory or correlated and cached through a complex set of rules. Think of it as a one-stop shop for everything you need to know about your users and their associated data and attributes. So, if you wanted to create a view of all your customers, what they have purchased and which sales rep sold them the product, the virtual directory allows you to pull together this data into a hierarchy that represents these relationships.

The following diagram shows how identity consumers leverage the virtual directory instead of being coded to talk directly to the back-ends:

virtual directory diagram

Instead of building static representations of the information, a virtual directory receives queries and directs them to the appropriate backend identity repositories. The retrieved information appears to be coming from a single source and logic can then be applied such as re-mapping the information to make it compatible across applications without modifying the backend data or the applications. This ability to reach into native disparate repositories makes virtual directory technology ideal for consolidating data stored in a distributed environment.

The most commonly used protocol for virtual directory servers is LDAP. Some virtual directories like RadiantOne allow access through other mechanisms like ODBC/JDBC and through web services. Additionally, RadiantOne Virtual Directory Server is able to provide structure to unstructured information in order to understand the context of the identity and related information in the backend repositories.

The advantages of virtual directories include:

  • Faster deployment by avoiding synchronization
  • Leverage existing investments and high-availability for authoritative data stores
  • Provide application specific views of identity data that can help avoid the need to develop a master enterprise schema
  • Allow a single view of identity data without violating internal or external regulations governing identity data
  • Act as identity firewalls – preventing denial of service attacks on the primary data-stores and providing further security on access to sensitive data
  • Changes made in authoritative sources are reflected in real-time

Directory virtualization technologies are an alternative to other directory replication technologies such as Microsoft Identity Lifecycle Manager (ILM – formerly MIIS), IBM Tivoli Identity Manager (ITIM) and IBM Directory Integrator (IDI). Instead of replicating information from one directory or database to another, virtualization dynamically presents information from multiple sources as a single view. This concept is similar to a view in SQL Server, except that virtualized views support both read and write operations. This approach is extremely flexible as a large number of different views can be presented without impacting the underlying data stores.

There are many situations, though, where there is no common identifier to tie a user together across identity repositories:

[Diagram: users with no common identifier across the identity repositories]

Radiant Logic’s Identity Correlation and Synchronization (ICS) component further extends the reach of VDS. It allows complex joining of identities to build an identity hub of correlated user identities, so that organizations can build a global profile for their users. It enables aggregation and correlation of identity information, the construction of unique global identifiers, and the identification and indexing of orphaned identities (those present in only some of the repositories).

This allows me to now create a correlated identifier for the users and pull together a unified view of attributes:

[Diagram: a correlated identifier tying each user together, with a unified view of attributes]

This enables things like single sign-on (SSO) because without a common identifier there is no way to pass the correct identity information to the underlying application or web access control product (e.g. CA SiteMinder Web Access Manager).

ICS also allows synchronization through replication (e.g. directory to directory, database to database), point-to-point and/or subscriber-to-publisher and ESB/JMS messaging. So, you get the best of both worlds and can choose when to virtualize and when to synchronize information.
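The two ideas above (a virtual directory routing one query to several back-ends and remapping their attributes, and ICS correlating identities that share no common identifier into a global profile) in one toy, as an added example. This is not RadiantOne or ICS code; the two backends, their attribute maps and the choice of e-mail as the join key are all constructed for the illustration.

```python
"""Toy virtual directory: an LDAP-style search is routed to two backend
repositories, native attributes are remapped to one virtual schema, and
identities that share no identifier are correlated on e-mail to build a
global profile. Added example; not RadiantOne or ICS code. Data constructed."""
import hashlib

# Constructed backend 1: an LDAP directory of employees, keyed by uid.
LDAP_BACKEND = [
    {"uid": "jsmith", "cn": "Jane Smith", "mail": "jane.smith@example.com", "ou": "Sales"},
    {"uid": "bwong", "cn": "Bill Wong", "mail": "bill.wong@example.com", "ou": "Support"},
]
# Constructed backend 2: a CRM database table of customers, keyed by CUST_ID.
CRM_BACKEND = [
    {"CUST_ID": 1001, "EMAIL": "JANE.SMITH@EXAMPLE.COM ", "SALES_REP": "bwong", "LAST_PURCHASE": "camera"},
    {"CUST_ID": 1002, "EMAIL": "pat.lee@example.com", "SALES_REP": "jsmith", "LAST_PURCHASE": "lens"},
]
# Per-backend attribute maps: native name -> name in the virtual schema.
# Anything not listed is never exposed, which is the "identity firewall" role.
LDAP_MAP = {"uid": "employeeId", "cn": "displayName", "mail": "mail", "ou": "department"}
CRM_MAP = {"CUST_ID": "customerId", "EMAIL": "mail", "SALES_REP": "salesRep",
           "LAST_PURCHASE": "lastPurchase"}
SOURCES = (("ldap", LDAP_BACKEND, LDAP_MAP), ("crm", CRM_BACKEND, CRM_MAP))


def remap(entry, amap):
    """Present a native entry under the virtual schema without touching the source."""
    return {amap[k]: v for k, v in entry.items() if k in amap}


def normalize_mail(value):
    """Join key: case and whitespace differ between backends, so normalise first."""
    return value.strip().lower()


def global_id(mail):
    """Stable correlated identifier derived from the join key, so no new
    attribute has to be written back into either authoritative source."""
    return "gid-" + hashlib.sha256(mail.encode()).hexdigest()[:12]


def correlate():
    """Join every source on normalised mail. An identity seen in only one
    source is kept but flagged as an orphan rather than silently dropped."""
    profiles = {}
    for name, backend, amap in SOURCES:
        for entry in backend:
            view = remap(entry, amap)
            key = normalize_mail(view["mail"])
            prof = profiles.setdefault(key, {"globalId": global_id(key),
                                             "mail": key, "sources": []})
            prof["sources"].append(name)
            prof.update({k: v for k, v in view.items() if k != "mail"})
    for prof in profiles.values():
        prof["orphan"] = len(prof["sources"]) < len(SOURCES)
    return profiles


def search(attr, value):
    """LDAP-style (attr=value) equality search answered from the virtual view."""
    return [p for p in correlate().values() if p.get(attr) == value]
```

A real deployment would proxy the search to the backends on demand rather than walking them in memory, but the remap, join-key normalisation and orphan flagging are the parts worth getting right either way.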

I hope this has been helpful. If you would like to see additional clarifications, please let me know.

-Todd

Video: Extending SiteMinder with RadiantOne

Tuesday, August 25th, 2009

Last month, our very own Todd Clayton presented a webinar for Radiant Logic called “Evolve Your SiteMinder Portal Through Virtualization—Without Breaking the Bank”. He discussed the benefits of using a RadiantOne virtual directory with CA SiteMinder, some of which include:

  • Identify, correlate, and integrate identities from multiple user populations across security domains.
  • Publish different profile views for SSO, authorization, and profile management.
  • Create unified profiles of all users for different application contexts.
  • Build an abstraction layer so SiteMinder can access attributes without any changes to your existing infrastructure.
  • Develop an environment that easily accommodates future expansion and new business requirements.

Please feel free to contact us for more info on how these two products can work together.

-Dave

The Latest on SSOhelp.com

Friday, January 23rd, 2009

I wanted to take the time to share some good news about SSOhelp.com. We created this community in the hope of providing a place for folks who work in the Identity & Access Management space to find answers to tough questions, learn about upcoming events in the IAM world, provide important information from the field regarding problems they’ve encountered and how they’ve been solved, and just get to know each other in an online social setting. Our past experience troubleshooting enterprise security problems through the web (Google searches, forum posts, etc.) taught us that there really wasn’t a centralized place to find this type of information, and our goal is to have SSOhelp.com fill that role.

Anyway, on to the good news:

  1. We’ve added 5 new members over the past couple of weeks. Granted this is not a huge number, but it shows that people we don’t know are beginning to find it. Facebook was not built in a day, and neither will SSOhelp.com be.
  2. We’re beginning to see people post questions in the Forum, and the CoreBlox team has been doing its best to answer them. Later on we hope the broader community will begin to respond as well, but for now this appears to be headed in the right direction.

I recently read a post about Social Media Tools that drew an interesting comment from my Twitter friend Jim Storer. Unfortunately I can’t directly link the comment, but it’s the 6th one down in the comments section of the post. Jim writes:

That’s what “shared meaning” means to me. The tool builder or community organizer can present an opportunity for people to use their tool/community, but ultimately it’s up to the members to determine what it means to them. And this meaning can swing wildly over the course of time, depending on who’s using it and what’s important to them.

This happens to be a perfect description of the approach we’re trying to take with SSOhelp.com. We’ve provided the venue, and now we’re looking to the members to decide how it will ultimately be used. We’re excited about the potential, and it will be interesting to see where this thing goes from here!

If you work in the enterprise security space, please take a moment to join! We’d love to meet you.

-Chad

p.s. If you’re interested in social media, you should definitely check out Jim’s blog. I’ve learned a lot from keeping tabs on him, and it doesn’t hurt that we share a common love for the local baseball club.

On the Road Again

Monday, November 10th, 2008

Just a quick announcement that our fearless leader Todd Clayton once again finds himself with a busy travel schedule over the next couple of weeks. For the next 3 days he’ll be attending the Gartner Identity and Access Management Summit in Orlando, FL. Or at least that’s what he tells us. After all, there’s another Orlando destination that could prove to be too tempting for Todd.

Next week, Todd will be attending CA World 08 at the Venetian Congress Center and Sands Expo in Las Vegas, NV from Monday 11/17 through Wednesday 11/19. Amazingly this will be Todd’s first trip to Vegas, so we highly encourage people to get him out and show him the sights. He was devastated to learn that Celine Dion is no longer doing her Vegas show, but we’ve assured him he’ll find other ways to enjoy his free time.

As always, we encourage you to connect with Todd if you’re planning to attend either of these events. Here’s a photo so you can pick him out in a crowd:

Todd on horseback

Todd in Colorado

(Just to be clear, he will not be on horseback at either event.)

Matt Flynn on CoreBlox

Tuesday, August 26th, 2008

I’ve been following Matt Flynn’s Identity Management Blog for the past few months, and I’ve enjoyed reading his views on the many questions and issues that surround the IAM space. The security community tends to be a very small world, but that doesn’t stop people from mixing it up now and then. Nonetheless I get the sense most of these folks could spend an entire afternoon in a spirited debate, then have no problem sharing dinner and drinks afterward.

In today’s entry, Matt makes mention of the value CoreBlox can bring with our managed identity services offerings. He’s also kind enough to give us kudos for our approach:

“One of the things I like about this is that CoreBlox isn’t trying to provide a support professional for any identity system. They’re focused on the technologies that they know.”

Granted there are many principles of IAM that would apply to any product suite, and we’ve shown we can be versatile enough to gain expertise in other areas such as federation and directory virtualization. But no one at CoreBlox will deny that SiteMinder is our bread & butter, and will continue to be a main area of focus for us on the services side of the business.

Thank you, SiteMinder

Tuesday, August 19th, 2008

Seven years ago when I was working for Onyx Software, I led a CRM implementation for a Waltham, MA based company called Netegrity. Netegrity had made an early arrival to the Identity & Access Management (IAM) party, and its SiteMinder solution for single sign-on (SSO) had been wildly successful with Fortune 500 companies. About a year later when I was looking to reduce my travel load and get a view of the CRM world from the other side, I joined Netegrity’s Business Systems group where I began working with my fellow CoreBlox co-founders. Three years later CA acquired Netegrity, and shortly after that we launched CoreBlox.

Normally I would end that last paragraph with “And the rest is history…”, but it’s important to recognize a major component that has allowed our start-up to defy the odds and celebrate three years as a self-funded business: SiteMinder. There’s no doubt that having a strong, smart, versatile team has been a key to our success, but it would be difficult to pursue our Web 2.0 initiatives (such as our I Have Kids app which is up to 60,000 users!) if we were unable to find consistent sources of revenue to fund them. Our team’s SiteMinder expertise has allowed us to establish ourselves as a boutique firm in a niche market, and it has opened doors in other spaces such as directory virtualization and SAML/federation. In a down economy, IAM spending has remained strong enough to provide us with the engagements we need to drive our business forward:

… the number of organizations planning to roll out identity and access management solutions in the next 12 to 18 months increased 11 [percentage points], moving from 49 percent in 2006 to 60 percent in 2008.

As with any product or service that one works with on a daily basis, it’s easy to focus on gaps and frustrations. Sometimes we need to step back and recognize that what makes the solution complex leads to the opportunities that those who know it well can enjoy.

So on behalf of the entire CoreBlox team, I’d like to offer a sincere THANK YOU to SiteMinder. May you continue to send great opportunities and clients our way!

Application Virtualization

Tuesday, May 13th, 2008

Recently, I have been thinking about a concept currently dubbed “virtual business logic” or something like that. It’s basically taking the capabilities inherent to a virtual directory and turning it from focusing on identities to a method of correlating application services. Something along the lines of this picture:

[Diagram: a virtual business logic server correlating application services]

A system that implemented this model could be referred to as a Virtual Business Logic Server (VBLS). This would allow application developers to leverage the virtual directory as a “service aggregator” of sorts that would allow the definition of higher-level business logic. In this model, the application developer could request a higher level entity from the VBLS and get the full dataset regardless of back-end source returned.

This model could be implemented simply by extending the functionality within existing virtual directory servers such as RadiantOne.

So, from a use case (for a product managed through Eclipse):

1. Go to Eclipse and point it at web services in my environment

2. Use Eclipse to map the data elements between the services together

3. Define the logical business entities and map to the various services

4. Define the security rules for that business entity

5. Make the business entity available as a service to the presentation layer

6. When the results are determined, they are cached before sending to the UI

So,

1. I define a business entity called “View a Case”

2. The “View a Case” entity is mapped to three services: Get Case Details, Get User Information and Get Worknotes, which are correlated using the mapping previously done in Eclipse

3. The “View a Case” entity is secured by a password, certificate, etc., so that only apps that present the proper key can access the call

4. The portal calls the “View a Case” entity

5. The VBLS takes the call and determines the result

6. The result is cached for improved performance

7. The result is returned to the portal
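The “View a Case” flow above as a small aggregator, added here as an illustration of the idea rather than as RadiantOne or CoreBlox code. The three services are constructed stubs, the entity is guarded by a per-app key (the “proper key” in step 3), and the result is cached; the names, the key value and the TTL are all assumptions.

```python
"""Toy Virtual Business Logic Server for the "View a Case" flow above: one
entity mapped to three services, guarded by an app key, with a result cache.
Added example; not RadiantOne or CoreBlox code. The services are constructed stubs."""
import hashlib
import hmac
import time

# Constructed back-end services that the entity is mapped to.
def get_case_details(case_id):
    return {"case_id": case_id, "title": "Login failure", "owner_uid": "jsmith"}

def get_user_information(uid):
    return {"uid": uid, "displayName": "Jane Smith", "department": "Support"}

def get_worknotes(case_id):
    return [{"case_id": case_id, "note": "Password reset, user verified"}]


def view_a_case(case_id):
    """The 'View a Case' entity: correlate the three services on case and owner."""
    case = get_case_details(case_id)
    return {"case": case, "user": get_user_information(case["owner_uid"]),
            "worknotes": get_worknotes(case_id)}


class VBLS:
    def __init__(self, ttl_seconds=60):
        self.entities = {}   # entity name -> (resolver, allowed key digests)
        self.cache = {}      # (entity, args) -> (expiry, result)
        self.ttl = ttl_seconds

    def define_entity(self, name, resolver, app_keys):
        # Hold only digests of the presenting apps' keys, never the raw secrets.
        digests = {hashlib.sha256(k.encode()).hexdigest() for k in app_keys}
        self.entities[name] = (resolver, digests)

    def _authorized(self, name, app_key):
        presented = hashlib.sha256(app_key.encode()).hexdigest()
        # Constant-time comparison against each permitted digest.
        return any(hmac.compare_digest(presented, d) for d in self.entities[name][1])

    def call(self, name, app_key, **args):
        """Returns (status, result, from_cache). The security rule is checked
        before the cache is consulted, so a cached result never bypasses it."""
        if name not in self.entities:
            return "unknown", None, False
        if not self._authorized(name, app_key):
            return "denied", None, False
        key = (name, tuple(sorted(args.items())))
        hit = self.cache.get(key)
        if hit and hit[0] > time.monotonic():
            return "ok", hit[1], True
        result = self.entities[name][0](**args)
        self.cache[key] = (time.monotonic() + self.ttl, result)
        return "ok", result, False


def build_server():
    server = VBLS()
    server.define_entity("View a Case", view_a_case, {"portal-key-example"})
    return server
```

The cache is keyed on entity and arguments only, so any app authorized for the entity shares cached results; if different apps are meant to see different views of a case, the caller identity has to become part of the cache key.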

The full concept here is still being thought through and I would definitely be interested in feedback.