Posts Tagged ‘security’

Working Around SiteMinder 500 Errors for Unauthorized Federation Service Provider Access

Wednesday, September 7th, 2011

Overview:
SiteMinder provides federation capabilities for SAML (and other protocols). These capabilities are accessed through a set of web services installed with the Web Agent Option Pack. When a user has a valid SiteMinder session but is not authorized to access the configured SAML Service Provider, the federation web service throws a 500 error instead of automatically redirecting the user for re-authentication the way a standard SiteMinder Web Agent would. This can be worked around in a couple of ways; one is to use the federation 500 error redirect to send the user to a page which logs the user out and then redirects back to the federation URL.

The following is required for this configuration:

  1. Custom redirect page that takes the federation POST variables and redirects the user back to the sent SPID. This page should be placed on a web server with an installed SiteMinder Web Agent.
  2. Configure the redirect page as the logoff URI within the agent’s configuration object (ACO).
  3. Set the custom error page as the Server Error URL in the Additional URL Configuration section on the Advanced tab of the SAML service provider configuration dialog.

Custom Redirect Page:
The custom redirect page can be an ASP, ASP.NET, JSP or any other dynamic page that can take POST parameters, parse them and redirect the user back to a URL. The following ASP code is an example of a page that takes the information from SiteMinder and redirects the user back to the federation URL:

<%
' Rebuild the federation URL from the values SiteMinder POSTs to this page
' (SPID and RelayState) and send the user back once the LogoffUri has ended the session.
Dim relaystate, spid, fedurl, redirecturl
relaystate = Request.Form("RelayState")
spid = Request.Form("SPID")
' Base federation URL for this environment.
fedurl = "https://saml.company.com/affwebservices/public/saml2sso"

' Both POSTed values are URL-encoded so they cannot alter the query string.
If relaystate = "" Then
 redirecturl = fedurl & "?SPID=" & Server.URLEncode(spid)
Else
 redirecturl = fedurl & "?SPID=" & Server.URLEncode(spid) & "&RelayState=" & Server.URLEncode(relaystate)
End If
%>

<html>
<head>
<title>Redirect Page</title>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</head>
<body>
<% Response.Redirect(redirecturl) %>
</body>
</html>

To use this code, set the fedurl variable to the base federation URL for the environment. The page should then be dropped on a server with a SiteMinder Web Agent in an unprotected folder. For example in a folder like:

<WWW root>\redirect\logoffredirect.asp  (if the file is an ASP named logoffredirect.asp)

where <WWW root> is the base document folder for the web server site.

Configure the Page as the LogoffUri Agent Parameter:
Setting the custom redirect page as the LogoffUri for SiteMinder ensures that the SiteMinder session is ended, so that when the user is redirected back to the federation URL they will be prompted to log in again. In the example above, the URI for the page is /redirect/logoffredirect.asp. To add this:

  1. Open the Agent Configuration Object (ACO) for the Web Agent installed on the server with the custom redirect page.
  2. Uncomment the LogoffUri parameter and add the URI (not URL) for the custom redirect page.
  3. Save the ACO.

The configuration change will be automatically picked up by the agent. In this example, the ACO looks like the following image:

Set the Server Error URL:
Once the custom error page is deployed and configured as the LogoffUri, the next step is to tell SiteMinder to redirect to this page when the user would normally receive a 500 error from the federation web service. While we are using this to redirect the 500 error thrown when a user is not authorized, it has the side effect of sending all 500 errors to the redirect page. This may or may not be an issue in your environment. To configure the Server Error URL:

  1. Open the SiteMinder FSS Administrative UI.
  2. Click on the Domains tab.
  3. Open the federation domain.
  4. Click on the SAML Service Providers left-nav item.
  5. Open the Service Provider configuration.
  6. Click on the Advanced tab.
  7. Click the [Custom Error URL Config] button.
  8. Check the Enable Server Error URL checkbox.
  9. Enter the URL for the custom redirect page (e.g. https://saml.company.com/redirect/logoffredirect.asp).
  10. Change the drop-down to Http Post.
  11. Save the configuration.

Setting the drop-down to Http Post is required so that the necessary information is sent to the redirect page. This allows the redirect page to redirect the user back to the correct Service Provider configuration. Making the redirect page dynamic ensures that a common redirect page can be used for multiple Service Provider configurations.
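The same redirect logic, rewritten here as an added example in Python so it can be exercised offline (this is not code from the original post or from SiteMinder): a small WSGI page that reads the SPID and RelayState fields the federation web service POSTs, rebuilds the federation URL, and answers with a 302 plus no-cache headers. It goes one step beyond the ASP page by refusing to redirect when the POST carries no SPID or an SPID that is not on an allowlist, which matters because the Server Error URL receives every 500 error, not only the unauthorized-user case. FED_URL, the hostnames and the KNOWN_SPIDS values are placeholder assumptions.

```python
"""Added example, not from the original post or from SiteMinder: the logoff-redirect
page's logic as a small WSGI application. The POST field names (SPID, RelayState)
are the ones named in the post; FED_URL and KNOWN_SPIDS are placeholder assumptions."""
from urllib.parse import parse_qs, urlencode

# Base federation URL for the environment (placeholder host, as in the post).
FED_URL = "https://saml.company.com/affwebservices/public/saml2sso"

# Assumed allowlist: the SP IDs actually configured in this environment.
# Every 500 error lands on this page, so only redirect for SPIDs we know about.
KNOWN_SPIDS = {
    "https://sp1.example.test/saml/metadata",
    "urn:example:partner-sp",
}


def build_redirect_url(spid, relaystate=""):
    """Rebuild the federation URL from the POSTed SPID and optional RelayState.
    Both values are URL-encoded so they cannot alter the query string."""
    params = [("SPID", spid)]
    if relaystate:
        params.append(("RelayState", relaystate))
    return FED_URL + "?" + urlencode(params)


def handle_post(form_body):
    """Decide the response for one POST from the federation web service.
    Returns (status line, list of response headers)."""
    form = parse_qs(form_body, keep_blank_values=True)
    spid = form.get("SPID", [""])[0]
    relaystate = form.get("RelayState", [""])[0]
    if spid not in KNOWN_SPIDS:  # also covers a POST with no SPID at all
        return "400 Bad Request", [("Content-Type", "text/plain")]
    headers = [
        ("Location", build_redirect_url(spid, relaystate)),
        # Same intent as the META tags in the ASP page: never cache this hop.
        ("Cache-Control", "no-store"),
        ("Pragma", "no-cache"),
        ("Expires", "-1"),
        ("Content-Type", "text/plain"),
    ]
    return "302 Found", headers


def app(environ, start_response):
    """Minimal WSGI entry point; the page is only meaningful for POST."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b"POST only\n"]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    status, headers = handle_post(body)
    start_response(status, headers)
    return [status.encode() + b"\n"]


if __name__ == "__main__":
    # Local smoke test: POST a body such as SPID=urn%3Aexample%3Apartner-sp to port 8080.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The allowlist check is the only behaviour not in the ASP page; if the environment uses a single SP, the set shrinks to one entry, and the page still serves multiple SP configurations by reading the SPID dynamically.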


2011: The Year of the Insider?

Tuesday, December 21st, 2010

This morning I was catching up on my IAM industry reader feed when I stumbled on this little nugget: CA Technologies Experts Predict 2011 as the Year IT Security Enables Cloud Adoption. The gist of the article is summarized here by Tim Brown, CA Technologies’ Senior Vice President and Chief Security Architect:

Throughout the year, industry events and new discoveries impact the security and operations of our organizations. In 2011, IT security professionals will need to step-up their battle against the insider threat and leverage Identity and Access Management to shift the view of security to that of an enabler for cloud adoption.

I like Brown’s point of view on this topic because he seems to advocate making security an integral part of the cloud strategy, rather than something that’s considered at the end of the design & architecture cycle (or after the fact!). Security becomes a strategic advantage when you a) know that what you’re releasing won’t leave your organization vulnerable to attacks and b) aren’t forced to patch or re-architect your solution after the fact because you’ve been compromised!

Russell Crowe - the original "Insider"

Unfortunately the potential 2011 “bad guys” don’t just reside in the cloud. Brown goes on to cite the 2010 Verizon Data Breach Investigations Report which shows that “insiders” accounted for 46% of all security breaches, and he predicts that this percentage will increase again in 2011. Aside from conjuring up images of a good movie, this also reminded me of the foresight that CoreBlox’ friend Matt Flynn showed early on when he began writing about the insider threat. Matt’s blog posts are worth a read, as they will get you thinking about angles such as the “soft insider threat” (e.g. when an employee leaves a corporate USB thumb drive at Starbucks by mistake).

I’m also intrigued by this paragraph on how the active threats might be rooted out:

Organizations will begin using behavioral analysis to predict threat from the inside. There is case study research in this area that examines the psychosocial factors that can contribute to an insider breach. This data could be used to create predictive models that correlate psychological profiles or behaviors to insider breaches or crime. For example, how an employee reacts to stress; financial and personal predisposition to conflict; rule violations and the propensity to hide them when they occur; and chronic disgruntlement or strong reactions to organizational sanctions can all be indicators of risk for insider data breach. This data then could be used to step-up and tighten access and data usage rights.

How close are we to personality and mood-driven access management and provisioning? My guess is not very, but I’m sure large organizations would view this type of analysis as a small price to pay in order to guard against a much larger threat.

What are your thoughts on Tim Brown’s predictions? Do you view behavioral analysis as invasive overkill, or a legitimate means of exposing potential insider risks?

Facebook – Your Identity Neighborhood Watch

Friday, December 3rd, 2010

A couple of years ago Facebook released Facebook Connect. According to them:

“Facebook Connect is the next iteration of Facebook Platform that allows users to “connect” their Facebook identity, friends and privacy to any site. This will now enable third party websites to implement and offer even more features of Facebook Platform off of Facebook – similar to features available to third party applications today on Facebook.”

While it provides an easy way to extend your login to other sites, it also, perhaps, has another hidden advantage.  Presence has become more prevalent across Facebook. While that may help your employer know you are online at work, it also lets your friends know that you are around.  When I’m talking about presence information, I mean the following quoted from Wikipedia:

“presence information is a status indicator that conveys ability and willingness of a potential communication partner—for example a user–to communicate.”

Since you need to log in to Facebook to access these sites, you in essence tell your friends that you’re online.  So, your friend list becomes a neighborhood watch for your identity.  Perhaps they see you online when they know you are out of town or maybe it is other odd behavior that seems out of place.  It’s behavioral security at its finest.  There is also the built-in alerting mechanism of the multiple text messages to check your account and reset your password from all those friends looking out for your best interests.

I suppose there is also an advantage in that you control a site’s access to your information.  At least somewhat… and I guess if you trust your identity to Facebook. I was not too fond of Facebook Connect initially. Maybe I should give it another shot…

What do you think?

Business Lesson: Choose Your Partners Wisely

Tuesday, June 29th, 2010

Photo courtesy of DRB62 on Flickr

My wife & I began subscribing to the MetroWest Daily News back in 2002. At the time they published in the afternoons, so it was the paper I read when I’d get home from work in the evening. When we moved from Framingham to Westborough back in 2008, we opted to keep subscribing to the MetroWest even though it’s a Framingham-centric paper and there are probably better candidates for local news. As everyone knows, I’m a craft beer geek and always look forward to Norman Miller‘s Beer Nut columns on Wednesdays. If you’re reading this and wondering why we subscribe to a physical newspaper in the Internet age, well, I’m not going to convince you why it’s worth it. Suffice it to say we like the routine of knowing there’s morning news in our driveway, and we also enjoy supporting quality reporting by paying that subscription fee. Of course, the subscription fee also funds the delivery of the paper. Which leads me to my story…

We enjoyed reliable delivery service for most of the 8 years we subscribed. Then, a couple months ago, our regular delivery person was replaced. It’s still unclear to me whether it was just a new person from the existing delivery service or an entirely new delivery service. Apparently the MetroWest Daily News farms the delivery part out to a 3rd party, which I’m sure is much cheaper for them in the long run.  We knew the carrier had changed on that first morning when our newspaper wasn’t there (we later discovered it in our neighbor’s driveway). The next day we didn’t get any paper at all and it wasn’t in our neighbor’s driveway either. In the days that followed we had some days where we got the paper, some where we got the wrong paper, and some with no paper at all. I grew accustomed to calling the MetroWest’s Circulation Dept to report the problem. Within a couple of weeks I had their phone menu options memorized because I had dialed in so frequently (side note- why does one option say “to have your paper REdelivered, press..”? How can a paper be redelivered if it wasn’t delivered in the first place??). It was not going well.

After several days of issues a MetroWest manager called the house to apologize. He gave us his direct dial line to call if we had further issues, and he even called on some days to check and made sure we got the paper. This was the GOOD side of dealing with the problem. Unfortunately there was a BAD side too. The delivery service itself called our house a couple of times. They were rude, abrupt, and apparently suspicious of our motives. On one call they implied that we were inventing the issues (did I miss the announcement that one can use accumulated newspaper credits toward their kids’ college savings plans?). On another day when the service had already “redelivered” the paper because they’d missed the morning delivery, a 2nd driver showed up to give us a 2nd copy. When I politely explained that we’d already gotten the paper, the driver commanded in an annoyed voice “just keep it because I don’t want to have to come back out here.”

I’m guessing we had at least ten days of newspaper delivery issues over the course of 6-8 weeks. We’re not high-maintenance people, but our patience was wearing thin. Eventually we decided “1 more strike and they’re out”. That final strike happened last week when I went outside and found no MetroWest Daily News. I was tired of calling their circulation desk at least once a week, and I didn’t understand why our service went from excellent to miserable so quickly. I made the final call to the subscription desk to cancel. When the woman I spoke with politely asked why, I made things very clear: “I love your newspaper, your staff has been great to deal with, but your delivery service has been awful lately.” She immediately saw my list of calls and was very sympathetic. A manager is supposed to call us at some point, no doubt to regain our business. At this point I don’t see that happening.

Here’s what I learned from this whole saga:

  1. Don’t take excellent service for granted. We always sent tips to our old carrier, but I would have sent more had I realized how much aggravation his reliability saved me.
  2. If you outsource any aspect of your business to partners, choose wisely. Partners share as much responsibility for representing your business as your employees do. Chances are your clients/customers won’t make the distinction between a full-time employee and a partner when something goes wrong. More often than not, your business will pay for your partners’ mistakes. If you don’t believe me, just ask the MetroWest Daily News.
  3. If you or your company resells or performs a service on behalf of another entity, you should strive to represent them in the best possible light. This will help to differentiate you from other partners. If you end up making a poor impression, you risk costing them money. Go the extra mile and you’ll be recognized and appreciated.

At CoreBlox we’ve been fortunate to be part of some productive strategic partnerships. I think a big part of that success comes from taking the lessons we learn as individual consumers and applying them to our business. This experience with my local newspaper has reminded me that when it comes to partnerships, there’s no substitute for reliability and professionalism.

– Newspaper photo courtesy of DRB62 on Flickr

– Handshake photo courtesy of aroberts on Flickr

RSA Conference 2010 (a.k.a. Information Security Heaven)

Tuesday, February 9th, 2010

If you’re in the market for a security conference over the next couple of months, look no further than the big one that’s happening in San Francisco! On March 1-5 the granddaddy of all enterprise security conferences will be taking place at the Moscone Center when RSA Conference comes to town. Todd & I had the chance to visit the Moscone Center a few years back for salesforce.com’s DreamForce event, and it was a gorgeous venue. The speaker list for this year’s event looks impressive:

– Scott Charney, Corporate Vice President for Trustworthy Computing, Microsoft Corp.

– Art Coviello, Executive Vice President of EMC Corp. and President of RSA, The Security Division of EMC

– Enrique Salem, President and CEO, Symantec Corp.

– Dave Hansen, Corporate Senior Vice President and General Manager, Security Business Unit, CA Inc.

– Al Zollar, General Manager, IBM Tivoli Software

– David DeWalt, President and CEO, McAfee Inc.

– Phil Dunkelberger, President and CEO, PGP Corp.

– Philippe Courtot, Chairman and CEO, Qualys Inc.

– Herbert (Hugh) Thompson, Ph.D., Chief Security Strategist, People Security and Program Committee Chair, RSA Conference 2010

– James Bidzos, Executive Chairman, VeriSign Inc.

How’s that for a list of heavy hitters? :-)

The CoreBlox team is excited to follow the conference and hear what the future holds for some of the key technologies we service such as SiteMinder, Radiant Logic VDS, and CA Identity Manager. These gatherings are a great way to break free of the day-to-day and engage with your peers in a social setting. For more information, check out the RSA Conference 2010 registration form.

Photo courtesy of adactio on Flickr.

Enterprise Microblogging Security

Tuesday, October 14th, 2008

Last week I read an article that was co-written by one of the most knowledgeable social media experts I follow on Twitter, Aaron Strout of Mzinga, and Joe Cascio of JoeCascio.net.  The article is titled Is the Enterprise Ready for Microblogging Tools Like Twitter?. It was full of useful information that any organization would want to consider before using a tool like Yammer or Present.ly, but the pieces that caught my eye were listed under the Key Considerations section:

“Single Sign-On (SSO): A growing problem in the social media world right now is identity proliferation. With some notable exceptions that accept OpenID, most sites still require you to create yet another account in their system (or identity domain). In most enterprises, a fair amount of effort has already been expended on establishing single sign-on through the intranets’ LDAP registry. It would be highly desirable to leverage this capability to enroll employees in the microblogging system. So, an enterprise microblogging solution must have flexibility in adapting to existing ID and sign-on registries.”

Then further down:

“Security: This will probably be of paramount concern at least initially in most businesses. Most corporations are very aware of keeping internal communications safe from prying outside eyes. An enterprise microblogging solution must provide for fine-grained authorization and trustworthy security of communications. Management, through the IT department will want to be able to restrict who can see certain posts.”

Some would say that the beauty of Twitter is its lack of walls. Granted you can globally secure your updates so that only those you approve may see them or leverage the DM feature to send private messages, but for the most part communication is done in the clear for all the Twitter community to see. But when discussions turn to private topics like corporate strategy and departmental policies, the need for enterprise microblogging to be secure becomes paramount. In other words, you don’t want that jab about a competitor’s product to become public because the person who made it was foolish enough to set their password = “password”.

So how secure are these new microblogging tools? A quick check of Yammer’s API Documentation shows the following:

“Authentication is done using HTTP Basic Authentication. The username is the full email address of the user, and the password is the same used to authenticate to the yammer.com web interface.”

It’s the same with Present.ly’s API Documentation:

“Just as with the Twitter API, the Present.ly API can be accessed via HTTP Basic authentication. The primary difference is that there is no data accessible without authentication in the Present.ly API, since the data is all private.”

For those who aren’t familiar with Basic Authentication, Wikipedia points out its main weakness:

“Although the scheme is easily implemented, it relies on the assumption that the connection between the client and server computers is secure and can be trusted. Specifically, the credentials are passed as plaintext and could be intercepted easily. The scheme also provides no protection for the information passed back from the server.”

This entry is not intended to knock Yammer or Present.ly for their API security protocols. I’m sure when their founders set out to deliver their solutions, security was barely a blip on their radars. But this is a security hole that Yammer & Present.ly’s customers will need to address if they want to provide secure microblogging environments for their employees.
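The weakness the quotes above describe is easy to check for on the defender's side: an HTTP Basic header is only base64, so any client that sends it over plain http:// has exposed its credentials to the network path. The following is an added example (not code from the post, from Yammer or from Present.ly) that audits web-proxy log lines for exactly that. The log lines, their "method URL Authorization" layout and the hostnames are constructed for the example; only the username is reported, never the password.

```python
"""Added example, not part of the original post: find API clients sending HTTP
Basic credentials over cleartext HTTP in proxy logs. The log format and the
hostnames below are constructed assumptions, not a real proxy's output."""
import base64
from urllib.parse import urlsplit


def basic_header(user, password):
    """Build a Basic header value the way a client does (RFC 7617): base64 of user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample lines: "<method> <url> <Authorization header value or ->"
SAMPLE_LOG = "\n".join([
    "GET http://api.example-microblog.test/messages.json " + basic_header("alice@corp.example", "hunter2"),
    "GET https://api.example-microblog.test/messages.json " + basic_header("alice@corp.example", "hunter2"),
    "POST http://api.example-microblog.test/messages Bearer not-a-basic-header",
    "GET http://static.example-microblog.test/logo.png -",
])


def parse_basic(header_value):
    """Return the username from a Basic header value, or None if it is not a
    well-formed Basic header. The password is deliberately discarded."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, _, _password = decoded.partition(":")
    return user or None


def audit(log_text):
    """Return (url, username) for every Basic-authenticated request that did
    not use TLS, i.e. credentials readable to anyone on the network path."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _method, url, auth = line.split(" ", 2)
        if auth == "-":
            continue
        user = parse_basic(auth)
        if user is None:
            continue
        if urlsplit(url).scheme.lower() != "https":
            findings.append((url, user))
    return findings


if __name__ == "__main__":
    for url, user in audit(SAMPLE_LOG):
        print(f"cleartext Basic credentials for {user} sent to {url}")
```

The https:// line with the same header is not flagged: Basic auth is acceptable when the channel is TLS, which is the assumption the Wikipedia quote says the scheme relies on. Requiring https:// for the API endpoints (at the proxy, or by only handing clients https URLs) is the practical fix for the hole the post describes.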

If you’re part of an organization that needs help implementing SSO to a microblogging solution, or if you have any other security needs related to microblogging, we’d love to hear from you! CoreBlox has broad experience creating quick and effective solutions to these types of issues, and chances are we could help you figure this out. Drop us a line at info@coreblox.com, or feel free to contact me directly on Twitter.

For those folks who work in the Identity & Access Management space or just have a general interest in this area- what are your thoughts on the security challenges that these microblogging solutions pose? Anything you see that makes their situations unique relative to other applications that are covered by enterprise security?