Category: CardSpace

SignOn.com / Google Apps Integration

One of the reasons behind launching SignOn.com was to compare and contrast different identity protocols. There are things that you can learn by reading the specs. And then there are things that you can learn by deploying/implementing the specs.

We have had support for OpenID and Information Cards for a long time. With the latest release, we have added support for SAML by leveraging PingFederate.

Additionally, we have integrated with Google Apps, a service from Google that features applications for mail, calendaring, docs, etc.

Google Apps

This allows SignOn.com users to

  • Add Google Apps services to their SignOn.com accounts (e.g. you can have an email address like joe@signon.com that’s hosted by Google Apps).
  • Single Sign-On to Google Apps via their SignOn.com credentials (username/password or Information Cards).

Your username for Google Apps will be the same as your username for SignOn.com. For example, if your SignOn.com username is joe, your email address will be joe@signon.com.

In order to enable your SignOn.com Google Apps Account, do the following:

  • Log in to SignOn.com (register if you don’t have an existing account).
  • Go to the My Profile tab and make sure that your first name and last name are populated (we need this information to create your Google Apps account).
  • Go to the My Accounts tab.
  • Scroll down and you will see ‘Partner Accounts’. Click Add. This will enable your account with Google Apps.
  • Go to the home page again. You should see another link, e.g. <username>@signon.com. Click on it and it will take you to your mailbox.
  • On first access, you will have to complete a Google CAPTCHA to finish the registration process with Google Apps.

For future access, you can either go to your SignOn.com home page and click on the Google Apps links (IdP-initiated SSO), or access Google Apps services directly by going to the following URLs, which will redirect you to SignOn.com for authentication (SP-initiated SSO).
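The two flows differ in who starts the conversation: in IdP-initiated SSO the user is already at the IdP and is simply sent to the SP with an assertion, while in SP-initiated SSO the SP first sends the browser to the IdP with a SAML AuthnRequest and the IdP decides whether to honour it. The following is an added example in Python, not SignOn.com or PingFederate code, of the SP-initiated half: the SP builds an AuthnRequest, packs it with the SAML 2.0 HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), and the IdP unpacks it and checks Destination, Issuer and the AssertionConsumerServiceURL against registered SP metadata before authenticating anyone. All endpoint URLs are constructed placeholders; the real SignOn.com and Google Apps URLs are not given on the page.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoints: the real SignOn.com / Google Apps URLs are not on the page.
IDP_SSO_URL = "https://idp.example.com/sso/redirect"   # assumed IdP endpoint (SignOn.com role)
SP_ENTITY_ID = "https://sp.example.com/saml"           # assumed SP entityID (Google Apps role)
SP_ACS_URL = "https://sp.example.com/saml/acs"          # assumed SP Assertion Consumer Service

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(issuer, destination, acs_url, issue_instant=None):
    """SP side: build a minimal SAML 2.0 AuthnRequest. Returns (xml, request_id)."""
    instant = issue_instant or datetime.datetime.now(datetime.timezone.utc)
    request_id = "_" + uuid.uuid4().hex        # SAML IDs must start with a letter or underscore
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" '
        f'IssueInstant="{instant.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )
    return xml, request_id


def encode_redirect(xml, idp_sso_url, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no zlib header
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state   # opaque value the SP gets back unchanged
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect(url):
    """IdP side: recover the AuthnRequest XML and RelayState from the redirect URL."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    return xml, query.get("RelayState", [None])[0]


def validate_authn_request(xml, expected_destination, registered_sps):
    """IdP side: checks to make before authenticating the user and issuing an assertion.

    registered_sps maps an SP entityID to the set of ACS URLs from its metadata. Returning
    the assertion only to a registered ACS URL keeps a forged request from steering the
    assertion somewhere else. Returns (ok, detail); detail is the request ID when ok."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"
    if root.get("Destination") != expected_destination:
        return False, "Destination does not match this endpoint"
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text if issuer_el is not None else None
    if issuer not in registered_sps:
        return False, "unknown Issuer"
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in registered_sps[issuer]:
        return False, "AssertionConsumerServiceURL not registered for this SP"
    return True, root.get("ID")


if __name__ == "__main__":
    xml, request_id = build_authn_request(SP_ENTITY_ID, IDP_SSO_URL, SP_ACS_URL)
    url = encode_redirect(xml, IDP_SSO_URL, relay_state="/mail/inbox")
    recovered, relay = decode_redirect(url)
    ok, detail = validate_authn_request(recovered, IDP_SSO_URL, {SP_ENTITY_ID: {SP_ACS_URL}})
    print(url[:80] + "...")
    print("valid:", ok, "request id matches:", detail == request_id, "relay:", relay)
```

In a real deployment the IdP would additionally verify the request signature where the SP signs requests, check IssueInstant against its clock skew window, and remember the request ID so that the InResponseTo of the eventual assertion can be matched; an IdP-initiated flow skips the AuthnRequest entirely, which is exactly why it has to be locked down to a configured target SP.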

Appreciate any feedback.

Concordia Slides from RSA


Slideshare doesn’t handle animation very well. So here is a run-down on the final demo.

In addition to demonstrating interoperability with other vendors, I was able to show how to log in to Google Apps using a SAML IdP/Infocard RP from Ping, CardSpace from Microsoft and an Information Card from Sun. In terms of platforms, Sun’s server was running on OpenSolaris, Ping’s on Linux, CardSpace on Windows XP (which in turn was running on Mac OS X) and Google’s on ‘whatever they run over there’.

Identity at RSA

I’ll be at the RSA Conference next week participating in the following events.

Concordia
What: The current goal is to demonstrate that SAML, WS-Fed and Information Cards can co-exist, and some of the use cases where it makes sense. For instance, if you already have a federation set up (using SAML or WS-Fed), you can leverage Information Cards as an authentication mechanism and tighten the security. Similarly, if you are planning on authenticating using an Information Card, you can extend the reach (and hence get more value for your investment) by federating using SAML/WS-Fed.
Who: Fugen, Internet2, Microsoft, Oracle, Ping Identity, Sun, Symlabs.
When: April 7th, 9AM-12:30 PM
Where: Red Room 302, Moscone Center North/South, Esplanade level

OSIS
What: This is an interop event where you will get to see most (if not all) of the Information Card as well as OpenID providers and consumers. What started off as an informal interop session at IIW now has 57 participants. A lot of credit for this goes to Mike, Dale and Pam for continuing to encourage (read: harass) other participants.
Who: 33 Companies. 24 Projects. 57 Participants.
When: April 8th, 9th. Working session 11AM-4PM. Demos: 4-6PM.
Where: Mezzanine Level Room 220, Moscone Center.

Mix-it-up
What: This has now established itself as a standard event at the main identity conferences. This is where we leave the vendor, customer, big enterprise, small company hats behind and just have a good time. Most end up getting wasted and missing out on their next day appointments.
Who: All available.
When: April 8th. 6-8 PM (it’s not really going to end at 8).
Where: 111 Minna Gallery (Tel: 415.974.1719).

See you there.

OpenID Thoughts

Trust (using the word here in a broad, abstract way) has been one of the strongest reasons for OpenID adoption. The spec does not require OPs and RPs to get together and discuss key exchange, business value, liability issues, attribute data and so forth. OPs and RPs work independently of each other, and as long as they adhere to the core specification, things just work.

Trust has also been one of the most critiqued areas of OpenID. As an RP, why should I outsource my user authentication to someone I have never even interacted with? Call me crazy, but I don’t feel like accepting users from Iwillstealyourusers.com. There have been suggestions that it should be acceptable for low-value transactions. But then, there is no definition of a low-value transaction. And value, like beauty, lies in the eye of the beholder.

All that led to the discussion of an OpenID whitelist. One might argue that it’s against the spirit of OpenID: anyone should be allowed to run an OP without contacting all the RPs to be added to their whitelists. On the other hand, it gives the RPs a cozy feeling to only have a handful of trusted OPs (which, by the way, there is no way to determine; but that’s a topic for some other day).

One of the ways the concept of a whitelist can manifest itself is for OPs to provide an ‘OP Button’ for the RPs. Yahoo did exactly that a couple of months ago. It’s good for the users, since they don’t have to remember their OpenID URL and the user experience is much better. Most of the RPs (at least the current crop) won’t mind accepting users from Yahoo. I figured sooner or later Google and Microsoft would join the OP list (along with AOL) and have their own set of buttons that RPs will happily accept; practicality will take over; the OpenID identifier as we know it today will go under the covers; the small OPs will cease to exist. We’ll all wait for a couple of years and then start over.

Except…ClickPass launched last week with its own button. There are still some discussions on the what and the why of ClickPass. But beyond that, it does paint a picture of what future RPs might look like – a Nascar billboard (with buttons and branding from every OP)…or something like this building.

(image: dish)

This is where the discussions get into discovery, which is a really hard issue to address.

  • This is how social news sites address this:

(image: social bookmarking)

  • This is how RSS Readers address this:

(image: RSS)

  • This is how SAML addresses this: Okay…let’s not go there :-)

The common pattern – a Nascar billboard.

So… David and I spent some time talking about this. This is still a ‘thought in process’ but I wanted to write it down before I get heads down into the RSA preparations.

The requirements:

  • The user shouldn’t need to type the OpenID identifier.
  • There should be one OpenID button. Not two. Not three.
  • The RPs shouldn’t need to host the Nascar billboard (and hence add an icon every time a new OP comes on board).
  • The user should be in control of his identifier and who to share it with.

IMHO, this is how it should work from a user’s perspective:

  • I sign up with any OP of my choice, or set up my own OP.
  • I enter my identifier once, on a client-side component: either a browser extension/plugin or a desktop client.
  • I visit the RP and click on the single OP button. It invokes the client component, which asks whether I want to share my identifier.
  • On clicking okay, it redirects me to the OP and the rest of the OpenID flow resumes.
  • If I don’t have the extension or haven’t picked an OP yet, it redirects me to a central (OIDF/community hosted) Nascar page.
  • The central Nascar page should host the OPs’ logos/buttons. It should allow me to pick my OP and redirect me back to the RP.
  • Additionally, the central Nascar page should allow me to sign up with a listed OP (redirect); add the selected OP to my client component; and allow me to enter my own OP (text field).
  • No registration should be required by the Nascar page.
  • What should be done to be listed on the Nascar page? – Well…that’s where some of the existing work being done by SpreadOpenID, OpenIDDirectory and Nat comes into play.

Thoughts?

As I write this, I do notice the similarities with the CardSpace flow. Ergo…it will be interesting to see if MS (now a member of OIDF) adopts OpenID in the client.

What is your mother’s maiden name?

A while back I spent some time researching several strong authentication methods that are available in the online world. In order to get real user experience, I ended up creating online accounts with several banks and financial institutions. I got to try out various methods including OTP, biometrics, device fingerprinting, etc. However, I found that every bank had something in common: they had all implemented some form of KBA (knowledge-based authentication), also referred to by some as challenge-response or Q&A. It was either implemented as a secondary authentication method, i.e. give me your password and then tell me the color of your eyes, or as a means of back-end authentication (either to recover the password or to register my computer).

So…when we first launched SignOn.com with Infocard authentication (and account recovery via email), we received some feedback that the site is only as secure as its weakest link. Hence in the follow-up release, we upgraded the account recovery to use KBA.

We spent some time coming up with the right questions for the users. Should we ask

  • What’s the name of your first spouse? OR
  • What’s the name of your first love?

The difference is that the answer to the first question is a “fact”. And the answer to the second question is an “opinion”.

To illustrate this further, here are some “fact” based questions:

  • What is your mother’s maiden name?
  • What is the color of your eyes?
  • What was the make of your first car?
  • In what city were you born?

And here are some “opinion” based questions:

  • Who is your favorite sports team?
  • Who was your childhood hero?
  • What is the name of your best friend?
  • Who is your favorite movie star?

It’s a lot easier for others to find facts about you, and hence the “fact”-based questions are a lot less secure than the “opinion”-based questions. However, based on my experience and that of others I have talked to, it seems that when presented with a choice, most users choose the “fact”-based questions…simply because they are easier to answer and don’t make you think.

(image: convenience)

To me, it seems like another area where security and convenience are at odds. I’ll be interested to hear if others have an “opinion” on this.

MacBook Pro

I started my career writing RPG programs on the AS/400. I spent the majority of the past 14 years as a consultant and thus got to try a variety of platforms. Except one. Till now.

Ping Identity recently gave the engineering team the option to pick between Windows and Mac.

In case you are wondering, the following image gives an idea of what we all opted for.


BTW, this also means that the Open letter to the Bandit team is coming :-)

Three days more / Interop Zen

Suiwo, the disciple of Hakuin, was a good teacher. During one summer seclusion period, a pupil came to him from a southern island of Japan.

Suiwo gave him the problem: “Hear the sound of one hand.” The pupil remained three years but could not pass the test. One night he came in tears to Suiwo. “I must return south in shame and embarrassment,” he said, “for I cannot solve my problem.”

“Wait one week more and meditate constantly,” advised Suiwo. Still no enlightenment came to the pupil. “Try for another week,” said Suiwo. The pupil obeyed, but in vain.

“Still another week.” Yet this was of no avail. In despair the student begged to be released, but Suiwo requested another meditation of five days. They were without result. Then he said: “Meditate for three days longer, then if you fail to attain enlightenment, you had better kill yourself.”

On the second day the pupil was enlightened.

It’s good to have deadlines and interops every now and then.

Re:Reconciliation

Paul lists some Reconciliation ideas in a recent blog entry. His post raises two issues:

  • Why does SignOn.com require the profile information in the card (even though the site has the information already)?
  • As an RP/SP, how do you deal with the user’s profile information? Do you keep a copy? Do you ask the IdP for it every time? How do you handle claims freshness, expiry, etc.?

The second one is a bigger question, since it is dependent on several other things like the RP business model, the IdP/RP relationship, etc. We need to have a F2F session to drill down on that one.

Let me attempt to answer the first one. We did spend a significant amount of time on this particular subject before coming up with what we have. It’s not perfect but it’s the best among the choices that we had.
If you (or anyone else) have a better idea to address this, please share and beers are on us next time we meet.

At SignOn.com, we had the following requirements:

  • We wanted our users to have the option of registering multiple cards (one for work, one for home, etc.).
  • Once the user has registered a card with SignOn.com, he/she should be able to go to the My Account page, look at the registered cards and quickly determine whether a card has already been registered.

We prototyped 3 ways to address the requirements:

  • Display PPID – This option requires the card to have only a PPID (every personal card has one). Under My Account, the user then sees a list of PPIDs. In case you haven’t seen one, this is what a PPID looks like – 7n+eg3TBKNP1ylqPrksKmS0xB8uyhTVX36XcdiEDdk0=. Needless to say, it isn’t exactly user friendly. Additionally, the PPID is created on a per-site basis, so in order to see the PPID the user has to submit the card to the site. Therefore if the user wants to verify whether a card has already been registered, he/she has to invoke the card selector, select a card and submit it: 3 clicks only to find out whether the card has already been registered.
  • Card name / label – At the time of registration, allow the user to enter a card name or a label to identify the card. The CardSpace client has a card name associated with the card. However, when a user submits the card to the site, the name does not get transmitted to the site. Therefore the name/label at the site has to be a completely manual process and will have no link with the card name in the identity selector. (We could have used nickname as the card name, but it meant overloading the claim and we didn’t want to go that route.)
  • Additional claims – Ask for more claims from the user (e.g. first name, last name, email address) and hope that gives the user enough indication of whether a card has already been registered. It still has a problem, since the user might have multiple cards with identical claim values.

We had an independent team perform a usability test on the 3 prototypes and they preferred option 3. Personally, I would have preferred a way for the CardSpace client to send the card name to the site, and then picked option 2.

Net/net, as it stands today we aren’t using the claims in the card to map it to the user’s profile data, but merely as a visual cue for the users to look at their registered cards. If you have a better idea, I’m all ears.
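To make the trade-off between the three prototypes concrete, here is an added example in Python of a small per-site card registry; it is not SignOn.com’s code. The PPID is the lookup key, because it is the one claim that actually answers “is this card already registered?”, while the label shown on My Account is either a name the user typed in (option 2) or one derived from the additional claims (option 3). The first PPID is the one quoted above; the second PPID and all claim values are constructed. Running it shows the option-3 problem described in the post: two different cards carrying identical claims produce indistinguishable labels.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SubmittedCard:
    """Claims an RP receives when a personal card is submitted. Sample values are constructed."""
    ppid: str                 # Private Personal Identifier: unique per card *and* per site
    given_name: str = ""
    surname: str = ""
    email: str = ""


def claims_label(card):
    """Option 3: derive a human-readable label from the extra claims, falling back to the PPID."""
    name = " ".join(part for part in (card.given_name, card.surname) if part)
    if name and card.email:
        return f"{name} <{card.email}>"
    return name or card.email or card.ppid


class CardRegistry:
    """Registered cards for one site. The PPID is the lookup key (it is the only claim that
    reliably distinguishes two cards); the label is only what the user sees on My Account."""

    def __init__(self):
        self._cards = {}   # ppid -> (card, label)

    def register(self, card, label=None):
        """Returns True if the card is new, False if this PPID is already registered.
        A user-typed label (option 2) wins over the claims-derived one (option 3)."""
        if card.ppid in self._cards:
            return False
        self._cards[card.ppid] = (card, label or claims_label(card))
        return True

    def is_registered(self, card):
        return card.ppid in self._cards

    def my_account_view(self):
        """What the user sees: labels only, never raw PPIDs."""
        return [label for _, label in self._cards.values()]

    def ambiguous_labels(self):
        """Labels shared by more than one card: with option 3 alone the user cannot tell
        which physical card each entry corresponds to."""
        counts = Counter(label for _, label in self._cards.values())
        return sorted(label for label, n in counts.items() if n > 1)


if __name__ == "__main__":
    registry = CardRegistry()
    # Two distinct cards (different PPIDs) carrying identical claims, e.g. a work card and a
    # home card created with the same name and email. The second PPID is made up.
    work = SubmittedCard("7n+eg3TBKNP1ylqPrksKmS0xB8uyhTVX36XcdiEDdk0=", "Joe", "Smith", "joe@example.com")
    home = SubmittedCard("zb+Qkq0qQr3wWd1iNf2UxZ8z6hD9m0fC5tJh3bLgRkE=", "Joe", "Smith", "joe@example.com")
    print(registry.register(work), registry.register(home), registry.register(work))
    print(registry.my_account_view())
    print("ambiguous:", registry.ambiguous_labels())
```

Because the PPID is computed per site, nothing in this registry is usable to correlate the same card across two different RPs, which is the property that makes it a safe key to store; the usability cost the post describes is entirely on the display side.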

Online Payments using Information Cards

Here are the slides from Sid’s DIDW presentation.

To try out the demo, go to DIDWDemo, get yourself a card and ‘Go shopping at Starbuzz Coffee’. You need to have IE7 and MS CardSpace to check out the demo (the bank site doesn’t support Firefox).

From the outside, it looks like any other ‘Managed Information Cards’ demo. But behind the scenes, the merchant site and the issuer are integrated with ACI’s Access Control Server and payment engine. In the coming weeks, we’ll allow the user to monitor the transaction details between the merchant and the issuer.

For more information on the concept, check out Sid’s post here.

(image: ACI/Ping demo)

Hesitation from Relying parties

James mentioned another reason for relying parties’ lack of support for Information Cards. I wanted to add more thoughts on that:

  • I haven’t seen many consumer-based web applications that leverage the web access management (WAM) products. I may be wrong, but the WAM products are more in use for internal/enterprise-centric applications.
  • The access management products that you have listed provide authentication modules (and an SDK) which allow other authentication schemes to be hooked in. Therefore, it’s not a big deal to create a custom authentication module/scheme for Information Cards and then create the appropriate token/session.
  • We demonstrated a similar use case at Catalyst last year, where you can use an Information Card to log in to a SiteMinder or CoreID domain. Behind the scenes, you retrieve claims from the Information Card, contact the access management server and then create the appropriate token.
  • CA (SiteMinder), Oracle (CoreID) and IBM (TAM) were all part of the OSIS interop demo at Catalyst in June. And Sun has demonstrated a CardSpace extension to their OpenSSO offering too. I don’t know when these products will be commercially available, but I’m sure you know that a real customer/requirement can change priorities pretty quickly in the vendor world.

Let us know when you are ready :-)
