Harmonizing OAuth2, OIDC and SCIM

The Cloud Foundry blog recently published my post about how we combined OAuth2, OpenID Connect, and SCIM in the User Account and Authentication (UAA) service. The UAA and those three protocols are now woven into the Cloud Foundry platform on many levels:
  • authentication and authorization of developers managing applications on the platform
  • single sign-on for developers with platform support sites
  • delegated authorization to partner applications and services
  • support for separation of duties for service to service access between platform components.
The UAA also allows us to seamlessly support external authentication services such as SAML, OpenID2 — and, yes, even LDAP. I’m pretty happy with how the harmonization turned out. Each protocol contributes specific, essential capabilities with very little overlap. The usefulness of the whole is greater than the sum of the parts. As we move forward, there are some areas of concern:

1. Schema

OAuth2, OpenID Connect, and SCIM Continue reading "Harmonizing OAuth2, OIDC and SCIM"

If you must have a password…

… make it easy to remember and hard to guess. We spend so much time trying to reduce the need for passwords it’s easy to overlook that password management itself can be improved. Some months ago the Cloud Foundry identity team restructured our approach to password policy. Luke Taylor posted about it on the Cloud Foundry blog. The new approach is inspired by the famous xkcd cartoon which uses “correcthorsebatterystaple”. We don’t require specific punctuation, case or length. No stupid rules. We dynamically check the password as you type and update a password strength score using an algorithm and open source project also inspired by the xkcd comic. The dynamic feedback is quite intuitive. I’ve quickly learned what makes a strong password — and it’s not an underscore or using a number that looks like a letter. My password lengths have greatly increased but they are much easier to remember. Continue reading "If you must have a password…"

Turtles all the way down

Photo of turtles on the VMware campus courtesy of Yvonne Wong, recruiter extraordinaire.
Most of us on the Cloud Foundry identity team have been working together for just over a year. We work with a rather interesting group that leads the larger open source community that builds Cloud Foundry. On the identity team we’ve been working to evolve Cloud Foundry’s user authentication and authorization system into a full suite of identity services — open source and built on open standards. We’ve built some cool stuff. We are now starting to publicize what we’ve built and more actively engage with the community. Our team consists of veteran SpringSource leaders David Syer (@david_syer) and Luke Taylor in the UK, with Joel D’sa, Vidya Valmikinathan and me in Palo Alto. Dave started us off with 3 solid blog posts for the cloudfoundry.org blog explaining our use Continue reading "Turtles all the way down"

Password anti-pattern alive and well at a financial institution

Wow. I would have thought that after the years of publicity describing the evils of the password anti-pattern, it would not be seen in any current web site that is serious about security. Today, I tried to link an etrade account to a checking account at another institution. Here is part of the screen I got:
I wasn’t sure what it meant by “online login information”. I thought that perhaps they wanted me to reenter my etrade credentials for extra security at this step, but it seemed odd that they would do that in a box that says “powered by yodlee”. I wouldn’t want to give my etrade password to yodlee. So I checked the help bubble and got this:
“Please enter the login information for the bank your external account is at”.
REALLY! They actually want me to enter my username and password from my bank into yodlee Continue reading "Password anti-pattern alive and well at a financial institution"

New Gig, New Rig, New digs

About 18 months ago, Julie and I left family and friends and our long-time residence in Utah and moved to California. It’s been a wild ride. We’re enjoying it now, but initially it was quite a shock. Here are some of the changes:
| Old: Utah | New: Norcal
gig | 23 total years at Novell, last project: Novell Cloud Security Services (identity services) | 1.5 years at VMware Cloud Foundry (identity services)
rig | 4wd SUV | sporty hybrid hatchback
digs | big new house on a golf course in the foothills | quaint rambler built in 1922 — 1/2 the space for 3x the cost
OS | Linux, Windows, NetWare | initially Mac OSX with Linux in a VM, but I rebelled back to Linux, where the user experience and package management are more consistent
code | C/C++, C#, Java | Ruby, Ruby, Ruby, Java, some Go and Scala
VCS | Subversion, Continuus | all git, all the time
release cycle | |
Continue reading "New Gig, New Rig, New digs"

NCSS Demo at Cloud Connect

Both of my regular readers have pointed out to me that my abysmally low blog posting frequency has recently sagged. That has been somewhat due to the state of my current project, Novell Cloud Security Services (NCSS). NCSS was released last August, and since then we have been working with current and prospective customers to make sure it’s what they need, and to enhance it as usage of the cloud evolves. That has meant a lot of travel and meetings for me — much of which I can’t blog about. However, sometimes I am involved in events that allow said loyal readers to see what I do. One such event was last week. Last week I attended the Cloud Connect conference in Santa Clara. As I arrived at the conference about an hour late, I got a message from my colleague Gary Ardito that a camera crew was there waiting Continue reading "NCSS Demo at Cloud Connect"

My Daughter Appears in an Arrington Post on TechCrunch

I have referred to my children numerous times in this blog. For some reason, their adventures are often rather technology focused – but this post is not about technology. It’s about the sheer techie coolness of my daughter being seen in a post on TechCrunch. My oldest son recently started working for a new company called Instructure. I’m not sure I agree with a company strategy that defines itself by its competition, but they have certainly made a splash by announcing that they are specifically attempting to dislodge Blackboard as the leader in learning management software. They’ve taken some interesting approaches to grab attention and market share such as releasing the core product as open source. There are a number of solid strategic reasons to do that – but (again) this post is not about technology. Instructure’s recent emergence in the market, their intriguing strategic moves, and some significant early Continue reading "My Daughter Appears in an Arrington Post on TechCrunch"

Issues with Multi-tenant Cloud Services and Corporate Identity Providers

Updated 21 Jan 2011 to fix two broken links. Recently I have been trying, yet again, to understand social networking and its tools. I figure that, if people like Ben Goodman and Paul Madsen find that stuff useful, there must be some value there that I just haven’t found yet. In my current efforts, I came across this tweet from Anil Saldhana. It points to my submission last month of a set of use cases that I’d like to see considered by the OASIS Identity in the Cloud technical committee. The use cases are some that we have encountered while developing and deploying Novell’s Cloud Security Service. Not only did I think Anil’s tweet showed a positive use for twitter – I’d like to see more quick updates when standards documents are submitted or updated – but it also served as a reminder that I needed to update the use Continue reading "Issues with Multi-tenant Cloud Services and Corporate Identity Providers"

Further into Identity as a Platform Play

A few weeks ago I had a great conversation with Matt Grant over at the Trusted Cloud Initiative. It was a lively conversation and Matt did a great job of turning it into a blog post. I’m not sure if I ever stated the main point of our conversation as succinctly as Matt captured it in the title, but he nailed it: “Hosters Need to Think about Identity as a Platform Play”. When I read it today I noticed one idea I’d like to clarify a bit. The post contains this paragraph:
You see, people can move an application from one host to another without much trouble. The hosters want to be able to hold on to relationships with specific SaaS customers and the idea of identity services is one of the stickiest things possible. Why? Because where people have their user accounts is a very sticky Continue reading "Further into Identity as a Platform Play"

Identity and Security on the Cloud Train

I’ve had many conversations with Dave Kearns over the years in hallways, a few beer halls, and conference panel discussions at events like the Internet Identity Workshop and the European Identity Conference. The conversations have been lively and often pushed my thinking in new directions. We’ve followed a similar path from the directory services of the 90s to Internet identity systems, and now on to cloud computing as it accelerates the adoption of identity services and the identity provider model. In a recent newsletter Dave riffs on my presentation at the European Identity Conference and then concludes with this paragraph:
“The cloud is a reality. Cloud-based computing is a reality. Platform-as-a-service, application-as-a-service and, yes, identity-as-a-service will soon be as pervasive as client-server computing became in the last century. This will mean fundamental changes in the ways we think about identity and security. Get on that train, or be left at Continue reading "Identity and Security on the Cloud Train"