Thursday, May 17, 2018

SAML-message with NotBefore

I was integrating our corporate JIRA with One Identity Cloud Access Manager via SAML2. I chose the plugin from Resolution GmbH.

Integration was a breeze. Their wizard is brilliant! I got the whole integration completed successfully within 15 minutes.

One issue I encountered was "SAML-message with NotBefore xxx is not valid yet."

This was quite easily resolved. Make sure the IdP (One Identity Cloud Access Manager) and the SP (JIRA) are synced to the same NTP server.

The error disappeared as soon as I had ntpd configured on my JIRA server.
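To show why clock drift produces exactly this message, here is an added example (mine, not code from the post, the Resolution GmbH plugin or One Identity Cloud Access Manager) that evaluates a SAML assertion's Conditions window at the SP's clock time. The assertion, the timestamps and the function names are constructed for the illustration; it also goes slightly beyond the post by checking NotOnOrAfter and by modelling the clock-skew tolerance many SP libraries let you configure.

```python
# Added example (not from the post, nor from the Resolution GmbH plugin or
# One Identity Cloud Access Manager): a minimal check of a SAML assertion's
# <Conditions> window, showing how an SP clock that lags the IdP produces
# "SAML-message with NotBefore ... is not valid yet". Names, the sample
# assertion and the timestamps are constructed for this illustration.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: the moment the IdP issued the assertion, by the IdP's own clock.
IDP_ISSUE_TIME = datetime(2018, 5, 17, 9, 0, 0, tzinfo=timezone.utc)


def saml_time(value: datetime) -> str:
    """Format a UTC datetime in the xsd:dateTime form SAML uses ("...Z")."""
    return value.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(value: str) -> datetime:
    """Parse a UTC xsd:dateTime, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def build_assertion(issue_time: datetime, lifetime_s: int = 300) -> str:
    """Constructed assertion fragment carrying only the Conditions the SP inspects."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Conditions NotBefore="{saml_time(issue_time)}" '
        f'NotOnOrAfter="{saml_time(issue_time + timedelta(seconds=lifetime_s))}"/>'
        "</saml:Assertion>"
    )


def check_conditions(assertion_xml: str, sp_now: datetime, allowed_skew_s: int = 0) -> str:
    """Evaluate NotBefore/NotOnOrAfter at the SP's clock time.

    Returns "ok" or the rejection reason. allowed_skew_s is the tolerance many
    SP libraries let you configure; it masks small drift but also widens the
    window in which a captured assertion stays replayable, so it is no
    substitute for NTP on both sides.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return "assertion has no Conditions element"
    skew = timedelta(seconds=allowed_skew_s)
    not_before = cond.get("NotBefore")
    if not_before is not None and sp_now + skew < parse_saml_time(not_before):
        return f"SAML-message with NotBefore {not_before} is not valid yet"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None and sp_now - skew >= parse_saml_time(not_on_or_after):
        return f"SAML-message with NotOnOrAfter {not_on_or_after} has expired"
    return "ok"


def demo() -> dict:
    """Constructed scenario: the SP's clock is 30 s behind the IdP, then synced."""
    assertion = build_assertion(IDP_ISSUE_TIME)
    lagging_sp_clock = IDP_ISSUE_TIME - timedelta(seconds=30)
    return {
        "sp_30s_behind": check_conditions(assertion, lagging_sp_clock),
        "sp_synced": check_conditions(assertion, IDP_ISSUE_TIME),
        "sp_30s_behind_60s_tolerance": check_conditions(assertion, lagging_sp_clock, allowed_skew_s=60),
        "sp_after_expiry": check_conditions(assertion, IDP_ISSUE_TIME + timedelta(seconds=300)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the SP 30 seconds behind the IdP the assertion is rejected as "not valid yet" even though nothing is wrong with it; once both clocks agree it passes. Raising the tolerance also makes it pass, but that hides the drift rather than fixing it, which is why syncing both sides to the same NTP source is the right fix.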


Tuesday, May 15, 2018

One Identity Cloud Access Manager - Backend SSO Method

Out of the box, One Identity Cloud Access Manager provides the traditional credential SSO methods like IWA (Integrated Windows Authentication) and HTTP Header. I like that it also provides Form Fill, though I would keep that as a "hidden secret weapon" for the cases where a customer has legacy applications and I have no choice but to perform password replay.

In the same box (yes, the same box; some other vendors require you to buy an add-on :>), the trendier federated SSO methods like SAML2 and OpenID Connect/OAuth 2.0 are provided. No additional add-on. No additional cost. The SAML2 IdP is enabled out of the box. The OpenID Connect Provider is enabled out of the box. Very easy to integrate with any third-party federated client.

I was trying to integrate our in-house JIRA via SAML2 and it took me less than 15 minutes on the first try.

Thursday, May 3, 2018

One Identity Cloud Access Manager - Not Authorized

I was playing with One Identity Cloud Access Manager this afternoon and ran into "Not Authorized - Sorry, but it seems as if you're not authorized to access the selected application".

This is what I observed. If the administrator configures a new protected application after you have logged in to the Application Portal (a one-stop landing portal from which you single sign-on to multiple protected backend applications), the new application link (e.g. Web SVN (Management)) immediately appears on the portal.

However, as soon as you click on the new link, you get the "Not Authorized" error.

To work around this, log out and log in again. The new link is then accessible.



Wednesday, May 2, 2018

CA SSO Access Gateway

I met with a potential customer today who was interested in deploying CA SSO Access Gateway in the DMZ while keeping the CA SSO Policy Server on the intranet.

He was not sure which integrations CA SSO Access Gateway offers for his backend applications.

I showed him the diagram below. Self-explanatory.

  • SAML (Federation)
  • OpenID Connect
  • HTTP Header (Web Agent)


Tuesday, April 17, 2018

Password Meter

We have been in the Security & Identity business for a long time. Recently, we have been engaged in a number of Identity Management projects in the Asia region.

In some projects, we build our own Access Request Portal on top of the Identity Management products out there in the market.

The reason is simple: to improve user experience!

From our observation, some IDM products are just too complex and too heavy; others lack features that customers require.

And since more and more IDM products expose REST APIs, building our own Access Request Portal becomes compelling.

We built an Access Request Portal that is lean and fast. No unnecessary features just to make Gartner happy. (You don't agree? Ha!)

In one of our projects, the CIO took a look at the User Profile tab and explored how we had built the Password module. He didn't like what we had built. He has a strong view on what a strong password is. He even sent my team this to read: "Science Can Help You Choose a Better Password. Complexity isn't as important as you think."

So we stripped out the original Password module and incorporated Password Meter.

Password Meter is pretty cool. It "scores" your password quality as you type and gives you advice immediately.

My team did it better! As Password Meter is open-source and published on GitHub, we enhanced it to support multiple languages.

What's next is for the team to tidy up the sources and offer them back to the community.

That's the beauty of open source! Some just don't get it. Money is never enough.
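To make the "score as you type, advise immediately" idea concrete, here is an added example of my own; it is not the Password Meter project's code and not the portal module the post describes, and it does not reproduce Password Meter's actual scoring rules. In the spirit of the article the CIO circulated, it weights length over character-class complexity. The thresholds, the common-password list, the leet-substitution table and the sequence patterns are all constructed for the illustration.

```python
# Added example (not the Password Meter project's code, nor the portal module
# described in the post): an illustrative scorer in the spirit of the post,
# weighting length over character-class complexity and returning advice as
# the user types. Thresholds, the common-password list, the leet table and
# the sequence patterns are constructed for this illustration.
import math
import re

# Constructed stand-in for a breached/common-password list. A real portal would
# check a far larger corpus, and do so without sending the password in the clear.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Undo the most common "leet" substitutions so "P@ssw0rd" still matches "password".
LEET_TABLE = str.maketrans("@0431$!", "aoaeisi")

# Constructed list of keyboard and counting runs that add little real strength.
SEQUENCE_RE = re.compile(r"012|123|234|345|456|567|678|789|abc|bcd|cde|def|qwe|wer|ert|asd|sdf")


def estimated_entropy_bits(pw: str) -> float:
    """Rough strength estimate: log2(character pool) x effective length.

    Repeated runs ("aaaa") are collapsed to one character first, so padding
    with the same key does not buy extra credit.
    """
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space
    if pool == 0:
        return 0.0
    effective_len = len(re.sub(r"(.)\1+", r"\1", pw))
    return effective_len * math.log2(pool)


def score_password(pw: str) -> dict:
    """Return a 0-4 score, the entropy estimate and immediate advice."""
    normalized = pw.lower()
    if normalized in COMMON_PASSWORDS or normalized.translate(LEET_TABLE) in COMMON_PASSWORDS:
        return {"score": 0, "bits": 0.0,
                "advice": ["This password is on a common-password list; choose a different one."]}

    bits = estimated_entropy_bits(pw)
    advice = []
    if len(pw) < 12:
        advice.append("Length matters most: aim for 12+ characters, e.g. a passphrase of several words.")
    if re.search(r"(.)\1{2,}", pw):
        advice.append("Avoid repeating the same character three or more times.")
    if SEQUENCE_RE.search(normalized):
        advice.append("Avoid keyboard or counting sequences.")

    # Constructed thresholds: one point per 20 bits, capped at 4, and anything
    # under 8 characters never scores above 1 regardless of character mix.
    score = min(4, int(bits // 20))
    if len(pw) < 8:
        score = min(score, 1)
    return {"score": score, "bits": round(bits, 1), "advice": advice}


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(candidate, score_password(candidate))
```

The point the scorer makes is the CIO's: a short password stuffed with symbols ("Tr0ub4dor&3") lands below a plain lowercase passphrase, and a dictionary word with leet substitutions scores zero no matter how "complex" it looks. In a browser this function would run on every keystroke and the advice list would drive the hints shown next to the field.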


Friday, April 13, 2018

One Identity Manager - Access Request History

Having implemented numerous IDM projects and seen multiple IDM products, I can say all of them provide an Access Request History view in a table format.

Besides the default table format, One Identity Manager provides a timeline view.

Important feature? No. Wow feature? Yes, indeed. I like it a lot personally.

Thursday, April 12, 2018

Tyk API Designer

I was playing around with the Tyk API Designer the other day and noticed there are two ways to edit an API: the API Designer or the Raw API Definition.

[Screenshot: API Designer view]

[Screenshot: Raw API Definition view]

I'm not sure which camp you belong to. I have team members in both camps. The juniors definitely prefer the API Designer view, while the seniors go for the Raw API Definition view.

When we go to customers' sites, it's quite obvious: customers prefer the API Designer view, while my team will most likely configure using the Raw API Definition view, especially when there are a lot of APIs to configure.

That's cool!