The Cloud Foundry blog recently posted about how we combined OAuth2, OpenID Connect, and SCIM in the User Account and Authentication (UAA) service. The UAA and those three protocols are now woven into the Cloud Foundry platform on many levels:
single sign-on for developers with platform support sites
delegated authorization to partner applications and services
support for separation of duties for service to service access between platform components.
The UAA also allows us to seamlessly support external authentication services such as SAML, OpenID 2, and, yes, even LDAP.
I’m pretty happy with how the harmonization turned out. Each protocol contributes specific, essential capabilities with very little overlap. The usefulness of the whole is greater than the sum of the parts. As we move forward, there are some areas of concern:
OAuth2, OpenID Connect, and SCIM have similar schema, but there are a few odd quirks which require translation. Compare SCIM userName with OIDC preferred_username, or SCIM name.givenName and name.familyName with OIDC given_name and family_name. PhoneNumbers and emails have similar issues. It’s not just the minor variation in attribute naming styles — a little camelCase to snake_case translation code could handle that. The issue is that OIDC attribute names are case-sensitive with single values, whereas SCIM attribute names are case-insensitive and can be multi-valued with sub-attributes.
SoClose and yet_so_far.
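The translation problem described above, as an added example that is not the UAA's own code: a SCIM user resource (constructed, with deliberately mixed-case attribute names) is mapped to the single-valued, snake_case OIDC userinfo claims and back. The attribute pairs are the standard SCIM and OIDC names; the lookup helper matches SCIM paths case-insensitively and collapses multi-valued attributes to their primary entry, while the reverse direction consults only the exact case-sensitive OIDC claim names.

```python
"""Added example: translating a SCIM user resource to and from OIDC userinfo
claims. Not UAA's code; the sample user below is constructed."""
from typing import Any, Optional

# Constructed SCIM 1.x user. Attribute names are deliberately in mixed case:
# SCIM treats them case-insensitively, so a consumer must not rely on casing.
SCIM_USER: dict = {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "USERNAME": "bjensen",
    "Name": {"givenname": "Barbara", "FamilyName": "Jensen"},
    "emails": [
        {"value": "bjensen@example.com", "type": "work", "primary": True},
        {"value": "babs@example.com", "type": "home"},
    ],
    "phoneNumbers": [{"value": "555-555-5555", "type": "work"}],
}

# (SCIM attribute path, OIDC claim). The camelCase/snake_case difference is the
# easy part; the hard part is that the left side may be multi-valued with
# sub-attributes while the right side is one case-sensitive, single-valued claim.
ATTRIBUTE_MAP = [
    ("userName", "preferred_username"),
    ("name.givenName", "given_name"),
    ("name.familyName", "family_name"),
    ("emails", "email"),
    ("phoneNumbers", "phone_number"),
]


def scim_get(resource: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted SCIM path ('name.givenName'), matching each component
    case-insensitively as SCIM requires."""
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict):
            return default
        hits = [v for k, v in node.items() if k.lower() == part.lower()]
        if not hits:
            return default
        node = hits[0]
    return node


def scim_primary(values: list) -> Optional[str]:
    """Collapse a SCIM multi-valued attribute to one value: the entry flagged
    primary, otherwise the first one."""
    for entry in values:
        if isinstance(entry, dict) and entry.get("primary"):
            return entry.get("value")
    if not values:
        return None
    first = values[0]
    return first.get("value") if isinstance(first, dict) else first


def scim_to_oidc(scim_user: dict) -> dict:
    """Build the single-valued, snake_case claim set an OIDC userinfo
    endpoint would return for this SCIM user."""
    claims = {}
    for scim_path, claim in ATTRIBUTE_MAP:
        value = scim_get(scim_user, scim_path)
        if isinstance(value, list):
            value = scim_primary(value)
        if value is not None:
            claims[claim] = value
    return claims


def oidc_to_scim(claims: dict) -> dict:
    """Reverse direction. OIDC claim names are case-sensitive, so only the
    exact snake_case names are consulted; the output uses SCIM's canonical
    casing and wraps single values into one-element multi-valued attributes."""
    user: dict = {"schemas": ["urn:scim:schemas:core:1.0"]}
    if "preferred_username" in claims:
        user["userName"] = claims["preferred_username"]
    name = {}
    if "given_name" in claims:
        name["givenName"] = claims["given_name"]
    if "family_name" in claims:
        name["familyName"] = claims["family_name"]
    if name:
        user["name"] = name
    if "email" in claims:
        user["emails"] = [{"value": claims["email"], "primary": True}]
    if "phone_number" in claims:
        user["phoneNumbers"] = [{"value": claims["phone_number"], "primary": True}]
    return user


if __name__ == "__main__":
    claims = scim_to_oidc(SCIM_USER)
    print(claims)
    print(oidc_to_scim(claims))
```

The round trip loses the non-primary home email and the email type, which is the point: the OIDC side has nowhere to put them, so a service that fronts SCIM with OIDC must decide which value wins before the claim is issued.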
Each protocol currently provides fairly focused functionality and there is very little overlap. However, standard protocols tend to grow and expand in scope. One way that a working group can accept a current revision is by getting some members to agree to postponing features until a future revision — which implies that there will be expansion. For OAuth2 and OIDC some of the natural areas for expansion are management of client registrations and access to user information in non-interactive scenarios. The working groups have discussed adding both capabilities. Both are areas that we implemented with the SCIM base specification or a SCIM extension. It would be very nice from an implementation standpoint for these protocols to remain complementary rather than expanding until they overlap.
Managing how well identity protocols play together is not exciting stuff, but it needs to be done.
We spend so much time trying to reduce the need for passwords that it’s easy to overlook that password management itself can be improved. Some months ago the Cloud Foundry identity team restructured our approach to password policy. The new approach is inspired by the famous xkcd cartoon which uses “correcthorsebatterystaple”. We don’t require specific punctuation, case or length. No stupid rules. We dynamically check the password as you type and update a password strength score using an algorithm and open source project also inspired by the xkcd comic. The dynamic feedback is quite intuitive. I’ve quickly learned what makes a strong password — and it’s not an underscore or using a number that looks like a letter. My password lengths have greatly increased but they are much easier to remember. Sometimes small steps are good.
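To make the contrast concrete, here is an added example (not the UAA's scorer and not the open source project the post refers to) that puts a classic composition-rule check beside a guess-estimation scorer. The word list, leet-substitution table, assumed dictionary size and score thresholds are all constructed stand-ins. The scorer splits a password into the fewest dictionary words or loose characters and prices each piece by how many guesses an attacker would need, which is why a leet-speak variant of a dictionary word scores low while four plain words score high.

```python
"""Added example: composition rules versus guess estimation for password
strength. The word list, leet table and thresholds are constructed."""
import math
from typing import List, Tuple

# Constructed toy word list standing in for a real dictionary.
WORDS = {"correct", "horse", "battery", "staple", "password", "secret",
         "welcome", "admin", "summer", "dragon", "monkey"}
DICT_SIZE = 20_000  # assumed size of the real list the toy stands in for

# Letter-for-symbol substitutions an attacker tries first ("a number that
# looks like a letter").
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "!": "i"})

Token = Tuple[str, str, int]  # (kind, original text, leet substitutions used)


def composition_rules_ok(password: str) -> bool:
    """The classic rule set: 8+ characters with upper, lower, digit and symbol."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def segment(password: str) -> List[Token]:
    """Split the password into the fewest tokens, each a dictionary word
    (possibly leet-obscured) or a single loose character. Dynamic programming
    from the end of the string back to the start."""
    n = len(password)
    low = password.lower()
    norm = low.translate(LEET)
    best: List[Tuple[int, List[Token]]] = [(0, [])] * (n + 1)
    for i in range(n - 1, -1, -1):
        count, toks = best[i + 1]
        best[i] = (count + 1, [("char", password[i], 0)] + toks)
        for j in range(i + 3, n + 1):  # words of three or more letters
            if low[i:j] in WORDS:
                subs = 0
            elif norm[i:j] in WORDS:
                subs = sum(1 for a, b in zip(low[i:j], norm[i:j]) if a != b)
            else:
                continue
            count, toks = best[j]
            if count + 1 < best[i][0]:
                best[i] = (count + 1, [("word", password[i:j], subs)] + toks)
    return best[0][1]


def _charset(c: str) -> int:
    """Size of the character class a loose character is drawn from."""
    if c.isdigit():
        return 10
    if c.isalpha():
        return 26
    return 33


def guess_bits(password: str) -> float:
    """log2 of the estimated guesses: a dictionary word costs DICT_SIZE, times
    2 per capital or leet character (the variants an attacker also tries);
    a loose character costs its character-class size."""
    guesses = 1.0
    for kind, text, subs in segment(password):
        if kind == "word":
            caps = sum(1 for c in text if c.isupper())
            guesses *= DICT_SIZE * 2 ** (subs + caps)
        else:
            guesses *= _charset(text)
    return math.log2(guesses)


def strength(password: str) -> str:
    """Bucket the estimate for on-screen feedback; thresholds are assumed."""
    bits = guess_bits(password)
    if bits < 28:
        return "weak"
    if bits < 40:
        return "fair"
    if bits < 56:
        return "good"
    return "strong"


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "correcthorsebatterystaple"):
        print(f"{pw!r}: rules_ok={composition_rules_ok(pw)} "
              f"bits={guess_bits(pw):.1f} {strength(pw)}")
```

"P@ssw0rd1" satisfies every composition rule yet comes out at about 20 bits (one dictionary word, two substitutions, one capital, one digit), while "correcthorsebatterystaple" fails the rules and comes out at about 57 bits. The per-character class estimate for passwords with no dictionary words is deliberately conservative; a production scorer also matches dates, keyboard walks and repeats.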
I was reminded of all this by a recent blog post by Sid Sidner. My favorite link (though they are all good) is this one:
Please do yourself a favor and watch it. It’s my new favorite to show anyone who asks what I do for a living. I tell them that I’m trying to eliminate the stuff this video is talking about. We all hate it so much we can (so far) only laugh about it.
Turtles all the way down
Photo of turtles on the VMware campus courtesy of a recruiter extraordinaire.
Most of us on the Cloud Foundry identity team have been working together for just over a year. We work with a rather interesting group that leads the larger open source community that builds Cloud Foundry.
On the identity team we’ve been working to evolve Cloud Foundry’s user authentication and authorization system into a full suite of identity services — open source and built on open standards. We’ve built some cool stuff. We are now starting to publicize what we’ve built and more actively engage with the community. Our team consists of veteran Spring Security leaders Dave Syer (@david_syer) and Luke Taylor in the UK, with Joel D’sa, Vidya Valmikinathan and me in Palo Alto.
Dave started us off with 3 solid blog posts for the cloudfoundry.org blog explaining our use of OAuth2 here, here, and here. He is speaking at SpringOne this week about OAuth2 as well.
Also in the blog queue, Luke has a post that discusses our password management strategy and I have one that discusses how we integrate OAuth2, SCIM, & OpenID Connect into Cloud Foundry itself. Joel recently gave a presentation to the VMware Cloud Foundry engineers about our User Account and Authentication (UAA) service.
Joel, Vidya and I will be attending IIW next week. I suspect that Joel will propose a session there to discuss Cloud Foundry identity services, what we’ve built, and what we’ve learned from operational experience. We’ll be there to work with the identity community as we plan our next steps.
I’ll link to the blog posts and presentations here when they are published.
It’s great fun to finally be able to have this system in a position we can make some noise about it, and we all are. It’s turtles all the way down.
Wow. I would have thought that after the years of publicity describing the evils of the password anti-pattern, it would not be seen in any current web site that is serious about security. Today, I tried to link an etrade account to a checking account at another institution. Here is part of the screen I got:
I wasn’t sure what it meant by “online login information”. I thought that perhaps they wanted me to reenter my etrade credentials for extra security at this step, but it seemed odd that they would do that in a box that says “powered by yodlee”. I wouldn’t want to give my etrade password to yodlee. So I checked the help bubble and got this:
“Please enter the login information for the bank your external account is at”.
So I looked at the “Instant Verification User Agreement”. Here is the fourth paragraph (with emphasis added by me):
THIRD PARTY ACCOUNTS. By using the service, you authorize E*TRADE Bank and/or E*TRADE Securities and Yodlee to access third party sites designated by you, on your behalf, to retrieve information requested by you. For all purposes hereof, you hereby grant E*TRADE Bank and/or E*TRADE Securities and Yodlee a limited power of attorney, and you hereby appoint E*TRADE Bank and/or E*TRADE Securities and Yodlee as your true and lawful attorney-in-fact and agent, with full power of substitution and resubstitution, for you and in your name, place and stead, in any and all capacities, to access third party internet sites, servers or documents, retrieve information, and use your information, all as described above, with the full power and authority to do and perform each and every act and thing requisite and necessary to be done in connection with such activities, as fully to all intents and purposes as you might or could do in person. YOU ACKNOWLEDGE AND AGREE THAT WHEN E*TRADE BANK AND/OR E*TRADE SECURITIES OR YODLEE ACCESSES AND RETRIEVES INFORMATION FROM THIRD PARTY SITES, E*TRADE BANK AND/OR E*TRADE SECURITIES AND YODLEE ARE ACTING AS YOUR AGENT, AND NOT THE AGENT OR ON BEHALF OF THE THIRD PARTY. You agree that third party account providers shall be entitled to rely on the foregoing authorization, agency and power of attorney granted by you. You understand and agree that the service is not endorsed or sponsored by any third party account providers accessible through the service.
They want me to give them the keys to my bank account and agree to let them act as me to any internet site, for any reason, and in the same agreement they say this (emphasis is mine):
E*TRADE BANK AND/OR E*TRADE SECURITIES AND YODLEE MAKE NO WARRANTY THAT (i) THE SERVICE WILL MEET YOUR REQUIREMENTS, (ii) THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE SERVICE WILL BE ACCURATE OR RELIABLE, (iv) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL PURCHASED OR OBTAINED BY YOU THROUGH THE SERVICE WILL MEET YOUR EXPECTATIONS, OR (V) ANY ERRORS IN THE TECHNOLOGY WILL BE CORRECTED.
Seems to me they want me to trust them with my finances more than they trust their own technology.
I declined to use the service.
About 18 months ago, Julie and I left family and friends and our long-time residence in Utah and moved to California. It’s been a wild ride. We’re enjoying it now, but initially it was quite a shock. Here are some of the changes:
Utah: circle the wagons and defend turf from intruders (and management)
California: aggressive and competitive internally and externally, very open to alliances with other groups
hallway banter
Utah: child raising techniques, church activities, the impending doom of the company
California: programming languages, startups, new tech, cycling, public transportation, wineries, kids, live music venues, vacation destinations, weekend festivals, sailing
politics
Utah: Republican (Utah, duh)
California: Democrat (bay area, duh)
climate
Utah: very cold in winter, very hot in the summer
California: mild all the time with some spectacular days, but mostly feels somewhat cold
yard intruders
Utah: deer, mice
California: raccoons (up to 6 at a time), rats
picnic supplies
Utah: must be planned: wine purchased at rare state stores with limited hours, food must be purchased somewhere else
Overall, change can be a very good thing. And we’re enjoying the adventures and cycling a lot. Now back to work.
NCSS Demo at Cloud Connect
Both of my regular readers have pointed out to me that my abysmally low blog posting frequency has recently sagged. That has been somewhat due to the state of my current project, Novell Cloud Security Services (NCSS). NCSS was released last August, and since then we have been working with current and prospective customers to make sure it’s what they need, and to enhance it as usage of the cloud evolves. That has meant a lot of travel and meetings for me — much of which I can’t blog about. However, sometimes I am involved in events that allow said loyal readers to see what I do. One such event was last week.
Last week I attended the Cloud Connect conference in Santa Clara. As I arrived at the conference about an hour late, I got a message from my colleague Gary Ardito that a camera crew was there waiting to record an interview with me and a demo of NCSS. I assumed he was kidding. He wasn’t.
They were from InformationWeek. The interviewer was Fritz Nelson, with David Berlind and a quietly competent camera guy. As Fritz mentions in the interview, we did have a great time reminiscing about Novell history as I scrambled to set up for the demo. I didn’t get completely set up and there were some errors in the demo. It was a crowded space behind the counter and Fritz kept moving in and I kept moving away. At one point he stepped on my microphone cord and I couldn’t back up any more.
Nevertheless, these guys did a great job with the interview and editing the video. They only had one take on a very noisy, crowded show floor. They were quite kind to me and cut out a spot where I inadvertently showed the demo password screen, and glossed over one part where I couldn’t get the demo to work. The screen zooms they added are really good to show the context of various features. I didn’t know about Fritz’s closing comment about running NLMs at ring 0 until I saw the video. Right on. Writing NDS as an NLM on NetWare, man, that was real code.
My Daughter Appears in an Arrington Post on TechCrunch
I have referred to my children numerous times in this blog. For some reason, their adventures are often rather technology focused – but this post is not about technology. It’s about the sheer techie coolness of my daughter being seen in a post on TechCrunch.
My oldest son recently started working for a new company called Instructure. I’m not sure I agree with a company strategy that defines itself by its competition, but they have certainly made a splash by announcing that they are specifically attempting to dislodge Blackboard as the leader in learning management software. They’ve taken some interesting approaches to grab attention and market share such as releasing the core product as open source. There are a number of solid strategic reasons to do that – but (again) this post is not about technology.
Instructure’s recent emergence in the market, their intriguing strategic moves, and some significant early adopter accounts have brought them to the attention of some big name tech news outlets, with recent articles by Arrington on TechCrunch and Herb Greenberg on CNBC.
To highlight their “change is good” perspective, they created a video reminiscent of the old Apple superbowl ad. Apparently, my son talked my daughter into helping out with the video. My daughter is one of the students walking down the tunnel in the first part of the video and can be seen in the audience. I’m glad she didn’t handle the flame thrower.
The video is shown in the TechCrunch article. My daughter on Techcrunch. Woot! How COOL IS THAT!
I declare success as a techie father – for this week anyway.
Issues with Multi-tenant Cloud Services and Corporate Identity Providers
Recently I have been trying, yet again, to understand social networking and its tools. I figure that, if people like Ben Goodman and Paul Madsen find that stuff useful, there must be some value there that I just haven’t found yet. In my current efforts, I came across this tweet. It points to my submission last month of a set of use cases that I’d like to see considered by the OASIS Identity Cloud Technical Committee. The use cases are some that we have encountered while developing and deploying Novell’s Cloud Security Service.
Not only did I think Anil’s tweet showed a positive use for twitter – I’d like to see more quick updates when standards documents are submitted or updated – but it also served as a reminder that I needed to update the use cases after I got some feedback from the committee. Which I have now done. I may even tweet about it.
Anil’s tweet also made me think to write this blog post. I submitted the use cases as input to the Identity Cloud Technical Committee in hopes that we can agree on some standard solutions. However, it’s only the beginning of the process and I’d appreciate your advice and input, so I’m going to post portions of the use cases here and ask for your input. These use cases describe problems we have seen in the interaction of enterprise federated identity systems with cloud services. We are not trying to solve the problems each use case describes (yet), we are seeking clear descriptions of the problems.
Do you see these as issues that need to be addressed in standard ways so that enterprises can securely use cloud services?
Use case 1
Description/User Story
Multi-tenant service providers, whether they are SaaS, PaaS, or IaaS vendors, benefit from quick and easy addition of new customers – anyone with a credit card can add themselves on demand. However, to benefit from federated authentication, SSO, and other mechanisms that can improve security for their users they need to configure how their users can authenticate to the system, where and what kind of IdP they use, exchange meta-data, etc. Currently this is commonly done by the administrator via web forms that are unique to each service. As adoption of cloud services increases, this will become a significant management burden.
Goal or Desired Outcome
A tenant can quickly and securely manage their use of many cloud services using automated tools rather than navigating and manually configuring each service individually.
Process Flow
A departmental manager in an enterprise (a tenant administrator) wants to configure all of the SaaS applications in use by that department to authenticate users via the enterprise IdP.
The tool contacts the IdP and each SaaS application and uses standard protocols to communicate the configuration.
Use case 2
Description/User Story
Enterprises are outsourcing more of their applications and management of their IT infrastructure – including their identity provider services – to managed service providers or identity-as-a-service vendors. This results in a situation where the enterprise administrator who owns the business relationship with the service provider (the tenant administrator) does not manage the identity provider service. The identity provider service is controlled and managed by another company (the IdP administrator). This becomes a significant management burden when the tenant administrator needs to manage the identity services configuration (such as the exchange of metadata) between the identity provider and many cloud services.
A tenant administrator pulls out a credit card and signs up for a new cloud service for her users. Her identity services are provided by a third party – an identity as a service provider.
She notifies the identity provider that she wants her users to have access to the new services.
The identity provider can exchange whatever configuration and meta-data is required with each new service on behalf of the tenant administrator without authenticating to each service as her.
Use case 3
Description/User Story
NOTE: this is a rough idea of a use case. It’s a situation we have seen many times, but there may not be a discrete set of viable solutions. Perhaps guidance is the best possible outcome.
When a user accesses a multi-tenant cloud service, the service needs to be able to associate the user with a tenant account. This may or may not be the same as associating the user with an IdP – there are many efforts to try to solve that issue as well and this use case may in fact be a variant of it.
Currently applications handle this issue in a variety of ways. For example, each tenant may essentially get their own application service instance by embedding the tenant identifier in the domain name or path of the URI. Some applications pass it in as a parameter and some store it in a cookie.
This multitude of application variations further aggravates the problem of identity provider association, and makes it much more difficult to provide consistent federated identity services to multi-tenant systems.
A sample scenario:
A manager in the sales department of AcmeWidgets wants her team to have access to a new SaaS application, WidgetTracker. She opens a new account with her department credit card. She wants her team to use their corporate user accounts for authentication – so they are provisioned, deprovisioned, and application access can be audited by the IT department. However, she’s paying for the application from her departmental budget, so she only wants her team members to be able to use the service on her account. A manager in the design department has a similar need to sign up her team members for an account in WidgetTracker.
The problem is that tenant boundaries for cloud services are based on the pay-per-use model which often corresponds with departmental cost centers. In contrast, the corporate user accounts – the IdP – are usually built on corporate boundaries.
It has been suggested that this problem could be overcome by using attributes in the corporate directory to distinguish between departmental tenants. However, the explosive growth of SaaS applications is attributed in part to the low-friction, instantaneous addition of new tenants. Asking each department to submit a work order to the IT department for configuration changes in the corporate directory before they can access a new SaaS application would defeat this key characteristic.
Goal or Desired Outcome
That clear guidance be available from a respected authority (e.g. OASIS) to help cloud service providers provide multi-tenant capabilities in ways that can be more effectively integrated with federated identity services.
Process Flow
For developers:
Read OASIS document
Save time and produce a better cloud service by structuring their application to associate users with tenant accounts in accordance with the document.
Profit!
For users and administrators:
Start to see consistency in service access
more easily consume more services with fewer errors
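The tenant-association problem in the AcmeWidgets scenario, as an added example (not WidgetTracker's, NCSS's or any real product's code; service names, URLs and user names are constructed): the service resolves the tenant from the request using each of the conventions listed above (subdomain, path, query parameter, cookie), then checks the federated assertion against that tenant. The corporate IdP vouches for who the user is; which departmental tenant they may use is a separate mapping the service has to keep itself, which is exactly why a sales-team member is authenticated by the same IdP yet refused on the design department's account.

```python
"""Added example: multi-tenant SaaS resolving the tenant from the request and
checking the federated user against that tenant's membership. Constructed
names and URLs throughout."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

BASE_DOMAIN = "widgettracker.example"  # constructed SaaS domain


@dataclass
class Tenant:
    tenant_id: str
    billing_owner: str          # the departmental manager who signed up
    idp_issuer: str             # the corporate IdP this tenant trusts
    members: Set[str] = field(default_factory=set)  # subjects the owner admitted


@dataclass
class Assertion:
    """What a federated login (SAML or OIDC) tells the service provider: who
    vouched (issuer) and for whom (subject). Nothing here names a tenant."""
    issuer: str
    subject: str


def resolve_tenant(url: str, cookies: Optional[Dict[str, str]] = None) -> Optional[str]:
    """The conventions the use case lists: tenant in the subdomain, in the
    path, as a query parameter, or in a cookie (checked in that order)."""
    parts = urlparse(url)
    host = parts.hostname or ""
    suffix = "." + BASE_DOMAIN
    if host.endswith(suffix):
        return host[: -len(suffix)]
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) >= 2 and segments[0] == "t":
        return segments[1]
    query = parse_qs(parts.query)
    if "tenant" in query:
        return query["tenant"][0]
    if cookies and "tenant" in cookies:
        return cookies["tenant"]
    return None


class WidgetTracker:
    def __init__(self) -> None:
        self.tenants: Dict[str, Tenant] = {}

    def signup(self, tenant_id: str, owner: str, idp_issuer: str) -> Tenant:
        """Credit-card signup: a new tenant trusting one IdP, owner as first member."""
        tenant = Tenant(tenant_id, owner, idp_issuer, {owner})
        self.tenants[tenant_id] = tenant
        return tenant

    def authorize(self, url: str, assertion: Assertion,
                  cookies: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
        """Authentication is delegated to the IdP; tenant association is the
        service's own job and is decided per account, not per corporation."""
        tid = resolve_tenant(url, cookies)
        tenant = self.tenants.get(tid or "")
        if tenant is None:
            return False, "no tenant associated with this request"
        if assertion.issuer != tenant.idp_issuer:
            return False, "assertion from an IdP this tenant does not trust"
        if assertion.subject not in tenant.members:
            return False, "authenticated by the corporate IdP but not a member of this tenant"
        return True, tenant.tenant_id


def demo_scenario() -> WidgetTracker:
    """The AcmeWidgets scenario: two departmental tenants, one corporate IdP."""
    svc = WidgetTracker()
    acme_idp = "https://idp.acmewidgets.example"  # constructed issuer
    sales = svc.signup("acme-sales", "alice@acmewidgets.example", acme_idp)
    sales.members.add("bob@acmewidgets.example")
    svc.signup("acme-design", "carol@acmewidgets.example", acme_idp)
    return svc


if __name__ == "__main__":
    svc = demo_scenario()
    bob = Assertion("https://idp.acmewidgets.example", "bob@acmewidgets.example")
    print(svc.authorize("https://acme-sales.widgettracker.example/boards", bob))
    print(svc.authorize("https://acme-design.widgettracker.example/boards", bob))
```

The membership set is the piece the corporate directory does not carry: it is created by the manager's sign-up, not by an IT work order, which is the low-friction property the use case wants to preserve. The guidance the use case asks for would standardize where that mapping lives and how the tenant is carried in the request, so a federation layer can do this check the same way for every service.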
A few weeks ago I had a great conversation with Matt Grant over at the Trusted Cloud Initiative. It was a lively conversation and Matt did a great job of turning it into a blog post. I’m not sure if I ever stated the main point of our conversation as succinctly as Matt captured it in the title, but he nailed it: “Hosters Need to Think about Identity as a Platform Play”.
You see, people can move an application from one host to another without much trouble. The hosters want to be able to hold on to relationships with specific SaaS customers and the idea of identity services is one of the stickiest things possible. Why? Because where people have their user accounts is a very sticky thing.
The point I’d like to clarify is that, while user accounts are certainly sticky, convincing enterprise customers to move the control of their identity management systems into the cloud would be very difficult – and it’s unnecessary for hosters to get the sticky benefits. They can provide essential identity services such as secure authentication from enterprise accounts, and federated authentication, authorization and audit services to their application marketplace — all without physically holding the user accounts.
Such identity services are a key part of a platform on which application marketplaces can be built. They are a key part of any platform offered by hosters who want to build a SaaS marketplace.
In a typically fascinating post, Eric Norlin commented today on another application marketplace trend – in the enterprise. He was summarizing trends from the last Defrag Conference and the third trend is:
The Rise of the App Marketplace: This was one of the forward-looking things that really hit me, but may have slipped under the radar a bit. The meme of the app marketplace is coming to the enterprise. Installing collaborative, emergent environments is not enough. What we’re really driving toward is an opening up of the enterprise data layer — exposing APIs, if you will — and driving toward a world where the employee (or partner or customer) is not only consuming IT applications, but BUILDING them. The IT “app marketplace” is coming. Bank on it.
To support any such marketplace there must be a platform, whether it is in an enterprise or in the cloud, and a key part of that platform is identity services.
I’ve had many conversations with Dave Kearns over the years in hallways, a few beer halls, and conference panel discussions at events like the Internet Identity Workshop and the European Identity Conference. The conversations have been lively and often pushed my thinking in new directions. We’ve followed a similar path from the directory services of the 90s to Internet identity systems, and now on to cloud computing as it accelerates the adoption of identity services and the identity provider model.
In a recent newsletter Dave riffs on my presentation at the European Identity Conference and then concludes with this paragraph:
“The cloud is a reality. Cloud-based computing is a reality. Platform-as-a-service, application-as-a-service and, yes, identity-as-a-service will soon be as pervasive as client-server computing became in the last century. This will mean fundamental changes in the ways we think about identity and security. Get on that train, or be left at the station.”
Dave, well said.
And the journey continues.
About me
I've done a variety of things in my career, but always seem to return to issues of identity and technology. Most of what's written here will be about such things. I work for VMware, but this is my personal blog. The views expressed on here are mine alone and do not necessarily represent the position of my employer.