Microsoft’s research paper focuses on the single sign-on protocols Facebook Connect, OpenID and Google ID. These are all social single sign-on systems whose primary objective is to provide convenience to the user rather than very strong security. As an example, when Facebook Connect was first announced, it was positioned as an easy way for third party sites to tap into Facebook’s social graph. Once you are signed into Facebook, sites like Yelp can use your active Facebook session to extract your name and photo as well as make it easy to post your own reviews on your Facebook wall.

Social single sign-on solves a different problem than enterprise single sign-on, which is designed with security as the number one priority. Security Assertion Markup Language (SAML) is the standards-based enterprise single sign-on protocol used by leading SaaS applications like Google Apps, Salesforce and WebEx. SAML’s security uses digital signatures to ensure message integrity and authentication. OneLogin’s SAML implementation uses 2,048-bit keys, which are considered to be impossible to break with the processing power available today and well into the future.

It can be hard for most people to grasp just how strong a 2,048 bit key is, so here is a video that visualizes how long it would take to crack a 2,048 bit key using a modern desktop computer.

    http://www.digicert.com/TimeTravel

If you want to understand the math behind the video, check out the details here.

    http://www.digicert.com/TimeTravel/math.htm

The math itself behind SAML is very strong and when vulnerabilities in enterprise single sign-on are found, they are related to a vendor’s implementation of the protocol and how it is integrated with the rest of their service. For example, a vendor may allow users to sign in with a password even when SAML is turned on, which could be viewed as way of circumventing multi-factor the authentication enforced by the identity provider.

This year we are exhibiting at the RSA Conference at Moscone Center in San Francisco. We're very excited to show you all the new stuff we have been working on lately, such as our support for a broad range of strong authentication vendors, user provisioning and Active Directory and Workday integration.

OneLogin is a Certified SecurID Partner and your existing SecurID infrastructure plugs right into OneLogin, which means you can easily enforce strong authentication for Box, Google Apps, Salesforce and other cloud applications. Stop by our booth and see how we do it.

We also have something very exciting to announce at the show. Stop by booth 665 for a demo of OneLogin.

Come meet us at Salesforce.com's Cloudforce Tour 2011 in New York this week. You can find us in the Cloudforce Expo on Tuesday — we'd love to show you how you can leverage OneLogin for Salesforce.com to increase utilization and streamline provisioning.

OneLogin already helps hundreds of enterprises protect their sensitive data in the cloud by eliminating passwords, enforcing multi-factor authentication, integrating corporate directories and automating user provisioning and deprovisioning.

Stop by the Cloud Expo and we'll show you how this works for Salesforce.

OneLogin is a Gold Sponsor of Workday's annual user conference in Las Vegas, October 24-27. We welcome all Workday customers and prospects to stop by our booth and see how OneLogin connects Workday with Active Directory and all your other cloud applications.

As employee records are managed by the Human Resource department, Workday will have the most accurate account of who is currently employed with the company. OneLogin can use Workday as user store and receive a live feed of updates, which can be applied against Active Directory and cloud applications like Salesforce, Google Apps, WebEx and Yammer. OneLogin's real-time user provisioning and deprovisioning ensure that employees have instant access to applications when they join the organization and are disconnected immediately when they leave.

If you want to see a live demo, stop by our booth or set up an appointment at sales@onelogin.com. We look forward to seeing you at Workday Rising 2011.

Come meet us at Dreamforce in San Francisco this week. You can find us at booth #35 from Tuesday to Friday where we would love to show you some of the cool stuff we have been working on the past year.

OneLogin already helps hundreds of enterprises protect their sensitive data in the cloud by eliminating passwords, enforcing multi-factor authentication, integrating corporate directories and automating user provisioning and deprovisioning.

Stop by booth #35 and we'll show you how this works for Salesforce.

The other night I received an email from PayPal that made all my alarms go off. Everything about the email made me think it was a phishing attack. The common wisdom is that when a site you normally trust sends you an email prompting you to log in to "verify" something, you should be cautious. Can you spot anything suspicious in the email below?

Try hovering your mouse over the image and it will reveal the URL that the "View mobile" link points to paypal-communication.com. Now, this domain looks like it belongs to PayPal, but anyone can register a domain with paypal in the name and this is a common trick used by attackers to make the recipient believe the email is legitimate.

All the links in the email point to paypal.com we trust, except for the two topmost links that point to paypal-communication.com that we're in doubt about. Fortunately, both sites use SSL so let's take a look at their respective SSL certificates. Both are Class 3 certificates issued by VeriSign.

Based on the certificates, it appears we that should be able to trust paypal-communication.com, but you can't expect the average user to perform this type of investigation and draw the right conclusion. It is strange that PayPal chose to introduce a new domain in their email outreach, especially considering that they their customer base is a regular target for phishing attacks. This just shows that you have to be very aware whenever you enter your credentials online.

Enterprises should be equally worried and we have recently seen several examples of spear-phishing attacks where specific organizations or individuals are being targeted. Solutions like OneLogin can drastically reduce the number of passwords in your organization and thereby minimize the risk of being employees phished.

OneLogin has completed its SAML integration with the Big Three in Content Management Software. Earlier this year we published plugins for WordPress and Joomla, and with today's release of our SAML Module for Drupal, we're able to provide single sign-on the vast majority of CMS's in the market.

The ability to easily provide employees and contractors access to your blog or CMS can save valuable time, drive usage and also give you better control of who has access. For example, you can use OneLogin's Active Directory Connector to let users sign in with their existing network credentials and enforce strong authentication using one of several options, such as Yubico or Symantec VIP Access.

The Drupal module is compatible with Drupal 7 and can be downloaded from our support forums.

The toolkit is very straightforward to use and can be embedded in your application in matter of hours. In addition to being completely free, the toolkit approach has another significant advantage over licensing a commercial, stand-alone SAML gateway. By embedding the SAML toolkit in your code, it will automatically inherit your own application's high-availability and scalability characteristics and you don't have to worry about dealing with a separate application or server.

OneLogin's SAML toolkits are growing in popularity by the day. Some of the most recent vendors to adopt the toolkit are Blue Mango Learning Systems, ShareFile and Transverse.

SAML is a standards-based single sign-on protocol for web applications. Some of the advantages of SAML are:

• Strengthens security - SAML uses digital signatures to establish trust between application and identity provider, which is more secure than passwords.
• Prevents phishing - SAML eliminates passwords and users don't have a password for an application, they can't be tricked into entering it on a fake login page.
• Simplifies directory integration - Identity providers like OneLogin have strong directory integration capabilities, which the application vendor can leverage indirectly via SAML.
• Drives adoption - When an application is just one click away, it will ultimately drive more usage and hence further anchor the application within the customer's organization.

If you are interested in getting your application SAML-enabled, contact us a bizdev@onelogin.com or check out the SAML toolkits in our support forums. ]]> http://www.onelogin.com/saml-toolkit-for-python/feed 0 http://www.onelogin.com/radius-and-ldap-server-interfaces http://www.onelogin.com/radius-and-ldap-server-interfaces#comments Tue, 12 Jul 2011 23:45:15 +0000 Thomas Pedersen http://www.onelogin.com/?p=2253 Our new LDAP or RADIUS interfaces allow LDAP and RADIUS clients to authenticate users against OneLogin with minimal configuration.

Many applications that don't yet support SAML have to ability to delegate authentication to an LDAP server. But instead of punching multiple holes in your firewall to your internal directory – if you even have one – you can now point that interface to OneLogin instead, which allows users to sign into those applications with their OneLogin credentials.

The same goes for VPN gateways from vendors like Cisco and Juniper, which can authenticate users against a RADIUS server. Instead of deploying your own RADIUS server, you can now point the gateway to OneLogin's RADIUS server interface which you can set up in a matter of minutes. Authenticate users via password of strong authentication factor, such as Yubikey or Symantec VIP Access.

Read more about today's upgrade, which further strengthens OneLogin as the fastest path to identity management in the cloud.

Sterling Knight, a financial services company based in Singapore, is using the innovative authentication key from Yubico and OneLogin’s single sign-on and identity management service. The convenient key generates a One-Time Password (OTP) used by Sterling Knight remote workers to securely access the OneLogin Application Portal, protecting access to its Web applications without compromising ease-of-use.

“With OneLogin and YubiKey, we are able to login securely to our cloud-based applications such as Google Apps and salesforce.com with one password and the simple click of a button,” said Lawrence Adam, Chief Operating Officer of Sterling Knight. “The implementation of the OneLogin/YubiKey solution was so simple that even our least technical employees were trained to use it in about 15 minutes.”

Leading IT market research and advisory firm IDC recently reviewed the joint solution used by Sterling Knight in a Buyer Case Study and found that companies such as OneLogin and Yubico are demonstrating that cloud-based solutions are indeed viable and secure options in today's computing environment.

“For those that are looking to eliminate multiple passwords and strengthen their access controls without putting too much pressure on their budgets and staff should consider these types of solutions from Yubico and OneLogin,” said Sally Hudson, Research Director, Identity and Access Management Products and Services at IDC.

By using the OneLogin/YubiKey solution, Sterling Knight has improved security while meeting compliance requirements and offering the latest technology to protect customer privacy. The cost savings gained by having more employees work remotely has enabled Sterling Knight to expand operations.

About Sterling Knight

Sterling Knight is a licensed insurance broker in Singapore, regulated and licensed by the Monetary Authority in Singapore to transact general and life insurance. Since its inception in 1973, Sterling Knight has worked with clients to protect their businesses and employees through the provision of general insurance and employee benefits consultancy and according to the principles of trust, integrity and speed.

Sterling Knight is a member of the Worldwide Broker Network, a global network of independent insurance brokers with USD2 billion revenue.