Thursday Mar 14, 2013

#MobileIDM Tweet Chat Archive Now Available

Thanks to everyone who participated in last week's Twitter chat on Mobile Identity Management. Whether your organization has already embraced the mobile culture (offering applications on mobile, allowing seamless access to specific resources via mobile or enabling BYOD) or is exploring doing so, mobile security has become top of mind for most security and IT professionals. So, we thank the participants for taking some time to share their thoughts and perspectives on this topic.

During the #MobileIDM chat, the discussion ranged from how far mobile authentication will go and whether it can be adopted as the sole factor in user authentication to whether current industry standards support mobile uptake. Since the conversation invited participation from organizations who have securely enabled mobile or are looking to, as well as industry analysts, thought leaders, implementation experts and other solution providers, we got a good range of best practices and advice on defining, managing and executing security policies that extend to mobile.

Here is the link to the discussion archive if you missed the live event or if the tweets were zipping by too fast on your screen and you’d like to catch the full set.

We must admit, we are hooked on Twitter chats! Both the #MobileIDM chat and the #Authchat discussion that we hosted in January enjoyed participation from Identity Management (IDM) enthusiasts around the world. (And a big shout-out to the APAC participants who couldn't join in during the live event due to the time difference but chimed in the next day.) As a result, the IDM community now has two rich sources of information (and perspectives) to rely on. To focus specifically on privacy, @OracleIDM will host a live Twitter conversation with Dr. Ann Cavoukian, Ontario Commissioner of Information and Privacy and a well-known privacy expert, on Thursday, April 4 at 10 am PDT / 1 pm EDT. If you have questions on privacy you'd like to ask the Commissioner, send them to @OracleIDM using #PrivQA.

And, as always, we look forward to your feedback. If you have topics in mind you'd like the IDM community to weigh in on, send them our way and perhaps we can incorporate them into our tweet chat schedule.

Wednesday Feb 13, 2013

Standards Corner: Is OAuth the End of SAML? Or a New Opportunity?

Author: Phil Hunt

I mentioned in my year in review post that, rather than spell the end of SAML, OAuth2 might in fact greatly expand SAML's adoption. Why is that?

The OAuth2 Working Group is nearing completion on the OAuth2 SAML Bearer draft, which defines how SAML Bearer assertions can be used with OAuth2, essentially replacing less secure user-ids and passwords with more secure federated assertions.

Before I describe how this works, here is some quick terminology:
* Resource Service - A service offering access to resources, some or all of which may be "owned" or "controlled by" users known as "Resource Owners".
* Resource Owner - An end user who is authorizing delegated, scoped access by a Client to resources offered by a Resource Service.
* Client - An application (e.g. mobile app, or web site) that wants to access resources on a Resource Service on behalf of a Resource Owner.
* Authorization Service - A service authorized to issue access tokens to Clients on behalf of a resource server.

While the resource service and the authorization service may be authenticated by means of a TLS domain name certificate, both the client application and the end user often need to be authenticated as well. In "classic" OAuth, you can use simple user-ids and passwords for both. The SAML2 Bearer draft describes how federated SAML assertions can be used instead.

A typical scenario goes much like this.

1. Alice (resource owner) accesses a corporate travel booking application.
2. In order to log into the corporate travel application, Alice is redirected to her employer's Identity Provider to obtain a SAML Authentication Assertion.
3. Once logged in to the corporate travel application, Alice wishes to update her seat preferences with her selected airline. In order to do this, the corporate travel application goes to the authorization server for the airline. The travel application provides two SAML authentication assertions: 1) an assertion representing the identity of the client application, and 2) an assertion representing Alice. The scope requested is "readProfile seat".
4. Upon verifying the SAML assertions and the delegated authority requested, the authorization server issues an access token enabling the corporate travel application to act on behalf of Alice.
5. Upon receiving the access token, the corporate travel app is then able to access the frequent flyer account web resource by passing the token in the header of the HTTP request. The access token acts as a session token that encapsulates the fact that the travel app is acting for Alice with scope "readProfile seat" (read profile and update seat).

This SAML Bearer flow is actually very similar to the classic OAuth 3-leg flow. However, instead of redirecting the user's browser to the authorization server in the first leg, the corporate travel app works with the user's IDP to obtain a delegation (or simple authentication) assertion directly from the IDP. Instead of swapping a code in the second leg, the client app now swaps a SAML Bearer assertion for the user.
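As an added illustration that is not part of Phil's post or of any Oracle product, here is a constructed Python sketch of steps 3 and 4 above: the form body the travel app POSTs to the airline's token endpoint, and the checks the authorization server performs on the bearer assertion (trusted issuer, bearer subject confirmation, expiry, audience) before it issues an access token. The grant-type and client-assertion-type URNs are those defined by the SAML bearer draft; the endpoint and IdP URLs and the subject names are assumptions, and XML signature verification against the IdP's key is assumed to happen separately.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
# Constructed sample values; the endpoint and IdP URLs are assumptions, not real services.
TOKEN_ENDPOINT = "https://as.airline.example/oauth2/token"
TRUSTED_IDP = "https://idp.corp.example/saml"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def make_assertion(subject, not_on_or_after, audience=TOKEN_ENDPOINT):
    """Minimal unsigned SAML 2.0 assertion (constructed sample, signature omitted)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        f"<saml:Issuer>{TRUSTED_IDP}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{BEARER_METHOD}"/></saml:Subject>'
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction>'
        f"<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion>"
    )

def b64url(text):
    return base64.urlsafe_b64encode(text.encode()).rstrip(b"=").decode()

def token_request(user_assertion, client_assertion, scope):
    """Form body the travel app POSTs to the airline's token endpoint (step 3)."""
    return {"grant_type": SAML_BEARER_GRANT, "assertion": b64url(user_assertion),
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:saml2-bearer",
            "client_assertion": b64url(client_assertion), "scope": scope}

def parse_ts(iso):
    return dt.datetime.fromisoformat(iso.replace("Z", "+00:00"))

def validate_assertion(encoded, now_iso):
    """Authorization-server checks before a token is issued (step 4). The XML signature
    is assumed to have been verified against the IdP's key already; not shown here."""
    root = ET.fromstring(base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4)))
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        return None, "untrusted issuer"
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER_METHOD:
        return None, "not a bearer assertion"
    cond = root.find("saml:Conditions", NS)
    if parse_ts(now_iso) >= parse_ts(cond.get("NotOnOrAfter")):
        return None, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if TOKEN_ENDPOINT not in audiences:
        return None, "audience mismatch"
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), "ok"
```

The same validation applies to the client's own assertion; an assertion that passed the checks but was issued for a different audience would be usable at that other service, which is why the audience check is not optional.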

OAuth2's ability to leverage different authentication systems makes it possible for SAML to enhance OAuth2 security, going even further to eliminate the propagation of dreaded user-ids and passwords in much the same way SAML did for classic federated web sign-on. Rather than making SAML redundant, OAuth2 has in fact increased SAML's utility.

About the Writer:
Phil Hunt joined Oracle as part of the November 2005 acquisition of OctetString Inc., where he headed software development for what is now Oracle Virtual Directory. Since joining Oracle, Phil has worked as CMTS in the Identity Standards group at Oracle, where he developed the Kantara Identity Governance Framework and provided significant input to JSR 351. Phil participates in several standards development organizations such as IETF and OASIS, working on federation, authorization (OAuth), and provisioning (SCIM) standards. Phil blogs at and has the Twitter handle @independentid.

Previous Posts:
2012: No Time to REST for the Holidays
Standards Corner: A Look at OAuth2
A Look at OAuth2 - A Follow-Up to the Reader's Comments

Monday Oct 03, 2011

Identity Management at Oracle OpenWorld - Monday WrapUp

Oracle OpenWorld has officially kicked off in high gear. There were three highlights from today's Identity Management activities:

  • Identity Management Demos: If you haven't already checked out the Identity Management demogrounds in Moscone South, don't miss it. This year, the Oracle IDM product team has pulled out all the stops to bring together one of the most exciting sets of demos we have seen. The 9 Identity Management demos are all designed to prove why Oracle Identity Management is the most complete and most integrated solution in the world. Each demo validates several real-world use case scenarios that need an end-to-end solution. And this year, there is an added bonus: if you check out all 9 IDM demos, you can enter to win an Apple TV.
  • Identity Management Keynote: In his general session address, Amit Jasuja, VP of Oracle Identity Management and Security Products, discussed several key identity management trends and how innovation is the key driver behind Oracle's Identity Management momentum. One of the key industry trends over the last couple of years has been the consumerization of IT and how it has fueled secular trends like cloud, social and mobile computing. Identity Management and security are now more important than ever as workforces everywhere need anywhere, anytime access. Amit's session showcased 3 cool demos: cloud-social-mobile integration, self-serve access, and privileged user access control.
  • Customer Successes: One of the best barometers of a product's success is its customer adoption. This year Oracle is showcasing several case studies that underscore why Oracle Identity Management leads the industry. In Amit Jasuja's keynote, the CISO of Toyota discussed how Toyota is using Oracle Identity Management to bring social networking straight to your automobile. Earlier in the day, we had ING and Kaiser discuss how they are winning with Oracle Identity Analytics. Later in the day, we had SaskTel talk about how they are leveraging Oracle Identity Management to deliver identity services in the cloud. During the next three days, you will get an opportunity to hear from several other customers who have realized the benefits of Oracle Identity Management.

For a complete listing of Identity Management demos and sessions at OpenWorld, see the Identity Management Focus On document.


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.