March 2010 Archives

As I wrote about yesterday, you can use WIF to get a token from PingFederate's STS by tweaking a few binding-related knobs.  Today, I tried to use WIF to get an OnBehalfOf (OBO) token from Ping Identity's federation server.  The results weren't as positive though.

Before I dive into what went wrong, it might be helpful to explain what OBO is typically used for and why it's important.  An STS (especially an IP-STS) is a core service that is as critical to your organization's ability to conduct business as DNS, DHCP, and your enterprise directory.  Just like any of these, if your STS is compromised, your business will stop.  For this reason, it is critically important to ensure that it is protected.  One way to do this is to hide it behind a firewall and proxy it out to the Internet using an intermediary.  The resulting network topology looks something like this:


In this type of deployment, the proxy STS lives in the DMZ, and external clients hit it rather than the actual STS, which (along with its private signing key) is safely tucked away in your corporate haven.

When a request for a security token arrives at the proxy and is forwarded to the STS, what's sent is an OBO message.  In other words, the proxy is requesting a security token on behalf of the subject.  This allows the STS to decide whether it should issue a token for the subject by way of the intermediary.  This manifests itself as a SOAP message that has a security token for the proxy in the header and another that is embedded in the OBO element of the RST (which is in the body).  For example, an OBO request would look something like this:

<s:Envelope ...>
  <s:Header>
    <o:Security ...>
      <!-- These are the credentials of the proxy -->
      <o:UsernameToken ...>
        ...
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken ...>
      ...
      <t:OnBehalfOf>
        <!-- These are the credentials of the subject -->
        <UsernameToken ...>
          ...
        </UsernameToken>
      </t:OnBehalfOf>
      ...
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>


With that groundwork in place, let's look at why PingFederate will not work with WIF.

Starting where I left off yesterday, I added a new method to my driver that would get an OBO token from PingFederate:

private static RequestSecurityTokenResponse RequestOnBehalfOfToken()
{
    var factory = GetChannelFactory();
    var rst = new RequestSecurityToken(WSTrustFeb2005Constants
        .RequestTypes.Issue)
    {
        AppliesTo = new EndpointAddress(appliesTo),
        // The subject's credentials travel inside the OnBehalfOf element of the RST
        OnBehalfOf = new SecurityTokenElement(new UserNameSecurityToken(
            subjectUserName, subjectPassword)),
    };

    RequestSecurityTokenResponse rstr;
    var channel = factory.CreateChannel();

    channel.Issue(rst, out rstr);

    return rstr;
}


Note how the RST includes an OBO element that has a security token identifying the subject.  That is different from the credentials of the proxy/requester that are set when the channel factory is created:

private static WSTrustChannelFactory GetChannelFactory()
{
    // See yesterday's post for a more complete code sample (binding and endpoint are built there).
    var factory = new WSTrustChannelFactory(binding, endpoint);

    // These are the proxy's (requester's) credentials; they end up in the SOAP header
    factory.Credentials.UserName.UserName = proxyUserName;
    factory.Credentials.UserName.Password = proxyPassword;

    return factory;
}


When I ran this code, PingFederate returned a fault and printed this in its logs:

2010-03-17 12:05:21,481 tid:066b8dea8 DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] Handle Exception (
org.sourceid.wstrust.handlers.WSTrustException: STS requests with more than one token are unsupported.
                at org.sourceid.wstrust.handlers.WSTrustBaseRequestHandler.ensureOneToken(

As the message says, PingFederate allows only one token in an RST.  If an OBO element is included in the RST, it requires one of two things to be true:

  1. There must be no additional security tokens in the SOAP header, and the security token of the subject must be embedded directly in the OBO element of the RST; or
  2. The OBO element must contain a SecurityTokenReference element that points to the security token of the subject in the SOAP header.

Option one is not possible because WIF will throw an exception if a client credential is not supplied when calling Issue on a WSTrustChannelFactory object.  WIF does not support the SecurityTokenReference element, so option two is out as well. This means that to use WIF to implement the requester, we have to skip OBO entirely, put the subject's identity in the SOAP header, and authenticate the requester to the STS using transport-level security (e.g., using mutually authenticated SSL).
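The message shape shown above and PingFederate's one-token rule, as an added Python example that is not code from the post: it constructs the three request variants discussed (what WIF sends, option one, option two) and reports which tokens the STS sees and whether the rule is met. The namespace URIs are the standard SOAP 1.1, WS-Security 1.0 and WS-Trust Feb 2005 ones; the proxy credentials are made-up sample values, and counting every wsse:Security child other than Timestamp and Signature as a token is an assumption.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespaces of a WS-Trust (Feb 2005) RST sent over SOAP 1.1 with WS-Security 1.0.
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
}
# Assumption: any child of wsse:Security other than a Timestamp or Signature is a token.
NON_TOKENS = {"{%s}Timestamp" % NS["u"], "{http://www.w3.org/2000/09/xmldsig#}Signature"}


@dataclass
class RstCheck:
    header_tokens: list    # wsu:Id (or tag) of each token found in the wsse:Security header
    obo_embedded: bool     # OnBehalfOf carries a token element directly
    obo_reference: str     # URI of a SecurityTokenReference inside OnBehalfOf, or ""
    accepted: bool
    reason: str


def check_one_token_rule(envelope_xml: str) -> RstCheck:
    """Apply the rule from the post: an RST may carry exactly one security token."""
    root = ET.fromstring(envelope_xml)
    header_tokens = []
    security = root.find("s:Header/o:Security", NS)
    if security is not None:
        for child in security:
            if child.tag not in NON_TOKENS:
                header_tokens.append(child.get("{%s}Id" % NS["u"]) or child.tag)

    obo = root.find("s:Body/t:RequestSecurityToken/t:OnBehalfOf", NS)
    obo_embedded, obo_reference = False, ""
    if obo is not None:
        for child in obo:
            if child.tag == "{%s}SecurityTokenReference" % NS["o"]:
                ref = child.find("o:Reference", NS)
                obo_reference = ref.get("URI", "") if ref is not None else ""
            else:
                obo_embedded = True   # a token sits directly inside OnBehalfOf

    total = len(header_tokens) + (1 if obo_embedded else 0)
    if total > 1:
        # This is the shape WIF produces and PingFederate's ensureOneToken rejects.
        return RstCheck(header_tokens, obo_embedded, obo_reference, False,
                        "STS requests with more than one token are unsupported")
    if obo is not None and not obo_embedded:
        target = obo_reference.lstrip("#")
        if not target or target not in header_tokens:
            return RstCheck(header_tokens, obo_embedded, obo_reference, False,
                            "OnBehalfOf does not embed a token or reference one in the header")
    return RstCheck(header_tokens, obo_embedded, obo_reference, True, "ok")


def build_envelope(header_token: str, rst_extra: str) -> str:
    """Constructed sample RST envelope in the shape shown in the post."""
    return (
        '<s:Envelope xmlns:s="%s" xmlns:o="%s" xmlns:u="%s" xmlns:t="%s">'
        % (NS["s"], NS["o"], NS["u"], NS["t"])
        + "<s:Header><o:Security>" + header_token + "</o:Security></s:Header>"
        + "<s:Body><t:RequestSecurityToken><t:RequestType>" + NS["t"] + "/Issue</t:RequestType>"
        + rst_extra + "</t:RequestSecurityToken></s:Body></s:Envelope>"
    )


# Constructed credentials: the proxy's are made up; the subject's match the post's sample user.
PROXY_TOKEN = ('<o:UsernameToken u:Id="proxy"><o:Username>proxy-svc</o:Username>'
               '<o:Password>proxy-secret</o:Password></o:UsernameToken>')
SUBJECT_TOKEN = ('<o:UsernameToken u:Id="subject"><o:Username>john</o:Username>'
                 '<o:Password>Password1</o:Password></o:UsernameToken>')

# What WIF sends: proxy token in the header and the subject token embedded in OnBehalfOf.
WIF_STYLE = build_envelope(PROXY_TOKEN, "<t:OnBehalfOf>" + SUBJECT_TOKEN + "</t:OnBehalfOf>")
# Option one: empty header, subject token embedded in OnBehalfOf.
OPTION_ONE = build_envelope("", "<t:OnBehalfOf>" + SUBJECT_TOKEN + "</t:OnBehalfOf>")
# Option two: subject token in the header, OnBehalfOf holds a SecurityTokenReference to it.
OPTION_TWO = build_envelope(SUBJECT_TOKEN,
    '<t:OnBehalfOf><o:SecurityTokenReference><o:Reference URI="#subject"/>'
    '</o:SecurityTokenReference></t:OnBehalfOf>')

if __name__ == "__main__":
    for name, env in (("WIF style", WIF_STYLE), ("option 1", OPTION_ONE), ("option 2", OPTION_TWO)):
        r = check_one_token_rule(env)
        print("%-9s header=%s embedded=%s ref=%r -> %s (%s)"
              % (name, r.header_tokens, r.obo_embedded, r.obo_reference, r.accepted, r.reason))
```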

If you want to get a security token from the STS that is included in Ping Identity's flagship product, PingFederate, using a client coded in Windows Identity Foundation (WIF), you'll have to tweak a few knobs.  It isn't hard, but it does require that you know which dials to turn and how.  This can be quite time-consuming if you have to (re)learn a bunch about WCF bindings.

To figure all this out, I started by setting up PingFederate using the guide (included with the product).  Then, I installed the .NET-based WS-Trust client sample.  This sample is a WSE-3-based console application that sends an RST, parses the RSTR, and prints the security token included in that message.  Once I had that working, I was able to use a proxy to grab the messages sent between it and PingFederate.  I used these as my baseline.

Creating a similar console app in WIF is easy thanks to the WSTrustChannelFactory (which is the replacement for WSTrustClient from the betas).  The trick was the binding and getting the protocol versions to match what was used in the WSE app.  Here's the entire console app in hopes that it helps:

using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.Text;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

namespace ConsoleApplication1
{
    class Program
    {
        private const string userName = "john";
        private const string password = "Password1";
        // The relying party's identifier; left blank in this sample, set it to your RP's URI
        private const string appliesTo = "";
        private const string stsAddress = "https://computer:9031/idp/sts.wst";

        static void Main()
        {
            IgnoreCertificateValidation();

            var rstr = RequestSecurityToken();

            PrintRequestSecurityTokenResponse(rstr);
        }

        private static void IgnoreCertificateValidation()
        {
            // Dev/test only: accepts any server certificate (e.g., PingFederate's self-signed one)
            ServicePointManager.ServerCertificateValidationCallback = (sender,
                cert, chain, errors) => true;
        }

        private static void PrintRequestSecurityTokenResponse(
            RequestSecurityTokenResponse rstr)
        {
            Console.WriteLine("Security token issued by PingFederate:");
            // The issued token as raw XML (the RequestedSecurityToken element of the RSTR)
            Console.WriteLine(rstr.RequestedSecurityToken.SecurityTokenXml.OuterXml);
        }

        private static RequestSecurityTokenResponse RequestSecurityToken()
        {
            var factory = GetChannelFactory();
            var rst = new RequestSecurityToken(WSTrustFeb2005Constants
                .RequestTypes.Issue)
            {
                AppliesTo = new EndpointAddress(appliesTo)
            };

            RequestSecurityTokenResponse rstr;
            var channel = factory.CreateChannel() as WSTrustChannel;
            var token = channel.Issue(rst, out rstr);

            return rstr;
        }

        private static WSTrustChannelFactory GetChannelFactory()
        {
            var binding = GetBinding();
            var endpoint = new EndpointAddress(stsAddress);
            var factory = new WSTrustChannelFactory(binding, endpoint)
            {
                // Must match the WS-Trust version PingFederate's endpoint speaks
                TrustVersion = TrustVersion.WSTrustFeb2005
            };

            factory.Credentials.UserName.UserName = userName;
            factory.Credentials.UserName.Password = password;

            return factory;
        }

        private static Binding GetBinding()
        {
            var binding = new CustomBinding();

            binding.Elements.AddRange(new BindingElement[]
            {
                // Security element that places the factory's UserName credentials in the
                // WS-Security header (reconstructed here; adjust its MessageSecurityVersion
                // to match the messages the WSE sample sends)
                SecurityBindingElement.CreateUserNameOverTransportBindingElement(),
                new TextMessageEncodingBindingElement(MessageVersion
                    .Soap11WSAddressingAugust2004, Encoding.UTF8),
                new HttpsTransportBindingElement(),
            });

            return binding;
        }
    }
}


What a conference! In case you missed it, I've blogged about RSA all week long:

Like last year, I finished the conference by attending Richard Howard's talk on cyber threats and trends.  Howard is the director of the iDefense Lab.  In his talks, he lays out new security disruptors that will drastically change the information security landscape over the next 5 to 10 years.  He warned of the following disruptors last year and this:

  • Cyber terrorism
  • Mobile threats
  • IPv6
  • Arbitrary TLDs and multilingual URLs
  • Virtual worlds
  • Shift in attacks to government targets (i.e., cyber terrorism)
  • Smart phones (i.e., mobile threats)
  • Cloud computing

Then, I went to a talk on cross-domain identity and access control presented by Tom Winnenberg, principal security engineer at Raytheon.  In it, he talked about federation and centralized authorization using XACML.  Centralized authorization, especially using XACML, is something I heard a lot about during the week actually.  Last year, that protocol was only mentioned once, in a presentation given by Sun and Burton.  This year, I heard about it in a half dozen different sessions, from a couple of vendors on the show floor, and from one other conference goer that I talked with. I think people are starting to wrap their heads around centralized authentication, and are now beginning to wonder about how to also centralize authorization.  So I think the attention paid to XACML will increase this year, especially if Microsoft begins supporting it in their products (which won't happen in 2010).

All in all, it was a great show.  If you missed it, I would certainly recommend that you check out those blog posts I listed above and try to attend next year if you can.

Cloud computing, virtualization, cyber-crime, and compliance were predicted to be the big themes of RSA.  After four days, I've been to about 20 sessions in 7 tracks, 7 keynotes, and heard from more than 30 corporate representatives from a half dozen industries.  Cloud computing has certainly come up, but almost exclusively in the keynotes.  It seems that the conference organizers want to talk about it, but the information security community has other things on its mind.  What have been the themes I've heard after attending all these sessions?  Identity and, as corollaries to that, authentication (as I said last night) and PKI.

I heard from Joshua Powers, CTO of Securboration and formerly of the US Air Force.  He talked about the difficulty of modeling identities and how semantic Web technologies can be used to create graphs to represent identities more effectively.  Then I heard from G&D and EISST about how they have been working to harden Web browsers and ensure that they haven't been patched by malware.  They called this technique Dynamic Application Authentication (DAA), and they used PKI and smart cards to do it.

Then I attended a panel discussion chaired by a representative from Adobe which included a registrar in higher ed, a lawyer, and an auditor.  They talked about how there is a resurgence of interest in PKI.  Unlike ten years ago, they said, this new buzz is coming from business and not from crypto geeks going on and on about Alice, Bob, and Eve.  The result is a market pull rather than a push as was the case a decade ago.  The fundamental reason, they said, was that businesses of the twenty-first century are information companies.  Data doesn't remain neatly within the silos we've created in our organization -- it flows across them.  In order to comply with regulations, avoid leakages, and use data to provide customers with value, companies have to find a way to secure it.  PKI is increasingly the way they're doing so, the panelists said.  They cited a number of examples:

  • Verification of hundred year old legal contracts
  • Digitally signing transcripts
  • Federation
  • Verifying the identity of doctors

All of these examples come down to authenticating the identity of different entities.

BTW, when the lawyer, Randy Sabett, was asked by a Brazilian audience member about when America would get a national ID system like his country's, Sabett said it was a "long way off."  In light of this, perhaps my prediction last night was a bit naive :-)

The last session I attended today was a P2P discussion about Identity Management (IdM).  The group was made up of folks reporting to CIOs, CSOs, and CTOs.  They talked about the huge disarray that their organizations are in with regard to identity.  From the sound of it, it seemed that their IdM systems were not working very well for them.

So cloud computing is important, but it seems that the information security community thinks identity, authentication, and PKI are more important.  Have you been hearing other things at the conference?  Are other issues more important to your organization than these?  Are these issues hot topics for your company as well?  I'd love to hear about it.  Leave a comment below or shoot me a note.  I've got one more day here at RSA, so keep an eye on my Twitter stream for real-time updates and check back tomorrow for my final post.

I can't believe it's only day three! It already feels like day 10. Today, I attended sessions presented by representatives from the Brazilian banking industry, Yahoo!, Google, Cisco, Bank of America, Qualys, and the US government.  There was a red thread that wove through all of these speakers' words that really caught my ear.  It was a topic I also heard while speaking with a German exhibitor on the show floor and other conference goers who I ate lunch with.  Any guesses as to what it was? Readers of my blog, especially those familiar with this year's theme for RSA, will certainly think it was cloud computing.  It wasn't though.  It was authentication.

The Brazilian banking representatives who worked for the first and eighth largest financial institutions spoke about the PKI that Brazil has recently launched.  The root of this trust hierarchy is the government itself.  When citizens are born, their fingerprints are taken at birth and placed in a government database.  At some later point, they are issued national identity cards.  Their fingerprints are encoded on the smart card of the ID and signed by the Brazilian root CA. 

Banks in Brazil apply to be intermediate CAs under the government's root.  When a citizen comes to one of them for a bank account, they must present their national ID card.  With this, they can authenticate the person using the biometric data on the card, the person's finger, and the signature of the root CA.  There are surely many factors that have led to the adoption of this technology in Brazil, but one is no doubt the scale of crime confronting the country.

Richard Clarke, Chairman of Good Harbor Consulting, asked rhetorically in his keynote whether America must get to a similar level of crisis before taking more drastic measures to protect its citizens online.  An American gentleman that I had lunch with (whose name I unfortunately did not get) said that he wants a national ID in order to protect his privacy.  He argued that by being able to positively identify himself using such an ID, he could avoid intrusive searches in cases where the government suspects him of crimes perpetrated by someone that looks like him.  While searching his computer, house, car, etc. to determine who he really is, the government may find things that are actually illegal.  Once they are convinced he is not the suspect they originally believed him to be, they would then have the evidence necessary to convict him of other crimes.  Authentication initially would have prevented this, he argued.

Google, Yahoo!, B of A, and Cisco talked about how phishing is bombarding their users, and preventing the banks from using that channel to communicate to the full extent desired.  Due to a lack of authentication, email cannot be trusted to deliver more value to customers.  In fact, the phishing attacks are discrediting the financial institution's brand and reputation, B of A said.  The solution the Web mail providers are employing is the same one the Brazilian banks are using to guard the online banking and ATM channels: PKI.  Unlike the South American organizations, however, Google and Yahoo! are not authenticating the end users; rather, they are only, initially, verifying the identity of the servers which are sending them email.  Email from unauthenticated servers is scrutinized more intensely than email from authenticated senders.

In her keynote, Secretary of the Department of Homeland Security, Janet Napolitano, said that what is needed is "privacy enhancing authentication."  CEO of Qualys, Philippe Courtot, said that it is the job of security professionals to "verify and to be on the lookout."  Bruno Quint of CORISECIO, a German service provider in the telco industry, told me about how his company is providing 2+ factor authentication using a national PKI (like Brazil's but without biometry) combined with Information Cards on mobile devices to provide strong authentication that is easy to use.

From all of this, I will go out on a limb and make the following predictions about authentication:

  • America will inevitably roll out a national ID card that uses PKI; it will not use biometry at first.
  • The creation of this PKI will be lobbied for by the financial industry.
  • It will be rolled out in 10 years or less.
  • It will eventually be used to securely authenticate online banking, e-commerce, voting, and other applications.

Disagree?  Have other predictions?  Share your opinion in a comment below or let me know.  Also, be sure to check back tomorrow for a summary of day 4 and watch my Twitter stream for live updates.

I attended three sessions this afternoon:  

  • One on cloud computing with a panelist from JPMorgan Chase,
  • One on authentication presented by the CIISP of Bradesco, a Brazilian bank, and
  • One that was a P2P discussion of identity facilitated by a SVP at Bank of America.

All of those are issues that I wrestle with all day long in the industry in which I work, so it was fantastic. Perhaps it's the marketing class I'm in ATM that has attuned my ears to the voice of the customer (VoC) because I heard them loud and clear. This is my interpretation of what they said about those topics.

What the Financial Institutions Said / My Interpretation

  • Said: Cloud computing is a new name for things we've been doing for a long time.
    Interpretation: Be careful and cautious about cloud computing. Scrutinize new cloud-based offerings using our established practices and procedures. Do not get sucked into the hype.
  • Said: Once data gets out the door, it's gone forever.
    Interpretation: You only get one chance. Cloud computing is still too new and unproven. Mistakes are bound to happen, and we can't afford for them to be made by us.
  • Said: Everything is about risk management.
    Interpretation: Be cautious and slow to adopt cloud computing. Let the early adopters go out of business trying to figure it out. Once they have worked out the technical, social, political, and legal kinks, consider it pursuant to our established practices, policies, and procedures.
  • Said: The biggest risk is loss of reputation; the brand name must be upheld. You can't outsource your reputation.
    Interpretation: Losing the competitive advantage that a distinguishable and trustworthy brand offers is not worth the potential cost savings offered by cloud computing, especially considering that we have already invested in the computing infrastructure that IaaS and cloud computing offer.
  • Said: Online banking will never be done in the cloud.
    Interpretation: Public clouds such as Amazon's are not appropriate places to host online banking solutions. Host them on private or hybrid clouds instead.
  • Said: Positively identifying legitimate users has been a long hard battle that has forced us to invest tons of money and effort; it has even forced us to do things we didn't want to do (e.g., biometry).
    Interpretation: We are in an arms race. If you can help us make it cheaper and more cost effective, we're all ears.
  • Said: Technology is not enough.
    Interpretation: We need technological help in this war, but we will be especially interested if you can also help us with the people- and process-related problems.
  • Said: Banks, governments/police, and customers must work together.
    Interpretation: Your offerings need to be interoperable, UX tested, and compliant with government regulations.
  • Said: We will constantly be confronted with new security challenges.
    Interpretation: We need vendors who we can trust and that will continually provide products that are one step ahead of the fraudsters.
  • Said: Users adopted biometrics much quicker and with less pushback than we expected.
    Interpretation: We value solution providers that are willing to think outside the box; we know from past experience that it pays off.
  • Said: Our customers love mobile devices.
    Interpretation: We expect a whole host of new attacks and problems, so help, advice, and guidance are welcome.
  • Said: Facebook can't be blown off.
    Interpretation: Social networking Web sites represent a real opportunity given the mass adoption, but we're unsure how to capitalize on them.

If you disagree with my interpretations, are aware of other needs that these organizations have, or would like to ask me a question about other things they said about cloud computing, authentication, and digital identity, leave a comment here or let me know. Also, keep an eye on my Twitter stream for more frequent updates from the RSA Conference.

The keynotes this year at RSA were really good. The same guys that spoke last year spoke again this year:

  • Art Coviello, Executive Vice President of EMC Corp. and President of RSA, The Security Division of EMC
  • Scott Charney, Corporate Vice President for Trustworthy Computing, Microsoft Corp.
  • Enrique Salem, President and CEO, Symantec Corp.

The theme repeated over and over and over again in the address of all three was cloud computing. They said that cloud computing represents both a challenge and an opportunity.  As others said yesterday, cloud computing is a chance for the information security industry to redo the IT infrastructure with security at its core.  Even more so than last year, these men stressed the inevitability of cloud computing's adoption, and Coviello said its transformative impact on society and business will be like that of the Internet itself.  It wasn't that they were crying uncle; it was more like they were saying if we (the information security community) can't deter them, let's lead them.  To this end, Coviello laid out a strategy for businesses:

  1. Begin moving non-critical services to the cloud
  2. Move critical business applications to the cloud
  3. Build internal clouds
  4. Combine your internal and external cloud infrastructures to create a hybrid cloud

In making that first step, he advised attendees to ensure that SaaS providers are able to address GRC, SLA, policy, identity, and multitenancy needs (the last being the hardest, he said).  Through these, the cloud goes from being a nebulous black box to a transparent one:


Which seems like something your business wants to invest in? Startups looking to attract enterprise customers and acquisition should ensure that their offerings are like the latter, something that I imagine will be hard for many of them due to a lack of experience working in and with large enterprises.

Coviello closed with a helpful analogy in which he compared cloud computing to the financial system.  Initially, we traded chickens for grain; then we used coins; then we "virtualized" our finances and began using paper money -- an act that places trust in the issuer of the notes; then, we created stocks and bonds to allow us to distribute wealth in a more "elastic" manner.

To make this happen, Charney picked up after him, identity is going to be a fundamental obstacle that we must overcome.  Including wording on his slides, Charney said identity over 25 times in his short address.  Microsoft, all the other speakers, and I believe that identity is key to the adoption of cloud computing, which is the future of all organizations.  To this end, Microsoft just released a public beta of U-Prove, a technology that is built on top of WIF, ADFS, and CardSpace; it provides the least amount of information necessary to conduct one's business online in the cloud.  I've had early access to an alpha of this software and talked to Christian Paquin, one of its creators, last year at RSA.  It is a really compelling technology, and the release of the public beta, free use of its crypto, and open source reference code is an important step in overcoming the identity barrier.

There's a lot more to see and hear today, so I'll post again this evening if I have time.  Keep an eye on my Twitter stream for real-time updates and drop me a line if you have any questions/comments about the keynotes or U-Prove.

This year, I'm attending my second consecutive RSA Conference. Just like last year's show, I will be blogging about each day's happenings.  Today, I started things off by attending the day-long Kantara workshop. Like I mentioned last year, Kantara is a grassroots effort to bring together the OpenID, Information Card, and SAML communities to find a way to provide digital identity solutions in both the enterprise and consumer space.

During the workshop, various folks from CA, Google, PayPal, MEDecisions, NTT, Ping Identity, et al. spoke about what the group has been doing since its kick off last year at RSA.  Trent Adams, of the Internet Society, started by explaining what Kantara is, ways to get involved, etc.  Four important things that he said were:

  • Any individual can become a participant for free and become a voting member for a nominal fee (~$100/year) -- more for companies
  • Kantara is not a standards body but an incubator for them
  • The User-Managed Access (UMA) working group, chaired by Eve Maler of PayPal, is the most active of all groups
  • Kantara has been granted provisional status by the US government as a Trust Framework Provider (or something) that basically means that Uncle Sam thinks they're doing pretty important stuff ;-)

Andrew Nash of PayPal spoke next about how we as an industry are a couple billionths of a second after the "big bang" of identity, meaning we are on the absolute forefront of creating an identity metasystem for the Internet.  Given its early days, it's helpful to use the framework presented by Matthew Gardiner of CA to see what initial identity-related capabilities are needed to enable cloud computing:


By these labels, Gardiner means thus:

  • Enterprise to Cloud Providers - Needs of enterprises who are trying to leverage SaaS or cloud services
  • For Cloud Providers - Needs of cloud/SaaS providers themselves
  • Cloud Providers for Enterprise - Needs of cloud/SaaS providers who are targeting large enterprises

As a market researcher, I would be jazzed to know that this industry leader believes that what big businesses that are trying to adopt cloud computing need right now is data loss prevention, user authentication and federation, and log management services. Good time to be an aspiring entrepreneur who knows a bit about cloud computing, SAML, WS-Trust, and WS-Federation :-)

Paul Madsen (@paulmadsen), of NTT, then explained what's been happening in the identity space with regard to the various specs and protocols. He said that most of the work these days is on creating new profiles for the various protocols (e.g., the XSPA profiles for WS-Trust, SAML, etc.).  He also mentioned OAuth WRAP, which Eric Sachs of Google also talked about.  Not surprisingly, Sachs was very positive about it, but so was Madsen.  It was notable to me because I got the impression that the community was in a tizzy about WRAP, but those of the community that I heard from today weren't.  I caught up with Sachs on the exhibition floor and we chatted over a messy sandwich about how WRAP's purpose was to make OAuth simple to implement.  I've never tried, but Sachs said that OAuth is just too difficult for many developers to do right.

Also in the exhibitor hall, I met up with Sridhar Muppidi and Craig Forster of IBM. This architect and engineer told me about how their STS, which is a part of Tivoli Security Policy Manager (TSPM), has implemented the XSPA profile. Muppidi also said that their STS conforms to WS-Trust 1.3 but that 1.4 is on their road map.  He said that most of their customers are still using 1.2, so 1.3 is still relatively new and that customers aren't even thinking about 1.4 yet.  When they do implement the new versions though, he said that they intend to support not only ActAs but also the new challenge and response stuff.  Awesome!  They do challenge/response now in their STS in a proprietary way, Muppidi went on to say.  What they do is fault and include a subcode and info about the challenge that the user needs to answer to continue the token issuance process.

There's more I could say.  Unfortunately, I left my time stopper and a person replicator at home, so I have to leave it here for now.  You can get all the slides from all the presentations from my stash.  If you have questions about anything I've written, add a comment below or get in touch with me.  Also, if you're at RSA and want to hook up, call, text, or DM/mention me on Twitter.