azlabs - I.AM Specialists, by Chee Chong (feed snapshot dated 2024-03-16)<br />
<br />
<b><u>2FA mobile app with Push Notification</u></b> (2022-09-20)
<p>Wow! I realized I have not blogged for the longest time, ever since pre-COVID. I have been super busy throughout the pandemic period with a lot of projects.</p>
<p>We are still deploying and maintaining Gluu Server for our customers. In fact, customers are looking at getting more value from what Gluu can provide.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghErSQaC8HCBYufiRCcchgVQp2rnCMraDxuiQAy5GNYS4icxOHXNh_-RLaQy0mtNxtPrH7ZTmTxCpRwwLGXogf87aAr2YjAc-aEY7Xjyo7HcPGi4XPdmimYcKmuvKcCdfVwz0dhDs2Q0mGzv8H5Zlavut2oHHvcTHRR0t2piF4OjdPrL2MCq8yXEBq/s120/gluu.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="53" data-original-width="120" height="53" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghErSQaC8HCBYufiRCcchgVQp2rnCMraDxuiQAy5GNYS4icxOHXNh_-RLaQy0mtNxtPrH7ZTmTxCpRwwLGXogf87aAr2YjAc-aEY7Xjyo7HcPGi4XPdmimYcKmuvKcCdfVwz0dhDs2Q0mGzv8H5Zlavut2oHHvcTHRR0t2piF4OjdPrL2MCq8yXEBq/s1600/gluu.png" width="120" /></a></div>
<p>Recently, a customer asked about integrating Push Notification into their mobile application. This will provide 2FA to their end users who access their websites.</p>
<p>I recalled we have an internal app that is "white-labelled" from <a href="https://super.gluu.org/home/" target="_blank">SuperGluu</a>.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhu-zZeMEmMZhuPQvAhuNhLW5C-t6CcjhQw06ClNtB7kW2c6_-qUhd0fZ8ADqGEf53WwBUspvjxo3cOMdYSEjRlZ58XwZDwVom0NlwPjJi0_eMBVa7HOP4oXe3YvWHEKQKlrcP7XsqwCsW6hCNYEQ_0m-UzPp4V7AP4qJYbceztyyzvLz0nf-pfhOlD" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="765" data-original-width="1151" height="266" src="https://blogger.googleusercontent.com/img/a/AVvXsEhu-zZeMEmMZhuPQvAhuNhLW5C-t6CcjhQw06ClNtB7kW2c6_-qUhd0fZ8ADqGEf53WwBUspvjxo3cOMdYSEjRlZ58XwZDwVom0NlwPjJi0_eMBVa7HOP4oXe3YvWHEKQKlrcP7XsqwCsW6hCNYEQ_0m-UzPp4V7AP4qJYbceztyyzvLz0nf-pfhOlD=w400-h266" width="400" /></a></div>
<p>I wrote an article in <a href="https://github.com/AzimuthLabs/AZPass" target="_blank">GitHub - AZPass</a>. We can copy some ideas from there and integrate them into the mobile app for this customer.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi7gcPvayr4wzVBPnGKtc5t26mhPA4SgLS-5qL94ZFqFOoGt5VLQpFIFL_hNLhO8fJUqyTqbTtUCZJ0AC_iiOyvbqkv2_ctfke1sghm3v0Jlx4GDST-QRiv2mwGq24UxllTKo-x8_lpdan9x51avdxurXmWp4m-oA1XSlck63Pxyqp5iGi2XNUJHmJ9" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img alt="" data-original-height="1102" data-original-width="2392" height="184" src="https://blogger.googleusercontent.com/img/a/AVvXsEi7gcPvayr4wzVBPnGKtc5t26mhPA4SgLS-5qL94ZFqFOoGt5VLQpFIFL_hNLhO8fJUqyTqbTtUCZJ0AC_iiOyvbqkv2_ctfke1sghm3v0Jlx4GDST-QRiv2mwGq24UxllTKo-x8_lpdan9x51avdxurXmWp4m-oA1XSlck63Pxyqp5iGi2XNUJHmJ9=w400-h184" width="400" /></a></div>
<p>Pretty cool stuff!</p>
<br />
<b><u>Mobile Single Sign-On</u></b> (2019-07-04)<div class="separator" style="clear: both; text-align: left;">
The other day, we were at a customer's site and the discussion was on Mobile Single Sign-On (MSSO). This customer will be launching a few mobile applications and would like users to have the convenience of not having to sign on every time a mobile application is launched.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u>Traditional Mobile Single Sign-On</u></b></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The traditional method of achieving MSSO is to develop yet another mobile application to act as an SSO Wallet, which then acts as the bridge between the various mobile applications and the Identity Provider (IdP). </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>I'm using Gluu Server as an example here, but the IdP can be any federation solution.</i> </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO0Zc0UkgL0HaXCv9lHqWjGeI1HFVKQb_PMZh29HQwLonOcfpPcE5Uu2vz-kMQpphhRx2_fG1vWZNw49MbHmz2j7jafC48f10BKUijdCqCsGG_ieQ7ihLq_3r2DpafLiGzHjCcDZAMPc0/s1600/t.mobile.sso.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="468" data-original-width="446" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO0Zc0UkgL0HaXCv9lHqWjGeI1HFVKQb_PMZh29HQwLonOcfpPcE5Uu2vz-kMQpphhRx2_fG1vWZNw49MbHmz2j7jafC48f10BKUijdCqCsGG_ieQ7ihLq_3r2DpafLiGzHjCcDZAMPc0/s1600/t.mobile.sso.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u>Modern Mobile Single Sign-On</u></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
On iOS and Android, a simpler MSSO solution is available by tapping into the cookies held by the system browser: the IdP session established at the first login is reused by every application that opens the IdP through that same browser.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For iOS, <a href="https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller" target="_blank">SFSafariViewController</a> is recommended, while on Android, <a href="https://developer.chrome.com/multidevice/android/customtabs" target="_blank">Chrome Custom Tabs</a> are suggested. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjRDeEq7kOnhE27yCPMG6D0HM9A8Nqdn8hKWiexujyzQpqmVY6pgjjMMZqZ7DDcJ34lNhsMMK_3XggAjAV-_XKJFII0aGV7DolGUH4LQUWNACVwRvVQyv0otr5rJ00ba4ADD9-80vUF6c/s1600/mobile.sso.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="518" data-original-width="464" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjRDeEq7kOnhE27yCPMG6D0HM9A8Nqdn8hKWiexujyzQpqmVY6pgjjMMZqZ7DDcJ34lNhsMMK_3XggAjAV-_XKJFII0aGV7DolGUH4LQUWNACVwRvVQyv0otr5rJ00ba4ADD9-80vUF6c/s1600/mobile.sso.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Quite convenient to implement.<br />
<br />
Of course, we did discuss the scenario in which the Chrome browser is not installed; MSSO on Android will then fail. This can be overcome by user education.<br />
<br />
<br />
.<br />
<br />
<b><u>Gluu AD/LDAP Synchronization - Part IV</u></b> (2019-06-08)<br />
<br />
When configuring AD/LDAP Synchronization (Cache Refresh), it is very important to enable "Keep external persons".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQxA4XkGvhss6XzSboRH3IFV0Q-a7KwRM9fFGEtGCS1JHY-9qpUJOhf1t7uGcDRCt3FQ3hBUHuVU4EoRGrMjBgDvhyphenhyphen5Ek4l1ZUxZcplptAt5yoJII-66ImYqZuzDEv1efwjBCNGcScK1M/s1600/cr.04.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="874" data-original-width="580" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQxA4XkGvhss6XzSboRH3IFV0Q-a7KwRM9fFGEtGCS1JHY-9qpUJOhf1t7uGcDRCt3FQ3hBUHuVU4EoRGrMjBgDvhyphenhyphen5Ek4l1ZUxZcplptAt5yoJII-66ImYqZuzDEv1efwjBCNGcScK1M/s1600/cr.04.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Why? Because the administrator "uid=admin" resides in the same organizational unit (ou=people) as the users imported from the external AD/LDAP.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJxBECqUIuoRHvppo29D6aS74Wbp42uCWhU2h9fQ0tWgjrjkya6iYb-fUzr1xyrg_NfgLFG0MNr1hNwpJZSvvvBtuHXp8lm4_67-Y4yDKNso2a_Mmu6WICQlLlRBs3DZwBZQ9bWgVHNCw/s1600/f.05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="580" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJxBECqUIuoRHvppo29D6aS74Wbp42uCWhU2h9fQ0tWgjrjkya6iYb-fUzr1xyrg_NfgLFG0MNr1hNwpJZSvvvBtuHXp8lm4_67-Y4yDKNso2a_Mmu6WICQlLlRBs3DZwBZQ9bWgVHNCw/s1600/f.05.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
Be careful.<br />
<br />
.<br />
<br />
<b><u>Gluu AD/LDAP Synchronization - Part III</u></b> (2019-06-07)<div class="separator" style="clear: both; text-align: left;">
After AD Synchronization (Cache Refresh) was configured, I realized the total number of people imported exceeded the number of actual users we had in the office. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvKRpFL_F3F6ACwijij64F6VyALYJroyJhKeOoIKaq0Pc2GMyvvSot5fZGkgELQGnSRc9qpwQlQO-I28ST1ZuG5iiYhwuYODGECYpEBhOJtDggpJarscy2UMSjkgLEeJGrOYySls-pH1Y/s1600/f.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="444" data-original-width="309" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvKRpFL_F3F6ACwijij64F6VyALYJroyJhKeOoIKaq0Pc2GMyvvSot5fZGkgELQGnSRc9qpwQlQO-I28ST1ZuG5iiYhwuYODGECYpEBhOJtDggpJarscy2UMSjkgLEeJGrOYySls-pH1Y/s1600/f.03.png" /></a></div>
<br />
<br />
There is a way to filter out the unnecessary users from Microsoft Active Directory. If an AD user is a staff member, we tag this user as a member of the "Azlabs Staff" AD group.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1-Xggvc4qzT-lUvsAg7RfesFxYA4v0H3tVVir_XDNZTLPTCtkOZh8NsFHMXTeYa5v37MVHRHzauNUdLGEEYiILXjyCTotb297nnRG4EH8ErRnHPX1um3RR6sPeDeGqpu64jL1GObIkfw/s1600/f.01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="565" data-original-width="422" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1-Xggvc4qzT-lUvsAg7RfesFxYA4v0H3tVVir_XDNZTLPTCtkOZh8NsFHMXTeYa5v37MVHRHzauNUdLGEEYiILXjyCTotb297nnRG4EH8ErRnHPX1um3RR6sPeDeGqpu64jL1GObIkfw/s1600/f.01.png" /></a></div>
<br />
<br />
<br />
<br />
Then we can reconfigure Cache Refresh in Gluu Server under "Customer Backend Key/Attributes". <i>(Yes, I dislike this tab title. Very confusing.)</i><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-ENnwF4RczqH47vXQbvYv25SHfYERb_1xv9KnbjDIFa8cJtxZr_r8QcXhjDG-EcL4jcjtYmCimz0fqaL2BPsxHD2HTnhMqbG9XmvPLTP8Zf-knp1oYnsFWiUOn__BjWbVIZLoVLZeJFk/s1600/f.00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="634" data-original-width="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-ENnwF4RczqH47vXQbvYv25SHfYERb_1xv9KnbjDIFa8cJtxZr_r8QcXhjDG-EcL4jcjtYmCimz0fqaL2BPsxHD2HTnhMqbG9XmvPLTP8Zf-knp1oYnsFWiUOn__BjWbVIZLoVLZeJFk/s1600/f.00.png" /></a></div>
<br />
Do remember that the <b><i>Custom LDAP filter</i></b> has to be a proper LDAP query. As such, the memberOf value has to be a full DN, e.g. cn=Azlabs Staff,cn=users, dc ....<br />
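As an added example (not code from the post or from Gluu), here is how the Custom LDAP filter for the staff group can be built with proper escaping and checked against sample entries in Python; the DN suffix dc=example,dc=local and the AD entries are constructed stand-ins, since the post truncates the real DN.

```python
# Added example, not code from the blog post or from Gluu: building the
# "Custom LDAP filter" that makes Cache Refresh import only members of the
# "Azlabs Staff" AD group. The DN suffix and the sample entries are constructed.
import re

# Constructed placeholder: the post truncates the real DN after "cn=users,".
AZLABS_STAFF_DN = "cn=Azlabs Staff,cn=users,dc=example,dc=local"

# Characters that are special inside an LDAP search filter (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One "attr=value" DN component (simplified: escaped commas are not handled).
_DN_COMPONENT = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

# One equality assertion "(attr=value)" inside a filter; escaped parens are \28 \29.
_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 escaping (\\XX hex pairs back to characters)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def is_full_dn(value: str) -> bool:
    """True when every comma-separated component looks like attr=value.

    memberOf holds the group's full DN, so a bare "Azlabs Staff" never matches.
    """
    parts = [p.strip() for p in value.split(",")]
    return len(parts) >= 2 and all(_DN_COMPONENT.match(p) for p in parts)


def staff_filter(group_dn: str, object_class: str = "user") -> str:
    """Conjunction filter matching users that are memberOf the given group.

    Escaping the DN matters even when it is harmless: an unescaped "*" or ")"
    in a value would widen the match set and sync accounts that were never
    meant to be imported into Gluu.
    """
    if not is_full_dn(group_dn):
        raise ValueError("memberOf must be compared against a full DN, not a CN")
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"(memberOf={escape_filter_value(group_dn)}))")


def matches(entry: dict, filter_str: str) -> bool:
    """Evaluate a flat "(&(a=v)(b=w))" filter against one directory entry.

    Only equality assertions are handled, which is all staff_filter() emits.
    Values are compared case-insensitively, as AD does for DNs and class names.
    """
    if not (filter_str.startswith("(&(") and filter_str.endswith("))")):
        raise ValueError("only flat AND-filters of equality assertions are supported")
    for attr, raw in _ASSERTION.findall(filter_str[2:-1]):
        wanted = unescape_filter_value(raw).lower()
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if wanted not in (v.lower() for v in values):
            return False
    return True


# Constructed sample of what the AD search base returns before filtering.
SAMPLE_AD_ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": ["top", "person", "user"],
     "memberOf": [AZLABS_STAFF_DN, "cn=VPN Users,cn=users,dc=example,dc=local"]},
    {"sAMAccountName": "svc-backup", "objectClass": ["top", "person", "user"],
     "memberOf": ["cn=Service Accounts,cn=users,dc=example,dc=local"]},
    {"sAMAccountName": "printer01", "objectClass": ["top", "computer"], "memberOf": []},
]


def staff_accounts(entries, group_dn: str = AZLABS_STAFF_DN):
    """Account names Cache Refresh would import with the staff filter applied."""
    flt = staff_filter(group_dn)
    return [e["sAMAccountName"] for e in entries if matches(e, flt)]


if __name__ == "__main__":
    print(staff_filter(AZLABS_STAFF_DN))
    print(staff_accounts(SAMPLE_AD_ENTRIES))
```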
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisApxSOxuCZE8uGfEQAx4Ee0Z8uysHLiSsm_a6UmZ91U2tVKdfZFOVJ7GfSySoA_4YpoohfF_eN2r7FdOjwb_SvLSbYftXuH768Uh40CaYTBx_MzJNlBVJU_V-vxF3DuKpvY6wKF06XeU/s1600/f.02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="404" data-original-width="563" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisApxSOxuCZE8uGfEQAx4Ee0Z8uysHLiSsm_a6UmZ91U2tVKdfZFOVJ7GfSySoA_4YpoohfF_eN2r7FdOjwb_SvLSbYftXuH768Uh40CaYTBx_MzJNlBVJU_V-vxF3DuKpvY6wKF06XeU/s1600/f.02.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Wait for the next Cache Refresh to kick in.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhliTbSjj2Wf0MDh6Siscja3il9rglFlkivD3qEn-BieCtZ8-yf4tta_diZC-Nbax2EI9JMsOl2hB9GvvW2mjeqGoYjJXxliv6NZv1ADYdAWpsjjSV5GpnCojwReBhv_cdq4rxvm6jgiYM/s1600/f.04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="526" data-original-width="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhliTbSjj2Wf0MDh6Siscja3il9rglFlkivD3qEn-BieCtZ8-yf4tta_diZC-Nbax2EI9JMsOl2hB9GvvW2mjeqGoYjJXxliv6NZv1ADYdAWpsjjSV5GpnCojwReBhv_cdq4rxvm6jgiYM/s1600/f.04.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Done.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
.</div>
<br />
<b><u>Gluu AD/LDAP Synchronization - Part II</u></b> (2019-06-06)<div class="separator" style="clear: both; text-align: left;">
This is a step-by-step guide to configuring AD Synchronization (Cache Refresh) in Gluu Server. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>There is documentation available <a href="https://gluu.org/docs/ce/3.1.6/user-management/ldap-sync/" target="_blank">here</a>, but I find it too generic and, at times, confusing. Far too wordy, with few graphical illustrations.</i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u>Step 1: Source Backend LDAP Servers</u></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS3ro9n1nLoWU5swFS2I83XAw1pXGuUzi4c6l-32b0xLb7hVE5l0ST0rEXND6IltbBhs6KGf855lGK1AD5d6ayWRGc_PzJOJy-F9_CrfKEVOQgqVUdF-dfQmbtLZ3YvqhBfDDg8EeKwNs/s1600/cr.00.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="416" data-original-width="1018" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS3ro9n1nLoWU5swFS2I83XAw1pXGuUzi4c6l-32b0xLb7hVE5l0ST0rEXND6IltbBhs6KGf855lGK1AD5d6ayWRGc_PzJOJy-F9_CrfKEVOQgqVUdF-dfQmbtLZ3YvqhBfDDg8EeKwNs/s400/cr.00.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click on "Add source LDAP server"</td></tr>
</tbody></table>
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKsT6qbbyaSGa0pKUdZqwxgJSkR8d9DNjXiWa34JYDbvNvBEHhxVS5HFA-72H9H6BUy5KigBYbMNyAw-s-kxLWMA57dnl6R_GeRUDnDT44qN4a3Klx7XAag8cIUkVCIWClfjSDCwQ3xBA/s1600/cr.01.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="907" data-original-width="1014" height="357" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKsT6qbbyaSGa0pKUdZqwxgJSkR8d9DNjXiWa34JYDbvNvBEHhxVS5HFA-72H9H6BUy5KigBYbMNyAw-s-kxLWMA57dnl6R_GeRUDnDT44qN4a3Klx7XAag8cIUkVCIWClfjSDCwQ3xBA/s400/cr.01.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fill in the detail for the backend MS AD server</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx0eCwTuRbqt9Tu-3mOkEapINtSkYsdXFunH_uAZG6dMqbITfkW78zy_3IkzlzIhN3JTE13wDaW1FtQYo72tgj627acpodFPc-rkEg0IsCI15yP61rqgjBLw788mrWek5wU__2VdclH8Q/s1600/cr.02.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="59" data-original-width="340" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx0eCwTuRbqt9Tu-3mOkEapINtSkYsdXFunH_uAZG6dMqbITfkW78zy_3IkzlzIhN3JTE13wDaW1FtQYo72tgj627acpodFPc-rkEg0IsCI15yP61rqgjBLw788mrWek5wU__2VdclH8Q/s320/cr.02.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Appears on top-right of screen when "Test LDAP Connection" is clicked</td></tr>
</tbody></table>
<br />
<br />
<div class="separator" style="clear: both;">
<b><u>Step 2: Customer Backend Key/Attributes</u></b></div>
<div>
<b><u><br /></u></b></div>
<div>
<i>(This is the screen that I have the most opinions about. Why use "Customer", not "Source"? Why "Source" Attribute? How about the rest? Are they not from "Source"? It's not consistent.)</i></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKw9FIsoGhCJCpWl1T6GA-LhT12Zt-E8NJ55pfMZc75aEzsa9wTIXH0V3GbL2pFWcMsh9SPWMc5PYzrYUkpQirmPlcdsyUkwy9g0MGjwfpEy6wRFD7_tB-Hn6bZ0Sp7Rf14ojdmF2wJuw/s1600/cr.03.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="900" data-original-width="1011" height="355" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKw9FIsoGhCJCpWl1T6GA-LhT12Zt-E8NJ55pfMZc75aEzsa9wTIXH0V3GbL2pFWcMsh9SPWMc5PYzrYUkpQirmPlcdsyUkwy9g0MGjwfpEy6wRFD7_tB-Hn6bZ0Sp7Rf14ojdmF2wJuw/s400/cr.03.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Take note that the above should reflect how a Person object is to be fetched from MS AD </td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both;">
<b><u>Step 3: Cache Refresh</u></b></div>
<div>
<b><u><br /></u></b></div>
<div>
<b><u><br /></u></b></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiluupw_aecpTHnsIEyUeuPWHUcYYErF1gO6Grud7-YpsJzfYIlycZ1KBMw0HnBbm5ragVi-lCrjest7mcMDu2CESWeOon1jwieTkTtTeaanN7eYJLJ57QoAOkxuyJgl20MaRp7UaSKpI8/s1600/cr.04.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="983" data-original-width="1004" height="391" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiluupw_aecpTHnsIEyUeuPWHUcYYErF1gO6Grud7-YpsJzfYIlycZ1KBMw0HnBbm5ragVi-lCrjest7mcMDu2CESWeOon1jwieTkTtTeaanN7eYJLJ57QoAOkxuyJgl20MaRp7UaSKpI8/s400/cr.04.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Make sure "Keep external persons" is enabled</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<blockquote class="tr_bq" style="clear: both; text-align: center;">
<span style="color: #660000; font-family: Trebuchet MS, sans-serif;"><i>As documented, "This will allow your default user 'admin' to log into Gluu Server after initial Cache Refresh iteration. If you do not enable 'Keep External Person', your 'admin' user including all other test users will be gone after first Cache Refresh iteration."</i></span></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb3uK0daxcZJ5UR67WbtSQVr9i6PGb3mnHtPKfRz3ioahKakTfDXDbnVRvMZcPbPbhTNvmS2DIGymM_VyMLMo0WOfyTa2P3icQjrlQbebGuOsxxqQwHdU6pJUorJ6tOYO-0U4emOJhJ74/s1600/cr.06.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="546" data-original-width="427" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb3uK0daxcZJ5UR67WbtSQVr9i6PGb3mnHtPKfRz3ioahKakTfDXDbnVRvMZcPbPbhTNvmS2DIGymM_VyMLMo0WOfyTa2P3icQjrlQbebGuOsxxqQwHdU6pJUorJ6tOYO-0U4emOJhJ74/s1600/cr.06.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Left column refers to Source; Right column refers to Destination</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpGcTy9cQMCQ-4ueJSKREACGrU9LPGQ1E5MRIPC6HJUHb0dN6W8G60j8AEKvoZPlzKJhwm5xrNt_ySpxE-qYztYRtDHbz5qCq36vFwP672XOrFcdLuNVAEptFA7bnAfjmd7eCv8UVIAOM/s1600/cr.05.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="205" data-original-width="1001" height="81" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpGcTy9cQMCQ-4ueJSKREACGrU9LPGQ1E5MRIPC6HJUHb0dN6W8G60j8AEKvoZPlzKJhwm5xrNt_ySpxE-qYztYRtDHbz5qCq36vFwP672XOrFcdLuNVAEptFA7bnAfjmd7eCv8UVIAOM/s400/cr.05.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Make sure "Cache Refresh" is enabled</td></tr>
</tbody></table>
<br />
<br />
<br />
<b><u>Step 4: Manage LDAP Authentication</u></b><br />
<br />
Remember this diagram from the previous post?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmkm0CpCLBuwm4tnDC3h1kWNeQ5SWPsM2ivj4z9LnCdWpmBhZwdnSTjQB47_nOckYUWTe3L9y_sUNNdChzSwoocBROu_SlLzkqnSSruGI0Y3lcbp9ziaMrkMoRVN9YSMKK29vIBQblwEs/s1600/cr10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="289" data-original-width="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmkm0CpCLBuwm4tnDC3h1kWNeQ5SWPsM2ivj4z9LnCdWpmBhZwdnSTjQB47_nOckYUWTe3L9y_sUNNdChzSwoocBROu_SlLzkqnSSruGI0Y3lcbp9ziaMrkMoRVN9YSMKK29vIBQblwEs/s1600/cr10.png" /></a></div>
<br />
<br />
What we have done so far is for (2) to work.<br />
<br />
<br />
For (3) to work, we need to navigate to Configuration > Manage Authentication. Scroll to the bottom of the page, click on "Add source LDAP server".<br />
<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWsZ6J-quM7JnhFv0V33J4m5xOJrm6_HWuIMVDDq7nJhGX73AdGjkKMYVFiaJiFI111bdRg55Qt5g_wQX9hkW7vaf4sNIgT052L-MY7sZL5AZeJnO666SEz0AIPGRgB4Cqo7HaSXh-34w/s1600/cr11.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="610" data-original-width="792" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWsZ6J-quM7JnhFv0V33J4m5xOJrm6_HWuIMVDDq7nJhGX73AdGjkKMYVFiaJiFI111bdRg55Qt5g_wQX9hkW7vaf4sNIgT052L-MY7sZL5AZeJnO666SEz0AIPGRgB4Cqo7HaSXh-34w/s400/cr11.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Add MS AD detail. Click "Test LDAP Connection" to ensure connection is OK</td></tr>
</tbody></table>
<br />
<br />
Done.<br />
<br />
.<br />
<br />
<b><u>Gluu AD/LDAP Synchronization</u></b> (2019-06-05)<br />
<br />
In Gluu Server, there is a concept called AD/LDAP Synchronization.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhF_VMdPU2GM5gCLbr_kGUMoYwnhkdSv4ypqu1z8Bf_SogizhFfOeOHzTJ2FM0-pVxKmgnD0kwRLp0LS_3ngTiz1TWeHgnZTS9XiIFc-vJJn-DxcI298bbxScsY1_HpPgQ0QoTyO8cHUg/s1600/gluu.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="53" data-original-width="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhF_VMdPU2GM5gCLbr_kGUMoYwnhkdSv4ypqu1z8Bf_SogizhFfOeOHzTJ2FM0-pVxKmgnD0kwRLp0LS_3ngTiz1TWeHgnZTS9XiIFc-vJJn-DxcI298bbxScsY1_HpPgQ0QoTyO8cHUg/s1600/gluu.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br />
<span style="font-family: "georgia" , "times new roman" , serif;"><i>AD/LDAP Synchronization, a.k.a. Cache Refresh, is the process of connecting one or more existing backend LDAP servers, like Microsoft Active Directory, with the Gluu Server's local LDAP server. Syncing people and attributes from a backend server speeds up authentication transactions. It is possible to perform attribute transformations, changing the name of attributes, or even using an interception script to change the values. Transformations are stored in the Gluu LDAP service.</i></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsXiO8VbgBZ3gAdpS87SnH03Jb2q3wT3uPnlIMBRZTy949QOIJGJsAybGqW4wMBrFRS6CF8o1ENMZ86Za_lofjcIkObImLjkP4v2qcXVqtAnr0elowZRcaWDkDhdPKuVdSO2ZVTXVc6qU/s1600/cr.09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="295" data-original-width="447" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsXiO8VbgBZ3gAdpS87SnH03Jb2q3wT3uPnlIMBRZTy949QOIJGJsAybGqW4wMBrFRS6CF8o1ENMZ86Za_lofjcIkObImLjkP4v2qcXVqtAnr0elowZRcaWDkDhdPKuVdSO2ZVTXVc6qU/s1600/cr.09.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
<br />
<b><i>How does authentication take place?</i></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHKiVLMl1xeS3f2mDYjSyfv_SoXlVq3SmLl7JmxC1dxsV7DXdXrAwj3ppNT8MnecI1UuOw9b_SBnIMv7K6OnfGKFVnSPR96SFB8RXjAqvhUqLLq81dwdPDd8Oo76aqfiq03Rc9rzYWPiw/s1600/cr10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="289" data-original-width="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHKiVLMl1xeS3f2mDYjSyfv_SoXlVq3SmLl7JmxC1dxsV7DXdXrAwj3ppNT8MnecI1UuOw9b_SBnIMv7K6OnfGKFVnSPR96SFB8RXjAqvhUqLLq81dwdPDd8Oo76aqfiq03Rc9rzYWPiw/s1600/cr10.png" /></a></div>
<br />
<br />
Because there is no password stored in the "local copy" of the Gluu LDAP, authentication has to take place on the actual Microsoft Active Directory instead.<br />
<br />
1. User attempts to authenticate with Gluu Server<br />
2. Gluu Server searches if the user exists in "local copy" of the Gluu LDAP<br />
3. If yes, Gluu Server will authenticate against the actual MS AD server with the username and password<br />
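The three-step flow above, modelled as an added Python example (not code from the post or from Gluu): the local copy is a constructed dictionary with no password attribute, and fake_ad_bind stands in for the real bind against MS AD. It also covers the failure mode a pass-through authenticator has to guard against: an empty password forwarded to the backend, which LDAP treats as an unauthenticated bind.

```python
# Added example, not code from the blog post or from Gluu: a model of the
# authentication flow above. The local copy and the AD bind are constructed
# stand-ins; a real deployment binds over LDAPS with an LDAP client library.
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed sample of what Cache Refresh copied into Gluu's local LDAP:
# identity attributes only. Note there is no password attribute at all.
LOCAL_COPY: Dict[str, Dict[str, str]] = {
    "alice": {"uid": "alice", "mail": "alice@example.local",
              "source_dn": "CN=Alice,CN=Users,DC=example,DC=local"},
    "bob": {"uid": "bob", "mail": "bob@example.local",
            "source_dn": "CN=Bob,CN=Users,DC=example,DC=local"},
}

# A bind callback: (DN of the user in MS AD, password) -> bind accepted?
BindFn = Callable[[str, str], bool]


@dataclass
class AuthResult:
    ok: bool
    reason: str
    backend_contacted: bool = False


def authenticate(username: str, password: str, bind: BindFn,
                 local_copy: Dict[str, Dict[str, str]] = LOCAL_COPY) -> AuthResult:
    """Steps 1-3 of the post: look up the local copy, then bind against AD."""
    # Step 2: does the user exist in the local copy? uid is case-insensitive.
    entry = local_copy.get(username.lower())
    if entry is None:
        # Unknown users are rejected without any bind, so the backend never
        # sees credentials for accounts that were not synced.
        return AuthResult(False, "user not in local copy")
    # Guard before step 3: RFC 4513 section 5.1.2 defines a bind with a DN and
    # an empty password as an *unauthenticated* bind, and directories may answer
    # it with success. A pass-through authenticator that forwarded it would let
    # anyone who knows a synced username in. Refuse it here, never at the backend.
    if password == "":
        return AuthResult(False, "empty password refused before bind")
    # Step 3: simple bind against MS AD as the user's own DN with the password.
    accepted = bind(entry["source_dn"], password)
    return AuthResult(accepted,
                      "backend bind accepted" if accepted else "backend bind rejected",
                      backend_contacted=True)


# Constructed stand-in for MS AD. It deliberately accepts an empty password,
# which is how an unauthenticated bind looks to the caller.
_FAKE_AD_PASSWORDS = {"CN=Alice,CN=Users,DC=example,DC=local": "correct-horse-battery",
                      "CN=Bob,CN=Users,DC=example,DC=local": "bob-sample-password"}


def fake_ad_bind(dn: str, password: str) -> bool:
    if password == "":
        return True  # unauthenticated bind "succeeds"
    return _FAKE_AD_PASSWORDS.get(dn) == password


if __name__ == "__main__":
    for user, pw in [("alice", "correct-horse-battery"), ("alice", "nope"),
                     ("mallory", "x"), ("alice", "")]:
        print(user, authenticate(user, pw, fake_ad_bind))
```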
<br />
<br />
This is a slightly different architecture from other SSO products.<br />
<br />
<br />
.<br />
<br />
<b><u>Gluu Unexpected Error - login.errorSessionInvalidMessage</u></b> (2019-06-04)<div class="separator" style="clear: both; text-align: left;">
I was testing Cache Refresh in <a href="https://www.gluu.org/roadmap/" target="_blank">Gluu Server 3.1.6</a> with Microsoft Active Directory being my backend source server. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After configuration, I hit the following error when I wanted to simulate an end-user login.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGTGjtGvhljyIIjIiOeHxp2vP0n84pvw0HqAekwX4PkGWaM-9Zjkw-RRxcnuQT67RIu2S2gzJlqMBj0RzEFtE1d83ziZvKRSt1owNO6IE8f1bKm3clkq1WeD_UN-uIgz3iHoy_P0zspno/s1600/gluu.oops.00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="337" data-original-width="469" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGTGjtGvhljyIIjIiOeHxp2vP0n84pvw0HqAekwX4PkGWaM-9Zjkw-RRxcnuQT67RIu2S2gzJlqMBj0RzEFtE1d83ziZvKRSt1owNO6IE8f1bKm3clkq1WeD_UN-uIgz3iHoy_P0zspno/s400/gluu.oops.00.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
So I went to /opt/gluu/jetty/oxauth/logs/oxauth.log and saw the following debug log:<br />
<br />
<blockquote class="tr_bq">
<span style="color: #990000;"><i>(AuthorizeAction.java:253) - Failed to get CustomScriptConfiguration. auth_step: 1, acr_values: auth_ad_server</i></span></blockquote>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0pNzRa6jeH7oxcNZkBRgUWAqmyJzvjF9RBrVvyGoGk27ooT_073AIBcPHbbVNYmQGFzZfpXtvkgnhFDrA2_k-NmF4LFc-gHTYthOnShYMYb-z7jJEPYHZA4hPbpd0CNeRW-z7BBkkUBY/s1600/gluu.opps.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="65" data-original-width="578" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0pNzRa6jeH7oxcNZkBRgUWAqmyJzvjF9RBrVvyGoGk27ooT_073AIBcPHbbVNYmQGFzZfpXtvkgnhFDrA2_k-NmF4LFc-gHTYthOnShYMYb-z7jJEPYHZA4hPbpd0CNeRW-z7BBkkUBY/s1600/gluu.opps.03.png" /></a><br />
<br />
<br />
I'm stuck! No way to log in either as Gluu Administrator or end-user.<br />
<br />
My last resort was to tweak the configuration database directly. In this case, the OpenDJ directory server is the configuration database that Gluu Server uses.<br />
<br />
<br />
The entry to search for looks similar to <span style="background-color: rgba(236, 236, 236, 0.5); color: #37474f; font-family: "Roboto Mono", "Courier New", Courier, monospace; font-size: 13.6px;"><b>dn: inum=@!1E3B.F133.14FA.5062!0002!4B66.CF9C,<i>ou=appliances,o=gluu</i></b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnASwrqUJMrDPBMC3eax5_dYJmVWhQ_dZNvQ9GP9atHP-HX08JrOf89IQmZI7jCypBe_olcjbpSRR4bD-XOSf_fJTnXh6LU_lMx5nLWAs4v9t1gyJM3-Ftu-Kpw7tE6PX-VjR4UTyjBuk/s1600/gluu.oops.02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="922" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnASwrqUJMrDPBMC3eax5_dYJmVWhQ_dZNvQ9GP9atHP-HX08JrOf89IQmZI7jCypBe_olcjbpSRR4bD-XOSf_fJTnXh6LU_lMx5nLWAs4v9t1gyJM3-Ftu-Kpw7tE6PX-VjR4UTyjBuk/s400/gluu.oops.02.png" width="400" /></a></div>
<br />
<br />
Quite obviously the configuration is screwed up. I have no idea how <b><i>auth_ad_server</i></b> got set as the value for <b>oxAuthenticationMode</b> and <b>oxTrustAuthenticationMode</b> when <u>its enabled value is false</u>!<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxo4-fOhSk9by7HtIFc6TygFKUzBJFkMnV-oCpADuVKYNmOYAhiFytmjUh6hS_OO6gyTt3gii2GBwdqi_itSbWd7OUeIodO2RkLWP3u4bsFGY5UFW8jjEQizWe30myri75ua6I0MINhzI/s1600/gluu.oops.02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="275" data-original-width="570" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxo4-fOhSk9by7HtIFc6TygFKUzBJFkMnV-oCpADuVKYNmOYAhiFytmjUh6hS_OO6gyTt3gii2GBwdqi_itSbWd7OUeIodO2RkLWP3u4bsFGY5UFW8jjEQizWe30myri75ua6I0MINhzI/s1600/gluu.oops.02.png" /></a></div>
<br />
<br />
Manually set them back to auth_ldap_server. Restart oxAuth server. Done!<br />
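A pre-flight check for exactly this lock-out, added here as example code (not a Gluu tool): it reads an LDIF export of the appliance and custom-script entries, flags any <b>oxAuthenticationMode</b> / <b>oxTrustAuthenticationMode</b> value that names a disabled or missing script, and prints the LDIF modify that resets both back to auth_ldap_server. The LDIF below is constructed (the appliance DN is the one from the post, the script inum values are made up), and the assumption that scripts live under ou=scripts,o=gluu with displayName and oxEnabled attributes is mine, not stated in the post.

```python
"""Added example, not Gluu's own tooling: a pre-flight check for the failure in
this post. It reads an LDIF export (constructed below), verifies that the acr
named in oxAuthenticationMode / oxTrustAuthenticationMode belongs to an
*enabled* custom script, and emits the LDIF modify that resets both to a
known-good acr. Assumed Gluu 3.x layout: custom scripts live under
ou=scripts,o=gluu with displayName (the acr name) and oxEnabled."""

MODE_ATTRS = ("oxAuthenticationMode", "oxTrustAuthenticationMode")
FALLBACK_ACR = "auth_ldap_server"      # what the post set the values back to

SAMPLE_LDIF = """\
# Constructed export. The appliance DN is the one from the post; the script
# inum values are made up for this example.
dn: inum=@!1E3B.F133.14FA.5062!0002!4B66.CF9C,ou=appliances,o=gluu
oxAuthenticationMode: auth_ad_server
oxTrustAuthenticationMode: auth_ad_server

dn: inum=EXAMPLE-SCRIPT-1,ou=scripts,o=gluu
displayName: auth_ldap_server
oxEnabled: true

dn: inum=EXAMPLE-SCRIPT-2,ou=scripts,o=gluu
displayName: auth_ad_server
oxEnabled: false
"""


def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, '#' starts a comment,
    a leading space continues the previous value. Base64 ('::') values are
    not decoded. Returns {dn: {attr: [values]}}."""
    entries, current, last = {}, None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            current, last = None, None
            continue
        if raw.startswith(" ") and current is not None and last is not None:
            current[last][-1] += raw[1:]          # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current, last = entries.setdefault(value, {}), None
        elif current is not None:
            current.setdefault(attr, []).append(value)
            last = attr
    return entries


def enabled_acrs(entries):
    """acr names (displayName) of custom scripts whose oxEnabled is true."""
    acrs = set()
    for dn, attrs in entries.items():
        if dn.lower().endswith("ou=scripts,o=gluu") and \
                attrs.get("oxEnabled", ["false"])[0].lower() == "true":
            acrs.update(attrs.get("displayName", []))
    return acrs


def check_appliance(entries):
    """(dn, attribute, acr) for every mode attribute that names a disabled or
    missing script: the state behind 'Failed to get CustomScriptConfiguration
    ... acr_values: auth_ad_server'."""
    good = enabled_acrs(entries)
    return [(dn, attr, acr)
            for dn, attrs in entries.items()
            if dn.lower().endswith("ou=appliances,o=gluu")
            for attr in MODE_ATTRS
            for acr in attrs.get(attr, [])
            if acr not in good]


def repair_ldif(entries, fallback=FALLBACK_ACR):
    """LDIF 'changetype: modify' that resets each broken attribute to the
    fallback acr. Refuses to point the appliance at yet another disabled
    script, which would reproduce the lock-out."""
    if fallback not in enabled_acrs(entries):
        raise ValueError(f"fallback acr {fallback!r} is not an enabled script")
    by_dn = {}
    for dn, attr, _ in check_appliance(entries):
        by_dn.setdefault(dn, []).append(attr)
    out = []
    for dn, attrs in by_dn.items():
        out.append(f"dn: {dn}\nchangetype: modify")
        for attr in dict.fromkeys(attrs):        # dedupe, keep order
            out.append(f"replace: {attr}\n{attr}: {fallback}\n-")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    for problem in check_appliance(data):
        print("broken:", problem)
    print(repair_ldif(data))   # review, apply with ldapmodify, restart oxAuth
```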
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHRLAhyphenhyphenmvsvKeqSe-xYz5P-_wEx6nAD_joGAwDi8GzM7wQ6X-EtDcugd4UAi50Cj5qXInt1BjjhGgHSO1NmTU84HIGG7G2b5JdjoJ12Aco5tZqx8Cs7ZNA0azDi20nblG91B6t0WU4420/s1600/gluu.oops.01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="486" data-original-width="575" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHRLAhyphenhyphenmvsvKeqSe-xYz5P-_wEx6nAD_joGAwDi8GzM7wQ6X-EtDcugd4UAi50Cj5qXInt1BjjhGgHSO1NmTU84HIGG7G2b5JdjoJ12Aco5tZqx8Cs7ZNA0azDi20nblG91B6t0WU4420/s400/gluu.oops.01.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
The login page is back.<br />
<br />
.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<b>The Scope of IAM</b> (Chee Chong, 2019-05-08)<br />
The scope of IAM is getting bigger and bigger ...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDC6tVqo01pbleQmQSxRX0Vw9AKTxVYXiPLD-Hg84auQ9yVhSEzrmFt-ocQ6_8GIGFFJqv6HGQyD18C6Lh08v_M_wOhnhH_W0Ra42fuwKkCPA8P_go-_0KLKUB8pYDn-M7D-sxYAp1LvA/s1600/b14c85ce-9aad-4018-a459-4480e8304bce.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="753" data-original-width="974" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDC6tVqo01pbleQmQSxRX0Vw9AKTxVYXiPLD-Hg84auQ9yVhSEzrmFt-ocQ6_8GIGFFJqv6HGQyD18C6Lh08v_M_wOhnhH_W0Ra42fuwKkCPA8P_go-_0KLKUB8pYDn-M7D-sxYAp1LvA/s400/b14c85ce-9aad-4018-a459-4480e8304bce.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
.<br />
<br />
<b>No SSO</b> (Chee Chong, 2019-03-06)<br />
<div class="separator" style="clear: both; text-align: left;">
Many times during SSO presales or tender presentations, we will be asked the same question again and again - "What if the SSO infrastructure goes down?"</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Ting ... Ting ...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Most of us who have been in this field long enough will respond that high availability has to be in place for such a critical infrastructure. One could go further and elaborate on the reliability of cloud infrastructure like AWS scale-out, AWS availability zone failover, VM Fault Tolerance etc...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Nothing beats an application building its own local authentication as a last resort.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7jHv562stD9bvVIrSsKTQCzvuCcBrKODOyspvWLhVmIX4UI9VnBKWDLUxjS9njh6h3DgSUUtn9O6E37FTUWJnm8epltqBYfSEGCcBXqftP_dS7twxFmhK5LzCvx2rQsaunsW3g5zuiEA/s1600/jira.nosso.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="430" data-original-width="557" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7jHv562stD9bvVIrSsKTQCzvuCcBrKODOyspvWLhVmIX4UI9VnBKWDLUxjS9njh6h3DgSUUtn9O6E37FTUWJnm8epltqBYfSEGCcBXqftP_dS7twxFmhK5LzCvx2rQsaunsW3g5zuiEA/s1600/jira.nosso.png" /></a></div>
<br />
<br />
It's a fact.<br />
<br />
.<br />
<br />
<br />
<b>Implementing Web Policy Agent on with AWS - Part II</b> (Chee Chong, 2019-02-27)<br />
<div class="separator" style="clear: both; text-align: left;">
We know a Policy Server consists of 2 very important components - Authentication and Authorization.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The following diagram is a typical deployment diagram of a traditional SSO architecture with a Web Policy Agent deployed on a web server, that communicates with a Policy Server on the backend. </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0su88Pklgbp6yT6tLPcFUuHzVg4k6KPGDXot2PpUZ5kn4iDBMuQJ9f-uh7Xx2x0q4LUaFOgitwtJti_K7QCHE6YCZYB5WiwVtxFyyZq4DvnVtUnGwSDVwgDm9gBfNmQGPYsb3Ugwlf2c/s1600/tradition-agent%252Boverview.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="253" data-original-width="698" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0su88Pklgbp6yT6tLPcFUuHzVg4k6KPGDXot2PpUZ5kn4iDBMuQJ9f-uh7Xx2x0q4LUaFOgitwtJti_K7QCHE6YCZYB5WiwVtxFyyZq4DvnVtUnGwSDVwgDm9gBfNmQGPYsb3Ugwlf2c/s400/tradition-agent%252Boverview.png" width="400" /></a></div>
<br />
How do we achieve the same in AWS world?<br />
<br />
1. Authentication will be performed at the Login Page which integrates tightly with Amazon Cognito. <i>(By the way, the pricing for Cognito is quite attractive!)</i><br />
<i><br /></i>
2. Authorization will be performed at the "Policy Server", which I discussed in my <a href="https://azlabs.blogspot.com/2019/02/implementing-web-policy-agent-on-with.html" target="_blank">previous post</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm2M1nd65EbCWps8xsRIxEi4DfvPPnwqpFSAl6DmYxVTQgu63PrZpkQnMPPMgOJLK44LZtzs5bn4puWHDU5bmBhfqEFAAMihWSS3wFH1RpFqogqUcTR1q7tsTF9fPdKj8wVn1qmXX5ZXQ/s1600/Architecture-Copy+of+AWS+CDSSO+%25282%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="415" data-original-width="531" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm2M1nd65EbCWps8xsRIxEi4DfvPPnwqpFSAl6DmYxVTQgu63PrZpkQnMPPMgOJLK44LZtzs5bn4puWHDU5bmBhfqEFAAMihWSS3wFH1RpFqogqUcTR1q7tsTF9fPdKj8wVn1qmXX5ZXQ/s1600/Architecture-Copy+of+AWS+CDSSO+%25282%2529.png" /></a></div>
<br />
<br />
In fact, we can do better than that for the Authorization.<br />
<br />
In the modern world, APIs are everywhere. We can have an API Gateway that exposes an <b><i>isAuthorized</i></b> API. The "Policy Agent" will "ask" the API Gateway whether a user is authorized or not.<br />
<br />
In addition, we can implement fine-grained authorization by building entitlement microservices.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfMqShixiqJ_OObjOVYJWO8sg_P-3ptO_skgPqYrAshWgcujt6554BhW3u3wtfp8LGkjbknAk011edssDXl3iIXcJJPXzf_01F0vj-GNPAPjMp9aafLtOBaeQW1GoDOsANdE9QW2F5JmY/s1600/Architecture-AWS+Policy+Agent.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="545" data-original-width="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfMqShixiqJ_OObjOVYJWO8sg_P-3ptO_skgPqYrAshWgcujt6554BhW3u3wtfp8LGkjbknAk011edssDXl3iIXcJJPXzf_01F0vj-GNPAPjMp9aafLtOBaeQW1GoDOsANdE9QW2F5JmY/s1600/Architecture-AWS+Policy+Agent.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As long as we introduce a clean interface for the entitlement microservice, customers can own this piece of work to implement their own business logic and plug-in to the authorization framework anytime. </div>
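One way to shape the <b><i>isAuthorized</i></b> API and the "clean interface" for the entitlement microservice, added here as example code and not the Azlabs implementation behind the diagrams. It assumes an API Gateway Lambda proxy integration with a Cognito authorizer (the username read from the authorizer claims), that the agent passes the resource path and HTTP method as query string parameters, and a constructed policy table; the entitlement provider is a stand-in a customer would replace with their own service.

```python
"""Added example (not the Azlabs code behind the diagrams): the isAuthorized
API the "Policy Agent" calls, with the entitlement lookup behind a small
interface so a customer can plug in its own microservice. Assumptions: API
Gateway proxy integration, user already authenticated by Cognito, agent sends
the resource path and HTTP method it is protecting."""
import json
import posixpath
from abc import ABC, abstractmethod
from fnmatch import fnmatchcase


class EntitlementProvider(ABC):
    """The clean interface the post asks for: one question, one answer."""

    @abstractmethod
    def entitlements(self, username: str) -> set:
        """Entitlement names granted to this user (empty set if unknown)."""


class StaticEntitlements(EntitlementProvider):
    """Constructed stand-in for a customer's entitlement microservice."""

    def __init__(self, table):
        self._table = table

    def entitlements(self, username):
        return set(self._table.get(username, ()))


# Constructed policy: (resource pattern, allowed methods, entitlement needed).
# None means the resource is open to any authenticated user.
POLICY = [
    ("/hr/*",      {"GET", "POST"}, "hr-staff"),
    ("/hr/*",      {"GET"},         "hr-readonly"),
    ("/finance/*", {"GET"},         "finance-viewer"),
    ("/public/*",  {"GET"},         None),
]

DEFAULT_PROVIDER = StaticEntitlements({
    "alice": ["hr-staff"], "bob": ["hr-readonly"], "carol": ["finance-viewer"],
})


def is_authorized(provider, username, resource, method):
    """Deny by default: allow only when a rule matches resource+method and the
    user holds that rule's entitlement (or the rule needs none)."""
    # Normalise first so "/hr/../finance/x" is judged as "/finance/x" and
    # cannot borrow the /hr/* rule.
    resource = posixpath.normpath(resource)
    method = method.upper()
    granted = None
    for pattern, methods, needed in POLICY:
        if method in methods and fnmatchcase(resource, pattern):
            if needed is None:
                return True
            if granted is None:
                granted = provider.entitlements(username)  # one call per decision
            if needed in granted:
                return True
    return False


def handler(event, context=None, provider=None):
    """API Gateway (Lambda proxy) entry point. Reads the Cognito username from
    the authorizer claims and resource/method from the query string (assumed
    contract between agent and gateway); malformed requests are refused."""
    provider = provider or DEFAULT_PROVIDER
    try:
        claims = event["requestContext"]["authorizer"]["claims"]
        username = claims["cognito:username"]
        qs = event.get("queryStringParameters") or {}
        resource, method = qs["resource"], qs["method"]
    except (KeyError, TypeError):
        return {"statusCode": 400,
                "body": json.dumps({"isAuthorized": False, "error": "bad request"})}
    decision = is_authorized(provider, username, resource, method)
    return {"statusCode": 200, "body": json.dumps({"isAuthorized": decision})}


if __name__ == "__main__":
    sample = {"requestContext": {"authorizer": {"claims": {"cognito:username": "bob"}}},
              "queryStringParameters": {"resource": "/hr/payroll", "method": "POST"}}
    print(handler(sample))
```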
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
.</div>
<b>Implementing Web Policy Agent on with AWS</b> (Chee Chong, 2019-02-25)<br />
<div class="separator" style="clear: both; text-align: left;">
In my previous post on <a href="https://azlabs.blogspot.com/2019/02/cross-domain-single-sign-on-with-aws.html" target="_blank">Single Sign-On with AWS Cognito</a>, my team successfully demonstrated a way to implement Cross-Domain Single Sign-On with AWS Cognito. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There are many ways to implement SSO. For a start, since Azlabs is very familiar with how Single Sign-On works, the team chose to minimize the changes required on existing applications that were protected by traditional web policy agents. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The assumption is that if any of our customers were to port over to AWS, there would be minimal impact during migration. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
How can we achieve this? </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let's take a look at how traditional SSO works. </div>
<div class="separator" style="clear: both; text-align: left;">
1. There is a Policy Server where A+A (Authentication & Authorization) takes place</div>
<div class="separator" style="clear: both; text-align: left;">
2. There is a Web Server where a web application (Web Resource) is deployed</div>
<div class="separator" style="clear: both; text-align: left;">
3. There is a Web Policy Agent sitting on the same Web Server intercepting traffic to the Web Resource. </div>
<div class="separator" style="clear: both; text-align: left;">
4. The Web Policy Agent queries the Policy Server for A+A decisions.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u>Illustration 1</u></b></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz_ZAglDtUy8h5na0R2Y1xdO-7BSwCxMzYxkFmiDjBk0HO-8HgT3owoD1hq1I_oP7QO6gGFrqVHRCnrGfAkethYaSjSB15NWilK9tnzV_caytPwILD3v2g8UzkL3Xusp_2H0oQnVQelcU/s1600/tradition-policy-agent.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="173" data-original-width="730" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz_ZAglDtUy8h5na0R2Y1xdO-7BSwCxMzYxkFmiDjBk0HO-8HgT3owoD1hq1I_oP7QO6gGFrqVHRCnrGfAkethYaSjSB15NWilK9tnzV_caytPwILD3v2g8UzkL3Xusp_2H0oQnVQelcU/s400/tradition-policy-agent.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u>Illustration 2</u></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihWMWbrlarwrMOS0N7u9tCCcpTh3cLi1n_fl3qnZja1fJLhThtuoSt3uH4OEH_viYs4WT4U6s8uJM3Uc2l8CoAN6NW-SLFD0H9kW_NBWtgBx912fnsGEyisRvqn30BZNOvf0LPGzY0iPM/s1600/tradition-agent%252Boverview.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="253" data-original-width="698" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihWMWbrlarwrMOS0N7u9tCCcpTh3cLi1n_fl3qnZja1fJLhThtuoSt3uH4OEH_viYs4WT4U6s8uJM3Uc2l8CoAN6NW-SLFD0H9kW_NBWtgBx912fnsGEyisRvqn30BZNOvf0LPGzY0iPM/s400/tradition-agent%252Boverview.png" width="400" /></a></div>
<br />
<br />
Let's build a "Policy Agent + Policy Server" concept in AWS!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilfk8dlTTxmBEC4RX1xCCMLxCNdmJVBKxQRvW8p-W1SYpnEx3eqUNqVhwwvmlsowKkcRgxInQpZruZw8RJokefElx6zVOX4RLcOkEGkKZplelLOsXLGJwjY_EYRCypLJW_WLHvoEpUCTw/s1600/AWS+Policy+Server.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="426" data-original-width="410" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilfk8dlTTxmBEC4RX1xCCMLxCNdmJVBKxQRvW8p-W1SYpnEx3eqUNqVhwwvmlsowKkcRgxInQpZruZw8RJokefElx6zVOX4RLcOkEGkKZplelLOsXLGJwjY_EYRCypLJW_WLHvoEpUCTw/s400/AWS+Policy+Server.png" width="383" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
.<br />
<br />
<br />
<b>Cross-Domain Single Sign-On with AWS Cognito</b> (Chee Chong, 2019-02-23)<br />
We have been exploring how to implement cross-domain single sign-on (CDSSO) on the AWS platform for a while.<br />
<br />
The underlying user store is <a href="https://aws.amazon.com/cognito/" target="_blank">Amazon Cognito</a> User Pools. It provides a secure user directory that scales to hundreds of millions of users.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgICviX1Nzk6pwR11i2XkGtbb4RvdDLhtXHs-95pNgpD99kUtqQMlhmixwXJ38zsFmTZaENzJQoIpPNG_W-f1X1evNjL_VPleLt7BV_l8aQDKvgyPqqBf2C3dq6eeErNgnIPDoPpQjUms0/s1600/aws.cognito.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="222" data-original-width="596" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgICviX1Nzk6pwR11i2XkGtbb4RvdDLhtXHs-95pNgpD99kUtqQMlhmixwXJ38zsFmTZaENzJQoIpPNG_W-f1X1evNjL_VPleLt7BV_l8aQDKvgyPqqBf2C3dq6eeErNgnIPDoPpQjUms0/s400/aws.cognito.png" width="400" /></a></div>
<br />
<blockquote class="tr_bq">
Using Cognito out of the box, <span style="color: #0c343d; font-family: "georgia" , "times new roman" , serif;"><b><i>Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0</i></b></span>.</blockquote>
<br />
That's it. In fact, it's mostly mobile-centric and supports a single domain for single sign-on.<br />
<br />
To support CDSSO, we need more components from the AWS family to come into play - AWS Fargate acting as Session Validator, AWS Lambda acting as Cookie Generator/Destroyer and AWS RDS acting as Session Store.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN4xVBR5NvlutkEDPkgAMqsttCIQXaa3w5JvyGVYLkW8iF4zaZQOlwGK-viT6w2QS8_2B1dvd81rDQ6Mjc0eIp77RC8F9aGzB3tqvW3KaNNzhgvJJli1DEpfxz2dFqdex7UGOaow3AoNo/s1600/Architecture-AWS+CDSSO.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="583" data-original-width="830" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN4xVBR5NvlutkEDPkgAMqsttCIQXaa3w5JvyGVYLkW8iF4zaZQOlwGK-viT6w2QS8_2B1dvd81rDQ6Mjc0eIp77RC8F9aGzB3tqvW3KaNNzhgvJJli1DEpfxz2dFqdex7UGOaow3AoNo/s400/Architecture-AWS+CDSSO.png" width="400" /></a></div>
<br />
<br />
We demoed to a customer yesterday and they were impressed.<br />
<br />
To speed up the authentication process, <a href="https://www.amazonaws.cn/en/elasticache/" target="_blank">Amazon ElastiCache</a> can be used to replace or complement AWS RDS. That would be our next demo.<br />
<br />
<br />
.<br />
<br />
<b>BeyondTrust Privileged Access Management Platform</b> (Chee Chong, 2019-01-23)<br />
I just realized it has been a long while since I last blogged. I have been super busy with the new direction of the company and making customers happy.<br />
<br />
Today, I tried to source for a PAM (Privileged Access Management) solution for my customer who has his infrastructure on AWS. As such, an appliance-based PAM solution does not make sense.<br />
<br />
Then I came across <a href="https://www.beyondtrust.com/" target="_blank">BeyondTrust</a>. Not totally new to me since I have friends working there. But there has been <a href="https://www.beyondtrust.com/company/acquisition" target="_blank">great changes in 2018</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqWFjrSxVUZpP6G2zb9-lV4P_TE3FOa1jJ-TdnEscrB1k7u14MwhJV_Jn-cD8ijllqXalLOTP3zPVoblgfBaANx5cSO0NLzacNvsHsN07CoI_WZzKeji2rC4MW2_WqWSbVX_uHuSQpSwQ/s1600/bt.00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="72" data-original-width="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqWFjrSxVUZpP6G2zb9-lV4P_TE3FOa1jJ-TdnEscrB1k7u14MwhJV_Jn-cD8ijllqXalLOTP3zPVoblgfBaANx5cSO0NLzacNvsHsN07CoI_WZzKeji2rC4MW2_WqWSbVX_uHuSQpSwQ/s1600/bt.00.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<blockquote class="tr_bq">
<span style="font-size: 16px; letter-spacing: 0.16px;"><span style="color: purple; font-family: Georgia, Times New Roman, serif;"><i>2018 was a game-changing year for the Privileged Access Management market. <b>Lieberman, Avecto and BeyondTrust were all acquired by Bomgar</b> and, in 2019, we will launch the new BeyondTrust. Bringing together these best-of-breed technologies allows us to deliver the most comprehensive PAM solution to date.</i></span></span></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: start;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Wow! 4-in-1!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWamNVt8NTswySGVe-qkYyGNIpfynojMjm0MYcDDfyqixjEnFSZUunDa1Sx58QJwIbqjzJCkC-hXAI0kkhV_lMuauylUjfq1wv7-aNRz4M8yzPj5ym9VxRYLjKnozvyo6B8ZfYkb8mWoY/s1600/bt.01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="603" data-original-width="978" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWamNVt8NTswySGVe-qkYyGNIpfynojMjm0MYcDDfyqixjEnFSZUunDa1Sx58QJwIbqjzJCkC-hXAI0kkhV_lMuauylUjfq1wv7-aNRz4M8yzPj5ym9VxRYLjKnozvyo6B8ZfYkb8mWoY/s400/bt.01.png" width="400" /></a></div>
<br />
<br />
Hope to do some businesses with BeyondTrust!<br />
<br />
<br />
.<br />
<br />
<b>SSO Migration in 10 (+3) weeks ... People matters!</b> (Chee Chong, 2018-10-31)<br />
I have a long-time SSO customer who came back to me after 6 months of "ditching" us. Well, the actual fact was that a new VP came in and we did not get along well. Anyway, he couldn't deliver after 6 long months and he was out of the game. The old VP called me immediately after she was reassigned to the SSO infrastructure.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEwk6hBvJMa-zkRUdAhZZ-gZcv1OZ5h4Khk1ULAW74USQu-C-XA-Lps0zYK_aVgUlhDgoGZ_SwO_DKKifAC3v7grv6jDUOa_GTHcp8yohnU5SQYghczQphZmSsqeEjnrdMfsOrx_-ShK0/s1600/people-bwi11.jpg" imageanchor="1"><img border="0" data-original-height="450" data-original-width="600" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEwk6hBvJMa-zkRUdAhZZ-gZcv1OZ5h4Khk1ULAW74USQu-C-XA-Lps0zYK_aVgUlhDgoGZ_SwO_DKKifAC3v7grv6jDUOa_GTHcp8yohnU5SQYghczQphZmSsqeEjnrdMfsOrx_-ShK0/s1600/people-bwi11.jpg" width="320" /></a></div>
<br />
<br />
I'm very familiar with their environment and even though there is a lot of customization, I promised the whole migration would only take 10 weeks. Yes, a major jump in software version. A lot of code rewrites. A lot of Java code decompilation as the software has gone closed-source. It was real fun!<br />
<br />
I brought in my best team. And we are going live this coming Sunday! (Ok, customer requested to delay go-live for another 3 weeks as there is 1 site that customer would not want to migrate to the new platform. Thus communication with their end-customers is required to shut down that site.)<br />
<br />
Last mile, and we were talking about the Cut-Over Plan yesterday.<br />
<br />
I joined in the discussion. Towards the end of the discussion, the customer looked at me and asked me if I had any comments. My only request was: "<b><i>Give me the same set of people who had performed the dry-run weeks before.</i></b>"<br />
<br />
It is going to be a real long night this Sunday and a lot of eyes are on the whole team. I told the manager of the application teams not to assign people based on availability (<i>you know, as this is a midnight job, the seniors will always find excuses not to be involved</i>), but based on experience and capability. Don't give me someone who has no idea what is going on.<br />
<br />
People matters!<br />
<br />
<b>One Identity Cloud Access Manager - STS Windows Service</b> (Chee Chong, 2018-06-07)<br />
<div class="separator" style="clear: both; text-align: left;">
In a <a href="https://www.oneidentity.com/products/cloud-access-manager/" target="_blank">One Identity Cloud Access Manager</a> deployment, there is an STS host and a Proxy host. The Proxy host acts as the reverse proxy to protected applications, as well as serving the Login Page.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf9tN3CuVyE47Snzip4k8S5DyBl3DcPh4Ybq5X_kzoHqWCbsyUq5xhSuoaL8XOmVbt5GfZOZL0XK-nFIm4I9oxTWquvYvEc1O7gSWZe1P27u1zRASs-W9r-v59IVjeWwLiLWLInI7292A/s1600/cam.ha.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1048" data-original-width="1600" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf9tN3CuVyE47Snzip4k8S5DyBl3DcPh4Ybq5X_kzoHqWCbsyUq5xhSuoaL8XOmVbt5GfZOZL0XK-nFIm4I9oxTWquvYvEc1O7gSWZe1P27u1zRASs-W9r-v59IVjeWwLiLWLInI7292A/s400/cam.ha.png" width="400" /></a></div>
<br />
<br />
On the Proxy host, if you ever need to restart the service, a quick search for <b><i>One Identity Cloud Access Manager Proxy</i></b> does the job. Fairly easy to locate.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ6yowELP-tzz2w1eK5ATOXxS0iPxLWC2yXWZwYZ8YeMsnJVvpfc_2hSjQ8omg-jD0E1P5bzcIlntZnzllskhqqvwo3PDmNZh6cuMyGuEtIWV9XC2NBOwAb3DX1NPOLXv6tsEtYjq-I-Y/s1600/cam.svc.proxy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="340" data-original-width="603" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ6yowELP-tzz2w1eK5ATOXxS0iPxLWC2yXWZwYZ8YeMsnJVvpfc_2hSjQ8omg-jD0E1P5bzcIlntZnzllskhqqvwo3PDmNZh6cuMyGuEtIWV9XC2NBOwAb3DX1NPOLXv6tsEtYjq-I-Y/s400/cam.svc.proxy.png" width="400" /></a></div>
<br />
<br />
On the STS host, if you need to restart the service, you are out of luck. It took me a while initially. I just could not locate any service that starts with "<i><b>One Identity ...</b></i>".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNUhN_FLuLBjjehXMwHMg7Af2_fUpijUsFX3963lDg2qsrqrxzKyk4eamOiQjG_scFUuZoS2SWKdYmK6PUnWjfLYjokcWb5Y5RjhumYiPyF39Bsa7ZTqjJkjdePolKjXNo8w52G4QGKNk/s1600/cam.svc.sts.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="416" data-original-width="626" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNUhN_FLuLBjjehXMwHMg7Af2_fUpijUsFX3963lDg2qsrqrxzKyk4eamOiQjG_scFUuZoS2SWKdYmK6PUnWjfLYjokcWb5Y5RjhumYiPyF39Bsa7ZTqjJkjdePolKjXNo8w52G4QGKNk/s400/cam.svc.sts.png" width="400" /></a></div>
<br />
<br />
To do so, search for "<b><i>Redistributable Secure Token Server</i></b>" instead.<br />
<br />
<br />
Weird and inconsistent naming convention indeed!<br />
<br />
<br />
.<br />
<br />
<br />
<b>One Identity Cloud Access Manager - Notifications</b> (Chee Chong, 2018-06-06)<br />
<div class="separator" style="clear: both; text-align: left;">
I found a good feature in One Identity Cloud Access Manager today - <i>Reminder to turn off detailed message logging</i>.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEXVk8HlieRFphry3Ct7-xzSrHYauFEQ7L9S76Dn-9KsQWJNURmNlHDLtrZY18NoNE-z10pzuz_85Yhle9gmZRaSFnpXR8dzzo_UqFf7IGTNMTbioIeT4K-tDUnKP2vZt3hqRczfMyUoo/s1600/cam.debug.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="701" data-original-width="970" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEXVk8HlieRFphry3Ct7-xzSrHYauFEQ7L9S76Dn-9KsQWJNURmNlHDLtrZY18NoNE-z10pzuz_85Yhle9gmZRaSFnpXR8dzzo_UqFf7IGTNMTbioIeT4K-tDUnKP2vZt3hqRczfMyUoo/s400/cam.debug.png" width="400" /></a></div>
<br />
<br />
So I was debugging something yesterday and totally forgot to turn off detailed message logging. I was at the admin console a while ago and saw a new notification at the top right of the dashboard.<br />
<br />
Being curious, I took a look and was reminded to turn off detailed message logging as "Keeping detailed message logging turned on impacts performance".<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1gm5OnUXHwDdEEKND-Bww7n2IlHxnSxYR5CWohJhm6Eyhp3naJp0pj7pEOnpYsLh_zbpXMURBYRNBt3wdH8Xvrjo-mca5FrYVsEukwv_ovHktnEMez202cLGi-ApHzCAIjVZrcQzXa8/s1600/OneIdentity_final_logo_Vertical-1-830x1019.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1019" data-original-width="830" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1gm5OnUXHwDdEEKND-Bww7n2IlHxnSxYR5CWohJhm6Eyhp3naJp0pj7pEOnpYsLh_zbpXMURBYRNBt3wdH8Xvrjo-mca5FrYVsEukwv_ovHktnEMez202cLGi-ApHzCAIjVZrcQzXa8/s320/OneIdentity_final_logo_Vertical-1-830x1019.png" width="259" /></a></div>
<br />
Not a hard feature to implement, but I seldom see this in other products. A good reminder to my team, which is currently busy with their little product development.<br />
<br />
.<br />
<br />
Post of 2018-06-05: One Identity Cloud Access Manager - Database Snapshot<div class="separator" style="clear: both; text-align: left;">
Cloud Access Manager provides a utility feature for customers to download a snapshot of the CAM database. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyb_AAcbWi16fmdTpV5CwldPU7iqkJkq6aFkDJXAiwngmihf6t1d1Ruew8I_Lo7wgdE3RPEygFs_luu_zxheMkUd4sAP9hictK8x3cxrGr0FTlcPG7WPrPXUAsxdn2e_MhXj-uQQEH1To/s1600/cam.debug.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="521" data-original-width="520" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyb_AAcbWi16fmdTpV5CwldPU7iqkJkq6aFkDJXAiwngmihf6t1d1Ruew8I_Lo7wgdE3RPEygFs_luu_zxheMkUd4sAP9hictK8x3cxrGr0FTlcPG7WPrPXUAsxdn2e_MhXj-uQQEH1To/s1600/cam.debug.png" /></a></div>
<br />
<br />
This could be helpful when raising a support ticket. Other products have a similar feature to capture a snapshot of the current configuration. However, none is as convenient as this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1gm5OnUXHwDdEEKND-Bww7n2IlHxnSxYR5CWohJhm6Eyhp3naJp0pj7pEOnpYsLh_zbpXMURBYRNBt3wdH8Xvrjo-mca5FrYVsEukwv_ovHktnEMez202cLGi-ApHzCAIjVZrcQzXa8/s1600/OneIdentity_final_logo_Vertical-1-830x1019.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1019" data-original-width="830" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1gm5OnUXHwDdEEKND-Bww7n2IlHxnSxYR5CWohJhm6Eyhp3naJp0pj7pEOnpYsLh_zbpXMURBYRNBt3wdH8Xvrjo-mca5FrYVsEukwv_ovHktnEMez202cLGi-ApHzCAIjVZrcQzXa8/s320/OneIdentity_final_logo_Vertical-1-830x1019.png" width="260" /></a></div>
<br />
Pretty good!<br />
<br />
<br />
.<br />
<br />
Post of 2018-06-02: Accredited Consultant
ForgeRock Access Management Accredited Consultant<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhstxvw_vAssdvaqqDLjei8SYYse5Kh8C7Iz_V1NdjBy039ZadWb0vjeJDGhFhHzM2f5lmxbWX-xoyFzQthj-CIKK5RvpLB2bwSTeZdNrrB1Q4Q-G_UnFgdhglF_jNNUafKldSyoom0fJ8/s1600/achievement-am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="352" data-original-width="352" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhstxvw_vAssdvaqqDLjei8SYYse5Kh8C7Iz_V1NdjBy039ZadWb0vjeJDGhFhHzM2f5lmxbWX-xoyFzQthj-CIKK5RvpLB2bwSTeZdNrrB1Q4Q-G_UnFgdhglF_jNNUafKldSyoom0fJ8/s320/achievement-am.png" width="320" /></a></div>
<br />
<br />
ForgeRock sent me this yesterday. Nice gesture. I take.<br />
<br />
<br />
Just a few weeks ago, I was told by one of my consultants (btw, he is a ForgeRock Identity Management Accredited Consultant) that a young punk from another company boasted to him that he is ForgeRock Access Management certified.<br />
<br />
Nothing to be great of. Uncle me accredited keeping a low profile here.<br />
<br />
When you are capable, you just dig in and work harder. You don't need to show off. Customers have bright eyes.<br />
<br />
.<br />
<br />
<br />
<br />
Post of 2018-05-24: Magic Quadrant for Full Life Cycle API Management (2018)<div class="separator" style="clear: both; text-align: left;">
The latest magic quadrant for Full Life Cycle API Management has been released a month ago. I just received a mailer from CA. </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEile7UY-hZ1qreDoPZQlALWBKIq7r6JF_4V1qcFJhIg-CKk4Bjnxll2ktw-3Y3EpUFUuOAgpbBn768dy2cqUZi-ZuC2v3S5UWCsvdMg3ELrTGXP4vvEwggrl9ovnsr2Jt43SAEiGnc9oxI/s1600/319327_0001.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1393" data-original-width="1393" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEile7UY-hZ1qreDoPZQlALWBKIq7r6JF_4V1qcFJhIg-CKk4Bjnxll2ktw-3Y3EpUFUuOAgpbBn768dy2cqUZi-ZuC2v3S5UWCsvdMg3ELrTGXP4vvEwggrl9ovnsr2Jt43SAEiGnc9oxI/s400/319327_0001.png" width="400" /></a></div>
<br />
<br />
Well done, CA Technologies remains in the Leaders quadrant. Not sure why Google (Apigee) is so high up, as we don't see much competition from them in this region. As long as you are totally cloud-based in this region, especially Singapore, you're basically out of the game. I'm saying if you are looking for large customers. The game is still very much on-premise.<br />
<br />
Interestingly, Tyk has made it to the Niche Players quadrant. That's real hard work for a new player who has been in this market for less than 5 years. Really impressive! Kudos to the Tyk team!<br />
<br />
<br />
.<br />
<br />
<br />
<br />
Post of 2018-05-22: What API is not about and about?<div class="separator" style="clear: both; text-align: left;">
My team has been covering a potential customer for a while with regard to an API Gateway deployment. POC done. Presentation done. Then a competitor came in to disrupt ... it's common. Singapore is a saturated market. There is a finite number of customers to chase after. If customers don't come to you and you hear that they are looking at a product from your competitor, you quickly go in to disrupt the market. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you are the product principal and you have the time and energy and a willing partner, then you will do this sort of thing. I'm someone who is not too keen to do this. The pie is always big enough for everyone, that's my view. If you go in to disrupt the market, you're usually going into a price war. It's not about product superiority anymore. More importantly, the quality of the consultants is not considered. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This is a vicious cycle. Nothing good will come out of it. Customers think they are getting a good deal. I say they are mostly blind. Partners/Vendors are not stupid either. If a partner bids with a superbly low price, you think the partner will give you his best consultants? You pay peanuts, you get monkeys. As simple as that. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Anyway, I went in to make my last presentation. I only showed 2 slides. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgOvPdWjImeh2voBsWJsPMgKmhyu1PwSa9kjGbjEoAJi-4E_vY9aI-SsfXsl3ESQE-p7-gUsIqLDwrv7kJWgLHWuiSCYg3BvjbPJMHLnmJQGB9FMwnmR3E0JbOoSKODyno72Nx1CfIB-Q/s1600/api.00.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1007" data-original-width="1553" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgOvPdWjImeh2voBsWJsPMgKmhyu1PwSa9kjGbjEoAJi-4E_vY9aI-SsfXsl3ESQE-p7-gUsIqLDwrv7kJWgLHWuiSCYg3BvjbPJMHLnmJQGB9FMwnmR3E0JbOoSKODyno72Nx1CfIB-Q/s400/api.00.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
API is really not about Secure File Transfer, Security, Throttling and Message Queues. These are given. If a gateway has no such features, they will never get a chance into the board room in customers' place. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Honestly, 80-90% of the API products out there in the market have similar features. All are equally good. Why? For most customers (80%), they only use a subset of features (20%). I can confidently say most API products meet the requirements of most customers. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtUuuFdH7rdDgMnV-g-EWg01E87pPWwo4Qg7GT9HhDoo43VPVIFTvWZDu4RPlEYW2J_gJ-uvEP5aPFAfrrqfJ90cPUFcJI5UhkVFVJOECgwe1M7lu7j1HtUwglsi8q31wF8QlRlcfxtbc/s1600/api.02.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="640" data-original-width="1137" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtUuuFdH7rdDgMnV-g-EWg01E87pPWwo4Qg7GT9HhDoo43VPVIFTvWZDu4RPlEYW2J_gJ-uvEP5aPFAfrrqfJ90cPUFcJI5UhkVFVJOECgwe1M7lu7j1HtUwglsi8q31wF8QlRlcfxtbc/s400/api.02.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
API is really about People - Customer & Vendor. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I know that the competitor is partnering with a SI that does mostly systems related work - PAM, Secured File Transfer. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In our experience, these types of people are only used for 20% of the total time spent in a typical API project. They are utilized during the Build phase and the Maintenance/Patching phase. In the Build phase especially, my own experience told me that my API Consultants are of no use here. They simply do not understand networking, firewall, zoning, routing, high-availability, scaling, hardening, vulnerability assessment, security scanning. This is where a trained Systems Consultant is useful. They will be able to work effectively with the Network Security team on the customer's side. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But as soon as the Build phase is over, the Systems Consultants become totally "useless". This is where API Consultants come in. They are there to help Customers with "<b><i>Discover, Simplify, Transform, Add Values</i></b>". In short, to provide API Design services. This usually takes up 80% of the total time spent in typical API projects.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
API is all about proper thought process. It's not a simple "Oh, let's create a new API and map it 1-to-1 with your backend service". An intern will do! Why spend so much money?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
.
Post of 2018-05-17: SAML-message with NotBefore<div class="separator" style="clear: both; text-align: left;">
I was integrating our corporate JIRA with One Identity Cloud Access Manager via SAML2. I chose the plugin from <a href="https://wiki.resolution.de/doc/saml-sso/2.2.x/jira" target="_blank">Resolution GmbH</a>. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpJoZZiswraIi4u8b8Ct8fOeMeQM1KpZZsdVhuYWIVLUOl2Q3dXuEvbMy6QIp4I1NUhOrgMKl6ODSgWX4fpU_ILXxeZsCl4Tgjuo5psQKUJnLypFPUbkvlKkpAoxzn-yD9sWUM-oJE5pI/s1600/jira.saml.00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="188" data-original-width="733" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpJoZZiswraIi4u8b8Ct8fOeMeQM1KpZZsdVhuYWIVLUOl2Q3dXuEvbMy6QIp4I1NUhOrgMKl6ODSgWX4fpU_ILXxeZsCl4Tgjuo5psQKUJnLypFPUbkvlKkpAoxzn-yD9sWUM-oJE5pI/s400/jira.saml.00.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Integration was a breeze. Their wizard is brilliant! I got the whole integration completed successfully within 15 minutes.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1gm5OnUXHwDdEEKND-Bww7n2IlHxnSxYR5CWohJhm6Eyhp3naJp0pj7pEOnpYsLh_zbpXMURBYRNBt3wdH8Xvrjo-mca5FrYVsEukwv_ovHktnEMez202cLGi-ApHzCAIjVZrcQzXa8/s1600/OneIdentity_final_logo_Vertical-1-830x1019.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1019" data-original-width="830" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1gm5OnUXHwDdEEKND-Bww7n2IlHxnSxYR5CWohJhm6Eyhp3naJp0pj7pEOnpYsLh_zbpXMURBYRNBt3wdH8Xvrjo-mca5FrYVsEukwv_ovHktnEMez202cLGi-ApHzCAIjVZrcQzXa8/s200/OneIdentity_final_logo_Vertical-1-830x1019.png" width="162" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
One issue I encountered was - "SAML-message with NotBefore xxx is not valid yet."</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2heEdADrKtESIH0bXLEtMdEHH2_pEBl5JOTdfO4Tkd3PyLhGpuNnAy6uc-Ze7X8IABGUnVe53_xY-rQs4Ij1H58UrdT5gSkFp3DQTDQou8WoIPoMTn_1V5jGdxZ05Lw8cQYGsvx56PWk/s1600/jira.saml.04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="197" data-original-width="550" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2heEdADrKtESIH0bXLEtMdEHH2_pEBl5JOTdfO4Tkd3PyLhGpuNnAy6uc-Ze7X8IABGUnVe53_xY-rQs4Ij1H58UrdT5gSkFp3DQTDQou8WoIPoMTn_1V5jGdxZ05Lw8cQYGsvx56PWk/s1600/jira.saml.04.png" /></a></div>
<br />
<br />
This was quite easily resolved. Do make sure the IdP (One Identity Cloud Access Manager) and SP (JIRA) are synced with the same NTP server.<br />
<br />
The error disappeared as soon as I had ntpd configured on my JIRA server.<br />
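The NotBefore failure above, as an added example that is not from the post, from Resolution's plugin or from Cloud Access Manager: a Python check of a SAML 2.0 Conditions element that reproduces the "not valid yet" rejection when the SP clock lags the IdP, and shows what a bounded clock-skew allowance does. The assertion XML, hostnames and timestamps are constructed for the demo.

```python
"""Added example (not code from the original post, Resolution's plugin or
Cloud Access Manager): evaluate <saml:Conditions> NotBefore / NotOnOrAfter
against the SP clock, with an optional clock-skew tolerance."""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion: only the Conditions element matters here.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-id"
    Version="2.0" IssueInstant="2018-05-17T14:50:00Z">
  <saml:Issuer>https://cam.example.test/idp</saml:Issuer>
  <saml:Conditions NotBefore="2018-05-17T14:50:00Z"
                   NotOnOrAfter="2018-05-17T14:55:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://jira.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed IdP clock at the moment the assertion was issued.
IDP_NOW = datetime(2018, 5, 17, 14, 50, 0, tzinfo=timezone.utc)


def parse_saml_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime. SAML requires UTC (trailing 'Z'); fractional
    seconds are optional and some IdPs emit more than 6 digits."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML timestamp must be UTC with trailing 'Z': {value!r}")
    body = value[:-1]
    if "." in body:
        whole, frac = body.split(".", 1)
        body = f"{whole}.{frac[:6].ljust(6, '0')}"  # normalise to microseconds
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, now: datetime,
                     skew_seconds: int = 0) -> Tuple[bool, str]:
    """Return (accepted, reason) for the assertion's validity window as seen
    from the SP clock 'now', tolerating skew_seconds of drift either way."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "assertion carries no Conditions element"
    skew = timedelta(seconds=skew_seconds)
    not_before: Optional[str] = cond.get("NotBefore")
    not_on_or_after: Optional[str] = cond.get("NotOnOrAfter")
    # Too early: the SP clock (plus tolerance) has not yet reached NotBefore.
    if not_before is not None and now + skew < parse_saml_instant(not_before):
        return False, f"SAML-message with NotBefore {not_before} is not valid yet"
    # Too late: NotOnOrAfter is exclusive, so 'now' equal to it is already expired.
    if not_on_or_after is not None and now - skew >= parse_saml_instant(not_on_or_after):
        return False, f"SAML-message with NotOnOrAfter {not_on_or_after} has expired"
    return True, "conditions satisfied"


def sp_clock(idp_now: datetime, offset_seconds: int) -> datetime:
    """Model an SP whose clock is offset_seconds behind (negative) or ahead of the IdP."""
    return idp_now + timedelta(seconds=offset_seconds)


if __name__ == "__main__":
    # SP clock 90 s behind, no tolerance: the rejection seen in the post.
    print(check_conditions(SAMPLE_ASSERTION, sp_clock(IDP_NOW, -90)))
    # Same drift, but the SP allows 120 s of skew: accepted.
    print(check_conditions(SAMPLE_ASSERTION, sp_clock(IDP_NOW, -90), skew_seconds=120))
    # Clock synced via NTP (1 s of transit): accepted with no tolerance at all.
    print(check_conditions(SAMPLE_ASSERTION, sp_clock(IDP_NOW, 1)))
```

A skew allowance only masks small, bounded drift; an SP that is minutes behind still fails, and a large allowance widens the replay window, which is why NTP on both sides is the right fix.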
<br />
<br />
.
Post of 2018-05-15: One Identity Cloud Access Manager - Backend SSO Method<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8jGBmsDqIvNdItKF81sVXawdln-aL3N8BF6OXGDk5ug1iL1mXTijbdbSaOIJdez07ZdG9Oyir-Yf0PNZdSB06Zy9QNbxQYf-V8vsKiolsWKdHwV0TxncHZSM8zWb8wEzZ7vkdwsEkm-0/s1600/OneIdentity_final_logo_Vertical-1-830x1019.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1019" data-original-width="830" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8jGBmsDqIvNdItKF81sVXawdln-aL3N8BF6OXGDk5ug1iL1mXTijbdbSaOIJdez07ZdG9Oyir-Yf0PNZdSB06Zy9QNbxQYf-V8vsKiolsWKdHwV0TxncHZSM8zWb8wEzZ7vkdwsEkm-0/s200/OneIdentity_final_logo_Vertical-1-830x1019.png" width="162" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Out of the box, <a href="https://www.oneidentity.com/products/cloud-access-manager/" target="_blank">One Identity Cloud Access Manager</a> provides the traditional credential SSO methods like IWA (Integrated Windows Authentication) and HTTP Header. I like that it provides Form Fill, though I would keep this as a <i>"hidden secret weapon"</i> for the event that customers have some legacy applications for which I have no choice but to perform password replay.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLMPuWUQt1Nw-O1tYCzcQGj9AnWsIzOe90CKZiZbzCwLY3xtARu2xFnDeRaUJEEaRHSU6TXXV-z-bBzPqT8AwwW223M_i1L3OieT_V8tdDIocvHtUEzpWiVLQX1LWPNiS7ZJ0KbC3fGOs/s1600/cam.01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="389" data-original-width="891" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLMPuWUQt1Nw-O1tYCzcQGj9AnWsIzOe90CKZiZbzCwLY3xtARu2xFnDeRaUJEEaRHSU6TXXV-z-bBzPqT8AwwW223M_i1L3OieT_V8tdDIocvHtUEzpWiVLQX1LWPNiS7ZJ0KbC3fGOs/s400/cam.01.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In the same box (yes, the same box; some other vendors require you to buy an add-on :>), the trendier Federated SSO methods like SAML2 and OpenID Connect/OAuth 2.0 are provided. No additional add-on. No additional cost. The SAML2 IdP is enabled out of the box. The OpenID Connect Provider is enabled out of the box. Very easy to integrate with any 3rd party federated clients. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I was trying to integrate our in-house JIRA via SAML2 and it took me less than 15 mins for the first try. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
. </div>
<br />
Post of 2018-05-03: One Identity Cloud Access Manager - Not Authorized<div class="separator" style="clear: both; text-align: left;">
I was playing with <a href="https://www.oneidentity.com/products/cloud-access-manager/" target="_blank">One Identity Cloud Access Manager</a> this afternoon and hit into "Not Authorized - Sorry, but it seems as if you're not authorized to access the selected application".</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjHkecLYj478vSBSbxV_W5IdY5cLD_d2ZqKqZ31ZqY30c7-J6pOtOL-y_7vTtfw-Zl2mn27_NrSEggNXoT4iZWDEGHxnAZ_DXmVwmIM-NL80roMZghkIuxnMagmmaLob7e3Rfn3she0y0/s1600/cam.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="285" data-original-width="519" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjHkecLYj478vSBSbxV_W5IdY5cLD_d2ZqKqZ31ZqY30c7-J6pOtOL-y_7vTtfw-Zl2mn27_NrSEggNXoT4iZWDEGHxnAZ_DXmVwmIM-NL80roMZghkIuxnMagmmaLob7e3Rfn3she0y0/s1600/cam.03.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This is what I have observed. If the administrator configures a new protected application after you have logged in to the Application Portal (a one-stop landing portal for you to single sign-on to multiple protected backend applications), the new application link (e.g. Web SVN (Management)) will immediately appear on the portal.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_CD-J42clHblM2dMDF09uP4Tw-9pme2TKI3Kfkdm6lwyTndVYE6BC4gJMsq4X3e4JH4fTbAZ437nd7Tdx-PzqV4RpNyCfYvU-zMA6QexxXFaPxr-2IDBGUBv3u__oWMzCliaxhcD-3Dg/s1600/cam.00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="318" data-original-width="671" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_CD-J42clHblM2dMDF09uP4Tw-9pme2TKI3Kfkdm6lwyTndVYE6BC4gJMsq4X3e4JH4fTbAZ437nd7Tdx-PzqV4RpNyCfYvU-zMA6QexxXFaPxr-2IDBGUBv3u__oWMzCliaxhcD-3Dg/s400/cam.00.png" width="400" /></a></div>
<br />
<br />
However, as soon as you click on the new link, you'll hit into "Not Authorized" error.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEgV2uhmTxki2ctTTQDMV5_2zYjH8jnX4uQveF6A4pwaI3yz_rF3CZ7NBqJ27UsIg7UTUYS6gWwhv7AMEMBiH_BMp5f8JGMj3EI99ifMlNzTK_tfJqpPTOm7PW22vqzvhsH9JRij79z3k/s1600/cam.01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="273" data-original-width="681" height="157" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEgV2uhmTxki2ctTTQDMV5_2zYjH8jnX4uQveF6A4pwaI3yz_rF3CZ7NBqJ27UsIg7UTUYS6gWwhv7AMEMBiH_BMp5f8JGMj3EI99ifMlNzTK_tfJqpPTOm7PW22vqzvhsH9JRij79z3k/s400/cam.01.png" width="400" /></a></div>
<br />
To work around this, log out and log in again. The new link is now accessible.<br />
<br />
<br />
Simple!<br />
<br />
.<br />
<br />
Post of 2018-05-02: CA SSO Access Gateway
I met with a potential customer today and he was interested in deploying CA SSO Access Gateway in the DMZ, while keeping CA SSO Policy Server in the Intranet.<br />
<br />
He was not sure what were the possible integrations provided by CA SSO Access Gateway with his backend applications.<br />
<br />
I showed him the diagram below. Self-explanatory.<br />
<br />
<ul>
<li>SAML (Federation)</li>
<li>REST/JSON </li>
<li>OpenID Connect</li>
<li>HTTP Header (Web Agent)</li>
</ul>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaX8mx4rj7q__Bl-XNwgzifxvVDxXD-7Tf1i5aL4OQHDD0a8txD4XC0f3BWxcv1mULdzaQT4keNDtTaMniYezTsQAKgNfEpM0xSlY5yIaX2RDH-FNR01zA80b5BaoYQ8wMofbsqHQGCQE/s1600/sm.gw.04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="344" data-original-width="571" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaX8mx4rj7q__Bl-XNwgzifxvVDxXD-7Tf1i5aL4OQHDD0a8txD4XC0f3BWxcv1mULdzaQT4keNDtTaMniYezTsQAKgNfEpM0xSlY5yIaX2RDH-FNR01zA80b5BaoYQ8wMofbsqHQGCQE/s1600/sm.gw.04.png" /></a></div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH86tvBUXas0fpbIucJ5WqJrkoaOaIgGXjowCBHdnqgFXw_I5dyGhNfjIiFbSQt3szzJuOGlcx2fDwA5BNX5hQQxSJ_TgWvnETS5NW6eLK9h9w-2f9o0Vm_d5-pTCoJ84swVcY-R7Wt-E/s1600/sm.gw.02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="358" data-original-width="657" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH86tvBUXas0fpbIucJ5WqJrkoaOaIgGXjowCBHdnqgFXw_I5dyGhNfjIiFbSQt3szzJuOGlcx2fDwA5BNX5hQQxSJ_TgWvnETS5NW6eLK9h9w-2f9o0Vm_d5-pTCoJ84swVcY-R7Wt-E/s400/sm.gw.02.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
.</div>
<br />
Post of 2018-04-17: Password Meter
We have been in the Security & Identity business for a long time. Recently, we have been engaged in a number of Identity Management projects in the Asia region.<br />
<br />
In some projects, we build our own Access Request Portal on top of Identity Management products out there in the market.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqgHqJ1XG9HcqmE9SKvjt-gufvDo6s8obQOMlbYTGZRywuf02ha_FGkLvjRReJdrPMkbSHnG68uqcReGbtAK4ykpYOaOYsLxi4KcSTlLfDEA-SwERwc0pDFrrJZv-q7vOKsTI96ZT0g8w/s1600/idm.07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="513" data-original-width="1258" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqgHqJ1XG9HcqmE9SKvjt-gufvDo6s8obQOMlbYTGZRywuf02ha_FGkLvjRReJdrPMkbSHnG68uqcReGbtAK4ykpYOaOYsLxi4KcSTlLfDEA-SwERwc0pDFrrJZv-q7vOKsTI96ZT0g8w/s400/idm.07.png" width="400" /></a></div>
<br />
The reason is simple - to improve the user experience!<br />
<br />
From our observation, some IDM products are just too complex, too heavy; some IDM products lack features required by customers.<br />
<br />
And since more and more IDM products are exposed via REST, it becomes compelling to build our own Access Request Portal.<br />
<br />
We built an Access Request Portal that is lean and fast. No unnecessary features just to make Gartner happy. <i>(You don't agree? Ha! )</i><br />
<br />
<br />
In one of our projects, the CIO took a look at the User Profile tab and explored how we built the Password module. He didn't like what we had built. He has a strong view on what a Strong Password is. He even sent my team this to read up on - <a href="https://www.popularmechanics.com/technology/a28050/science-password/" target="_blank">Science Can Help You Choose a Better Password. Complexity isn't as important as you think</a>.<br />
<br />
So we stripped the original Password module and incorporated <a href="https://github.com/cupslab/password_meter" target="_blank">Password Meter</a>.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFM41iHwz1qRqtbUVldrCYcKtCwrBKsxyhj7geezOp6oumth66LxsF_a0a7COmI8-_BEhK_Wuqa7PUIdmKSrwIJ2ulKLT_ks1p4kwP9hBf7SH2dgwyNA2lNL8xij6haPA0lDS_YlCRQsE/s1600/pwd.meter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="293" data-original-width="641" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFM41iHwz1qRqtbUVldrCYcKtCwrBKsxyhj7geezOp6oumth66LxsF_a0a7COmI8-_BEhK_Wuqa7PUIdmKSrwIJ2ulKLT_ks1p4kwP9hBf7SH2dgwyNA2lNL8xij6haPA0lDS_YlCRQsE/s400/pwd.meter.png" width="400" /></a></div>
<br />
Password Meter is pretty cool. It will "score" your password quality as you type in and give you advice immediately.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2I6jfScgv6JPO9rG18YzEzniFkegvze2Z7ELYwmEn38UU_M2FqG4e8Rmvz1aGApJR2Ea6cnJwfYE6elAldY0v4tPFbuMwxV9hWtb9giky_dmAfdpaj_wMOLTEDshiRAg_TpbLLE46MvU/s1600/idm.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="583" data-original-width="550" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2I6jfScgv6JPO9rG18YzEzniFkegvze2Z7ELYwmEn38UU_M2FqG4e8Rmvz1aGApJR2Ea6cnJwfYE6elAldY0v4tPFbuMwxV9hWtb9giky_dmAfdpaj_wMOLTEDshiRAg_TpbLLE46MvU/s1600/idm.03.png" /></a></div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqvrpfq-S0Jo57EqDmPoc1GHVPUscur8qSTvNK3RPoaHFUn911vH8ECYzBX3vOnN13IfgG3Mt6knHTD2Q19l16qS70NgU29H2Lc_5nBvA3BOTZF6S7iquym2Rf_hDI0cvWyOEV-KEGAtE/s1600/idm.04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="607" data-original-width="550" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqvrpfq-S0Jo57EqDmPoc1GHVPUscur8qSTvNK3RPoaHFUn911vH8ECYzBX3vOnN13IfgG3Mt6knHTD2Q19l16qS70NgU29H2Lc_5nBvA3BOTZF6S7iquym2Rf_hDI0cvWyOEV-KEGAtE/s1600/idm.04.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
My team did it better! As Password Meter is open-source and published on GitHub, we enhanced it to support multiple languages. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQxv72qWRoNElbKhnGBLA90AuzZUAFp68jFI1iJ0wI1WDzTXpn7d8ln8TB_SNr4xSACfrqOpYaN81eCqmgLpNezxDfVDo8TsPggxqYEniR_Rh5oSP2y-zPGxAVgk8ir7lNQEQ2Me4wHdA/s1600/idm.06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="665" data-original-width="550" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQxv72qWRoNElbKhnGBLA90AuzZUAFp68jFI1iJ0wI1WDzTXpn7d8ln8TB_SNr4xSACfrqOpYaN81eCqmgLpNezxDfVDo8TsPggxqYEniR_Rh5oSP2y-zPGxAVgk8ir7lNQEQ2Me4wHdA/s1600/idm.06.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMurZQLSSm0i6Q4zVBNAiaERvHcTpKyKPp-MeJKunEgz5sj5qbt6efIMhx9LdLtmJsTMFkF4QevJeXgJxExEd8Z2xEiCuuBguRv1NHO4Ilu73Qwu7YIx1vW0ZhNTxmk7vC0qg9Eo389nM/s1600/idm.05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="607" data-original-width="550" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMurZQLSSm0i6Q4zVBNAiaERvHcTpKyKPp-MeJKunEgz5sj5qbt6efIMhx9LdLtmJsTMFkF4QevJeXgJxExEd8Z2xEiCuuBguRv1NHO4Ilu73Qwu7YIx1vW0ZhNTxmk7vC0qg9Eo389nM/s1600/idm.05.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
What's next is for the team to tidy up the sources and offer them back to the community.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That's the beauty of open-source! Some just don't get it. Money is never enough. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br />