IdP, SAML, OAuth are new acronyms for identity in the cloud. SAML is used for federated authentication between an identity provider (IdP) like Active Directory and a service provider (SP) like Office 365. The IdP authenticates the user and sends a SAML token with claims to the SP. OAuth streamlines authentication for mobile by issuing short-lived access tokens instead of passing full credentials or SAML assertions between each service. It allows authorization without passwords and tokens can be revoked, reducing risks of compromised apps. Office 365 uses Azure Active Directory as an IdP with SAML or OAuth to authenticate users from an on-premises Active Directory via federation or synchronization.
This document discusses authentication and authorization frameworks like OAuth and OpenID Connect. It provides an overview of key concepts like authentication, authorization, roles in OAuth like resource owner, client, authorization server and resource server. It explains the authorization code grant flow in OAuth and how OpenID Connect builds upon OAuth to provide identity features. It also compares OpenID Connect to SAML and discusses Microsoft and TechCello implementations of these specifications.
This document discusses Single Sign On (SSO), which allows a user to access multiple services or applications with a single set of login credentials. It describes common SSO protocols like SAML and OpenID Connect and where SSO can be implemented, such as on-premise or in the cloud. Examples of SSO use cases and product categories are provided.
OAuth and OpenID Connect are the two most important security specs that API providers need to be aware of. In this session, Travis Spencer, CEO of Curity, will cram in as much about these two protocols as will fit into 20 minutes.
Know your opponent and know yourself. It held true for Sun Tzu 2500 years ago, and it holds true for pen testers today. A pen tester who has worked in a sec ops role has a distinct advantage, especially if that pen tester has a solid grasp of the good, the bad, and the ugly of identity and access management (IAM) in an enterprise setting. For red teams, this presentation will cover pen testing tips and tricks to circumvent weak or missing IAM controls. For blue teams, we’ll also cover the steps you can take to shore up your IAM controls and catch pen testers in the act. Purple teaming, FTW!
Single sign-on (SSO) allows users to access multiple systems after one authentication. Common SSO protocols discussed include SAML, OAuth, and username/password. SAML is best for single sign-on across websites while OAuth is for secure API access. Best practices include high availability, proactive certificate management, custom error pages, and testing. The document provides an overview of SSO concepts and recommendations for implementation and troubleshooting.
This 20-minute presentation introduces OAuth through defining it, explaining why it is useful, providing background information, defining key terminology, outlining the workflow, and including a live example. It defines OAuth as a method for users to grant third-party access to their resources without sharing passwords and to grant limited access. It highlights issues with traditional client-server authentication and how OAuth addresses them. The presentation then covers OAuth background, terminology like consumer and service provider, the redirection-based authorization workflow, and concludes with a live example and references for further information.
Building an enterprise-level single sign-on application with the help of Keycloak (Open Source Identity and Access Management), and understanding how to secure your application, both the frontend and the backend APIs. Managing user federation with minimal configuration.
by Apurv Awasthi, Sr. Technical Product Manager, AWS
This session introduces the concepts of AWS Identity and Access Management (IAM) and walks through the tools and strategies you can use to control access to your AWS environment. We describe IAM users, groups, and roles and how to use them. We demonstrate how to create IAM users and roles, and grant them various types of permissions to access AWS APIs and resources. We also cover the concept of trust relationships, and how you can use them to delegate access to your AWS resources. This session also covers IAM best practices that can help improve your security posture. We cover how to manage IAM users and roles, and their security credentials. We also explain how you can securely manage your AWS access keys. Using common use cases, we demonstrate how to choose between using IAM users or IAM roles. Finally, we explore how to set permissions to grant least privilege access control in one or more of your AWS accounts. Level 100
This document discusses best practices for AWS Identity and Access Management (IAM). It defines IAM as a service that helps securely control access to AWS resources. The main IAM components are users, groups, roles, and policies. It provides several rules for security best practices, including: never using the root account for daily tasks; locking away root access keys; granting least privileges; using roles to delegate permissions; using roles for EC2 applications; rotating credentials regularly; and monitoring account activity.
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It allows developers to manage multiple versions and stages of APIs, monitor access by third party developers, and handle traffic spikes without operational burden. API Gateway supports features like throttling, authorization, caching of responses, and SDK generation to make APIs easy to consume.
REST API Security - A quick understanding of REST API security
This document discusses REST API security methods. It provides an overview of authentication and authorization and describes common security methods like cookie-based authentication, token-based authentication, OAuth, OpenID, and SAML. It then compares OAuth2, OpenID, and SAML and discusses best practices for securing REST APIs like protecting HTTP methods, validating URLs, using security headers, and encoding JSON input.
These slides are supposed to help you understand the basics of application security, and how the latest technologies come together to enable you to reduce the number of times people at your organization need to authenticate.
For more information visit http://gluu.org
This document provides guidelines for securing managed APIs. It discusses defining an API's audience and whether they are direct users or relying parties. It also covers bootstrapping trust either directly through user credentials or brokered through a third party. The document then discusses various OAuth 2.0 grant types and federated access scenarios. It emphasizes using TLS, strong credentials, short-lived tokens, and access control to secure APIs and their communication.
This document provides an introduction and overview of SAML and OIDC for single sign-on and federated authentication. It describes the key components of each standard, including identity providers, service providers, assertions, flows, and tokens. SAML enables users to authenticate once and access multiple sites using circles of trust, while OIDC builds on OAuth2 and provides additional functionality for authentication with RESTful endpoints and easier token and claims handling.
Overview of Azure AD
Deployment lessons from the real world
Outline items that can accelerate your deployment
Avoid things that can slow you down
Deep Dive on common technical challenges and how to overcome them
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
Organizations planning for Extranet access to SharePoint 2010, or faced with providing access to an Intranet from multiple internal authentication platforms, often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. Understanding how to isolate content from a security perspective while still providing a collaborative space for end users is complex, and if not done correctly can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including Claims-based authentication, and also advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management for SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers.
• Review Extranet design options with SharePoint 2010
• Understand the need for identity management across SharePoint farms
• Examine real world deployment guidance and architecture for SharePoint environments using multiple authentication providers
O365con14 - moving from on-premises to online, the road to follow
This document provides links to numerous Microsoft technical support and documentation pages related to Office 365, Azure Active Directory, identity management, multi-factor authentication, and directory synchronization. The pages cover topics such as configuring directory synchronization between on-premises Active Directory and Azure AD, managing user identities and authentication in hybrid cloud environments, and using multi-factor authentication to secure access to Office 365 applications and services.
SPCA2013 - It’s Me, and Here’s My Proof: Identity & Authentication in SharePoin...
This document provides an overview of identity and authentication in SharePoint 2013 and Office 365. It begins with a primer on authentication and authorization concepts. It then covers Windows authentication, trusted claims providers, service delegation between servers, and authorization for apps. It discusses the various identity management options for integrating on-premises Active Directory with Office 365 through options like online IDs, directory synchronization, and federation.
This document discusses identity management options for integrating on-premises directories with Office 365. It describes scenarios for cloud identity without integration, directory synchronization using password sync or federation, and federation options like ADFS, Shibboleth, and third-party identity providers. Directory synchronization can be used to integrate Active Directory or non-AD sources with options like DirSync, FIM, and PowerShell for provisioning users.
This document provides instructions for configuring different single sign-on options for IBM Notes clients, including Notes Shared Logon, LDAP authentication, Kerberos/SPNEGO/IWA, and SAML. It describes what each option does, examples of how it works, and requirements to set it up. SAML provides single sign-on across multiple systems using a centralized identity provider, but has more complex setup involving configuring identity providers, service providers, certificates, and policies in both Active Directory and Domino.
SAML and Other Types of Federation for Your Enterprise
This document discusses federated authentication and SAML. It defines key concepts like identity management, identification, authentication and authorization. It explains how federation works using standards like SAML and allows single sign-on across organizational boundaries. Specific examples are provided of SAML identity providers, service providers and how products like Active Directory Federation Services, NetScaler and XenApp/XenDesktop support federated authentication.
This document provides an overview of Office 365 for IT professionals presented by Andy Malone. It begins with an introduction of Andy Malone and his background. The bulk of the document then explores various components and capabilities of Office 365 including exploring Office 365, understanding data storage locations, identity management with Azure Active Directory, provisioning accounts, and Exchange Online. It provides summaries of key Office 365 services and components. The document concludes with some final tips and thoughts on Office 365 and links to additional tools and resources.
IAM/IRM CONSIDERATIONS FOR SAAS PROVIDER SELECTION
This document discusses important identity and access management (IAM) considerations for selecting a software-as-a-service (SaaS) provider. It outlines key questions to ask the SaaS provider regarding support for single sign-on protocols, ease of provisioning and de-provisioning users, whether their technical environment fits the organization's constraints, and ability to test integration before going live. The document also covers identity lifecycle management standards like SCIM and questions for IAM experts on how federation can be made easier.
Planning Extranet Environments with SharePoint 2010
Organizations planning for Extranet access to SharePoint 2010, or faced with providing access to an Intranet from multiple internal authentication platforms, often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. Understanding how to isolate content from a security perspective while still providing a collaborative space for end users is complex, and if not done correctly can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management for SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers.
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...
Active Directory Federation Services (AD FS) is the Microsoft technology to bridge your on-premises identity systems towards cloud identity providers like Azure Active Directory. Colleagues depend on a reliable, yet cost effective deployment of AD FS, and it’s our job as IT Pros to make it happen. This session covers the 10 most common mistakes we see in the field in organizations that have deployed AD FS and performed a hybrid identity deployment. Learn from their mistakes, so you don’t have to make them.
This document provides an overview of identity management options in Office 365 and describes the Synchronized Identity Model (DirSync), Federated Identity Model (SSO), and key considerations for each. It compares the models based on organization size and capabilities like single sign-on and management of credentials. The Synchronized Identity Model uses Azure Active Directory Connect to synchronize on-premises directories with Azure AD. The Federated Identity Model implements Security Assertion Markup Language for single sign-on using federation servers like Active Directory Federation Services.
With a complete new Identity/Access Management Suite on the Oracle market, one might forget the good old SSO server, bundled with each and every IAS server. Although it has some out-of-the-box capabilities like WNA and X509 certificate support, it can be quite hard to set up an authentication scheme just the way you (or your customers) like it. Using a case study, this presentation discusses how you can extend Oracle’s Single Sign On (SSO) server to your needs. It will discuss:
- Integration & authentication with smartcard passports (eID)
- Authentication with digital certificates
- Implementing fallback authentication schemes
- Integration with SSL terminators and reverse proxies
- DIY federated authentication
- Writing your own SSO plugin
The solutions presented are part of AXI NV/BV's portfolio.
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?
Office 365 brings a host of productivity options, but one of the most overlooked components is how we'll authenticate to The Cloud™. With Microsoft Azure Active Directory driving access and authentication to our Office 365 tenants, it is important to understand how we can interact with it. Join us as we explore Cloud Identity, identity federation, directory synchronisation, and most importantly Azure and its impact on user experience and access to Office 365. Throughout this session, we'll answer the questions that impact you and how your decisions around identity shape your Office 365 experience.
This document provides an overview of identity management and authentication options for Office 365. It discusses the key concepts of identity federation using protocols like SAML and WS-Federation. It also summarizes the different identity synchronization and single sign-on options available in Office 365 for organizations of different sizes, including password synchronization, directory synchronization, federated identity, and cloud identity. The advantages and requirements of each approach are outlined.
Develop iOS and Android apps with SharePoint/Office 365
This document provides an agenda and overview for developing iOS and Windows Store apps using Office 365/SharePoint 2013. It discusses what mobile apps are, why to build them, and how to use SharePoint/Office 365 as a backend. It demonstrates sample apps and covers development platforms, SharePoint APIs, authentication, and code reviews.
The document discusses how to deliver a Windows 7 experience on Windows Server 2008 R2. It describes that the Windows 7 experience refers to features included in the Desktop Experience package. It then details various methods to enable these features, including manually configuring settings, using tools from Citrix, and scripts available on the Citrix code sharing site. The presentation recommends using the XenApp 6 Service Provider Automation Pack to enable the Windows 7 look and feel.
This document discusses the tools used by Dan Brinkmann to consume, organize, and create data. It outlines the RSS feeds, Twitter, and Pocket apps he uses to gather content from across the web. It also describes the Office Suite, Evernote, Google Docs, WordPress, and OmniGraffle tools he leverages to consolidate insights and produce new written works, diagrams, and blog posts. He is still on the lookout for solutions that can manage follow-up tasks and allow sharing of data across all of his devices.
This document provides guidance on designing a virtual desktop infrastructure (VDI). It discusses key decision points around the hypervisor, servers, and storage. It recommends determining user groups, applications, and requirements through piloting before finalizing the design. The document also analyzes options for the hypervisor, servers including CPU, memory, and local storage considerations, and storage including the impact of VM density and hidden capacity needs. Monitoring IOPS and latency is emphasized as critical to ensuring a successful VDI deployment.
VDI projects often fail due to lack of proper planning and testing. Key reasons for failure include not understanding compute and storage requirements, guessing at user needs rather than measuring them, and insufficient testing with real users and applications. Proper testing is needed to understand peak usage periods, application impacts on performance over time, and how the system performs at scale.
This document summarizes Citrix's remote access solutions, including the Citrix Secure Gateway (CSG), Citrix Access Gateway Standard (CAG), and Citrix Access Gateway Enterprise Edition (CAG-EE). It also discusses the Netscaler platform. The CSG is now end-of-life with no support for newer features. The CAG provides ICA proxy and SSL VPN capabilities on a physical or virtual appliance. The CAG-EE has additional features like endpoint analysis and load balancing. The Netscaler provides all CAG-EE functions plus load balancing of StoreFront and XenApp/XenDesktop resources. The document discusses factors in choosing between a physical or virtual appliance deployment.
This document provides an overview of new features in vSphere 5 including:
- ESXi only architecture with no service console and smaller security footprint.
- New ESXi shell and vCLI commands for simplified management.
- Enhancements to features like vMotion, DRS, HA, and new features like Auto Deploy, Storage DRS, and ESXi firewall.
- Performance improvements and support for new hardware like USB 3.0 and larger VMs.
- Summary of changes to management tools including new vSphere Web Client.
vSphere provides tools like vCenter, ESXTOP, and PowerCLI to monitor the performance of CPU, memory, network, and storage. Key metrics include CPU and memory usage, network packet drops, storage latency, and swap rates. Issues like oversubscription, capacity limitations, and configuration errors can be identified by watching for saturated resources, dropped packets, and high latency or queueing. External monitoring of physical infrastructure can also provide useful visibility.
7 Most Powerful Solar Storms in the History of Earth.pdf
Solar Storms (Geo Magnetic Storms) are the motion of accelerated charged particles in the solar environment with high velocities due to the coronal mass ejection (CME).
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
Six months into 2024, and it is clear the privacy ecosystem takes no days off!! Regulators continue to implement and enforce new regulations, businesses strive to meet requirements, and technology advances like AI have privacy professionals scratching their heads about managing risk.
What can we learn about the first six months of data privacy trends and events in 2024? How should this inform your privacy program management for the rest of the year?
Join TrustArc, Goodwin, and Snyk privacy experts as they discuss the changes we’ve seen in the first half of 2024 and gain insight into the concrete, actionable steps you can take to up-level your privacy program in the second half of the year.
This webinar will review:
- Key changes to privacy regulations in 2024
- Key themes in privacy and data governance in 2024
- How to maximize your privacy program in the second half of 2024
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...
Slide of the tutorial entitled "Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Emerging Trends" held at UMAP'24: 32nd ACM Conference on User Modeling, Adaptation and Personalization (July 1, 2024 | Cagliari, Italy)
Kief Morris rethinks the infrastructure code delivery lifecycle, advocating for a shift towards composable infrastructure systems. We should shift to designing around deployable components rather than code modules, use more useful levels of abstraction, and drive design and deployment from applications rather than bottom-up, monolithic architecture and delivery.
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
Are you interested in dipping your toes in the cloud native observability waters, but as an engineer you are not sure where to get started with tracing problems through your microservices and application landscapes on Kubernetes? Then this is the session for you, where we take you on your first steps in an active open-source project that offers a buffet of languages, challenges, and opportunities for getting started with telemetry data.
The project is called OpenTelemetry, but before diving into the specifics, we’ll start with de-mystifying key concepts and terms such as observability, telemetry, instrumentation, cardinality, and percentile to lay a foundation. After understanding the nuts and bolts of observability and distributed traces, we’ll explore the OpenTelemetry community; its Special Interest Groups (SIGs), repositories, and how to become not only an end-user, but possibly a contributor. We will wrap up with an overview of the components in this project, such as the Collector, the OpenTelemetry protocol (OTLP), its APIs, and its SDKs.
Attendees will leave with an understanding of key observability concepts, become grounded in distributed tracing terminology, be aware of the components of OpenTelemetry, and know how to take their first steps to an open-source contribution!
Key Takeaways: Open source, vendor neutral instrumentation is an exciting new reality as the industry standardizes on OpenTelemetry for observability. OpenTelemetry is on a mission to enable effective observability by making high-quality, portable telemetry ubiquitous. The world of observability and monitoring today has a steep learning curve, and in order to achieve ubiquity, the project would benefit from growing our contributor community.
Quality Patents: Patents That Stand the Test of Time
Is your patent a vanity piece of paper for your office wall? Or is it a reliable, defendable, assertable, property right? The difference is often quality.
Is your patent simply a transactional cost and a large pile of legal bills for your startup? Or is it a leverageable asset worthy of attracting precious investment dollars, worth its cost in multiples of valuation? The difference is often quality.
Is your patent application only good enough to get through the examination process? Or has it been crafted to stand the tests of time and varied audiences if you later need to assert that document against an infringer, find yourself litigating with it in an Article 3 Court at the hands of a judge and jury, God forbid, end up having to defend its validity at the PTAB, or even needing to use it to block pirated imports at the International Trade Commission? The difference is often quality.
Quality will be our focus for a good chunk of the remainder of this season. What goes into a quality patent, and where possible, how do you get it without breaking the bank?
** Episode Overview **
In this first episode of our quality series, Kristen Hansen and the panel discuss:
⦿ What do we mean when we say patent quality?
⦿ Why is patent quality important?
⦿ How to balance quality and budget
⦿ The importance of searching, continuations, and draftsperson domain expertise
⦿ Very practical tips, tricks, examples, and Kristen’s Musts for drafting quality applications
https://www.aurorapatents.com/patently-strategic-podcast.html
Quantum Communications Q&A with Gemini LLM. These are based on Shannon's noisy-channel theorem and show how the classical theory applies to the quantum world.
How Social Media Hackers Help You to See Your Wife's Message.pdf
In the modern digital era, social media platforms have become integral to our daily lives. These platforms, including Facebook, Instagram, WhatsApp, and Snapchat, offer countless ways to connect, share, and communicate.
Details of description part II: Describing images in practice - Tech Forum 2024
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and transcript: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge.
You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter.
The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
Implementations of Fused Deposition Modeling in real world
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes.
2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions.
3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines.
4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors.
5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering.
6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands.
7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems.
8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering.
9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively.
Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.
An invited talk given by Mark Billinghurst on Research Directions for Cross Reality Interfaces. This was given on July 2nd 2024 as part of the 2024 Summer School on Cross Reality in Hagenberg, Austria (July 1st - 7th)
The document discusses single sign-on best practices. It recommends developing troubleshooting practices for SSO failures, such as having a process to gather information and check login errors. It also suggests preventing failures by ensuring high availability of IDP servers, being proactive about certificate expirations, and testing implementations. Reliable and scalable SSO can be achieved using federation IDs instead of Salesforce usernames and disabling direct login to Salesforce when SSO is enabled.
OAuth 2.0 allows third-party applications to access resources on a user's behalf without the user handing over credentials. The client obtains an access token through a grant type such as the authorization code grant or the implicit grant (the implicit grant is now discouraged by the OAuth 2.0 Security Best Current Practice because it exposes tokens in the browser), and then presents that token to the resource server. DataPower supports OAuth 2.0 and provides customization options such as additional grant types and extension points for customizing the OAuth handshake.
This document compares and contrasts three token-based authentication and authorization protocols: SAML, OAuth access tokens, and OpenID Connect ID tokens.
SAML uses signed XML assertions for identity and authorization. OAuth access tokens are, from the client's point of view, opaque bearer strings that grant whatever the issuing server decided, while OpenID Connect ID tokens are JSON Web Tokens (JWTs) whose claims describe the authenticated user and are meant to be verified by the client. The comparison places SAML assertions in SOAP web services, carried in WS-Security headers, while access tokens and ID tokens travel in ordinary HTTP requests from web and mobile apps. SAML assertions and ID tokens both represent an authenticated user; access tokens and SAML assertions both authorize access to protected resources. Security considerations common to all three are confidentiality in transit (TLS), integrity (a verified signature) and replay protection (short lifetimes, audience restrictions and one-time identifiers).
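The ID token checks implied by the comparison above (integrity, audience, lifetime, replay), as an added example that is not taken from the compared document. To stay standard-library only and run offline, the token is signed with HS256 under a shared key, which is an assumption for this example; real providers usually sign ID tokens with RS256 or ES256 and the relying party fetches the public key from the provider's JWKS endpoint. The issuer, client_id and key values are made up.

```python
"""Relying-party validation of an OpenID Connect ID token (a JWT).
Added example, not from the compared document. HS256 with a shared key is an
assumption so it runs offline; production ID tokens are normally RS256/ES256
verified against the provider's JWKS. Issuer, client_id and key are made up.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"
CLIENT_ID = "rp-client"
KEY = b"shared-secret-for-this-example-only"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """The provider side. alg='none' exists here only so it can be rejected below."""
    header = {"alg": alg, "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments).encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return ".".join(segments) + "." + b64url_encode(signature)


class IdTokenValidator:
    """Checks in the order that is cheapest and safest: signature before claims."""

    def __init__(self, key, issuer, client_id, skew=60):
        self.key, self.issuer, self.client_id, self.skew = key, issuer, client_id, skew
        self.used_nonces = set()  # replay cache for nonces this RP put in its requests

    def validate(self, token: str, expected_nonce: str, now=None):
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return None, "malformed"
        h64, p64, s64 = parts
        header = json.loads(b64url_decode(h64))
        if header.get("alg") != "HS256":  # allow-list; never let the header pick the algorithm
            return None, "alg not allowed"
        expected = hmac.new(self.key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            return None, "bad signature"
        claims = json.loads(b64url_decode(p64))  # only now is the payload trustworthy
        if claims.get("iss") != self.issuer:
            return None, "wrong issuer"
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            return None, "wrong audience"
        if now > claims.get("exp", 0) + self.skew:
            return None, "expired"
        if claims.get("iat", now) > now + self.skew:
            return None, "issued in the future"
        nonce = claims.get("nonce")
        if nonce != expected_nonce:
            return None, "nonce mismatch"
        if nonce in self.used_nonces:
            return None, "replayed"
        self.used_nonces.add(nonce)
        return claims, "ok"


def demo():
    """Run one valid token and five bad ones through the validator; return the reasons."""
    now = 1_720_000_000  # fixed clock so results are deterministic
    base = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
            "iat": now, "exp": now + 300, "nonce": "n-1"}
    validator = IdTokenValidator(KEY, ISSUER, CLIENT_ID)
    good = mint_id_token(base, KEY)
    h64, _, s64 = good.split(".")
    forged = b64url_encode(json.dumps({**base, "sub": "admin"}).encode())  # payload swap
    return {
        "valid": validator.validate(good, "n-1", now)[1],
        "replay": validator.validate(good, "n-1", now)[1],
        "tampered": validator.validate(f"{h64}.{forged}.{s64}", "n-1", now)[1],
        "alg_none": validator.validate(mint_id_token(base, KEY, alg="none"), "n-1", now)[1],
        "expired": validator.validate(mint_id_token({**base, "exp": now - 600}, KEY), "n-1", now)[1],
        "wrong_aud": validator.validate(mint_id_token({**base, "aud": "other"}, KEY), "n-1", now)[1],
    }
```

The order matters: the algorithm allow-list and signature check come before any claim is read, so a forged payload or an `alg: none` header never reaches the issuer, audience or lifetime logic. The nonce cache is what turns "this token is genuine" into "this token has not been presented before".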
Single sign on (SSO) How does your company apply? by Đỗ Duy Trung
This document discusses Single Sign On (SSO), which allows a user to access multiple services or applications with a single set of login credentials. It describes common SSO protocols like SAML and OpenID Connect and where SSO can be implemented, such as on-premise or in the cloud. Examples of SSO use cases and product categories are provided.
Hacking identity: A Pen Tester's Guide to IAM by Jerod Brennen
Know your opponent and know yourself. It held true for Sun Tzu 2500 years ago, and it holds true for pen testers today. A pen tester who has worked in sec ops role has a distinct advantage, especially if that pen tester has a solid grasp of the good, the bad, and the ugly of identity and access management (IAM) in an enterprise setting. For red teams, this presentation will cover pen testing tips and tricks to circumvent weak or missing IAM controls. For blue teams, we’ll also cover the steps you can take to shore up your IAM controls and catch pen testers in the act. Purple teaming, FTW!
Single sign-on (SSO) allows users to access multiple systems after one authentication. The document covers SAML and OAuth, with plain username/password login as the baseline they replace. SAML is best suited to single sign-on across websites, while OAuth is for delegated, secure API access. Best practices include high availability of the identity provider, proactive certificate management, custom error pages, and testing. The document provides an overview of SSO concepts and recommendations for implementation and troubleshooting.
This 20-minute presentation introduces OAuth through defining it, explaining why it is useful, providing background information, defining key terminology, outlining the workflow, and including a live example. It defines OAuth as a method for users to grant third-party access to their resources without sharing passwords and to grant limited access. It highlights issues with traditional client-server authentication and how OAuth addresses them. The presentation then covers OAuth background, terminology like consumer and service provider, the redirection-based authorization workflow, and concludes with a live example and references for further information.
Building an enterprise level single sign-on application with the help of keycloak (Open Source Identity and Access Management).
And understanding the way to secure your application; frontend & backend API’s. Managing user federation with minimum configuration.
by Apurv Awasthi, Sr. Technical Product Manager, AWS
This session introduces the concepts of AWS Identity and Access Management (IAM) and walks through the tools and strategies you can use to control access to your AWS environment. We describe IAM users, groups, and roles and how to use them. We demonstrate how to create IAM users and roles, and grant them various types of permissions to access AWS APIs and resources. We also cover the concept of trust relationships, and how you can use them to delegate access to your AWS resources. This session also covers IAM best practices that can help improve your security posture. We cover how to manage IAM users and roles, and their security credentials. We also explain how you can securely manage your AWS access keys. Using common use cases, we demonstrate how to choose between using IAM users or IAM roles. Finally, we explore how to set permissions to grant least privilege access control in one or more of your AWS accounts. Level 100
This document discusses best practices for AWS Identity and Access Management (IAM). It defines IAM as a service that helps securely control access to AWS resources. The main IAM components are users, groups, roles, and policies. It provides several rules for security best practices, including: never using the root account for daily tasks; locking away root access keys; granting least privileges; using roles to delegate permissions; using roles for EC2 applications; rotating credentials regularly; and monitoring account activity.
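A small static check for the "grant least privilege" rule above, as an added example that is not from the slides. `lint_policy()` walks an IAM policy document and flags the patterns that most often undo least privilege: `Action: "*"`, service-wide wildcards such as `s3:*`, write actions on `Resource: "*"` with no `Condition`, and `iam:PassRole` or `sts:AssumeRole` against wildcard roles (a classic privilege-escalation path). The two sample policies are constructed for the example and the finding codes are names chosen here, not AWS Access Analyzer output.

```python
"""Least-privilege linter for IAM policy documents. Added example, not from
the slides: lint_policy(), the finding codes and the two sample policies are
constructed for illustration.
"""
import json

READ_PREFIXES = ("Get", "List", "Describe", "Head")
ESCALATION = {"iam:PassRole", "sts:AssumeRole", "iam:CreatePolicyVersion",
              "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_statement(stmt, where):
    """Return (code, detail) findings for one statement; Deny statements are skipped."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny only narrows access
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    has_condition = bool(stmt.get("Condition"))
    if "NotAction" in stmt:
        findings.append(("ALLOW_NOTACTION", f"{where}: Allow with NotAction permits everything not listed"))
    if "*" in actions:
        findings.append(("ADMIN_WILDCARD", f"{where}: Action '*' is full administrative access"))
    for action in actions:
        if action.endswith(":*"):
            findings.append(("SERVICE_WILDCARD", f"{where}: {action} grants every action in the service"))
    # Anything that is not a read verb counts as a write for this check.
    writes = [a for a in actions if ":" in a and not a.split(":", 1)[1].startswith(READ_PREFIXES)]
    if "*" in resources and writes and not has_condition:
        findings.append(("UNSCOPED_WRITE", f"{where}: write actions {writes} on Resource '*' with no Condition"))
    risky = sorted(set(actions) & ESCALATION)
    if risky and any(r == "*" or r.endswith("/*") for r in resources):
        findings.append(("PRIV_ESC", f"{where}: {risky} on wildcard principals enables privilege escalation"))
    return findings


def lint_policy(policy):
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        findings.extend(lint_statement(stmt, f"Statement[{i}]"))
    return findings


def lint_json(text):
    return lint_policy(json.loads(text))


# Constructed samples: the policy handed to an EC2 instance role "to make it
# work", and the least-privilege version of the same need.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
    ],
}
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/incoming/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::app-uploads",
         "Condition": {"StringLike": {"s3:prefix": ["incoming/*"]}}},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-worker",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Running it on the broad policy reports the service wildcard, two unscoped write statements and the `iam:PassRole` escalation; the least-privilege policy comes back clean because every action is pinned to a named bucket prefix or role and the `PassRole` grant is further limited to the EC2 service. A check like this belongs in CI for any repository that holds policy documents or CloudFormation/Terraform templates.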
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It allows developers to manage multiple versions and stages of APIs, monitor access by third party developers, and handle traffic spikes without operational burden. API Gateway supports features like throttling, authorization, caching of responses, and SDK generation to make APIs easy to consume.
REST API Security - A quick understanding of REST API Security by Mohammed Fazuluddin
This document discusses REST API security methods. It provides an overview of authentication and authorization and describes common security methods like cookie-based authentication, token-based authentication, OAuth, OpenID, and SAML. It then compares OAuth2, OpenID, and SAML and discusses best practices for securing REST APIs like protecting HTTP methods, validating URLs, using security headers, and encoding JSON input.
These slides are supposed to help you understand the basics of application security, and how the latest technologies come together to enable you to reduce the number of times people at your organization need to authenticate.
For more information visit. http://gluu.org
This document provides guidelines for securing managed APIs. It discusses defining an API's audience and whether consumers are direct users or relying parties. It also covers bootstrapping trust either directly through user credentials or brokered through a third party. The document then discusses the various OAuth 2.0 grant types and federated access scenarios. It emphasizes using TLS, strong credentials, short-lived tokens, and access control to secure APIs and their communication.
This document provides an introduction and overview of SAML and OIDC for single sign-on and federated authentication. It describes the key components of each standard, including identity providers, service providers, assertions, flows, and tokens. SAML enables users to authenticate once and access multiple sites using circles of trust, while OIDC builds on OAuth2 and provides additional functionality for authentication with RESTful endpoints and easier token and claims handling.
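The service-provider side of the SAML flow described above, as an added example that is not code from the deck. After the IdP's signature on the assertion has been verified, the SP still has to enforce the assertion's own conditions: the time window, the audience (is this assertion meant for us?), the bearer confirmation data (was it sent to our ACS URL, in response to a request we made?) and a replay cache on the assertion ID. The assertion XML is constructed for the example; the IdP and SP entity IDs, the ACS URL and the request ID are assumptions. Signature verification (XML-DSig) is deliberately out of scope here because the standard library cannot do it: in production verify the signature against the certificate from the IdP metadata first (for instance with python3-saml), and parse with defusedxml rather than xml.etree, which is not hardened against XXE.

```python
"""Post-signature checks an SP must make on a SAML 2.0 bearer assertion.
Added example, not from the deck. The assertion, entity IDs, ACS URL and
request ID are constructed/assumed. Verify XML-DSig first in production and
parse with defusedxml; xml.etree is used here only to stay stdlib-only.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://idp.example/metadata"
SP_ENTITY_ID = "https://sp.example/metadata"
ACS_URL = "https://sp.example/acs"

# Constructed bearer assertion; treat it as already signature-checked.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assertion-7f3a" Version="2.0" IssueInstant="2024-07-01T10:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-07-01T10:05:00Z"
          Recipient="https://sp.example/acs" InResponseTo="_request-42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-07-01T09:59:00Z" NotOnOrAfter="2024-07-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    def __init__(self, idp_entity_id, sp_entity_id, acs_url, skew_seconds=60):
        self.idp, self.sp, self.acs = idp_entity_id, sp_entity_id, acs_url
        self.skew = timedelta(seconds=skew_seconds)
        self.seen_ids = set()  # replay cache; shared storage in a real SP cluster

    def validate(self, xml_text, expected_request_id, now):
        """Return 'ok' or the first reason the assertion must be rejected."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{NS['saml']}}}Assertion":
            return "not an assertion"
        if root.findtext("saml:Issuer", namespaces=NS) != self.idp:
            return "unexpected issuer"
        cond = root.find("saml:Conditions", NS)
        if cond is None:
            return "missing Conditions"
        if cond.get("NotBefore") and now < saml_time(cond.get("NotBefore")) - self.skew:
            return "not yet valid"
        if cond.get("NotOnOrAfter") and now >= saml_time(cond.get("NotOnOrAfter")) + self.skew:
            return "expired"
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.sp not in audiences:
            return "audience mismatch"  # an assertion issued for another SP is never ours
        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None:
            return "missing SubjectConfirmationData"
        if scd.get("Recipient") != self.acs:
            return "recipient mismatch"
        if scd.get("InResponseTo") != expected_request_id:
            return "InResponseTo mismatch"  # unsolicited or cross-session response
        if scd.get("NotOnOrAfter") and now >= saml_time(scd.get("NotOnOrAfter")) + self.skew:
            return "confirmation expired"
        assertion_id = root.get("ID")
        if assertion_id in self.seen_ids:
            return "replayed assertion"
        self.seen_ids.add(assertion_id)
        return "ok"


def demo():
    now = saml_time("2024-07-01T10:01:00Z")
    sp = AssertionValidator(IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL)
    fresh_sp = lambda: AssertionValidator(IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL)
    other_sp = AssertionValidator(IDP_ENTITY_ID, "https://other-sp.example", ACS_URL)
    return {
        "fresh": sp.validate(ASSERTION, "_request-42", now),
        "replayed": sp.validate(ASSERTION, "_request-42", now),
        "wrong_request": fresh_sp().validate(ASSERTION, "_request-99", now),
        "late": fresh_sp().validate(ASSERTION, "_request-42", now + timedelta(minutes=10)),
        "other_sp": other_sp.validate(ASSERTION, "_request-42", now),
    }
```

The audience and recipient checks are the ones most often skipped in hand-rolled SP code, and they are what stop an assertion minted for one service from being replayed against another one in the same federation. Allowing a small clock skew is normal, but it should be a minute or so, not the hours that "fix" a misconfigured IdP clock.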
Overview of Azure AD
Deployment lessons from the real world
Outline items that can accelerate your deployment
Avoid things that can slow you down
Deep Dive on common technical challenges and how to overcome them
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010 by Michael Noel
Organizations planning for Extranet access to SharePoint 2010, or faced with providing access to an Intranet from multiple internal authentication platforms, often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. Isolating content from a security perspective while still providing a collaborative space for end users is complex, and if not done correctly can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including Claims-based authentication, and advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management for SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers. • Review Extranet design options with SharePoint 2010 • Understand the need for identity management across SharePoint farms • Examine real world deployment guidance and architecture for SharePoint environments using multiple authentication providers
O365con14 - moving from on-premises to online, the road to follow by NCCOMMS
This document provides links to numerous Microsoft technical support and documentation pages related to Office 365, Azure Active Directory, identity management, multi-factor authentication, and directory synchronization. The pages cover topics such as configuring directory synchronization between on-premises Active Directory and Azure AD, managing user identities and authentication in hybrid cloud environments, and using multi-factor authentication to secure access to Office 365 applications and services.
SPCA2013 - It’s Me, and Here’s My Proof: Identity & Authentication in SharePoin... by NCCOMMS
This document provides an overview of identity and authentication in SharePoint 2013 and Office 365. It begins with a primer on authentication and authorization concepts. It then covers Windows authentication, trusted claims providers, service delegation between servers, and authorization for apps. It discusses the various identity management options for integrating on-premises Active Directory with Office 365 through options like online IDs, directory synchronization, and federation.
This document discusses identity management options for integrating on-premises directories with Office 365. It describes scenarios for cloud identity without integration, directory synchronization using password sync or federation, and federation options like ADFS, Shibboleth, and third-party identity providers. Directory synchronization can be used to integrate Active Directory or non-AD sources with options like DirSync, FIM, and PowerShell for provisioning users.
A Technical Guide To Deploying Single Sign On by Gabriella Davis
This document provides instructions for configuring different single sign-on options for IBM Notes clients, including Notes Shared Logon, LDAP authentication, Kerberos/SPNEGO/IWA, and SAML. It describes what each option does, examples of how it works, and requirements to set it up. SAML provides single sign-on across multiple systems using a centralized identity provider, but has more complex setup involving configuring identity providers, service providers, certificates, and policies in both Active Directory and Domino.
SAML and Other Types of Federation for Your Enterprise by Denis Gundarev
This document discusses federated authentication and SAML. It defines key concepts like identity management, identification, authentication and authorization. It explains how federation works using standards like SAML and allows single sign-on across organizational boundaries. Specific examples are provided of SAML identity providers, service providers and how products like Active Directory Federation Services, NetScaler and XenApp/XenDesktop support federated authentication.
This document provides an overview of Office 365 for IT professionals presented by Andy Malone. It begins with an introduction of Andy Malone and his background. The bulk of the document then explores various components and capabilities of Office 365 including exploring Office 365, understanding data storage locations, identity management with Azure Active Directory, provisioning accounts, and Exchange Online. It provides summaries of key Office 365 services and components. The document concludes with some final tips and thoughts on Office 365 and links to additional tools and resources.
IAM/IRM CONSIDERATIONS FOR SAAS PROVIDER SELECTION by ForgeRock
This document discusses important identity and access management (IAM) considerations for selecting a software-as-a-service (SaaS) provider. It outlines key questions to ask the SaaS provider regarding support for single sign-on protocols, ease of provisioning and de-provisioning users, whether their technical environment fits the organization's constraints, and ability to test integration before going live. The document also covers identity lifecycle management standards like SCIM and questions for IAM experts on how federation can be made easier.
Planning Extranet Environments with SharePoint 2010 by Michael Noel
Organizations planning for Extranet access to SharePoint 2010, or faced with providing access to an Intranet from multiple internal authentication platforms, often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. Isolating content from a security perspective while still providing a collaborative space for end users is complex, and if not done correctly can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management for SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers.
ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs... by ITProceed
Active Directory Federation Services (AD FS) is the Microsoft technology that bridges your on-premises identity systems to cloud identity providers such as Azure Active Directory. Colleagues depend on a reliable yet cost-effective deployment of AD FS, and it is our job as IT Pros to make it happen. This session covers the 10 most common mistakes we see in the field in organizations that have deployed AD FS and performed a hybrid identity deployment. Learn from their mistakes, so you don't have to make them.
This document provides an overview of identity management options in Office 365 and describes the Synchronized Identity Model (DirSync), Federated Identity Model (SSO), and key considerations for each. It compares the models based on organization size and capabilities like single sign-on and management of credentials. The Synchronized Identity Model uses Azure Active Directory Connect to synchronize on-premises directories with Azure AD. The Federated Identity Model implements Security Assertion Markup Language for single sign-on using federation servers like Active Directory Federation Services.
With a complete new Identity/Access Management Suite on the Oracle market, one might forget the good old SSO server bundled with each and every IAS server. Although it has some out-of-the-box capabilities like WNA and X509 certificate support, it can be quite hard to set up an authentication scheme just the way you (or your customers) like it. Using a case study, this presentation discusses how you can extend Oracle's Single Sign On (SSO) server to your needs. It will discuss:
- Integration & authentication with smartcard passports (eID)
- Authentication with digital certificates
- Implementing fallback authentication schemes
- Integration with SSL terminators and reverse proxies
- DIY federated authentication
- Writing your own SSO plugin
The solutions presented are part of AXI NV/BV's portfolio.
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me? by Scott Hoag
Office 365 brings a host of productivity options, but one of the most overlooked components is how we'll authenticate to The Cloud™. With Microsoft Azure Active Directory driving access and authentication to our Office 365 tenants, it is important to understand how we can interact with it. Join us as we explore Cloud Identity, identity federation, directory synchronisation, and most importantly Azure and its impacts on user experience and access Office 365. Throughout this session, we'll answer the questions that impact you and how your decisions around identity shape your Office 365 experience.
This document provides an overview of identity management and authentication options for Office 365. It discusses the key concepts of identity federation using protocols like SAML and WS-Federation. It also summarizes the different identity synchronization and single sign-on options available in Office 365 for organizations of different sizes, including password synchronization, directory synchronization, federated identity, and cloud identity. The advantages and requirements of each approach are outlined.
Develop iOS and Android apps with SharePoint/Office 365 by Kashif Imran
This document provides an agenda and overview for developing iOS and Windows Store apps using Office 365/SharePoint 2013. It discusses what mobile apps are, why to build them, and how to use SharePoint/Office 365 as a backend. It demonstrates sample apps and covers development platforms, SharePoint APIs, authentication, and code reviews.
The document discusses how to deliver a Windows 7 experience on Windows Server 2008 R2. It describes that the Windows 7 experience refers to features included in the Desktop Experience package. It then details various methods to enable these features, including manually configuring settings, using tools from Citrix, and scripts available on the Citrix code sharing site. The presentation recommends using the XenApp 6 Service Provider Automation Pack to enable the Windows 7 look and feel.
This document discusses the tools used by Dan Brinkmann to consume, organize, and create data. It outlines the RSS feeds, Twitter, and Pocket apps he uses to gather content from across the web. It also describes the Office Suite, Evernote, Google Docs, WordPress, and OmniGraffle tools he leverages to consolidate insights and produce new written works, diagrams, and blog posts. He is still on the lookout for solutions that can manage follow-up tasks and allow sharing of data across all of his devices.
This document provides guidance on designing a virtual desktop infrastructure (VDI). It discusses key decision points around the hypervisor, servers, and storage. It recommends determining user groups, applications, and requirements through piloting before finalizing the design. The document also analyzes options for the hypervisor, servers including CPU, memory, and local storage considerations, and storage including the impact of VM density and hidden capacity needs. Monitoring IOPS and latency is emphasized as critical to ensuring a successful VDI deployment.
VDI projects often fail due to lack of proper planning and testing. Key reasons for failure include not understanding compute and storage requirements, guessing at user needs rather than measuring them, and insufficient testing with real users and applications. Proper testing is needed to understand peak usage periods, application impacts on performance over time, and how the system performs at scale.
This document summarizes Citrix's remote access solutions, including the Citrix Secure Gateway (CSG), Citrix Access Gateway Standard (CAG), and Citrix Access Gateway Enterprise Edition (CAG-EE). It also discusses the Netscaler platform. The CSG is now end-of-life with no support for newer features. The CAG provides ICA proxy and SSL VPN capabilities on a physical or virtual appliance. The CAG-EE has additional features like endpoint analysis and load balancing. The Netscaler provides all CAG-EE functions plus load balancing of StoreFront and XenApp/XenDesktop resources. The document discusses factors in choosing between a physical or virtual appliance deployment.
This document provides an overview of new features in vSphere 5 including:
- ESXi only architecture with no service console and smaller security footprint.
- New ESXi shell and vCLI commands for simplified management.
- Enhancements to features like vMotion, DRS, HA, and new features like Auto Deploy, Storage DRS, and ESXi firewall.
- Performance improvements and support for new hardware like USB 3.0 and larger VMs.
- Summary of changes to management tools including new vSphere Web Client.
vSphere provides tools like vCenter, ESXTOP, and PowerCLI to monitor the performance of CPU, memory, network, and storage. Key metrics include CPU and memory usage, network packet drops, storage latency, and swap rates. Issues like oversubscription, capacity limitations, and configuration errors can be identified by watching for saturated resources, dropped packets, and high latency or queueing. External monitoring of physical infrastructure can also provide useful visibility.
7 Most Powerful Solar Storms in the History of Earth by Enterprise Wired
Solar storms (geomagnetic storms) are the motion of accelerated charged particles in the solar environment at high velocities due to coronal mass ejections (CMEs).
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In by TrustArc
Six months into 2024, and it is clear the privacy ecosystem takes no days off!! Regulators continue to implement and enforce new regulations, businesses strive to meet requirements, and technology advances like AI have privacy professionals scratching their heads about managing risk.
What can we learn about the first six months of data privacy trends and events in 2024? How should this inform your privacy program management for the rest of the year?
Join TrustArc, Goodwin, and Snyk privacy experts as they discuss the changes we’ve seen in the first half of 2024 and gain insight into the concrete, actionable steps you can take to up-level your privacy program in the second half of the year.
This webinar will review:
- Key changes to privacy regulations in 2024
- Key themes in privacy and data governance in 2024
- How to maximize your privacy program in the second half of 2024
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em... by Erasmo Purificato
Slide of the tutorial entitled "Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Emerging Trends" held at UMAP'24: 32nd ACM Conference on User Modeling, Adaptation and Personalization (July 1, 2024 | Cagliari, Italy)
Kief Morris rethinks the infrastructure code delivery lifecycle, advocating for a shift towards composable infrastructure systems. We should shift to designing around deployable components rather than code modules, use more useful levels of abstraction, and drive design and deployment from applications rather than bottom-up, monolithic architecture and delivery.
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
Are you interested in dipping your toes in the cloud native observability waters, but as an engineer you are not sure where to get started with tracing problems through your microservices and application landscapes on Kubernetes? Then this is the session for you, where we take you on your first steps in an active open-source project that offers a buffet of languages, challenges, and opportunities for getting started with telemetry data.
The project is called openTelemetry, but before diving into the specifics, we’ll start with de-mystifying key concepts and terms such as observability, telemetry, instrumentation, cardinality, percentile to lay a foundation. After understanding the nuts and bolts of observability and distributed traces, we’ll explore the openTelemetry community; its Special Interest Groups (SIGs), repositories, and how to become not only an end-user, but possibly a contributor.We will wrap up with an overview of the components in this project, such as the Collector, the OpenTelemetry protocol (OTLP), its APIs, and its SDKs.
Attendees will leave with an understanding of key observability concepts, become grounded in distributed tracing terminology, be aware of the components of openTelemetry, and know how to take their first steps to an open-source contribution!
Key Takeaways: Open source, vendor neutral instrumentation is an exciting new reality as the industry standardizes on openTelemetry for observability. OpenTelemetry is on a mission to enable effective observability by making high-quality, portable telemetry ubiquitous. The world of observability and monitoring today has a steep learning curve and in order to achieve ubiquity, the project would benefit from growing our contributor community.
Quality Patents: Patents That Stand the Test of Time by Aurora Consulting
Is your patent a vanity piece of paper for your office wall? Or is it a reliable, defendable, assertable, property right? The difference is often quality.
Is your patent simply a transactional cost and a large pile of legal bills for your startup? Or is it a leverageable asset worthy of attracting precious investment dollars, worth its cost in multiples of valuation? The difference is often quality.
Is your patent application only good enough to get through the examination process? Or has it been crafted to stand the tests of time and varied audiences if you later need to assert that document against an infringer, find yourself litigating with it in an Article 3 Court at the hands of a judge and jury, God forbid, end up having to defend its validity at the PTAB, or even needing to use it to block pirated imports at the International Trade Commission? The difference is often quality.
Quality will be our focus for a good chunk of the remainder of this season. What goes into a quality patent, and where possible, how do you get it without breaking the bank?
** Episode Overview **
In this first episode of our quality series, Kristen Hansen and the panel discuss:
⦿ What do we mean when we say patent quality?
⦿ Why is patent quality important?
⦿ How to balance quality and budget
⦿ The importance of searching, continuations, and draftsperson domain expertise
⦿ Very practical tips, tricks, examples, and Kristen’s Musts for drafting quality applications
https://www.aurorapatents.com/patently-strategic-podcast.html
Quantum Communications Q&A with Gemini LLM. These are based on Shannon's Noisy channel Theorem and offers how the classical theory applies to the quantum world.
How Social Media Hackers Help You to See Your Wife's Message by HackersList
In the modern digital era, social media platforms have become integral to our daily lives. These platforms, including Facebook, Instagram, WhatsApp, and Snapchat, offer countless ways to connect, share, and communicate.
Details of description part II: Describing images in practice - Tech Forum 2024 by BookNet Canada
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and transcript: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo... by Chris Swan
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge.
You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter.
The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
Implementations of Fused Deposition Modeling in real world by Emerging Tech
11. Definition of Terms
SAML
• Security Assertion Markup Language
OAuth
• Open standard for authorization
Federation
• You’ve authenticated to a different system than the one you’re trying to access, your identity has been proven by a 3rd party, and on that basis you’re being allowed into this system
18. Why not use Active Directory?
Bad admin
>>passwords.txt
19. Why not use Active Directory?
No Trust
Bad admin
>>passwords.txt
20. IdP / SP Architecture
[Diagram: SaaS Solution side = Service Provider (SP); Enterprise side = Identity Provider (IDP) backed by Active Directory over LDAP; a Trust links SP and IdP, and signed Claims flow from the IdP to the SP]
21. Common IdPs
Ping Identity PingFederate
CA SiteMinder
Microsoft ADFS
Shibboleth
Okta
22. Microsoft ADFS
ADFS 1.0 - Part of Windows 2003 R2
ADFS 1.1 - Part of Windows 2008 and R2 (Installed as Role from Server Mgr)
Used SAML 1.x so forget about these
23. Microsoft ADFS
ADFS 2.0 - Released after Windows 2008 R2 as a standalone download
ADFS 2.1 - Part of Windows Server 2012 and installed as a Role
ADFS 3.0 - Part of Windows Server 2012 R2 and installed as a Role Service
ADFS 2.x relies on IIS
ADFS 3.x is built on http.sys (IIS is not installed or needed)
27. IDP trusts Service Provider: Relying Party ID
“When a user requests claims from this Federation Service for the relying party, the relying party identifier will be used to identify the relying party for which the claims should be targeted”
Translate: Match incoming SP request to IdP Relying Party Trust configuration
28. IDP trusts Service Provider: Signature
SAML request from the Service Provider is signed
Not always used
31. IdP / SP Architecture
Authentication (AuthN)
[Diagram, AuthN step: the Enterprise Identity Provider (IDP) authenticates the user against Active Directory over LDAP; the SaaS Service Provider (SP) relies on its Trust with the IdP]
32. ADFS Authentication
[Diagram: ADFS Proxy in front of the ADFS Server, which queries Enterprise Active Directory over LDAP]
ADFS Proxy - 2.x
Web Application Proxy - 3.x
33. ADFS Authentication
Basic Authentication
• Username & password sent in clear text over network
• You should always use SSL/TLS
Windows Integrated (IWA)
• Kerberos, NTLMSSP
• Can work silently / background
34. ADFS Authentication
Forms
• Webpage
• 2FA
• Works with virtually any device
X509 / Client Certificates
35. ADFS Authentication Matrix
[Table: columns ADFS 2.x, ADFS 2.x Proxy, ADFS 3.x, Web Application Proxy; rows Basic Auth, Windows Integrated, Forms, X509 / Client Cert; the per-cell support marks are not present in the text]
38. IdP / SP Architecture
Claims
[Diagram, Claims step: signed Claims pass from the Enterprise IdP (backed by Active Directory over LDAP) to the SaaS SP over the Trust]
39. Claims
SAML assertions contain claims
Attribute claims contain information about the user (email address)
Transformations can convert / modify data before creating the claim
43. IdP / SP Architecture
What does a SP do with the claim?
Verify trust information (cert)
Match claim against a user object in its database/directory
This database usually needs to be pre-populated, although it is possible to use the assertion / claims to do this
[Diagram: SaaS Solution, Service Provider (SP), receiving signed Claims]
44. IdP / SP Architecture
Claims
[Diagram: same IdP/SP architecture as slide 20 (SaaS SP, Enterprise IdP, Trust, signed Claims, Active Directory over LDAP); the SP side is populated with accounts]
61. Office 365 & Azure Active Directory Services
[Diagram: Local Active Directory acts as Identity Provider (IDP); Azure Active Directory acts as Service Provider (SP); Claims flow from the local AD to Azure AD]
62. Office 365 & Azure Active Directory Services
[Diagram: Local Active Directory as Identity Provider (IDP), Azure Active Directory as Service Provider (SP)]
63. Office 365 & Azure Active Directory Services
[Diagram: Local Active Directory as Identity Provider (IDP), Azure Active Directory as Service Provider (SP)]
64. DirSync
DirSync populates Azure Active Directory with user accounts and groups from a local Active Directory
http://blogs.office.com/2014/04/15/synchronizing-your-directory-with-office-365-is-easy/
73. Office 365 Federated Login
Authorization succeeds, account is matched to O365 mail account
74. Problem Solved?
How many times would you want to do this on a mobile device?
SAML / WS-Federation is a heavy process
2-factor authentication is a common enterprise IdP implementation
Cumbersome to end users
75. Problem Solved?
How can we streamline AuthN?
Cache password on mobile device
• What about 2FA?
• Apps get complete access to a user’s account
• Users can’t revoke access to an app / device except by changing their password
• Compromised apps expose the user’s password
• Remember WebDav?
76. Enter OAuth
AuthZ
Authorization (AuthZ) without passwords
Tokens can be revoked
Tokens can be scoped
Tokens can be time-limited
Lightweight
77. Example OAuth Token
{"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com",
"access_files_folders":true,"change_my_settings":true,"admin_users":true,
"expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB….",
"subdomain":"danbrinkmann","modify_files_folders":true,
"web_app_login":true,"admin_accounts":true,"appcp":"sharefile.com",
"access_token":"m5rU7aWB….."}
78. OAuth vs SAML Token
And I even trimmed out the signing certificate of the SAML Token
{"expires_in":28800,"token_type":"bearer","apicp":"sharefile.com",
"access_files_folders":true,"change_my_settings":true,"admin_users":true,
"expires_at_unix":"1,405,816,443.33826","refresh_token":"m5rU7aWB….",
"subdomain":"danbrinkmann","modify_files_folders":true,
"web_app_login":true,"admin_accounts":true,"appcp":"sharefile.com",
"access_token":"m5rU7aWB….."}
<samlp:Response ID="_97c40e4a-d04e-409d-8ecc-1a2728f87873" Version="2.0" IssueInstant="2013-01-21T17:50:41.470Z" Destination="https://onprem.sharefile.com/saml/acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
<Assertion ID="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca" IssueInstant="2013-01-21T17:50:41.470Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://adfs.sharefiletest.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>KXdq8sGKJoFSBSB9YkF9LN7/8Ik=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>aUaw…dzA==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIC…KOw==</ds:X509Certificate></ds:X509Data></KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">juliano.maldaner@citrix.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_ef94eec3026e4b49b86d6d162a3def59" NotOnOrAfter="2013-01-21T17:55:41.470Z" Recipient="https://onprem.sharefile.com/saml/acs" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
<AudienceRestriction><Audience>http://onprem.sharefile.com/saml/info</Audience></AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>juliano.maldaner@citrix.com</AttributeValue></Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2013-01-21T17:50:41.429Z" SessionIndex="_f1ad9c25-5632-414e-9b9c-e80d08c1f3ca">
<AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
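The SP-side processing from slide 43 (verify trust, then match the claim against a pre-populated user object), applied to a response with the same structure as the ADFS one on slide 78. This is an added example, not code from the presentation; it assumes signature verification has already been done by the caller, and the sp.example URLs, request id and account table are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample, trimmed to the elements these checks read (hypothetical
# sp.example URLs, signature element omitted); same shape as the slide-78 response.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['p']}" InResponseTo="_req1"
  Destination="https://sp.example/saml/acs">
 <Assertion xmlns="{NS['a']}" ID="_a1">
  <Subject><NameID>alice@example.com</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example/saml/acs"
      NotOnOrAfter="2013-01-21T17:55:41.470Z"/></SubjectConfirmation></Subject>
  <Conditions NotBefore="2013-01-21T17:50:41.467Z" NotOnOrAfter="2013-01-21T18:50:41.467Z">
   <AudienceRestriction><Audience>https://sp.example/saml/info</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement><Attribute Name="{UPN}"><AttributeValue>alice@example.com</AttributeValue>
  </Attribute></AttributeStatement>
 </Assertion></samlp:Response>"""

def ts(s):  # SAML timestamps are UTC with millisecond precision
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def accept_assertion(xml, request_id, acs_url, audience, accounts, now):
    """SP-side checks after XML signature verification (assumed done by the caller).
    Returns (matched local account or None, reason)."""
    root = ET.fromstring(xml)
    a = root.find("a:Assertion", NS)
    cond = a.find("a:Conditions", NS)
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    # 1. time window of the assertion and of the bearer confirmation
    if not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")):
        return None, "outside Conditions window"
    if now >= ts(scd.get("NotOnOrAfter")):
        return None, "bearer confirmation expired"
    # 2. the assertion was issued for this SP and delivered to its ACS endpoint
    if audience not in [x.text for x in cond.findall("a:AudienceRestriction/a:Audience", NS)]:
        return None, "audience mismatch"
    if root.get("Destination") != acs_url or scd.get("Recipient") != acs_url:
        return None, "recipient/destination mismatch"
    # 3. it answers a request this SP actually sent (unsolicited / replayed responses fail)
    if root.get("InResponseTo") != request_id or scd.get("InResponseTo") != request_id:
        return None, "unsolicited or replayed response"
    # 4. slide 43: match the UPN claim against a pre-populated user object
    upn = a.find(f"a:AttributeStatement/a:Attribute[@Name='{UPN}']/a:AttributeValue", NS)
    user = accounts.get(upn.text) if upn is not None else None
    return (user, "ok") if user else (None, "no pre-populated account for claim")
```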
79. OAuth in Consumer Lives
Creating a separate username / password not required
82. How OAuth is used in Enterprise Apps
Instead of AuthN each time use AuthZ
Protect mobile application using PIN / Passcode
83. Mobile App Solution
1. Authenticate via IdP (FTU)
2. Exchange SAML Token for OAuth Token
3. Use OAuth Access Token to access the application
84. Mobile App Solution
If the Access Token fails, get a new one using the Refresh Token
If the Refresh Token fails, then prompt the user to re-authenticate via IdP
85. Summary
Federation necessary for next-generation & mobile applications
[Diagram: Authentication (AuthN) = SAML; Authorization (AuthZ) = OAuth with refresh token]
send API request with access token
If access token is invalid, try to update it using refresh token
if refresh request passes, update the access token and re-send the initial API request
If refresh request fails, ask user to re-authenticate
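The access-token / refresh-token retry logic of slides 84 and 85 as a small client, with the token endpoint and resource server simulated in-process so the flow runs offline. This is an added example, not code from the presentation; the token shape follows the slide-77 sample (access_token, refresh_token, expires_in), and the FakeAuthServer, call_api and all token values are constructed.

```python
class FakeAuthServer:
    """Stand-in for the IdP-backed token endpoint: issues bearer tokens shaped like
    the slide-77 sample and honours revocation (slide 76). Constructed, not real."""
    def __init__(self):
        self.valid_access, self.valid_refresh, self.issued = set(), set(), 0

    def exchange_saml_for_oauth(self, saml_subject):
        # Slide 83: after the SAML login (FTU) the SAML token is traded for OAuth tokens
        return self._issue()

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            return None                                # revoked or expired: slide 84's failure branch
        self.valid_refresh.discard(refresh_token)      # rotate: a refresh token is used once
        return self._issue()

    def revoke_access(self, access_token):
        self.valid_access.discard(access_token)

    def _issue(self):
        self.issued += 1
        tok = {"token_type": "bearer", "expires_in": 28800,
               "access_token": f"at{self.issued}", "refresh_token": f"rt{self.issued}"}
        self.valid_access.add(tok["access_token"])
        self.valid_refresh.add(tok["refresh_token"])
        return tok

def call_api(server, access_token, path):
    """Resource server: a bearer token that is unknown or revoked gets 401."""
    if access_token in server.valid_access:
        return 200, f"data for {path}"
    return 401, "invalid_token"

class MobileClient:
    def __init__(self, server, token, reauthenticate):
        self.server, self.token = server, token
        self.reauthenticate = reauthenticate   # callable: prompt user, log in via IdP, exchange again
        self.events = []

    def request(self, path):
        status, body = call_api(self.server, self.token["access_token"], path)
        if status != 401:
            return status, body
        self.events.append("access token rejected, trying refresh")
        new = self.server.refresh(self.token["refresh_token"])
        if new is None:
            self.events.append("refresh failed, re-authenticating via IdP")
            new = self.reauthenticate()
        self.token = new
        return call_api(self.server, self.token["access_token"], path)  # re-send original request
```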