Tuesday, May 17, 2016

Enabling FIDO U2F Multi-Factor Authentication for the AWS Management Console with the WSO2 Identity Server

This tutorial on Medium explains how to enable authentication for the AWS Management Console against the corporate LDAP server and then enable multi-factor authentication (MFA) with FIDO. FIDO is fast becoming the de facto standard for MFA, backed by the top players in the industry, including Google, PayPal, Microsoft, Alibaba, Mozilla, eBay and many more.


Wednesday, May 11, 2016

How Does Netflix Secure Microservices with Short-Lived Certificates?

Today we had our 6th Silicon Valley IAM meetup at the WSO2 office in Mountain View. We were glad to have Bryan Payne from Netflix talk on the topic — ‘PKI at Scale Using Short-Lived Certificates’. Bryan leads the Platform Security team at Netflix; prior to Netflix, he was the Director of Security Research at Nebula.

This post on Medium is written based on Bryan’s talk at the meetup and other related resources.

Friday, May 6, 2016

JSON Message Signing Alternatives

In this post we explore the following alternatives available to sign a JSON message and then build a comparison between them.
  • JSON Web Signature (JWS)
  • JSON Cleartext Signature (JCS)
  • Concise Binary Object Representation (CBOR) Object Signing
Read the complete article on Medium.

Tuesday, April 26, 2016

JWT, JWS and JWE for Not So Dummies!

JSON Web Token (JWT) defines a container to transport data between interested parties. It became an IETF standard in May 2015 with RFC 7519. There are multiple applications of JWT; OpenID Connect is one of them. In OpenID Connect the id_token is represented as a JWT. Both in securing APIs and in securing microservices, JWT is used as a way to propagate and verify end-user identity.

This article on Medium explains JWT, JWS and JWE in detail, along with their applications.

Saturday, April 23, 2016

GSMA Mobile Connect vs OpenID Connect

Mobile Connect is an initiative by GSMA. The GSMA represents the interests of mobile operators worldwide, uniting nearly 800 operators with more than 250 companies in the broader mobile ecosystem, including handset and device makers, software companies, equipment providers and internet companies, as well as organizations in adjacent industry sectors. The Mobile Connect initiative by GSMA focuses on building a standard for user authentication and identity services between mobile network operators (MNO) and service providers.


This article on Medium explains the GSMA Mobile Connect API and shows how it differs from the OpenID Connect core specification.

Saturday, April 16, 2016

Thirty Solution Patterns with the WSO2 Identity Server

WSO2 offers a comprehensive open source product stack to cater to all the needs of a connected business. With a single code base, WSO2 products are woven together to solve many complex enterprise-level identity management and security problems. By believing in open standards and supporting most of the industry-leading protocols, the WSO2 Identity Server is capable of providing seamless integration with a wide array of vendors in the identity management domain. The WSO2 Identity Server is one of the most powerful open source Identity and Entitlement Management servers, released under the business-friendly Apache 2.0 license.

This article on Medium explains thirty solution patterns, built with the WSO2 Identity Server and other WSO2 products, that solve enterprise-level security and identity management problems.

Monday, April 11, 2016

Securing Microservices with OAuth 2.0, JWT and XACML

‘Microservices’ is one of the trendiest buzzwords, along with the Internet of Things (IoT). Everyone talks about microservices and everyone wants to have microservices implemented. The term ‘microservice’ was first discussed at a software architects’ workshop in Venice, in May 2011. It was used to describe a common architectural style the participants had been observing for some time. With the granularity of the services and the frequent interactions between them, securing microservices is challenging. This post, which I published on Medium, presents a security model based on OAuth 2.0, JWT and XACML to overcome such challenges.