SSOCircle and IDPee now support different SAML2 authentication contexts. The SP can now require that a user is authenticated at a specified security strength. SSOCircle determines the current authentication level and, if necessary, asks the user to reauthenticate at the stronger level.
Think of three different use cases. Take a simple bookmarking application that is accessed from a mobile device: for convenience you might decide to use simple automatic user recognition by MSISDN at SSOCircle. But when you then access your email at Google Apps, you definitely want better protection for your messages, so SSOCircle now enforces username/password authentication and upgrades your existing session. Now consider that you want to look at your company's sales report application. In this case username/password might not be enough: the application may require that you are authenticated with an X.509 client certificate issued to your smart card token.
Read our technical description for a detailed explanation of how all this works, what you have to do to leverage authentication context levels, and which levels SSOCircle and IDPee support. Also have a look at our secure lightbulb example, which extends the earlier lightbulb application into a demonstration of how an application can enforce stronger authentication.
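The exchange described above, as an added example in Go that is not SSOCircle's or IDPee's code: the SP places a RequestedAuthnContext in its AuthnRequest, and the IdP parses it and compares the class of the user's existing session against it under the SAML 2.0 Comparison rules (exact, minimum, better) to decide whether a step-up is needed. The class URIs are the standard SAML 2.0 ones; the ranking among them, the SP issuer URL and the request ID are assumptions made for the example.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Standard SAML 2.0 authentication context class URIs for the three scenarios.
const (
	CtxMobileUnregistered = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered" // MSISDN recognition
	CtxPasswordProtected  = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"  // username/password over TLS
	CtxSmartcardPKI       = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"                // X.509 cert on a smart card
)

// strength is an ASSUMED ranking of these classes; a real IdP defines its own ordering.
var strength = map[string]int{
	CtxMobileUnregistered: 1,
	CtxPasswordProtected:  2,
	CtxSmartcardPKI:       3,
}

// RequestedAuthnContext is the SAML 2.0 protocol element the SP uses to demand a level.
type RequestedAuthnContext struct {
	XMLName              xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol RequestedAuthnContext"`
	Comparison           string   `xml:"Comparison,attr,omitempty"`
	AuthnContextClassRef []string `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContextClassRef"`
}

// AuthnRequest carries only the fields this example needs.
type AuthnRequest struct {
	XMLName               xml.Name               `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID                    string                 `xml:"ID,attr"`
	Version               string                 `xml:"Version,attr"`
	IssueInstant          string                 `xml:"IssueInstant,attr"`
	Issuer                string                 `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	RequestedAuthnContext *RequestedAuthnContext `xml:"urn:oasis:names:tc:SAML:2.0:protocol RequestedAuthnContext"`
}

// NewAuthnRequest is the SP side: build the request that asks for the given classes.
func NewAuthnRequest(issuer, id, instant, comparison string, classes ...string) ([]byte, error) {
	req := AuthnRequest{
		ID: id, Version: "2.0", IssueInstant: instant, Issuer: issuer,
		RequestedAuthnContext: &RequestedAuthnContext{Comparison: comparison, AuthnContextClassRef: classes},
	}
	return xml.MarshalIndent(req, "", "  ")
}

// ParseAuthnRequest is the IdP side: read the SP's demand back out of the XML.
func ParseAuthnRequest(data []byte) (*AuthnRequest, error) {
	var req AuthnRequest
	if err := xml.Unmarshal(data, &req); err != nil {
		return nil, err
	}
	return &req, nil
}

// Satisfied reports whether a session already authenticated at class current
// meets the request; false means the IdP must re-authenticate the user at a
// stronger level (step-up).
func Satisfied(current string, req RequestedAuthnContext) (bool, error) {
	cur, ok := strength[current]
	if !ok {
		return false, fmt.Errorf("unknown current context %q", current)
	}
	comparison := req.Comparison
	if comparison == "" {
		comparison = "exact" // SAML default when the attribute is absent
	}
	switch comparison {
	case "exact", "minimum":
		for _, want := range req.AuthnContextClassRef {
			w, ok := strength[want]
			if !ok {
				return false, fmt.Errorf("unsupported requested context %q", want)
			}
			if cur == w || (comparison == "minimum" && cur > w) {
				return true, nil
			}
		}
		return false, nil
	case "better": // strictly stronger than every listed class
		for _, want := range req.AuthnContextClassRef {
			w, ok := strength[want]
			if !ok {
				return false, fmt.Errorf("unsupported requested context %q", want)
			}
			if cur <= w {
				return false, nil
			}
		}
		return len(req.AuthnContextClassRef) > 0, nil
	default:
		return false, fmt.Errorf("unknown Comparison %q", comparison)
	}
}

func main() {
	// Constructed scenario: the mail SP demands at least password authentication.
	data, err := NewAuthnRequest("https://mail.example.test/sp", "_req-1", "2008-06-08T10:00:00Z", "minimum", CtxPasswordProtected)
	if err != nil {
		panic(err)
	}
	req, err := ParseAuthnRequest(data)
	if err != nil {
		panic(err)
	}
	for _, session := range []string{CtxMobileUnregistered, CtxPasswordProtected, CtxSmartcardPKI} {
		ok, _ := Satisfied(session, *req.RequestedAuthnContext)
		fmt.Printf("session %s -> step-up needed: %v\n", session, !ok)
	}
}
```

Running it shows the MSISDN session being sent to step-up while the password and smart card sessions pass; the same Satisfied call with Comparison "exact" and SmartcardPKI is what the sales report application's request would trigger.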
Posts Tagged ‘X.509’
Service Provider controlled Security Levels
Sunday, June 8th, 2008
Strong Two Factor Authentication with USB Hardware Smart Card Tokens
Saturday, November 10th, 2007
Continuing the road to secure strong authentication, SSOCircle now supports USB hardware smart card tokens. These tokens combine a smart card and a smart card reader in one device with a USB interface. Because of their small size, they can easily be attached to a key ring. Have you ever been worried about using a public internet terminal? Have you been bothered by the thought that a keystroke logger could be installed on the PC and be grabbing your passwords? If yes, the ePass USB smart card token is the perfect solution for you. SSOCircle now offers automatic enrollment of X.509 certificates to ePass USB tokens. Just enroll a certificate at SSOCircle.com, go to the internet cafe, insert the stick and single sign on to SSOCircle and all integrated Service Providers. After finishing your work, log out, remove the USB token and be 100% safe: nobody can grab your credentials and reuse them. The certificate store on the token cannot be exported or copied from the stick. That's simply the meaning of two-factor authentication: one thing you know (the PIN of the token) and one thing you have (the token itself). Security made simple.
ePass tokens can be used without installing drivers. For Firefox you only need to set up the security device. To ease that step we now provide a Firefox addon. The addon probes for the PKCS#11 libraries, creates the device and imports the SSOCircle CA certificates automatically.
But if you think that installing an addon is not feasible on a public terminal, read this: StorePass combines flash memory and a smart card in one device and, cool as it is, it doesn't need a driver. So just put your fully configured Firefox on the flash storage, start the browser from the stick and off you go.

If you are looking for the ePass or the StorePass, please visit RS-Computer.
Technical note: ePass2000ft11 tokens work on Windows 98SE/Me/2000/XP/Server 2003/Vista, Linux and MacOS. For use with Firefox you only need the PKCS#11 library, no additional drivers.
StorePass is a device combining flash storage and the ePass smart card functionality.
For more information and details visit RS-Computer.
Strong Authentication and Public Key Infrastructure
Saturday, August 18th, 2007
As one of our main goals has always been the improvement of authentication security, SSOCircle is now offering Strong Authentication with X.509 Certificates and a PKI supporting automatic enrollment of certificates. Using certificate-based authentication reduces the threat of phishing (a malicious site that pretends to be the login mask of some other site and reads your password, no matter whether it was encrypted over the wire or not). With certificate-based login there is no need to let your password travel over the network.
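An added example, not SSOCircle's code, of the acceptance check behind certificate-based login: a constructed enrollment CA issues a user certificate, and the IdP side accepts a presented certificate only when it chains to that CA, is within its validity period and carries the client-authentication extended key usage. Nothing secret crosses the wire in this check; the user proves possession of the private key during the TLS handshake, which is outside this snippet. The CA and user names are constructed and the certificates are generated in memory; a real deployment would load its enrollment CA from a trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a self-signed issuing CA (stands in for the IdP's enrollment CA; constructed).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// Enroll issues a user certificate as an enrollment step would; purpose is
// ClientAuth for login, or another EKU to show the acceptance check refusing it.
func Enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, serial int64, purpose x509.ExtKeyUsage) (*x509.Certificate, error) {
	now := time.Now()
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{purpose},
	}, ca, caKey)
	return cert, err
}

// VerifyLogin is the IdP-side check: the presented certificate must chain to a
// trusted CA, be inside its validity period and be marked for client
// authentication. On success it returns the identity to log in.
func VerifyLogin(presented *x509.Certificate, trusted *x509.CertPool) (string, error) {
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := NewCA("Example IdP Enrollment CA (constructed)")
	if err != nil {
		panic(err)
	}
	rogue, rogueKey, _ := NewCA("Rogue CA (constructed)")
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	good, _ := Enroll(ca, caKey, "alice", 2, x509.ExtKeyUsageClientAuth)
	fake, _ := Enroll(rogue, rogueKey, "alice", 3, x509.ExtKeyUsageClientAuth)
	wrongUse, _ := Enroll(ca, caKey, "alice", 4, x509.ExtKeyUsageServerAuth)
	for _, c := range []*x509.Certificate{good, fake, wrongUse} {
		user, err := VerifyLogin(c, pool)
		fmt.Printf("issuer=%q user=%q err=%v\n", c.Issuer.CommonName, user, err)
	}
}
```

Only the certificate issued by the trusted CA for client authentication yields a login identity; the same subject name signed by an untrusted CA, or issued with a server-only key usage, is rejected by Verify before any username is trusted.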