On February 27, Duo Security reported a vulnerability in SAML single sign-on that could enable attackers to easily take over a victim’s account. Vendors impacted by the vulnerability, such as Okta, OneLogin, OmniAuth, Clever Inc and the Shibboleth Consortium, have been alerted, although it’s difficult to identify and notify all users who could be at risk.
We are into the second month of 365 Days of Passport and we are publishing a free whitepaper. We debated long and hard if we should gate this whitepaper and require you to fill out a form to get access. After much thought, we’ve decided to open this whitepaper to everyone (including the Google bot). If you like this new direction and want us to open all our content (old and new), let us know by emailing us at email@example.com.
It’s week 3 of 365 Days of Passport. Today, we are going geek on you. Let’s talk about JWTs (JSON Web Tokens).
JWTs are becoming more and more ubiquitous. CIAM providers everywhere are pushing JWTs as the silver bullet for everything. JWTs are pretty cool, but let’s talk about some of the downsides of JWTs and other solutions you might consider.
The way I usually describe JWTs is that they are portable units of identity. That means they contain identity information as JSON and can be passed around to services and applications. Any service or application can verify a JWT on its own: the service or application receiving a JWT doesn’t need to ask the identity provider that generated it whether it is valid. Once a JWT is verified, the service or application can use the data inside it to take action on behalf of the user.
Over the years, we’ve tried a number of different methods for letting developers get their hands on our products to try them out. During our 365 Days of Passport, we are going to try something new.
Our new evaluation system will let anyone create an account with us and immediately get access to the installable version of our products. You’ll be able to download any of our bundles (DEBs, RPMs or ZIPs), install them on your dev box or on any server, and immediately start testing.
We also added another option to try our products. We created two sandbox servers in AWS, one for Passport and one for CleanSpeak. These sandboxes are open to the world and easy to log into. The username and password for our sandboxes will always be:
You will find the URL for the sandbox on your account page once you create an account. Once you log into the sandbox, you can edit the configuration, create API keys and start calling the APIs. We will periodically reset the sandbox servers, so don’t rely on your configuration and data always being there.
And finally, we still want to provide the ability to evaluate our products using one of our private-cloud servers. Since these servers do cost money for us to run, we’ve added a button to the account page for you to request a private-cloud server. Once we receive your request, someone from the Inversoft team will reach out to you and get your private-cloud server set up.
Keep in mind that Passport is single-tenant. That means that your user data is completely isolated from everyone else’s. That is why we start a separate server (or multiple servers) for each customer we host.
We hope this new evaluation model will help you quickly get started with either of our products. If you have questions or feedback, don’t hesitate to send it our way by emailing firstname.lastname@example.org.
We are a couple of days into 365 Days of Passport, and it’s time to give you a preview of our plans to grow.
The first step of our plan is a little counter-intuitive, specifically in the current market climate. Step one is to stay bootstrapped for all of 2018. We want to prove that even in a heavily VC-funded space like CIAM, you can build a better mousetrap without taking any money. We want to prove that bootstrapped companies can compete with the others who have $50M in the bank.