Security Alert: SAML Single Sign-On Is Vulnerable

Brian Pontarelli

On February 27, Duo Security reported SAML single sign-on has a vulnerability that could enable attackers to easily take over a victim’s account. Vendors impacted by the vulnerability such as Okta, OneLogin, OmniAuth, Clever Inc and the Shibboleth Consortium have been alerted, although it’s difficult to identify and notify all users who could be at risk.

Single-tenant vs. multi-tenant

Brian Pontarelli

We are into the second month of 365 Days of Passport and we are publishing a free whitepaper. We debated long and hard if we should gate this whitepaper and require you to fill out a form to get access. After much thought, we’ve decided to open this whitepaper to everyone (including the Google bot). If you like this new direction and want us to open all our content (old and new), let us know by emailing us at feedback@inversoft.com.

Let’s talk about JWTs baby!

Brian Pontarelli

It’s week 3 of 365 Days of Passport. Today, we are going geek on you. Let’s talk about JWTs (JSON Web Tokens).

JWTs are becoming more and more ubiquitous. CIAM providers everywhere are pushing JWTs as the silver bullet for everything. JWTs are pretty cool, but let’s talk about some of the downsides of JWTs and other solutions you might consider.

The way I usually describe JWTs is that they are portable units of identity. That means they contain identity information as JSON and can be passed around to services and applications. Any service or application can verify a JWT itself. The service/application receiving a JWT doesn’t need to ask the identity provider that generated the JWT if it is valid. Once a JWT is verified, the service or application can use the data inside it to take action on behalf of the user.

Tags:
JWT

New Evaluation System

Brian Pontarelli

Over the years, we’ve tried a number of different methods for letting developers get their hands on our products to try them out. During our 365 Days of Passport, we are going to try something new.

Our new evaluation system will let anyone create an account with us and immediately get access to the installable version of our products. You’ll be able to download any of our bundles (DEBs, RPMs or ZIPs), install on your dev box or on any server, and immediately start testing.

We also added another option to try our products. We created two sandbox servers in AWS, one for Passport and one for CleanSpeak. These sandboxes are open to the world and easy to log into. The username and password for our sandboxes will always be:

Let’s Bootstrap this Sucker

Brian Pontarelli

We are a couple of days into 365 Days of Passport, and it’s time to give you a preview of our plans to grow.

The first step of our plan is a little counter-intuitive, specifically in the current market climate. Step one is to stay bootstrapped for all of 2018. We want to prove that even in a heavily VC-funded space like CIAM, you can build a better mousetrap without taking any money. We want to prove that bootstrapped companies can compete with the others who have $50M in the bank.
