Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
EC2 Bootstrapper Update
May 15, 2009
The latest EC2 Bootstrapper code and developer specification has been added to the CodePlex site for that project. The specification document includes prototype screenshots as well as the latest graphic design mock-ups (integration of which is pending).
Good Geneva federation example
May 13, 2009
I was working at the Geneva (Microsoft’s claims-based access and federation technology; the next incarnation of ADFS) pod at TechEd this week and heard a good example of why such a technology is useful.
Suppose JW Secure has an internal website called http://paycheck for employees who want to view semi-monthly paystub information online. But as a cost-cutting measure, the company wants to outsource payroll processing to a company such as ADP. How to let employees continue to access the same information, with the same level of convenience, securely, while using ADP’s existing online services, without creating duplicate accounts or exposing non-essential infrastructure data externally? And let’s make it standards-based.
Geneva is a good approach. To accomplish this, JW Secure and ADP both set up a Geneva server. ADP’s Geneva server is configured to trust a limited set of claims from JW Secure’s Geneva server - for example, that a given token holder is in fact the named JW Secure employee (say, Dan Griffin).
Then, when user Dan Griffin opens http://paycheck from his desk, the internal server refers him to an external URL such as http://online.adp.com/jwsecure. The latter server determines that the user needs to be authenticated and refers Dan’s browser to ADP’s Geneva server. The latter server, based on the “jwsecure” in the referral URL, refers Dan’s browser back to JW Secure’s Geneva server.
So far, it’s just a chain of referrals, but here’s the magic. JW Secure’s Geneva server authenticates Dan using his internal Active Directory credentials (i.e., good old extensible Integrated Windows Authentication). Thus, authentication is seamless to Dan, and no shadow or duplicate accounts are required. The Geneva server then builds a SAML token for Dan, signs it with a key trusted by the ADP Geneva server, and refers Dan’s browser back to ADP.
Now, ADP’s Geneva server receives and validates Dan’s SAML token, determining if it trusts the claims made therein. Assuming it does, Dan views his paycheck on http://online.adp.com/jwsecure, having done nothing more than open his browser to http://paycheck (assuming he was already logged into his JW Secure domain account).
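The last two steps of that flow, as an added illustration that is not Geneva code and not from the original post: JW Secure’s server issues a signed token carrying claims about Dan, and ADP’s server accepts it only if the issuer is a configured partner, the signature verifies under that partner’s key, the token is unexpired and addressed to ADP, and then keeps only the claim types it was configured to trust from that partner. The key, issuer URNs and claim names are constructed, and an HMAC over the serialized claims stands in for the X.509 signature on a real SAML token.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the key JW Secure's STS signs with and ADP's STS trusts.
# Real Geneva/ADFS signs a SAML assertion with an X.509 certificate; an HMAC over
# the serialized claims models the same "only the trusted issuer could have made
# this" property offline.
JWSECURE_SIGNING_KEY = b"jwsecure-sts-demo-key"
ADP_AUDIENCE = "online.adp.com/jwsecure"


def issue_token(issuer, subject, claims, key, audience=ADP_AUDIENCE, lifetime=300):
    """JW Secure's STS: the user is already authenticated (Integrated Windows
    Authentication); build a short-lived token about them and sign it."""
    payload = {"issuer": issuer, "subject": subject, "audience": audience,
               "claims": claims, "exp": int(time.time()) + lifetime}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


class RelyingPartySts:
    """ADP's STS: trusts a limited set of claim types from named partner issuers."""

    def __init__(self, trusted_issuers):
        # issuer URN -> (verification key, set of claim types accepted from it)
        self.trusted = trusted_issuers

    def validate(self, token, now=None):
        """Return the accepted claims, or None if the token must be rejected."""
        payload = json.loads(token["body"])
        partner = self.trusted.get(payload.get("issuer"))
        if partner is None:                      # unknown issuer: no trust relationship
            return None
        key, allowed = partner
        expected = hmac.new(key, token["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return None                          # tampered or signed with the wrong key
        if payload.get("audience") != ADP_AUDIENCE:
            return None                          # token was meant for someone else
        if payload.get("exp", 0) < (time.time() if now is None else now):
            return None                          # replay of an expired token
        # Only claim types this partner is trusted for survive; the rest are dropped.
        return {k: v for k, v in payload["claims"].items() if k in allowed}
```

Note that a partner asserting claims it is not trusted for (a group membership, say) is silently filtered rather than rejected, which is how a limited-trust configuration keeps an over-asserting partner from escalating privileges at the relying party.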
We’re live on CodePlex with the first end-to-end (but command-line only) version of Cloud Backup. In summary, this version allows you to export a virtual machine from Hyper-V and upload it to Windows Azure cloud storage for disaster recovery purposes.
>CloudBackupCmd.exe
CloudBackup v1.0 Command line utility
Usage:
CloudBackupCmd.exe <cmd> <name>
cmd : Can be one of the following values
backup - Backup the specified virtual machine
restore - Restore the specified virtual machine
listlocal - List local virtual machines
listremote - List remote virtual machines
clearremote - Remove all remote virtual machines
name : Specifies the name of the virtual machine to operate on
Use the CloudBackupCmd.exe.config file to specify options
Build a better application
May 11, 2009
Check out our logo-certified Secure Password Storage project (hosted on CodePlex), currently featured on the Build a Better App site.