Gluu https://www.gluu.org Open Source Authentication & API Access Management Tue, 26 Apr 2016 21:32:39 +0000

FIDO U2F https://www.gluu.org/resources/documents/standards/fido-u2f/ Wed, 23 Mar 2016 21:06:11 +0000 https://www.gluu.org/?p=6993

Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices.

U2F enables Internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed. While initially developed by Google and Yubico, a leading strong authentication provider, with contribution from NXP, the U2F standard is now hosted by the FIDO Alliance.

The technical specifications were launched in late 2014, including native support in Google Accounts and Chrome, and have since resulted in a thriving ecosystem of hardware, software and service providers. The U2F protocol passed a significant milestone in June 2015, adding new transport protocols that address support for mobile devices. U2F works on mobile devices using NFC — Google Authenticator v4.44 and GitHub both deployed the new transport protocol in December 2015.

U2F ADVANTAGES

Strong security — Strong two-factor authentication, using public key crypto and with native support in the browser (starting with Chrome). Protects against phishing, session hijacking, man-in-the-middle, and malware attacks.

Easy to use — Works out-of-the-box, enabling instant authentication to any number of services. No codes to re-type and no drivers to install.

High privacy — Allows users to choose, own and control their secure online identity. Each user can also choose to have multiple identities, including anonymous (no personal information associated with the identity). A U2F device generates a new pair of keys for every service, and the public key is only stored on the specific service it connects to. With this approach no secrets are shared among service providers, and even low-cost U2F devices can support any number of services.

Multiple choices — Designed for existing phones and computers, for many authentication modalities (keychain devices, mobile phone, fingerprint reader, etc.) and with different communication methods (USB, NFC, Bluetooth).

Interoperable — Open standard backed by leading internet and financial services, including Google, Bank of America and 250 companies in the FIDO Alliance. U2F allows every service provider to be their own identity provider, or optionally let users authenticate through a federated service provider.

Cost-efficient — Service providers do not have to bear the cost and support burden of securely distributing U2F devices. Users can choose from a range of low-cost devices from multiple vendors, available at Amazon and other retail stores worldwide. Yubico offers free and open source server software for back-end integration.

Electronic identity — For services requiring a higher level of identity assurance, services are being developed, both online and in the physical world, for tying your U2F device to your real identity.

Secure recovery — It is recommended that users register at least two U2F devices with every service provider, which may optionally also provide the user with a backup code should a U2F device be misplaced.

HOW IT WORKS

This diagram explains the basic process flow of U2F:

[Figure: U2F Process Flow]

Content borrowed heavily from Yubico.

The IAM Building Blocks https://www.gluu.org/resources/documents/data-sheets/the-iam-building-blocks/ Mon, 29 Feb 2016 16:56:14 +0000 http://www.gluu.org/?p=6937

Gluu CEO to host two sessions at RSA Conference 2016 https://www.gluu.org/press-releases/2016/gluu-ceo-host-security-sessions-rsa-conference-2016/ Wed, 17 Feb 2016 15:08:18 +0000 http://www.gluu.org/?p=6677

Open source evangelist and Gluu founder Mike Schwartz will present a survey of new authentication technologies and ideas on how organizations can modernize their identity and access management services.

Austin, TX — January 4, 2016 — Gluu CEO and founder Mike Schwartz will be hosting two sessions at RSA Conference 2016, the premier global security conference which is world renowned for providing industry professionals an opportunity to connect with the technology, trends, and people that protect our digital world. The event will take place at the Moscone Center in San Francisco, CA, February 29 – March 4, 2016.

“Our industry is changing rapidly, with attention shifting away from purely single sign-on (SSO) to a more comprehensive focus on web and API access management, multi-factor authentication (MFA), and cloud directory services,” said Schwartz. “API access management is the next big wave, and no one understands this better than Gluu.”

As Gluu’s CEO, Schwartz is responsible for guiding development of the company’s core products, including its industry leading open source access management platform called the Gluu Server. Schwartz founded Gluu after more than a decade consulting in the directory services and single sign-on industries. Gluu continues to be at the forefront of the access management revolution. In 2015 alone the Gluu Server was downloaded by more than 5,000 organizations and people worldwide in need of better and more affordable tools to centrally manage digital authentication and authorization security policies.

“For years we have been talking about the rise of new standards and technology to strengthen digital identity. We are finally starting to see the potential that new standards like OpenID Connect and UMA can deliver to the Internet,” said Schwartz. “At RSA Conference 2016, I look forward to sharing Gluu’s perspective on how we as an industry are using new standards and open source software to drive innovation, create better experiences online, and enable a more secure approach to conducting business online across industries and geographies.”

Find out more about each session below:

Session Title: Who Are You? From Meat to Electrons and Back Again
Session Track: Security Basics
Scheduled Date: 02/29/2016
Scheduled Time: 9:30 AM – 10:20 AM
Short Abstract: Authentication technologies are intersecting science fiction and comedy. A flyby of recently discovered and invented mechanisms to digitally identify a person makes it clear that it’s not for lack of options. If the usability and security of strong authentication have been solved, how can we improve deployability, which is the main reason we are still using passwords?

Session Title: DON’T Use Two-Factor Authentication… Unless You Need It!
Session Track: Identity
Scheduled Date: 03/04/2016
Scheduled Time: 10:10 AM – 11:00 AM
Short Abstract: Conventional wisdom tells us to use two-factor authentication–and it does help to improve security. But the best way to reduce user-friction is to never require a person to authenticate. This talk will provide a modern solution to reconcile these two divergent imperatives by leveraging standard profiles of OAuth2 for “trust elevation.” It’s not just the front door that needs protection!

About Gluu:
Gluu publishes free open source Internet security software that universities, government agencies and companies can use to enable Web and mobile applications to securely identify a person, and manage what information they are allowed to access. Using a Gluu Server, organizations can centralize their authentication and authorization service and leverage standards such as OpenID Connect, UMA, and SAML 2.0 to enable federated single sign-on (SSO) and trust elevation.

Gluu Server 2.4 includes new graphical user interface and support for the SCIM 2.0 identity management specification https://www.gluu.org/press-releases/2015/gluu-server-2-4-includes-new-graphical-user-interface-and-support-for-the-scim-2-0-identity-management-specification/ Thu, 19 Nov 2015 15:47:38 +0000 http://www.gluu.org/?p=6640

SCIM 2.0 is designed to make managing user identities in cloud-based applications and services easier, enabling distributed and secure cloud identity.

News Highlights

  • The Gluu Server 2.4 includes a new responsive user interface, and a dashboard that displays real time authentication metrics.
  • SCIM 2.0 will reduce the cost and complexity of user management, making it fast and easy to move users in, out, and around the cloud.
  • Enhanced logout capabilities based on the new OpenID Connect draft for HTTP front channel logout.
  • Support for private key OAuth2 client authentication.
  • Support for persistent pairwise identifiers in OpenID Connect.

Austin, TX — November 17, 2015 — Gluu announced today general availability of the Gluu Server Community Edition 2.4, a leading free open source software (FOSS) identity and access management platform. The latest edition includes a revamped user interface and support for SCIM 2.0, an identity management specification that is designed to make managing user identities in cloud-based applications and services faster and easier.

“The upgrades in 2.4 continue to make the Gluu Server one of the most useful tools available for centralizing access management within an organization,” said Gluu CEO Mike Schwartz. “As new, modern web standards like OpenID Connect, UMA, FIDO and SCIM proliferate–especially through free open source software–we are able to collectively drive up security and drive down the cost of interoperability for identity and access management on the Internet.”

Since the initial release of Linux packages in the summer of 2014, the free open source Gluu Server has been deployed by thousands of organizations to solve a wide range of identity and access management problems, including single sign-on (SSO), customer authentication, web and API access management, multi-factor authentication and more. Gluu continues to enhance its platform with additional features that directly address the needs of small, medium, and large organizations worldwide.

Version upgrades are made to not only improve performance, security, and usability, but to add new features that respond to the specific needs of the community. To that end, current users are always encouraged to upgrade to the latest version.

Find out more about the Gluu Server:

About Gluu
Gluu publishes free open source Internet security software that universities, government agencies and companies can use to enable Web and mobile applications to securely identify a person, and manage what information they are allowed to access. Using a Gluu Server, organizations can centralize their authentication and authorization service and leverage standards such as OpenID Connect, UMA, and SAML 2.0 to enable federated single sign-on (SSO) and trust elevation.

Gluu Server Cluster Edition — Secure and Scalable Digital Authentication & Authorization https://www.gluu.org/gluu-server-cluster-edition-secure-and-scalable-digital-authentication-authorization/ Thu, 20 Aug 2015 15:54:14 +0000 http://www.gluu.org/?p=6335

The Gluu Server Cluster Edition utilizes Docker containers to enable an organization to meet business requirements for high availability, dynamic scalability, and rapid multi-cloud deployments.

FIDO U2F Club — Secure Online Two-Factor Authentication https://www.gluu.org/fido-u2f-club-secure-online-two-factor-authentication/ Wed, 05 Aug 2015 19:58:51 +0000 http://www.gluu.org/?p=6315

The Gluu Server now supports FIDO U2F Tokens for secure online two-factor authentication (2FA). To see how easy it is, check out our video: How to Identify people with FIDO U2F Tokens using the Gluu Server.

Combined with OpenID Connect, an application can request FIDO authentication. It’s a great way to offer two-factor authentication without having to issue tokens–your users can just buy the tokens online at their favorite retailer. The Gluu Server also supports SAML authentication if your organization wants to set up strong authentication to Google, Salesforce, or any other SaaS solution that supports SAML.

Gluu Server UMA Overview for Centralized OAuth2 Access Management https://www.gluu.org/gluu-sever-uma-overview-for-centralized-oauth2-access-management/ Tue, 14 Jul 2015 20:51:02 +0000 http://www.gluu.org/?p=6201

This video is a high level overview of how the Gluu Server supports the User Managed Access (UMA) profile of OAuth2 for centralized web and mobile access management.

Identify people with FIDO U2F Tokens using the Gluu Server https://www.gluu.org/identify-people-with-fido-u2f-tokens-using-the-gluu-server/ Thu, 02 Jul 2015 15:58:49 +0000 http://www.gluu.org/?p=6186

Learn how to use the Gluu Server for FIDO U2F authentication. The Gluu Server enables applications to leverage your domain’s U2F service using OpenID Connect or SAML APIs.

Gluu Server 2.3 release includes support for FIDO U2F authentication and conformance with all OpenID Connect 1.0 profiles https://www.gluu.org/press-releases/2015/gluu-server-2-3-release-includes-support-for-fido-u2f-authentication-and-conformance-with-all-openid-connect-1-0-profiles/ Wed, 24 Jun 2015 18:15:28 +0000 http://www.gluu.org/?p=6173

The FIDO U2F standard enables convenient cryptographic authentication for tokens and mobile applications, providing a usable, secure, and inexpensive alternative to passwords.

News Highlights

  • The Gluu Server supports enrollment and authentication for any FIDO U2F 1.0 compliant client. Watch Gluu CEO Mike Schwartz display how to use FIDO U2F in the Gluu Server.
  • Compliance with all OpenID Connect conformance profiles as defined by the OpenID Connect Foundation’s certification program.

Austin, TX — June 22, 2015 — Gluu, Inc., a leading provider of open source identity and access management software, today announced that the Gluu Server 2.3 is now publicly available for download and includes out-of-the-box support for the FIDO U2F 1.0 authentication standard. With the latest version of the Gluu Server, organizations can implement single sign-on (SSO) to any SAML or OpenID Connect protected application, to centralize the business logic for smart, adaptive, and context-aware authentication.

FIDO U2F is an emerging open authentication standards initiative with strong support from more than 200 organizations in the FIDO Alliance. Now using the Gluu Server, companies can enable people to enroll a FIDO U2F token in addition (or as an alternative) to passwords. FIDO U2F was developed to thwart phishing and man-in-the-middle attacks. In addition to traditional usernames and passwords, U2F hardware authenticators, such as YubiKeys, generate public key-based signatures as a strong second factor to authenticate users.

“We are excited to announce that the Gluu Server is one of the first free open source identity and access management suites to support FIDO U2F compliant authentication devices,” said Gluu CEO Michael Schwartz. “The vast majority of security incidents are the result of bad person identification. Passwords have historically been the cheapest credentials to support, but new standards like FIDO U2F are making it easier and more scalable for organizations to enforce strong authentication for access to a large number of applications. Now any organization can authenticate using some of the same advanced technology as industry leaders like Google.”

The Gluu Server now supports the most promising standards for digital authentication and authorization, including OpenID Connect, FIDO U2F, SAML, UMA, and even LDAP, making it one of the most useful access management suites available.  

Full release notes for the Gluu Server 2.3 can be viewed here. Watch Gluu CEO Mike Schwartz display how to use FIDO U2F in the Gluu Server.

Find out more about the Gluu Server:

About Gluu:
Gluu publishes free open source Internet security software that universities, government agencies and companies can use to enable Web and mobile applications to securely identify a person, and manage what information they are allowed to access. Using a Gluu Server, organizations can centralize their authentication and authorization service and leverage standards such as OpenID Connect, UMA, and SAML 2.0 to enable federated single sign-on (SSO) and trust elevation.

Gluu to Promote OAuth2 Access Management at Cloud Identity Summit https://www.gluu.org/press-releases/2015/gluu-to-promote-oauth2-access-management-at-cloud-identity-summit/ Mon, 08 Jun 2015 17:45:24 +0000 http://www.gluu.org/?p=6157

Gluu CEO Mike Schwartz to promote OAuth 2.0 as the solution for achieving increased identity assurance in digital transactions during session at the Cloud Identity Summit in San Diego, California.

Austin, TX — June 3, 2015 — Gluu, a leading provider of open source identity and access management software, is hosting a session at the Cloud Identity Summit where CEO Mike Schwartz will discuss how OpenID Connect and UMA, two new profiles of OAuth 2.0, are enabling organizations to centrally manage and enhance authentication and authorization security across web, mobile, and IoT applications. The Cloud Identity Summit takes place in San Diego, CA, from June 8-11, and is an annual gathering that includes workshops and presentations by industry experts on new innovations in the field of Identity and Access Management (IAM).

Organizations worldwide are recognizing the need for more secure identity proofing under certain circumstances, for instance during high-value financial and personal data transactions. In addition, new requirements have emerged around mobile and Internet of Things (IoT) devices that have limited the ability of existing tools to solve new challenges. OpenID Connect and UMA enable organizations to securely identify individuals and authorize access to privileged resources based on the strength of an authentication mechanism, for example an out-of-band (OOB) push notification or biometric scan, and contextual data such as device type, location, and previous user behavior.

In the session, Schwartz will share how organizations can use these two profiles of OAuth 2.0 to increase trust in an online identity in order to mitigate the risk of fraud. Attendees will leave this session with a better understanding of the Enterprise UMA use case, as well as some of the useful OpenID Connect features that can be leveraged to create centralized authentication policies.

Session details can be found by following the link below:
AuthZ is the new AuthN: Trust Elevation with UMA and OpenID Connect: June 11th, 1:00pm to 1:55pm

About Gluu:
Gluu publishes free open source Internet security software that universities, government agencies and companies can use to enable Web and mobile applications to securely identify a person, and manage what information they are allowed to access. Using a Gluu Server, organizations can centralize their authentication and authorization service and leverage standards such as OpenID Connect, UMA, and SAML 2.0 to enable federated single sign-on (SSO) and trust elevation.
