Gluu Open Source Authentication & API Access Management Wed, 25 May 2016 18:26:36 +0000

Gluu Server ‘Cache Refresh’ configuration: Part 3 Mon, 23 May 2016 11:00:36 +0000

Part 3 of Gluu Server Cache Refresh configuration video tutorial. Details are available in:…

Gluu Server ‘Cache Refresh’ configuration: Part 2 Mon, 23 May 2016 10:57:45 +0000

‘Cache Refresh’ video tutorial – Part 2. Base CR configuration. Details are in documentation:…

Gluu Server ‘Cache Refresh’ configuration: Part 1 Mon, 23 May 2016 10:53:42 +0000

‘Cache Refresh’ video tutorial – Part 1. What is Cache Refresh and what does it do? Details are in public documentation:…

FIDO U2F Wed, 23 Mar 2016 21:06:11 +0000

Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices.

U2F enables Internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed. While initially developed by Google and Yubico, a leading strong authentication provider, with contribution from NXP, the U2F standard is now hosted by the FIDO Alliance.

The technical specifications were launched in late 2014, including native support in Google Accounts and Chrome, and have since resulted in a thriving ecosystem of hardware, software and service providers. The U2F protocol passed a significant milestone in June 2015, adding new transport protocols that address support for mobile devices. U2F works on mobile devices using NFC — Google Authenticator v4.44 and GitHub both deployed the new transport protocol in December 2015.


Strong security — Strong two-factor authentication, using public key crypto and with native support in the browser (starting with Chrome). Protects against phishing, session hijacking, man in the middle, and malware attacks.

Easy to use — Works out-of-the-box, enabling instant authentication to any number of services. No codes to re-type and no drivers to install.

High privacy — Allows users to choose, own and control their secure online identity. Each user can also choose to have multiple identities, including anonymous ones (no personal information associated with the identity). A U2F device generates a new key pair for every service, and the public key is stored only on the specific service it was registered with. With this approach no secrets are shared among service providers, and even low-cost U2F devices can support any number of services.

Multiple choices — Designed for existing phones and computers, for many authentication modalities (keychain devices, mobile phone, fingerprint reader, etc.) and with different communication methods (USB, NFC, Bluetooth).

Interoperable — Open standard backed by leading internet and financial services, including Google, Bank of America and 250 companies in the FIDO Alliance. U2F allows every service provider to be their own identity provider, or optionally let users authenticate through a federated service provider.

Cost-efficient — Service providers do not have to take the cost and support of secure distribution of U2F devices. Users can choose from a range of low-cost devices from multiple vendors, available at Amazon and other retail stores worldwide. Yubico offers free and open source server software for back-end integration.

Electronic identity — For services requiring a higher level of identity assurance, services are being developed, both online and in the physical world, for tying your U2F device to your real identity.

Secure recovery — It is recommended that users register at least two U2F devices with every service provider, which may optionally also provide the user with a backup code should a U2F device be misplaced.


This diagram explains the basic process flow of U2F:

U2F Process Flow

Content borrowed heavily from Yubico.

The IAM Building Blocks Mon, 29 Feb 2016 16:56:14 +0000

Download (PDF, 117KB)

Gluu CEO to host two sessions at RSA Conference 2016 Wed, 17 Feb 2016 15:08:18 +0000

Open source evangelist and Gluu founder Mike Schwartz will present a survey of new authentication technologies and ideas on how organizations can modernize their identity and access management services.

Austin, TX — January 4, 2016 — Gluu CEO and founder Mike Schwartz will be hosting two sessions at RSA Conference 2016, the premier global security conference which is world renowned for providing industry professionals an opportunity to connect with the technology, trends, and people that protect our digital world. The event will take place at the Moscone Center in San Francisco, CA, February 29 – March 4, 2016.

“Our industry is changing rapidly, with attention shifting away from purely single sign-on (SSO) to a more comprehensive focus on web and API access management, multi-factor authentication (MFA), and cloud directory services,” said Schwartz. “API access management is the next big wave, and no one understands this better than Gluu.”

As Gluu’s CEO, Schwartz is responsible for guiding development of the company’s core products, including its industry-leading open source access management platform, the Gluu Server. Schwartz founded Gluu after more than a decade of consulting in the directory services and single sign-on industries. Gluu continues to be at the forefront of the access management revolution. In 2015 alone the Gluu Server was downloaded by more than 5,000 organizations and people worldwide in need of better and more affordable tools to centrally manage digital authentication and authorization security policies.

“For years we have been talking about the rise of new standards and technology to strengthen digital identity. We are finally starting to see the potential that new standards like OpenID Connect and UMA can deliver to the Internet,” said Schwartz. “At RSA Conference 2016, I look forward to sharing Gluu’s perspective on how we as an industry are using new standards and open source software to drive innovation, create better experiences online, and enable a more secure approach to conducting business online across industries and geographies.”

Find out more about each session below:

Session Title: Who Are You? From Meat to Electrons and Back Again
Session Track: Security Basics
Scheduled Date: 02/29/2016
Scheduled Time: 9:30 AM – 10:20 AM
Short Abstract: Authentication technologies are intersecting science fiction and comedy. A flyby of recently discovered and invented mechanisms to digitally identify a person makes it clear that it’s not for lack of options. If the usability and security of strong authentication have been solved, how can we improve deployability, which is the main reason we are still using passwords?

Session Title: DON’T Use Two-Factor Authentication… Unless You Need It!
Session Track: Identity
Scheduled Date: 03/04/2016
Scheduled Time: 10:10 AM – 11:00 AM
Short Abstract: Conventional wisdom tells us to use two-factor authentication, and it does help to improve security. But the best way to reduce user friction is to never require a person to authenticate. This talk will provide a modern solution to reconcile these two divergent imperatives by leveraging standard profiles of OAuth2 for “trust elevation.” It’s not just the front door that needs protection!

About Gluu:
Gluu publishes free open source Internet security software that universities, government agencies and companies can use to enable Web and mobile applications to securely identify a person, and manage what information they are allowed to access. Using a Gluu Server, organizations can centralize their authentication and authorization service and leverage standards such as OpenID Connect, UMA, and SAML 2.0 to enable federated single sign-on (SSO) and trust elevation.

Gluu Server 2.4 includes a new graphical user interface and support for the SCIM 2.0 identity management specification Thu, 19 Nov 2015 15:47:38 +0000

SCIM 2.0 is designed to make managing user identities in cloud-based applications and services easier, enabling distributed and secure cloud identity.

News Highlights

  • The Gluu Server 2.4 includes a new responsive user interface, and a dashboard that displays real time authentication metrics.
  • SCIM 2.0 will reduce the cost and complexity of user management, making it fast and easy to move users in, out, and around the cloud.
  • Enhanced logout capabilities based on the new OpenID Connect draft for HTTP front channel logout.
  • Support for private key OAuth2 client authentication.
  • Support for persistent pairwise identifiers in OpenID Connect.

Austin, TX — November 17, 2015 — Gluu announced today general availability of the Gluu Server Community Edition 2.4, a leading free open source software (FOSS) identity and access management platform. The latest edition includes a revamped user interface and support for SCIM 2.0, an identity management specification that is designed to make managing user identities in cloud-based applications and services faster and easier.

“The upgrades in 2.4 continue to make the Gluu Server one of the most useful tools available for centralizing access management within an organization,” said Gluu CEO Mike Schwartz. “As new, modern web standards like OpenID Connect, UMA, FIDO and SCIM proliferate, especially through free open source software, we are able to collectively drive up security and drive down the cost of interoperability for identity and access management on the Internet.”

Since the initial release of Linux packages in the summer of 2014, the free open source Gluu Server has been deployed by thousands of organizations to solve a wide range of identity and access management problems, including single sign-on (SSO), customer authentication, web and API access management, multi-factor authentication and more. Gluu continues to enhance its platform with additional features that directly address the needs of small, medium, and large organizations worldwide.

Version upgrades are made to not only improve performance, security, and usability, but to add new features that respond to the specific needs of the community. To that end, current users are always encouraged to upgrade to the latest version.

About Gluu
Gluu publishes free open source Internet security software that universities, government agencies and companies can use to enable Web and mobile applications to securely identify a person, and manage what information they are allowed to access. Using a Gluu Server, organizations can centralize their authentication and authorization service and leverage standards such as OpenID Connect, UMA, and SAML 2.0 to enable federated single sign-on (SSO) and trust elevation.

Gluu Server Cluster Edition — Secure and Scalable Digital Authentication & Authorization Thu, 20 Aug 2015 15:54:14 +0000

The Gluu Server Cluster Edition utilizes Docker containers to enable an organization to meet business requirements for high availability, dynamic scalability, and rapid multi-cloud deployments.

FIDO U2F Club — Secure Online Two-Factor Authentication Wed, 05 Aug 2015 19:58:51 +0000

The Gluu Server now supports FIDO U2F Tokens for secure online two-factor authentication (2FA). To see how easy it is, check out our video: How to Identify people with FIDO U2F Tokens using the Gluu Server.

Combined with OpenID Connect, an application can request FIDO authentication. It’s a great way to offer two-factor authentication without having to issue tokens: your users can just buy the tokens online at their favorite retailer. The Gluu Server also supports SAML authentication if your organization wants to set up strong authentication to Google, Salesforce, or any other SaaS solution that supports SAML.

Gluu Server UMA Overview for Centralized OAuth2 Access Management Tue, 14 Jul 2015 20:51:02 +0000

This video is a high-level overview of how the Gluu Server supports the User Managed Access (UMA) profile of OAuth2 for centralized web and mobile access management.