Hardware software requirements for SAML and OAUTH - oauth

I am preparing a report on SAML and OAUTH for a comparative study on these two technologies.
I have got a few pages ready describing what SAML and OAUTH can do.
The next thing I need is the hardware and software requirements to implement SSO using SAML and OAUTH.
This would help analyis the costs involved and come to a decision on choosing any of the two technologies.
If you are aware of the H/W and S/W requirements please enumerate them.
Thanks,
david

On the software side, the cost will really depend on what solution you're using. Both technologies have good opensource and commercial implementations (and often, the same product supports both). So, I don't think that the software costs will make a difference.
On the hardware part, SAML is probably a little more power-consuming, because it implies XML parsing, XML digital signature (which needs more resources than a simple digital signature).
But if you have a reasonable number of concurrent users, the raw-power of the most basic servers will be able to absorb the load without problems in each case.
To give some figures, our SAML 2.0 solution (which admittely is performance and not features-oriented) is able to generate ~100 SAML responses per second on my workstation (a low-end sandy bridge pentium). The main factor determining performance is CPU. I/O and memory are somewhat negligeable.
How many authentications per second do you plan to have in production ?

Related

Keycloak for IDM

First and foremost, this post doesn't have any intention to strike down any parties as mentioned in my question.
In fact, I'm not sure whether i should ask this question to this forum or not, but after some thoughtful considerations i decided to just post it here due to my curiosity.
Shortly speaking, I'm working on IAM platform for one of my customer. I've prepared it using keycloak within a day which also cover custom provider to connect with their legacy user internal database.
But I got a pretty shock statement from my customer that they don't trust keycloak since it's free and open source. They only trust commercial products, and they suggested me to go with either forgerock or okta.
I have my own way to answer that statement, but I would also like to hear some feedbacks from the experts here with regards to that matter. Thanks in advance.
Maybe the customer concern is that there is no commercial support with Keycloak. It's a very practical concern, eg if you are not available at some future time and all apps are broken when something strange happens after upgrading the Authorization Server.
Of course on the technical side of things, keep code portable by implementing standards based solutions, so that you can switch providers. Avoid stuff like Keycloak Adapters if they are vendor specific.
DEPLOYMENT
As a containerized solution, Keycloak's deployment model supports multi cloud and means you can run in any cloud provider.
Then again, the Platform as a Service model of some providers is often attractive - no infra to manage and the hope of high availability. With some PAAS providers the trade off may be that there is less control over behavior.
WHAT ARE THE REAL REQUIREMENTS?
Commercial support
Guidance on app scenarios
High Availability
Ease of management
Extensibility
Portability
Different customers have different viewpoints and there is no right answer. The usual thing that software architects do is understand their audience, make recommendations, but let the customer decide - they are the boss after all.

What is the best practice to deploy CoAP-DTLS server that can support multiple PSK identity/secret sets?

We're estimating the practicability to replace our conventional HTTPS/RESTful over cellular network (4G-LTE) with CoAP/DTLS over NB-IoT, to prolong the battery life of remote devices. The IoT application we've deployed only takes a tiny proportion of 4G-LTE data bandwidth and UDP over NB-IoT is good enough; so transmission performance is not our main concern.
But the problem is, we're now using mutual authentication in SSL/TLS layer and we assign different client certificates to different sub-groups. And I'm not sure how to do that in CoAP/DTLS.
I've learned that the default credential model of CoAP/DTLS is Pre-Shared Key (PSK) and I also learned from RFC4279 that I may use the PSK identity / shared-key pair as an easy alternative to username, which could just fit my needs. But when I'm trying to figure out how to implement this, I found the internet resource is very limited. So far I've surveyed node-coap.js and libcoap but I can't find any hints in the documents. Both seemed to support only one credential at the same time.
What is the best practice to deploy CoAP-DTLS server that can support multiple PSK identity/shared-key sets ? Or do I need to implement the whole authentication mechanism in application layer ?
One option for server/cloud side CoAP is Eclipse Californium. I am involved in that project and may thus be biased. That said, we have actually built Californium for exactly this purpose.

Is there any opensource tool for loadtesting on SAP GUI Based applications?

Do I know, whether any load testing tool is there for testing SAP GUI based applications?
I have been using Load Runner as of now, but the license is going to expire soon. So, I am in a position to find the better replacement for the same.
Responses are appreciated :-)
Thanks in advance.
There are no open source tools for testing SAPGUI applications. Architecturally, none of the existing open source applications have hooks to the automation interface used by SAP. So, you may discount the previous answer which concentrates on web-based interfaces or a generic TCP interface. The interface for SAPGUI automation is on the client.
SAPWeb, on the other hand, may be tackled with standard commercial and open source solutions which architecturally support the capture, modification and reproduction of traffic at the HTTP protocol layer.
Renew your LoadRunner license. The cost in hours of labor to modify any of the available open source tools will more than exceed the cost of your LoadRunner license. You will need to establish a relationship with SAP for the interface documentation. You will need to build a recording interface and a playback interface. You can look to the R&D output from the big vendors, HP, Borland, IBM, to see what a non trivial and high engineering dollar challenge this is.

Security for Web Apps

I'm working on a web application and we are getting ready to launch it. Because it will hold sensitive data for users, I want this to be as secure as possible. Here is a list of what we are currently doing...
Running the app on Heroku (Ruby on Rails)
Site is encrypted with 256 SSL (with forced SSL turned on)
Cookies are encrypted and we pass the Firesheep test
Their password and everything in the database is one way encrypted.. so even if someone got access to the database it would be useless.
We do not store any keys or passwords openly in the source code but rather use Config Vars
Other than that what else should/could we be doing. We are considering McAfee's site scan but they quoted us $2,500 a year. I'm not sure it's worth it.
Does anyone have any suggestions at all?
Make sure to read the OWASP Top 10. Also $2,500 is a rip off, Sitewatch is free. You should also consider running a Web Application Firewall like mod_security, but keep in mind this will cause problems for testing tools like McAfee or Sitewatch. You should configure mod_security to allow specific ip addresses. Or test your application before enabling the WAF.
After ruling out the usual suspects (XSS, SQL injection, mass assignment, etc), client side is where most problems come from, and this is often overlooked. I don't know what your site is about, but things like telling your users that they shouldn't follow links on emails they did not explicitly request usually delivers highest bang-for-the-buck.
Best regards,
-- J. Fernandes
I'd recommend checking out the OWASP Top 10: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
To verify your SSL configuration, you can try https://www.ssllabs.com/ssldb/index.html.
If you're curious about the sheer variety of attacks, check out Jeremiah Grossman's post titled Top Ten Web Hacking Techniques of 2010 and scroll down until you see "The Complete List".
If you want to fire off a few web app vulnerability scans tools to catch the low hanging fruit you can try:
skipfish: http://code.google.com/p/skipfish/ (free)
netsparker community: http://www.mavitunasecurity.com/communityedition/ (free)
look here for more https://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application/
If you're really concerned about security then adopting a secure development plan and working with someone trained in app security would obviously boost your confidence things are being done right.
Regarding development, you may like the ideas presented in Microsoft's simplified SDL:
"The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development."
"The process outlined in this paper sets a minimum threshold for SDL compliance. That said, organizations aren’t uniform – development teams should apply the SDL in a way that is suitable to the human talent and resources available, but doesn’t compromise organizational security goals."
Also it is important to note automated vulnerability scan tools fail to identify most logical vulnerabilities so don't rely solely on automated tools. For example (taken from OWASP):
"Setting the quantity of a product on an e-commerce site as a negative number may result in funds being credited to the attacker. The countermeasure to this problem is to implement stronger data validation, as the application permits negative numbers to be entered in the quantity field of the shopping cart."
Human intelligence is key to spot logical issues.
Security is also all about maintenance. Assigning someone or a team the responsibility to astutely play continuous defense is important.
Note: Encrypting the passwords doesn't imply infallible security. Dictionary/password lists/brute force attacks work all the time to reveal weak passwords. A very common attack is to use SQL injection to dump the user table (with password hashes) then use a password cracker to discover legitimate user/password pairs.
You can find information about common Ruby on Rails application vulnerabilities and their countermeasures at the Zen Rails Security Checklist, including most of the OWASP Top 10 items.

What is the best Delphi n-tier low bandwidth technology?

I need to deploy a Delphi app in an environment that needs centralized data and file storage system (for document imaging) but has multiple branch offices with relatively poor inter connectivity. I believe a 3 tier database application is the best way to go so I can provide a rich desktop experience with relatively light-weight data transfer needs. So far I have looked briefly at Delphi Datasnap, kbmMW and Remobjects SDK. It seems that kbmMW and Remobjects SDK use the least bandwidth. Does anyone have any experience in deploying any of these technologies in a challenging environments with a significant number of users (I need to support 700+)? Thanks!
Depends if you are tied to remote datasets. If you aren't dataset bound then SOAP would likely be a good choice. Or, what I've done is write my own protocol that is similar to SOAP in nature. This was done before SOAP was standard and I'm glad I did - this gives you the ability to control more of the flow of data. It's given that if you have poor connectivity then you will be spending time supporting it. It's very nice if it's your own code you are supporting versus having to wait on a vendor. (Although KBM and REM are known to be pretty good vendors.)
Personal note: 700 users in a document imaging application over poor connectivity sounds like a mess. Spend the money on upgrading connectivity as it'll be cheaper in the long run.
Both kbmMW and RO SDK offer binary format, which is more compact than SOAP format,specially you are working with documents.
RO sdk seems to offer more GUI tools to help you doing your services.
Also give a RealThinClient SDK a look, it's a lightweight remoting framework.
But what ever framework you go with, your design of work will make it fast or slow, I have some applications working on slow 128kb lines, and it's working perfect without any user complain, but I don't do a large transfer for files.
One thing to remember...its not the number of users, but the number of them using the resources at the same time that will be the issue. Attempt to develop your application "server stateless" if at all possible, this will allow greater flexibility in the long term if you find you have to add more servers to the pool to support your customer base. The hardest thing about n-tier is scaling beyond the first server...plan on that from the start. Each request should not know anything about a prior request...or at the very least the request should have a way of passing the context so the server can look it up in a session table or something.
Personally, I would recommend RemObjects. I have used it with good results.
I don't know if it's the very best / most efficient (glad you asked this question!), but I've had good results w/RemObjects SDK + DataAbstract. The latter made much of the plumbing details less involved, which was helpful. Still implementing, but so far so good.
If you really wanna go "low-bandwidth" use BSD Sockets API - that'll give you full control over what's being sent and there you can send as little information as you want. Of course then you'll have to implement all the tiers yourself, but hey - that's still an option :D

Resources