Extending APS Packages with Single Sign On
Brian Spector, CEO, CertiVox / Gene Myers, VP Engineering, CertiVox

Introducing APS 2.0
A Platform for Integration
- APS Dynamic UI
- HTML5
- Extensibility
- Certified Services
- APS Service Bus
- User/account context
- Secure cross-resource integration
- APS Authentication Protocol
- Multi-factor, multiprovider SSO (OpenID Connect, SAML, AD)
Profit from the cloud

Today's APS/Developer SSO Session will cover:
- Who is CertiVox?
- What is Parallels Identity Manager? What problem does it solve?
- What is new in SSO in APS 2.0 and POA 5.5?
- APS Authentication Security
- What is the APS Authentication Protocol (APS AP)?
- Why APS AP is an SSO internet security game changer
- How to enable your APS 2.0 syndicated service for the APS Authentication Protocol
- Nuts and Bolts
- Q&A

About CertiVox
- Security Leader
- Provider of certificateless cryptography software and services to Global 2000
- Founded in 2008, with technology in development since 2006
- SaaS cryptographic key management and open-source crypto SDKs
- Experienced leadership team
- 100s of blue chip companies
- Our clients & references

The CertiVox World
- Open Source Library for Elliptic Curve Cryptography
- IaaS Offering
- APS Authentication
- Frictionless 2-factor
- Browsers and smartphones
- IaaS Offering
- Based upon MIRACL
- Frictionless Key Management and Certificateless Crypto
- Full SaaS Solution Offering
- Frictionless Easy to Use Secure Messaging and Secure Managed File Transfer
- Capture regulated SMB market segment with highest growth potential
- Sales model: Provisioned entirely through APS
- High value free version upgrade to Professional differentiated value / reduce churn

Parallels Identity Manager
Single-Sign-On (SSO) multi-factor authentication services for Parallels Automation, Parallels Plesk Panel products, and APS

Parallels Identity Manager
- Universal, federated SSO multi-factor authentication services for Plesk, PPA, PBA / POA and APS
- Reduces username / password database smash and grab attacks and client vulnerabilities
- Provides for rich upsell / cross sell opportunities for mobile multi-factor authentication as a service to your customers

Revolutionary Multi-factor Authentication
- Easily integrates with existing websites / web apps via API
- Frictionless on-boarding through APS 2.0 for existing users

Revolutionary Multi-factor Authentication
- Infinitely stronger and easier than username / password
- HTML5 or Seamless Mobile 3-Factor O.O.B. Authentication
[Figure callouts, in extracted order: 1 Integrated SkyPin 2 Login with mobile 3 providing secure login Scan and authenticate with SkyPin App]

Before SkyPin: User Authentication for SSO
- Difficult to remember
- Insecure: easy to phish, scam, key log, etc.
- Bad user experience leads to insecurity
After SkyPin: Multi-Factor Authentication for SSO
- 4 digit PIN - infinitely easier than username / password
- Elliptic curve cryptography based - infinitely more secure than username / password

Before SkyPin: Service Provider Authentication for SSO
Username  | Password    | Email
Bob28     | sarah       | Bob28@ho
v.noir    | password123 | Vince.noir
Alice_467 | linkedin    | Alice.h@g
Sarah.h!  | facebook1   | S.hard@g
Samsam10  | hello       | Sam@yah
sunnykid1 | Pass1!      | sunny@ma
- Databases are inherently not secured and difficult to protect
- Smash and Grab attacks are the new normal
- Liable for legal action if hacked
After SkyPin: Service Provider Authentication for SSO
[Figure: SkyPin Authentication Server]
- With SkyPin there is no username / password database, just one server cryptographic key
- If the key is compromised, it reveals nothing about the users on the system

SkyPin vs. Hardware 2-Factor
               | SkyPin             | Hardware 2-Factor
Cost           | Free*              | Avg $100 per user per year
Implementation | 2 Hours            | Weeks to Months
User Training  | Minimal            | Extensive
Open Standards | APS Authentication | Typically Proprietary
SkyPin has these additional advantages:
- Easy to use and easy to implement
- Dramatic cost reductions: no complex hardware or software provisioning
- Single sign on across multiple services and cross-domain
- Up-sell / cross-sell SkyPin mobile for out-of-channel multifactor authentication

Parallels Automation 5.5: SkyPin Secured multi-factor authentication
Increase top-line with strong authentication
[Diagram labels: CertiVox Data Center; Parallels Identity Manager Service; SkyPin Managed Server; Service Provider Data Center; Alice; APS 2.0 Controller; Parallels Identity Manager Server; SkyPin for HTML5 (Firefox, Chrome, etc.); Parallels Automation 5.5]
- Free for Parallels Customers
- Frictionless On-boarding
- Works out-of-the-box with PA 5.5
- Upgrade to Mobile 3-Factor

What is new in APS 2.0 Single-Sign-On?

APS 2.0 Security
Parallels Identity Manager Architecture
[Diagram labels: APS SSO API; PIM APS Package; New PA 5.5 Service; New PIM SSO Server; APS PIM Application; POA 5.5 MN; APS Controller 2.0; AD / LDAP; OpenID Connect; SAML; OpenDJ Highly Scalable LDAP Directory; Migration Script / Upgrade Script]
What's new in 5.5 and APS 2.0?
- Scalable LDAP Directory
- APS 2.0 Identity Provider: Existing LDAP/AD, OpenID Connect, Legacy SAML
- LDAP synchronization

APS 2.0 Security
Parallels Identity Manager UI Authentication
- User visits your website
- User securely signs in with any APS 2.0 Authentication Provider (like SkyPin)
- User only has to login once to go anywhere across all applications and service boundaries
- Adding Parallels SSO through APS 2.0 to your website or web app is as easy as adding an advert to your page!
- Pluggable iframe

What is the APS Authentication Protocol?
- 3 party authentication
- Strong end-to-end encryption of user identity without PKI
- No complicated server side code
- User Identity Cross Infrastructure Boundaries
- One-pass Protocol
- Maximum Security
- Standards Based

APS Authentication Protocol Token Structure
- User ID: A unique ID of the user in the system
- Scope / App ID: Some UUID of the application
- Expiry: Token expiry information
- User Data (Scope Params): This field is filled by the application for additional token scope
- Provider: The authentication provider ID that actually issued the token
- Inner Token: Some additional information provided by the authentication provider for later use
- Signature
Allows any application that speaks APS AP to validate the token instantly, without re-directs

APS Authentication Protocol Overview
Internally Provisioned Applications
[Screenshot: sample blog at http://my.wordpress.provider.com/ titled "Welcome to The Blog!" with two dated entries, 01-01-12 and 02-01-12]

Cross Syndication / Domain Barriers with APS AP
[Diagram labels: Parallels Automation User; Parallels Identity Manager; User Login Across Domains; Encrypted Token; User Browser; Successful Authentication; APS 2.0 Enabled Syndication Service; User Logged in; Parallels Enabled APS 2.0 Service Provider Customer; Verify: Decrypted User Token = Signature + ID Information]

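A worked illustration of the local, no-redirect validation that the token-structure and cross-domain slides describe (added example, not CertiVox or Parallels code). The wire format, the snake_case field names, the key and the use of HMAC-SHA256 in place of the protocol's real signature scheme are all assumptions, since the slides specify none of them.

```python
import base64, hashlib, hmac, json, time

# Assumed wire format (not from the slides): base64url(JSON body) + "." +
# base64url(signature). HMAC-SHA256 (shared key) is a stand-in for the real
# APS AP signature scheme, which the slides do not specify.
FIELDS = ("user_id", "scope", "expiry", "user_data", "provider", "inner_token")

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key: bytes, **fields) -> str:
    """Provider side: serialize the fields canonically and sign them."""
    body = json.dumps({f: fields[f] for f in FIELDS}, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def validate_token(token, key, app_id, trusted_providers, now=None):
    """Application side: return the claims dict, or raise ValueError."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except Exception:
        raise ValueError("malformed token") from None
    # 1. Signature first: nothing in the body is trusted before this passes.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(body)
    # 2. Expiry: reject stale tokens.
    if claims["expiry"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    # 3. Scope / App ID: a token minted for another application is not ours.
    if claims["scope"] != app_id:
        raise ValueError("wrong scope")
    # 4. Provider: only accept issuers this application has agreed to trust.
    if claims["provider"] not in trusted_providers:
        raise ValueError("untrusted provider")
    return claims

# Constructed sample values, not taken from the page.
KEY = b"constructed-demo-key"
APP = "3f0c2a6e-0000-4000-8000-000000000001"
TOKEN = issue_token(KEY, user_id="alice", scope=APP, expiry=2_000_000_000,
                    user_data={"role": "admin"}, provider="skypin",
                    inner_token="")
```

Every check runs inside the receiving application, which is what lets a token be accepted or rejected without a round trip to the identity provider.
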
Summary: Make the move to APS 2.0 / Parallels Automation 5.5
- SkyPin state-of-the-art multi-factor authentication works out of the box!
- Scalable SSO means authenticate users once for all services, including Parallels Automation
- Support integration of nearly all identity management standards
- APS Authentication Protocol enables SSO across service boundaries with strong encryption, no configuration, no excessive bandwidth re-directs

ISV/Developer: Get started with the APS Authentication Protocol for your Cloud Service or APS package
Stages shown: Dev sign up; Integrate APS AP; APS 2.0 Leverage APS AP
1. Sign up for developer account on http://parallelsskypin.certivox.com
2. Get your APS AP SkyKeys
3. Download the APS AP code from GitHub and integrate it into your application (easier than supporting OAuth / OpenID Connect, etc.)!
4. Call SkyPin PIN PAD from your test URL
5. Sign up and authenticate test users
6. Get APS 2.0 enabled by incorporating PIM SSO into your APS package

Next Steps: Plan to Build APS 2.0 Packages
Parallels PartnerNet Portal
Cloud Services Developer Program
- Sign up by March 13th (for APS-enabled ISV/SI partners)
APS 2.0 Beta Program
- Access to APS 2.0/PA 5.5 Hands-on-labs, Sandbox, and documentation
- Additional online technical training & regular readiness check-in calls with APS engineers and architects
- Program Requirements: Include the scenario you want to solve with APS 2.0 to qualify to participate. If qualified, you will be invited to the APS 2.0 Beta kickoff
- Get your hands dirty with APS 2.0 Beta
Be ready to launch your own packages!
www.parallelsnetwork.com

Questions?
For more information on CertiVox, contact:
- Brian Spector, CEO / CertiVox, brian@certivox.com
- Gene Myers, VP of Engineering, gene@certivox.com