Thursday, December 17, 2020

SAML and OAuth



Solution it solves

SAML evolved from the business requirement to let applications decouple authentication from the service the user is requesting. Similar to Kerberos, it uses a token (a signed XML assertion) issued by a central authority (the IdP) to grant access to the service (the SP). In contrast to Kerberos, which needs its own ports on a shared network, SAML rides over HTTPS between the user's browser, the IdP and the SP.

Use cases

Web applications, whether internal to an organization or public and multi-tenant. The point of the design is that the service never stores or verifies user passwords and does not need to keep its own record of group memberships or privilege levels. Those stay centrally managed, for example in AD: when a user is promoted and needs elevated access to several services, one group change at the IdP is enough.

Method it uses

An IdP (Identity Provider), usually backed by Active Directory or LDAP, authenticates the user and issues the assertions.

The SP (Service Provider) consumes the assertion and uses the embedded information (the subject plus attributes such as group membership) to grant the user the appropriate level of access to the application.

Assertions are XML documents signed with XML Signature (XMLDSig) and carried inside the HTTPS payload, typically as a base64-encoded form field that the browser auto-submits to the SP.

The signature is what the trust rests on: the IdP signs with its private key and the SP verifies with the IdP's certificate, so the two sides must exchange metadata (entity IDs, endpoints, signing certificates) before the first login. An assertion whose signature does not verify against that pre-registered certificate must be rejected no matter what it contains.

Limitations of solution

SAML solves the problem of separating the service from authentication, but it has limited features for authorization beyond whatever attributes, usually group membership, the IdP puts in the assertion. SAML does define an artifact binding, where the SP receives only a short reference and fetches the real assertion from the IdP over a back channel, and an attribute query profile for asking the IdP for further attributes, but neither changes what the user sees.

The browser-based bindings also work poorly for native mobile apps and API clients. The flow depends on browser redirects, auto-submitted HTML forms and cookies, and in 2010 mobile browsers and embedded web views did not support all of that reliably.

But the main limitation of SAML is that it gives the user no easy way to see, let alone consent to, what information the SP is requesting from the IdP.


SAML works well in an enterprise setting, where there is little concern about what the SP may do with the information in the assertion because both sides belong to the same organization. With the spread of social applications and distributed teams that have no central IdP, SAML fits less well. For example, when a user would rather not share their birthday or profile photo with a service, SAML offers no way to show the user that level of detail or let them opt out. Also, in 2010, mobile web browsers and apps had limited functionality: they struggled with the same-origin policy and with needing to hit multiple API endpoints quickly within one user session.


Solution it solves

OAuth's initial focus was the authorization gap SAML left open: the user could not easily see the scope of what was being shared. The need grew as public websites and apps asked users for limited information but had no convincing way to show that their access really was limited. Later, as the OAuth stack was pressed into service for authentication as well, OpenID Connect was released as an identity layer on top of OAuth 2.0 to standardize authentication within the OAuth ecosystem.

Use cases

A fictitious app, such as a COVID tracker, would like to collect the user's location for contact tracing and for public statistics on gatherings. It wants that information from Google Maps, which is already installed and already records movement. Legal and public-relations questions aside, the developers find that Google publishes the scopes for its services and write their app to request just those from the user. The user installs the app, grants the requested scopes, and the app can then call the Google API endpoint where that information is kept. Nothing else is shared between Google and the app beyond what the granted OAuth scope covers.

Method it uses

From the user's side OAuth looks similar to SAML. The user opens the app or website and selects the provider they want to authorize with. The user is redirected to that provider and logs in (or is already logged in); the provider's authorization server then shows the scope the original application is requesting and asks for consent. Once permitted, the authorization server redirects the browser back to the app's registered redirect URI with a short-lived, single-use authorization code. The app's backend server then contacts the authorization server directly, authenticating with its client credentials, and exchanges that code for an access token, which the app uses to call the API endpoint. The indirection improves security: the only thing that crosses the browser is the code, which is useless without the client secret (or the PKCE verifier), so the token itself never shows up in a URL, browser history, Referer header, proxy log or browser plugin.

There is an alternative response type called implicit, where the authorization server returns the token straight to the browser without the code exchange. It existed for single-page websites whose code ran entirely in client-side JavaScript and could not do a back-channel exchange. A newer extension, PKCE (Proof Key for Code Exchange, RFC 7636), lets such public clients use the code flow safely: the client generates a random secret, sends its SHA-256 hash with the authorization request, and must present the original secret at the token exchange, so a stolen code cannot be redeemed by anyone else. Current OAuth security guidance recommends the code flow with PKCE over implicit.
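The code flow with PKCE end to end, as an added example that is not part of the post: the client generates the verifier and challenge, the authorization server binds the code to the challenge at consent time, and the token endpoint refuses a stolen code presented without the matching verifier. The endpoint URL, client ID, redirect URI and scope name are hypothetical, and both sides run in one process so the example works offline.

```python
"""OAuth 2.0 authorization code flow with PKCE (RFC 7636), client and authorization
server simulated in one process. Added example, not the post's code; endpoint,
client ID, redirect URI and scope name are made up."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.example.com/authorize"  # hypothetical
CLIENT_ID = "covid-tracker"                             # hypothetical public client (no secret)
REDIRECT_URI = "com.example.tracker:/callback"          # hypothetical native-app redirect
SCOPES = ["location.read"]                              # hypothetical scope


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce_pair():
    """code_verifier is a fresh random secret; code_challenge is its S256 hash."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the RFC's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def build_authorize_url(challenge, state):
    """Front channel: the URL the app hands to the user's browser."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": " ".join(SCOPES), "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Minimal AS: single-use codes, each bound to the PKCE challenge it was issued with."""

    def __init__(self, registered_clients):
        self._clients = registered_clients  # client_id -> the one registered redirect_uri
        self._codes = {}

    def authorize(self, url, user, consented):
        """Authorization endpoint after login and the consent screen: redirect back with a code."""
        q = _query(url)
        if self._clients.get(q.get("client_id")) != q.get("redirect_uri"):
            raise PermissionError("unknown client or unregistered redirect_uri")
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise PermissionError("only the code flow with S256 PKCE is accepted")
        if not consented:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                             "challenge": q["code_challenge"], "scope": q["scope"], "user": user}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id, redirect_uri, code_verifier):
        """Token endpoint. The code is burned on first use, whether or not that use succeeds."""
        rec = self._codes.pop(code, None)
        if rec is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: code was issued to a different client")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not secrets.compare_digest(expected, rec["challenge"]):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"], "sub": rec["user"]}


def run_flow(server, user="alice"):
    """Honest client end to end. Returns (token, error text from replaying the used code)."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    cb = _query(server.authorize(build_authorize_url(challenge, state), user, consented=True))
    if not secrets.compare_digest(cb["state"], state):
        raise PermissionError("state mismatch: possible CSRF")
    token = server.token(cb["code"], CLIENT_ID, REDIRECT_URI, verifier)
    try:
        server.token(cb["code"], CLIENT_ID, REDIRECT_URI, verifier)  # second redemption
        replay_error = ""
    except PermissionError as e:
        replay_error = str(e)
    return token, replay_error


def intercepted_code(server, user="alice"):
    """Attacker read the code off the redirect (proxy, log, hijacked URI scheme) but never saw
    the verifier, which stayed in the app's memory. Returns the server's error text."""
    verifier, challenge = make_pkce_pair()
    cb = _query(server.authorize(build_authorize_url(challenge, secrets.token_urlsafe(16)), user, True))
    try:
        server.token(cb["code"], CLIENT_ID, REDIRECT_URI, "guessed-verifier")
        return ""
    except PermissionError as e:
        return str(e)
```

Two things make the stolen code useless: the token endpoint burns the code on its first use whether that attempt succeeds or not, and the PKCE comparison means possession of the code alone is never enough. The state check on the client side stops the mirror-image attack, where an attacker completes their own authorization and grafts the resulting code onto the victim's session.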

Limitations of solution

OAuth did not define how authentication should be done. Different services developed their own methods to authenticate the user and then used the OAuth spec for authorization. OpenID Connect evolved to fill that gap, though not every provider implements it. In addition, the code exchange originally assumed a confidential backend able to hold a client secret, which native mobile apps and browser JavaScript cannot do. The implicit flow issued the token without the exchange, at the cost of exposing it in the browser; PKCE now serves those same clients by binding the code to a hashed secret that the client proves at the exchange.


OAuth is still evolving. The initial requirement of authorization was addressed, but the details of authentication were left undefined, so several services improvised their own methods. In addition, in 2010 mobile devices had many more limitations than they do now. Newer OAuth JavaScript libraries address some of the older limitations, and extensions such as PKCE, written for the problems mobile apps had, are now moving into desktop and web libraries too.

Compare and Contrast

Both SAML and OAuth (with OpenID Connect) address the problem Kerberos set out to solve in the 1980s: offering a service while keeping the store of user profiles and credentials separate from it. Kerberos worked in a world of desktops, servers and printers on a common network with multiple open ports. As applications moved to the web, the common transport became HTTPS. Microsoft built ADFS alongside its Kerberos and LDAP implementation to federate Active Directory identities using SAML (and WS-Federation). SAML uses HTTPS as transport and a PKI-signed assertion to separate the authentication store from the service the user is accessing.

But as mobile devices became more popular and services and identity providers multiplied, the idea of one trusted domain broke apart. Users wanted to see more detail about the permissions they were granting and to have control over them.

OAuth addresses authorization by defining individual scopes on the API side; the application then selects the ones it needs. When the user connects to the service via the provider, they see in human-readable form the scopes the application is requesting from the provider and its API, and can accept them or, on providers that allow it, grant only a subset. SAML's authorization data is whatever attributes the IdP puts in the assertion, usually group membership, and it is not easy to define granular groups that map to the particular functions an API offers. SAML's artifact resolution is a back-channel exchange between SP and IdP, so it does nothing for user visibility either.

Wednesday, December 16, 2020

Morning Sunrise

Winter sunrise over SFO airport

Sunday, December 13, 2020

Water in Tamron 150-600 Lens

The Tamron 150-600 G1 lens is not weather sealed!
Wanted to wash off some mud after a hike and a fall, and the water just flowed into the lens.

Had to take the lens apart and clean out the front element. Needlessly, I also took apart the mounting element and ended up spending too much time putting it back together. In the end, I watched a few YouTube videos that detailed the repair of this lens.

Sunday, May 10, 2015


Went for a weekend trip to Berlin.  Last time I was in Berlin was something over 10 years ago when I went there for a business trip to visit a customer.  Back then the city was just a massive construction site and everything was being redone.  There’s still a lot of things that are being worked on now, but most of the city is finished being rebuilt.

I was impressed by how big Berlin is. Compared to London, where everything is small and cramped, Berlin has wide streets with new sidewalks. I hope that the city will continue being a place where things improve (if they just manage to get BER airport done!)

Evening takeoff from London

Hackescher Markt

Großer Tiergarten

Großer Tiergarten


My dinner, love this stuff

The new VW T6, my dream van (for touring)

BER airport, note it's still not open

Sunday, May 3, 2015


The first bank holiday weekend in the UK.  Spring is in full swing and the trees are starting to turn green.  I've been waiting for the moment all winter.  So I wanted to go out in nature, hike somewhere nice and go camping with my new kit.
Originally I wanted to go up to Snowdonia as there's some forest there and the nature looks quite nice, with patches of forest and what British people call mountains. But then I was reading that you can't really camp there and that in Scotland you can camp pretty much anywhere that's public land. So I started looking into it and found the Galloway Forest, which was not that far away (still half a day's drive). So ok, that's it. I'm going. My wife was heading up to Scotland the week before and was told it's snowing up there, ok - perhaps they are exaggerating. So my wife did go for work and said the weather is bad.

Crap.  I didn't want to go up to Scotland to be faced with snow and poor weather.  At this point I started looking again into Dartmoor, something I thought about last year.  It's the only place in the UK (outside Scotland) where you can also camp pretty much without a permit and, more importantly, won't be confined to camping near kids.  Ok, I started looking into it and it looked like something to do.  My plan was to leave on Saturday and come back on Monday.  But then the forecast showed that Saturday was heavy rain, so I figured I'd go on Sunday and enjoy two days.

So with my new Rab Bivy and North Face down sleeping bag I headed off early in the morning.  The drive was a bit rainy but this was still the storm from Saturday.  When I got near Exeter the weather cleared and looked promising.  I found the park's office and registered my car just to park overnight.  All really easy.  The guy at the park office asked where I was from; I said London, then, unconvinced, he asked again differently and I said something about the States.  He gently smiled and wished me luck.

Back in the car I displayed my "WARNING - Don't bother breaking-in" sign that I was given at the park office and set off.

Immediately after leaving the parking lot it started to drizzle.  Ok, no problem, it's England after all.  The landscape was quite nice, very tranquil and gentle in a steady way.  No rugged peak edges or sharp lines.  All very smooth and rolling.

Saw some sheep that were just shaved and looked quite miserable... Oh, that reminds me, want to look into woolen clothes.

Walking over the moors was quite easy, the ground seemed solid and there's not much in the way of obstacles.  Feels like I could go on in any direction for hours.  There are many rock formations and some are ancient settlements that were built around the time of Stonehenge.  (Did drive past it earlier on my way here)

Further down the valley I came to a river.  I tried to look on the OS map to see what the plan is, but sadly the wind was too strong to hold the map and worse there's no real paths in Dartmoor, it's just a landscape that is void of any trails.

I tried following the river to go further north into the park.  It was getting more and more muddy and I was watching every step I was taking.  At one point I came to a pool of mud where what I thought was a rock was just a leaf in the mud.  Stepping onto it my foot sank straight into the mud.  Mud was everywhere, but I did bring extra socks with me so at my next break I changed.

Going further into the moor I got to a point where I was thinking, do I want to continue?  What is really out here?  Why did they make this a national park if it's just a massive swamp?  Then I remembered that half the park is a training ground for the UK Army.  On the weekends it's free passage, but on other days they practice live fire and what a poster called "Defensive Maneuvers".  This had me further thinking that it seems a bit of an insult to the English people that they declared one of the most useless areas in England for nature and people who want to go camping.  Scotland at least lets you roam and camp on public land, but England is another story altogether.

At this point, the weather was starting to turn sour, the mist was coming in and the wind picking up.  I thought about it, half joking, that I should head back and just go home.  But I continued and came to a river that I needed to cross if I wanted to continue north.  Now there are no bridges, nowhere that looks like you can jump, just mud and moors.

I looked around and saw some large rocks that I could sit behind and watch the landscape.  Also a great place to make some tea on my stove and watch the other hikers in the distance struggle with the mud and weather.  It was around 4pm and I figured I could still make it back at a sane time, beating the traffic that I'm sure was going to be a mess on Monday when everyone comes back to London.

So that was it, I started heading back and near the same point that I fell into the mud, my other leg got a good dose of Dartmoor mud.  Great.  On the way back to the car I was getting soaked in the rain and was just thinking about the fresh clothes I had in the dry car.

On the way home I stopped to have dinner in Exeter's car park with M&S.  Had a nice salad with Italian salami and some other goodies.  Did beat the camp food that I had packed for the trip.  I did enjoy going out to Dartmoor and think it's something worth seeing.  Don't expect to camp or do anything that you would do in nature.  It's a harsh environment and should be approached with respect.

Saturday, April 11, 2015

Putney Boat Race

The Putney Boat Race between Cambridge and Oxford has been going on for many years.  I thought it would be a good idea to check it out given that I live in Putney and this event puts Putney on the map.

Monday, February 16, 2015

Victoria BC

Being in Seattle for training I thought it would be a cool idea to go up to Canada and see Victoria myself.  The trip was amazing, something I didn't expect.  Canada is a little different from the States, especially Seattle.

I really enjoyed the vastness of the nature and how open the land is.  It's somewhere I don't think I would mind living.

As you can see, Spring was in full swing and coming back to London after this was quite a depressant.  It took another 3 months before I would see any greenery in London.