My wife & I began subscribing to the MetroWest Daily News back in 2002. At the time they published in the afternoons, so it was the paper I read when I’d get home from work in the evening. When we moved from Framingham to Westborough back in 2008, we opted to keep subscribing to the MetroWest even though it’s Framingham-centric paper and there are probably better candidates for local news. As everyone knows, I’m a craft beer geek and always look forward to Norman Miller’s Beer Nut columns on Wednesdays. If you’re reading this and wondering why we subscribe to a physical newspaper in the Internet age, well, I’m not going to convince you why it’s worth it. Suffice it to say we like the routine of knowing there’s morning news in our driveway, and we also enjoy supporting quality reporting by paying that subscription fee. Of course, the subscription fee also funds the delivery of the paper. Which leads me to my story…

We enjoyed reliable delivery service for most of the 8 years we subscribed. Then, a couple months ago, our regular delivery person was replaced. It’s still unclear to me whether it was just a new person from the existing delivery service or an entirely new delivery service. Apparently the MetroWest Daily News farms the delivery part out to a 3rd party, which I’m sure is much cheaper for them in the long run.  We knew the carrier had changed on that first morning when our newspaper wasn’t there (we later discovered it in our neighbor’s driveway). The next day we didn’t get any paper at all and it wasn’t in our neighbor’s driveway either. In the days that followed we had some days where we got the paper, some where we got the wrong paper, and some with no paper at all. I grew accustomed to calling the MetroWest’s Circulation Dept to report the problem. Within a couple of weeks I had their phone menu options memorized because I had dialed in so frequently (side note- why does one option say “to have your paper REdelivered, press..”? How can a paper be redelivered if it wasn’t delivered in the first place??). It was not going well.

After several days of issues a MetroWest manager called the house to apologize. He gave us his direct dial line to call if we had further issues, and he even called on some days to check and made sure we got the paper. This was the GOOD side of dealing with the problem. Unfortunately there was a BAD side too. The delivery service itself called our house a couple of times. They were rude, abrupt, and apparently suspicious of our motives. On one call they implied that we were inventing the issues (did I miss the announcement that one can use accumulated newspaper credits toward their kids’ college savings plans?). On another day when the service had already “redelivered” the paper because they’d missed the morning delivery, a 2nd driver showed up to give us a 2nd copy. When I politely explained that we’d already gotten the paper, the driver commanded in an annoyed voice “just keep it because I don’t want to have to come back out here.”

I’m guessing we had at least ten days of newspaper delivery issues over the course of 6-8 weeks. We’re

not high-maintenance people, but our patience was wearing thin. Eventually we decided “1 more strike and they’re out”. That final strike happened last week when I went outside and found no MetroWest Daily News. I was tired of calling their circulation desk at least once a week, and I didn’t understand why our service went from excellent to miserable so quickly. I made the final call to the subscription desk to cancel. When the woman I spoke with politely asked why, I made things very clear: “I love your newspaper, your staff has been great to deal with, but your delivery service has been awful lately.” She immediately saw my list of calls and was very sympathetic. A manager is supposed to call us at some point, no doubt to regain our business. At this point I don’t see that happening.

Here’s what I learned from this whole saga:

1. Don’t take excellent service for granted. We always sent tips to our old carrier, but I would have sent more had I realized how much aggravation his reliability saved me.
2. If you outsource any aspect of your business to partners, choose wisely. Partners share as much responsibility for representing your business as your employees do. Chances are your clients/customers won’t make the distinction between a full-time employee and a partner when something goes wrong. More often than not, your business will pay for your partners’ mistakes. If you don’t believe me, just ask the MetroWest Daily News.
3. If you or your company resells or performs a service on behalf of another entity, you should strive to represent them in the best possible light. This will help to differentiate you from other partners. If you end up making a poor impression, you risk costing them money. Go the extra mile and you’ll be recognized and appreciated.

At CoreBlox we’ve been fortunate to be part of some productive strategic partnerships. I think a big part of that success comes from taking the lessons we learn as individual consumers and applying them to our business. This experience with my local newspaper has reminded me that when it comes to partnerships, there’s no substitute for reliability and professionalism.

– Newspaper photo courtesy of DRB62 on Flickr

– Handshake photo courtesy of aroberts on Flickr

The inspiration for this post was a recent interview conducted with Dieter Schuller, VP of Business Development for our partner Radiant Logic. The interview covers its own fair share of acronyms and concepts, most of which are at the core of what this blog’s readership does for a living. But eventually it shifts into a practical (and very powerful) example of what identity correlation can do for a business, courtesy of Dieter:

For example, we just worked with a major electronics company, where they started with access management, single sign-on, delegated administration, but they wanted to make their portal a much better experience so when the user logged in, rather than just serving up products, the idea is you know enough about me because you have an order entry system that tracks what I bought online, you have a product registration system that tracks what I bought offline, you have a product database so you know that I bought a camera and now you should try to sell me a camera case.

They actually took it a step further and actually integrated it to their partner systems as well. They have a relationship with Facebook, for example, and, for that particular identity, started to look at what their movie and music preferences are and serving up content based on that.

Take a step back and think of what this interview would have meant to a non-IAM professional had it not included this real-life scenario. I think it would have led to multiple Google searches to define MDM, CDI, virtual directory, etc, if the reader had the time. Instead the reader comes away thinking about what this technology meant to an electronics company and how this might help his/her own business. In the real world this can mean the difference between a company becoming a prospect, and a prospect becoming a client or a customer.

“For example” can be powerful words in the context of security technology. We need more for examples in this space, not less. Have you seen examples of IAM companies providing practical real-world descriptions of how their products and services are being leveraged? If so, please share in the comments!

Error: No registration on File

I’m one to usually skim through documentation and like to just start installing software, especially when it comes to something that I’m already familiar with. As it turns out, SiteMinder WAM R12 requires additional steps in order to complete the installation and configuration of the Policy Server. After a number of failed attempts, I finally walked through the SiteMinder WAM R12 online documentation and figured that I was missing a few steps so I thought I’d pen it here to save others some trouble.

The title of this blog post pertains to the error you get when you try to launch the SiteMinder R12 Administrative UI and try to log in using the Siteminder user. As it turns out, it basically means that the Admin UI managed to contact the Policy Server and verify that it is allowed (trust) to act as the Admin UI. The Policy Server does a check and finds no trusted relationship between the two and returns the “No registration on File” error.

The normal route to resolve this issue is to run the XPSClient command (see Quick Guide to installing SiteMinder WAM R12) to register the client (this is done on the Policy Server machine). However, if you didn’t install the Policy Server properly, you will run into issues, which will result in the same error message.

A good indicator that your Policy Server is incorrectly configured is to look at the output when running the XPSRegClient command to reg:

As you can see in the output above, the command executed failed to register the client. If you attempt to log in using the SiteMinder Admin UI Client after running this command, you’ll get the “No Registration Found on File” error. This error is also logged in the smps.log file.

SiteMinder 6.x

For those with previous SiteMinder experience, you probably know the general steps in installing a new instance SiteMinder Policy and get the Policy Store up and running in a few minutes. In a nutshell, this were the basic steps:

1. Configure the Schema for the Policy Store
   1. For LDAP stores:    run smldapsetup ldgen & ldmod <schema.ldif>
   2. For SQL:      execute SQL queries with the specific sql files provided in the /db/sql folder
2. Set the super user(siteminder) using smreg to establish the password.
3. Import the base objects in the smpolicy.smdif file with the ‘smobjimport’ command smpolicy.smdif file
4. Restart the Policy Server and verify from the smps.log that SiteMinder has successfully started.
5. You’re done at this point and can launch the SiteMinder Admin UI or if you didn’t opt to configure the SiteMinder UI with an existing web server during the install, you would run the smps-config script.

SiteMinder R12

Here is the new way of installing and configuring the SiteMinder R12 Policy Server

1. Configure the Schema for the Policy Store
   1. For LDAP Stores:
      1. Run smldapsetup ldgen & ldmod <schema.ldif>
      2. Run smldapsetup ldmod /xps/db/<ldap directory type.ldif> <- This is NEW & a REQUIRED step.
         1. IMPORTANT: This is the step to extend the current schema to include the XPS objects.
         2. NOTE: For some directories (ADAM, AD), you will need to modify the ldif file to specify the root (eg dc=coreblox,dc=com) or the guid (eg B34F9AA5-C669-48E4-B8CF-DF3F5E9EFD20). The guid replacement is the value of the root of the ADAM directory that contains the cn=Configuration object.
   2. For SQL Stores:
      1. Run the sql query (Oracle/MSSQL) located in the /siteminder/db/SQL directory against the designated database instance.
      2. Run the SQLServer.sql or Oracle.sql script located in the /siteminder/xps/db directory to create the XPS objects. <-This is NEW & a REQUIRED Step.
2. Set the super user(siteminder) using smreg to establish the password.
3. Import the base objects in the smpolicy.smdif file with the ‘smobjimport’ command smpolicy.smdif file
4. Import the SiteMinder Policy Store Data Definitions  <- This is NEW and a REQUIRED step
   1. According to the documentation, the sequence in which you execute the steps are important. It warns that not following the sequence will result in a failure to import other objects.
   2. The executable that is used to run the import is XPSDDInstall its located in the siteminder\bin directory.
   3. The data defintion files are located in the siteminder\xps\dd directory
   4. Here is the sequence that needs to be executed:
      1. XPSDDinstall SmObjects.xdd
      2. XPSDDinstall  EPMObjects.xdd
      3. XPSDDinstall  SecCat.xdd
      4. XPSDDinstall  FssSmObjects.xdd
5. Restart the Policy Server and verify from the smps.log that SiteMinder has successfully started.
6. Proceed to installing the SiteMinder Administration UI component or run the XPSRegClient to register a new SiteMinder UI client if you already have installed the SiteMinder Administration UI client.

Logs:

Example of a successful Client registration:

Here are errors in the smps.log that indicates that you failed to import the XPS objects into the SiteMinder Policy store. See the steps above on how to rectify it

I hope you find this article useful and as usual, please don’t hesitate to let us know if you’ve got any questions, comments or tips!

Stamford, Conn.-based Gartner Inc. will announce Thursday that during the next 12 months, it expects that enterprises will spend approximately 5% of their total IT budgets on information security technology. While that percentage is down slightly from 6% last year, Gartner forecasts that overall IT budgets will increase by nearly 2%, meaning security spending will largely hold its ground.

But as we all know, security is a broad term that is used to cover everything from virus scanning software to virtual directories. A closer look at Gartner’s findings reveals the type of news I like to see:

Identity management was ranked as the No. 1 security technology priority among respondents in Gartner’s 2010 CIO Survey, with more than 20% listing it as a spending priority. [Gartner Managing Vice President Vic] Wheatman said the interest in identity management is tied to several trends: increased focus on the integration of self-service applications, both internally and to trusted external partners; the need to ensure strong authentication for systems that provide sensitive data; and the necessity of passing compliance audits.

It’s interesting to note how these broader trends directly correlate to some of the projects we’re working on at CoreBlox. Over the past year we’ve implemented a password management process for a company looking to increase its focus on self-help, enabled federation for companies with trusted partner relationships, and given companies easier ways to audit their accounts for compliance. In the process we’ve continued to develop and refine best practices for system deployments around these areas. What began 5 years ago as a SiteMinder focused services practice has greatly expanded, and we welcome the new challenges ahead!

The article states:

According to Deloitte’s 2010 annual security survey for global financial institutions, entitled “The Faceless Threat,” identity and access management was identified by survey respondents as the industry’s top security initiative for 2010. Among 19 different types of initiatives, 44 percent listed this as their top initiative; it is also a significantly higher priority for larger organizations with more than 10,000 employees (63 percent).

Furthermore:

Security budgets also appear to be reversing the current trend of cost-cutting. More than half of the survey’s respondents (56 percent) indicate that their information security budget has increased. Additionally, there is a significant drop, as compared to last year, in the number of respondents who state that “lack of sufficient budget” is one of the major barriers that their organization faces.

Why did this story catch my eye? Because it represents opportunity! As demonstrated by our client list, CoreBlox has a wealth of experience working with large organizations like the ones that are referenced in the article, including those that reside in the insurance & financial space. We know how to work in these environments, and we’re ready to meet your challenges with you. If you’d like to learn more about our company and our enterprise security services then please contact us!

Skyworth TTG Holdings, Inc. (STTG), (www.skyworthttg.com) and CoreBlox, Inc. (www.coreblox.com) announced today that they have entered into a strategic partnership to deliver the highest quality Identity & Access Management solutions to world-class enterprises. As two of the best of breed IAM, Federation, and Virtual Directory service providers, this partnership allows for expanded service levels and even greater depth of experience and skill sets from over 65 dedicated IAM specialists across the globe.

With over 100 successful IAM deployments for Fortune 500 companies delivered across 14 countries and 4 continents, STTG & CoreBlox have established themselves as the trusted 3rd parties of choice for deploying key components of CA’s Identity Lifecycle Management suite of products: CA SiteMinder, CA Identity Manager, and its companion products. The combination of STTG’s distinctive product offerings and CoreBlox’ virtual directory expertise provides a one-stop shop for companies seeking reliable service and measurable ROI.

“We are excited to work closely with CoreBlox as we continue to expand our product and services offerings in the IAM space,” said Richard Sand, Chief Executive Officer of STTG. “ STTG’s and CoreBlox’s extensive enterprise security knowledge and experience ideally compliments and enhance the other, as we strive to continue providing the highest level of service excellence, worldwide, that our clients have come to expect.”

“Our partnership with STTG underscores the commitment we’ve made to expand our capacity for service and support. Working together, we can make more efficient use of the talents of our respective teams while maintaining the trusted advisor status we’ve earned with our clients” said Todd Clayton, Chief Executive Officer of CoreBlox.

About Skyworth TTG Holdings Limited

STTG is a rapidly expanding global system integrator specializing in fast growing information technology areas such as Identity & Access Management, Service Oriented Architecture implementation, Security/Risk management, Document management, and Open Source development. STTG has offices in New Jersey/USA, Oslo/Norway, Singapore, Hong Kong, Shen Zhen/China and Wuhan/China.

STTG’s Fortune 500 customers and partners span the globe and are diversified throughout Banking and Insurance, Education, Entertainment, Telecom, Aviation, Transporation, Information Technology, Logistics, Manufacturing, Retail, and Government and Government Sponsored Organizations.

About CoreBlox, Inc.

CoreBlox, headquartered in Framingham, MA/USA, focuses its technology services practice on enterprise security and technical support operations. The CoreBlox team specializes in single sign-on (SSO) and web access management solutions, SAML and identity federation services, and LDAP Directory Virtualization, with broad experience managing, executing and supporting CA SiteMinder and Radiant Logic Virtual Directory deployments.

CoreBlox is proud to provide solutions for a variety of industries including Banking, Information Technology, Insurance, and Telecommunications.

Now that my webinar with Mike Donaldson and Lisa Grady is over I wanted to post up some additional information and also a video of the working demo. Thanks to Ping Identity and Radiant Logic for working with us on this demo.

Overview:

As a recap of the demo scenario, our theoretical company, MyComany, is looking to leverage cloud-based services and their strategy is to continue to migrate a significant amout of infrastructure to the cloud. The first application they have migrated is Salesforce CRM for Sales management. After that, they plan on expanding into Google Apps, a hosted provider for time and expense submission, HR, etc. The company has an internal Enterprise Directory (LDAP) which stores Employee profile information and the sales region and list of accounts for a Sales Rep is stored in Salesforce CRM. Since not all employees have access to Salesforce, there is also an internal portal that employees use to find Sales Rep and customer information.

Since they started using Salesforce, they are noticing these main problems:

1. Managing the provisioning/de-provisioning of internal users in Salesforce is a time consuming manual process and in one case an terminated employee was not de-provisioned correctly and wound up getting access to information they should not have been able to access as a non-employee.
2. They have a high number of password management issues since users have a separate account in Salesforce.
3. Certain pieces of information are managed about salespeople and accounts in Salesforce and are not visible through the portal. This limited access to information required for the distribution of new leads and to contact the correct Sales Rep in case of a customer issue.

So, they want a solution that provides the following benefits:

1. Automates the provisioning and de-provision of users in Salesforce based upon membership in a group in LDAP
2. Centralized view of internal user information with attributes coming from LDAP and Salesforce that can be surfaced through the portal
3. Centralized view of customer information that shows both the information coming from Salesforce but also includes the information from the accounts payable database for the complete view of the customer
4. Single Sign-on into Salesforce from the MyCompany Portal

Solution:

• Ping Identity PingFederate for provisioning and de-provisioning of users based upon group membership in the salesforce group in VDS
• Ping Identity PingFederate for Internet SSO using VDS as the LDAP directory for the Identity Provider (IdP) and Salesforce as the Service Provider (SP) using SAML

• Radiant Logic VDS Context Edition to create a single view of the employee information with cached attributes coming from LDAP and Salesforce
• Radiant Logic VDS Context Edition to create a single view of the customer with cached attributes coming from the Salesforce Users and Accounts tables

For larger images, please see the slides from the presentation included below.

Results:

Once implemented, this simplified their environment and provided greater flexibility as they looked to expand into the other cloud services, minimized trouble tickets for Salesforce password resets and improved internal access to information.

Demonstration:

The following video shows the working demo which addresses the requirements above. This is just the starting point of what will eventually become a centralized hub for access to critical user and contextual data across repositories both internal to your company and also across cloud services outside of your firewall.

3 Building Blocks for Managing Cloud Applications – Video Demo

Webinar Recording:

A recording of the webinar is available on Ping Identity website. Note that registration is required.

View the Replay

I have also uploaded the slides to SlideShare so that you can more easily see the larger images:

I would love to hear what you have to say about this concept. Special thanks to Ian Barnett (Ping Identity) and Prashanth Godey (Radiant Logic) for helping to get this demo set up.

Thanks,
Todd

-Dave

Cloud computing offers virtually limitless business opportunities and continues to grow at a rapid pace. In the U.S. government sector alone, Market Research Media anticipates Cloud demand to grow at an annual rate of 40% per year between 2010-2015, with expenditures exceeding $7 billion annually at the end of that cycle. But as Gartner warns, “cloud computing is fraught with security risks” which must be avoided or mitigated by organizations that choose to take this approach. This webinar will provide advice from seasoned industry veterans as you begin your planning.

Please register here: http://marketing.pingidentity.com/?elqPURLPage=27. We look forward to having you join us next Thursday!

One thing we’ve noticed that the SiteMinder community can do a better job of is helping people to understand where to look for help with their SiteMinder needs. On the Twitter side, we’ve created a list of SiteMinder professionals who frequent that network. These are folks we’ve interacted with or accounts that tend to generate interesting links related to SSO and enterprise security.

Of course, you can also sign up and participate in our SSOhelp community.

By the way, good news for those of you who are interested in Radiant Logic VDS: there’s a list for you too! Follow our list of Radiant Logic professionals.

We’ll continue to grow both lists over time, and if you feel you should be added then feel free to drop us a line @coreblox.