A recent incident affecting a small number of entities in the UK federation has alerted us to some issues related to the distribution of default cryptographic keys. The following advice applies to both service providers (SP) and identity providers (IdP). The risk of using a default key is that someone may impersonate you. As […]
Category: UK Access Management Federation
User tracking for digital marketing can violate user privacy on the web. Now that browser vendors are looking to implement methods to stop user tracking, we must ensure these methods do not clobber other frameworks which protect privacy such as Single SignOn through the UK federation, SAML and OpenID Connect. Problems and mitigations Digital […]
We all know how it goes. We face a challenge, we find a solution, we implement it, and if we’re lucky – it works! Before you know it – the successful solution is all but forgotten. Neglected. A distant memory in the chaos of the day-to-day; buried beneath a pile of new challenges that we’re […]
Bear with me while we have a little history lesson. As anyone who has ever used an Inertial Navigation System knows, you can only get to where you want to be, by knowing where you are coming from… Coming of age in the 80’s, I had a few certainties. Liverpool FC always won, C15 blank […]
IdP operators: consider using MDQ (metadata query) Configuring your self-hosted IdP to use MDQ (metadata query) has three key benefits: a reduced memory footprint mitigation against a class of disruptive errors as the size of metadata increases robustness against problematic metadata. Half of the IdPs in the UK federation use MDQ already. The UK federation […]
A core aspect of Cyber Essentials is keeping your systems up to date. This is true both for operating systems and any installed apps or software, and these must always be kept updated. Applying these updates is one of the most important things you can do to improve security. It ensures that devices and software are not vulnerable to known […]
“Are THEY listening to us?” “Who’s they?” “You know, the phones, the laptops?” And so goes the conversation that I sometimes have with my wife. Perhaps after we’ve had a chat about hiking poles, when every ad on our social media feed then shows hiking poles, despite neither of us having directly Googled them. (Although […]
You wouldn’t serve someone alcohol without appropriate ID. Nor would you buy a car without airbags, or leave your phone unlocked in a busy pub. Federated access is the equivalent safety check for students and staff accessing your online resources. So if you’re not using federated access, how secure is your access management set-up? This post answers this question and […]