Business identity org started by Financial Stability Board pilots blockchain identity

Today, The Global Legal Entity Identifier Foundation (GLEIF) said it is working with self-sovereign identity firm Evernym to enable organizations to use digital identity on the blockchain. The two are piloting a solution for ‘organization wallets,’ which would hold digital credentials of an organization and verify the authority of employees to act on its behalf.

GLEIF, established in 2014 by the Financial Stability Board, is tasked with implementing legal entity identifiers (LEI), a global identifier for companies and organizations participating in financial transactions. The blockchain-based solution uses the organization wallet and verifiable credentials to connect an employee’s name to the organization’s LEI.

This blockchain-based identity management system improves the trustworthiness of a business process, so it’s known that an employee is authorized when they sign a contract with new suppliers, or submit information to regulators.

GLEIF and Evernym ran a proof-of-concept (PoC) for a regulatory filing and leveraged verifiable credentials on the Sovrin Network. As a global foundation, GLEIF registered its own public Decentralized Identifier (DID) on the Sovrin Network. There are several LEI Issuers, typically financial exchanges, that issue and maintain these identifiers. GLEIF accredits each of these issuers.

An organization is validated by the Issuer and assigned an LEI.

For the PoC, an organization requested verifiable credentials with its LEI from the Issuer and used that data to issue verifiable credentials for its employees. These credentials were stored in the ‘organization wallet’.
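The chain of trust described above (GLEIF accredits an LEI issuer, the issuer assigns an LEI to an organization, the organization issues credentials to its employees) modelled in Go as an added example; this is not GLEIF's or Evernym's code. The `did:x:...` strings, the LEI value and the claim names are constructed placeholders, and the `ledger` map stands in for DID-to-key resolution on a ledger such as Sovrin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// Credential is a toy verifiable credential: issuer/subject DIDs, a claim map and an ed25519 signature (all values below are constructed placeholders).
type Credential struct {
	Issuer, Subject string
	Claims          map[string]string
	Sig             []byte
}
// payload is the signed byte string; json.Marshal sorts map keys, so it is canonical.
func payload(c Credential) []byte {
	b, _ := json.Marshal([]interface{}{c.Issuer, c.Subject, c.Claims})
	return b
}
func Issue(issuer, subject string, claims map[string]string, k ed25519.PrivateKey) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claims: claims}
	c.Sig = ed25519.Sign(k, payload(c))
	return c
}
// VerifyChain accepts emp only if each link is signed by its issuer's ledger-published key and the chain runs GLEIF root -> accredited LEI issuer -> organization LEI -> employee.
func VerifyChain(ledger map[string]ed25519.PublicKey, rootDID string, accred, org, emp Credential) bool {
	for _, c := range []Credential{accred, org, emp} {
		pk, ok := ledger[c.Issuer] // DID resolution: look the issuer's key up on the ledger
		if !ok || !ed25519.Verify(pk, payload(c), c.Sig) {
			return false
		}
	}
	return accred.Issuer == rootDID && accred.Claims["accredited"] == "true" && // root accredits issuer
		org.Issuer == accred.Subject && org.Claims["lei"] != "" && // accredited issuer assigns the LEI
		emp.Issuer == org.Subject && emp.Claims["lei"] == org.Claims["lei"] // org vouches for employee
}
// Demo builds one chain; it returns (valid employee accepted, forged employee rejected).
func Demo() (bool, bool) {
	gPub, gKey, _ := ed25519.GenerateKey(rand.Reader)
	iPub, iKey, _ := ed25519.GenerateKey(rand.Reader)
	oPub, oKey, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // key that was never published on the ledger
	ledger := map[string]ed25519.PublicKey{"did:x:gleif": gPub, "did:x:lou": iPub, "did:x:org": oPub}
	accred := Issue("did:x:gleif", "did:x:lou", map[string]string{"accredited": "true"}, gKey)
	org := Issue("did:x:lou", "did:x:org", map[string]string{"lei": "LEI-PLACEHOLDER-0001"}, iKey)
	emp := Issue("did:x:org", "did:x:alice", map[string]string{"lei": org.Claims["lei"], "role": "filer"}, oKey)
	forged := Issue("did:x:org", "did:x:mallory", emp.Claims, rogue) // claims org issuance, wrong key
	return VerifyChain(ledger, "did:x:gleif", accred, org, emp), !VerifyChain(ledger, "did:x:gleif", accred, org, forged)
}
```

A verifier that trusts only the GLEIF root DID can therefore accept an employee's signature on a filing without any prior relationship with that employee's organization.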

“By partnering with Evernym, we have extended the idea of self-sovereign identity beyond individuals to legal entities for the first time,” said Stephan Wolf, CEO of GLEIF. “The process of cryptographically recording credentials, linked to an organization’s LEI in a chain of trust rooted on distributed ledger technology, gives organizations full control over the issuance and management of their own employees’ digital credentials.”

GLEIF has previously trialed blockchain digital identity for LEIs on Ethereum and Hyperledger blockchains. The Sovrin Network, originally initiated by Evernym, is based on Hyperledger Indy.

Among its recent projects, Evernym is participating in the COVID Credentials Initiative. It is on the steering committee of Trust over IP (ToIP) Foundation, a standards initiative of the Linux Foundation.

Last year, the governments of British Columbia (BC), Ontario and Canada jointly explored decentralized identity and trusted credentials for businesses using Hyperledger Indy. The solution is called Verifiable Organizations Network (VON).


ShareFile Connectors Authentication and Single Sign-on

ShareFile Enterprise includes support for connecting to existing network drives and SharePoint document libraries from within the ShareFile app for iOS and Android. This article details the authentication events for ShareFile Connectors when deployed as part of a XenMobile solution.

Figure 1: Authentication events

There are five authentication events involved for ShareFile Connectors in a XenMobile deployment:

  1. Secure Hub authenticates to XenMobile.
  2. The ShareFile app authenticates to ShareFile.com.
  3. ShareFile app authenticates to NetScaler in the DMZ when accessing connectors.
  4. NetScaler authenticates to the ShareFile StorageZone controller. HTTP Basic is the default method for this step. However, Kerberos authentication is also possible.
  5. StorageZone Controller impersonates the domain user account and authenticates to the Network share or SharePoint server on behalf of that user. Kerberos and NTLM are supported.

Single sign-on to ShareFile.com

When using MDX-wrapped apps with XenMobile, single sign-on from Secure Hub to ShareFile.com is achieved using SAML. The App Controller acts as the SAML Identity Provider (IDP) configured in the ShareFile account. When the app is launched, Secure Hub obtains a SAML token for the user from App Controller and passes it to the ShareFile MDX app along with information about the ShareFile sub-domain. Secure Mail for iOS uses the same technique for authentication to ShareFile in order to present the user with a list of files and folders when they select the Attach from ShareFile option.

Separate Authentication Required for Connectors

The sign-on to ShareFile.com enables access to native ShareFile data if the data resides in a Citrix-managed StorageZone in the ShareFile cloud or in a customer-managed StorageZone, but it does not authenticate the user to any StorageZone Connectors that may be assigned to the user.

To access Connectors data sources like Network drives and SharePoint document libraries, the user must also authenticate to the Active Directory domain in which the network shares or SharePoint servers reside. Steps 3 through 5 in Figure 1 represent this separate authentication flow.

XenMobile MicroVPN Settings

ShareFile MDX-enabled mobile applications can be configured to use the following Network access policies in XenMobile App Controller:

Network Access setting options

  • Blocked – In this mode of operation, which is the default setting for new applications, network access is not allowed and the ShareFile app cannot function. The network access setting must be changed to one of the other options.
  • Unrestricted – In this mode of operation, traffic from the ShareFile app is permitted to contact any host on the Internet. When communicating with the ShareFile.com control plane, traffic flows directly from the client to ShareFile.com, or directly to the external address of any storage zone.
  • Tunneled to the internal network – In this mode of operation, all network traffic from the ShareFile app is intercepted by the Worx MDX framework and redirected through the NetScaler Gateway using an app-specific MicroVPN.

    When the Network access setting is configured for Tunneled mode, the Initial VPN Mode setting becomes relevant to the connection.

Initial VPN Mode setting options

  • Full VPN Tunnel – In this mode of tunneling, traffic between the client and the destination is not modified in any way by NetScaler Gateway. This method is required for applications that perform end-to-end SSL connections using certificate-based authentication.
  • Secure browse – In this mode of tunneling, SSL/HTTP traffic from the MDX app is terminated by the MDX framework, which then initiates new connections to internal resources on the user’s behalf.

Consider the following points as you design your XenMobile and ShareFile deployment:

  • Single sign-on to ShareFile.com is available for the ShareFile MDX-wrapped applications and Secure Mail, by configuring App Controller with ShareFile account details.
  • Authentication to ShareFile.com is not sufficient to authenticate users to domain-joined network shares and SharePoint document libraries.

Additional Resources

Configure ShareFile Single Sign-On with XenMobile

XenMobile ShareFile Mobile App SSO using SAML

Secure Mobile Data Access with Worx-enabled ShareFile

Related:

Unable to sign in to Citrix Files when using Azure iDP for Single Sign On (SSO)

Attempts to use Single Sign On (“Sign in with Company Credentials”) to access Citrix Files may fail when Microsoft Azure is used as the iDP (identity provider).

Upon closer inspection, you may find errors similar to the following:

AADSTS50105: The signed in user ‘a.user@domain.com’ is not assigned to a role for the application ‘ab12cd34-abcd-1234-0987-abcd43vf56567′(Citrix ShareFile).

This error can be seen even though the user is a member of the Active Directory groups that should entitle them to the role assignment. That membership is visible in on-premises Active Directory, but you may not be able to see the same group membership in the Azure portal. Instead, the Azure portal may return an error stating ‘Microsoft_AAD_IAM’.

Attempts to manually sign in (without using SSO) succeed.

Related:

Error on mysymantec to download the endpoint application

I need a solution

Hi All,

I have an issue:

– After logging in to mysymantec, I am unable to view my products. Found the issue from the URL address as below:

ErrorCode=5&ErrorDescription=Unable+to+create+user&ErrorDetails=User+cannot+access+this+community

– Has anyone had the same issue and found a solution? I need to download the latest version of Endpoint Protection for the user.

BCAAA agent SSO max thread limit reached

I need a solution

Hello,

Our problem is that we cannot authenticate clients by IP address. We have been using Windows SSO authentication with DCQ and CQ. We were checking the BCAAA agent event log and saw some error and information events. BCAAA agent version is 6.1.4.0 and ProxySG version is SGOS 6.7.4.2.

Information log : SSO max thread limit reached. You may need to increase the MaxSSOThreads parameter in sso.ini ( Event id : 2208 ) 

Error log : Could not send response to remote system: 0x2736 (10038); status=10038:0x2736:An operation was attempted on something that is not a socket. ( Event id : 400 ) 

Can anyone help us? Please.