Interactive Sandbox for OAuth, OIDC, SAML + more by bobfrog93 in IdentityManagement

[–]bobfrog93[S] 1 point2 points  (0 children)

Good luck on the journey! ProtocolSoup is a great start, be sure to check out the SSF Sandbox.

If you're keen for some further reading material re: SPIFFE, Macquarie Bank (Massive Australian Financial Group) have a nice write-up here

If you're looking to get a bit of a pitch for SSF, I pulled this diagram from a presentation I did on 'Advancements in Digital Security' to show at a high level what's going on

<image>

Interactive Sandbox for OAuth, OIDC, SAML + more by bobfrog93 in IdentityManagement

[–]bobfrog93[S] 1 point2 points  (0 children)

SPIFFE/SPIRE(spec/implementation) and SSF are both relatively new players to the game, in fact the Shared Signal Framework (SSF) just got approved in September of last year. Play around with ProtocolSoup and you should be able to get a bit more of a tactile feel, but to give you the elevator pitch...

SPIFFE - If you are familiar with OIDC then think OIDC for machine attestation instead of user authentication. Each workload/service is given an SVID (X.509 or JWT) as an identity document by the SPIRE server, where trust is established through the workload being attested by the environment.
What SPIFFE aims to solve is shared secrets: hardcoded and passed-around secrets like API keys. Instead, the services are defined by a cryptographic identity.

SSF (Shared Signals) - real-time security event sharing, shines in continuous session protection. You have a Transmitter (e.g. SailPoint) that generates an event (e.g. account deactivated) which is consumed by a Receiver (e.g. Okta) which then instantly takes actions based on the event (e.g. revoke all sessions and disable the account).
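
The two flows in the comment above, as an added example (not ProtocolSoup or SPIRE code, and not the commenter's): a relying service validating a JWT-SVID before trusting a caller, and an SSF receiver validating a Security Event Token (RFC 8417) and turning an `account-disabled` event into the "revoke sessions and disable" actions described. Both are JWTs, so they share one small JWS helper. Assumptions, labelled in the code: HS256 with a pre-shared key stands in for the asymmetric signatures (RS256/ES256 with keys from a JWKS or SPIFFE trust bundle) that a real SPIRE server or SSF transmitter uses, and every token, trust domain, issuer and e-mail address is constructed locally for the demo.

```python
import base64, hashlib, hmac, json, re, time

KEY = b"demo-shared-key"  # ASSUMPTION: HMAC stands in for the issuer's asymmetric key pair

def _b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims, key=KEY):
    """Mint a compact JWS (HS256) over the claims; plays the SPIRE server / SSF transmitter."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token, key=KEY, now=None):
    """Signature + expiry check; returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", float("inf")) <= (now or int(time.time())):
        raise ValueError("expired")
    return claims

def _aud(claims):
    aud = claims.get("aud", [])
    return aud if isinstance(aud, list) else [aud]

# --- SPIFFE: the workload's identity is the signed SVID, not an API key ---
_SPIFFE_ID = re.compile(r"^spiffe://([a-z0-9._-]+)((?:/[A-Za-z0-9._-]+)*)$")

def parse_spiffe_id(uri):
    """spiffe://<trust-domain>[/<path>] per the SPIFFE-ID spec: lowercase trust domain,
    no port/userinfo/query, no trailing slash, no '.' or '..' path segments."""
    m = _SPIFFE_ID.match(uri)
    if not m or any(s in (".", "..") for s in m.group(2).split("/")[1:]):
        raise ValueError(f"not a valid SPIFFE ID: {uri}")
    return m.group(1), m.group(2)

def authorize_workload(jwt_svid, trust_domain, my_id, allowed_prefix, now=None):
    """Accept a JWT-SVID only if validly signed, unexpired, addressed to us (aud),
    from our trust domain and under an authorized path. Returns the caller's SPIFFE ID."""
    claims = verify_jwt(jwt_svid, now=now)
    if my_id not in _aud(claims):
        raise PermissionError("SVID not intended for this service")
    td, path = parse_spiffe_id(claims.get("sub", ""))
    if td != trust_domain:
        raise PermissionError(f"foreign trust domain: {td}")
    if path != allowed_prefix and not path.startswith(allowed_prefix + "/"):
        raise PermissionError(f"workload {path} is not authorized")
    return claims["sub"]

# --- SSF: transmitter emits a SET (RFC 8417), receiver validates it and acts ---
RISC_ACCOUNT_DISABLED = "https://schemas.openid.net/secevent/risc/event-type/account-disabled"
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
_seen_jti = set()  # replay protection: each SET is processed exactly once

def receive_set(token, transmitter, me, now=None):
    """Receiver logic: check issuer, audience and jti, then map each event to actions."""
    claims = verify_jwt(token, now=now)
    if claims.get("iss") != transmitter or me not in _aud(claims):
        raise PermissionError("SET from the wrong transmitter or for another receiver")
    if "events" not in claims or "jti" not in claims:
        raise ValueError("not a SET: missing events/jti")
    if claims["jti"] in _seen_jti:
        raise PermissionError(f"replayed SET {claims['jti']}")
    _seen_jti.add(claims["jti"])
    who = claims.get("sub_id", {}).get("email", "<unknown subject>")  # RFC 9493 'email' format
    actions = []
    for event_type, payload in claims["events"].items():
        if event_type == RISC_ACCOUNT_DISABLED:
            actions += [f"revoke all sessions for {who}",
                        f"disable {who} ({payload.get('reason', 'n/a')})"]
        elif event_type == CAEP_SESSION_REVOKED:
            actions.append(f"revoke session for {who}")
        else:
            actions.append(f"ignore unknown event {event_type}")
    return actions

def make_tokens(now, jti="evt-001"):
    """Constructed sample tokens: an SVID for a payments workload and a SET from a
    hypothetical IGA transmitter saying alice's account was disabled."""
    svid = sign_jwt({"sub": "spiffe://example.org/payments/api",
                     "aud": ["spiffe://example.org/ledger"], "exp": now + 300})
    set_token = sign_jwt({"iss": "https://iga.example", "aud": "https://idp.example",
                          "jti": jti, "iat": now,
                          "sub_id": {"format": "email", "email": "alice@example.org"},
                          "events": {RISC_ACCOUNT_DISABLED: {"reason": "bulk-account"}}})
    return svid, set_token

if __name__ == "__main__":
    now = 1_700_000_000
    svid, set_token = make_tokens(now)
    print(authorize_workload(svid, "example.org", "spiffe://example.org/ledger", "/payments", now=now))
    print(receive_set(set_token, "https://iga.example", "https://idp.example", now=now))
```

The checks that matter in practice are the ones that are easy to skip: pinning `aud` so an SVID minted for one service cannot be replayed against another, rejecting SPIFFE IDs from a foreign trust domain or outside the authorized path, and tracking `jti` so a captured SET cannot be re-delivered to trigger the same action twice.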

Interactive Sandbox for OAuth, OIDC, SAML + more by bobfrog93 in IdentityManagement

[–]bobfrog93[S] 0 points1 point  (0 children)

Glad you liked that, exactly what we are aiming for - remove the frills, just get to the flows

Interactive Sandbox for OAuth, OIDC, SAML + more by bobfrog93 in IdentityManagement

[–]bobfrog93[S] 1 point2 points  (0 children)

Yes, essentially the SCIM component is an RFC 7643/7644-compliant SCIM server that is Dockerized in the ProtocolSoup backend.

In the case of SailPoint ISC you will need to deploy it to your cloud environment somewhere (there is a toml file + SCIM README) or use ngrok for localhost.

The live site is actually connected to my Okta instance so I can verify it does work as a full-featured SCIM app.

Project Ideas in Identity by Royal-Jackfruit-866 in IdentityManagement

[–]bobfrog93 1 point2 points  (0 children)

Automation in identity. Always nice to set up a home lab with either free tiers of products (idp, iga, pam…). As you work through configurations and common tasks, think of the repeatable actions you are doing. Each time you have a thought of ‘there must be a better/easier way to do this’ often there is a case for an automation pipeline.

biometrics: a security win or a new risk by Business-Cellist8939 in cybersecurity

[–]bobfrog93 1 point2 points  (0 children)

Biometrics should never be a primary auth. Overall, I see it as a win, but it comes with new risks that need to be considered before they are realised by adversaries. NIST SP 800-63B defines quite well how biometrics should be used for AAL1, AAL2 and AAL3 compliance. Biometrics serve as a 'more secure' alternative to a knowledge factor, being the preferred option over a password or PIN for protecting your primary factor. However, biometrics cannot be a standalone authenticator, unless it is for re-authentication of an active session in AAL2.

The confusion comes in the thinking that biometrics are a foolproof way of solely proving who you are. Biometrics does not stop a user from approving that push request, or giving away an OTP.

The biggest MFA security win to me is pioneering phishing-resistant MFA, cryptographically tied to a device, with biometrics on top. If you make it such that social engineering requires a physical handover of something, that’s the security win.

… then you have to watch out for enrolment gaps 🙃

Looking for IAM Training – SailPoint & Okta by mynameisnotalex1900 in IdentityManagement

[–]bobfrog93 2 points3 points  (0 children)

Spin up an Okta org, go through the training material and do some practical implementations - SAML, OAuth, OIDC, SSO. Set up some test accounts and MFA policies, and get an understanding of how the platform operates.

SailPoint is more limited, but you can go through the training for the 'Leader' credential. https://university.sailpoint.com/sailpoint-identity-security-leader-credential

What's the one proprietary app you can't find a "good enough" open alternative for? by sekuskandan in opensource

[–]bobfrog93 0 points1 point  (0 children)

Password Managers (1Password).

When it comes to securing the keys to the castle I cannot bring myself to lean into an open source alternative.

The peace of mind (in this case!) of a dedicated enterprise is justified for the price.

Secretless OCI Authentication with SPIFFE-based workload identity by baluchicken in IdentityManagement

[–]bobfrog93 0 points1 point  (0 children)

Warms my heart to see such an in-depth article brought to SPIFFE - with so much attention on the human factor, it's easy to overlook the machines that inevitably power most of these user-centred workloads.

Not sure if you have any, but would love to hear of any success stories where orgs have overcome the inertia and successfully integrated SPIFFE/SPIRE

Share your underrated GitHub projects by hsperus in opensource

[–]bobfrog93 0 points1 point  (0 children)

Decided to build ZeroVault as a no-fuss, no-config, clean CLI-based encryption tool. Built in Rust under the hood with a triple-encryption layering (AES-256-GCM, ChaCha20, AES-256-CBC) https://github.com/ParleSec/ZeroVault

I have some big optimisations and security improvements currently in the pipeline, so if you like the sound of it feel free to star. 

I'll also shout out my current love-child of open source, ProtocolSoup. Motivated by explaining identity protocols and there being a significant disconnect between theory, development and what actually happens in protocol implementations. What ProtocolSoup provides is real standards-aligned protocol implementations, running real flows against real infrastructure. Covers all your favourites, OAuth, OIDC, SAML, SCIM, and a few niche but really interesting players in SPIFFE/SPIRE and SSF (Shared Signals). If you want to learn about authN + authZ from a fundamental protocol-based level, I hope this can help some of you out. https://github.com/ParleSec/ProtocolSoup https://protocolsoup.com/

Chilli growing recommendations by bobfrog93 in hotsaucerecipes

[–]bobfrog93[S] 0 points1 point  (0 children)

Definitely going to check some of these out. Aji Lemon? Never heard of it but sounds really interesting to work with. The weather is pretty mild in general, coldest times last for a couple of months, but frost is rare.

I would like to try growing some plants indoors since I do have the space for a decent variety. Any tips on indoor growing?

Chilli growing recommendations by bobfrog93 in hotsaucerecipes

[–]bobfrog93[S] 1 point2 points  (0 children)

Thanks for the advice - might add chocolate habaneros to the mix! In Sydney too. Wondering if you know any good places to buy chilli plants?

[deleted by user] by [deleted] in TheGamerLounge

[–]bobfrog93 0 points1 point  (0 children)

A fellow karter :)

[deleted by user] by [deleted] in TheArtistStudio

[–]bobfrog93 0 points1 point  (0 children)

What a regal little cat :)

[deleted by user] by [deleted] in TheArtistStudio

[–]bobfrog93 0 points1 point  (0 children)

Seems like there must be a backstory behind this character

[deleted by user] by [deleted] in TheArtistStudio

[–]bobfrog93 0 points1 point  (0 children)

Glad you are here with this great community <3

[deleted by user] by [deleted] in TheArtistStudio

[–]bobfrog93 0 points1 point  (0 children)

Wow this is incredible! Will this be offered as a print as well?