Posted Friday, December 11, 2015 by RICHARD HARRIS, Executive Editor
READ MORE: https://www.inversoft.com/products/user-management...
We recently visited with Inversoft CEO Brian Pontarelli to talk about his company’s new Passport single sign-on (SSO) user management solution, which goes beyond standard single sign-on to support messaging in the user’s localized language, built-in analytics, and the ability to discipline or reward users (e.g. mute, ban, suspend, reward) based on activity.
Brian is the founder and CEO of Inversoft, a Colorado-based software company. In addition to Inversoft, Brian works on many open source projects including Struts, Savant and Java.net commons. He has more than 14 years of experience in the software industry, including work with a range of companies such as BEA, US Freightways, Orbitz, Texturemedia, and XOR. Brian has published various articles in both print and online magazines about Java, J2EE security, JavaServer Faces, and NIO.
ADM: Supporting Red Hat, Debian, Mac OS, and Windows, is there a particular platform you recommend to install Passport on?
Pontarelli: Any variant of Linux is the best way to run Passport. We provide RPM and DEB packages that make installation and upgrades simple. We also have an AWS image based on Debian that can be used to get Passport up and running in minutes. We support Windows and Macs as well.
ADM: Can you talk about any plugins currently available, or that are coming down the pipe?
Pontarelli: Right now Passport only has one plugin point. You can write your own password encryption scheme and drop it in as a plugin. We added this plugin point so that when users are imported from other systems, they won’t have to reset their password. Instead, you simply write a password encryptor that matches the current one you are using and Passport will use that for the imported users.
This feature also means that two users can have different password encryption schemes because they were imported from different systems. This adds additional security, but also makes importing users much simpler for the company and less painful for the users.
We are planning on adding more plugin points in upcoming releases. As we hear feedback from customers, we will be adding new plugin points that will help them successfully manage their users with Passport.
ADM: Do you have any use case examples you can share?
Pontarelli: Our main use case right now is our own website. We converted www.inversoft.com from a custom user database to use Passport. The development and migration of the user data only took a few days to complete. We’ve hooked it up to a few additional backend applications as well using the OAuth single sign-on feature.
All the emails you receive from Inversoft also come from Passport. For example, we have a styled “Forgot Password” email template that Passport uses in case you need to reset your password.
ADM: Can you talk a little bit about the security layers behind the SSO solution, particularly as it relates to some of the changes in iOS9 and Android Marshmallow?
Pontarelli: OAuth relies pretty heavily on the fact that everything is done over HTTPS. In iOS 9 and other platforms, providers are dropping support for traditional SSL in favor of TLS. This inherently means that Passport will use TLS as well.
Beyond the requirement for HTTPS, the security features of Passport reside outside of the operating system. For example, we added two-factor authentication and flexible password encryption. These work regardless of the platform Passport is deployed to or the platform the user is logging in with.
ADM: Knowing that Passport supports OAuth, is there a “gotcha” that developers will need to be aware of when selecting an endpoint?
Pontarelli: I don’t think there are many “gotchas” when selecting the endpoint to call. It just takes time to understand the OAuth specification and implement everything correctly. Once you know how it all works, it goes pretty fast.
The only thing to consider is whether or not to embed a mini browser window in a mobile app to do the OAuth authentication workflow or just hit an API directly. Both work well, but each has its drawbacks. The web browser method works well with session cookies and session timeouts. The API method might require the app to ship with a global or shared API key.
Luckily, Passport handles both methods and can secure them both nicely to prevent packet sniffing and other attacks.
ADM: What did you see lacking in the industry that made you want to build a solution like Passport?
Pontarelli: I’ve always felt like the industry was stuck using old school technology that takes far too long to implement. And forget about unifying user accounts from multiple legacy databases; that can take forever to get right. I just didn’t understand why it wasn’t simpler and faster to set up and integrate with a user management system.
I kept asking myself, why does it take months and months to get everything working right? And, why do developers have to wade through massive SAML responses and read through horrible messes of LDAP data?
Then I thought, what if there was a simple API that used more modern technologies like REST and JSON? What if that API made it simple to register, login and authorize users? What if it also had features like discipline and rewarding? What if this system also provided reports companies actually need? What if the system was built from the ground up to be a global solution that would allow communication with users in their preferred language? What if this solution also worked with a user moderation tool like CleanSpeak?
These are the reasons we built Passport.
ADM: Why would you build Passport as a single-tenant solution instead of a multi-tenant solution?
Pontarelli: Security, plain and simple. I personally wouldn’t want all my users’ data stored in the same database on the same server as 100 other companies. What happens if that server gets hacked? Not only are all my user accounts compromised, but so are everyone else’s.
There is a rule in lawsuits that says, always go for whoever has the most money. Doesn’t the same rule apply for hackers? Always go for the servers with the most data?
ADM: Why doesn’t Passport use LDAP or Active Directory behind the scenes?
Pontarelli: LDAP and Active Directory have been around for a long time. They work fairly well when setting up logins for computers or servers, but they fall down quickly for web applications, games and mobile apps.
A humorous part of LDAP is that the name stands for Lightweight Directory Access Protocol. However, when you actually go to implement one of these technologies, it can quickly become overly complex and implementation costs often skyrocket.
We decided that simplicity was the better policy. For example, rather than using policies, domains, units and groups, we added simple role-based authorization.
You can think of the difference between LDAP and Passport similar to the difference between a dial-up BBS and Yahoo.com. Dial-up BBSes were great in the 80s, but the industry has moved forward and so has the technology.
ADM: What are the new features of Passport that separate it from the competition?
Pontarelli: The top features that really separate Passport are:
- The ability to discipline and reward users
- Real-time user searches, even with millions of users
- Integration with CleanSpeak allowing for username filtering and user moderation
- A complete email templating system
- Localization of emails, disciplines, and other content that might be sent to the user
- Two-factor authentication
ADM: How does Passport make developers' lives easier?
Pontarelli: I’ve probably written registration and login features for web applications 30 times in my career. They all required me to set up some database tables, write all the code to pull and store that data and write all the code to handle authentication and authorization. I’ve also used a bunch of different open source frameworks that saved me time after I spent weeks learning how to use them.
All of this work and learning takes time, and that doesn’t even get an application to the point where it can discipline users, send them emails in their preferred language, or show me real-time login reports as well as daily and monthly active user reports. All of this takes a long time to implement, test, performance tune and get working.
Passport short-circuits development time and provides you all of these features in days not months. You can install Passport in AWS in minutes and call an API to start registering users.
ADM: Is Passport just another single sign-on tool?
Pontarelli: No. Passport is a complete user management system. It provides everything from registration and login, to emailing, reporting and moderation. Unlike other single sign-on systems, Passport isn’t trying to stitch together other backends; it becomes the single backend for all user data and management.
ADM: What about managing users outside of the US and other English speaking countries?
Pontarelli: Passport stores a list of locales for each user. These are the user’s preferred languages. Passport can then send the user localized emails in one of their preferred languages. We are adding more localization features in upcoming releases, so stay tuned.
ADM: Isn’t adding SSO and unified user management expensive and time consuming?
Pontarelli: We’ve heard horror stories of customers spending 9, 12, 18 or more months implementing other SSO solutions. These technologies are often so complex that they require teams of consultants and engineers to implement them across an entire enterprise.
Passport aims to fix this problem. We worked hard to try and minimize the time it takes to install Passport. Rather than complicated 87-step installs, Passport only takes a handful of steps to get up and running.
Once Passport is installed, you can immediately start calling the API. Our Java client library makes calling the API from a Java application simple. We will be building client libraries for other languages in the coming months as well.
We understand that some companies have many existing systems and therefore it will still take time to implement SSO across them all. But, if they can do it in a few months with no consultants, that can be a huge savings and really impact the bottom line.
ADM: How does Passport help companies track user acquisition and engagement?
Pontarelli: Passport tracks every time a user registers for an application and logs into the application. It aggregates these numbers to produce a set of reports that allow companies to see how quickly their applications are taking off. They can also see when their peak usage times are. We are exploring adding geocode reports so companies can see where their users are as well.