Monday Aug 31, 2009

Addicted to Session Attributes in a SAMLv2 Assertion

So you want to copy session attributes and set them to a SAMLv2 assertion? Simply modify the attribute mapping for the identity provider or the remote service provider (you can do it using the OpenSSO console). The default OpenSSO SAMLv2 attribute mapper will find the appropriate attributes in the session and set them in the SAMLv2 assertion.

Now how about Puretone (aka Josh Abrahams featuring Amiel Daemion) and Addicted to Bass?

Monday Aug 24, 2009

Breakaway from the Policy Service with OpenSSO Entitlements

Apropos of Dennis's announcement that the Entitlements Service source code has been moved into the OpenSSO workspace, here's some information about the developing OpenSSO Entitlements Service.

The Entitlements Service is an authorization and policy component developed for inclusion in the soon-to-be-released OpenSSO Express 8. The user interface provides an easy-to-follow process to define rules for controlling access to applications and web resources. You can create fine-grained policies, and referrals (to assign policy creation based on an OpenSSO realm hierarchy), using these work flows.

The Entitlements Service is being developed in tandem with a new beta OpenSSO administration console. The OpenSSO Enterprise Policy Service, used for more coarse-grained policy implementation, is still available using the standard OpenSSO administration console. See The New OpenSSO Console Rip-Off.

From a high level a service used to create and manage access to web resources consists of the following:
  • A policy administration point (PAP) that comprises the interfaces used to create, read, update and delete the policies.
  • A policy evaluation engine or policy decision point (PDP) that, acting as a policy information point (PIP), is used to query permissions and privileges in order to obtain policy decisions. It gets identity attributes and the applicable policies, evaluates them, and returns a policy decision to be used for enforcement.
  • A policy enforcement point (PEP), an agent installed on the same machine as the resource, that protects the resource from unauthorized access.
  • A user data store for storing and obtaining identity data.
  • A policy data store for storing policies and the service's configuration attributes, and obtaining said data. (OpenSSO embeds OpenDS for its configuration data store. This configuration data store is used to store Entitlements Service data.)

Different types of resources can be protected by the Entitlements Service. By selecting a general application and adding a more specific resource with applicable subjects and conditions, a policy can be created to define authorization using the new beta console administration interface. An application (as the term is used in the Entitlements Service) consolidates metadata for generic resource types that share a common set of actions. The format of a resource's definition, supported actions, conditions and subjects, decision combining algorithms (to resolve conflicting policy results) and other data can be defined as a schema for an application. Examples of applications in the Entitlements Service could be calendars, web resources, or user profiles. The following applications are added by default when deploying opensso.war.
  • Web Agent defines actions that can be used to create and manage policies that protect HTTP and HTTPS URLs through the use of a policy agent. This is the most common application use case with the following actions.
    • GET has these operations.
      • Allow: Enables access to the resource defined in the Rule.
      • Deny: Denies access to the resource defined in the Rule.
    • POST has these operations.
      • Allow: Enables access to the resource defined in the Rule.
      • Deny: Denies access to the resource defined in the Rule.
  • Liberty Personal Profile allows administrators to create and manage policies corresponding to actions that can be performed on identity attributes in a personal profile service defined by the Liberty Alliance Project specifications; for example, the OpenSSO implementation of the Liberty Personal Profile Service.
    • MODIFY has these operations.
      • Interact for Value: Invokes the Liberty Alliance Project ID-WSF Interaction Service Specification protocol to retrieve a value from a resource in order to modify it.
      • Interact for Consent: Invokes the Liberty Alliance Project ID-WSF Interaction Service Specification protocol for consent to modify a value on a resource.
      • Allow: Enables access to the resource defined in the Rule in order to modify an attribute value.
      • Deny: Denies access to the resource defined in the Rule; therefore, modification is disallowed.
    • QUERY has these operations.
      • Interact for Value: Invokes the Liberty Alliance Project ID-WSF Interaction Service Specification protocol to retrieve a value from a resource.
      • Interact for Consent: Invokes the Liberty Alliance Project ID-WSF Interaction Service Specification protocol for consent to query a resource.
      • Allow: Enables access to the resource defined in the Rule in order to query the resource.
      • Deny: Denies access to the resource defined in the Rule; therefore, the query is disallowed.
  • Discovery Service allows administrators to create and manage policies corresponding to actions that can dynamically determine a web services provider (WSP) registered for a particular principal.
    • LOOKUP: Allow or Deny access to search the discovery service.
    • UPDATE: Allow or Deny access to modify data in the discovery service.
A resource is an object on which you can perform an operation or an action. The policy is specifically configured to protect this object. A resource is a string; it could be a URL, a web service, a bank account, or graphical user interface controls (buttons, text fields and the like). Examples could be MyCalendar or other portal type services (located with URLs), a bank account, or a Submit button on a text form.
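As an added illustration (not OpenSSO's own code), the following Java model shows how the PAP/PDP/PEP pieces described above fit together for the Web Agent application: a small policy list standing in for the policy data store, a PDP that evaluates the GET and POST allow/deny values with a deny-overrides combining algorithm, and a PEP that treats "no applicable policy" as deny. The class name, resource URLs, group names and policies are constructed for the example.

```java
import java.util.*;
import java.util.regex.Pattern;

public class WebAgentPdp {
    // One "Web Agent" policy: resource string ('*' wildcards), subjects, allow/deny per action
    static class Policy {
        final String resource; final Set<String> subjects; final Map<String, Boolean> actions;
        Policy(String r, Set<String> s, Map<String, Boolean> a) { resource = r; subjects = s; actions = a; }
    }

    // '*' in a resource definition matches any run of characters
    static boolean matches(String pattern, String resource) {
        StringBuilder re = new StringBuilder();
        for (String part : pattern.split("\\*", -1)) re.append(Pattern.quote(part)).append(".*");
        re.setLength(re.length() - 2);
        return resource.matches(re.toString());
    }

    // PDP: "allow", "deny", or "none" when no policy applies. Decision combining is
    // deny-overrides: a single applicable deny wins over any number of allows.
    static String decide(List<Policy> policies, String resource, String action, Set<String> subjects) {
        String result = "none";
        for (Policy p : policies) {
            if (!matches(p.resource, resource) || Collections.disjoint(p.subjects, subjects)) continue;
            Boolean allowed = p.actions.get(action);
            if (allowed == null) continue;          // policy is silent on this action
            if (!allowed) return "deny";
            result = "allow";
        }
        return result;
    }

    // PEP: only an explicit allow opens the resource; "none" is enforced as deny
    static boolean enforce(List<Policy> policies, String resource, String action, Set<String> subjects) {
        return "allow".equals(decide(policies, resource, action, subjects));
    }
    public static void main(String[] args) {
        Map<String, Boolean> allowAll = new HashMap<String, Boolean>();
        allowAll.put("GET", Boolean.TRUE); allowAll.put("POST", Boolean.TRUE);
        List<Policy> policies = Arrays.asList(
            new Policy("http://intranet.example.com:80/*", Collections.singleton("group:staff"), allowAll),
            new Policy("http://intranet.example.com:80/hr/*", Collections.singleton("group:contractor"),
                       Collections.singletonMap("POST", Boolean.FALSE)));
        Set<String> bob = new HashSet<String>(Arrays.asList("user:bob", "group:staff", "group:contractor"));
        System.out.println(enforce(policies, "http://intranet.example.com:80/news", "GET", bob));     // staff allow
        System.out.println(enforce(policies, "http://intranet.example.com:80/hr/form", "POST", bob)); // contractor deny wins
        System.out.println(enforce(policies, "http://other.example.com:80/x", "GET", bob));            // no policy: denied
    }
}
```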

More information on the Entitlements Service will be forthcoming; these definitions should help you get started, in a small way, by following the inline help developed for the Entitlements Service GUI. But first - enjoy Tracey Ullman singing Breakaway into her hairbrush.

Thursday Aug 20, 2009

St. Charles' JSP to Print Session Token Properties

Charles, a Sun QA engineer, recently posted a JSP to the OpenSSO mailing list that allows you to print out the properties (UserID, Principal, Client Address, and the like) populated in an SSOToken. I'm reposting the code here so it doesn't get lost in the maelstrom.

<%--
   Copyright (c) 2007 Sun Microsystems, Inc. All rights reserved
   Use is subject to license terms.
--%>

<%@page import="com.iplanet.sso.*" %>

<%!
   // HTML-escape a value before writing it into the page, so that a reflected
   // request parameter or a session property value cannot inject markup
   // into the response.
   private static String esc(String s) {
       if (s == null) {
           return "";
       }
       return s.replace("&", "&amp;").replace("<", "&lt;")
               .replace(">", "&gt;").replace("\"", "&quot;");
   }
%>

<html>
<head>
   <title>Show Session Property</title>
</head>
<body>

<%
   // Build the SSOToken from the session cookie carried by this request;
   // createSSOToken throws SSOException if the session is missing or invalid.
   SSOToken ssoToken = SSOTokenManager.getInstance().createSSOToken(request);
   String propertyName = request.getParameter("propertyName");
   if (propertyName == null) {
       propertyName = "";   // first visit: no property requested yet
   }
   String value = "";
   if (propertyName.length() > 0) {
       value = ssoToken.getProperty(propertyName);
   }
%>

<h1>Session Property</h1>

<form action="show-session-property.jsp" method="POST">
   Property Name <input name="propertyName" value="<%= esc(propertyName) %>" size="40"/>
   <p/>
   <input name="submit" type="submit" value="GetValue" />
</form>
<br/>
<%= esc(propertyName) %>: <%= esc(value) %><br/>
Principal: <%= esc(ssoToken.getProperty("Principal")) %><br/>
Principals: <%= esc(ssoToken.getProperty("Principals")) %><br/>
UserToken: <%= esc(ssoToken.getProperty("UserToken")) %><br/>
UserId: <%= esc(ssoToken.getProperty("UserId")) %><br/>
sun.am.UniversalIdentifier: <%= esc(ssoToken.getProperty("sun.am.UniversalIdentifier")) %><br/>
Organization: <%= esc(ssoToken.getProperty("Organization")) %><br/>
IndexType: <%= esc(ssoToken.getProperty("IndexType")) %><br/>
Service: <%= esc(ssoToken.getProperty("Service")) %><br/>
AuthType: <%= esc(ssoToken.getProperty("AuthType")) %><br/>
AuthLevel: <%= esc(ssoToken.getProperty("AuthLevel")) %><br/>
authInstant: <%= esc(ssoToken.getProperty("authInstant")) %><br/>
moduleAuthTime: <%= esc(ssoToken.getProperty("moduleAuthTime")) %><br/>
amlbcookie: <%= esc(ssoToken.getProperty("amlbcookie")) %><br/>
Host: <%= esc(ssoToken.getProperty("Host")) %><br/>
CharSet: <%= esc(ssoToken.getProperty("CharSet")) %><br/>
Locale: <%= esc(ssoToken.getProperty("Locale")) %><br/>
</body>
</html>

In honor of CMW, here's Jefferson Starship and the promotional film (cough, video) for their 1976 single, St. Charles. Although it's a great song, at 6 minutes and 40 seconds, I can see why it peaked at number 64. (Don't ask how I remember these things.)


Friday Aug 14, 2009

The New OpenSSO Console Rip-Off

OK, it's not technically a rip-off but that's all I could come up with in the time allotted.

The team of OpenSSO engineers has been working on a new administration console. The plan is to release a beta version of the new console with OpenSSO Express Build 8. Although the trees that contribute to the nightly build and the Express 8 build have not yet been consolidated, portions of the new beta console are available for your perusal in the nightly build. Things will undoubtedly change before the actual release; the following information is so you can take a look at the direction we are going.

This new OpenSSO administration console is in beta and should only be used for test environments. Continue to use the standard OpenSSO administration console for real-time deployments.

After deploying opensso.war to a web container, log in to OpenSSO as the administrator and enter protocol://machine.domain:port/deploy-uri/admin in the Location Bar of a browser to display the new console interface.

The Entitlements, Federation and Web Service Security tabs comprise the bulk of features currently in this new console. Accommodations have been made for these features by providing inline help displayed on the console screen. Additional documentation will be available after the beta release.

Working With the Entitlements Service

The Entitlements tab contains the new work flows for ease-of-use when creating new, and managing existing, policies for the new Entitlements Service. These features are only available in the beta administration console. You must choose the framework with which you will be creating policies for your resources. The options are the Policy Service using the standard administration console and the Entitlements Service using the beta administration console. Once the choice is made (by creating and saving a policy using one or the other), only that service (Entitlements or Policy) will be enabled. Migration of policies from previous versions of OpenSSO is not supported.

Using the Federation Work Flows

The Federation tab contains the new work flows for ease-of-use when creating and registering entity providers for the Federation Service using the SAMLv2 protocol. These work flows are available in either the standard or beta administration console. If you create SAMLv2 entity providers using the work flows in the beta administration console, you manage the configurations using the standard administration console.

Using the Web Services Security Work Flows

The Web Service Security tab contains the new work flows for ease-of-use in creating profiles to work with the Web Service Security framework. These work flows are available only in the beta administration console, although profiles can also be created by manually configuring attributes using the standard administration console. You can create profiles in the beta console and manage them in the standard console.

Displaying Realms

The intent with the beta administration console is to hide realms. If no realms are configured using the standard console, the interface to switch realms will not be visible in the beta console, nor will anything about referrals. If you create a realm using the standard console, the realm and referral menu items become visible.

Now enjoy the great, soulful Laura Lee and her 1972 hit, Rip-Off.


Monday Aug 10, 2009

Store & Retrieve Authentication Info with OpenSSO, She & Him

Here are some words on storing authentication information in an OpenSSO session and retrieving it. It assumes that the authentication module extends AMLoginModule and the information is to be shared with a post authentication plug-in.

If the size of the information is small, you can store it in the SSOToken. If the information is security sensitive and not to be readable by the Client SDK, you could encrypt it before setting it in the SSOToken. (Prefixing the property name with am.protected. defines it as NOT readable by the Client SDK.)

After you put the required information from the authentication module into the module principal class, implement the com.sun.identity.authentication.service.AuthenticationPrincipalDataRetriever interface. It has the following method to get the module principal from authSubject, retrieve the required data, and return that data as a Map (key/value pairs).
    /**
     * Returns the attribute map from the required Authentication module
     * Principal, to be set in the SSOToken.    
     *
     * @param authSubject Authenticated user Subject.
     * @return the Attribute Map.
     */
    Map getAttrMapForAuthenticationModule(Subject authSubject);
The Authentication Service will store this Map in the authenticated SSOToken. A post authentication plug-in can retrieve this data from the SSOToken later. You will need to set your implementation class as a value of the com.sun.identity.authentication.principalDataRetriever property in the OpenSSO configuration data store.
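Here is an added example (not OpenSSO's own code) of an AuthenticationPrincipalDataRetriever implementation, together with the server-side read of a protected property that a post authentication plug-in would perform. MyModulePrincipal, its getters and the two property names are assumed for the example; the interface, the configuration property and the am.protected. prefix are as described above.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.service.AuthenticationPrincipalDataRetriever;

// Register this class as the value of
// com.sun.identity.authentication.principalDataRetriever in the configuration
// data store. MyModulePrincipal (below) is an assumed class, not an OpenSSO one.
public class MyPrincipalDataRetriever implements AuthenticationPrincipalDataRetriever {

    static final String DEPT_PROP = "myModule.department";      // readable by the Client SDK
    // am.protected. prefix: stored in the session but NOT readable by the Client SDK
    static final String TICKET_PROP = "am.protected.myModule.ticket";

    public Map getAttrMapForAuthenticationModule(Subject authSubject) {
        Map attrs = new HashMap();
        if (authSubject == null) {
            return attrs;
        }
        for (Principal p : authSubject.getPrincipals()) {
            if (p instanceof MyModulePrincipal) {
                MyModulePrincipal mp = (MyModulePrincipal) p;
                attrs.put(DEPT_PROP, mp.getDepartment());
                attrs.put(TICKET_PROP, mp.getTicket());
                break;   // one module principal carries everything we need
            }
        }
        return attrs;    // the Authentication Service copies these into the SSOToken
    }

    // Server-side retrieval, e.g. from a post authentication plug-in's
    // onLoginSuccess(): the protected property is visible here, not via the Client SDK.
    public static String ticketFromSession(SSOToken token) throws SSOException {
        return token.getProperty(TICKET_PROP);
    }
}

// Assumed principal that the login module (extending AMLoginModule) put into the Subject
class MyModulePrincipal implements Principal {
    private final String name, department, ticket;
    MyModulePrincipal(String name, String department, String ticket) {
        this.name = name; this.department = department; this.ticket = ticket;
    }
    public String getName() { return name; }
    String getDepartment() { return department; }
    String getTicket() { return ticket; }
}
```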

Now here is Zooey Deschanel and M. Ward, plugged in as She & Him. Why Do You Let Me Stay Here? is from their album, Volume 1. I love M (especially his album Transistor Radio), love Zooey (especially as an actress in the SyFy take on Oz called Tin Man) and also Zooey's sis, Emily (especially as the femme lead on Bones). The video is quirky and endearing and bloody.

Monday Aug 03, 2009

Don't Stop Believin' in the OpenSSO Public Javadoc

I was contacted by an OpenSSO engineer last week who wanted to know where she could get the latest Java API Reference documentation - that's the real name for the untrademarked Javadoc. I was surprised at the request because I thought anyone who was anyone in the community knows that the Java API Reference is available in the nightly build (and has been for a while). So, for others who might not know, here is how to open and display the public Java API Reference from opensso.zip.

  1. Download opensso.zip.
  2. Decompress opensso.zip.
    The files are unzipped into the opensso directory.
  3. Change into the /opensso/docs directory.
  4. Decompress opensso-public-javadocs.jar.
    jar xvf opensso-public-javadocs.jar
  5. From a local browser, choose File -> Open File.
  6. Navigate to the docs folder from within the Open File window.
  7. Select index.html to open in the browser window.
    index.html is the public home page for the Java API Reference.
Because of the ease with which you can now access them, the Java API Reference will no longer be published as part of the documentation set for releases of OpenSSO. So remember this procedure!

How many thought I might be linking to Journey's Don't Stop Believing? I could've even used the version from Glee. Well, I'm not that predictable. (Note the spelling of believin'.) Here is Olivia Newton-John singing the tune that kept my spirits up as I failed two tests for my driver's license in 1975 and waited to take the third. I listened to this for days before that final test. I didn't stop believin', passed the third test and have been driving offensively ever since.