Identity Management? I'll Get My Coat...
Debugging Identity Connectors with Sun IDM and Netbeans
Thought it was about time I finally checked out the new open source Identity Connectors that are to replace the Resource Adapters within Sun Identity Manager. Looking at Sun IdM 8.1 Patch 5 you can see that as more Identity Connectors reach ready state they are being shipped with subsequent IdM releases. Here's a peek at what Connectors ship with 8.1 Patch 5.

Expect this list of Connectors to grow in the future. For those of you wondering whether you need to manually reconfigure your system to use the new Connectors, do not fear: there's a migration facility to migrate your existing Resource Adapters to Connectors. Here's the project page that shows you which Connectors are shipped with which Sun IdM release.
An important gotcha is that the Connector bundles are not present in /WEB-INF/lib like other third-party jars. As the project page states, "IDM searches for local Identity Connector bundle files with .jar suffix in the WEB-INF/bundles directory within your web app. First, make sure that this folder is present in your IDM deployment. If it doesn't exist, create it". So make sure you're looking in WEB-INF/bundles!
My end goal here was to configure a test system for debugging, so I could learn about the code execution flow by using Netbeans (or your fav IDE) to trace the Identity Connector code. I've got Netbeans 6.5.1 installed locally and used the Versioning/SVN feature to check out the source code from identityconnectors.dev.java.net.
For my testing I want the Database Table Connector, so you can either check out the whole head of the trunk or select the individual bundle that you're interested in. For me this involved grabbing the databasetable and dbcommon folders from SVN.

Once I had the source checked out locally I quickly unpacked Tomcat6 and deployed IDM 8.1.0.5 inside of Tomcat by copying the idm.war to /apache-tomcat/webapps folder.
The next thing is to enable the JPDA debugger, i.e. the Java Platform Debugger Architecture (JPDA). This is pretty easy: with Tomcat, I created a new script within ./bin to help me with this. Here's the script:
more ./startupdebug.sh
export JPDA_ADDRESS=8000
export JPDA_TRANSPORT=dt_socket
./catalina.sh jpda start
I created a Netbeans Java Application Project and included the DatabaseTableConnector source that I had previously checked out from the Identity Connectors SVN repository as source folders. Now from within Netbeans I can attach to the Tomcat instance that is JPDA enabled on port 8000. Select "Attach Debugger" from the Debug menu of Netbeans...

On the following screen validate your port and host name....

From within Netbeans you should now be able to see the Debugger Console with the following output:
"Attaching to greasemonkey.home:8000
User program running"
Now you can set breakpoints and trace your Identity Connector 
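A check for the debug listener that the script above opens, as an added example that is not part of the original post: JDWP has no authentication, so anyone who can reach the port controls the JVM, and a bare port such as 8000 binds every interface on Java releases before 9. The function names and the sample command lines are constructed for illustration.

```python
import re
import shlex

# Both spellings of the JDWP agent option accepted by HotSpot JVMs.
JDWP_ARG = re.compile(r"^(?:-agentlib:jdwp=|-Xrunjdwp:)(?P<opts>.+)$")
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def parse_jdwp(cmdline):
    """Return the key/value options of the JDWP agent argument, or None."""
    for arg in shlex.split(cmdline):
        match = JDWP_ARG.match(arg)
        if match:
            pairs = (kv.split("=", 1) for kv in match["opts"].split(",") if "=" in kv)
            return dict(pairs)
    return None


def audit_jdwp(cmdline, java_major):
    """Classify a JVM command line: no-jdwp, not-listening, loopback or exposed."""
    opts = parse_jdwp(cmdline)
    if opts is None:
        return "no-jdwp"
    if opts.get("transport") != "dt_socket" or opts.get("server") != "y":
        return "not-listening"  # shared memory, or the JVM dials out to the IDE
    host, _, _port = opts.get("address", "").rpartition(":")
    if host == "":
        # Bare port: all interfaces before Java 9, loopback only from 9 on.
        return "exposed" if java_major < 9 else "loopback"
    return "loopback" if host in LOOPBACK_HOSTS else "exposed"


# Constructed command lines; the first mirrors JPDA_ADDRESS=8000 / dt_socket.
SAMPLES = [
    ("java -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n Bootstrap", 6),
    ("java -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y Bootstrap", 6),
    ("java -agentlib:jdwp=transport=dt_socket,address=*:8000,server=y Bootstrap", 11),
    ("java -Dcatalina.home=/opt/tomcat Bootstrap", 6),
]

if __name__ == "__main__":
    for cmd, major in SAMPLES:
        print(f"{audit_jdwp(cmd, major):13} java{major}  {cmd}")
```

Setting JPDA_ADDRESS to localhost:8000 keeps the listener on the loopback interface when the IDE runs on the same machine as Tomcat.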

Generating Unique ASCII AccountIds
In many situations on my travels, customers have asked me to show how we can generate UID attribute values that are ASCII only. Take, for example, the name TODORIć SNJEžANA, or the French name Françoise, where we want to replace the ç with an ASCII c, since using extended characters in user names can actually break many systems that expect ASCII only. For this reason I'm sharing some code that I've reused many, many times during proofs of concept with Sun Identity Manager.
First of all we're assuming you're in an ActiveSync scenario here, so we've got a <Field> element on an ActiveSync form. Let's see how we'll call this Rule to generate a unique Identity Manager accountId using ASCII characters only.
<Field name='waveset.accountId'>
  <Expansion>
    <rule name='Custom - Generate IDM Account Id'>
      <argument name='p_firstname' value='$(activeSync.firstname)'/>
      <argument name='p_lastname' value='$(activeSync.lastname)'/>
    </rule>
  </Expansion>
</Field>
The Rule "Custom - Generate IDM Account Id" iterates over the input strings and checks each character, replacing it with a specified ASCII alternative.
In the Rule called "Custom - Test String" there's a list of the source characters to replace:
<set name='sourceList'>
  <List>
    <String>Ć</String>
    <String>Š</String>
    <String>Č</String>
    <String>Ž</String>
    <String>Đ</String>
    <String>è</String>
  </List>
</set>
In the Rule called "Custom - Swap Char" there's the actual case statement that does the swap between the original non-ASCII char and the specified ASCII alternative.
<case>
  <s>Š</s>
  <s>S</s>
</case>
<case>
  <s>Ć</s>
  <s>C</s>
</case>
<case>
  <s>Ž</s>
  <s>Z</s>
</case>
<case>
  <s>Đ</s>
  <s>DJ</s>
</case>
Finally, the Rule "Custom - Generate IDM Account Id" ensures the generated candidate accountId is unique by querying the IdM repo and using a numeric suffix to ensure uniqueness.
You can download my original XML Rules here
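The logic of the three rules described in this post, restated in Python as an added example (it is not the author's XPRESS rules): character swap, candidate generation, then a numeric suffix until the ID is free. It goes beyond the post by falling back to Unicode decomposition for characters without an explicit swap; the ID format (first initial plus last name), the lowercase đ entry and the `exists` callback standing in for the repository query are assumptions.

```python
import unicodedata

# Swaps taken from the "Custom - Swap Char" cases in the post; the lowercase
# "đ" entry is an assumption added here. Đ/đ have no Unicode decomposition,
# so they need an explicit entry.
SWAP = {"Š": "S", "Ć": "C", "Ž": "Z", "Đ": "DJ", "đ": "dj"}


def to_ascii(text):
    """Swap each character for an ASCII alternative; drop what has none."""
    out = []
    for ch in text:
        if ch in SWAP:
            out.append(SWAP[ch])
            continue
        # Generalisation beyond the post: split accents off the base letter.
        decomposed = unicodedata.normalize("NFKD", ch)
        out.append("".join(c for c in decomposed if ord(c) < 128))
    return "".join(out)


def candidate_id(firstname, lastname):
    """Assumed format (not from the post): first initial + last name, lowercase."""
    raw = to_ascii(firstname)[:1] + to_ascii(lastname)
    return "".join(c for c in raw.lower() if c.isalnum())


def unique_account_id(firstname, lastname, exists, max_suffix=999):
    """exists(id) stands in for the repository lookup the rule performs."""
    base = candidate_id(firstname, lastname)
    if not base:
        raise ValueError("name has no ASCII-representable characters")
    if not exists(base):
        return base
    for n in range(1, max_suffix + 1):
        if not exists(f"{base}{n}"):
            return f"{base}{n}"
    raise RuntimeError("no free accountId for " + base)


if __name__ == "__main__":
    taken = {"stodoric"}  # constructed repository contents
    for first, last in [("SNJEžANA", "TODORIć"), ("Françoise", "Đorđević")]:
        new_id = unique_account_id(first, last, taken.__contains__)
        taken.add(new_id)
        print(first, last, "->", new_id)
```

Distinct names can collapse to the same ASCII form, which is why the suffix step matters; the lookup and the create are separate steps, so the target store should still enforce uniqueness itself.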
Oracle & Sun IdM Stack, One Perspective from KuppingerCole
Hello Everyone, well... what interesting times we come to, our number one competitor in the Identity Management space has stepped up and has announced plans to acquire us, sure you've all seen the news... assuming everything goes through as planned, what would any future Identity Management stack look like? Oracle have a very comprehensive and broad line of products from many recent acquisitions, Sun's stack is nowhere near as wide but does the river run more deeply with the Sun products? We'd like to think so but obviously and most importantly need to share these thoughts with our prospective new employers and hear their opinion. This was an acquisition of Sun after all and not a merger.
Another interesting point is in the interim period prior to the acquisition being formalised (where Sun are still an independent) and I'm looking at my presales proof-of-concept (PoC) run list for the coming weeks and months and seeing a whole bunch of PoCs where we (Sun) are up against Oracle as our primary competitor, makes for interesting times !
Personally I'm looking forward to sharing with our new colleagues our roadmap plans, some confidential, some openly broadcast on the open source forums of dev.java.net (think OpenSSO) and seeing how Oracle perceive these plans. If business as usual is anything (think back to the Siebel and PSFT acquisitions etc.) to go by at Oracle regarding acquisitions, then it's likely that no customer will be left behind; this shows Oracle's integrity to customer commitment and is reassuring news for both Oracle and Sun Identity Mgmt customers who've invested in IdM software tech.
Here's one perspective from KuppingerCole on what the shakedown could look like:
http://www.kuppingercole.com/articles/fg_mk_oracle_sun220409
Sun IdM & Virtual Desktop Infrastructure Demonstrator
So I finally got around to encoding and uploading this video that shows in about 10 minutes how the Sun Identity Management suite can complement the Sun VDI product. The products used in this demo included the following (in no particular order)
Our goal (Joachim Andres and I) was to show how Sun are uniquely placed to provide the whole stack from the operating system, smartcards, SunRay thin client device, through to the desktop delivery mechanism including the actual virtualised image and to top it all off a splash of Identity Management (IdM) in the form of Single Sign On and Provisioning services.
The benefits of the Sun Virtual Desktop solution are so many it's hard to actually express it clearly I keep fumbling
I truly believe that this market is huge and one hopes that Sun and their partners can make significant progress helping our customers implement desktop virtualization. I'm not going to list all the benefits of Sun VDI and the supporting software stack above, I'll let the VDI product manager explain in person here
Remember, your desktop is not your PC or Mac, it's where you get your work done ! The desktop can be delivered independent of the actual physical device you're using, that's the whole point, use the internet to get your work done wherever you may be and whatever device you may be using.
Hope you find the demo useful, it actually includes several use-cases that I had to deliver to a Telco in the UK on a proof of concept, so these are real customer driven use-cases. Here's the demo link
How can Sun Identity complement Sun's Desktop Virtualization solution?