Superpatterns

Pat Patterson on Identity Management, Federation and Single Malt Scotch
OpenSSO Build 4.5

It's been a while since Build 4 of OpenSSO, as we work towards an early access (EA) build of Sun Federated Access Manager 8.0, OpenSSO's commercial 'twin'. Our plan designates OpenSSO Build 5 as the FAM 8.0 EA, but we still have some minor issues to iron out before we're ready for EA, hence this interim release: OpenSSO 1.0 Build 4.5.

Here are some of the new features in Build 4.5, compared to Build 4:

  • The Fedlet - quick and easy federation for SPs, for when you'd rather (slightly) modify your web app than deploy more infrastructure - much more on the Fedlet in the Sun blogosphere.
  • Federation Validator - test harness for checking single sign-on between a SAML 2.0 Identity Provider and Service Provider.
  • SiteMinder Integration - support for co-existence of OpenSSO and SiteMinder.

Many more enhancements are listed at the bottom of the Build 4.5 release notes. Watch the OpenSSO blogosphere for more details on these new features.

The more I work on OpenSSO, the more I appreciate the nuances of open source development. The fact that we released this 'interim' stable build between Builds 4 and 5 is one example of this - the demand for Build 4.5 came from the OpenSSO community, which is now MUCH larger than the FAM team within Sun.

@ 04:02 AM PDT Comments [0]
 
 
 
OpenSSO Javapolis Video Online at Parleys.com

A few days ago, the good people at JavaPolis (which now seems to be called Javoxx) posted the video for my OpenSSO session from JavaPolis 07 at Parleys.com. Go take a look and see how it compares with the SAML 2.0 session they posted back in February.

@ 07:28 AM PDT Comments [0]
 
Slides from Jazoon 08

The slides for my OpenSSO presentation at Jazoon 08 (last week) are now online - just click on the link from the session page at the Jazoon 08 site. If you attended my session, you can give it a rating (out of 5 stars) at that page. You can also see my photos from Jazoon 08 in a Flickr set.

@ 06:42 AM PDT Comments [0]
 
 
 
links for 2008-07-01
@ 07:34 AM PDT Comments [1]
 
 
 
OpenSSO Community Passes 700 Members

Over the past few days, the number of participants registered at opensso.dev.java.net passed the 700 mark. It was almost exactly a year ago that we passed 400, so we're currently adding new members at the rate of nearly one a day!

Just to clarify, you can download the OpenSSO binaries and check out the source code without any kind of sign-up whatsoever. You only need to register to file issues, subscribe to the mailing lists and start submitting patches.

It's not always obvious how the java.net account and OpenSSO membership are related, so here's a quick 3-step guide to getting onto the OpenSSO mailing lists:

1. Register for a java.net account.
2. Request 'Observer' role on OpenSSO.
3. Subscribe to 'users@opensso.dev.java.net' and/or 'dev@opensso.dev.java.net'.

Both of these mailing lists are moderated - subscribers' emails go straight to the list, but emails from non-subscribers go into a moderation queue. If you are posting to the OpenSSO lists and wondering why your email hasn't appeared yet, ensure you are using the email account you registered in step 1!

There are many other ways to participate in the OpenSSO community - here's a round-up:

OpenSSO Wiki - read and write about OpenSSO
OpenSSO IRC Channel - chat about OpenSSO
OpenSSO CafePress Store - wear OpenSSO
OpenSSO @ Ohloh - delve into OpenSSO's stats
OpenSSO Facebook Group - decorate your profile
OpenSSO LinkedIn Group - network with other OpenSSO'ers
OpenSSO Plaxo Group - network with even more OpenSSO'ers
OpenSSO Xing Group - network with (mostly) European OpenSSO'ers

@ 02:05 PM PDT Comments [0]
 
 
 
OWASP Bay Area Meeting - June 25th 2008

Prompted by James, I signed up a little while ago to the OWASP Bay Area chapter, keen to learn more about application security, both in hardening OpenSSO and Access Manager and in how those projects/products can contribute to securing applications. Well, whaddya know, the next meeting is a half day Application Security Summit at the Microsoft facility in Mountain View next Wednesday, when I'll be out of town. Keen as I am to attend OWASP, I think the Jazoon folks would be a little upset if I didn't show up for my session on OpenSSO, so I'll have to be content with encouraging folks in the Bay Area to attend - all the details are here and, apparently, space is limited, so if you're interested, sign up now!

@ 08:29 PM PDT Comments [0]
 
 
 
From the Trenches - Virtual Federation: a Pioneering Way for Exchanging Authentication

The Sun Developer Network's Marina Sum spent some time recently talking to my fellow Federated Access Manager architect Rajeev Angal about Virtual Federation, a new feature forthcoming in Sun Federated Access Manager 8.0 (but available now, of course, in OpenSSO). Virtual Federation promises to simplify federation by allowing legacy applications to interact across enterprise boundaries via a SAML 'tunnel'.

Read the interview for an overview of Virtual Federation; this article has the gory details under the old name 'Secure Attribute Exchange'.

@ 03:28 PM PDT Comments [0]
 
 
 
links for 2008-05-27

del.icio.us' link posting function seems to be on the blink right now; here are my last few, lovingly hand-pasted...

@ 09:53 AM PDT Comments [0]
 
 
 
Definitely the Best Version of AM Ever!!!

The title of this blog entry is a direct quote from an email we received from a very happy Sun SE today. He's kindly given me permission to share it. I've added the links for convenience.

Date: May 23, 2008 7:04:20 AM PDT
Subject: Federation POC Success
Guys,
Wanted to let you know I just worked on a POC for a long term oppty for some common activities going on at several government operations.
I used build 4 of OpenSSO and the most exciting part for me (and please share with the team) was:
1) How nice the install experience was
2) The Federation Wizards are awesome (only suggestion is to allow user to name the MetaAlias; I don't think you can add more than two entities using the wizard)
3) Integration with third party (HP Select Federate) was a dream!!!

1) Install AM
2) Run Local IDP Wizard
3) Run Remote SP Wizard to point to HP Data URL
4) HP Points to my URL for Meta Data
5) Test and WORKED FIRST TIME!!!

No kidding!! I have no idea of effort for the HP install, but with that in place, my entire time spent before I was exchanging SAML assertions with HP was about an hour (had I known I would be breaking personal records here, I think I could have sped that up)
Best news is a partner who recommends Sun witnessed that (jaws dropped).
Thanks to you and your team for what is definitely the best version of AM ever!!!

Says it all, really. Kudos to the entire AM engineering team, and, indeed, the wider OpenSSO community for what is turning into something very very special.

@ 03:25 PM PDT Comments [0]
 
Slides Online for OpenSSO CommunityOne Presentation

The CommunityOne folks have posted all the 2008 slides online - you can find them via the session catalog (don't forget the username/password for downloading the PDFs - contentbuilder/doc789) or just get the OpenSSO slides directly.

@ 11:31 AM PDT Comments [0]
 
 
 
Do Not Doubt The Power of The Fedlet!

The inimitable Paul Madsen writes on the Fedlet today, wondering

Would the fedlet, once deployed by an SP, be reusable with other IDPs (than the one that created it initially) and thereby be considered a quick and easy way to SAML enable an SP? I bet not.

On the contrary, my dear Madsen, it can indeed be reused with other IdPs. The Fedlet is configured via SAML 2.0 metadata saved to a directory on disk. The very first time you visit the Fedlet's deployment URI, it offers to save its configuration to disk.

At this point, as explained on the screen, you can expand the Fedlet WAR manually and copy the files yourself, or let the Fedlet do it for you. In either case, you can edit the SAML 2.0 metadata to use any SAML 2.0 identity provider (or providers). OpenSSO even includes an 'unconfigured' Fedlet for doing all of this completely manually.

So, yes, the Fedlet is a quick and easy way to SAML enable an SP!
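To make the 'edit the metadata' step concrete, here is an added example of my own (not Fedlet or OpenSSO code) in Python. It parses a SAML 2.0 IdP metadata document of the kind a Fedlet is configured with, pulls out what the SP actually depends on (entityID, SingleSignOnService endpoints and the signing certificate), rejects metadata that would leave the SP unable to verify assertions, and reports what changes when one IdP's metadata is swapped for another's. The sample metadata documents, the hypothetical IdP hostnames and the placeholder certificate bytes are constructed inline; nothing about the Fedlet's own file names or layout is assumed beyond what this post says, namely that it is driven by standard SAML 2.0 metadata.

```python
"""Inspect SAML 2.0 IdP metadata before pointing an SP (such as a Fedlet) at it.

Added example, not Fedlet/OpenSSO code. It assumes only what SAML 2.0 Metadata
defines: an md:EntityDescriptor holding an md:IDPSSODescriptor that carries
md:SingleSignOnService endpoints and a signing md:KeyDescriptor.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate bytes, as you would pin it in SP config."""
    return hashlib.sha256(der).hexdigest()


def make_sample(entity_id: str, host: str, cert_der: bytes) -> str:
    """Constructed IdP metadata for a hypothetical IdP (sample input only).
    cert_der is placeholder bytes in the usage below, not a real X.509 cert."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://{host}/SSORedirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://{host}/SSOPOST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP relies on from IdP metadata, or raise ValueError.
    Partner metadata is untrusted input: insist on an IdP role, TLS endpoints
    and a signing cert (without the cert the SP cannot verify assertions)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding"), svc.get("Location")
        if not (binding and location):
            continue
        if not location.startswith("https://"):
            raise ValueError(f"SSO endpoint is not HTTPS: {location}")
        sso[binding] = location
    if not sso:
        raise ValueError("no SingleSignOnService endpoint")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # absent 'use' means both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            certs.append(fingerprint(der))
    if not certs:
        raise ValueError("no signing certificate: SP could not verify assertions")

    return {
        "entity_id": entity_id,
        "sso": sso,
        "signing_fingerprints": certs,
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
    }


def rejection_reason(xml_text: str):
    """None if the metadata is usable by an SP, otherwise why it was rejected."""
    try:
        parse_idp_metadata(xml_text)
        return None
    except (ValueError, ET.ParseError) as exc:
        return str(exc)


def diff_idps(old_xml: str, new_xml: str) -> dict:
    """What changes for the SP when one IdP's metadata replaces another's."""
    old, new = parse_idp_metadata(old_xml), parse_idp_metadata(new_xml)
    return {
        "entity_id": (old["entity_id"], new["entity_id"]),
        "new_endpoints": {b: loc for b, loc in new["sso"].items() if old["sso"].get(b) != loc},
        "cert_changed": old["signing_fingerprints"] != new["signing_fingerprints"],
    }


if __name__ == "__main__":
    idp_a = make_sample("https://idp-a.example.org/idp", "idp-a.example.org", b"placeholder cert A")
    idp_b = make_sample("https://idp-b.example.net/idp", "idp-b.example.net", b"placeholder cert B")
    print(parse_idp_metadata(idp_a))
    print(diff_idps(idp_a, idp_b))  # every endpoint and the signing cert change
```

The point of `diff_idps` is the operational one behind Paul's question: switching an already-deployed SP to a different IdP changes exactly three things the SP trusts (the issuer's entityID, where it sends users, and which key it verifies assertions with), and all three live in the metadata rather than in code.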

UPDATE (5/22/08) - Paul. Says. It. Was. All. Down. To. Misplaced. Punctuation.

@ 08:37 AM PDT Comments [0]
 
 
 
links for 2008-05-17
@ 07:31 AM PDT Comments [0]
 
 
 
Be an Identity Hero!

It's Friday afternoon, time for some fun! We've put together a neat little game where you can protect your enterprise from the likes of disgruntled former employees, Sarbox gremlins and the deadly auditors with the help of Sun's identity management products: Identity Hero! Here's a screenshot:

Go save your enterprise!

@ 02:16 PM PDT Comments [0]
 
 
 
OpenSSO at JavaOne

Marina is covering JavaOne 2008 for the Sun Developer Network - she's written a review of our Monday OpenSSO session, which also appears in today's 'JavaOne Today' newspaper. Lucas Jellema at AMIS Technology also wrote a nice review, even including a screenshot of OpenSSO.

If you're at JavaOne, come along to the Sun stand in the pavilion - we're on pod 181, just under the poster of an old geezer with a red pickup. I'll be here today (Wednesday) and tomorrow (Thursday) from 11am to 2pm, but feel free to stop by any time the pavilion is open for a demo and a chat.

@ 11:25 AM PDT Comments [0]
 
 
 
The Fedlet Lives!!!

If you're following OpenSSO at all, you can't have failed to notice the recent buzz around the Fedlet - from Daniel (complete with screencast), Eve, Mark D, Mark H, Tatsuo, Derrick, Marina and Daniel at Sun to Coté at RedMonk and Enrico at Tenthline.

Briefly, the 'Fedlet' is a package that a SAML 2.0 identity provider can create to quickly federation-enable a small service provider. The idea is that, if you're running a single web application, you're not going to want to deploy a whole 'nother server to run a standalone service provider. What you want is a little package of code and configuration to federation-enable your web app. You want the Fedlet.

I've been wrapped up in demos and travel for the past month or so, so I haven't had much of a chance to play with the Fedlet. Since I'm planning to demo it in my session at CommunityOne on Monday, I thought I'd better do so - I set aside this afternoon to get it working. Turns out I was a little pessimistic there - here's what I did, in less than an hour:

  • Updated from OpenSSO CVS (cvs -q update -dP)
  • Cleaned out previous build detritus and built the WAR file (ant clean && ant server-war)
  • Deployed onto Glassfish (don't forget to change GF's -client JVM option to -server, as detailed in the release notes!)
  • Pointed Flock (my preferred web browser du jour) at the newly deployed OpenSSO at http://demo.example.com:8000/opensso (I alias demo.example.com to 127.0.0.1 in /etc/hosts) and configured OpenSSO to use the embedded OpenDS instance for its configuration and user stores.
  • Logged in as amadmin, created a SAML 2.0 identity provider and a Fedlet.
  • Unzipped the Fedlet and deployed it into Glassfish.
  • Ran the Federation Validator to check that SSO is operational.
  • And...

When you spend your time in the weeds of a project, you always half expect any given step to fail due to some issue or another. Perhaps some recent fix destabilized something; perhaps some errant process has eaten my laptop's memory; whatever. So it was extremely gratifying when all of the above passed off without a hitch. I won't tell you what I muttered under my breath as the federation validator completed and gave me the thumbs up, but the second word was "cool!"

@ 03:19 PM PDT Comments [2]