Superpatterns

Pat Patterson on Identity Management, Federation and Single Malt Scotch
OpenSSO at CPqD

CPqD provides Operations Support and Business Support systems, training and consulting services to the telecommunications industry. Mário Celso Teixeira, of CPqD's Brazilian facility, describes their OpenSSO deployment in an email today to the users@opensso.dev.java.net mailing list:

I want to share with you that CPqD has deployed OpenSSO as a single sign-on solution for 3000 users and 75 applications in October, 2008.

After 4 months, 75 corporate applications were customized to use the single sign-on system, where the users' identities are provided by Windows Active Directory.

Initially we were going to install CAS server as a single sign-on product but, in April 2008, I (Mario Celso Teixeira) and Gustavo Chaves were at FISL 9.0 in RS, Brasil, saw Pat Patterson's presentation and decided to test the solution.

The strategy adopted was to install the Policy Agents in the application servers that are used for our applications (IIS 6.0, Apache, JBoss, Tomcat) and not to customize each one using the OpenSSO API, to minimize implementation effort.

After one week live in production, the users are very satisfied because, before, each user could have 15 different accounts and passwords to access the applications.

Next, we want to implement Federation and Identity Management.

Wow. 75 applications in four months, across IIS, Apache, JBoss and Tomcat. That's impressive! Thank you for sharing your OpenSSO success story, Mário.

@ 10:00 PM PDT Comments [0]
 
 
 
Diversity of the OpenSSO Community

I was looking at MarkMail today, specifically at September 2008's emails to users@opensso.dev.java.net, and it struck me how many were from folks outside Sun. In fact, looking at the Top 20 senders, only 10 are in the 'OpenSSO team' at Sun. Another 4 are folks from elsewhere in Sun, and the remaining 6 of the Top 20 are participants from outside Sun.

1) Pat Patterson 27
2) Rohan Pinto 22
3) Dennis Seah 21
4) Aaron Sheffey 19
5) Shesh Kondi 17
6) Deepak Pasupunatla 13
7) David Goldsmith 12
8) John Domenichini 11
9) Robert Dale 11
10) Hua Cui 10
11) Dilli Dorai 9
12) Tim Reynolds 9
13) Damien Covey 8
14) Amit Snyderman 7
15) Nikolaos Giannopoulos 7
16) Sean Brydon 7
17) Ashok Anumandla 6
18) Ezra Simeloff 6
19) Florian Thiel 6
20) Qingwen Cheng 6

Intrigued, I looked at the Top 20 senders since OpenSSO began, expecting to see far fewer 'external' senders over the long run, but was very pleasantly surprised to see just as many there:

1) Pat Patterson 288
2) Dennis Seah 271
3) Michael Teger 125
4) Sean Brydon 117
5) Hua Cui 116
6) Nikolaos Giannopoulos 103
7) Dilli Dorai 100
8) Hedrick, Brooke 86
9) David Holroyd 76
10) Milton Lima 72
11) Nebergall, Christopher 69
12) Subba Evani 63
13) David Goldsmith 61
14) Ping Luo 61
15) Tim Reynolds 59
16) Indira Thangasamy 57
17) Rajeev Angal 53
18) Shivaram Bhat 53
19) Robert Dale 49
20) Qingwen Cheng 46

One consequence of this diversity is that the pool of OpenSSO expertise is growing and we now have questions being asked and answered on the mailing list, by folks 'out there' in the wider community, while we in Santa Clara are all tucked up in bed. You know, I think there's some substance to this 'open source' thing...

@ 08:38 PM PDT Comments [0]
 
 
 
links for 2008-10-04
  • Perl on MAC does not support SSL out of the box. So you must install SSL support: sudo perl -MCPAN -e "install Crypt::SSLeay"
    (tags: perl mac osx ssl)
@ 10:00 AM PDT Comments [0]
 
 
 
Sun Secure Global Desktop and OpenSSO Integration

Sun Solution Architect Joachim Andres (aided and abetted by Paul Walker and Andy Hall) has just written up an integration [PDF] of OpenSSO with Sun Secure Global Desktop. Secure Global Desktop (SGD for short) provides secure access to centralized Windows, UNIX/Linux, Mainframe and Midrange applications from a wide range of popular client devices, including Microsoft Windows PCs, Solaris OS Workstations, thin clients and more (can you tell I cut'n'pasted that from the product page?). One of the most interesting client interfaces to SGD is via a Web browser - you can see it in the demo I recorded with Michael Coté of Redmonk - which brings it into OpenSSO's sphere of control.

This integration is a great example of the use of policy agents with existing applications - the policy agent authenticates the user, sets the REMOTE_USER server variable, and SGD is configured to pick that up rather than use its own login page. The trust SGD places in REMOTE_USER only holds if every request reaches it through the agent-protected web server, so that the variable can never be supplied by the client. With that, and a tweak to SGD's logout logic to send the browser to OpenSSO's logout page (so the SSO session ends too, rather than the agent quietly logging the user straight back in), we have a very neat integration. Check it out [PDF].
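To make the REMOTE_USER contract concrete, here is an added example (it is not code from the SGD write-up, from SGD, or from OpenSSO): a small Python WSGI application that, like SGD in the integration above, relies on an upstream policy agent for authentication, reads only the server variable the agent sets, and on logout sends the browser to OpenSSO's logout page. The OpenSSO logout URL, the allow-listed return host and the use of a `goto` query parameter are assumptions for illustration, not values from the page.

```python
"""Added example, not SGD's or OpenSSO's code: a WSGI app that trusts the
REMOTE_USER server variable set by an upstream policy agent.

Assumed values (not from the page): the OpenSSO logout URL, the host that
logout may return to, and a 'goto' query parameter carrying that return URL.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

OPENSSO_LOGOUT = "https://sso.example.com/opensso/UI/Logout"  # assumed
ALLOWED_GOTO_HOSTS = {"sgd.example.com"}  # assumed: where logout may return


def current_user(environ):
    """Return the user the agent authenticated, or None.

    The agent sets REMOTE_USER as a *server* variable. A browser-sent
    header 'Remote-User: admin' arrives under the CGI key HTTP_REMOTE_USER
    instead; that key is deliberately never consulted, so a client cannot
    impersonate anyone by adding a header.
    """
    user = environ.get("REMOTE_USER", "")
    return user or None


def logout_url(goto=None):
    """Build the OpenSSO logout URL the app redirects to on logout.

    Ending only the local session would be incomplete: the agent would
    silently log the user straight back in from the still-valid SSO
    session. The optional goto is forwarded only when it points at an
    allow-listed https host, so the logout page is not an open redirect.
    """
    if goto:
        parts = urlsplit(goto)
        if parts.scheme == "https" and parts.hostname in ALLOWED_GOTO_HOSTS:
            return OPENSSO_LOGOUT + "?" + urlencode({"goto": goto})
    return OPENSSO_LOGOUT


def handle(environ):
    """Route one request; returns (status, headers, body) so it is testable."""
    user = current_user(environ)
    if user is None:
        # Never fall back to a local login form: that is exactly the
        # SGD login page the integration replaces.
        return ("403 Forbidden", [("Content-Type", "text/plain")],
                b"no authenticated user from the policy agent\n")
    if environ.get("PATH_INFO") == "/logout":
        goto = parse_qs(environ.get("QUERY_STRING", "")).get("goto", [None])[0]
        return ("302 Found", [("Location", logout_url(goto))], b"")
    body = f"hello {user}\n".encode()
    return ("200 OK", [("Content-Type", "text/plain")], body)


def app(environ, start_response):
    """Standard WSGI entry point wrapping handle()."""
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Constructed requests: one the agent authenticated, one that tries
    # to spoof the variable with a client-supplied header.
    agent_authenticated = {"REMOTE_USER": "mario", "PATH_INFO": "/"}
    header_spoof = {"HTTP_REMOTE_USER": "admin", "PATH_INFO": "/"}
    print(handle(agent_authenticated)[0], "/", handle(header_spoof)[0])
```

The same two rules carry over to any application behind an agent: read the identity only from where the agent can put it and the client cannot, and make logout terminate the SSO session, not just the application's own.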

@ 08:50 AM PDT Comments [2]
 
 
 
links for 2008-10-01
@ 10:01 AM PDT Comments [0]
 
OpenSSO Enterprise 8.0 Launch Coverage

I covered the OpenSSO Enterprise 8.0 launch event yesterday - here is a selection of the more interesting articles and quotes in reaction to the announcement:

• Sun's press release has Chris Harvison, an Enterprise Architect at Scotiabank, looking forward to deploying OpenSSO: "Sun OpenSSO Enterprise brings innovations such as Fedlets and multi-protocol support that will simplify the on-boarding of new federation partners and reduce the costs of doing so. The new tools provide a means to quickly and economically drive SSO across our global organization."
• In Sun goes commercial with OpenSSO, Network World quotes Gerry Gebel of analyst firm The Burton Group: “We are seeing a growing interest in OpenSSO and open source in general. People are looking for different options on software licensing and support. They are not always happy with the price tag on commercial software licenses.”
• Meanwhile, SearchSecurity.com quotes Andras Cser of Forrester Research in its article Sun launches open source OpenSSO for identity management: "If something is open source, you get a whole community feeling, a community buzz around the product. The features are one thing, but at the end of the day, you really want to have a developer community and commercially available implementation talent for software."
• Felix Gaehtgens of European analysts Kuppinger Cole closes his article Sun's new Access Manager is now OpenSSO Enterprise with: "With some sarcasm, many IT professionals note that 'Express' is a synonym for 'limited' and 'Enterprise' is a synonym for 'Expensive'. Sun will have to educate its customers that this is certainly not the case for OpenSSO." Message received and understood, Felix!
• Finally, Redmonk's Michael Coté interviews Daniel and me on OpenSSO's support for single sign-on to software as a service (SSO to SaaS, if you're feeling terse), including demos of single sign-on to Google and SalesForce.com, plus Rajeev's OpenSSO QuickStart prototype.

@ 12:54 AM PDT Comments [0]
 
 
 
links for 2008-09-30
@ 10:01 AM PDT Comments [0]
 
OpenSSO in Second Life

I went to the launch of OpenSSO Enterprise 8.0 (press release) this morning in Second Life, hosted by none other than the IdentiCat - Daniel Raskin, and my boss, director of engineering for OpenSSO - Jamie Nelson. It was definitely a different experience from a traditional webinar - there was audio and slides, but somehow it was more immersive, sitting in the hall with the other attendees. Some technical glitches, but, all in all, a great event.

(Confession - the image (click on it for a larger version) is a composite - when that slide was up, Daniel was off flying somewhere, and when he was sitting down, I just had a gray screen where the slide should have been).

UPDATE - if you missed the Second Life event, you can catch the replay!

@ 09:35 AM PDT Comments [2]
 
 
 
OpenSSO at CALGB

The Cancer and Leukemia Group B (CALGB) is a national clinical research group sponsored by the National Cancer Institute, with its Central Office headquartered at the University of Chicago and its Statistical Center located at Duke University.

A couple of weeks ago, Robert Dale of CALGB contributed an OpenSSO/Spring Security integration to the OpenSSO project. I asked him how CALGB were using OpenSSO, and he was good enough to send me this explanation and allow me to publish it.

We're probably not too different than many places where we have many applications each using its own authentication mechanism from disparate data stores. The primary goal here is to unite all these applications to use the same authentication mechanism using a single data store, hence a single username and password. Because we deal with clinical data, HIPAA comes into play. So certain applications need specific restrictions, for instance having a session timeout in 15 minutes. Other applications - administrative, those for developers, IT staff - can be logged in all day long. Therefore our secondary goal is to place these policies across all the apps. We have our own authorization and audit system and won't be using those from OpenSSO.

We also have the case where we need to federate to other identity providers, such as caBIG, so our users can seamlessly use the grid applications. But we also share data with labs and other facilities that develop their own applications and need to federate identities (and authorizations) to us either through user interaction and/or web services. And in one special case, we have an authentication module that authenticates users via webservice to CTSU where they don't yet have federated identities.

This is a great mini-case study of an OpenSSO deployment - internal SSO, federation, web services and a bit of customization on the side. It's great, too, to be able to support such vital research through OpenSSO - CALGB didn't have to ask or tell us about their OpenSSO deployment - they just got on and got it done, and were good enough to share their success story with us.

Have you deployed OpenSSO? Care to share your story?

@ 03:39 PM PDT Comments [0]
 
 
 
links for 2008-09-26
@ 10:00 AM PDT Comments [2]
 
Ask the OpenSSO Experts!

Next week at the Sun Developer Network Ask the Experts site, Rajeev Angal, Aravindan Ranganathan, Dilli Dorai, and Qingwen Cheng will be answering your questions on OpenSSO. If you have a question on access management, identity federation, secure web services or anything else OpenSSO-related, post it to the Ask the Experts page during the week of September 29. Go on - see if you can stump them.

@ 08:42 AM PDT Comments [0]
 
 
 
links for 2008-09-23
@ 10:01 AM PDT Comments [0]
 
 
 
 
 
OpenSSO+Spring - an Open Source Community in Action

On Friday morning, Jim Gellman of the Institute for Systems Biology asked a question on the OpenSSO Users mailing list about OpenSSO/Spring Security (formerly known as Acegi) integration:

We'd like to use opensso with an app that's using Spring Security currently, but we don't have the resources at the moment to develop a module to do this.

Instead we're hoping we can use Spring Security's container adapter for tomcat along with the OpenSSO agent. Does anyone know for sure whether this is a reasonable approach?

Just a few minutes later, Robert Dale of CALGB replied:

I actually have code based on acegi-security 1.0.3 that provides an AuthenticationProvider, LogoutHandler, AuthenticationProcessingFilter, and AuthenticationProcessingFilterEntryPoint. I would be more than happy to donate to OpenSSO extensions if they want it.

How can you refuse an offer like that? Actually, it turns out that Robert had also done some work with Seraph (Atlassian's security framework, used by Jira and Confluence). So, this morning I created two new 'Authentication Provider' OpenSSO Extensions - one for Spring and one for Seraph - and Robert checked in his code. If you've been scratching your head, wondering how to integrate OpenSSO with Spring or Seraph, go check 'em out!

@ 06:04 AM PDT Comments [2]
 
 
 
Be the 800th OpenSSO Member - Win OpenSSO Goodies!!!

Back in June, OpenSSO reached 700 members. Less than three months later, we're getting close to the 800 mark. For a bit of fun, we're offering a $50 gift certificate for the CafePress OpenSSO store to our 800th member. But, there's a twist. There's more to it than just signing up for a dev.java.net account and requesting the Observer role in OpenSSO - we need to know how the deployment went for you, so you'll have to download OpenSSO and deploy it on your favourite Java web container (we like GlassFish, but Tomcat, JBoss, WebSphere and many more work fine - see the release notes [PDF]), or simply click here to install and run the Java Web Start version (it has its own embedded instance of GlassFish v3).

Once you're signed up and have played with OpenSSO, subscribe to the users@opensso.dev.java.net mailing list and let us know your dev.java.net username, which version of OpenSSO you downloaded (e.g. build 5), which container you used, and your general impressions. We're working hard to make the deploy/configure process rock solid, so reports of problems are even more valuable than "It works great!" - much as we like to hear that.

@ 10:49 AM PDT Comments [0]
 
 
 
Original theme by Rowell Sotto. Heavily modified by Pat Patterson.