Sidharth's blog

OpenSSO Express 8, an early access version of next release of Sun's Web Access Management solution (and that's fully supported and indemnified by Sun Microsystems for customers), is now available for download. You can download OpenSSO Express 8 by visiting, https://opensso.dev.java.net/public/use/index.html.

OpenSSO Express 8 introduces number of exciting new features such as:

- One Time Password based Strong Authentication
- Federated SSO for Dot Net applications using DotNET Fedlet.
- Support for MySQL as an user data store.
- Entitlement Service
- A new look Beta Administration Console that allows to administer Entitlement Service and makes available easy to use workflows for Federation and Web Services Security.
- Common task based workflow for federated SSO setup with Salesforce.COM.
And more...

A list of all the new features and enhancements in OpenSSO Express 8 is available as part of Release Notes, at - http://wikis.sun.com/display/OpenSSO/OpenSSO+Express+8+Release+Notes#OpenSSOExpress8ReleaseNotes-WSS

Detailed documentation on OpenSSO Express 8 and the features, is available on OpenSSO Documentation wiki, at - http://wikis.sun.com/display/OpenSSO/Sun+OpenSSO+Documentation

Congratulations to all OpenSSO community members and special thanks to those that contributed towards OpenSSO Express 8!

OpenSSO Express 8(being released end of Aug '09) introduces  lots of exciting new features, such as Fedlet for Dot Net, OTP based Multifactor Authentication support, Federated Single sign on workflow for Salesforce, REST based web services for  Entitlements, Support for OAuth etc.

We recently did a webinar covering the details and demonstrated the features.  Certainly download and give OpenSSO Express 8 a try!

OpenSSO at JavaOne/CommunityOne... tons of interesting stuff!

OpenSSO Community Day

Join us Sunday May 31st, for OpenSSO Community Day at the Moscone Center in San Francisco. It's our 'unconference' before the main conference and discussions will include OpenDS and Identity Connectors. Just show up prepared to talk about any topic related to Sun's open source identity projects. As always attendance is free. Join our Meetup to participate in this discussion.

CommunityOne West Conference

Whether you're a developer, technologist, or student, join us Monday, June 1- Wednesday, June 3 at the Moscone Center for technical education, OpenSSO talks, and a Hands On Lab at CommunityOne West.

Monday, June 1

• Hands On Lab --Web Application Security with OpenSSO by Himanshu Vijay and Baby Sunil.
• Pragmatic Identity 2.0--Invoking Identity Services with a Simplified REST/ROA Architecture by Daniel Raskin.
• Metro Web Services, NetBeans IDE, GlassFish Application Server, and OpenSSO in Action with Amazon WS, Azure, and Office by Harold Carr.
• Secure Web Services in Time for Tea, Using Metro and OpenSSO by Jonathan Scudder.

Wednesday, June 3

• Deep Dives-- Identity Management with OpenSSO: Deploy an Identity Management Solution in Four hours by David Goldsmith.

JavaOne Conference

Continue the fun with more OpenSSO related talks, a BOF, and a Hands On Lab at JavaOne Tuesday, June 2- Friday, June 5. Stop by our pod (#462) to talk with identity experts and get a free t-shirt and open source CD! And, don't miss the following identity-related presentations:

Tuesday, June 2

• Using and Participating in the OpenSSO Project by Sean Brydon, Pat Patterson, Aravindan Ranganathan.

Wednesday, June 3

• Designing and Building Security into REST Applications by Sean Brydon, Aravindan Ranganathan, Paul Bryan.

Thursday, June 4

• Pragmatic Identity 2.0: Simple, Open, Identity Services Using REST by Pat Patterson, Ron Ten-Hove.
• Web Application Security with OpenSSO: From Simple Log-In to Single Sign-On to Federation by Pat Patterson, Himanshu Vijay, Baby Sunil.
• A RESTful approach to identity-based web services by Hubert Le Van Gong, Marc Hadley.

It was indeed a privilege and a pleasure to have participated in what turned out to be a superb event. Was great to see active participation by almost all the community members who were there.

The presentations used are available here.

The community events will be in an informal unconference setting and attendance is free. All are welcome to partcipate and present / discuss OpenSSO related topics of their interest. The first event in NY has already seen a response beyond original estimates, and we had to move to an alternate bigger setting.

Sign up and join in.

Software as a Service(SaaS) has evolved as the service delivery mechanism of choice in the internet age. Managed Services and SaaS provide enterprises options for deployments that deliver levels of service to fit individual needs and offload overworked IT departments.  For key, business critical software, though most large companies have still been using the traditional locally stored licensed software, they are keeping a close eye on the SaaS space. Given the current economic scenario and the pressures, SaaS adoption could accelerate in the coming days as a means of limiting maintenance costs and as a way of addressing business priorities.

Salesforce and Google have been leading and early adoptors of SaaS based software delivery mechanism. Salesforce.com offers an alternative to locally run sales force automation (SFA) packages; Google provides productivity applications via Google Apps Premier Edition. Here's an earlier screencast on usage scenario of these SaaS applications with Single Sign-On. 

For Single Sign On, both Google Apps and Salesforce have support for the OASIS Security Assertion Markup Language (SAML) standard, that can be used to provide single sign-on system access to these two SaaS vendors. This lets customers who invested in SAML to implement single sign-on in Salesforce and Google Apps easily and cost-effectively. Also, SAML never sends passwords to Salesforce and Google, so it is inherently more secure than other authentication mechanisms.

These 2 new Sun Developer Network articles(Google Apps article / Salesforce integration article) describe the steps involved in configuring and using OpenSSO for SAML based SSO integrations with Google and Salesforce, in detail.

Certainly take a look at these very interesting articles and give the integrations a try!

SugarCRM is a leading provider of commercial open source customer relationship management (CRM) software for companies of all sizes. SugarCRM's open source architecture allows companies to more easily customize and integrate customer-facing business processes in order to build and maintain more profitable relationships. SugarCRM offers several deployment options, including on-demand, on-premise and appliance-based solutions to suit customers' security, integration and configuration needs.

Thomas and Marina collaborate on this article, which describes Security Assertion Markup Language (SAML) based single sign-on (SSO) integration between a PHP-based Service Provider(simpleSAMLphp) used by SugarCRM and OpenSSO(a Java language-based Identity Provider, and the only comprehensive open source solution for Web access management, federation and secure web services!). simpleSAMLphp is a service provider / relying party implementation based on PHP and in this case is configured to be used as SSO solution for SugarCRM.

It's finally here... The much awaited release, which is Industry's Very First Enterprise Support For Open Source Identity Management and Web Single Sign-on Software! Congratulations to everyone involved, at Sun and in the OpenSSO community... it's been lot of hard work and not to mention, a fantastic team effort.

Tons of new and cool features. Certainly download and give it a try, if you've not already.

A free of cost deployment training is now available to the OpenSSO developer community, thanks to David and our friends in Sun Learning Services.  The training comprises five self-paced, downloadable labs that take you through a set of complex real world OpenSSO deployment scenarios.

What's even more interesting is that the lab infrastructure is powered by Solaris and ZFS, which allows the developers to choose and try out particular labs and skip some.  ZFS is an amazing technology. Its snapshot capability quickly changes the way you work on the desktop or server. Add replication via zfs send and zfs recv, and life gets even better. In case of ZFS the replication is just a simple stream. Simply brilliant that is, because it means you can dump a ZFS Snapshot into a single file which acts as an archive that can be restored later at any point in time. The OpenSSO training virtual machine infrastructure leverages these features of this very powerful file system.

If you've been on the look out for  a structured and step by step hands on training, on various aspects of single sign on using OpenSSO, you'll find the training very helpful. More details on the training is available here.

Today was a great day for the OpenSSO project and the community, as Sun announced comprehensive enterprise-class support and indemnification for OpenSSO to it's customers, via support for Sun OpenSSO Express. It's been a privilege working on the launch and some of the details as part of the OpenSSO team. Here's some highlights of this new support offering:

OpenSSO Express:

• OpenSSO Express is an option available to Sun Customers, if they choose to avail latest features and innovations happening the community(that are not yet part of a commercial offering). Sun customers are entitled to support and indemnification, if they choose to deploy OpenSSO Express.
  
• Maps to latest OpenSSO stable builds, which are supported by Sun.
• Released approximately every 3 months and these undergo extensive automated testing and moderate manual testing by Sun QA Engineering.

Benefits Of OpenSSO Express

• Allows customers to use OpenSSO Express in development and avail support.
• Allows customers to use OpenSSO Express in production, if they are require latest features.
• Allows OEMs to keep pace with Sun, as they come up with new product offerings.

Details on OpenSSO Express and a mini FAQ is here.

A screencast on Fedlets demonstrating;

- An IDP generating Fedlets, SP configuring and using this Fedlet for IDP initiated SSO, SP initiated SSO and transfer of identity attributes as part of the assertions from the IDP.

Here's also the details and a write-up of steps, which I've used for the setup in the screencast.
1. Create 2 Glassfish domains, "idp" and "sp".
2. On the Glassfish instance idp, install opensso. For installing and deploying opensso, follow steps at - http://blogs.sun.com/sid/entry/installing_opensso_b4_on_glassfish1
    (Installation/Configuration UI has changed a little bit since build-4. If you're using a latest periodic build - you can use the embedded opends as the user directory, for this demo/poc.)
3. You can edit the /etc/hosts file (or the corresponding file on other OS), to refer to your localhost as, www.idp.com and www.sp.com  and use either of the FQDNs, as appropriate.

Configure IDP
1. Login to OpenSSO console.
2. In the "Common Tasks" tab, click on the "Create Hosted Identity Provider" link.
3. In the next screen, select the "Signing Key", as "test".
4. Create a new circle of trust - "fedlet_cot". (Alternatively, you could select an existing one, if available.)
5. Click on the "Configure" button.
6. You will see a dialog box with the message that the IDP was configured. Click on the "Fedlet" button. You will be taken to the "Create Fedlet" screen.
7. Enter "http://<fqdn-of-SP-Server>:<port>/fedlet", in the following fields:
    • Name
    • Destination URL
Note: This write-up assumes the fedlet.war is deployed with context-root "/fedlet" on the SP.
8. In the "Attribute Mapping" section, add these mappings:
mail | mail
telephonenumber | telephonenumber
9. Click on the "Create" button. At the end of the process, you will see a message :  Fedlet zip file is created, and the location of the same.

10. Click on the "OK" button. You will be taken back to the "Common Tasks" tab.

Verification - IDP
1. Now if you click on the "Federation" tab, you will see a new entry for SP in the "Entity Providers" and "Circle Of Trust" sections.
2. Also, you should see this file:
<OpenSSO-config-dir>/myfedlets/<fedlet-destination-url>/Fedlet.zip

The "Fedlet.zip" file contains:
    • README - a text file that contains instructions about how to deploy the demo fedlet.war and how to integrate the the fedlet into an existing application.
    • fedlet.war - the fedlet demo
3. Logout from the OpenSSO console.

Configure SP
1. Request the Fedlet.zip file from the IDP. Extract the contents of the zip file into some temporary location and deploy the fedlet.war on the SP web-container.
    Note: This write-up assumes the fedlet.war is deployed with context-root "/fedlet" on the SP.
2. Go to http://<fqdn-of-SP-Server>:<port>/fedlet/index.jsp . You will see a message about the absence of the Fedlet configuration directory.
3. Click on the hyperlink to create the configuration directory.
4. Click on the hyperlink on the webpage, to continue. You will be taken to the "Validate Fedlet Setup" page.

Verification - SP
1. Go to the directory "<user-home-dir>/fedlet", that was automatically created, as part of the setup above. You will find these configuration files in it:
    • Name and Members of Circle Of Trust in which the SP is participating
    • Metadata of the IDP and SP
Note: The reference to “user-home-dir” above, indicates the home directory of the system-user that the SP web-container process is running as.

Demonstration
1. Login as user demo/changeit, at IDP. Provide values for attributes mail and telephonenumber - the two attributes which are passed as part of the assertion from the IDP to the SP.
2. Go to http://<fqdn-of-SP-Server>:<port>/fedlet/index.jsp
3. Click on the hyperlink "Run Fedlet (SP) initiated Single Sign-On".
4. You will be redirected to the IDP login screen. Login as demo / changeit.
5. You will be single-signed-on to the SP, and on the webpage you will see the mapped attributes of the user that you logged in as. You will also be able to see the following SAML communication:
        • SAML2 Response
        • Assertion
        • Authentication Statement
        • Attribute Statement
6. Open  a  new  browser  window  and  go  to  http://<fqdn-of-SP- Server>:<port>/fedlet/index.jsp. This is the "Validate Fedlet Setup" page.
7. Click on the hyperlink "Run Identity Provider initiated Single Sign-On".
8. You will be redirected to the IDP login screen. Login as demo / changeit.
9. You will be single-signed-on to the SP, and on the webpage you will see the mapped attributes of the user that you logged in as. You will also be able to see the following SAML communication:
    • SAML2 Response
    • Assertion
    • Authentication Statement
    • Attribute Statement

Enjoy! and let me know if you could get things working .

A screencast of OpenSSO / Federated Access Manager integration with Software As a Service application providers (Google, Salesforce).

Paul wasn't quite convinced, of the power of Fedlet, as I mentioned in my previous post, I thought. Pat weighed in and as Paul clarified later, it was all to do with a missing punctuation in his post.

Here's some more details on the options that SP has in procuring and deploying the Fedlet (and I mentioned this briefly as part of a screencast few days back). There are two ways a Fedlet can be procured and deployed by a Service Provider, in order to be quickly SAML enabled.

I - IDP Workflow generated Fedlet

1. IDP installs and configures FAM / OpenSSO.
2. IDP follows a simple set of FAM workflows to create Fedlet.zip for the Service Provider. The Fedlet.zip contains

• fedlet.war - A ready to deploy war file, for use by SP.
• A README file - A text file with instructions on how the SP can integrate a Fedlet with an existing application.

3. IDP sends the generated zip file (fedlet.zip) to the SP.
4. SP deploys the war file. 5. SP tests the Fedlet deployment by accessing the index.jsp for the two common scenarios

• IDP initiated SSO.
• Fedlet/SP initiated SSO.

(And yes, the SP can edit the metadata in this case to federate with another IDP. However, SP also has the following option - i.e. of using the Pre-packaged Fedlet, available as part of the FAM/OpenSSO distribution in order to do so.)

II - The Pre-built Fedlet

1. SP downloads/procures the unconfigured/pre-built fedlet zip(Fedlet-unconfigured.zip) file via OpenSSO/FAM, which has the following;

• fedlet.war - Fedlet war file.
• conf -  A directory with metadata templates, Circle Of Trust (COT) templates and configuration files.
• README - A file that shows use of conf files with configuration info for setting up the Fedlet.

2. SP edits the conf  files, as appropriate(values for metadata).
3. SP sends it's metadata details to the IDP and requests for IDP metadata info. 4. Tests the deployment for the 2 scenarios

• IDP initiated SSO
• Fedlet initiated SSO

Tags: OpenSSO, FAM, Fedlet

Fedlet is a lightweight Service Provider implementation of SAML2 SSO protocols, embeddable in a Java EE web application. Fedlet is a new feature, which will be part of upcoming Sun Federated Access Manager (OpenSSO) release.

Fedlets are extremely light weight, and they can be easily embedded into a Service Provider application, and enable it to accept SAML POST from an Identity Provider, and use that to pull user attributes into the Service Provider application. The user attributes are part of the SAML Response from the IDP, that the IDP sends to the Fedlet, once an user successfully authenticates at the Identity Provider. Fedlets have many interesting usage in Federation scenarios such as -

• Quick federation enablement of Service Providers, which allows Identity Providers to make them a part of their business circle of trust in no time and to use their feature Offerings.

• Federation enablement at minimal cost and minimal investment in hardware and services.

• Support minimal SSO related needs in business scenarios, without the need for a full fledged Federation product/solution deployment.

Here's a screencast on Fedlets which covers business usage scenario, process flow and some Frequently Asked Questions on Fedlets. In a future post will write more on how to generate Fedlets, and configure them in IDP/SP initiated SSO scenarios.