Full OpenSSO adoption questionnaire responses from Suncorp's Damien Covey.
Date: August 2009
Can you tell us about the application, site, or service in which you have adopted OpenSSO?
A new initiative to create a single entry point for our insurance broker channel led to the creation of the SunCentral portal. This site combines several existing separate applications under the one entry point. A key requirement in the initiative was to have single sign-on (SSO) between each of the participating applications, which included both in-house hosted and externally hosted applications.
OpenSSO was chosen as the mechanism to deliver SSO due to its maturity and completeness in platform coverage.
How and when did you first find out about OpenSSO?
We came to find OpenSSO during evaluation of various open source Access and Identity Management tools to provide an alternative to Tivoli Access Manager and CA SiteMinder for future application deployments.
Did you go through an evaluation process before selecting OpenSSO?
If so, can you tell us a little bit about the process and results?
The evaluation process compared established commercial offerings as well as competing open source solutions. OpenSSO was chosen due to its feature completeness, enterprise readiness, support options and because it is open source software.
What specific version of OpenSSO are you using?
OpenSSO Enterprise 8.0
On what container (application server/web server) do you run OpenSSO?
Do you use the same container for both development and production deployment?
Tomcat 6.0.14 hosting OpenSSO. All our environments use the same containers.
On what operating system do you run OpenSSO?
Do you use the same OS for both development and production deployment?
Red Hat Enterprise Linux 5.2 in development, user acceptance test (UAT) and production.
On what hardware platform do you run OpenSSO?
Do you use the same platform for both development and production deployment?
Virtualised (VMware ESX 3.5), mix of 64-bit and 32-bit Intel.
On what containers are your protected applications running?
Tomcat 6.0.14. IIS 6. Sun Java System Web Server (JBoss coming).
Have you purchased an OpenSSO license? If not, have you thought about doing so, and do you know it includes support for both the commercial OpenSSO Enterprise release and OpenSSO Express builds?
(more details from http://wikis.sun.com/display/OpenSSO/Sun+OpenSSO+Express)?
We have not purchased a license. We are choosing to commit resources to the project and provide our own support and contributions.
What specific features or modules of OpenSSO are you using?
We are currently using Java EE agents to provide SSO and security for Tomcat. We leverage the web agent to provide web security for Sun Java System Web Server in reverse proxy mode, which we have fronting back-end applications. We have multiple applications deployed across several domains with cross-domain single sign-on (CDSSO) between domains.
Are you using any other commercial or open source access management solutions?
(Examples include JA-SIG CAS, Tivoli Access Manager, CA SiteMinder)
Both Tivoli Access Manager and CA SiteMinder have existing deployments within the organisation.
What do you like most about OpenSSO?
Openness, licensed support availability, growing community, increasing industry adoption. The feature set offered by OpenSSO stacks up well against the alternatives, at least as we reviewed them. In particular, the ability to see the source, patch and fix issues, and extend the platform is a great attractor for us.
What would you most like to see improved in or added to OpenSSO?
The release schedule for agents needs to be made clearer, possibly aligning with OpenSSO Express releases.
Are there any figures about the scale of your adoption which you would like to share? (such as how many users you are supporting, how many applications you have SSO-enabled, how many partners you are federating to, how much traffic is being handled, how many servers are used, how much admin/developer time went into your OpenSSO deployment)
We have six internet facing applications in production that are SSO and CDSSO enabled as well as federating with one external provider who provides four separate applications. These applications are accessed by a network of brokers and other business partners numbering approximately 3000. There are numerous other applications planned to be integrated with OpenSSO for SSO over the next 12 months.
OpenSSO is also providing SSO and access control to internal corporate applications accessed by internal staff members. These applications are used by approximately 15,000 staff members from the corporate desktop and network.
The initial POC of OpenSSO took approximately three months with two engineers and two architects on the team. After the success of that project an additional three engineers joined the team to work on production enablement. From the start of production enablement through to being live with three integrated applications took approximately five months and included building three separate fully HA environments for development, UAT and production. The team is now working on providing further services to the organisation, including federation (SAML2), web services security and centralised policy authorisation services.
How has OpenSSO performed since your application went live? Have you run into any production issues which you would attribute to OpenSSO?
OpenSSO has been stable in our production environment. In the six months since we've been live, we've had one issue caused by OpenSSO. This issue has now been patched in OpenSSO (after our issue report) and we are running with that temporary fix.
Would you recommend OpenSSO to others? Why?
Yes. We'd recommend it for all the reasons we use it: openness, licensed support availability, growing community, increasing industry adoption. The feature set offered by OpenSSO stacks up well against the alternatives as we reviewed them.
How does OpenSSO figure in your future plans?
(For example, using additional functionality like federation or web services, or expanding the scope of single sign-on from employees to customers)
We are working on leveraging the federation capabilities of OpenSSO, specifically SAML, to provide federated access to externally hosted applications including Salesforce. The STS service is also being investigated to provide web services security throughout the enterprise. Initial investigations are under way into how we might leverage the Policy Service of OpenSSO to provide a centralised authorisation framework for insurance policies and quotes. There is also some movement toward replacing the TAM and SiteMinder implementations with OpenSSO.
How would you describe your participation in the OpenSSO project
(e.g. user only, submitter of bug reports and RFEs, developer who has contributed code)?
We are a user and submitter of bug reports and RFEs. We have contributed fixes for some of the bug reports we have made. We intend to increase our participation in the community and become a developer/committer to the project, providing features and fixes.