Telenet ACA IT-Solutions
Full GlassFish adoption questionnaire responses from ACA IT-Solutions's Serge Craeghs.

Date: December 2008


Can you tell us about the application, site, or service in which you have adopted OpenSSO?

Telenet is a leading supplier for media and telecom services in Belgium. They provide broadband Internet, multi-media, fixed-line and mobile telephony and digital TV services to residential and professional clients in Flanders and Brussels. They required a fine-grained access control mechanism for all their internal users that could act as a service towards existing and new business applications. Access control to applications and data based on roles and related entitlements had to be administered centrally according to business rules instead of for each application separately. The project was named WebASM (Web Access Security Manager).

How and when did you first find out about OpenSSO?

For more than 10 years now, ACA IT-Solutions has offered end-to-end solutions and services, using Java technology. With an agile approach, solutions are implemented rapidly, effectively and in a flexible manner, with a focus on quality, robustness and reliability. Today, ACA IT-Solutions is probably the largest and most successful independent Java solution provider in Benelux. With a commitment to deliver high quality IT solutions, ACA IT-Solutions effectively combines commercial and open source Java technology. ACA IT-Solutions strives to build its solutions based on open standards, using the best technologies in combination with expert people and a proven methodology.

Prior to the OpenSSO era, we mainly used Sun Access Manager for implementing this type of solution. Because OpenSSO is actually the core of Sun Access Manager, it was really a no-brainer to evaluate it. In addition, being able to dive into the source code often proved to be very useful for documentation's sake or making very subtle customisations.

Hey, who doesn't want to be in control? :)

Did you go through an evaluation process before selecting OpenSSO?
If so, can you tell us a little bit about the process and results?

We set up a specific POC to validate OpenSSO against competitive (commercial) solutions. OpenSSO proved to be the best fit and most mature solution available. Taking into account the licensing model and the possibility to dive into the source code, it stood out tall from the rest.

What specific version of OpenSSO are you using?

Build 4, soon to be upgraded to Build 6.

On what container (application server/web server) do you run OpenSSO?

Oracle/BEA WebLogic 8.

Do you use the same container for both development and production deployment?

Yes.

On what operating system do you run OpenSSO?
Do you use the same OS for both development and production deployment?

Production environment runs Sun Solaris 10.
Non-Production (acceptance, integration, etc.) runs Sun Solaris 10.
Windows XP / Mac OS X on local development machines.

On what hardware platform do you run OpenSSO?
Do you use the same platform for both development and production deployment?

Development = local development machines (Apple / HP / ... )
Non-Prod & Prod = Sun M5000

On what containers are your protected applications running?

Oracle/BEA WebLogic 8

Have you purchased an OpenSSO license? If not, have you thought about doing so and do you know it includes support for both the commercial OpenSSO Enterprise release and OpenSSO Express builds
(more details from http://wikis.sun.com/display/OpenSSO/Sun+OpenSSO+Express)?

No, we have not bought a license.
Yes, we know about its contents.

What specific features or modules of OpenSSO are you using?

SSO, AMSDK, Policy Management.

Are you using any other commercial or open source access management solutions?
(Examples include JA-SIG CAS, Tivoli Access Manager, CA SiteMinder)

No

What do you like most about OpenSSO?

It is a very mature solution that offers a lot of customisation possibilities and has a lot of features.

What would you most like to see improved in or added to OpenSSO?

Our impression is that the current quality of the documentation has a negative effect on the adoption of the product. In addition, the error messages can be improved (get rid of static initializers!).

Are there any figures about the scale of your adoption which you would like to share?
How many users are you supporting?

2800 users

How many applications have you SSO-enabled?

All custom built internal web applications making up the OSS/BSS at the customer site (10+ business applications)

How many partners are you federating to?

Currently no federation in place

How much traffic is being handled?

No figures available - we are handling all authentication requests, and only coarse-grained policy evaluation requests. Fine-grained requests are handled by a distributed policy decision point.

How many servers are used?

2 OpenSSO instances are used, deployed in a WebLogic Cluster. We are not using the high-availability features of OpenSSO.

How much admin/developer time went into your OpenSSO deployment?

Deployment to the different environments has been automated. The scope of the project was a lot broader than OpenSSO alone. OpenSSO deployment and configuration effort was limited to 15 man days (including automatic deployment scripts).

How has OpenSSO performed since your application went live?

No performance issues with OpenSSO in production.

Have you run into any production issues which you would attribute to OpenSSO?

Only one issue encountered related to OpenSSO - TCP timeout problems due to starvation of the resource pools. This will be solved by upgrading to JDK 6, and OpenSSO v6.

Would you recommend OpenSSO to others? Why?

Definitely, we believe it is a mature product with a lot of potential and a solid community supporting it.

How does OpenSSO figure in your future plans?
(For example, using additional functionality like federation or web services, or expanding the scope of single sign-on from employees to customers)

At the moment there are no such plans but the possibility to extend has been an important aspect during selection of OpenSSO.

How would you describe your participation in the OpenSSO project
(e.g. user only, submitter of bug reports and RFEs, developer who has contributed code)?

Submitter of bug reports and RFEs.

Is there anything else you think would be of interest in a story about your OpenSSO adoption?

The solution we created allows us to process very fine-grained authorisation requests. We decided to implement a distributed policy decision point (PDP) where we push the policies from the central policy administration point (PAP). This allows massive scaling and reduces the risk of a single point of failure. This way, we avoid OpenSSO being the most critical component in the chain.