Superpatterns

Presidente Lula visited FISL yesterday and received a rockstar reception. This is a crop of a picture I got by holding my camera in the air and snapping away:

Ludo got a much better one, but he cheated by standing on a chair

As I blogged the other day, I'm in Brazil this week, speaking at the Javali and FISL conferences in Porto Alegre. I'm all done with my sessions now, and, as promised, here are the slides:

• Secure RESTful Web Services with OpenSSO (Javali)
• Open Source Identity Services with OpenSSO (FISL)

The Javali presentation is a fairly deep dive into OpenSSO's brand new OAuth implementation, while the FISL slides are a higher level overview of identity services in OpenSSO. Grab one or both and mix yourself a caipirinha for the full Brazilian experience

• The Zen of Community
  Nice essay by John Mark on the art of building a community by NOT trying to build a community. Via Matt Asay
  (tags: zen community linux)
• Grails - Plugin: Grails OpenSSO Plugin
  The plugin delegates your Grails app's authentication and authorization to OpenSSO, allowing single sign-on, URL policy enforcement, use of GSP security tags and programmatic security. Nice work by Warren Strange!
  (tags: grails groovy opensso security sso authentication authorization gsp)

I just got confirmation that I'm on the bill at the Javali event next Tuesday, June 23, in Porto Alegre, Brazil. Javali, organized by SouJava and RSJUG, focuses on Java and free software, and is held immediately prior to FISL (on which more below). I'll be doing quite a deep dive on the secure RESTful web services (via OAuth) work we have going on right now, which was first seen in public a few weeks ago at CommunityOne West and JavaOne. Javali will be at the Porto Alegre Serpro offices, Av. Augusto de Carvalho, 1133, from 09:00 to 20:00. I'm on at 18:30 in the Bill Joy Room, just before the pizza, assuming I make my 1 hour layover in Buenos Aires!

As I mentioned above, Javali precedes FISL, now in its 10th year, South America's biggest open source conference with, according to the FISL home page, over 6000 attendees registered. I spoke at FISL 9.0 last April, and, I have to say, had a GREAT time. I saw an incredible display of energy and enthusiasm for all things open source, from kernel hacking to Ruby on Rails via every application of Java, although I think our evening expeditions in search of churrasco and caipirinhas probably also contributed to my positive recollections

My session this year, 'Open Source Identity Services with OpenSSO', on Friday June 26 at 09:00 in room 40T, looks at the three different approaches we take to identity services in OpenSSO - insulating applications from identity via container plugins, support for standards such as SAML, and lightweight SOAP and REST for interacting directly with OpenSSO. I'll be covering the secure RESTful web services demo again, but it will be a much higher level view than the Javali presentation.

So - probably not enough notice for anyone to book a trip to Brazil, but, if you're going to be there anyway, drop in one one or both sessions and say "Hi"! And bring the cachaça!

UPDATE - slides posted.

If you're in the Chicago area next week you might be interested in attending the Chicago Java Users Group (CJUG) meeting on Tuesday (June 16 2009) - Kiran Ramineni, Principal at Ramp Info, will be presenting on OpenSSO and Identity Federation. The event starts at 6pm in the Lewis Towers Ballroom, Beane Hall at Loyola University of Chicago, and is free to CJUG members and first time guests. Sounds like a bargain to me, so get yourself down there next Tuesday night and then leave a comment here to let us know how it went!

Among the OpenSSO-related news items that popped up while I had my head down over the past few weeks, I noticed the Google Blog entry and Valeo press release concerning the global industrial group's Google Apps deployment - 30,000 Valeo employees now have access to a new communication and collaborative working platform based on Google Apps Premier Edition and supported by Capgemini, one of the largest enterprise deployments of Google Apps to date.

It's not mentioned in either story, but, if you a regular reader of Superpatterns, you'll already know that Capgemini deployed OpenSSO at Valeo to handle single sign-on, allowing Valeo employees to access their email at Google via their Valeo credentials, without having to manage a separate Google username/password.

If you're looking at Google Apps, click here to download the 'starter kit' we recently produced, which explains exactly how to set up single sign-on to Google Apps using OpenSSO.

Wow - is it really over a month since my last blog entry? I guess that's what happens when you get your head down into a project - in this case, building a demo for CommunityOne West and JavaOne 2009 to show off the latest OpenSSO features.

The demo brought together a number of existing Java technologies - the Java Persistence API (JPA), the Jersey implementation of JAX-RS (aka JSR 311) on both the client and server, and JavaFX - with some new aspects of OpenSSO - fine-grained authorization (aka entitlements), OAuth protocol support, and a JDBC data store. Briefly, the demo centered on a cellphone account management system delivered as a JavaFX rich Internet application (RIA) client and a (more or less) RESTful web service back-end, communication between them secured by OAuth.

I'll be uploading source code for the demo client and server apps to the OpenSSO project in the next few days, as well as documenting how to bring up the demo environment. Watch this space for updates!

Sitting next to The Smoking Monkey here at Sun's Open IAM day in Brussels, I just got word that the Fedlet last night won the 'Best Innovation' award at the European Identity Conference 2009. In Kuppinger Cole's words:

In the category “Best innovation”, the award went to the OpenSSO initative, founded and supported by Sun Microsystems. Their project, OpenSSO Fedlet has provided a lean solution for the Identity Federation.

This capped a fantastic week for us at EIC2009 - our second OpenSSO Community Day, hosted here on Tuesday, was a great success, with about 50 attendees coming together for a full day of presentations and discussions centering on OpenSSO. I've started uploading slides to the event wiki page - more will arrive over the next few days as I receive them from the presenters.

Felix Gaehtgens managed to corner me on the Sun booth on Wednesday - here's what I had to say about the OpenSSO Community Day and the latest Fedlet news:

About a month ago, Nick mentioned a presentation that Chris Lucock, head of Enterprise Architecture desktop products for Thomson Reuters, had given at March's Gartner Identity & Access Management Summit in London. The video for this presentation has just gone online and, like the last Gartner video I blogged, by Damo Bashyam of Verizon Wireless, it's got some great information on a large scale real world deployment of OpenSSO Enterprise.

In the video, Chris explains how OpenSSO is on track to provide single sign-on across Thomson Reuters' Markets services to 330,000 users worldwide by the end of 2011. In many ways it's a very different deployment to Verizon Wireless; 1% of the user base in terms of sheer numbers, but far more complex in terms of the services provided. One example: Thomson Reuters have implemented 'exclusive access', controlling the numbers of concurrent users of third party services (and thus Thomson Reuters' costs) by ensuring that each user only has a single session active at any time, for example, terminating a desktop session left open over lunch when a user logs in from their mobile phone. Another good one: single sign-on is provided across services delivered by the public internet and Thomson Reuters' private network, again allowing cost savings as streaming video can be more cheaply delivered via the internet while sensitive financial data is more tightly controlled.

There's much more in the video, including integrations with Siebel and the Reuters Messaging product, so spend a few minutes with Chris, exploring OpenSSO at Thomson Reuters...

It's been possible to configure OpenSSO for single sign-on (SSO) to Google Apps ever since Google implemented the SAML 2.0 protocol for federated SSO back in 2006. Last year, I covered Wajih Ahmed and Marina Sum's article on implementing SSO between OpenSSO and Google Apps, which described precisely how to quickly get it up and running. The process took about 10 or 15 minutes, but involved editing an XML configuration file, which does introduce some, uh, opportunity for user error.

So, we looked at how we could streamline the process, making it as foolproof as possible, and, in OpenSSO Express Build 7, built a task flow specifically for federating with Google Apps. The new task flow is described in one of the first open source starter kits for Sun's identity products - Federating to Google Apps with OpenSSO (the other starter kit covers setting up OpenDS as a Naming Service for OpenSolaris). We now have the process down to less than four minutes, and it's so easy, even a smoking monkey can do it

We released four new 'version 3.0' policy agents for OpenSSO today:

• Apache Tomcat 6.x - documentation, download
• IBM WebSphere Application Server 6.1/7.0 - documentation, download
• JBoss Application Server 4.x - documentation, download
• Sun Java System Proxy Server 4.0 - (documentation link coming soon), download

These join the existing version 3.0 policy agents for Sun Glassfish Enterprise Server (formerly known as Sun Java System Application Server) 8.x/9.x (documentation, download) and Oracle/BEA WebLogic Server/Portal 10 (documentation, download). While the 3.0 agents add centralized configuration and some other features, it's important to note that all of the version 2.2 agents are tested and supported with OpenSSO.

A celebration this week and events over the next month in the world of OpenSSO...

• OpenSSO is 1000 members strong! Many more than 1000 people have downloaded OpenSSO (in fact, there are well over 1000 downloads every month), but 1000 people have registered at opensso.dev.java.net to be able to participate in the mailing lists and forums, and to be able to file and track issues. All I can say is... wow!
• If you're going to the RSA Conference next week at the Moscone Center in San Francisco, don't miss The Smoking Monkey and I presenting A Pragmatic Approach to Building Identity Management for the Enterprise. We'll be in the Briefing Center on Wednesday April 22, 2009 at 5:30pm. More details and a qualification code for a FREE Expo pass [PDF].
• If, on the other hand, you're planning to take in the MySQL Conference next week, at the Santa Clara Convention Center, the OpenSSO team's very own Sean Brydon will be moderating a 'birds of a feather' (BoF) session - Using the OpenSSO Project and MySQL to Secure Users and Applications - at 8:30pm on Tuesday April 21st, 2009 in Ballroom C. If you're thinking of coming, but hadn't planned to attend the MySQL Conference, you might be interested to know that a $25 Exhibit Hall Only Pass will get you into all the BoF's. Register Here.
• A little bit further out, registration is still open for the second OpenSSO Community Day, to be held at the Forum am Deutschen Museum in Munich (hosted by the European Identity Conference 2009) on Tuesday May 5th 2009. The first Community Day last month in New York City was a great success, with nine sessions on a variety of identity-related topics. We'll be using the 'unconference' format again in Munich, so come along and join in!
• At the European Identity Conference proper, I'll be participating in the Realigning AuthZ and Access Control with the Business panel, alongside Bavo De Ridder (De Ridder Consulting), John Aisien (Oracle), Kim Cameron (Microsoft), Keith Grayson (SAP) and Finn Frisch (Axiomatics), at 11:30am on Wednesday May 6th, 2009. If you're staying in Munich for the entire week, be sure to catch Sun's Dr. Steffo Weber and Abdi Mohammadi, along with Vittorio Bertocci of Microsoft for Hands-On SOA and Web Security with the Geneva Framework and with OpenSSO.
• Alternatively, later that same week are Sun Microsystems' Northern Europe Open IAM User days. Spanning Thursday and Friday May 7th-8th, 2009, the user days will be held at Sun's Belgian office at Zaventem, just east of Brussels. I'll be speaking on Thursday, when we'll be focusing on OpenSSO and OpenDS, while Friday will be more oriented towards Sun Identity Manager and Sun Role Manager. Register now for what promises to be a fascinating couple of days.

So - there you have it - a packed few weeks in OpenSSO-land, and evidence that the OpenSSO community is as active IRL (in real life) as on IRC (Internet relay chat)

As announced yesterday on the OpenSSO users mailing list, OpenSSO Express Build 7 is now available!. Congratulations and thanks to the OpenSSO team for their hard work, and to the whole OpenSSO community for continued support in the form of issue reports, patches and other contributions.

So, what's new in Express Build 7? Here are some highlights - full details are in the release notes

• The first phase of support for OpenDS as an external user store.
• Easy single sign-on integration with Google Apps.
• The Fedlet can now sign the SAML 2.0 authentication request and decrypt encrypted attributes in the response.
• Virtual Federation (also known as SAE) now supports encrypted attributes.
• IBM WebSphere Application Server 7.0, Oracle WebLogic Server 10g Release 3 (10.3) and GlassFish Prelude 3 are now supported web containers.
• About a gazillion other enhancements and fixes.

The other question going through your mind may be "What on earth is an 'Express Build', anyway?". The short answer is that an OpenSSO Express build is a supported 'snapshot' of development between full 'OpenSSO Enterprise' releases. The long answer is on the OpenSSO wiki.

Following in Ludo's footsteps I have to say thank you to Marina for getting OpenSSO onto the java.net front page:

As Ludo mentioned, Marina is looking for new opportunities - if you need a top flight technical author, then email me at and I'll pass your message on to her.

As always, a bumper crop of OpenSSO news from the last couple of weeks...

• One piece of advice I often give to people wrestling with tricky issues relating to redirects and cookies is to download the LiveHTTPHeaders Firefox plugin, or its IE equivalent ieHTTPHeaders. In Troubleshooting OpenSSO with Firefox Add-Ons, Jim Faut and Rick Palkovic explain just how to use LiveHTTPHeaders and HackBar, which is a new one on me. Where LiveHTTPHeaders gives you detail on the HTTP requests and responses flying back and forth, HackBar lets you drill into the associated data, removing layers of URL and Base64 encoding from URL parameters and HTTP headers. Jim and Rick get right into the detail of the OpenSSO login process, using the tools to uncover what is really going on. A great read for anyone wanting to go under the covers of OpenSSO.
• One that got away from me here on Superpatterns, though Eduardo covered it at The Aquarium - Sidharth Mishra, OpenSSO Technical Product Manager and Ajay Sondhi, OpenSSO Deployment Engineering Manager, presented a webinar last week covering OpenSSO - Overview, Stories and Roadmap last week as part of The Aquarium Channel. Ajay's section includes details of the Verizon Wireless deployment I've mentioned before, so this is well worth investigating if you're interested in ultra high-scale OpenSSO deployments.
• We just got done with CommunityOne East, last week in New York City, CommunityOne West will run alongside JavaOne in San Francisco in June, but did you know about CommunityOne North? On April 15th, CommunityOne comes to the Folketeatret in Oslo, Norway. Flying the flag for OpenSSO will be Jonathan Scudder, a consulting identity architect, with a session on Developing Secure Web Services for the Cloud. More details at the Community One North Content Catalog - Jonathan's session is at 13:00 in Breakout 1.
• While we're 'out in the community', Qingfeng Zhang, a Senior Java Developer at the University of New South Wales, Australia, has posted a video showing how to install and configure OpenSSO on Tomcat on Windows. I know folks often stumble when deploying OpenSSO on Tomcat, since, compared to GlassFish, there are a couple of additional steps required. Qingfeng's video clearly shows how to get it done.
• Back at Sun, Metro supremo Harold Carr presented at the Utah Java Users Group last week on Metro, Jersey, GlassFish, OpenESB and OpenSSO - a real whirlwind tour, particularly since he only had a 20 minute slot! Harold has posted slides, plus Q&A and other notes from the session.
• Finally, DocTeger has rewritten Chapter 11 of the Sun OpenSSO Enterprise 8.0 Technical Overview: Choosing a Federation Option. The new version is much clearer on the relative positions of the various federation protocols - use SAML 2.0 where possible, WS-Federation if you really need to integrate with ADFS, and SAML 1.1 or Liberty ID-FF only if you're connecting to partners with no SAML 2.0 capability. Great job, Michael!

That wraps things up for another week - I'm off to jump in the Patmobile and brave 101. See you next time!