Monday Dec 10, 2007

OpenSSO and WS-Federation: PoC ready and more!

It was surprisingly easy to set up FAM/OpenSSO Build 1 for single sign-on with ADFS through WS-Federation. The HowTo guide from OpenSSO and especially the ADFS step-by-step guide (referenced in the document) were really helpful.
The biggest pain turned out to be the setup of the ADFS forest through the ADFS GUI (granted, I wasn't familiar with it beforehand). The configuration of FAM/OpenSSO through metadata was, however, very straightforward.

Friday Dec 07, 2007

OpenSSO (FAM) Single Sign-On with IBM DataPower

In a recent customer proof-of-concept/prototype I integrated, with my esteemed colleague Sergio O., OpenSSO and IBM DataPower for single sign-on. It turned out to be easier and quicker than I initially thought. Here's how it worked for us:

IBM DataPower can be configured in many different ways. In our case it is used as an XML firewall which exposes endpoints that asserting parties can post SAML assertions to (SAML 1.1 and SAML 2.0). DataPower proceeds as follows:
1.) Receive SAML assertion (through HTTP-POST)
2.) Verify assertion signature
3.) Extract user name from the NameIdentifier (SAML1.1) or NameID (SAML2) field
4.) Issue appropriate LTPA token to user

IBM DataPower was also configured to POST SAML (1.1 and 2.0) to specific endpoints (relying parties, here FAM) upon initiation by the user (e.g. clicking a link or button).

In order to achieve bi-directional SSO based on SAML, we faced the following challenges:

- Certificates
DataPower needs to be configured so that it can validate FAM's signature. FAM in turn needs to be configured with the asserting party's signing certificate (through metadata).

- User name mapping
The NameIdentifier (SAML 1.1) and NameID (SAML 2.0) elements had to match the WebSphere user name that DataPower issues an LTPA token for. This requires a custom NameIdentifier mapper for SAML 1.1 that puts only the RDN attribute value, rather than the full user DN, into the NameIdentifier element. For SAML 2.0 it had to be a custom IDP account mapper that does the same and sets the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

- Craft DataPower Metadata
This is relatively easy starting from a template generated by famadm. It is important to include the correct certificate though.

- Correct DataPower's Assertions
We had to correct some elements in the SAMLResponse sent by DataPower, such as the presence of an InResponseTo attribute on an unsolicited response (an IdP-initiated response must not carry one). The debug logs (with the log level set to message) really helped here (files libSAML and libSAML2).
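The user name mapping and the unsolicited-response check above, worked through in Python as an added example. This is not OpenSSO's IDPAccountMapper/NameIdentifierMapper code and not DataPower configuration; the issuer URL, the DataPower endpoint URL and the sample DN are constructed for the example, and signing/signature verification (the certificate point above) is left out. It derives the RDN value from a DN, builds an IdP-initiated SAML 2.0 Response in the shape DataPower expected (no InResponseTo, NameID = RDN value, Format unspecified), and applies the relying-party checks before handing back the user name that DataPower would issue the LTPA token for.

```python
"""Added example (not OpenSSO's or DataPower's own code): NameID mapping and
unsolicited-response checks in stand-alone Python. Assumptions: the IdP-side
mapper emits the first RDN value of the user DN; the RP side accepts an
IdP-initiated SAML 2.0 Response only without InResponseTo and then reads the
user name from NameID. Signature handling is out of scope here."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ET.register_namespace("samlp", SAML2P)
ET.register_namespace("saml", SAML2)


def rdn_value(dn: str) -> str:
    """Value of the first RDN of an LDAP DN, honouring backslash escapes:
    'uid=jdoe,ou=people,dc=example,dc=com' -> 'jdoe'. This is what the custom
    account mapper emits instead of the full DN, because DataPower issues the
    LTPA token for a bare WebSphere user name."""
    chars, escaped = [], False
    for ch in dn:
        if escaped:
            chars.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            break
        else:
            chars.append(ch)
    _attr, sep, value = "".join(chars).partition("=")
    if not sep or not value.strip():
        raise ValueError(f"not an attribute=value RDN: {dn!r}")
    return value.strip()


def _saml_id() -> str:
    return "_" + secrets.token_hex(16)  # xs:ID must not start with a digit


def build_unsolicited_response(user_dn: str, issuer: str, destination: str) -> str:
    """IdP-initiated (unsolicited) SAML 2.0 Response shaped as the custom mapper
    would: no InResponseTo anywhere, NameID = RDN value, Format = unspecified.
    Unsigned here; in the real flow FAM signs it with the key in its metadata."""
    now = datetime.now(timezone.utc)

    def stamp(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    resp = ET.Element(f"{{{SAML2P}}}Response", {
        "ID": _saml_id(), "Version": "2.0", "IssueInstant": stamp(now),
        "Destination": destination})
    ET.SubElement(resp, f"{{{SAML2}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAML2P}}}Status")
    ET.SubElement(status, f"{{{SAML2P}}}StatusCode", {"Value": STATUS_SUCCESS})
    assertion = ET.SubElement(resp, f"{{{SAML2}}}Assertion", {
        "ID": _saml_id(), "Version": "2.0", "IssueInstant": stamp(now)})
    ET.SubElement(assertion, f"{{{SAML2}}}Issuer").text = issuer
    subject = ET.SubElement(assertion, f"{{{SAML2}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML2}}}NameID", {"Format": NAMEID_UNSPECIFIED})
    name_id.text = rdn_value(user_dn)
    conf = ET.SubElement(subject, f"{{{SAML2}}}SubjectConfirmation", {"Method": CM_BEARER})
    ET.SubElement(conf, f"{{{SAML2}}}SubjectConfirmationData", {
        "Recipient": destination, "NotOnOrAfter": stamp(now + timedelta(minutes=5))})
    return ET.tostring(resp, encoding="unicode")


def extract_user_from_unsolicited(xml_text: str, expected_recipient: str) -> str:
    """Relying-party side (DataPower's step 3 above): accept an unsolicited
    Response and return the user name, or raise ValueError. Signature
    verification (step 2) must already have passed before this is called."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2P}}}Response":
        raise ValueError("not a samlp:Response")
    if "InResponseTo" in root.attrib:
        raise ValueError("unsolicited Response must not carry InResponseTo")
    code = root.find(f"{{{SAML2P}}}Status/{{{SAML2P}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("status is not Success")
    assertion = root.find(f"{{{SAML2}}}Assertion")
    if assertion is None:
        raise ValueError("no plain Assertion (encrypted assertions not handled here)")
    name_id = assertion.find(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("missing NameID")
    # SAML 2.0 Core: an absent Format means unspecified.
    if name_id.get("Format", NAMEID_UNSPECIFIED) != NAMEID_UNSPECIFIED:
        raise ValueError(f"unexpected NameID Format {name_id.get('Format')}")
    scd = assertion.find(f"{{{SAML2}}}Subject/{{{SAML2}}}SubjectConfirmation/"
                         f"{{{SAML2}}}SubjectConfirmationData")
    if scd is not None:
        if "InResponseTo" in scd.attrib:
            raise ValueError("SubjectConfirmationData must not carry InResponseTo either")
        if scd.get("Recipient") not in (None, expected_recipient):
            raise ValueError("Recipient does not match this endpoint")
    user = name_id.text.strip()
    if "=" in user:  # heuristic: the mapper was not applied and a DN leaked through
        raise ValueError(f"NameID looks like a DN, not a user name: {user!r}")
    return user


if __name__ == "__main__":
    # Constructed sample values, not real deployment URLs.
    idp, rp = "https://fam.example.com/opensso", "https://datapower.example.com/saml/post"
    xml = build_unsolicited_response("uid=jdoe,ou=people,dc=example,dc=com", idp, rp)
    print(extract_user_from_unsolicited(xml, rp))
```

The DN check at the end is what turns the mapping problem into a fail-closed condition: if the standard mapper is accidentally left in place and the full DN arrives as NameID, DataPower would otherwise try to issue an LTPA token for a user that does not exist in WebSphere, and the failure shows up far from its cause.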

Hopefully I'll get this into a more detailed paper soon.

Thursday Oct 11, 2007

The value of OpenSSO to build Access Manager prototypes and PoCs !

Over the last couple of months I built various prototypes and PoCs for customers evaluating Sun Access Manager. The fact that the Access Manager source code repository is public provided, and continues to provide, significant advantages in this process. Here's how.

\* Rapid and controlled customization
Situation: Before authenticating a user through the LDAP authentication module, it must be verified against the identity management system in place that the user is active. This translates into a custom authentication module with an API call to the external identity management system.
The value of OpenSSO: Developing a custom LDAP authentication module with the additional functionality is the traditionally supported way. However, this carries the risk that comes with rewriting a core piece of the security infrastructure (the LDAP authentication module). OpenSSO provides the source code of the standard LDAP authentication module (along with a build environment). Adding 10 lines of code and rebuilding the module from OpenSSO is not only a rapid but, more importantly, a low-risk approach to customization here.

\* Technology Partner Integration
Situation: For a prototype, a custom authentication module for a particular strong-authentication provider was built. Following this exercise, various parties volunteered to own and maintain the module. However, we quickly figured out that the right place to maintain it is inside OpenSSO. The technology partner gets great visibility within OpenSSO and to the community. The community gets the obvious benefit of more functionality.

\* Prototypes with "Early Access" software
With OpenSSO and a community strongly backed by Sun engineering, we build prototypes with much better early-access bits (than before) while still getting some level of support (through the community).

I'll come across further elements - and will post them here.

Wednesday Oct 03, 2007

FAM 8 Build 1 Available Now!

The first build of Sun Federated Access Manager (FAM) 8.0 off the OpenSSO code base is available at A milestone in converging the code bases for Access Manager, Federation Manager and OpenSSO.

FAM 8.0 features and timeline are briefly described by Daniel of the PM team at his blog.



