Wednesday Jul 01, 2009

VALid Authentication for OpenSSO

Validsoft's VALid provides out-of-band multi-factor Authentication. I allows for instance to validate a user's identity to ring back the individual on a registered phone number or send SMS in order to obtain a PIN code which needs to be entered in the login screen.
I made a first cut of a VALid authentication module available as an OpenSSO extension. It allows 2nd-factor authentication through mobile callback and SMS. It doesn't however cater for the display of progress messages in the login process and the flexibility to let the user pick the callback type.
In order to compile and run it you need to get the VALid client libraries from ValidSoft ( - of which you probably got the VALid server in the first place.

Here's the source code:

Creating a SAML Assertion with OpenSAML

Here's handy way to create a SAML assertion programmatically using OpenSAML (

xalan.jar (2.7.1), xercesImpl.jar, xml-apis.jar,
opensaml-1.1.jar, xmlsec-20050514.jar,
log4j-1.2.5.jar, commons-logging-1.03.jar, commons-codec-1.3.jar
Here's the Java Source:
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.opensaml.\*;

import java.util.Date;
import java.util.HashSet;

public class AMUserAssertion {

   private static String strIssuer = "Example:FrontEnd";
   private static String strNameID = "testUserID";
   private static String strNameQualifier = "Example:FrontEnd";
   // private static String strNamespace = "urn:oasis:names:tc:SAML:1.0:assertion";
   private static String strNamespace = "urn:bea:security:saml:groups";
   private static String strAttrName = "Groups";
   private static String strAuthMethod = "SunAccessManager";

   public static void main(String args[]) {
      try {
          // Crate the assertion
         SAMLAssertion assertion = new SAMLAssertion(strIssuer, null, null, null, null, null);
         // Create the subject
         SAMLSubject subject = new SAMLSubject(new SAMLNameIdentifier(strNameID, strNameQualifier, SAMLNameIdentifier.FORMAT_UNSPECIFIED), null, null, null);


         // Create the authentication statement
         Date date = new Date();
         SAMLAuthenticationStatement authStatement = new SAMLAuthenticationStatement(subject, strAuthMethod, date, null, null, null);


         // Create the attribute statement
         SAMLAttribute attrGroups = new SAMLAttribute(strAttrName, strNamespace, null, 0, null);
         // Here some hardcoded values for the groups attributes

         HashSet set = new HashSet();

         SAMLSubject subject2 = (SAMLSubject) subject.clone();
         SAMLAttributeStatement attrStatement = new SAMLAttributeStatement(subject2, set);


         SAMLDoNotCacheCondition condition = new SAMLDoNotCacheCondition();

         System.out.println("AMUserAssertion 1:\\n"+assertion.toString());
      catch (Exception e) {
The output looks like:
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="" xmlns:xsi="" AssertionID="_4e138dee03e2e826b58b9310e2d8a1e5" IssueInstant="2009-07-01T10:03:06.103Z" Issuer="PND:FrontEnd" MajorVersion="1" MinorVersion="1">
   <AuthenticationStatement AuthenticationInstant="2009-07-01T10:03:07.078Z" AuthenticationMethod="SunAccessManager">
         <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="PND:FrontEnd">testUserID</NameIdentifier>
         <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="PND:FrontEnd">testUserID</NameIdentifier>
      <Attribute AttributeName="Groups" AttributeNamespace="urn:bea:security:saml:groups">

Monday Jan 26, 2009

Identity Management for Virtual Desktop Infrastructure (VDI): A Demo

Simply speaking, a virtual desktop is a desktop in form of a virtual image (e.g. VMWare, xVM Virtual Box) and virtual desktop infrastructure are the means to deliver the virtual desktop to the user.

With desktops and a smart cards (e.g. for Sun Ray access) being user assets, Sun's Identity Management provides a number benefits for managing them. It allows for instance the assignment of desktops and smart cards as part of a typical HR driven user on-boarding process with approvals, notifications and reports. Another crucial element in the user life cycle is de-activation, where Sun IdM provides the platform to assure that when a user is disabled, the user assigned assets are disabled or even unassigned as well.

Paul Walker and myself put together a demo around these use cases which is at

The products integrated in this demo include Sun VDI (xVM Virtual Box, Sun Ray Server, Virtual Desktop Connector, Secure Global Desktop, MySQL) and Sun Identity Management (Identity Manager, OpenSSO, OpenDS, DSEE, MySQL).

Friday Oct 03, 2008

Secure Global Desktop and OpenSSO Single Sign-On

Sun Secure Global Desktop can be nicely integrated in a web access management infrastructure based on OpenSSO for single sign-on and authorization. Here's a paper I published with the OpenSSO community on how to do this:

Thursday Dec 13, 2007

OpenSSO, WS-Federation & IBM DataPower

I wrote-up the procedure I used in a recent PoC to setup OpenSSO/FAM as a multi-protocol federation hub for single sign-on with ADFS (through WS-Federation) and IBM DataPower (through SAML1.1 and SAML2). This contains a lot more detail than my last blog entries.

The document is available as part of the OpenSSO project at:

It is also linked of the articles and procedures pages:

The direct link to the .pdf is:

Enjoy and let me know your comments.

Monday Dec 10, 2007

OpenSSO and WS-Federation: PoC ready and more !

It was surprisingly easy to setup FAM/OpenSSO Build 1 for single sign-on with ADFS through WS-Federation. The HowTo-Guide from OpenSSO and especially the ADFS Step-by-step guide (referenced in the document) were really helpful.
The biggest pain turned out to be the setup of the ADFS forest through the ADFS GUI (granted, I am wasn't familiar with it beforehand). The configuration of FAM/OpenSSO through metadata was however very straightforward.

Friday Dec 07, 2007

OpenSSO (FAM) Single Sign-On with IBM DataPower

In a recent customer proof-of-concept/prototype I integrated with my esteemed colleague Sergio O., OpenSSO and IBM DataPower for single sign-on. It appeared to be easier and quicker than I initially thought. Here's how it worked for us:

IBM DataPower can be configured in many different ways. In our case it is used a an XML firewall which exposes endpoints that asserting parties can post SAML assertions to (SAML 1.1 and SAML2). DataPower proceeds as follows :
1.) Receive SAML assertion (through HTTP-POST)
2.) Verify assertion signature
3.) Extract user name from the NameIdentifier (SAML1.1) or NameID (SAML2) field
4.) Issue appropriate LTPA token to user

IBM DataPower was also configured to POST SAML (1.1 and 2.0) to specific endpoints (relying parties, here FAM) upon initiation by user (e.g. click a link or button).

In order to achives bi-directional SSO based on SAML, we were faced with the following challenges:

- Certificates
DataPower needs to be configured so that it can validate the signature by FAM. FAM in turn needs to be configure with the asserting parties signature key (through metadata).

- User name mapping
The NameIdentifier (SAML1.1) and NameID (SAML2) tags had to match the Websphere username that DataPower issues an LTPA token for. This requires a custom NameIdentifier mapper for SAML1.1 that injects only the RDN attribute value rather than the user DN in the NameIdentifier tag. For SAML2 it had to be a custom IDP account mapper that does the same and sets the NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

- Craft DataPower Metadata
This is relativly easy from a template generated by famdadm. It is important to include the correct certificate though.

- Correct DataPower's Assertions
We had to correct some elements in the SAMLResponse sent by DataPower like the presence of the ResponseTo field of an unsolicited response. The debug logs (when log level set to message) really helped here (files libSAML and libSAML2).

Hopefully getting this in a more detailed paper soon.

Thursday Oct 11, 2007

The value of OpenSSO to build Access Manager prototypes and PoCs !

Over the last couple of months I built various prototypes and PoCs for customers to evaluate Sun Access Manager. The fact that the Access Manager source code repository is public provided and provides significant advantages in this process. And here's how.

\* Rapid and controlled customization
Situation: Before authenticating a user against an LDAP authentication module, it needs to be verified with the identity management system in place if the user is active. This translates into a custom authentication module with an API call to the external identity management system.
The value of OpenSSO: Developping a custom LDAP authentication module with the additional functionality is the traditionally supported way. However this introduces the risk that comes with re-writing a core piece of the security infrastructure (the LDAP authentication module). OpenSSO provides the source code of the standard LDAP authentication module (along with a build environment). Adding 10 lines of code and rebuilding the module from OpenSSO is not only a rapid but more importantly a low risk approach to customization here.

\* Technology Partner Integration
Situation: For a prototype a custom authentication module for a particular strong authentication provider was build. Following this exercise, various parties volunteered to own and maintain the element. However we quickly figured that the right way to maintain this is inside OpenSSO. The technology partner gets great visibility within OpenSSO and to the community. The commity gets the obvious benefit of more functionality.

\* Prototypes with "Early Access" software
With OpenSSO and a community strongly backed by Sun engineering, we build prototypes with much better early access bits (than before) while still getting some level of support (through the community).

I'll bump across further elements - and will post them here.

Wednesday Oct 03, 2007

FAM 8 Build 1 Available Now !

The first build of Sun Federated Access Manager (FAM) 8.0 off the OpenSSO code base is available at A milestone in converging the code bases for Access Manager, Federation Manager and OpenSSO.

FAM 8.0 features and timeline are briefly described by the Daniel of the PM team at his blog




« June 2016