Friday Feb 29, 2008

Identity Management, FAM 8, Policy Agent 3.0, and Glory

In the following blog entry, Policy Agent 2.2 With Access Manager 7.1, I compared Policy Agent 2.2 to marathon runner Derek Clayton because they both exemplify high endurance. Well, I have another similar comparison to make. This comparison has to do with Sun's Identity Management suite and Sun's attitude toward identity management in general.

First, let me give you a little Sun identity management background:

Sun Java Identity Manager continues to be the absolute power house in user provisioning:

Moreover, Gartner has also just placed Sun in the Magic Quadrant for the web access management (WAM) market: Magic Quadrant for Web Access Management

That puts Sun in the leader's pack. However, with Federated Access Manager 8.0 coming out, including Policy Agent 3.0, Sun is getting ready to break from the pack.

Okay, so given that background, if Sun's identity management suite were a runner, it would be this runner:

Paula Radcliffe, New York Marathon 2007

I'm talking about the leader in this photo. She's Paula Radcliffe, the British long distance runner. Her personal best in the marathon is the world record of 2 hours 15 minutes and 25 seconds. There are very few men in the U.S. today that could run that fast. The second fastest time by a woman is more than three minutes slower than that.

Some years back, amongst the most elite, Paula was a middle of the pack runner. Her running form has even been criticized. She kind of bobbles her head when she runs. But she persevered. She analyzed everything about her diet and training and tried new things. Icing down her legs after a training run, weight training, physical therapy, shoes, clothing, you name it. She even looked at the bobble of her head before deciding not to tweak that particular aspect of her running form. Her improvement was slow and steady and she kept tweaking things here and there until she became best of the best. Still, she's had disappointments. She doesn't win every single race she enters. She was struggling during the 2004 Olympics and dropped out at around the 23 mile mark. Recently, she had a baby and tried to come back real quick but found that she had to take her time. She seems to be back in form, though, winning the New York Marathon in 2007. She'll be competing in the 2008 Olympics in Beijing. Her future is looking bright. So, yeah, Sun's identity management suite is a bit like that.

Sun's commitment to identity management has been clear to me in a visceral sense for years. However, I never could articulate that importance until about a year back. I was reading the white paper Positioning Federated Identity For The UK Government by Sun's very own Robin Wilton, when suddenly there it was:

Sun's vision and the role of identity

Sun is known for its original corporate vision that “the network is the computer”, a vision since supplemented with the idea of “everything of value connected to the network”. There is a strong technological dimension to Sun's vision statements - but they are also important for what they imply about identity, authentication, authorisation, access control, trust and privacy. The more we assume that everything of value is connected to the network, the more vital it is that identity, appropriate access and online trust form the foundations of online service provision.

I couldn't have said it better myself. And trust me, I tried. That's it. That's why Sun must succeed in the identity management space. I would say the importance of identity management to Sun is something along these lines:

By hook or by crook, through hell and high water, Sun absolutely, positively must ensure that the identity management available for Sun systems is top notch, best of breed, as good as it gets. Sun's very survival depends on it.

It's an attitude. I imagine that Paula Radcliffe feels driven in a similar fashion. Her very survival isn't at risk, and yet her status as the greatest female runner in the world is. So, in such a situation, you search for what works and you do it. For Sun, it means embracing open source and embracing non-Sun platforms, R&D, acquisitions, blood, sweat, and tears: experiment, tweak, pay attention, analyze, repeat. You don't win them all, but you always keep a can-win attitude, and you learn. Then you go back to the drawing board: experiment, tweak, pay attention, analyze, repeat.

When it comes to web access management, Sun has been very attentive to the market and is incorporating big changes in Federated Access Manager 8.0 and Policy Agent 3.0.

Daniel Raskin explained a great deal of this in two blog entries about the FAM 8 roadmap back in September:

Especially since Access Manager and Federation Manager are being combined in FAM 8, there's a huge emphasis on simplifying the customer experience. I write Policy Agent documentation, and Policy Agent 3.0 is the new version of Policy Agent that coincides with FAM 8. The big, big thing here is that FAM 8 provides centralized agent management with Policy Agent 3.0. This is huge. Customers have had to manage agents one at a time in the deployment container. Still Sun has had a very competitive product. With centralized agent management, Sun is really charging forward. Just saying "centralized agent management" is not enough to explain all the effort going into the agents to make them simpler to manage in so many ways. In time, you will see many things about Policy Agent 3.0 to be happy about. For now, here are a couple links to help you monitor what's going on with Policy Agent 3.0:

That first link above provides a lot of info, including some installation information.

In the Paula Radcliffe analogy, at this time, Sun is running amongst the front runners of the elite pack and is starting to focus on key factors that will launch it out to the very front with room to spare. Therefore, I'd say that in the identity management space, Sun hasn't yet run its 2 hour 15 minute and 25 second marathon, but it's coming up real soon. Just as I wouldn't bet against Paula Radcliffe in Beijing in 2008, I wouldn't bet against Sun in the identity management space. In fact, all indications are that Sun's the endurance athlete to beat in this race.

Monday Jul 09, 2007

Access Manager Policy Agent 2.2 & OpenSSO

I blogged about the OpenSSO project a while back, thusly: Open Source: Access Manager and Beyond

Well, it's not going away. Open source at Sun is for real and identity management has been moving full force ahead into the open source community.

I'm not perfectly clear on the info in this entry. Therefore, I might come back here to change things if I have my facts wrong, which is quite possible. I could use the community's input here more than usual. Please comment on this blog if you think you can help. Thanks.

Introduction to Policy Agent 2.2 & OpenSSO

As goes OpenSSO, so goes Policy Agent: That somewhat cryptic sentence means a few things, but one thing it means is that new happenings with Policy Agent (same for Access Manager and Federation Manager) are showing up on the OpenSSO site first. Discussions, bugs ("bugs" are called "issues" in the OpenSSO project), hints and clues to what's coming up: if they're to be had at all, they are out there.

Let me go over some of the reasons why you might want to continue to read this entry:

  1. To find out what's up and coming in Policy Agent 2.2
  2. To find out about Sun Java System Access Manager Policy Agent 2.2 for Sun Java Web Server 7.0
  3. To get a sense of how open & transparent Policy Agent is, as part of the OpenSSO project
  4. To learn how to get basic (unofficial) Policy Agent 2.2 install instructions for an agent before it's released (or even after it's released).

Being the technical writer for Sun Java System Access Manager Policy Agent, I tend to pay attention to agents in the Policy Agent software set. Well, they've been going open source for a little while now. It seems that all new agents will be part of the OpenSSO project.

So, new agents in the Policy Agent 2.2 software set are open sourced. Conceivably, you could contribute code to these agents. Even those of you who are not interested in contributing code to any of the agents in the Policy Agent software set, might have some interest in seeing what's going on with the upcoming agents.

What's Up and Coming in Policy Agent 2.2

If your question is, "Will a new agent be coming out for the Jin Web Server 12.7 (this is a fictitious web server name)?" Chances are that if the Jin Web Server isn't mentioned on OpenSSO, an agent in the Policy Agent software set will not be available for the Jin Web Server anytime soon. More specifically, if you see agent for Jin Web Server in the Nightly Builds, you'll know that the agent's release is probably imminent. Now, if you will be contributing code to the agents, then you'll love this stuff; but even if you aren't, there's info to be gleaned from this nightly build stuff, so you should at least "like" this stuff.

Policy Agent Builds on the OpenSSO Site

First let me run through how to view/access Nightly Builds in the OpenSSO project.

The link to the homepage of the OpenSSO project is as follows:

On the Nightly Builds page, in the left column you'll see Nightly Builds under the Downloads heading.

On that page you'll see the following downloadable items:

  • Access Manager
  • Open Federation Library
  • Open Federation
  • J2EE Agents
  • Web Agents

My interest here is in the last two items, "____ Agents." If you click J2EE Agents from that list, you'll get a list of builds. It won't take too many clicks to see, at this point in time, that it's all for "Agent for Sun Application Server." You'll often see a "V9." So, I think it would be safe to say that an agent is coming up soon named something like Policy Agent 2.2 for Sun Java System Application Server 9.SOMETHING, not to be confused with "Sun Java System Access Manager Policy Agent 2.2 for Sun Java System Application Server 9.0 /Web Services," which is an authentication agent specific to web services. So this will be another case where two agents have confusingly similar names.

If you were to look into Web Agents instead, you'd see a few web agents. For example, you could click "latest" on that page to see the latest builds. If you're doing this in July of 2007, one of the agents you should see is "Agent for Sun Java System Web Server 7.0." In fact, that agent is now available for download and I don't mean from the OpenSSO site. It's been promoted from the OpenSSO site (though, still available out there) to the official Sun download site, available from this page: Download Agent for Sun Java System Web Server 7.0

Getting Policy Agent Installation Notes From the OpenSSO Site

But wait a minute, I haven't finished the document for Agent for Sun Java System Web Server 7.0 yet. I guess that just shows how effective this whole open-source thing is. They're getting software out so fast, I can't even get the related official documentation out at the same time. Well, I'm not really sure if that's what it shows, but I do know that the product is officially released and the document isn't.

Fret not (not that you were fretting), I'm going to explain how you can access basic (unofficial) Policy Agent 2.2 install instructions from the OpenSSO site. I'll be specifying Agent for Sun Java System Web Server 7.0, but it won't take much imagination to figure out how to get to the instructions for other agents as they become available.

By the way, moving Policy Agent 2.2 into the OpenSSO world has had some effect (though relatively minor) on the installation and configuration tasks. Hopefully, it will all be reflected in the documentation; that's the intention, anyway.

Now, let me provide an example of how to navigate through the OpenSSO site to get to the basic installation notes for Sun Java System Access Manager Policy Agent 2.2 for Sun Java Web Server 7.0 (other agents will be accessed in a similar but somewhat different way). This Web Server 7.0 agent example is especially useful (at this time) to those who want some sort of documentation on this agent before the official documentation is released.

  1. Go to
  2. In the left column, select Browse CVS
  3. In the list of files that are displayed, select products/
  4. In the list of files that are displayed, select webagents/
  5. In the list of files that are displayed, select docs/
  6. Select the appropriate platform: Linux, SunOS, SunOS i86pc, WINNT

For both the INSTALL.txt file and the README.txt file, select the revision in the REV column. At this time, the most recent revision is 1.2. The README.txt file is for would-be agent developers. The document explains how to build and compile an agent that you download from the OpenSSO project, with library and other dependencies described as well. The INSTALL.txt is targeted to people who retrieved the agent from the OpenSSO site. However, the document could be used, in an unofficial capacity mind you, for an agent, for example Agent for Sun Java System Web Server 7.0, downloaded from the official Sun download site.

Though, I've provided the navigation above to these files, the following are direct links to the 1.2 revisions of the README.txt and INSTALL.txt files associated with Agent for Sun Java System Web Server 7.0:

More About Policy Agent and the OpenSSO Project

As more agents get developed through OpenSSO, there will be a greater need to get involved with the OpenSSO project to follow an agent that is of interest to you. This is a good thing. You can track agents better in OpenSSO than those developed prior to OpenSSO because it's open. Now, you have more ways of discussing issues and questions that come up around Policy Agent. You also can track issues (or "bugs" if you prefer that term, but I'm calling them "issues" from here on out) that are filed against an agent.

Viewing Policy Agent Issues in the OpenSSO Project

Can I get a little help here? Please add a comment if you can. It would be great if the community can assist here. Are people looking for issues related to Policy Agent in the OpenSSO project? If so, what works for you?

Issue Tracker is the tool used to file and track issues in the OpenSSO project.

I did the following to search for Policy Agent related issues in Issue Tracker (of course, pick the options that fit your situation. Any tips or suggestions here?):
  1. Visit the OpenSSO homepage.
  2. In the left column, click Issue Tracker.
  3. Click Reports.
  4. Specify options (Examples are provided)
    • View: Open Issues
    • Type: DEFECT
    • Containing: agent
    • Rows: Subcomponent
    • Columns: Priority
  5. Click Generate Report
    You'll see a list of subcomponents. One subcomponent is J2EE agents and one is Web agents. The issues are listed by priority. You can click the number of Total issues for a subcomponent or the number of issues at a certain priority. The following link shows the page generated when one selects the options shown above: An example report, where the goal is to list all Policy Agent issues.

Discussing Policy Agent Amongst the OpenSSO Community

You can get info in a number of ways, as listed in the left column of the OpenSSO homepage under the heading Discussions. There's also a Discussions web page that provides a bit of a description of the various discussion types. Here's my take on these discussion types:

  • IRC Channel: I don't know much about IRC. The link didn't work for me in the Firefox browser. However, it did work in Mozilla. Nothing was going on at that time. So, I don't know much about IRC.
  • Mailing Lists: There are quite a few mailing lists. In my humble opinion is going to be the most used one. The description is "A general discussion list for the projects end users." I visited the "View mailing list archive" link. From there, I clicked around and saw that Policy Agent issues are discussed, mixed in with other topics.
  • Wiki: Well, there's something about an OpenSSO Setup out there. It mentions Apache agent. So, there's that. I don't have anything else to say about that.
  • Forums: At this time, the click you make into "Forums" basically just gives you the following description: "General discussion on opensso not covered by other forums." Actually, I've added a link to the OpenSSO forum in the right column of this blog. Anyway, back to the OpenSSO site, if you click General you'll see lots of "Subjects," some of them are about Policy Agent. This is good stuff.

Wednesday Jun 20, 2007

Quick and Clean Overview of Sun Java System Access Manager and Much More

In yesterday's entry, Getting timely Sun Java System Access Manager info, I should probably have hyped (I'm using "hype" as an intransitive verb, which shows how excited I am. In normal conditions, I would never do that.) more about the site that I mentioned at that time. The following is the link to that site, the Sun's Identity Management Solutions site:

Identity Management Solutions

I've been going through that site and there's lots of good stuff about identity management. For one, I learned that Pat Patterson has added a "stub" to Wikipedia for Sun Java System Access Manager. Here's the link to that Wikipedia entry:

Pat's blog entry was out there in the blog feed I mentioned in my blog entry yesterday. His blog entry might not be out there by the time you visit since new blog entries are fed out there (replacing the old) all the time. For example, the entry you're reading right now, yeah this one, will be out there soon (well, "soon," from my perspective).

I also came upon a very nice overview of Sun Java System Access Manager. Officially, I suppose it's called a "product data sheet." It provides a lot of key info in a succinct manner. It is a marketing piece (at least in my mind it is) and it does have a little obligatory marketing spin, especially in the first paragraph. However, once you get through that, it's mostly details and specifications. Here's the link:

Product Data Sheet: Sun Java System Access Manager

If you want the complete technical overview of Access Manager, you would want to look at the official documentation, depending on the Access Manager version, as such:

  • Sun Java System Access Manager 7.1 Technical Overview
  • Sun Java System Access Manager 7.0 Technical Overview

Besides that stuff, there's plenty of other good stuff out there, such as the following:

It's all good! And there's plenty more where that came from!

Thursday Jun 14, 2007

Why does "XACML support" not necessarily mean much?

I brought up this question in the following blog entry: Understanding the Web Access Management Market

In that entry, I talked about Burton Group analyst Mark Diodati's paper: Web Access Management Market 2007: Expanding Boundaries

The reason I brought up the question, "Why does XACML support not necessarily mean much?" was basically because I found that Mark's paper answered it. The quote I provided as an answer from Mark on this question was as follows: "It is unclear if additional services besides XACML R/R are required to provide true PDP-PEP interoperability."

In that paper, Mark went on to say the following: "Many of these concerns would be mitigated by a formal interoperability test among vendors, but none has been announced or planned."

That paper is dated May 31, 2007 and boom, Burton Group is announcing today (June 14, 2007) that the OASIS XACML Technical Committee has put together an interoperability project team that will put together a public XACML interoperability demo on June 28. That's pretty fast to go in one month from "no plan" to "having a conference." Here's the Burton Group blog entry on the topic:

Time for an XACML interop demo? YES!

Actually, it sounds like the XACML Technical Committee has been moving in this direction for a while. Still, it seems to me that Burton Group has a lot of influence in the area of identity management.

Wednesday May 30, 2007

Understanding the Web Access Management Market

Previously, in my So many access managers, so little time entry, I blogged about the Burton Group's, specifically Mark Diodati's, research of five players in the Web Access Management (WAM) market: CA, IBM, Oracle, RSA & Sun Microsystems. The disclaimer is that I work for Sun Microsystems.

Image from Burton Group Web Site

Well, Mark's done it again: only bigger and better than before and with more humor and clarity. If your organization manages or wants to manage access to web resources, this is must-know info. If you're just generally into technology, you might also find this paper useful. If you're a lounge singer, a brain surgeon, or a hermit, you might also be amused by this paper. One of the section headings in Mark's paper is "Federation and WAM: Best Friends Forever (BFF)". Now that's just plain funny, no matter what you do for a living. Are you telling me that's not funny? Anyway, there are other humorous section headings. I mean, in a dry (but very funny) kind of way.


The Title of the Research Paper

The paper is referred to as a Market Landscape paper. The title is Web Access Management Market 2007: Expanding Boundaries. Here's a teaser about the paper: This is just a Teaser.

The following is what I explained in my previous entry about Burton Group, in terms of accessing their research:

Your company has an annual subscription, you get everything. Your company doesn't have an annual subscription, you get a few things here and there. One can do a guest log in. Then you can get something. I have no idea what that will get you, but something free anyway.

The "Expanding Boundaries" part of the title is in reference to how the players in this market are not only improving upon the traditional functionality of WAM products, but they are introducing new functionality and greater interoperability.


Ten Players, Not Just Five

Mark has written five papers about individual WAM products. That's what my previous blog entry on this topic discussed. However, this market landscape paper covers ten companies: the five original and five more. For the five new companies, he provides a synopsis of their WAM product(s).


The Expanding Functionality

First, he goes through some of the new functionality being introduced in WAM products outside of the traditional functionality such as single sign-on (SSO) and authorization. He covers a few areas of new functionality, including the following: providing Web services security, XACML support, and integration with eSSO. For the expanding functionality, he provides a table that lists the ten players and explains what their product offers in that specific area of functionality.


Other Areas Covered

The paper also covers the traditional functionality of WAM products: things like what the basic components are and how such functionality can be achieved in different ways by different products, even how such basic functionality is improving. In addition, he discusses the many identity management vendor acquisitions.


Is the Paper Really So Clear?

Yes, I think it is. It could partially be that I'm getting used to this information and I'm simply starting to get it. But I think that Mark has provided key info in a few areas that allowed me to see the light where I did not see the light before. The following are examples of how things suddenly became clear to me. In the table below, the "Subject" represents an area where my understanding was lacking. The "Quoted Material" represents the exact wording from the paper that helped me understand things better. Of course it's out of context. It would be better to see the entire paper.

| Subject | Quoted Material |
| --- | --- |
| Why does "XACML support" not necessarily mean much? | It is unclear if additional services besides XACML R/R are required to provide true PDP-PEP interoperability. |
| WAM Integration with eSSO | In some respects, WAM systems and eSSO systems both provide SSO functionality to heterogeneous applications. However, eSSO systems work with non-web applications, require a client, and achieve SSO via the replay of user credentials (typically passwords). In contrast, WAM systems require only a browser, generally only work with web applications, and use a cryptographically protected session ticket compartmentalized in an HTTP cookie to provide SSO to heterogeneous applications. While minor overlap exists between the two product classes (i.e., providing SSO to web applications), these products are complementary. |
| Identity Administration Point (IAP) | It's helpful to think of IAPs as lightweight provisioning tools—tools that provision users to a single repository (usually Lightweight Directory Access Protocol [LDAP]), with limited workflow capabilities. |

Furthermore, I found areas that I understood somewhat well before to be even more clear to me after reading his paper. For example he explains how WAM products can usually support both reverse-proxy servers and endpoints, but that each WAM product is "architected toward one mechanism or the other." I don't know, that just makes it so much more clear than it was before. By the way, Sun Java System Access Manager is more endpoint centric.

I'll close with more or less what I said at the close of my previous blog entry on this topic, which was that if you're in the market for a WAM product make each company that's presenting to you do a proof of concept because this stuff is complicated. It's more clear than it was before (or that might just be me), but it's still complicated.

Nothing to see hear. No, really!!

Friday May 18, 2007

Sun is way ahead of the open source curve (maybe)

I like the following quote:

"So far, it has taken Sun about three years to get to the point it’s at in the big transition. If other companies follow and it takes as long, could that lead to an advantage for Sun as a company that’s ready to get on with it?"

The quote comes from David Berlind of ZDNET in his blog. The blog entry basically explains the accompanying podcast. David interviewed (in MP3 format) analyst James Governor of RedMonk. Both of these guys blogged about the interview. You can access the interview and listen to it from both of their blogs:

  1. David Berlind's Blog
  2. James Governor's Blog

They talk about a few things, but Sun gets a decent amount of attention in the second half of the interview. I would say their attitude toward Sun is controlled enthusiasm. To me it seems they're both giddy about Sun's open source approach of late.

They throw in the appropriate disclaimers, but in their conversation Sun was sounding real intelligent.

Of course, I'm always listening for anything about identity management. That's where James said he wanted to see Sun do more. It was just one quick sentence. I'd like to know "More in what areas of identity management and why?" I mean, how is Sun lacking? I hear things like this from time to time, but I'm not sure if the analysts who say such things have ideas where Sun is missing out. In James' case, I'm sure he has very clear ideas of what Sun should be doing, but I don't know exactly what those ideas are.

Anyway, I took the interview to be very, very positive. Unfortunately, it means we have to work extremely hard now. I say that because whenever there's positive news about Sun, immediately somebody says, "Yeah, but we still have a lot more work to do." This time I wanted to say it before somebody else did.

Tuesday May 15, 2007

Identity Management: SAP and others

Maybe it's just me, but this latest blog entry from Burton Group about SAP acquiring MaXware, which has a presence in identity management (specifically user provisioning), seems very exciting:

Why "exciting" exactly? Maybe because I blogged about Burton Group's coverage of the Web Access Management market and very much enjoyed doing so:

Maybe because Sun's all in and around the area of identity management and this promises to be fun.

Maybe it's just an insightful entry.

Maybe my perception of "exciting" has become thwarted and I need a vacation.

Tuesday May 08, 2007

JavaOne and Identity Management

I'll be attending JavaOne tomorrow, so I thought I'd get any info I could that has already gone on there or will go on there related to identity management.

First, while searching around, I saw I could create a profile and act like I'm a key player. That's what I've done, thusly:

Join Me at the 2007 JavaOne Conference Event Connect Tool!

Okay, I'm no cooler than I was before, probably a little less cool, but I have another bling-like thing on my blog.

Back to my Point:

There have already been some Sun blog entries that have the JavaOne/Identity Management connection going on, as such:


A few JavaOne sessions as shown in the link below are related to identity management (OpenSSO):

Identity Management Related Sessions


The JavaOne Pavilion has lots of exhibitors. The following URL lists all exhibitors, but at the bottom of the page is a list of exhibits (booths) that Sun has there.

All Exhibitors with Sun highlighted

The following link brings the description of the identity management exhibit to the top of the page:

Identity Management: 1 Identity 1 World

The following link brings the description of the OpenSSO/OpenDS exhibit to the top of the page:

OpenIdentity: OpenSSO and OpenDS

JavaOne Blogs:

Okay, the blogs listed at the following page don't necessarily have anything to do with identity management, but I liked the fact that there's a JavaOne Web page dedicated to blogs:

JavaOne Blog Page

Documentation-Related Exhibit:

There's another exhibit going on that I'll be interested in, though it has nothing to do with identity management. It has to do with creating a structured XML based documentation system. Get Java Technology Technical Publication Tools

What Have I Missed?:

Lots probably!

Friday Apr 06, 2007

So many access managers, so little time

If you want to learn a lot, fast, about what's available on the market for access management software products, two words, Burton Group. Access Manager this, Access Manager that, and Access Manager the other.

Image from Burton Group Web Site

What's My Point of Reference?

Again, I'm a technical writer for Sun Microsystems. I write about Sun Java System Access Manager, specifically the agents; by that I mean the Access Manager Policy Agent software set. Of course, the Burton Group has done research on Sun Java System Access Manager, but they've done research on several access managers (if I can be so bold to call them “access managers.”) The Burton Group calls the market for this product “Web Access Management Market.” If you want to make a competitive analysis, Burton Group is a good place to start. One thing I've learned in life, you can't be all things to all people. None of these Web Access Manager systems or WAMs, as Burton Group is calling them, is going to fit everyone. So, while Sun Java System Access Manager is obviously the best (a little humor), there's going to be some corner case (more humor) where it isn't the best choice.

Who/What is the Burton Group?

They provide research services in various areas. My interest is in the following area: Identity and Privacy Strategies Coverage Areas

It turns out that I have full access to all of Burton Group's research but, much to my dismay, it's not because I'm so charming. I work for Sun Microsystems and Sun has an annual subscription with Burton Group. That's the way it works. Your company has an annual subscription, you get everything. Your company doesn't have an annual subscription, you get a few things here and there. One can do a guest log in. Then you can get something. I have no idea what that will get you, but something free anyway.

I actually contacted Burton Group to ask if people could buy a research paper here or there from them. In a word, “No!” Now, I could just attach all the cool research papers I got right here in my blog, but I might go to jail: a lot of downside, not much upside.

The good thing for me is that they were the sweetest people in the world. My first thought was “Wow! Sun must be paying lots of money for this annual subscription.” But then I don't know. Usually, you can't even buy customer service like that. Still I'm not letting down my guard. As I've said before, “I guess I don't trust anybody...”

All the same, I think they go a long way to make things right. This is from their Web site:

Q: What is Burton Group's vendor-independence policy?

A: At Burton Group, we take pride in our vendor independence. More than 80 percent of Burton Group's customers are enterprise organizations, and our singular commitment to be an unbiased advocate for the enterprise customer guides all of our work.


Burton Group does not publish vendor-sponsored research of any kind. Since the company's founding in 1990, we have never published any vendor-sponsored research. Likewise, Burton Group covers relevant vendors and products without regard to whether vendors subscribe to or use our services. In all of our endeavors, we maintain independence from vendor agendas, providing unbiased assessments of markets, vendors, and products. In keeping with its mission, Burton Group provides technically in-depth, independent research and advice for the enterprise technologist.

Who Did the Research on the Web Access Management Market?


It was all done by one person, Mark Diodati. You can see by his bio that he worked at a very high level for CA (Computer Associates – it isn't Computer Associates? Everything seems to be just CA now.) for 15 years. Anyway, one of the research papers is about CA SiteMinder. I think it's natural for me to question a former CA VP reviewing a CA product. Back to my “I guess I don't trust anybody” quote. Still his writing comes across painfully objective. So, five brownie points for that. It would seem hard to find an expert on WAM products who didn't actually somewhere in the past work with one WAM product more than the others.


I wouldn't normally correct an error I've made in my blog, but Mark Diodati himself added a comment pointing out an error I made that changes my outlook a bit. Mark didn't work at CA for 15 years. At the time, his bio showed 15 years experience in information security in general. His bio now shows 16 years total experience. Somehow, I jumped to the conclusion that he worked at CA the entire time, even though his bio mentions other companies, such as RSA. In his comment, Mark breaks the time down a little more specifically as such:

"I worked at CA for two years. I also worked at RSA for six years, and as you point out they have a WAM product as well."

Now, if we can just get IBM, Oracle, and Sun to each hire him for two years, we'll really be on to something.


Another thing about Mark that I found was that he sometimes contributes to the Burton Group Identity Blog, such as this entry: I like that entry because it points out how confusing it all is. Does identity management really have to be this complex? It seems the answer is “Yes, for now at least!”

Okay, What's the Research Already?

I'm talking about five papers that each have these labels:

  • Identity and Privacy Strategies

  • In-Depth Research Product Profile

The specific titles are as follows:

CA SiteMinder v6 SP5 (November 29, 2006)

Oracle Access Manager 10gR3 (December 06, 2006)

RSA Access Manager 6.0 (December 13, 2006)

Sun Java System Access Manager 7.1 (March 02, 2007)

IBM Tivoli Access Manager for e-business v.6.0 (March 26, 2007)

The section titles tend to be the same so it's relatively easy to compare one product to another. For example, there's a section titled “Bottom-Line Assessment.” That's broken into two sections that pretty much say:

Things about this WAM product that might influence you to buy it

Things about this WAM product that might influence you to buy another WAM product

Each paper includes pricing information, a graphic of the architecture, and a lot of other things. Another reminder: I write about Access Manager Policy Agent, which is a policy enforcement point (PEP). Therefore info about PEPs (and there was a decent amount) was really good for me. I have a better sense now about how other WAM products handle the PEPs. There's some variety there. And each method has its advantages and disadvantages.

Where To Go From Here?

I'm not sure what's next. From these five papers, one could definitely make it even easier to compare these products by coming up with even more charts, tables, and graphics. A lot of the hard work has been done. Soon, I'm going to contact Burton Group again to talk to their experts. Apparently, I can do that. I can have “dialogues” with Burton Group experts. I keep thinking that they're going to figure out that I was accidentally added to the wrong list and then they're going to make me give back everything I've already learned.

Now, I don't know nothing about nothing. But I can tell you this, if you're ever in the market for a WAM product, make the sales/marketing/engineering reps, Sun's and/or whoever else's, do a proof of concept. Because this stuff is complex.

Okay, you got anything else needs reading? Cuz I'm on a tear!!

UPDATE: JUNE 1 - I have a more recent entry on Burton's coverage of the WAM market here: Understanding the Web Access Management Market.

Wednesday Mar 07, 2007

Liberty Alliance: I'm gonna hafta look into that

All the indications are that I don't know enough about Liberty Alliance. Sun is a huge player in this alliance, too.

So, I get this alert for an InfoWorld article today about an outline (in PDF) put together by the Liberty Alliance.

Cool! I'm getting some good info lately related to identity management. I'm starting to get these alerts tweaked well. I notice Piper Cole, VP, Global Government & Community Affairs, is a contributor to the outline. I've met Piper Cole. I'm, like, such an insider now.

Unfortunately, I don't completely get the Liberty Alliance thing. Looks like I'm going to have to actually look into this thing. I mean, I have looked into it, but I'm going to have to get all involved and everything.

I did read the outline and it was much more legal than I had anticipated, which makes me wonder how many corporations who have set up a circle of trust have run into significant issues. It also surprised me because I didn't think the Liberty Alliance would make non-technical suggestions, which just points out my ignorance of the alliance.

Another Liberty Alliance thing, more than a week back, I got a comment from James McGovern here:

I'll repeat the comment:

“The Identity Governance Framework also speaks to XACML usage which is about authorization. Do you think the folks at Sun and participating members of Liberty will finally start talking about authorization and stop overhyping identity? Would be great if your next blog entry went into detail on this topic.”

Okay, so I'm not such an insider because I couldn't begin to go into detail about such a topic. Still. Perfectly still at this point, but there's hope for me that I'll get this stuff one of these days and actually be able to interact with the real players. Or maybe not.

Monday Feb 26, 2007

Oracle, Liberty Alliance, and me

Oracle has contributed to the Liberty Alliance by giving the alliance its Identity Governance Framework. I most certainly don't get the full import of this. However, it's significant to me since I got this information automatically.

I'm still not “in,” but I'm not so far out. I'm going to create a trackback to the blog from which I got this info:

No, I'm not going to create a trackback. I just tried. Either I'm doing something wrong, or I need to register in order to create a trackback. It seems I need to register, but I'm not that interested.

Now let's see if you can understand the twisted logic that follows. Recently, I set up a ZapTxt alert (I plan to make an entry about ZapTxt one of these days) to various blogs and such trying to capture identity management-related stuff. I've played with the key words and tags and such, to get info that suits me. I have the info being emailed to me and then I have a filter which sends all ZapTxt alerts to a separate folder. Okay, I think I have a couple alerts that are actually sending me things that are useful for me.

Today, I got an alert to Ash's blog. Inside his entry was a quote from Don Bowen, director of Identity Integration at Sun. I've actually met Don Bowen. Now, suddenly everything seems more personal. So I see that as reason to celebrate. There, is that followable logic?

Truth is that information has been out there for a while:

That's almost three weeks ago. However, the quote from Sun wasn't in there. Anyway, slowly I'm figuring out how to get info I want. After I got that alert, I did a search and found that InfoWorld article. Then I set up another ZapTxt alert to the InfoWorld site. Again, I'll probably have to play with the keywords and tags to see if I can get the right amount of info.

Is it just me?

Sunday Feb 18, 2007

Getting Even More Identity

By now, my blog has definitely acquired more of an identity.

Look around this blog and you'll more or less see a real blog. I come across pretty much like a blogger.

Considering that I didn't understand a thing about blogging just four months ago, I'd say that's good. The truth is that at this point I don't really understand all the widgets on my own blog, but I do know that it somehow seems appropriate to use the word “widgets” in this context, so there's that. I might not actually be using the word correctly, but one thing at a time.

I think I'll focus a few blog entries here and there over the next few weeks on things I've added to my blog, but as of yet, have not explained. For example:

  • I've recently added a few links in the right column to other people's blogs.

  • I've also added the following:

    • A Technorati button:

    • A ZapTXT button:

    • A StatCounter counter (at the bottom of this blog):

The identity-management-ness of all this new stuff is not obvious, but the connection is often there behind the scenes. For example, the way I've been experimenting with the Technorati and ZapTXT stuff has a pretty strong relationship to identity management.

I'll transparentize all of that stuff soon enough. Right now, I'm just coining words and otherwise abusing the language for no transparent reason.

Tuesday Jan 30, 2007

Identity Management: Only the Paranoid Survive

I just read a white paper from IDC that supports what I often say when bidding someone farewell, “Don't trust anybody!” It usually comes out like this, “Okay, see you later; don't trust anybody!” I'm not positive why I say that. I guess I don't trust anybody, and according to IDC, when it comes to your company's resources, you shouldn't trust anybody either. Not even your own people.

The white paper I read is titled Privileged Password Management: Combating the Insider Threat and Meeting Compliance Regulations for the Enterprise. It's good reading. The fact that I find this kind of paper “good reading” frightens me. It seems that I've crossed a line from which I can never return. Still, there is something very spy-thriller, espionage-like about it. So, I guess it makes some sense that I find it interesting. Who knows, you might just find it interesting, too. I mean, if you're into this sort of thing. This article was sponsored by Cyber-Ark software. As of today, you can get your hands on it in a couple of ways. Will it be available in the same manner tomorrow? I don't know. The two methods are:

  1. Indirect: and click Download Now. You'll then have to register.

  2. Direct: That's the PDF. The company providing the PDF is Noxs. They provide solutions that often include Cyber-Ark products.

I get the feeling that Cyber-Ark gets frustrated that few people understand how well their products solve huge security issues. I've only recently started hearing about the internal security concerns that are discussed in this article. I mean, I've heard for a long time that internal security risks are usually more dangerous than external ones, but I've only recently started hearing the specifics of those internal risks.

Cool Take-Aways from the Article

  • More than 70% of Identity & Access Management implementations are driven by government and industry compliance regulations.

  • Compliance regulations present some huge technological challenges.

  • The tendency is for larger companies to be more concerned with internal security threats than with external security threats.

  • Generic accounts, such as administrator on Wintel platforms, root on UNIX systems, DBA passwords and hard-coded passwords in application scripts can be a huge risk for a company.

Random Thoughts in Closing

  • So what Andy Grove's been saying for years, “Only the Paranoid Survive,” might indeed be true.

  • It seems I've heard that Sun Microsystems works well with Cyber-Ark, but I don't know if that means that Sun's products work well with Cyber-Ark's products or if the two companies cooperate nicely with each other.

  • Okay, see you later; don't trust anybody!

Thursday Jan 04, 2007

Open Source: Access Manager and Beyond

All the open source projects going on around Sun Microsystems are enough to make your head spin.

Again, I'm a technical writer for Identity Management Software. More specifically, I write about Access Manager and Policy Agent, usually Policy Agent.

Therefore, I'd like to have a better understanding of OpenSSO. It's all good, but it's all too much. I can't possibly keep up with all the open source projects happening at this company. I wish I could, because I sense potential synergies. One who knows such things, must see possibilities of how some of these various open source projects can come together in the future to make this a better world planet (for some reason, people at Sun always refer to Earth as “planet.” For example, “We have the best identity management software on the planet.” I never got the memo on this, so I don't know why this particular term has been chosen. That's okay, I'll use it all the same.).

The link to OpenSSO is

So, I looked around and I think there's some good info at that site. The following paragraphs are FAQs from that I thought provided the key info.

Q: What is OpenSSO?

A: The Open Web Single Sign-On Project, also referred to as OpenSSO, is an open development effort based on the source code for Sun Java™ System Access Manager, a core identity infrastructure product offered by Sun Microsystems, Inc. The goal of OpenSSO is to provide an extensible foundation for an identity services infrastructure that will facilitate single sign-on (SSO) for web applications hosted on web and application servers in the public domain.

Q: How are OpenSSO, Sun Java System Access Manager and Sun Java System Federation Manager related?

A: OpenSSO is based on the Access Manager 7.0 code base (including components under development for 7.1). There are some changes (for example, Access Manager contains some third-party source code which we cannot redistribute) but we have worked to minimize these. The next versions of both Federation Manager and Access Manager will be built from the OpenSSO source (just as Sun Java System Application Server is built from the Glassfish source). When Sun decides that OpenSSO contains the features we want to use in the next Access Manager/Federation Manager product release, we will branch the code and stabilize the release branch - all in public. New feature development can and will continue on the trunk and fixes in the Sun release branch will be copied back to the OpenSSO trunk.

For an example of using Sun open sourced projects together, check out Indira's blog:, which combines components from OpenSSO and GlassFish. GlassFish is the open sourced project for Java EE 5 Application Server.

This is cool to me because it gets heavy duty involved with Policy Agent 2.2, specifically for Sun Java System Application Server 8.1, which is pretty much (but not exactly) what the GlassFish server is.

Anyway, my prediction is that combining open sourced projects will be all the rage soon enough. Those will be all the cool people, the ones who get invited to the Hollywood parties and rub elbows with celebrities all over the planet.

Tuesday Dec 12, 2006

Getting Some More Identity

I've done more to give this blog some Identity.

In the process, I've learned more about who blogs about Identity Management at Sun and I've learned more about how to customize Roller blog software.

Right now, I'm using the editor that comes with Roller. In my search for more blog identity, I learned that this blog editor (it's called Xinha) is new and improved over the prior editor. We'll see, I tried it before it was improved and I can confidently say it needed improving. I couldn't get the fonts to do what they said they were going to do. If you follow me. We'll see how this all looks.

I also started playing with tags and with the search. That's how I came across other Sun bloggers who mentioned Identity Management in some way. That's a big topic actually. I also found some entries about Policy Agent.

For example, though I don't understand Japanese, I know these entries discuss things like policy and Policy Agent:

Call me a visual learner. 

 About my blog, I've a section in the column on the right: My Recent Blog Entries. I've looked at the documentation: Roller 3.0 User's Guide and Roller 3.0 Template Guide quite a bit, but still. For this I did a search and found a Sun blogger who explained how to do it.

 I went to and searched for the following:

blog customization recent entries

That search led to this entry:

I knew enough to know that I was going to have to do things a little differently for my blog in terms of customizing the templates. But it gave me the info I needed. I added the 15 most recent entries. Actually, I only had 15 entries, so that made sense.

Keep in mind my Nov 17 entry, which explains that what I'm describing about my blog might not apply by the time you read this since it may be 2046 when you're reading this. A lot could change from 2006 to 2046.

 I've learned so much more recently, but that's all I have time for. Blogging, it's not bad.


Darn it! Just before submitting this entry, I did a full preview and the fonts are all messed up. Do you see how the first line is all small? That's not the way it looks in the editor. As Pat Patterson told me today, editors tend to be WYSIMOLWYG (what you see is more or less what you get). Well it's back to other methods, either doing HTML by hand or typing it in a program like Star Office (with HTML) and cutting and pasting it into my blog. By the way, Star Office has a blog editor extension. I haven't been able to use it yet. That's another story.



What does this box do?

