Friday Sep 04, 2009

OpenSSO Express 8 Shall Be Released

Congratulations to all on the release of OpenSSO Express 8, an early access version of Sun OpenSSO Enterprise that is fully supported and indemnified by Sun Microsystems for customers. The new ZIP archive is available for download on opensso.dev.java.net.

OpenSSO Express 8 introduces:
  • One Time Password Authentication
  • A new Resource Authentication Type
  • Federated single sign-on for .Net applications using the .NET Fedlet
  • Support for MySQL as a user data store
  • The new Entitlements Service
  • A new monitoring framework built using the Java Dynamic Management Kit (JDMK)
  • A new Administration Console (in beta) that allows authorization administration with the new Entitlements Service and new work flows for configuring federation and web services security
  • A new work flow for setting up federated single sign-on with Salesforce.COM
A list of all the new features and enhancements in OpenSSO Express 8 is available in the Release Notes. Detailed documentation on the new features is available on the OpenSSO Documentation wiki.

And here's an incredible (and incredibly old) performance of Bette Midler singing Bob Dylan's I Shall Be Released.

Monday Aug 24, 2009

Breakaway from the Policy Service with OpenSSO Entitlements

Apropos of Dennis's announcement that the Entitlements Service source code has been moved into the OpenSSO workspace, here is some information about the OpenSSO Entitlements Service now under development.

The Entitlements Service is an authorization and policy component developed for inclusion in the soon-to-be-released OpenSSO Express 8. Its user interface provides an easy-to-follow work flow for defining the rules that control access to applications and web resources. Using these work flows you can create fine-grained policies, and referrals (which delegate policy creation down an OpenSSO realm hierarchy).

The Entitlements Service is being developed in tandem with a new beta OpenSSO administration console. The existing OpenSSO Enterprise Policy Service, used for coarser-grained policies, is still available through the standard OpenSSO administration console. See The New OpenSSO Console Rip-Off.

At a high level, a service for creating and managing access to web resources consists of the following:
  • A policy administration point (PAP): the interfaces used to create, read, update and delete policies.
  • A policy decision point (PDP): the evaluation engine that is queried for permissions and privileges. It gathers the subject's identity attributes (from a policy information point, or PIP) and the applicable policies, evaluates them, and returns a decision for the enforcement point to act on.
  • A policy enforcement point (PEP): an agent, typically installed on the same machine as the resource, that intercepts requests and protects the resource from unauthorized access according to the PDP's decisions.
  • A user data store for storing and obtaining identity data.
  • A policy data store for storing and obtaining policies and the service's configuration attributes. (OpenSSO embeds OpenDS as its configuration data store, and this configuration data store also holds Entitlements Service data.)

The Entitlements Service can protect different types of resources. Using the new beta console, you create a policy by selecting a general application, adding a more specific resource under it, and attaching the subjects and conditions that apply. An application (the term as used in the Entitlements Service) consolidates the metadata for a generic resource type whose instances share a common set of actions: the format of a resource name, the supported actions, the subject and condition types that may be used, the decision-combining algorithm that resolves conflicting policy results, and other data are defined as the application's schema. Calendars, web resources and user profiles are examples of what an application could describe. The following applications are added by default when opensso.war is deployed.
  • Web Agent defines actions that can be used to create and manage policies that protect HTTP and HTTPS URLs through the use of a policy agent. This is the most common application use case with the following actions.
    • GET has these operations.
      • Allow: Enables access to the resource defined in the Rule.
      • Deny: Denies access to the resource defined in the Rule.
    • POST has these operations.
      • Allow: Enables access to the resource defined in the Rule.
      • Deny: Denies access to the resource defined in the Rule.
  • Liberty Personal Profile allows administrators to create and manage policies corresponding to actions that can be performed on identity attributes in a personal profile service defined by the Liberty Alliance Project specifications; for example, the OpenSSO implementation of the Liberty Personal Profile Service.
    • MODIFY has these operations.
      • Interact for Value: Invokes the Liberty Alliance Project ID-WSF Interaction Service Specification protocol to retrieve a value from a resource in order to modify it.
      • Interact for Consent: Invokes the Liberty Alliance Project ID-WSF Interaction Service Specification protocol for consent to modify a value on a resource.
      • Allow: Enables access to the resource defined in the Rule in order to modify an attribute value.
      • Deny: Denies access to the resource defined in the Rule therefore modification is disallowed.
    • QUERY has these operations.
      • Interact for Value: Invokes the Liberty Alliance Project ID-WSF Interaction Service Specification protocol to retrieve a value from a resource.
      • Interact for Consent: Invokes the Liberty Alliance Project ID-WSF Interaction Service Specification protocol for consent to query a resource.
      • Allow: Enables access to the resource defined in the Rule in order to query the resource.
      • Deny: Denies access to the resource defined in the Rule therefore the query is disallowed.
  • Discovery Service allows administrators to create and manage policies for the actions of the Discovery Service, which dynamically locates the web services providers (WSPs) registered for a particular principal.
    • LOOKUP: Allow or Deny access to search the discovery service.
    • UPDATE: Allow or Deny access to modify data in the discovery service.
A resource is an object on which an action can be performed, and it is the thing a policy is configured to protect. In a policy a resource is a string: a URL, a web service endpoint, a bank account identifier, or a graphical user interface control such as a button or text field. Examples are MyCalendar or another portal-type service located by its URL, a bank account, or the Submit button on a form.
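The pieces above (application, resource, actions, subjects, conditions, combining algorithm, PDP and PEP) fit together as follows. This is an added example, not OpenSSO code: a toy policy decision point and Web Agent style enforcement point in Python. The glob-style resource patterns, the group and network subject/condition builders, the sample policies and the deny-overrides default are all constructed for illustration.

```python
"""Added example (not OpenSSO code): a toy policy decision point (PDP) and
policy enforcement point (PEP) in the shape described above.

An Application names the actions a resource type supports and the
decision-combining algorithm that resolves conflicting policy results;
a Policy binds resource patterns, action values, subjects and conditions.
The PEP asks the PDP for a decision before letting a request through.
Resource patterns, policies and the deny-overrides default are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

ALLOW, DENY = "allow", "deny"


@dataclass
class Application:
    """A resource type: which actions exist and how conflicts are combined."""
    name: str
    actions: List[str]
    combiner: str = "deny-overrides"   # assumed default; or "permit-overrides"


@dataclass
class Policy:
    name: str
    application: str
    resources: List[str]                 # glob patterns; '*' matches any run of chars
    actions: Dict[str, str]              # e.g. {"GET": ALLOW, "POST": DENY}
    subjects: List[Callable[[dict], bool]] = field(default_factory=list)
    conditions: List[Callable[[dict], bool]] = field(default_factory=list)

    def applies(self, subject: dict, resource: str, env: dict) -> bool:
        """True when the resource, a subject and every condition match."""
        if not any(fnmatchcase(resource, pat) for pat in self.resources):
            return False
        if self.subjects and not any(s(subject) for s in self.subjects):
            return False
        return all(c(env) for c in self.conditions)


# Subject and condition builders: the kinds of things a policy attaches.
def in_group(group: str):
    return lambda subject: group in subject.get("groups", ())


def outside_network(cidr: str):
    net = ip_network(cidr)
    return lambda env: ip_address(env["client_ip"]) not in net


class PDP:
    def __init__(self, apps: List[Application], policies: List[Policy]):
        self.apps = {a.name: a for a in apps}
        self.policies = policies

    def decide(self, app_name: str, subject: dict, resource: str,
               action: str, env: dict) -> str:
        app = self.apps[app_name]
        if action not in app.actions:
            return DENY                      # action undefined for this application
        votes = [p.actions[action] for p in self.policies
                 if p.application == app_name and action in p.actions
                 and p.applies(subject, resource, env)]
        if not votes:
            return DENY                      # no applicable policy: default deny
        if app.combiner == "deny-overrides":
            return DENY if DENY in votes else ALLOW
        return ALLOW if ALLOW in votes else DENY   # permit-overrides


def web_agent_pep(pdp: PDP, request: dict) -> int:
    """Minimal PEP for the Web Agent application: decision -> HTTP status."""
    decision = pdp.decide("Web Agent", request["subject"], request["url"],
                          request["method"], {"client_ip": request["client_ip"]})
    return 200 if decision == ALLOW else 403


# Constructed sample configuration.
APPS = [Application("Web Agent", ["GET", "POST"])]
POLICIES = [
    Policy("staff-intranet", "Web Agent",
           ["http://www.example.com:80/intranet/*"],
           {"GET": ALLOW, "POST": ALLOW}, subjects=[in_group("staff")]),
    Policy("no-external-post", "Web Agent",
           ["http://www.example.com:80/intranet/*"],
           {"POST": DENY}, conditions=[outside_network("10.0.0.0/8")]),
]
PDP_INSTANCE = PDP(APPS, POLICIES)


def check(url: str, method: str, groups=(), client_ip="10.1.2.3") -> int:
    """Convenience wrapper: run one request through the PEP."""
    return web_agent_pep(PDP_INSTANCE, {"subject": {"groups": list(groups)},
                                        "url": url, "method": method,
                                        "client_ip": client_ip})


if __name__ == "__main__":
    intranet = "http://www.example.com:80/intranet/reports"
    print(check(intranet, "GET", ["staff"]))                            # 200
    print(check(intranet, "POST", ["staff"]))                           # 200
    print(check(intranet, "POST", ["staff"], client_ip="203.0.113.9"))  # 403: deny overrides allow
    print(check(intranet, "PUT", ["staff"]))                            # 403: PUT is not a Web Agent action
    print(check(intranet, "GET", []))                                   # 403: no policy applies
```

Two points the model makes visible: an action the application schema does not define (PUT here) can never be allowed by a rule, which is exactly why the PUT/DELETE procedure below has to edit the schema rather than a policy; and with deny-overrides a single applicable deny rule wins over any number of allows, so a conflicting allow rule is not a bypass.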

More information on the Entitlements Service will be forthcoming; these definitions should help you get started, in a small way, by following the inline help developed for the Entitlements Service GUI. But first - enjoy Tracey Ullman singing Breakaway into her hairbrush.

Thursday Jul 17, 2008

Enabling PUT and DELETE Actions in OpenSSO Policy Definitions for Web URLs

Policy rules in OpenSSO allow control over the GET and POST actions but, by default, do not list PUT and DELETE. The actions a rule can choose from come from the AttributeSchema elements of the web agent service defined in amWebAgent.xml, so adding the missing actions means extending that schema. Following are two procedures for doing so.

When Deploying a New Instance of OpenSSO
  1. Explode opensso.war.
  2. cd WEB-INF/classes
  3. Create AttributeSchema elements for PUT and DELETE in amWebAgent.xml using the already existing AttributeSchema for GET and POST as the prototype.
  4. Add i18n keys and values to amWebAgent.properties for the elements created in the previous step.
  5. Regenerate the WAR.
  6. Deploy the WAR.

When Modifying an Existing Instance of OpenSSO
  1. Explode opensso.war.
  2. cd WEB-INF/classes
  3. Create AttributeSchema elements for PUT and DELETE in amWebAgent.xml using the already existing AttributeSchema for GET and POST as the prototype.
  4. Copy amWebAgent.xml outside the exploded WAR directory.
  5. Add i18n keys and values to amWebAgent.properties for the elements created in the previous step.
  6. Regenerate the WAR.
  7. Redeploy the WAR.
  8. Set up the famadm command line interface.

    • Download and unzip opensso.zip.
    • Change to the opensso/tools directory and unzip famAdminTools.zip.
    • Follow the instructions in README.setup.

  9. Run the following command:

    famadm delete-svc -s iplanetamwebagentservice
  10. Run the following command:

    famadm create-svc --xmlfile /path/amWebAgent.xml
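Step 3 of both procedures (clone the GET and POST AttributeSchema elements for PUT and DELETE) and step 4 or 5 (add the matching i18n keys) can be done mechanically. The following is an added example in Python, not part of the original post or of OpenSSO. SAMPLE_XML and SAMPLE_PROPS are constructed stand-ins for WEB-INF/classes/amWebAgent.xml and amWebAgent.properties: the element layout and the i18n key names (a101, a102) are assumptions, so take the prototype from the real file. ElementTree drops the DOCTYPE and comments when serialising, so either paste the generated elements into the original file or restore its DOCTYPE line before regenerating the WAR or passing the file to famadm create-svc.

```python
"""Added example (not part of the original post or of OpenSSO): extend the
web agent policy schema with PUT and DELETE by cloning the existing GET
AttributeSchema, and add matching i18n entries to amWebAgent.properties.

SAMPLE_XML / SAMPLE_PROPS are constructed stand-ins for the real files;
their layout and i18n key names are assumptions."""
import copy
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<ServicesConfiguration>
  <Service name="iPlanetAMWebAgentService" version="1.0">
    <Schema i18nFileName="amWebAgent" i18nKey="iplanet-am-web-agent-service-description">
      <Policy>
        <AttributeSchema name="GET" type="single_choice" syntax="string" i18nKey="a101">
          <ChoiceValues>
            <ChoiceValue i18nKey="allow">allow</ChoiceValue>
            <ChoiceValue i18nKey="deny">deny</ChoiceValue>
          </ChoiceValues>
          <DefaultValues><Value>allow</Value></DefaultValues>
        </AttributeSchema>
        <AttributeSchema name="POST" type="single_choice" syntax="string" i18nKey="a102">
          <ChoiceValues>
            <ChoiceValue i18nKey="allow">allow</ChoiceValue>
            <ChoiceValue i18nKey="deny">deny</ChoiceValue>
          </ChoiceValues>
          <DefaultValues><Value>allow</Value></DefaultValues>
        </AttributeSchema>
      </Policy>
    </Schema>
  </Service>
</ServicesConfiguration>
"""

SAMPLE_PROPS = "a101=GET\na102=POST\nallow=Allow\ndeny=Deny\n"


def add_actions(xml_text, props_text, actions=("PUT", "DELETE"), prototype="GET"):
    """Return (new xml, new properties) with one AttributeSchema per action.

    Each new element is a deep copy of the prototype with its name and
    i18nKey changed; the i18nKey is the next free 'aNNN' key, and a
    'key=ACTION' line is appended to the properties. Actions already
    present are left alone, so the function is safe to re-run."""
    root = ET.fromstring(xml_text)
    policy = root.find(".//Policy")
    if policy is None:
        raise ValueError("no <Policy> element: is this amWebAgent.xml?")
    schemas = policy.findall("AttributeSchema")
    proto = next((a for a in schemas if a.get("name") == prototype), None)
    if proto is None:
        raise ValueError(f"no AttributeSchema named {prototype!r} to clone")
    existing = {a.get("name") for a in schemas}
    used = [int(m.group(1)) for a in schemas
            for m in [re.fullmatch(r"a(\d+)", a.get("i18nKey", ""))] if m]
    next_num = max(used, default=100) + 1
    props = props_text.rstrip("\n").split("\n") if props_text.strip() else []
    for action in actions:
        if action in existing:
            continue
        clone = copy.deepcopy(proto)        # same type, syntax, choice and default values
        clone.set("name", action)
        clone.set("i18nKey", f"a{next_num}")
        policy.append(clone)
        props.append(f"a{next_num}={action}")
        next_num += 1
    return ET.tostring(root, encoding="unicode"), "\n".join(props) + "\n"


# Small readers used to verify the result without re-parsing by hand.
def action_names(xml_text):
    root = ET.fromstring(xml_text)
    return [a.get("name") for a in root.find(".//Policy").findall("AttributeSchema")]


def action_choices(xml_text, name):
    """(i18nKey, [choice values]) of the named action's AttributeSchema."""
    root = ET.fromstring(xml_text)
    elem = root.find(f".//Policy/AttributeSchema[@name='{name}']")
    return elem.get("i18nKey"), [c.text for c in elem.findall("ChoiceValues/ChoiceValue")]


if __name__ == "__main__":
    new_xml, new_props = add_actions(SAMPLE_XML, SAMPLE_PROPS)
    print(action_names(new_xml))          # ['GET', 'POST', 'PUT', 'DELETE']
    print(new_props.splitlines()[-2:])    # ['a103=PUT', 'a104=DELETE']
```

The clone keeps the prototype's allow/deny ChoiceValues and its default value, which is what "using the already existing AttributeSchema for GET and POST as the prototype" means in practice; only the name and i18nKey differ. Check the generated file against the real amWebAgent.xml before running famadm delete-svc, since that command removes the whole service definition and create-svc then replaces it with whatever the file contains.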
And now enjoy Eddie Money and Ronnie Spector singing Take Me Home Tonight.

About

docteger
