Tuesday Jan 19, 2010

Using OpenSSO with Microsoft Geneva Server

I just posted MICROSOFT® “GENEVA” SERVER AND SUN OPENSSO: ENABLING UNPRECEDENTED COLLABORATION ACROSS HETEROGENEOUS IT ENVIRONMENTS. This paper (written by another) focuses on Sun OpenSSO Enterprise and Microsoft Geneva Server — specifically, on their common support for the Security Assertion Markup Language (SAML) federation standard as a basis for interoperability. The paper:
  • Presents an overview of the individual and interoperable solutions and their capabilities.
  • Describes the business benefits of interoperability between the two.
  • Shares detailed use cases demonstrating proven interoperability in real-world federation scenarios.
But before you leave, it's not Geneva, it's Vienna by Ultravox.

Friday Aug 14, 2009

The New OpenSSO Console Rip-Off

OK, it's not technically a rip-off but that's all I could come up with in the time allotted.

The OpenSSO engineering team has been working on a new administration console. The plan is to release a beta version of the new console with OpenSSO Express Build 8. Although the trees that contribute to the nightly build and the Express 8 build have not yet been consolidated, portions of the new beta console are available for your perusal in the nightly build. Things will undoubtedly change before the actual release; the following information is so you can take a look at the direction we are going.

This new OpenSSO administration console is in beta and should only be used for test environments. Continue to use the standard OpenSSO administration console for real-time deployments.

After deploying opensso.war to a web container, log in to OpenSSO as the administrator and enter protocol://machine.domain:port/deploy-uri/admin in the Location bar of a browser to display the new console interface.

The Entitlements, Federation and Web Service Security tabs comprise the bulk of the features currently in this new console. Inline help for these features is displayed on the console screens. Additional documentation will be available after the beta release.

Working With the Entitlements Service

The Entitlements tab contains the new work flows for ease of use when creating new, and managing existing, policies for the new Entitlements Service. These features are available only in the beta administration console. You must choose the framework with which you will create policies for your resources: the Policy Service using the standard administration console, or the Entitlements Service using the beta administration console. Once the choice is made (by creating and saving a policy using one or the other), only that service (Entitlements or Policy) will be enabled. Migration of policies from previous versions of OpenSSO is not supported.

Using the Federation Work Flows

The Federation tab contains the new work flows for ease of use when creating and registering entity providers for the Federation Service using the SAMLv2 protocol. These work flows are available in either the standard or the beta administration console. If you create SAMLv2 entity providers using the work flows in the beta administration console, you manage the configurations using the standard administration console.

Using the Web Services Security Work Flows

The Web Service Security tab contains the new work flows for ease of use in creating profiles to work with the Web Service Security framework. These work flows are available only in the beta administration console, although profiles can also be created by manually configuring attributes using the standard administration console. You can create profiles in the beta console and manage them in the standard console.

Displaying Realms

The intent with the beta administration console is to hide realms. If no realms are configured using the standard console, neither the interface to switch realms nor anything about referrals will be visible in the beta console. If you create a realm using the standard console, the realm and referral menu items become visible.

Now enjoy the great, soulful Laura Lee and her 1972 hit, Rip-Off.


Monday Aug 10, 2009

Store & Retrieve Authentication Info with OpenSSO, She & Him

Here are some words on storing authentication information in an OpenSSO session and retrieving it later. The following assumes that the authentication module extends AMLoginModule and that the information is to be shared with a post-authentication plug-in.

If the size of the information is small, you can store it in the SSOToken. If the information is security sensitive and not to be readable by the Client SDK, you could encrypt it before setting it in the SSOToken. (Prefixing the property name with am.protected. defines it as NOT readable by the Client SDK.)

After you put the required information from the authentication module into the module principal class, implement the com.sun.identity.authentication.service.AuthenticationPrincipalDataRetriever interface. It has the following method, which gets the module principal from authSubject, retrieves the required data, and returns that data as a Map of key/value pairs.
    /**
     * Returns the attribute map from the required Authentication module
     * Principal, to be set in the SSOToken.
     *
     * @param authSubject Authenticated user Subject.
     * @return the Attribute Map.
     */
    Map getAttrMapForAuthenticationModule(Subject authSubject);
The Authentication Service will store this Map in the authenticated SSOToken. A post authentication plug-in can retrieve this data from the SSOToken later. You will need to set your implementation class as a value of the com.sun.identity.authentication.principalDataRetriever property in the OpenSSO configuration data store.
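As an added example (not code from the original post), here is the whole round trip: a constructed principal class that a login module extending AMLoginModule would add to the Subject, a retriever that copies its data into the SSOToken as properties (one of them under the am.protected. prefix), and a post-authentication plug-in that reads the properties back. The DeviceInfo class and property names are assumptions; the two OpenSSO interfaces are the real ones.

```java
import java.io.Serializable;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.service.AuthenticationPrincipalDataRetriever;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;

/**
 * Hypothetical principal that a custom login module (extending AMLoginModule)
 * adds to the authenticated Subject to carry data gathered during login.
 */
public class DeviceInfoPrincipal implements Principal, Serializable {
    private final String name;       // the authenticated user
    private final String deviceId;   // constructed example of sensitive data
    private final String authnLevel; // constructed example of non-sensitive data

    public DeviceInfoPrincipal(String name, String deviceId, String authnLevel) {
        this.name = name;
        this.deviceId = deviceId;
        this.authnLevel = authnLevel;
    }

    public String getName() { return name; }
    public String getDeviceId() { return deviceId; }
    public String getAuthnLevel() { return authnLevel; }
}

/**
 * Retriever registered as the value of the
 * com.sun.identity.authentication.principalDataRetriever property. The
 * Authentication Service calls it once per login and stores the Map in the SSOToken.
 */
class DeviceInfoRetriever implements AuthenticationPrincipalDataRetriever {
    // The am.protected. prefix keeps this property from being read by the Client SDK.
    static final String DEVICE_ID_PROP = "am.protected.deviceId";
    // Plain property name: readable by Client SDK consumers as well.
    static final String AUTHN_LEVEL_PROP = "deviceAuthnLevel";

    public Map getAttrMapForAuthenticationModule(Subject authSubject) {
        Map<String, String> attrs = new HashMap<String, String>();
        if (authSubject == null) {
            return attrs;
        }
        // Locate our module's principal among those the login modules added.
        for (Principal p : authSubject.getPrincipals()) {
            if (p instanceof DeviceInfoPrincipal) {
                DeviceInfoPrincipal dp = (DeviceInfoPrincipal) p;
                if (dp.getDeviceId() != null) {
                    attrs.put(DEVICE_ID_PROP, dp.getDeviceId());
                }
                if (dp.getAuthnLevel() != null) {
                    attrs.put(AUTHN_LEVEL_PROP, dp.getAuthnLevel());
                }
                break;
            }
        }
        return attrs;
    }
}

/** Post-authentication plug-in that reads the stored values back from the SSOToken. */
class DeviceInfoPostAuth implements AMPostAuthProcessInterface {
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response, SSOToken ssoToken) throws AuthenticationException {
        try {
            String deviceId = ssoToken.getProperty(DeviceInfoRetriever.DEVICE_ID_PROP);
            String level = ssoToken.getProperty(DeviceInfoRetriever.AUTHN_LEVEL_PROP);
            if (deviceId == null) {
                // Fail closed: the module did not record the data this plug-in relies on.
                throw new AuthenticationException("device information missing from session");
            }
            // ... act on deviceId / level here, for example record them for audit.
        } catch (SSOException e) {
            throw new AuthenticationException(e.getMessage());
        }
    }

    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
    }

    public void onLogout(HttpServletRequest request, HttpServletResponse response,
            SSOToken ssoToken) throws AuthenticationException {
    }
}
```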

Now here is Zooey Deschanel and M. Ward, plugged in as She & Him. Why Do You Let Me Stay Here? is from their album, Volume 1. I love M (especially his album Transistor Radio), love Zooey (especially as an actress in the ScyFy take on Oz called Tin Man) and also Zooey's sis, Emily (especially as the femme lead on Bones). The video is quirky and endearing and bloody.

Friday Apr 17, 2009

What a Difference Updated OpenSSO Federation Docs Make

I recently posted two updated docs from the OpenSSO Enterprise engineering team regarding the federation architecture and use cases. You can access these documents from tree or using the links below.

Now, start the weekend early, get off your chair and dance away to Esther Phillips singing her disco version of the standard What a Difference a Day Makes.

Thursday Apr 09, 2009

Roam for Centralized Error Processing in the OpenSSO SAMLv2 Service

If you want information on Centralized Error Processing in OpenSSO's SAMLv2 Service roam over to this article on wikis.sun.com for some information I just put together on the concept and configuration.

But click play for this live version of Roam performed in various venues by the B-52's before you click work.

Excellent editing, wouldn't you say?

Tuesday Mar 17, 2009

Don't Ask Me Why XML Signing and Encryption in a Fedlet is Not Here

This is the first blog entry in which I will be using links to articles I've posted on wikis.sun.com. Moving forward, the OpenSSO writers are going to be collecting documentation, articles and the like over there. I will, though, continue to blog these links because I know there must be one or two of you out there who would miss the music lessons.

The first article I've published is titled Enabling XML Signing and Encryption in a Fedlet and explains the titular procedure.

The first musical interlude in this new way of working is Don't Ask Me Why performed by Eurythmics. From 1980 through 1991 I saw Eurythmics in concert five times and there was not a bad performance in the bunch. Live vicariously now through this live version.

Tuesday Jan 27, 2009

Customize an OpenSSO IDPAttributeMapper For Once

To implement a federated solution in which the consumer of a service can select which attributes are sent from the identity provider to the service provider in an assertion, write a custom IDPAttributeMapper. Its getAttributes() method takes the OpenSSO SSOToken as one of its parameters. From this, you can determine who the end user is, pull the correct attributes for that user, and return the values as an attribute list. The identity provider takes the attributes and sends them to the service provider as part of a SAMLv2 assertion.
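As an added example, not the project's own code, here is one such mapper. It reads the user's release choice from a profile attribute (a constructed convention; the attribute name and the allow-list are assumptions), intersects it with what the deployment permits releasing, and returns only those attributes as SAMLv2 Attribute objects; the IDPAttributeMapper signature and the idm/assertion factory calls are OpenSSO's.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.IDPAttributeMapper;

/**
 * Custom IDPAttributeMapper: the user's own choice of which profile attributes
 * to release is read from a profile attribute (constructed convention), and only
 * names on a fixed allow-list are ever released to the service provider.
 */
public class UserSelectedAttributeMapper implements IDPAttributeMapper {
    /** Hypothetical profile attribute holding the user's choice, e.g. "mail,givenName". */
    static final String CHOICE_ATTR = "samlReleaseChoice";
    /** Attributes this deployment permits releasing; anything else is dropped. */
    static final Set<String> RELEASABLE = new HashSet<String>(
            Arrays.asList("mail", "givenName", "sn"));
    /** Standard SAML 2.0 attribute name format URI. */
    static final String BASIC_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";

    /** Parses the stored choice (comma-separated) and keeps only allow-listed names, in order. */
    static List<String> selectedNames(Set<String> choiceValues) {
        Set<String> seen = new LinkedHashSet<String>();
        if (choiceValues != null) {
            for (String csv : choiceValues) {
                for (String raw : csv.split(",")) {
                    String name = raw.trim();
                    if (name.length() > 0 && RELEASABLE.contains(name)) {
                        seen.add(name);
                    }
                }
            }
        }
        return new ArrayList<String>(seen);
    }

    public List getAttributes(Object session, String hostEntityID,
            String remoteEntityID, String realm) throws SAML2Exception {
        try {
            SSOToken token = (SSOToken) session;          // tells us who the end user is
            AMIdentity user = IdUtils.getIdentity(token);
            List<Attribute> result = new ArrayList<Attribute>();
            for (String name : selectedNames(user.getAttribute(CHOICE_ATTR))) {
                Set values = user.getAttribute(name);     // profile values for this attribute
                if (values == null || values.isEmpty()) {
                    continue;                             // nothing to release for this name
                }
                result.add(toSamlAttribute(name, new ArrayList<String>(values)));
            }
            return result;                                // goes into the SAMLv2 assertion
        } catch (SSOException e) {
            throw new SAML2Exception(e.getMessage());
        } catch (IdRepoException e) {
            throw new SAML2Exception(e.getMessage());
        }
    }

    /** Wraps one profile attribute and its values as a SAMLv2 Attribute element. */
    static Attribute toSamlAttribute(String name, List<String> values) throws SAML2Exception {
        Attribute attr = AssertionFactory.getInstance().createAttribute();
        attr.setName(name);
        attr.setNameFormat(BASIC_NAME_FORMAT);
        attr.setAttributeValueString(values);
        return attr;
    }
}
```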

Once you've finished, check out the video for the Academy Award-winning song from the movie Once. Excellent film about two people Falling Slowly in love. The love segued into real life until last night when I read that Glen Hansard and Marketa Irglova were no longer a couple. Worse things have happened but they were a sweet couple in the film.

Friday Jan 09, 2009

SAMLv2 Assertion Failover in OpenSSO

SAMLv2 Assertion Failover, when enabled, redirects a request for an assertion to a second identity provider if the identity provider that initially created the assertion is out of commission. The feature piggybacks on OpenSSO Session Failover configuration by using the same databases. Here is the procedure to configure and test SAMLv2 Assertion Failover.
  1. Deploy 2 instances of OpenSSO Enterprise to act as identity providers and 1 load balancer in front of them.
  2. Set up the entities as a site with servers (using the OpenSSO console) and confirm that the configurations work.
  3. Install and set up session failover as documented in the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
  4. Deploy 1 instance of OpenSSO Enterprise to act as service provider.
  5. On all three provider instances of OpenSSO, enable SAMLv2 Assertion Failover.
    1. Log in to the OpenSSO console as administrator.
    2. Click the Configuration tab.
    3. Click the Global tab.
    4. Click the SAMLv2 Service Configuration link.
    5. Check the box next to Enable SAMLv2 Failover.
    6. Click Save.
    7. Log out of the console.
  6. Configure each server instance of OpenSSO as the appropriate entity provider and member of the same SAMLv2 circle of trust.
  7. Export the entity provider metadata from all three server instances of OpenSSO.
  8. Load the service provider and identity provider metadata on the respective instances of OpenSSO and on the load balancer.

    You need to create the metadata for the load balancer. See your load balancer's documentation for more information. Make sure you change the URL values in the load balancer metadata from the OpenSSO instances behind the load balancer to the load balancer URL itself.
  9. Modify spAssertionConsumer.jsp on the service provider machine to add a sleep long enough to shut down the identity provider on which the request will land. (See step 11.)

    Object newSession = null;
    SAML2Utils.debug.error("Before sleep Assertion Failover");
    SAML2Utils.debug.message("Before sleep Assertion Failover");
    try {
        Thread.sleep(50000); // 50 seconds; the checked InterruptedException must be handled in a JSP scriptlet
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
    }
    SAML2Utils.debug.error("After sleep Assertion Failover");
    SAML2Utils.debug.message("After sleep Assertion Failover");
  10. Initiate single sign-on using the following URL: http://host-machine.domain:port/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=LB-host-machine.LB-domain

    Before proceeding to the next step, run tail on the SAMLv2 debug logs (located in OpenSSO-install-directory/opensso/debug) on the identity provider host machines to see where the single sign-on request lands.
  11. After providing the service provider user credentials, monitor the log and shut down the identity provider on which the initial single sign-on request landed.

    Make sure the user is not federated before shutting down the identity provider. The sleep time added to spAssertionConsumer.jsp in the previous step should allow enough time for this. (See step 9.)
  12. Verify that federation successfully occurs after the identity provider is shut down. This confirms that assertion failover was successful.
  13. Initiate single logout using the following URL:

    http://host-machine.domain:port/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=LB-host-machine.LB-domain
  14. Bring the previously shut down identity provider back up and, once again, initiate single sign-on using the following URL:

    http://host-machine.domain:port/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=LB-host-machine.LB-domain
  15. Monitor the log and shut down the identity provider on which this second single sign-on request landed.
  16. Initiate single logout using the following URL:

    http://host-machine.domain:port/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=LB-host-machine.LB-domain
  17. A successful logout confirms assertion failover is working.

And now that Assertion Failover has been correctly configured, put your footsies up and check out this live version of The Killers' latest hit - are we Human or are we dancer?

Wednesday Dec 03, 2008

A Spring Framework in the OpenSSO Step

OpenSSO Community member Miquel has developed an extension based on Spring Security. Spring Security provides comprehensive security services for J2EE-based software applications with an emphasis on those built using the Spring Framework, an open source Java application framework.

In honor of our new extension, enjoy The Go-Betweens Spring Rain.

Tuesday Dec 02, 2008

Fedlet Logging and Loggins' Footloose

The Fedlet is a small-footprint SAMLv2 JAR that can be deployed with a service provider application. It handles only SAMLv2 identity provider initiated POST profiles. The application in which it is embedded can then consume a SAML assertion to identify the user and the identity attributes. The Fedlet uses your installed JDK to log its authentication access and errors (single sign-on successes, single logouts, etc.). By default, it uses the configuration defined in JAVA_HOME/jre/lib/logging.properties. You can set the logging level to FINEST to see more details. For additional logging information, you can modify fedletSampleApp.jsp. More information on that modification can be found here. For debugging, the location of the debug file is defined in the OpenSSO file FederationConfig.properties.

And when done logging, check out Kenny Loggins singing (and Kevin Bacon foot-syncing) in the music video for Footloose.

Wednesday Nov 26, 2008

Sweeping SAMLv2 Assertions from the 7th Floor

The following information was just put in the Sun OpenSSO Enterprise 8.0 Administration Guide but the new version won't be published until next week. Read the information here first. (There might be some changes to this entry based on answers to questions I have sent the engineer. I will update as necessary.)

Requesting Identity Attributes via a SAMLv2 Assertion

The Assertion Query/Request profile specifies a means for requesting attributes (and the corresponding values) from a specific identity profile. A successful response is the return of an assertion containing the requested information. The identity provider acting as the attribute authority uses the com.sun.identity.saml2.plugins.AttributeAuthorityMapper to process queries. This default implementation uses the attribute map table configured in the identity provider's extended metadata; this table maps the requested SAMLv2 attributes to the user profile attributes in the identity data store. (If an attribute map is not configured, no attributes will be returned.)

To set OpenSSO to use a customized attribute mapper implementation, modify the values of the default_attributeAuthorityMapper and x509Subject_attributeAuthorityMapper properties in the extended metadata of the provider defined as the attribute authority. The default_attributeAuthorityMapper value is used for standard attribute queries and the x509Subject_attributeAuthorityMapper value is used for attribute queries with an X509 subject. The X509 mapper maps an X509 subject to a user by searching the identity data store for a specified attribute. (The specified attribute is defined as the value of the x509SubjectDataStoreAttrName property in the identity provider extended metadata of the attribute authority.) If the user has the specified attribute and the attribute's value is the same as that of the X509 subject in the attribute query, that user is used.

Only SOAP binding is supported. Signing is required, so make sure the Signing Certificate Alias attribute of the providers acting as the attribute requester and the attribute authority is configured.

  • To send an attribute query from the requester, use the following method of com.sun.identity.saml2.profile.AttributeQueryUtil.

    public static Response sendAttributeQuery(
        AttributeQuery attrQuery,
        String attrAuthorityEntityID,
        String realm,
        String attrQueryProfile,
        String attrProfile,
        String binding)
        throws SAML2Exception;
  • To construct an AttributeQuery object, use com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.*.
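As an added example (not from the OpenSSO documentation), here is a requester-side helper that builds an AttributeQuery with the assertion and protocol factories, calls the sendAttributeQuery method above over SOAP, checks the status, and flattens the returned attribute statements. The profile, binding and name-format URIs are the standard SAML 2.0 ones; the factory and accessor method names are assumed from the OpenSSO saml2 API, and the NameID value and format you pass must match what the attribute authority's mapper (default or X509) expects.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.assertion.AttributeStatement;
import com.sun.identity.saml2.assertion.Issuer;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.assertion.Subject;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.saml2.profile.AttributeQueryUtil;
import com.sun.identity.saml2.protocol.AttributeQuery;
import com.sun.identity.saml2.protocol.ProtocolFactory;
import com.sun.identity.saml2.protocol.Response;

/** Requester side of the SAMLv2 Assertion Query/Request profile (attribute query). */
public class AttributeQueryClient {
    // Standard SAML 2.0 URIs from the OASIS profiles and bindings specifications.
    static final String QUERY_PROFILE = "urn:oasis:names:tc:SAML:2.0:profiles:query";
    static final String BASIC_ATTR_PROFILE = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:basic";
    static final String SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";
    static final String BASIC_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";
    static final String NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    /** Builds the query: issuer = requester entity, subject = the principal, one Attribute per name. */
    static AttributeQuery buildQuery(String requesterEntityID, String nameIDValue,
            List<String> attrNames) throws SAML2Exception {
        AssertionFactory af = AssertionFactory.getInstance();
        ProtocolFactory pf = ProtocolFactory.getInstance();

        Issuer issuer = af.createIssuer();
        issuer.setValue(requesterEntityID);

        NameID nameID = af.createNameID();
        nameID.setValue(nameIDValue);          // must be resolvable by the authority's mapper
        nameID.setFormat(NAMEID_UNSPECIFIED);
        Subject subject = af.createSubject();
        subject.setNameID(nameID);

        List<Attribute> wanted = new ArrayList<Attribute>();
        for (String name : attrNames) {
            Attribute a = af.createAttribute();
            a.setName(name);
            a.setNameFormat(BASIC_NAME_FORMAT);
            wanted.add(a);
        }

        AttributeQuery query = pf.createAttributeQuery();
        query.setID(SAML2Utils.generateID());
        query.setVersion(SAML2Constants.VERSION_2_0);
        query.setIssueInstant(new Date());
        query.setIssuer(issuer);
        query.setSubject(subject);
        query.setAttributes(wanted);
        return query;
    }

    /**
     * Sends the query over SOAP (the utility signs it with the requester's Signing
     * Certificate Alias) and returns the attributes found as name -> list of values.
     */
    static Map<String, List<String>> fetchAttributes(String requesterEntityID, String realm,
            String attrAuthorityEntityID, String nameIDValue, List<String> attrNames)
            throws SAML2Exception {
        AttributeQuery query = buildQuery(requesterEntityID, nameIDValue, attrNames);
        Response response = AttributeQueryUtil.sendAttributeQuery(query, attrAuthorityEntityID,
                realm, QUERY_PROFILE, BASIC_ATTR_PROFILE, SOAP_BINDING);

        // Fail closed on anything but a Success status code.
        String status = response.getStatus().getStatusCode().getValue();
        if (!SAML2Constants.SUCCESS.equals(status)) {
            throw new SAML2Exception("attribute query rejected: " + status);
        }

        Map<String, List<String>> result = new LinkedHashMap<String, List<String>>();
        // Plain assertions only: an authority configured to encrypt assertions returns them
        // via getEncryptedAssertion(), and those must be decrypted with the requester's key.
        List assertions = response.getAssertion();
        if (assertions == null) {
            return result;
        }
        for (Object ao : assertions) {
            List statements = ((Assertion) ao).getAttributeStatements();
            if (statements == null) {
                continue;
            }
            for (Object so : statements) {
                for (Object attrObj : ((AttributeStatement) so).getAttribute()) {
                    Attribute attr = (Attribute) attrObj;
                    result.put(attr.getName(), attr.getAttributeValueString());
                }
            }
        }
        return result;
    }
}
```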

Requesting a Cached SAMLv2 Assertion

The Assertion Query/Request profile specifies a means for requesting existing assertions using a unique identifier. The requester initiates the profile by sending an assertion request, referenced by the identifier, to a SAMLv2 authority. The SAMLv2 authority processes the request, checks the assertion cache for the identifier, and issues a response to the requester.

NOTE - In the metadata file of the identity provider acting as the SAMLv2 authority, add the following attribute to enable it to store assertions generated in the single sign-on, authentication query or attribute query process.

    <IDPSSOConfig metaAlias="/idp">
        <Attribute name="assertionCacheEnabled">
            <Value>true</Value>
        </Attribute>
    </IDPSSOConfig>

com.sun.identity.saml2.plugins.AssertionIDRequestMapper is the default implementation used to process the assertion request. To define a customized mapper, change the value of the assertionIDRequestMapper property in the extended metadata of the provider acting as SAMLv2 attribute authority or authentication authority.

  • To send a request for an assertion from a provider, use either of the following methods of com.sun.identity.saml2.profile.AssertionIDRequestUtil.

    public static Response sendAssertionIDRequest(
        AssertionIDRequest assertionIDRequest,
        String samlAuthorityEntityID,
        String role,
        String realm,
        String binding)
        throws SAML2Exception;

    public static Assertion sendAssertionIDRequestURI(
        String assertionID,
        String samlAuthorityEntityID,
        String role,
        String realm)
        throws SAML2Exception;
  • To construct an assertion request object, use com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.*.

If SOAP binding is used, signing is required so the Signing Certificate Alias attribute of the service provider, identity provider, attribute authority and authentication authority metadata must be configured. In order to implement URI binding, you must write a custom mapper so that authenticateRequesterURI will not throw an exception.

Requesting SAMLv2 Authentication Context Information

A SAMLv2 assertion contains information regarding the context of a principal's authentication. The requesting party may require this additional information (for example, the authenticating technology or protocol used) in order to assess the level of confidence they can place in the assertion. To retrieve authentication context information, the service provider issues a query to the authentication authority.

Only SOAP binding is supported for this request, and signing is required, so make sure the Signing Certificate Alias attribute of the service provider and the authentication authority is configured.

To Configure for Authentication Context Query
  1. Create and load the metadata for the service provider.
  2. Create the metadata for the identity provider using ssoadm and specifying the following additional options.
    • -C Defines the meta Alias for the hosted authentication authority to be created. The format must be realm name/identifier.
    • -D Defines the authentication authority signing certificate alias.
    • -E Defines the authentication authority encryption certificate alias.

    For example:
    ssoadm create-metadata-templ -u amadmin -f /tmp/pw -m /home/user1/tmp/mm -x /home/usr1/tmp/xx -s /idp -a test -r test -C /authna -D test2 -E test2 -y example.com
  3. Add the following attribute to the identity provider metadata file just created. This allows the identity provider to store assertions generated during the SAMLv2 single sign-on process.
    <IDPSSOConfig metaAlias="/idp">
    <Attribute name="assertionCacheEnabled">
    <Value>true</Value>
    </Attribute>
    </IDPSSOConfig>
  4. Configure for SAMLv2 single sign-on.
  5. Do either of the following:
    • To send an authentication query from the service provider, use the following com.sun.identity.saml2.profile.AuthnQueryUtil method.

      public static Response sendAuthnQuery(
          AuthnQuery authnQuery,
          String authnAuthorityEntityID,
          String realm,
          String binding)
          throws SAML2Exception;
    • To construct an AuthnQuery object, use com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.*.

Mapping SAMLv2 Name Identifiers

The NameID Mapping Protocol allows a service provider that shares an identifier for a principal with an identity provider to obtain a name identifier for that principal in another format, or one that is in another federation name space (for example, one shared between the identity provider and another service provider). The requester initiates the profile by sending a NameIDMappingRequest message to the identity provider. After processing the request, the identity provider issues a NameIDMappingResponse message to the requester.

Only SOAP binding is supported. Signing is required so make sure the Signing Certificate Alias attribute of the identity provider and the service provider is configured.

To send a NameIDMappingRequest message from the service provider, use the following method of com.sun.identity.saml2.profile.NameIDMapping.

    public static NameIDMappingResponse initiateNameIDMappingRequest(
        Object session,
        String realm,
        String spEntityID,
        String idpEntityID,
        String targetSPEntityID,
        String targetNameIDFormat,
        Map paramsMap)
        throws SAML2Exception;

And now that we are finished sweeping the floor, how about some dancing on the floor? Here's a home-made video to Paul Nicholas' number 7 hit from 1977, Heaven on the 7th Floor.

Wednesday Aug 27, 2008

Change the Fedlet's Preferred IDP with John Waite

In order to change the preferred identity provider configured for a Fedlet, you can either remove the identity provider discovery cookie from the browser, or choose another identity provider to perform a single sign-on interaction. Following the latter, the identity provider is then set as the preferred identity provider.

Now here's the original MTV video (with attempted suicide and all) for Change, the hit single from former Babys front man, John Waite.

Change was a WLIR Screamer of the Week before they realized Waite wasn't new wave.

I'm in huge writing mode for the upcoming release of OpenSSO so please forgive for the relative dearth of posts. You're gonna love the books though!

Sunday Aug 17, 2008

Sampling the OpenSSO Samples and Yazoo

There are three types of samples included with OpenSSO.

  1. Server samples are included with the OpenSSO WAR. The samples can be accessed by appending /uri/samples to the OpenSSO server URL and entering it in the Location bar of a browser; by default, this would be http://hostname.domain:8080/opensso/samples. The samples include authentication, Liberty ID-FF, SAMLv2, and multi-federation protocol. I haven't checked them out yet.
  2. The Client SDK samples are located in the opensso-client-jdk15.war inside the opensso-client.zip. More information is in these entries:

  3. Command line interface samples are located in the sdk directory inside the unzipped opensso-client.zip. See OpenSSO Client SDK: Command-line Samples for more information.
And since we are talking samples, let's listen to a moment in time: the song that has one of the most used samples in music history. In 1982, Vince Clarke says something funny and Alison Moyet laughs during the recording of the Yaz song Situation, and they decide to keep it in the recording. I have heard that laugh sampled on a huge number of remixes and new songs over the last 25 years but there ain't nothing like hearing it as originally intended.

I saw them at the Paramount Theater in Oakland, CA on July 7, 2008. What a show!

Friday Aug 08, 2008

HELP! Review OpenSSO During Early Access

Sun is now soliciting feedback regarding the Early Access download (Express Build 5) of the OpenSSO software. Here's the official marketing shpiel:

The OpenSSO Project is soliciting feedback on their Early Access Build -- OpenSSO Express Build 5. With the release of this build, community members now have the opportunity to participate in the Early Access (EA) program for Sun's next commercial offering. Review the Early Access documentation and hammer away at Express Build 5! Send your EA feedback to opensso.eafeedback@dev.java.net so we can make the product perfect. Thanks in advance!

Now here's my shpiel - or should I say the Beatles shpiel in my stead:

But who would embed the Beatles HELP without also embedding the Bananarama version featuring Lananeeneenoonoo (or Dawn French, Jennifer Saunders and Kathy Burke).

And they did it all for others.

Just like all of us. Thanks.

Thursday Aug 07, 2008

Discovering and Setting (On Fire?) Preferred Identity Providers

Here is additional information on the Identity Provider Discovery Service. Discovering the SAMLv2 IDP Discovery Service and the Discovery LP has general information and the procedure for setting up and testing the Identity Provider Discovery Service. Here is the process to set a preferred identity provider.

NOTE: spSSOInit.jsp is used to initiate single sign-on from the service provider side. On receiving a request for access, spSSOInit.jsp verifies that the required parameters are defined. See the Sun Java System SAML v2 Plug-in for Federation Services User's Guide for more information.

  1. A user accesses spSSOInit.jsp to initiate single sign-on on the service provider side, and passes to it the value of the idpEntityID parameter.

    The value is the entity identifier of the identity provider to which the request should be sent.
  2. The service provider retrieves the identity provider's single sign-on service URL using the value of the idpEntityID and redirects the user to it.
  3. Assuming the user is not authenticated, the identity provider prompts the user for credentials.

    If the Identity Provider Discovery Service is configured, the user will be redirected to the Identity Provider Discovery Service Writer Service URL with the identity provider information. The Discovery Service Writer Service URL sets the common domain cookie.
  4. The Identity Provider Discovery Service Writer Service URL sets the cookie with the identity provider information and redirects the user back to the identity provider's single sign-on service URL.

    The preferred identity provider is now set.
  5. The identity provider's single sign-on service URL completes the single sign-on process.

Here is the process when discovering a preferred identity provider.

  1. A user accesses spSSOInit.jsp to initiate single sign-on on the service provider side and one of the following occurs:

    • If the value of idpEntityID is passed, the identity provider will be contacted directly. See the previous procedure.
    • If there is no value for idpEntityID but the Identity Provider Discovery Service is configured, the user will be directed to the Reader Service URL to retrieve the preferred identity provider's entity identifier. In this case, the RelayState parameter points back to spSSOInit.jsp.
  2. The Identity Provider Discovery Service Reader Service URL checks for an identity provider discovery cookie and, if set, extracts the preferred identity provider, returning the information as a query parameter in the relay state URL.
  3. spSSOInit.jsp checks for the preferred identity provider in the returned URL.

    • If the preferred identity provider is set, the request is sent to it for single sign-on.
    • If the preferred identity provider is not set, an error is displayed stating this.
Whewww, that was hot! But not as hot as the 5000 Volts song (with an uncredited Tina Charles singing lead), I'm On Fire. Was there ever anything as remotely entertaining as disco? (Don't answer that if you are going to be mean.)

Sunday Aug 03, 2008

What Are You Doing The RESTful of Your Life?

I was looking for information on REST and found this great article on developers.sun.com. Check it out if you need to get REST.

And here is Miss Peggy Lee singing What Are You Doing the Rest of Your Life?

Monday Jul 28, 2008

Question Me An Answer About Federation

Following are a bunch of high-level answers to some questions regarding federation configuration.

  1. How can a service provider request one or more individual attributes (or a Class of Attributes) from an identity provider for a specified principal in a single request?

    • The identity provider can be configured to send any of a principal's attributes during the single sign-on process by defining simple attribute mappings for both the identity provider and service provider using the console.
    • Using SAMLv1 or SAMLv2, an explicit Attribute Query can be sent to an Attribute Authority.
    • Configure the Liberty Personal Profile Service.
  2. These options can also be used if an identity provider wants to send one or more attributes in a single response to the requesting entity.

  3. How can a service provider indicate that they are federated to an identity provider as a member of an affiliation rather than a circle of trust?

    An affiliation (referenced by an affiliationID) is a grouping of entity providers maintained by an affiliation owner who chooses the members without regard to the boundaries of any circles of trust which might also include the providers as members. Affiliation data is part of the provider metadata and the service provider request itself denotes whether it is an affiliation or not.
  4. How might a service provider or identity provider request a list of members in an affiliation?

    Affiliation-based federation is driven by a boolean flag at the service provider and uses the affiliationID defined for the remote provider (since a local provider can participate in more than one affiliation). The affiliationID can be used to request a list of members.
  5. How might a service provider indicate in an authentication request that they are acting as a member of an affiliation?

    Affiliation-based federation is driven by a boolean flag at the service provider and uses the affiliationID defined for the remote provider (since a local provider can participate in more than one affiliation). If enabled, the authentication request will be sent with the affiliation flag set to true.
  6. How might a service provider indicate in an attribute request that they are acting as a member of an affiliation?

    For explicit attribute requests, I am not sure if there is a flag to indicate whether it is acting as an affiliation however, if it is during authentication process, the affiliation can be used.
  7. How might an identity provider verify the affiliation membership indicated in an attribute request?

    For explicit attribute requests, I am not sure if there is a flag to indicate whether it is acting as an affiliation; however, if it is during the authentication process, the affiliation can be used.
  8. How might a service provider make anonymous attribute requests and receive anonymous attribute responses? In other words, the ability to share attributes without disclosing the identity of the Principal to the requestor or Service Provider.

    In requests using SAML or the Liberty Personal Profile Service, the principal's real identity is not disclosed to the requesting service provider: the parties refer to the user by an opaque name identifier (an encrypted or pseudonymous federation handle) rather than by the user ID, so the attribute provider can answer for a principal the service provider cannot name. This holds only as long as the name identifier format is itself non-identifying (a persistent pseudonym or a one-time identifier, not an e-mail address) and the returned attributes do not identify the user on their own. You could also map the principal to an anonymous user.
  9. How might a service provider associate intended usage with the corresponding requested attributes in an attribute request to an identity provider?

    See item 10: usage directives, which are part of ID-WSF 2.0, are the mechanism for attaching intended usage to requested attributes.
  10. Guideline for Attribute Providers (in the usage negotiation scenario) to reply, always, to a service provider's attribute request with usage directives that, for privacy purposes, are equal to or stricter than those originally stated in the Service Provider's attribute request.

    The usage directives are part of ID-WSF 2.0, which we plan to implement in FAM 8.next releases.
Now Question Me An Answer from the movie musical, Lost Horizon.

Wednesday Jul 23, 2008

Here Comes the Express...OpenSSO and B.T.

Today is the day that Sun announces the OpenSSO Express build, and support and indemnification for OpenSSO. Here are some links with a bunch more information. In honor of this occasion, here comes the B.T. Express with, what else, Express.

Monday Jul 21, 2008

Watching MQ Traffic with OpenSSO Express

If you are using the new OpenSSO Express build 4.5 and want to watch session updates, additions, or deletions being recorded to amsessiondb.log when session failover is enabled, set the AMSESSIONDB_ARGS attribute to "-v" in the amsfo.conf file. Then you can count the MQ traffic with the following (the tail has to run in the background, otherwise the counts on the second line never run):
tail -f amsessiondb.log > a &
grep WRITE a | wc -l; grep DELETE a | wc -l; wc -l a
Here is an example of what the log file that records writes looks like:

Starting...  true
   /usr/jdk/instances/jdk1.5.0/jre/bin/java -Xms128m -Xmx512m -classpath /opt/opensso/instance1/sfo/jmq/mq/lib/imq.jar:/opt/opensso/instance1/sfo/jmq/mq/lib/jms.jar:/opt/opensso/instance1/sfo/ext/je.jar:/opt/opensso/instance1/sfo/locale:/opt/opensso/instance1/sfo/lib/am_sessiondb.jar:. com.sun.identity.ha.jmqdb.client.FAMHaDB
   Initailizing and connecting to the Message Queue server ...
   Checking for peer BDB daemon processes. Please wait ...
   Successfully started.
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=READ
   service=session
   READ message received.
   >>>>>>>>>>>>>> Read by Primary Key : -1098220087
   >>>>>>>>>>>>>> Found record !
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1098220087
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1098220087
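
A small parser for this -v output, added here as an example (it is not part of OpenSSO or of this post): it pairs each OP= line with the service= and Primary Key lines that follow it, so you can count messages per operation and see which session keys are being rewritten most. The log excerpt inside it is constructed from the lines above, with the java command line left out.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the amsessiondb.log output shown above
# (java command line omitted); it is not a live capture.
SAMPLE_LOG = """\
Starting...  true
   Initailizing and connecting to the Message Queue server ...
   Checking for peer BDB daemon processes. Please wait ...
   Successfully started.
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1279015892
   OP=READ
   service=session
   READ message received.
   >>>>>>>>>>>>>> Read by Primary Key : -1098220087
   >>>>>>>>>>>>>> Found record !
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1098220087
   OP=WRITE
   service=session
   WRITE message received.
   >>>>>>>>>>>>>> Write by Primary Key : -1098220087
"""

OP_RE = re.compile(r"^\s*OP=(\w+)\s*$")
SERVICE_RE = re.compile(r"^\s*service=(\S+)\s*$")
KEY_RE = re.compile(r"by Primary Key\s*:\s*(-?\d+)")


def parse_ops(log_text):
    """Yield one (op, service, primary_key) tuple per MQ message in a -v log.

    An OP= line opens a record; the service= and 'by Primary Key' lines that
    follow fill it in. A record that never reaches a key line (cut off by the
    next OP= line or by end of file) is still yielded, with key None.
    """
    op = service = key = None
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if m:
            if op is not None:
                yield op, service, key
            op, service, key = m.group(1), None, None
            continue
        if op is None:
            continue  # start-up chatter before the first OP= line
        m = SERVICE_RE.match(line)
        if m:
            service = m.group(1)
            continue
        m = KEY_RE.search(line)
        if m:
            key = int(m.group(1))
            yield op, service, key
            op = service = key = None
    if op is not None:
        yield op, service, key


def summarize(log_text):
    """Return (messages per operation, messages per (operation, key))."""
    by_op, by_key = Counter(), Counter()
    for op, _service, key in parse_ops(log_text):
        by_op[op] += 1
        by_key[(op, key)] += 1
    return by_op, by_key


def hot_keys(log_text, op="WRITE", top=3):
    """Keys receiving the most `op` messages, most active first.

    One key being rewritten far more often than its peers is the thing to
    look at when the session store or the MQ broker is under load.
    """
    _, by_key = summarize(log_text)
    return [(key, n) for (o, key), n in by_key.most_common() if o == op][:top]


if __name__ == "__main__":
    ops, _ = summarize(SAMPLE_LOG)
    print({name: ops[name] for name in ("WRITE", "READ", "DELETE")})
    print("busiest WRITE keys:", hot_keys(SAMPLE_LOG))
```

Point summarize at the real file (open("amsessiondb.log").read()) to get the same breakdown the grep and wc one-liner gives, plus the per-key view; a key that shows up with many more writes than the others is a session being updated on every request.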

Now go eat some cannibals with Toto Coelo. Mmm, mmm, good.

Friday Jul 18, 2008

Touching Legacy Mode in OpenSSO

Legacy mode in previous versions of the code that was open-sourced as OpenSSO is based on the Sun Java System Access Manager 6.3 architecture. There is no longer a legacy mode installation option in OpenSSO. Legacy mode is supported through upgrade only; if you have Sun Java System Access Manager 7.0 or 7.1 installed in legacy mode, you can upgrade to OpenSSO and keep it in legacy mode. Also, if you have Sun DS with AM schema installed, you can use the legacy mode features with the AMSDK data repository plugin.
There is no timeline set for removing legacy mode but it is strongly recommended not to use this option.

So don't touch legacy mode anymore - instead take a listen to Kim Wilde's 1984 UK hit, The Touch. Loved this song (and album) back then and I also love the pretty girls at the beginning of the video which never made it to this side of the pond until now.

Wednesday Jul 16, 2008

Using Sub-Realms in OpenSSO Again & Again

In general, you should use the default root realm (opensso) to configure identity data stores, and manage policies and authentication chains. After deployment, OpenSSO creates a Realm Administrator who can perform all operations in the configured root realm, and a Policy Administrator who can only create and manage policies. The use of sub-realms in OpenSSO should be restricted to the following two scenarios.
  1. Application Policy Delegation: The use case for this is when you need different Policy Administrators to create policies for a sub-set of resources. For example, assume a sub-realm named Paycheck is created and configured with a policy referral from the root realm that delegates protection of resources starting with https://paycheck.sun.com/paycheck. Within the Paycheck sub-realm, a Paycheck Administrator role or group is created and assigned Policy Administration privileges. These administrators can now log in to the sub-realm and create policies for their applications, and only for resources covered by the referral; the referral is what bounds what a sub-realm administrator can protect. By default, the sub-realm inherits the configuration data store and authentication chains of its parent; if these change in the parent, a corresponding change is needed in the sub-realm. All users still log in to the root realm for access to all the applications; the sub-realm exists primarily so the Policy Administrator can manage policies for the application. An educated guess on the number of sub-realms that can be supported would be about 100.
  2. ISP/ASP/Silo: The use case for this scenario is when each sub-realm is to have its own set of identity data stores, authentication chains, and policies. Ideally the only common thread between the root realm and the sub-realm is the referral policy created in the root realm to delegate a set of resources to the sub-realm. Users cannot log in to the root realm (unless they are a member of it) and must authenticate to their sub-realm, so agents must be configured to redirect user authentication to the particular sub-realm. With regard to performance, the most resource-consuming component is the persistent searches that each sub-realm's data stores open against the same directory. An educated guess on the number of sub-realms that can be supported would be about 50.
So now you know how to use sub-realms again & again as confirmed by The Bird and the Bee in their song titled (what else) Again & Again.

Friday Jul 11, 2008

Absolutely Fabulous OpenSSO Notification Properties

Currently, OpenSSO uses the following absolutely fabulous properties to define notification URLs.
  • com.sun.identity.client.notification.url defines the URL on the client side that will receive notifications from the Policy Service, the Session Service, and the User Management features of OpenSSO. The value is the URL of the agent; for example, http://my.test.domain.com:6948/agentapp. Setting the URL alone is not enough: com.sun.identity.agents.notification.enabled must also be set to true.
  • com.sun.identity.agents.notification.enabled enables (true) or disables (false) notifications to the agent caches.
  • com.sun.identity.idm.remote.notification.enabled enables (true) or disables (false) notifications to the am.sdk and IdRepo caches.
  • com.sun.identity.sm.notification.enabled enables (true) or disables (false) notifications to the service management caches.
NOTE: If com.sun.identity.idm.remote.notification.enabled and com.sun.identity.sm.notification.enabled are not set in the client-side AMConfig.properties, they default to true. If they are set to true but no URL is specified as the value of com.iplanet.am.notification.url, notifications will not be received. Finally, if the notification URL is defined but one of these properties is set to false, that cache falls back to polling.
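
The rules in that note are easy to get wrong in a hand-edited AMConfig.properties, so here is an added checker (example code, not from OpenSSO or this post) that reads a properties fragment and reports, per cache, whether it will receive notifications, fall back to polling, or have its flag on with no URL to deliver to. The three fragments inside it are constructed; the host name and port are the example values from above.

```python
# Constructed client-side AMConfig.properties fragments; the host name and
# port are the example values used above, not a real deployment.
GOOD = """\
com.iplanet.am.notification.url=http://my.test.domain.com:6948/agentapp
com.sun.identity.idm.remote.notification.enabled=true
com.sun.identity.sm.notification.enabled=true
"""
NO_URL = """\
# flags default to true, but nothing says where notifications should go
com.sun.identity.idm.remote.notification.enabled=true
"""
DISABLED = """\
com.iplanet.am.notification.url=http://my.test.domain.com:6948/agentapp
com.sun.identity.sm.notification.enabled=false
"""

URL_PROP = "com.iplanet.am.notification.url"
CACHE_FLAGS = {
    "am.sdk / IdRepo": "com.sun.identity.idm.remote.notification.enabled",
    "service management": "com.sun.identity.sm.notification.enabled",
}


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def cache_update_modes(props):
    """Apply the rules in the note above to each cache.

    flag unset            -> treated as true
    flag true,  URL empty -> "no notifications" (nothing is delivered)
    flag false            -> "polling"
    flag true,  URL set   -> "notification"
    """
    url = props.get(URL_PROP, "")
    modes = {}
    for cache, flag in CACHE_FLAGS.items():
        enabled = props.get(flag, "true").strip().lower() == "true"
        if not enabled:
            modes[cache] = "polling"
        elif not url:
            modes[cache] = "no notifications"
        else:
            modes[cache] = "notification"
    return modes


def misconfigured(props):
    """Caches whose flag is on but which have no URL to receive notifications at."""
    return sorted(c for c, m in cache_update_modes(props).items() if m == "no notifications")
```

Feed it the contents of the client's AMConfig.properties; anything listed by misconfigured() is a cache that is expecting notifications nobody can deliver, which is the case that produces stale policy or user data without an error in any log.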

And here's my notification to you of the absolutely fabulous video for the Pet Shop Boys song Absolutely Fabulous featuring Jennifer Saunders and Joanna Lumley. Ahhhh, those were the days, my friend.

Friday Jul 04, 2008

2 for the 4th: SuperPat and Dolly Parton

Where else you gonna see those names together?
  • For those who weren't able to attend SuperPat's OpenSSO presentation at JavaOne, here is Marina Sum's summary of it all. Good stuff.
  • Celebrate the Fourth with no fireworks and a cut from Dolly's patriotic long player For God and Country called Welcome Home. Stuff good.

Thursday Jul 03, 2008

Affiliation-based Federation with...ABBA?

An affiliation (referenced by an affiliationID) is a grouping of entity providers configured using OpenSSO and maintained by an affiliation owner who chooses the members without regard to the boundaries of any circles of trust which might also include the entity providers as members. Affiliation-based federation is indicated by a boolean flag at the service provider and uses the affiliationID defined for the remote provider (since a local provider can participate in more than one affiliation). If enabled, the authentication request will be sent with the affiliation flag set to true.

Affiliation data is part of the provider metadata. A service provider request denotes whether the request is being made as part of an affiliation or not. If services are invoked as an affiliation member, a service provider might issue an authentication request for a user on behalf of the affiliation. When authentication is secured, the user can achieve single sign-on with all members of the affiliation.
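
Items 5 and 7 of the earlier Q&A ask how a service provider signals that it is acting for an affiliation and how the identity provider verifies that claim. The following is an added example of that check, written against SAML 2.0 rather than Liberty ID-FF, and it is not OpenSSO code: in SAML 2.0 metadata an affiliation is an AffiliationDescriptor listing its AffiliateMember entities, and a member asks for an affiliation-scoped name identifier by setting NameIDPolicy/@SPNameQualifier to the affiliation's entityID. The metadata, entity IDs and request inside it are constructed.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to resist entity attacks

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed metadata: one affiliation (assumed entityID https://affiliation.example.org)
# whose owner lists two member service providers. Not taken from any real deployment.
AFFILIATION_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://affiliation.example.org">
  <md:AffiliationDescriptor affiliationOwnerID="https://affiliation.example.org">
    <md:AffiliateMember>https://paycheck.example.com/sp</md:AffiliateMember>
    <md:AffiliateMember>https://benefits.example.com/sp</md:AffiliateMember>
  </md:AffiliationDescriptor>
</md:EntityDescriptor>
"""

# Constructed AuthnRequest from one member, asking for a name identifier scoped to
# the affiliation rather than to itself (the SAML 2.0 form of the "affiliation flag").
AUTHN_REQUEST = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_a1b2c3" Version="2.0" IssueInstant="2008-07-03T12:00:00Z">
  <saml:Issuer>https://paycheck.example.com/sp</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                      SPNameQualifier="https://affiliation.example.org"
                      AllowCreate="true"/>
</samlp:AuthnRequest>
"""


def load_affiliations(metadata_xml):
    """Return {affiliationID: set of member entityIDs} from SAML 2.0 metadata."""
    root = ET.fromstring(metadata_xml)
    affiliations = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        ad = ed.find("md:AffiliationDescriptor", NS)
        if ad is None:
            continue
        members = {m.text.strip() for m in ad.findall("md:AffiliateMember", NS) if m.text}
        affiliations[ed.get("entityID")] = members
    return affiliations


def requested_affiliation(authn_request_xml):
    """Return (issuer, affiliationID) for an AuthnRequest.

    affiliationID is None unless NameIDPolicy/@SPNameQualifier names an entity
    other than the issuer itself, which is how a member asks to act on behalf
    of its affiliation.
    """
    root = ET.fromstring(authn_request_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    policy = root.find("samlp:NameIDPolicy", NS)
    qualifier = policy.get("SPNameQualifier") if policy is not None else None
    return issuer, (qualifier if qualifier and qualifier != issuer else None)


def verify_affiliation(authn_request_xml, affiliations):
    """Identity-provider side check before issuing an affiliation-scoped identifier.

    Returns (accepted, affiliationID or None, reason). An unknown affiliation, or an
    issuer that is not one of its listed members, is rejected: otherwise any SP could
    obtain the pseudonym the affiliation shares and single sign-on to its members.
    """
    issuer, affiliation_id = requested_affiliation(authn_request_xml)
    if affiliation_id is None:
        return True, None, "ordinary request, no affiliation involved"
    members = affiliations.get(affiliation_id)
    if members is None:
        return False, affiliation_id, "affiliation not present in metadata"
    if issuer not in members:
        return False, affiliation_id, f"{issuer} is not a member"
    return True, affiliation_id, "issuer is a listed member"
```

Accepting an affiliation request means issuing a persistent name identifier whose SPNameQualifier is the affiliation ID, so the same pseudonym is shared by every member and gives the user single sign-on across them; that is why the membership check has to happen before the identifier is issued, and why it should be made against metadata the identity provider obtained from the affiliation owner and verified, never against anything carried in the request itself.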

And for those who don't know - I have an affiliation with ABBA. In honor of the upcoming release of Mamma Mia here's the group's music video for the title tune (mysteriously aped in Muriel's Wedding for Muriel and Rhonda's karaoke performance of...Waterloo?).

And here's the trailer for the film. Meryl Streep (sounding great), Julie Walters and an uncredited (?) Christine Baranski - what a trio!!

Wednesday Jul 02, 2008

Federated Access Manager Supported Data Stores and Operations

THIS INFORMATION IS STILL BEING UPDATED AND MAY CHANGE BEFORE THE FALL 2008 FEDERATED ACCESS MANAGER 8.0 RELEASE.

Federated Access Manager contains a lot of data and supports a number of products in which to store it. The following sections contain information regarding this support and the specific operations that can be performed on the data by each product.
  1. Directory Support
  2. Supported Identity Data Store Operations
  3. Notification Support

Directory Support

The table below lists the directories supported for the different types of data.


Columns: Sun DS = Sun Directory Server; AD = Active Directory; Tivoli = IBM Tivoli Directory; Other = LDAP v3 server (other).

Data / feature                                                 | Sun DS                 | AD    | Tivoli | Other
---------------------------------------------------------------|------------------------|-------|--------|------
User Data Store                                                | Yes                    | Yes   | Yes    | No
Configuration Data Store*                                      | Yes                    | No    | No     | No
AM SDK (legacy)                                                | Yes                    | No    | No     | No
LDAP Authentication                                            | Yes                    | Yes   | Yes    | Yes
Membership Authentication                                      | Yes                    | No    | No     | No
AD Authentication                                              | N/A                    | Yes** | N/A    | N/A
Policy Subjects and Policy LDAPFilter Condition                | Yes                    | Yes   | Yes    | Yes
Password Reset                                                 | Yes (with AM SDK only) | No    | No     | No
Account Lockout                                                | Yes                    | No    | No     | No
Certificate Authentication                                     | Yes                    | Yes   | Yes    | Yes
MSISDN Authentication                                          | Yes                    | Yes   | Yes    | Yes
Data Store Authentication (through LDAPv3 identity data store) | Yes                    | Yes   | Yes    | Yes

* OpenDS can be configured as the embedded configuration data store during your initial Federated Access Manager configuration. It cannot be configured as an external configuration data store as the Sun Directory Server can. OpenDS is not currently supported as a user data store.

** There are some limitations.

As a side note, authentication also supports the JDBC repository through the JDBC authentication module.

Supported Identity Data Store Operations

IDRepo is the interface to provide basic management for user, group, role and agent entities. This interface allows support for any identity data repository with the development of a plug-in. Although currently limited to three directories, it can be expanded to include any LDAPv3 directory (like OpenLDAP or Novell Directory), a Java Database Connectivity (JDBC) directory, flat files, and others.

The matrix below specifies current support through the IDRepo interface. We have a specific implementation for each supported identity repository. The default implementation of this interface can be used and is supported for any LDAPv3 repository.

The following table lists operations supported by each data store type.


Operation                       | Sun DS (LDAP v3) | IBM Tivoli (LDAP v3) | AD (LDAP v3) | LDAP v3 (generic) | AM SDK (legacy)
--------------------------------|------------------|----------------------|--------------|-------------------|----------------
User Create                     | Yes              | Yes                  | Yes*         | No                | Yes
User Modify                     | Yes              | Yes                  | Yes*         | No                | Yes
User Delete                     | Yes              | Yes                  | Yes*         | No                | Yes
Role Create                     | Yes              | Yes                  | No           | No                | Yes
Role Modify                     | Yes              | Yes                  | No           | No                | Yes
Role Delete                     | Yes              | Yes                  | No           | No                | Yes
Role Assignment                 | Yes              | Yes                  | No           | No                | Yes
Role Evaluation for membership  | Yes              | Yes                  | No           | No                | Yes
Group Create                    | Yes              | Yes                  | No           | No                | Yes
Group Modify                    | Yes              | Yes                  | No           | No                | Yes
Group Delete                    | Yes              | Yes                  | No           | No                | Yes
Group Assignment                | Yes              | Yes                  | No           | No                | Yes
Group Evaluation for membership | Yes              | Yes                  | Yes          | No                | Yes
Federation Attributes           | Yes              | Yes                  | Yes          | No                | Yes

* Needs some fixes.

Notification Support

Data changes in directories need to be propagated to OpenSSO in a timely manner. The data in OpenSSO is updated in two ways:

  1. Polling of the directories
  2. Notifications from the directories

For notification, Federated Access Manager subscribes to persistent search notifications provided by the directories. For polling, it provides configurable parameters to specify the time intervals. When multiple instances of Federated Access Manager are running, the configuration data changes can also be propagated to those instances.

And now watch how the dancers support Goldie Hawn as she sings Star, the title tune from the 1960s film musical biography about Gertrude Lawrence and starring an excellently-cast Julie Andrews.
