Dennis, Sun engineer extraordinaire, has just uploaded the Federated Access Manager 8.0 OpenSSO Commandline Interface Usage and Samples document. We'll have to get him to change the name next time he regenerates it but, in the meantime, here is everything you'd want to know about the newly-christened ssoadm command line interface.
But Dennis isn't the only one who has uploaded something hot off the press. My Jack Russell Terrier, Max, uploaded a video made as an ode to his treat ball. He's not the best singer (although back in the day he was considered the Manilow of the dog park) but he's sincere. His lyrics are published here.
Max hopes this video meets Dennis' high standards.
The OpenSSO Security Token Service was developed from the WS-Trust protocol, which defines extensions to the WS-Security specification for issuing and exchanging security tokens and for establishing and assessing the presence of trust relationships. The Security Token Service is hosted as a servlet endpoint and coordinates security-based interactions between a WSC and a WSP. The Security Token Service:
Issues, renews, cancels, and validates security tokens.
Allows customers to write their own plug-ins for different token implementations and for different token validations.
Provides a WS-Trust based API for client and application access.
Provides security tokens including Kerberos, Web Services-Interoperability Basic Service Profile (WS-I BSP), and Resource Access Control Facility (RACF).
Here is some information on supported security tokens in OpenSSO.
Security Token Service Supported Tokens
Tokens that can be authenticated:
Tokens that can be issued:
End user tokens that can be converted or validated out of the box:
OpenSSO SSOToken to SAML 1.1 or SAML 2.0 token
SAML 1.1 or SAML 2.0 token to OpenSSO SSOToken
Additionally, end user tokens can be converted or validated after customization. In this case, the new token is an On Behalf Of token (based on the WS-Trust protocol element) carried in the WS-Trust request as part of the SOAP body and not as an authentication token carried as part of the SOAP header. Custom tokens can also be created and sent On Behalf Of an end user token for conversion or validation by the Security Token Service. To do this, implement the com.sun.identity.wss.sts.ClientUserToken interface and put the implemented class name in AMConfig.properties on the client side and in the global Security Token Service configuration using the OpenSSO
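As an added illustration (not code from the OpenSSO document or project), the snippet below builds a WS-Trust RequestSecurityToken in which the WSC's own UsernameToken sits in the WS-Security header while the end user's SAML 2.0 assertion travels in the SOAP body as wst:OnBehalfOf, then shows how a receiver tells the two apart. The namespace URIs are the standard WS-Trust 1.3, WSS and SAML 2.0 ones; the user names and assertion content are constructed sample values.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a minimal SAML 2.0 assertion standing in for the end user's token.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML2}" ID="_sample-1" Version="2.0">'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)

def build_rst(wsc_user, end_user_token_xml):
    """Build an Issue request: the WSC authenticates itself with a UsernameToken in
    the wsse:Security header; the end user token rides in the body as wst:OnBehalfOf."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{WSSE}">'
        f'<wsse:UsernameToken><wsse:Username>{wsc_user}</wsse:Username>'
        '</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body><wst:RequestSecurityToken xmlns:wst="{WST}">'
        f'<wst:RequestType>{WST}/Issue</wst:RequestType>'
        f'<wst:OnBehalfOf>{end_user_token_xml}</wst:OnBehalfOf>'
        '</wst:RequestSecurityToken></soap:Body></soap:Envelope>'
    )

def _local(el):
    # Strip the Clark-notation namespace, leaving the element's local name.
    return el.tag.split('}')[-1]

def classify_tokens(envelope_xml):
    """Separate the requester's authentication tokens (WS-Security header) from the
    On Behalf Of token (body), which is what the STS converts or validates."""
    root = ET.fromstring(envelope_xml)
    header = [_local(el) for el in root.iterfind(f'{{{SOAP}}}Header/{{{WSSE}}}Security/*')]
    obo = root.find(f'{{{SOAP}}}Body/{{{WST}}}RequestSecurityToken/{{{WST}}}OnBehalfOf')
    on_behalf_of = [_local(el) for el in obo] if obo is not None else []
    return {"header_auth": header, "on_behalf_of": on_behalf_of}

def end_user_subject(envelope_xml):
    """Return the NameID of the SAML assertion carried in wst:OnBehalfOf, or None."""
    root = ET.fromstring(envelope_xml)
    name_id = root.find(f'{{{SOAP}}}Body/{{{WST}}}RequestSecurityToken/{{{WST}}}OnBehalfOf/'
                        f'{{{SAML2}}}Assertion/{{{SAML2}}}Subject/{{{SAML2}}}NameID')
    return name_id.text if name_id is not None else None
```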
Web Services Security Framework Supported Tokens
Tokens that can be authenticated:
Tokens that can be issued:
UserName (generated via STS or locally at WSC)
X509 (generated via the Security Token Service or locally at the WSC)
SAML 1.1 (generated via the Security Token Service or locally at the WSC)
SAML 2.0 (generated via the Security Token Service or locally at the WSC)
Kerberos (generated locally at the WSC)
After learning something new, now enjoy some music from Amy MacDonald. This is Mr. Rock & Roll.
The Web Services Security feature of OpenSSO implements the Web Services Interoperability Technology (WSIT). WSIT is an open source implementation of the web services specifications (commonly referred to as WS-*). The project was started by Sun Microsystems and consists of Java APIs that allow developers to create web service clients and services that interoperate between the Java platform and clients and servers developed with the WS-* specifications. WSIT provides implementations of the following specifications for interoperability with .NET 3.0.
A number of command line interfaces originally developed for the products that have been integrated into OpenSSO have been EOL'ed. So here is some information on the new commands and options that can be used instead.
Although the legacy command line interface amadmin is still bundled with OpenSSO, certain Liberty Alliance Project Identity Federation Framework (Liberty ID-FF) related options are no longer supported because of a change in the metadata format. Use the following ssoadm commands to import and export metadata. Be sure to append --spec idff to the command.
The command line interface saml2meta (originally developed for the Sun Java System SAMLv2 Plug-in for Federation Services) is not supported in OpenSSO. Use the corresponding ssoadm commands instead. Note that some of the new commands must have --spec saml2 appended.
import-entity with --spec saml2 option
export-entity with --spec saml2 option
create-metadata-templ with --spec saml2 option
delete-entity with --spec saml2 option
list-entities with --spec saml2 option
The command line interface saml2bulkfed (originally developed for the Sun Java System SAMLv2 Plug-in for Federation Services) is not supported in OpenSSO. Use the following ssoadm commands for SAMLv2 bulk federation. Be sure to append --spec saml2 to the command.
do-bulk-federation performs bulk federation.
import-bulk-fed-data imports the bulk federation data generated by the do-bulk-federation command.
The command line interface ambulkfed (originally developed for Access Manager to bulk federate using the Liberty ID-FF protocol) is not supported in OpenSSO either. The ssoadm commands that take the place of the SAMLv2 bulk federation CLI (above) can also be used for Liberty ID-FF bulk federation by appending --spec idff to the command rather than --spec saml2.
And now some new music (on this side of the pond anyway) from Alison Moyet. The Turn was just released in North America and features the single, A Guy Like You.
In case you haven't seen it yet, wikis.sun.com has an entry here that contains the procedure for creating a custom authentication module for OpenSSO - ok, Access Manager but you know the history. Note that there is an error pointed out at the bottom of the entry itself so take a look at that first.
And when you are done authenticating, you can be sure that the identity is, indeed, the son of a preacher man. Ahhhh, Dusty.
08/09/08 UPDATE: Oy gevalt to that segue.