Friday Aug 15, 2008

Hot Off Two Presses: Dennis' ssoadmin CLI Info and Max's Song

Dennis, Sun engineer extraordinaire, has just uploaded the Federated Access Manager 8.0 OpenSSO Commandline Interface Usage and Samples document. We'll have to get him to change the name next time he regenerates it but, in the meantime, here is everything you'd want to know about the newly-christened ssoadm command line interface.

But Dennis isn't the only one who has uploaded something hot off the press. My Jack Russell Terrier, Max, uploaded a video made as an ode to his treat ball. He's not the best singer (although back in the day he was considered the Manilow of the dog park) but he's sincere. His lyrics are published here.

Max hopes this video meets Dennis' high standards.

Wednesday Aug 13, 2008

Supported Security Tokens and Mr. Rock & Roll

The OpenSSO Security Token Service is built on the WS-Trust protocol, which defines extensions to the WS-Security specification for issuing and exchanging security tokens and for establishing, assessing the presence of, and brokering trust relationships. The Security Token Service is hosted as a servlet endpoint and brokers security-related interactions between a web service client (WSC) and a web service provider (WSP). The Security Token Service:

  • Issues, renews, cancels, and validates security tokens.
  • Allows customers to write their own plug-ins for different token implementations and for different token validations.
  • Provides a WS-Trust based API for client and application access.
  • Supports Kerberos tokens, the Web Services-Interoperability Basic Security Profile (WS-I BSP), and Resource Access Control Facility (RACF) tokens.

Here is some information on supported security tokens in OpenSSO.

Security Token Service Supported Tokens

Tokens that can be authenticated:

  • UserName
  • X509
  • SAML 1.1
  • SAML 2.0
  • Kerberos

Tokens that can be issued:

  • UserName
  • X509
  • SAML 1.1
  • SAML 2.0

End user tokens that can be converted or validated out of the box:

  • OpenSSO SSOToken to SAML 1.1 or SAML 2.0 token
  • SAML 1.1 or SAML 2.0 token to OpenSSO SSOToken

Additionally, end user tokens can be converted or validated after customization. In this case the end user token is carried as a WS-Trust On Behalf Of token (the wst:OnBehalfOf element) inside the RequestSecurityToken in the SOAP body, not as the authentication token carried in the WS-Security SOAP header. The two are distinct: the header token authenticates the requesting WSC itself, while the On Behalf Of token identifies the end user that the WSC is acting for. Custom tokens can also be created and sent On Behalf Of an end user token for conversion or validation by the Security Token Service. To do this, implement the com.sun.identity.wss.sts.ClientUserToken interface and register the implementing class name both on the client side and in the global Security Token Service configuration using the OpenSSO console.
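To make the header-versus-body distinction concrete, here is an added example (written for this post; it is not code from OpenSSO or WSIT) of a WS-Trust 1.3 issue request in which the WSC authenticates itself with a UsernameToken in the WS-Security header and asks for a SAML 2.0 token on behalf of an end user whose own UsernameToken rides inside wst:OnBehalfOf in the SOAP body. A second function performs the first checks a token service makes on receipt. It uses only the Python standard library; the WSC credential, the end user name and password, and the AppliesTo address are made-up sample values, and the set of issuable token types mirrors the list above (Kerberos can be authenticated but is not issued).

```python
"""Added example, not OpenSSO code: build and inspect a WS-Trust RST whose
caller credential sits in the WS-Security header while the end user token
sits in wst:OnBehalfOf in the SOAP body.  All names/passwords are samples."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"

ISSUE = WST + "/Issue"
# TokenType URIs from the WSS token profiles.
USERNAME_TOKEN = ("http://docs.oasis-open.org/wss/2004/01/"
                  "oasis-200401-wss-username-token-profile-1.0#UsernameToken")
X509_TOKEN = ("http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-x509-token-profile-1.0#X509v3")
SAML11_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
KERBEROS_TOKEN = ("http://docs.oasis-open.org/wss/"
                  "oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ")
# Mirrors the "tokens that can be issued" list: Kerberos is authenticated only.
ISSUABLE = {USERNAME_TOKEN, X509_TOKEN, SAML11_TOKEN, SAML2_TOKEN}

for _prefix, _uri in (("S", SOAP), ("wsse", WSSE), ("wst", WST),
                      ("wsp", WSP), ("wsa", WSA)):
    ET.register_namespace(_prefix, _uri)


def _q(ns, local):
    """Clark-notation tag name as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _username_token(parent, username, password):
    tok = ET.SubElement(parent, _q(WSSE, "UsernameToken"))
    ET.SubElement(tok, _q(WSSE, "Username")).text = username
    ET.SubElement(tok, _q(WSSE, "Password")).text = password
    return tok


def build_rst(wsc_credential=None, token_type=SAML2_TOKEN,
              on_behalf_of=None, applies_to=None):
    """Return an RST envelope as a string.

    wsc_credential: (user, password) of the WSC, placed in the WS-Security
    header; None simulates an unauthenticated requester.
    on_behalf_of: (user, password) of the end user, placed in the SOAP body
    inside wst:OnBehalfOf, never in the header.
    """
    env = ET.Element(_q(SOAP, "Envelope"))
    header = ET.SubElement(env, _q(SOAP, "Header"))
    if wsc_credential:
        security = ET.SubElement(header, _q(WSSE, "Security"))
        _username_token(security, *wsc_credential)  # caller's own credential
    body = ET.SubElement(env, _q(SOAP, "Body"))
    rst = ET.SubElement(body, _q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, _q(WST, "RequestType")).text = ISSUE
    ET.SubElement(rst, _q(WST, "TokenType")).text = token_type
    if applies_to:
        epr = ET.SubElement(ET.SubElement(rst, _q(WSP, "AppliesTo")),
                            _q(WSA, "EndpointReference"))
        ET.SubElement(epr, _q(WSA, "Address")).text = applies_to
    if on_behalf_of:
        obo = ET.SubElement(rst, _q(WST, "OnBehalfOf"))
        _username_token(obo, *on_behalf_of)  # the end user, in the body
    return ET.tostring(env, encoding="unicode")


def inspect_rst(xml_text):
    """What a token service establishes before acting on an RST.

    Returns the caller's header token type, the body On Behalf Of token type
    (or None), and the requested operation and token type.  Raises ValueError
    for requests the service must refuse.
    """
    env = ET.fromstring(xml_text)
    security = env.find(_q(SOAP, "Header") + "/" + _q(WSSE, "Security"))
    caller = _local(security[0].tag) if security is not None and len(security) else None

    rst = env.find(_q(SOAP, "Body") + "/" + _q(WST, "RequestSecurityToken"))
    if rst is None:
        raise ValueError("SOAP body carries no RequestSecurityToken")
    request_type = rst.findtext(_q(WST, "RequestType"))
    token_type = rst.findtext(_q(WST, "TokenType"))
    if request_type == ISSUE and token_type not in ISSUABLE:
        raise ValueError("STS cannot issue token type %r" % token_type)

    obo = rst.find(_q(WST, "OnBehalfOf"))
    obo_token = _local(obo[0].tag) if obo is not None and len(obo) else None
    # Delegation is only meaningful for an authenticated caller; an anonymous
    # requester must not be able to obtain tokens for arbitrary users.
    if obo_token and caller is None:
        raise ValueError("OnBehalfOf present but the requester is unauthenticated")
    return {"caller_token": caller, "obo_token": obo_token,
            "request_type": request_type, "token_type": token_type}


if __name__ == "__main__":
    rst_xml = build_rst(("wsc-app", "wsc-secret"),
                        on_behalf_of=("alice", "alice-pw"),
                        applies_to="https://wsp.example.com/stock")
    print(rst_xml)
    print(inspect_rst(rst_xml))
```

Run it and compare the printed envelope with the table above: the only credential in the header is the WSC's, and removing it (pass None as the first argument) makes inspect_rst refuse the On Behalf Of request, which is the behaviour a token service needs so that delegation cannot be used by an anonymous caller.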

Web Services Security Framework Supported Tokens

Tokens that can be authenticated:

  • UserName
  • X509
  • SAML 1.1
  • SAML 2.0
  • Kerberos

Tokens that can be issued:

  • UserName (generated via the Security Token Service or locally at the WSC)
  • X509 (generated via the Security Token Service or locally at the WSC)
  • SAML 1.1 (generated via the Security Token Service or locally at the WSC)
  • SAML 2.0 (generated via the Security Token Service or locally at the WSC)
  • Kerberos (generated locally at the WSC)

After learning something new, now enjoy some music from Amy MacDonald. This is Mr. Rock & Roll.

What's Going On with WSIT?

The Web Services Security feature of OpenSSO builds on Web Services Interoperability Technology (WSIT). WSIT is an open source implementation of the web services specifications commonly referred to as WS-*. The project was started by Sun Microsystems and consists of Java APIs that allow developers to create web service clients and services on the Java platform that interoperate with clients and servers built on the WS-* specifications. WSIT provides implementations of the following specifications for interoperability with .NET 3.0:

  • WS-Metadata Exchange
  • WS-Transfer
  • WS-Reliable Messaging
  • WS-Reliable Messaging Policy
  • WS-Atomic Transaction
  • WS-Coordination
  • WS-Security 1.0 and 1.1
  • WS-Security Policy
  • WS-Trust
  • WS-Secure Conversation
  • WS-Policy
  • WS-Policy Attachment

While looking for information on WSIT, I found this great PDF called the WSIT Tutorial. If you need to know what's going on with WSIT, this is the paper to read.

And if you just want to hear What's Going On by Marvin Gaye, this is the clip to click.

Tuesday Aug 12, 2008

SOA's Readers' Choice Awards and Sia's Buttons

You can now vote online for the SOA World Magazine 2008 Readers' Choice Awards which recognizes, and I quote, excellence in the software, solutions, or services provided by the industry's top vendors. Readers can cast their votes until November 8, 2008.

That was SOA. Now here is Sia performing her song Buttons live on Jimmy Kimmel.

Click here for the official music video which is just the live performance.

Monday Aug 11, 2008

Turning Old Command Line Interfaces into New OpenSSO Command Line Interface

A number of command line interfaces originally developed for the products that have been integrated into OpenSSO have been EOL'ed. So here is some information on the new commands and options that can be used instead.


Although the legacy command line interface amadmin is still bundled with OpenSSO, certain Liberty Alliance Project Identity Federation Framework (Liberty ID-FF) related options are no longer supported because of a change in the metadata format. Use the following ssoadm commands to import and export metadata. Be sure to append --spec idff to the command.

amadmin Option      ssoadm Command


The command line interface saml2meta (originally developed for the Sun Java System SAMLv2 Plug-in for Federation Services) is not supported in OpenSSO. Use the corresponding ssoadm commands instead. Note that some of the new commands must have --spec saml2 appended.

saml2meta Option    ssoadm Command
import              import-entity with --spec saml2 option
export              export-entity with --spec saml2 option
template            create-metadata-templ with --spec saml2 option
delete              delete-entity with --spec saml2 option
list                list-entities with --spec saml2 option


The command line interface saml2bulkfed (originally developed for the Sun Java System SAMLv2 Plug-in for Federation Services) is not supported in OpenSSO. Use the following ssoadm commands for SAMLv2 bulk federation. Be sure to append --spec saml2 to the command.
  • do-bulk-federation performs bulk federation.
  • import-bulk-fed-data imports the bulk federation data generated by the do-bulk-federation command.


The command line interface ambulkfed (originally developed for Access Manager to bulk federate using the Liberty ID-FF protocol) is not supported in OpenSSO either. The ssoadm commands that take the place of the SAMLv2 bulk federation CLI (above) can also be used for Liberty ID-FF bulk federation by appending --spec idff to the command rather than --spec saml2.

And now some new music (on this side of the pond anyway) from Alison Moyet. The Turn was just released in North America and features the single, A Guy Like You.

Thursday Jul 31, 2008

Create an OpenSSO Custom Authentication Module

In case you haven't seen it yet, there is an entry here that contains the procedure for creating a custom authentication module for OpenSSO - ok, Access Manager, but you know the history. Note that there is an error pointed out at the bottom of the entry itself, so take a look at that first.

And when you are done authenticating, you can be sure that the identity is, indeed, the son of a preacher man. Ahhhh, Dusty.

08/09/08 UPDATE: Oy gevalt to that segue.



