Tuesday Mar 10, 2009

Sun Identity Manager 8.1 and Identity Connectors

At the end of last week Sun Identity Manager version 8.1 was released. I waited to post this until the open source project for the Identity Connectors was also made available (see below for more information).

The major new features of the Sun Identity Manager 8.1 release are:

For more information:

Identity Connector project

The Identity Connectors Framework and Toolkit is built to help drive development of Connectors. Connectors provide a consistent generic layer between applications and target resources. The main focus of the API is provisioning operations and password management.

For more information visit the open source project page

Saturday Feb 07, 2009

Identity Suite Essentials Tutorials

A collection of identity management tutorials, Identity Suite Essentials, has just been made public. This material was originally developed last October by Sun engineers to provide tutorial information for our peers. We are making it available publicly in the hope that others find value in the material for becoming acquainted with Sun Identity Manager and OpenSSO Enterprise.


Identity Suite Essentials (ISE) is a collection of tutorials designed to give the student basic knowledge of these products. This self-paced material covers the Sun Java Identity Management Suite. The purpose of these tutorials is to provide a positive first experience with these products, including initial installation and configuration in a lab environment.

Thanks to the following contributors:

Friday Jun 27, 2008

OpenDS reconciliation with Identity Manager

While configuring OpenDS as a resource adapter for Sun Identity Manager, I ran into the following problem setting up reconciliation with the LDAP resource. The cause turned out to be the proxy user that Identity Manager uses to connect to the LDAP resource: all normal provisioning succeeds, but reconciliation fails because it uses the server side sort control to return all users.

Trying to use server side sorting (request control OID 1.2.840.113556.1.4.473) as a normal user failed with insufficient access rights. An ACI must be added to allow a normal user to use this control, but tracking this down took some effort. Here are the details:

Original LDIF file to create the suffix:
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
 (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry";
 allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

As Directory Manager, a root user that bypasses access control, the sorted search succeeds:
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword
--searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"

But not as a normal user, even though the ACI above grants that user allow (all) on the suffix:
# bin/ldapsearch --hostname localhost --port 1389 --bindDN "uid=ldapadmin,ou=people,dc=identric,dc=com" --bindPassword
--searchScope sub --baseDN "dc=identric,dc=com" --sortorder sn,givenName "(objectclass=*)"
SEARCH operation failed
Result Code:  50 (Insufficient Access Rights)
Additional Information:  The request control with Object Identifier (OID) "1.2.840.113556.1.4.473" cannot be used due to insufficient access rights

This was resolved by adding an ACI with targetcontrol = "1.2.840.113556.1.4.473" for the user that Identity Manager binds as. Note that the attribute-based "LDAP Administrator" ACI does not cover request controls; a separate targetcontrol rule is needed:
dn: dc=identric,dc=com
objectclass: top
objectclass: domain
dc: identric
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous access"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ")
 (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, and passwordPolicySubentry";
 allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "LDAP Administrator"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)
aci: (targetcontrol = "1.2.840.113556.1.4.473")(version 3.0; acl "LDAP Administrator Server Sort"; allow (all) userdn = "ldap:///uid=ldapadmin,ou=people,dc=identric,dc=com";)

dn: ou=People,dc=identric,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=ldapadmin,ou=people,dc=identric,dc=com
givenName: Ldap
sn: Admin
mail: ldap.admin@identric.com
uid: ldapadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
cn: LDAP Admin
userPassword: Passw0rd
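The same fix as a small script, added here as an example and not code from the original post or from OpenDS or Identity Manager. It builds the targetcontrol ACI for the proxy user, renders it as an LDIF modify record (so the existing suffix entry is updated in place instead of being re-created), and classifies the output of the OpenDS ldapsearch run so the "control cannot be used" failure above is recognised automatically. Everything except the final subprocess call runs offline. Assumptions: the OpenDS tools live under the directory passed as opends_bin, the proxy DN is a placeholder for whatever account Identity Manager binds with, and SAMPLE_DENIED_OUTPUT is the failure text from the post reproduced as constructed test input. The generated rule grants allow (read) rather than allow (all): OpenDS evaluates the read permission for targetcontrol rules, so read is all that is needed, and the proxy account keeps the least privilege reconciliation requires.

```python
"""Added example; not code from the original post or from OpenDS/Identity Manager."""
import re
import subprocess

SERVER_SIDE_SORT_OID = "1.2.840.113556.1.4.473"  # RFC 2891 Server Side Sort request control

# Failure text from the post, kept here as a constructed sample for classify_search_output().
SAMPLE_DENIED_OUTPUT = (
    "SEARCH operation failed\n"
    "Result Code:  50 (Insufficient Access Rights)\n"
    "Additional Information:  The request control with Object Identifier (OID) "
    '"1.2.840.113556.1.4.473" cannot be used due to insufficient access rights\n'
)


def targetcontrol_aci(userdn, oid=SERVER_SIDE_SORT_OID, acl_name=None):
    """ACI granting `userdn` the right to send request control `oid`.

    OpenDS checks the read permission for targetcontrol rules, so allow (read) is
    all the rule needs; the allow (all) used in the post also works but grants more.
    """
    if not re.fullmatch(r"\d+(\.\d+)+", oid):
        raise ValueError("control OID must be dotted-decimal: %r" % oid)
    if '"' in userdn:
        raise ValueError("bind DN must not contain double quotes")
    acl_name = acl_name or "Server Side Sort for %s" % userdn
    return ('(targetcontrol = "%s")(version 3.0; acl "%s"; '
            'allow (read) userdn = "ldap:///%s";)' % (oid, acl_name, userdn))


def aci_modify_ldif(suffix_dn, aci):
    """LDIF change record that adds one aci value to the existing suffix entry."""
    return "dn: %s\nchangetype: modify\nadd: aci\naci: %s\n" % (suffix_dn, aci)


_CONTROL_DENIED = re.compile(
    r'Result Code:\s+50\b.*?control with Object Identifier \(OID\) "([\d.]+)" cannot be used',
    re.S)
_RESULT_CODE = re.compile(r"Result Code:\s+(\d+)")


def classify_search_output(output, returncode=None):
    """('ok', None) on success, ('control_denied', oid) for the ACI problem in the post,
    otherwise ('failed', result_code)."""
    m = _CONTROL_DENIED.search(output)
    if m:
        return ("control_denied", m.group(1))
    m = _RESULT_CODE.search(output)
    if m and int(m.group(1)) != 0:
        return ("failed", int(m.group(1)))
    if returncode not in (None, 0):
        return ("failed", returncode)
    return ("ok", None)


def sorted_search_argv(opends_bin, host, port, binddn, password, basedn, sort="sn,givenName"):
    """The same sorted search the post runs, as an argv list for subprocess."""
    return [opends_bin + "/ldapsearch", "--hostname", host, "--port", str(port),
            "--bindDN", binddn, "--bindPassword", password,
            "--searchScope", "sub", "--baseDN", basedn,
            "--sortorder", sort, "(objectclass=*)"]


def proxy_user_can_sort(opends_bin, host, port, binddn, password, basedn):
    """Run the sorted search as the proxy user and classify the outcome (needs a live OpenDS)."""
    proc = subprocess.run(sorted_search_argv(opends_bin, host, port, binddn, password, basedn),
                          capture_output=True, text=True)
    return classify_search_output(proc.stdout + proc.stderr, proc.returncode)


if __name__ == "__main__":
    proxy = "uid=idmproxy,ou=people,dc=identric,dc=com"  # placeholder proxy account
    print(aci_modify_ldif("dc=identric,dc=com", targetcontrol_aci(proxy)))
    print(classify_search_output(SAMPLE_DENIED_OUTPUT))
```

Feed the printed LDIF to ldapmodify as Directory Manager, then call proxy_user_can_sort() with the proxy user's credentials; ("ok", None) means reconciliation's sorted search will now be accepted. Passing the bind password on the command line exposes it in the process list, so on a shared host prefer the tools' --bindPasswordFile option over --bindPassword.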

Tuesday Oct 16, 2007

OpenPTK UML and OpenSSO configuration

The User Management Lite sample application was designed to provide a way to integrate user provisioning services into a remote Java application. It uses OpenPTK's provisioning tag library to provide a simple way to add user provisioning services to a Java application.

The OpenPTK User Management Lite (UML) was designed to showcase user provisioning and self-service functions. Authentication and authorization are necessary for a complete solution deployment. The UML provides an interface for user authentication and was designed to be protected by a web single sign-on infrastructure such as Sun Access Manager or OpenSSO. If no web single sign-on infrastructure is configured with the UML, it provides simulated authentication screens so the sample application's features can still be exercised (these simulated screens are a development convenience, not authentication). In a real-world deployment, authentication is expected to be implemented in many different ways and is out of scope for the core OpenPTK framework features. The instructions below describe the steps to protect the UML application with OpenSSO; the same steps would be required with Sun Access Manager or another web single sign-on infrastructure.

Configuring OpenSSO to protect the OpenPTK User Management Lite (UML)

The UML was designed to be protected by a web single signon infrastructure. Once it is deployed to an application server, it can be protected by an agent for integration with the web single signon infrastructure. The following high level tasks will enable authentication of the UML to be provided by an external infrastructure:
  • Deploy UML .war file
  • Deploy OpenSSO infrastructure and Agent to protect UML's application server
  • Create a policy for UML access in OpenSSO (or Sun Access Manager)
  • Protect the UML application in web.xml (required when deploying on Application Server; not required when deploying on Sun Web Server)
  • Configure the agent to insert an HTTP header named: openptkid
  • Configure the agent to not enforce the UML welcome page
More details will be available in the Open PTK Samples User's Guide which will be available soon.

Wednesday Oct 10, 2007

Project OpenPTK launched!

Project Open Provisioning ToolKit (OpenPTK) provides a bridge between Identity Solutions and specialized user interfaces or access points. It is hosted on the Identity Management community on java.net.

Project Open Provisioning ToolKit (OpenPTK) is an open source user provisioning toolkit exposing APIs, web services, HTML tag libraries and JSR-168 portlets, with user self-service and administration examples. The architecture supports several pluggable back-end services including Sun's Identity Manager, Sun's Access Manager and LDAPv3.

Available now are several sample applications which demonstrate the features of OpenPTK. These samples are preconfigured to connect to a hosted identity management infrastructure, which includes Sun Identity Manager and its SPML interface. The applications include:
  • User Management Lite - a sample Java web application which provides simple user management in a remote interface, user self-service, and user registration / forgotten password services. This leverages OpenPTK's provisioning tag library.
  • Provisioning Web Service - a JAX-RPC web service that provides a .wsdl interface defining specific user management tasks. This leverages OpenPTK's Java API.
  • OpenPTK command line interface - a command line interface for accessing a remote provisioning infrastructure. This leverages OpenPTK's Java API.
  • Coming soon: JSR 168 portlets for user administration, self-service, and forgotten password services. These leverage OpenPTK's provisioning tag library and the Java API.

Coming soon will be documentation to deploy these sample applications to connect to your Identity infrastructure, followed closely by full access to the source code for the OpenPTK framework.

This project was started last year by 3 Sun Systems Engineers (Scott Fehrman, Terry Sigle, and myself) to demonstrate the power and flexibility of Sun's Identity Management suite of products in new and flexible ways. Due to the demand and flexibility of the solution, this open source project was launched to enable others to extend the value of their Identity Management infrastructures. It is designed to be completely complementary to existing deployments of Identity Management infrastructures.

Wednesday Sep 19, 2007

SPML rising above the noise level?

I talk to customers about a lot of identity related topics and in the past few months, the topic of Service Provisioning Markup Language (SPML) has come up on many occasions. This is of course regarding integration with a provisioning infrastructure. The frequency of interest in SPML appears to demonstrate a pattern (at least from my perspective) of the maturity and applicability of the SPML standard to current identity solutions.

First, what is SPML? Service Provisioning Markup Language is an OASIS standard.

Sun Java System Identity Manager includes SPML handlers which listen for incoming SPML requests. A sample SPML Resource Adapter is also provided in the REF-KIT for outbound SPML provisioning. In Identity Manager 7.x there are three SPML listeners:

1) The SPML1 handler: http://<server>:<port>/<context>/servlet/rpcrouter2
Using SPML 1.0 with Identity Manager Web Services

2) The SPML2 handler: http://<server>:<port>/<context>/servlet/openspml2
Using SPML 2.0 with Identity Manager Web Services

3) The SPMLspe handler: http://<server>:<port>/<context>/servlet/spespml
Using SPML 1.0 with Identity Manager Web Services

Sample SPML 2.0 Resource Adapter
Identity Manager provides a sample SPML 2.0 resource adapter that can be modified and used to talk to third-party resources that support SPML 2.0 core operations.

SPML can do many things, and its operations are carried over SOAP / HTTP. However, because SPML is extensible (extended operations, and schemas that differ per target), it does not provide a .wsdl interface defining its operations. This is not a limitation of Identity Manager; it is simply how SPML was designed, and it allows tremendous flexibility.

The SPML options for interfacing with Identity Manager assume that you are using an SPML API. There is an OpenSPML Java API for SPML.

Some implementations need a web service with a .wsdl-defined interface (a SOA infrastructure or a .NET application, for example). For those, a wrapper web service with specific operations can be placed in front of the more general-purpose SPML interface that Identity Manager exposes.

Since the OpenSPML Java API is available, a web service specific to the deployment (for example, CRUD operations with the particular user attributes used in that deployment) can be defined in a .wsdl interface and in turn invoke SPML operations against Identity Manager. This approach assumes that a Java application server is available to host the web service, since the OpenSPML APIs are written in Java; the web service can be hosted on the same application server as Identity Manager or on a remote Java application server that uses SPML to contact Identity Manager. I have been involved in several examples of using this approach to integrate with Sun's Identity Manager in the past 6 months. This approach lets the provisioning infrastructure do its normal job of user provisioning and compliance auditing, while making it accessible in new and interesting ways.
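To make the wrapper idea above concrete, here is an added example of what such a wrapper puts on the wire. It is not code from the original post, from Identity Manager or from the OpenSPML toolkit, and it is written in Python with the standard library rather than Java so that the SOAP / SPML 2.0 exchange itself is visible: a single deployment-specific create_user() operation accepts a fixed set of attributes, builds an spml:addRequest in the DSML profile inside a SOAP envelope, posts it to the openspml2 listener, and reads the status and psoID from the spml:addResponse. A .wsdl front end would expose only create_user(), never raw SPML. Assumptions: the listener URL, the target id "spml2-DSML-Target" and the attribute names are deployment-specific placeholders to replace with the values from your SPML2 configuration (including any objectclass attribute your target requires); SAMPLE_SUCCESS and SAMPLE_FAILURE are constructed responses in the shape of SPML 2.0 addResponse messages, not captures from Identity Manager.

```python
"""Added example; not code from the original post, Identity Manager or the OpenSPML toolkit."""
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SPML_NS = "urn:oasis:names:tc:SPML:2:0"
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
for _prefix, _uri in (("soap", SOAP_NS), ("spml", SPML_NS), ("dsml", DSML_NS)):
    ET.register_namespace(_prefix, _uri)

TARGET_ID = "spml2-DSML-Target"  # placeholder: the target id from your SPML2 configuration
ALLOWED_ATTRS = ("accountId", "firstname", "lastname", "emailAddress")  # placeholder names


def build_add_request(target_id, attrs, request_id):
    """SOAP envelope carrying one spml:addRequest whose data is DSML attr/value pairs."""
    env = ET.Element(ET.QName(SOAP_NS, "Envelope"))
    body = ET.SubElement(env, ET.QName(SOAP_NS, "Body"))
    add = ET.SubElement(body, ET.QName(SPML_NS, "addRequest"),
                        {"requestID": request_id, "targetID": target_id,
                         "executionMode": "synchronous"})
    data = ET.SubElement(add, ET.QName(SPML_NS, "data"))
    for name, value in attrs.items():
        attr = ET.SubElement(data, ET.QName(DSML_NS, "attr"), {"name": name})
        ET.SubElement(attr, ET.QName(DSML_NS, "value")).text = value
    return ET.tostring(env, encoding="unicode")


def parse_add_response(xml_text):
    """Return {'status', 'pso_id', 'error', 'messages'} from a SOAP reply."""
    root = ET.fromstring(xml_text)
    resp = root.find(".//{%s}addResponse" % SPML_NS)
    if resp is None:
        raise ValueError("reply contains no spml:addResponse")
    pso_id = resp.find("{%s}pso/{%s}psoID" % (SPML_NS, SPML_NS))
    return {"status": resp.get("status"),
            "pso_id": pso_id.get("ID") if pso_id is not None else None,
            "error": resp.get("error"),
            "messages": [m.text for m in resp.findall("{%s}errorMessage" % SPML_NS)]}


def create_user(listener_url, attrs, request_id="req-1", opener=urllib.request.urlopen):
    """The one narrow operation the wrapper exposes. Attributes outside the fixed set are
    rejected so callers cannot push arbitrary SPML data through the wrapper."""
    unknown = set(attrs) - set(ALLOWED_ATTRS)
    if unknown:
        raise ValueError("attributes not exposed by this service: %s" % sorted(unknown))
    req = urllib.request.Request(
        listener_url, data=build_add_request(TARGET_ID, attrs, request_id).encode("utf-8"),
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'})
    with opener(req) as reply:
        result = parse_add_response(reply.read().decode("utf-8"))
    if result["status"] != "success":
        raise RuntimeError("add failed: %s %s" % (result["error"], result["messages"]))
    return result["pso_id"]


# Constructed replies in the shape of SPML 2.0 addResponse messages (not captured from IDM).
SAMPLE_SUCCESS = (
    '<soap:Envelope xmlns:soap="%s"><soap:Body>'
    '<spml:addResponse xmlns:spml="%s" status="success" requestID="req-1">'
    '<spml:pso><spml:psoID ID="jdoe" targetID="%s"/></spml:pso>'
    '</spml:addResponse></soap:Body></soap:Envelope>' % (SOAP_NS, SPML_NS, TARGET_ID))
SAMPLE_FAILURE = (
    '<soap:Envelope xmlns:soap="%s"><soap:Body>'
    '<spml:addResponse xmlns:spml="%s" status="failure" error="alreadyExists" requestID="req-1">'
    '<spml:errorMessage>Account jdoe already exists</spml:errorMessage>'
    '</spml:addResponse></soap:Body></soap:Envelope>' % (SOAP_NS, SPML_NS))

if __name__ == "__main__":
    print(build_add_request(TARGET_ID, {"accountId": "jdoe", "lastname": "Doe"}, "req-1"))
    print(parse_add_response(SAMPLE_SUCCESS), parse_add_response(SAMPLE_FAILURE))
```

Two points matter when deploying something like this. The listener executes every request it receives as the Identity Manager account its SPML configuration runs under, so the wrapper, not Identity Manager, is where callers must be authenticated and authorized, and the fixed attribute whitelist is what keeps the narrow .wsdl contract from degrading into an open SPML proxy. The listener URL should also be reachable only over TLS, since the request carries account data and the reply carries the new psoID.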



