Wednesday Oct 29, 2008

WS-Federation is adopting SAML v2 metadata

WS-Federation will adopt SAML 2.0 metadata when WS-Federation 1.2 is released. OpenSSO currently uses WS-Fed 1.1 metadata, which is now deprecated. Expect to see an OpenSSO release soon that adopts WS-Fed 1.2.

Sunday Oct 12, 2008

XACML - Declarative Access Control

Web applications need access control. I'm not gonna justify that fact. Every web application lets you restrict access to the resources that reside on it simply by modifying the deployment descriptor (web.xml). This method is called declarative security or declarative access control. But does this really suffice?

Well, say hello to XACML. XACML stands for eXtensible Access Control Markup Language.

It is a declarative access control policy language implemented in XML, together with a processing model that describes how to evaluate the policies.

If you had followed what Daniel Raskin said a long time ago about supporting XACML, well, here it is: OpenSSO now has XACML support.
Support for XACML allows our customers to share access control policies across corporate boundaries and offers more dynamic, standards-based tools for creating federated mashups. As a result, our customers can continue to expand their business reach while using open standards to enforce security decisions and minimize security risk.

The OpenSSO codebase also has a XACML client sample which you could download, compile and run in a few clicks.

Please note: this is NOT sunxacml. sunxacml is an implementation of the XACML 2.0 specification from Sun Labs. It does not support the SAML 2.0 profile of XACML 2.0 and is not part of OpenSSO.

OpenSSO XACML implements the SAML 2.0 profile of XACML 2.0, supporting XACMLAuthzDecisionQuery and XACMLAuthzDecisionStatement. The PEP sends an XACML 2.0/SAML 2.0/SOAP request to the PDP and gets a response back. The OpenSSO XACML client sample is a remote client library that an application can use to make XACML calls to the PDP.

The returned XACMLAuthzDecisionStatement carries the XACML Response, Result, Decision and so forth. The OpenSSO XACML implementation leverages the SAML 2.0 capability of OpenSSO to manage the SAML2 metadata of the PDP and PEP and to exchange the SAML messages.
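To make the PEP/PDP exchange above concrete, here is an added example (Python, not code from the post or from the OpenSSO client sample) that builds the SOAP-wrapped XACMLAuthzDecisionQuery a PEP sends and reads the Decision out of the XACMLAuthzDecisionStatement that comes back; it fails closed on anything but an explicit Permit. The namespace URIs are the XACML 2.0 and SAML 2.0 ones; the subject, resource, action and the PDP reply are constructed sample data.

```python
import xml.etree.ElementTree as ET
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xacml-samlp": "urn:oasis:xacml:2.0:saml:protocol:schema:os",
      "xacml-saml": "urn:oasis:xacml:2.0:saml:assertion:schema:os",
      "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
for p, u in NS.items(): ET.register_namespace(p, u)  # readable prefixes on output
XC, XACML1 = NS["xacml-context"], "urn:oasis:names:tc:xacml:1.0:"
STRING = "http://www.w3.org/2001/XMLSchema#string"

def add_attr(parent, category, attr_id, value):
    holder = ET.SubElement(parent, "{%s}%s" % (XC, category))
    attr = ET.SubElement(holder, "{%s}Attribute" % XC, AttributeId=attr_id, DataType=STRING)
    ET.SubElement(attr, "{%s}AttributeValue" % XC).text = value  # ElementTree escapes <, > and & for us

def build_authz_query(subject, resource, action, query_id="_q1"):
    # SOAP Envelope -> XACMLAuthzDecisionQuery -> xacml-context:Request, as the PEP sends it to the PDP
    env = ET.Element("{%s}Envelope" % NS["soap"])
    query = ET.SubElement(ET.SubElement(env, "{%s}Body" % NS["soap"]),
                          "{%s}XACMLAuthzDecisionQuery" % NS["xacml-samlp"], ID=query_id, Version="2.0",
                          IssueInstant="2008-10-12T00:00:00Z", InputContextOnly="true")
    req = ET.SubElement(query, "{%s}Request" % XC)
    add_attr(req, "Subject", XACML1 + "subject:subject-id", subject)
    add_attr(req, "Resource", XACML1 + "resource:resource-id", resource)
    add_attr(req, "Action", XACML1 + "action:action-id", action)
    ET.SubElement(req, "{%s}Environment" % XC)
    return ET.tostring(env, encoding="unicode")

def decision_from_response(xml_text):
    # Walk Assertion/XACMLAuthzDecisionStatement/Response/Result/Decision; anything unreadable -> Indeterminate
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "Indeterminate"
    node = root.find(".//xacml-saml:XACMLAuthzDecisionStatement/xacml-context:Response/"
                     "xacml-context:Result/xacml-context:Decision", NS)
    return node.text.strip() if node is not None and node.text else "Indeterminate"

def is_permitted(xml_text):
    # Fail closed: Deny, NotApplicable and Indeterminate all mean "no access"
    return decision_from_response(xml_text) == "Permit"

def sample_response(decision):
    # Constructed PDP reply, trimmed to the elements the PEP inspects (no signature, no Status)
    return ('<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" ID="_r1" Version="2.0">'
            '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>placeholder-pdp</saml:Issuer>'
            '<xacml-saml:XACMLAuthzDecisionStatement xmlns:xacml-saml="%(xacml-saml)s" '
            'xmlns:xacml-context="%(xacml-context)s"><xacml-context:Response><xacml-context:Result>'
            '<xacml-context:Decision>' % NS + decision + '</xacml-context:Decision></xacml-context:Result>'
            '</xacml-context:Response></xacml-saml:XACMLAuthzDecisionStatement></saml:Assertion></samlp:Response>')
```

In a real deployment the PDP's SAML response is signed and the PEP verifies that signature against the PDP metadata before trusting the Decision; this example stops at extracting it.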

Here's a simple 5-step guide to running the XACML client and testing it with OpenSSO.

  • get the, extract and get the under samples directory

  • extract the, and go to the "sdk" subdirectory

  • follow the README file to set up the samples

  • follow the instructions in scripts/ to set up XACML.

I hope this post has been helpful. Cheers, and enjoy building applications that use XACML!! Interoperability rocks!!

Saturday Oct 11, 2008

What is Identity Management?

Explore how Sun can help you manage, audit, protect, share, and store identity data.

Click here to watch the webcast

OpenSSO WebServices REST interfaces

OpenSSO has an "extended" set of web services (REST) interfaces that make interfacing applications with OpenSSO a piece of cake. The following table lists the REST URLs and their operations and parameters:

The following code snippet shows how you can authenticate against OpenSSO using the REST interface and obtain an OpenSSO token for a user.

// Needs java.net.URL, java.net.HttpURLConnection, java.net.URLEncoder, java.io.DataOutputStream,
// java.io.BufferedReader and java.io.InputStreamReader; "out" is the JSP writer.
String url = "http://localhost:8080/opensso/identity/authenticate";
String username = "rpinto";
String password = "testpass";
String token = null;
URL iurl = new URL(url);
HttpURLConnection connection = (HttpURLConnection) iurl.openConnection();
connection.setDoOutput(true); // must be set before writing the POST body
connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
// Send POST output.
connection.setRequestMethod("POST");
DataOutputStream printout = new DataOutputStream(connection.getOutputStream());
// URL-encode the values so special characters in the password do not break the form body.
String content = "username=" + URLEncoder.encode(username, "UTF-8") +
    "&password=" + URLEncoder.encode(password, "UTF-8");
printout.writeBytes(content);
printout.flush();
printout.close();
BufferedReader reader = new BufferedReader(
    new InputStreamReader(connection.getInputStream()));
out.println("<h2>Successful Authentication using REST</h2>");
String line;
while ((line = reader.readLine()) != null) {
    out.println(line + "<br>");
    int index = line.indexOf("token");
    if (index != -1) {
        // The response line reads "token.id=<value>"; skip the 9-character prefix.
        token = line.substring(9);
    }
}
reader.close();

This code opens an HTTP URL connection and performs a POST operation with the user name and password before displaying the response in the browser.
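As an added example (Python, not code from the original post), the same authenticate call with the returned token parsed out, plus a follow-up validity check of that token. The isTokenValid endpoint and its "boolean=true" reply are assumed from the OpenSSO identity REST API rather than taken from the post; the server URL and credentials are placeholders, and the tests inject a fake fetcher so nothing touches the network.

```python
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder base URL as in the post; a real deployment must use https, since the
# password and the returned session token otherwise travel in clear text.
BASE_URL = "http://localhost:8080/opensso/identity"

def form_body(params):
    # URL-encode every value so a password containing '&' or '=' cannot break the
    # form encoding or smuggle in an extra parameter.
    return urlencode(params).encode("ascii")

def parse_token(body):
    # A successful authenticate call answers with a single line: token.id=<session token>
    for line in body.splitlines():
        if line.startswith("token.id="):
            return line[len("token.id="):].strip() or None
    return None

def parse_boolean(body):
    # isTokenValid answers 'boolean=true' or 'boolean=false' (assumed format); anything else is false
    for line in body.splitlines():
        if line.startswith("boolean="):
            return line[len("boolean="):].strip().lower() == "true"
    return False

def http_post(req):
    with urlopen(req) as resp:  # real network call; the tests pass a fake fetcher instead
        return resp.read()

def post(path, params, fetch=http_post):
    req = Request(BASE_URL + path, data=form_body(params), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return fetch(req).decode("utf-8")

def authenticate(username, password, fetch=http_post):
    # Returns the SSO token string, or None when the reply carries no token.id line
    return parse_token(post("/authenticate", {"username": username, "password": password}, fetch))

def is_token_valid(token, fetch=http_post):
    # Assumed endpoint: POST /opensso/identity/isTokenValid with tokenid=<token>
    return parse_boolean(post("/isTokenValid", {"tokenid": token}, fetch))
```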

The request on the wire reads as follows:

POST /opensso/authenticate HTTP/1.1
Host: localhost
User-Agent: Mozilla/4.0
Content-Length: 27
Content-Type: application/x-www-form-urlencoded


And the response would be—

Thursday Jan 17, 2008

Back to normal programming. No more InfoCard stuff here. With a typical Access Manager deployment atop a web server or app server, there are many instances where, apart from the Access Manager services deployed, one may deploy other applications on the same server instance and need to "protect" them. The right way of going about it is to deploy a policy agent on the same server instance. I have noticed that in some cases folks choose not to deploy an agent but instead "embed" code in every page of their webapp to check the validity of the SSOToken issued by AM, and so enable access to those pages that need "protecting". Well, if all one needs is to protect a few URIs that reside on the same server instance as AM, one could also use a Servlet Filter to do the same without having to embed a check in every page of the application. This is a simple SSO-only method and not a replacement for a policy agent. Here's what one needs to do to enable this:
  • Declare the <filter> element in your web application deployment descriptor. For Sun's Web Server it would be the default-web.xml file.
  • Map the filter to a servlet by defining a <filter-mapping> element in the deployment descriptor. This element maps a filter name to a servlet by name or by URL pattern. Add the URLs you would like to "protect" to the url-pattern element.
  • Now compile the attached code, build a jar file and add it to your server's classpath.
  • Restart your web server.
  • Try accessing the "protected" URL without authentication.
  • Try accessing the "protected" URL with authentication.
For some reason I just cannot post code on this blog. No matter what I try, the code gets converted over to HTML. I did follow Pat's advice, but that didn't help. So I'm uploading the file and providing you a link to download it instead of posting the code as inline text.
You'd see the difference... NOTE: This is NOT a replacement for a Policy Agent. This is just an FYI/example of how one could achieve SSO only using a Filter.

SmartCard Reader Applet - LowDown

I was almost a quarter of the way through developing the smartcard applet which, theoretically, could read the info from the smartcard and use the digital certificate on the smartcard to authenticate you to Access Manager. Here's the low-down on the effort. Smartcard readers are vendor specific. I used the ActivCard SDK for building the applet, with some amount of minor hacking. So now I have come to realize that the smartcard reader and the applet are vendor specific. Whew!! What a painstaking effort. But nevertheless a good learning experience. So now I'm investigating MuscleCard, and hope to learn that the applet I develop is not vendor specific... If anybody has any info on developing an applet that is not vendor specific (smartcard reader manufacturer specific), please, please, please do "SHARE" the info. I wish everybody would adopt the OpenSC framework. Identity Alliance has a product called ID Ally.
ID Ally provides everything you need to begin deploying and using smart cards for security purposes. It provides the necessary software components to enable your smart card with a variety of applications and purposes such as:
  • Email Signing / Encryption using Outlook
  • Web Authentication using Internet Explorer
  • Signing and Encryption using Adobe Acrobat
  • Password wallet for secure password storage
  • Enrollment using Windows 2003 CA
  • Certificate Auto-Enrollment Options
  • Digital ID (certificate) Self-Enrollment Tool
  • Mozilla/Firefox Email, Web Authentication
  • Caching for convenience and speed
  • Utility for viewing certs and changing pin and unblocking
  • Card applet management capability
  • Easy to Use Installer and Documentation
ID Ally is FREE for personal use, and has a 30 day free trial for professional use so you can trial the software before choosing whether to license it. Using Windows 2000 or XP, you can use the provided installer to install all the components and documentation needed to begin.

Download ID Ally

In order to use ID Ally, you need to do the following:
  • Download ID Ally
  • Unpack ID Ally
  • double click on the msi file to install it
  • start regedt32
  • change HKEY_LOCAL_MACHINE\SOFTWARE\Identity Alliance\AuthShim\PKCS11BaseModule to "opensc-pkcs11.dll"
  • change HKEY_LOCAL_MACHINE\SOFTWARE\Identity Alliance\AuthShim\PKCS11Module to "opensc-pkcs11.dll"
  • change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Identity Alliance CSP\PKCS11Module to "opensc-pkcs11.dll"
  • close regedt32
  • run "ID Ally Card Manager"
  • enter PIN
  • turn off virtual slots in opensc.conf
Test it by visiting some SSL client-certificate protected web site with Internet Explorer. AH!! You also need to use a PC/SC compliant smartcard reader FROM ANY VENDOR. And if you do this my SmartCard applet would work... So help me please...

InfoCard or JavaCard

Kim had posted a nice article on "A simple managed payment card example" a while ago. So basically what happens with an "issued" InfoCard is that the InfoCard only contains a pointer to where the user information is to be obtained from (in this case, as per Kim's example, the issuer happens to be Bank of America, and the requestor is Well, Kapil had a nicer post on Smartcards and Federated Identity. Kapil quotes:
Smartcards are actually the real enabler of the biggest network of identity federations the world has known till date, i.e. GSM. [...] Various standards like SAML, Liberty, InfoCard/WS-Trust, WS-Federation etc. for identity federation respect and understand the usefulness of security devices like Smartcards. All these standards propose solutions to the same set of problems in _almost_ the same way and differ mostly in the wire protocols used. SAML and Liberty have profiles ECP (Enhanced client proxy) and LECP (Liberty enabled client or proxy) respectively which enable Smartcard based authentication, whereas InfoCard (a profile of WS-Trust) treats a Smartcard as another Security Token Service which can generate self-issued security tokens.
Nice... I see the light at the end of the tunnel. InfoCard treats a smartcard as a personal security token service (PSTS) which can issue security tokens in the form of SAML assertions. And so I thought... or rather... continue to think... What's the difference between the long-existent JavaCard/Liberty and InfoCard/WS-Federation? I remember some time back I had read an article, "Microsoft Employees Get Carded" by Karen Epper Hoffman, via Kapil's blog. Well, Scott made us use these from a long time ago... And Microsoft's views on smartcards are no different. Hubert has put together a nice demo of how, using Liberty's ID-WSF protocols, we can create a module that greatly helps the user in dealing with his digital identities. Currently laptops, Sun Ray 1g, Sun Ray 170 and desktops ARE available with built-in smartcard readers. And hence my dilemma...

Kim's Infocard Demo

As a taste of upcoming MIX06 sessions, Kim Cameron presents a thumbnail sketch of how InfoCards bring an architecture for identity to the Internet, a demo of how it works and a peek at how you integrate it into a Web page.
  1. 20060209InfoCardKC.EXE
  2. 20060209InfoCardKCDemo.EXE
source : MSDN TV
See Kim's full session on this topic at the MIX06 conference.

UPDATE 1: Also read Johannes Ernst's blog post "There are lots of things that are right about Microsoft InfoCard".

After seeing the InfoCard demo, I feel that InfoCard really is a nice thing. I do not want to comment on the "open source or closed source" part, as there are several of us in this field who are debating that topic. So I leave that up to those who better understand it and fight for it in the open source community.

Here's my take. Sun has the Sun Java System Access Manager. This product has extremely good visibility and usage in the real world, especially in the corporate sector. Individuals who care about secure identity and those who (by choice or otherwise) use a Microsoft Windows desktop as the client would end up using InfoCard for authentication in the future, as Microsoft plans to use InfoCard for building what they call a fundamentally secure platform. Having said that, I don't see the entire world not using Windows as the desktop client. Yep, true: Macs, Linux and Solaris have a long way to go to become the de facto standard desktop for end users.

So. All said and done, I thought of a small project that I would embark on in my free time: I would try to develop an InfoCard Authentication Plugin (using the Microsoft Federated Identity and Access Resource Kit and JAAS) for the Sun Java System Access Manager. Well, this may not be a good idea, but I guess it would be well worth my free time. As soon as I finish the module (hopefully soon, especially with Kim's and Kapil's help), I shall distribute the entire codebase and the procedure for deploying the InfoCard authentication plugin on Access Manager. (This may make for a good demo given that most users happen to have a Windows desktop.) One main reason for me to embark on this is that I see a strong similarity between this effort and nFactor Authentication (which I had blogged about a long time ago).

After all, Sun and Microsoft have joined hands for the interoperability of Liberty and WS-Federation, and the results have led to the Web Single Sign-On Interoperability Profile and the Web Single Sign-On Metadata Exchange Protocol (which have just been released).

UPDATE 2: Also read "Microsoft Employees Get Carded" (an old post) by Karen Epper Hoffman.

Oscars of the Software Industry

The Readers' Choice Awards for SOA, Java, Linux, .NET, ColdFusion and XML Technologies were just published by SYS-CON. It's just a great feeling to see Sun listed as #1 for Best Web Services Platform, Best Framework for SOA and Web Services, Best SOA IDE, Best XML Parser, Best XML Utility, Best SOA or XML Training, Best SOA or XML Site, Best SOA Security Solution, Best SOA Portal Platform, Best SOA Book, Best Java Training, Best Java Virtual Machine, and Best Java Application Development Framework.
Also known as the "Oscars of the Software Industry", the winners were chosen by more than 17,000 SYS-CON readers.

Microsoft Hailstorm

Microsoft Passport has been around for a while. This article describes the risks of the Passport Single Sign-on Protocol extensively. Contrary to my personal preferences and beliefs, I myself have been using Passport for quite a while, just because of the large list of participating sites that I frequent. However, the frequent appearance of the following screenshot is compelling me to believe that someone needs to get their act together, and also to give other alternatives a shot...
This is a very good example of how a single point of failure can cause serious impact on business processes.
