Saturday Jan 30, 2010

Belgian Edition European Usergroup OpenSSO Community

As communicated earlier, the OpenSSO community has announced OpenSSO Express 9. See new features details here.

This release will be the main topic at the next Belgian edition of the European OpenSSO Userdays.
The event is organized by ACA IT-Solutions together with Community Builder.

Time and place:
February 10th, from 8:30 AM till 12 PM
at Sun Microsystems Belgium, Lozenberg 15, 1932 Zaventem

The agenda includes presentations by four internationally recognized OpenSSO experts: Alan Foster, Jonathan Scudder, Steve Ferris and Victor Ake.
The program includes “What’s new in OpenSSO Express 9”, “Monitoring”, “Entitlements Service”, “Secure API authorization” and “Fedlet”. More information is available at

Participation is free. For registration, please contact Rikke Holten:

Tuesday Nov 10, 2009

Connect OpenSSO as a Shibboleth 2 IDP to a Shibboleth SP using SAML2

I've been receiving an increasing number of questions on connecting OpenSSO with Shibboleth.

I previously wrote a blog on connecting OpenSSO in SP mode with a Shibboleth IdP using SAML2, and
have updated that article with links to more detailed information.

These are the steps to connect a Shibboleth SAML2 SP with OpenSSO in IdP mode:

STEP 1: Create a Hosted IdP configuration in the OpenSSO console (if you want to use it in production, make sure to have your credentials in the keystore; for proof-of-concept scenarios the keystore contains one test key).

STEP 2: Grab the newly created OpenSSO IdP metadata XML (you can either use the ssoadm.jsp export entity command or access /opensso/saml2/jsp/exportmetadata.jsp?entityid=<created-entity-id-of-the-idp> directly) and reference it in the Shibboleth SP configuration.

STEP 3: Edit the Shibboleth SP metadata (/Shibboleth.sso/Metadata), and remove all the XML digital signature nodes AND the <md:Extensions> nodes.

STEP 4: Create a Remote Service Provider in the same Circle of Trust (ssoadm.jsp, import-entity, or from the console wizard).

STEP 5: Make sure you connect the IdP and SP metadata to the same Circle of Trust profile.

STEP 6: Use the OpenSSO console to edit the IdP metadata, and add attributes. All the released attributes must use the URI-style attrname-format (Shibboleth won't accept an unspecified attribute name format), so use the following syntax: urn:oasis:names:tc:SAML:2.0:attrname-format:uri|<saml-attr-name>=<local-attr-name>
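
As an added example (not part of the original post), the Python sketch below automates the metadata clean-up from STEP 3 and builds a mapping line in the STEP 6 syntax. The sample metadata is constructed, the function names are hypothetical, and the attribute OID for mail is just a sample value.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# STEP 3: only these two element types are removed; ds:KeyInfo must survive.
STRIP = {f"{{{DS}}}Signature", f"{{{MD}}}Extensions"}

# Constructed sample of SP metadata (not real /Shibboleth.sso/Metadata output).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  <md:Extensions><example xmlns="urn:example:ext"/></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><example xmlns="urn:example:ext"/></md:Extensions>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def strip_sp_metadata(xml_text):
    """Return (cleaned_xml, removed_count) without Signature/Extensions nodes."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    root = ET.fromstring(xml_text)
    removed = 0
    # Snapshot the tree first so removals do not disturb the iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in STRIP:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

def attribute_map_entry(saml_attr_name, local_attr_name):
    """Build one STEP 6 mapping line that forces the URI name format."""
    return f"{URI_FORMAT}|{saml_attr_name}={local_attr_name}"

if __name__ == "__main__":
    cleaned, removed = strip_sp_metadata(SAMPLE_SP_METADATA)
    print(f"removed {removed} nodes")
    print(cleaned)
    print(attribute_map_entry("urn:oid:0.9.2342.19200300.100.1.3", "mail"))
```

With the signature removed, nothing in the file itself proves where it came from, so fetch the SP metadata over a channel you trust before importing it in STEP 4.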

Additional information regarding Shibboleth can be found in the OpenSSO mailing list archive.

That's it, folks. Go play!

Thursday Apr 16, 2009

Northern Europe Open IAM User days @ Sun Microsystems Belgium - Zaventem

I'm proud to invite all customers, prospects and partners to the International userdays for IAM held this year on May 7th and May 8th 2009.

Contrary to the typical 1-day User days you have all come to like, we have decided to extend to a 2-day event, with the first day focussing on OpenSSO, federation, and the second day on Identity Manager and GRC. Aside from our general sessions dealing with various topics, we also provide free-form break-out sessions, where you as the audience can decide which topic should be discussed.

On Thursday May 7th, we will focus entirely on Authentication, Federation and Authorisation related topics. We start the day with 2 keynote presentations : one dealing with the value of identity - giving you an up-to-date overview, followed by a keynote on Identity in the Cloud, given by Pat Patterson. After lunch, the general sessions will continue with a customer case on how the Norwegian Government have implemented Access Management and Federation techniques. We continue with a session on XACML and finish with the roadmap. To end the day, a networking reception will be hosted by SUN.

Day 2, May 8th, changes focus and deals with Identity Management and GRC related topics. We start with a keynote delivered by an actual Auditor talking about IAM from their perspective, followed by a panel of experts discussing "certification". After lunch, another customer presentation on implementing Roles Successfully is followed by a session on how to integrate Identity Manager with SAP GRC's auditing component. And after the break we finish the day with a presentation on how to integrate Identity Manager and Role Manager, and what the roadmap for this product is all about.

The agenda can be found here :

Saturday Feb 28, 2009

OpenSSO 8.1 Express/Enterprise Roadmap update

The OpenSSO Community just released the roadmap for OpenSSO :

In a nutshell :

The primary goal of this release is to enable OpenSSO to be the only solution in the world to provide access management, federation, secure web services, entitlement enforcement and multi-factor authentication in a single offering.

It includes XACML based fine-grained authorisation for millions of policies including a killer management module, Task oriented management on top of object-oriented management, a 100% Java based reverse proxy server with password replay capabilities, out-of-the-box support for MySQL as an identity store, a .NET fedlet, Service Level Monitoring and more ...

Need more details ?  Go here :

Thursday Feb 26, 2009

Improved SPRING 2 support for OpenSSO

For a long time already, through the OpenSSO Extensions incubator, we have provided support for Spring Security (Acegi) and Spring Security 2.
Support for Spring Security 2 was just improved upon by adding the ability to use Spring Security JSP tags, method security annotations and Spring method security pointcuts.

Interested ? Learn more here :

Wednesday Feb 25, 2009

Sun Glassfish Web Space Server and OpenSSO Enterprise

I'm at the Web Space Server bootcamp doing a deep-dive into Liferay's web2.0 core that was incorporated into the new Sun Space Server.
Sun Glassfish Space Server v10.0 is built on top of Liferay Portal v5.2.

Among the nice add-ons (Xcellerators) Sun Microsystems provides today under the Space Server umbrella are the OpenOffice add-on and the OpenSSO add-on.
Without this add-on, Space Server can already connect to OpenSSO through the REST-based interface provided through the settings console.
This, however, only allows you to authenticate through OpenSSO and to inherit the basic user attributes through OpenSSO.

It does not allow you to connect to Access Manager 7.x (does not support REST), and it cannot map community names to LDAP groups/roles/filtered roles, nor can it map the realm users to Space Server organisations.
If you need any of these functionalities, you will be very happy with the OpenSSO add-on (that could also be considered the AM add-on).

If you have a supported release of Space Server, this add-on will be automatically available to you through the updatetool - along with other Xcellerators.
Instructions on how to install the add-on can be found here:

Tuesday Feb 03, 2009

New release: Liferay Portal v5.2, which is part of the WebSynergy project

As you probably know, Project Websynergy is building a next generation enterprise portal platform.
This portal platform will use the Liferay portal as a base portal engine, and add additional functionality in the form of accelerators.

Liferay 5.2 was just released, with a wealth of new functionality. As a result, this added functionality will also become available in WebSynergy - and in the first commercial and supported release of this platform.

New features :

Presentation on websynergy :

Create your own custom authentication module for OpenSSO

Many times, one starts using OpenSSO but needs a custom way to do authentication.
For instance, the authentication method is only exposed through a web service, you need 2 passwords instead of one, ...

I stumbled upon a blog entry explaining exactly what you need to do to write a custom module, and how to register it with OpenSSO.
You can find the article right here :

Friday Jan 30, 2009

OpenSSO webcast going into the functionality of OpenSSO Enterprise

On January 21st 2009, Sun Microsystems hosted a webcast on OpenSSO Enterprise.
The webcast takes about one hour, and discusses both general and advanced technical topics of this exciting product.
Those that are interested in roadmap information and future-to-be functionality ready to be added in 2009 will find this webcast very interesting.

Additional technical information can be found at :
The commercial product page is located at :

Thursday Jan 29, 2009

Identity Based Content Delivery meets OpenSSO through WebSynergy

Sun's existing Portal platform, Sun Java System Portal Server 7.2, is tightly integrated with the SSO solution Sun Java System Access Manager.
That has changed with the evolution to Project WebSynergy, whereby integration with OpenSSO is much looser and is established through the OpenSSO REST interface.

One thing that was missing was the ability to map OpenSSO User Roles to WebSynergy Communities when assigning roles, and when removing them.
Consequent assignment and removal of the respective Communities inside WebSynergy should be possible as well.

This is now possible through the OpenSSO add-on.
More information can be found at :, right in time for the commercial release of this exciting new product.

Bert Van Beeck is a Senior Software Architect at Sun Microsystems, specialized in Sun's Identity Management portfolio. He's part of the Northern European pre-sales software team.

