Thursday Jul 02, 2009

SAML 2.0 SSO with CRM

SAML 2 support is available since Winter 09 Release. OpenSSO console team is in the process of building a cool task flow for this, which will significantly reduce the number of steps listed here. Look out for it in Build 12.

  • For each OpenSSO user that needs to access, choose a user profile attribute to map to a user. We will call this the "federationID". Note that this value should be unique for each user. As an example we will use the OpenSSO email profile attribute (mail). Also note that for obvious security reasons the identified profile attribute must be changeable by authorized administrators only, ie it should not be changeable by the user. Please refer to OpenSSO Delegated Admin feature to set up appropriate privileges.
  • Decide the exact SAML attribute name the IDP will populate the "federationID" with.
  • Setup up OpenSSO IDP with xml signing turned on. Note the provider id of the IDP configuration. In my setup it is :
  • Export the OpenSSO (IDP) public key to a file
    For example, if your OpenSSO IDP uses the out-of-the-box test certificate, execute the following in a terminal on the box hosting the OpenSSO server:
    $ cd <openssoconfig_dir>
    $ keytool -export -keystore keystore.jks -alias test -file cert.cer
    <openssoconfig_dir> is the base bootstrap directory you specified during OpenSSO installation. end :
  • Login to as admin user.
  • Navigate to Setup->Security Controls->SingleSignOn Settings. Enable SAML and fill up the dialog presented.
    • Select version 2.0
    • Import the IDP certificate - in my setup I entered cert.cer file saved in Prerequisites steps above.
    • Enter fields that tell how the authenticated user is identified in the SAML assertion from the IDP. In my example I specified mail saml attribute. Note that this must match exactly the OpenSSO setup described in "OpenSSO end" steps below.
    Saving the configuration displays a generated login url such as the following :
    Save this url string - it will be needed while configuring OpenSSO service provider.
  • Navigate to Setup->Manage Users->Users For each user enter the FederationID value corresponding to the OpenSSO profile attribute chosen. In my setup chose a user setup its FederationID to "" :

Configuring OpenSSO end
  • If not already created, login to OpenSSO console and create a Hosted Identity Provider either via the Task flow or other means. Make sure you choose the "Sign Assertion" option and specify a certificate to use for signing. OpenSSO comes with a default "test" certificate.
  • Provision the "federationID" value for each user that needs access to As an example - login to OpenSSO console as amadmin, navigate to RootRealm->Subjects->demo and setup the demo user's Email attribute as
  • Create a new Service provider representing
    • Login to OpenSSO console as amadmin
    • Download enclosed salesforceSPMetadata.xml
    • >Start "Create hosted SP" task flow
    • Import salesforceSPMetadata.xml metadata (Optionally : specify the URL from this blog :
      directly in the task flow field)
    • Navigate to service provider created in the last step, select Services tab and enter the URL obtained earlier in the " end" steps.

    • Setup saml attribute to be sent as part of the Assertion to identify user. This is done by configuring the attribute mapper either on IDP configuration or SP configuration. If IDP attribute mapper is configured, all SPs will receive the attribute and if only SP configuration is setup - that attribute will only be sent to In my setup I changed SP attribute mappper to map OpenSSO user profile attribute mail to SAML attribute mail.

Test :
  • Start browser and invoke IDP initiated SSO :

    In my setup I used:
    If things work correcly, OpenSSO in IDP role should prompt for user credentials and seamlessly Single SignON to as the user mapped to the authenticated user.
  • Troubleshooting : Both OpenSSO and provide excellent online facilities to test SSO.
    • Visit OpenSSO Test Connection Connectivity task flow.
    • provides a SAML assertion Validator where you can cut and paste a SAML assertion to report errors.
    • Both OpenSSO and provide error logs - SFDC user logs are under Setup->Manage Users->Login History.

Friday May 08, 2009

OpenSSO Fedlet Wins European Identity Award

Fedlet started out as "SAML2 lightweight SDK" 2 years ago with a small prototype with a UI to show levels of integration points. I recall Jamie demonstrating the prototype to customers in Canada and the surprisingly strong positive reactions it got. Congratulations to the Sun Federation team for productizing this into the neat concept it is today, to our friends in Canada (you know who you are) and to our energetic marketing team for coming up with the catchy "Fedlet" name.
I wonder if things would have been the same if we had kept the original "SAML2 lightweight SDK" name; likely not !! My lesson on how it takes a entire team to make anything successful.
Reall all about it here :

Thursday Jan 29, 2009

OpenSSO Community Day : "Unconference" - For Free

Great opportunity to meet OpenSSO developers and share your concerns and experiences.
Details here. And here. To join, please RSVP. The 40 available slots are filling fast!

Sunday Dec 07, 2008

.Net Fedlet (Prototype)

As I was revving up SecureAttrs C# api, stumbled upon .Net apis to perform XML signing and verification, and that lead to a usable Fedlet prototype for .Net environments.

To test drive it :
  • Download saml2.dll and sample fedlet.aspx.
  • Deploy them to your IIS server. ( I copied SAML2.dll to BIN and fedlet.aspx to c:\\Inetpub\\wwwroot )
  • Execute "Create Fedlet" Task on OpenSSO serving as IDP - point it to your IIS Server that will execute the Fedlet. E.g. : While you are on the console you may setup a attribute mapping to pass some user profile attributes such as cn, mail, employeeNumber etc from IDP to the Fedlet as part of SSO.
  • Export IDP public key and copy it to C:\\fedlet\\idp.cer
    cd <opensso_configdir>/<opensso_deploy_uri;>
    keytool -export -keystore keystore.jks -alias test -file idp.cer
  • Test : On a browser, invoke the fedlet : It will prompt you for IDP (OpenSSO) url. A URL representing IDP initiated SAML2 SSO is generated and shown as a link. Click on the link to initiate SSO. When prompted for autentication on the IDP end, try the demo user (password : changeit)

    Processing rules implemented :
  • IDP initiated SAML2 POST profile (Unsolicited AuthN Response)
  • verification of XML signature
  • verification of IDP entity id.
  • NotOnOrAfter rule
  • Single-use-assertion

    Work to be done :
  • Audience restriction and other SAML Conditions procesing rules
  • Option to verify signature via IDP public key stored locally
  • AuthNRequest for SP initiated SSO
  • Single Logout.
  • Support for multiple IDPs

    Code will be checked into the OpenSSO source repository shortly after it is reviewed, etc.
    fedlet.aspx demonstrates a simple C# SAML2 api, modelled after the Java Fedlet API. Feedback most welcome.
  • Tuesday Nov 11, 2008

    OpenSSO Enterprise 8 is here

    A superb team effort - Congratulations to all - Engineering, QA, Docs, Marketing, Sustaining, Release engineering, Training and the OpenSSO community.
    Download page.
    Release Notes.

    This release continues with the commitment to provide real value to customers without compromising ease of use and simplicity as represented by this feature list.

    Additional noteworthy aspects of this release :
  • Improved Documentation
  • Whetted end-to-end Deployment scenarios based on real customer deployments. Enterprise deployment, Federation Deployment
  • Free online training
  • Agents 3.0 - new features including centralized management.
  • Tuesday Oct 28, 2008

    Geneva : Microsoft adds SAML 2.0 protocol support

    The possibility of a ubiquitous SSO protocol looking so bleak just 2 years ago is all of of a sudden a reality with Geneva providing full support for SAML 2.0 !

    Also addressed is a key pain point to do with managing federation metadata between SP's and IDPs : From Don Schmidt's blog on "Harmonized Federation Metadata for WS-Federation and SAML"

    A key goal has been to develop a single specification that can support both passive web application and active web service requestors. In the interests of promoting engineering efficiencies for developers, and interoperability enhancements for deployers, the WSFED TC decided to make a substantive change to its federation metadata document structure during the first Public Review cycle. WS-Federation has been revised to take a normative dependency on the SAML 2.0 federation metadata document structure. The original format has been deprecated, although it is supported for backwards compatibility with early implementations. The preferred format must be rooted in either the <md:EntityDescriptor> element or <md:EntitiesDescriptor> element from [Samlv2Meta]. The WS-Federation specification defines extensions for web services constructs (such as Endpoint References) that are required for WS-\* protocols.

    As my co-architect, Pat mentions in his blog there are indeed some interesting times ahead in the world of Federation.

    Saturday Oct 04, 2008

    Ask the Experts - OpenSSO 2008 transcript

    We just concluded our OpenSSO - Ask the experts event. Many thanks to all those who posted their questions. Apart from technical questions we are glad we could clarify some queries people had on Enterprise vs Express and for that matter Access Manager. I do hope we were able to convey that although it appears to be all new, the source base continues to be on solid grounds whetted by large telcos, financial and enterprise customer more than 5 years now. The transcript is here.

    See you all on our mailing lists and IRC channel..... "where joining the community is free and contributing code is even better"....ok, maybe that was too much :-)

    Special thanks to Edward Ort for organizing and orchestrating the entire week so flawlessly.

    ....and last but definitely not the least the 40+ core engineers, often invisible, who helped with the answers and continue to work wee hours of the night and this weekend to ship the next rev of OpenSSO.

    Tuesday Sep 30, 2008

    OpenSSO Enterprise 8 launched on Second Life

    Congratulations to Daniel Raskin and Jamie Nelson for a such wonderful presentation.
    If you missed Identicat's frolics while eloquently describing the virtues of "Virtual Federation", no worries : its all recorded here.

    Thursday Sep 25, 2008

    "Ask The Experts" all next week (Mon Sep 29 - Oct 3 2008)

    Starting next week and all week I will be on the panel with my colleagues : Aravindan Ranganathan, Qingwen Cheng and Dilli Dorai to answer your questions on OpenSSO. Whatever level you are at with OpenSSO, new-bee, expert, customer, please feel free to ask anything ... source ... technology ... community ... products (including the older version : Sun Access Manager and upcoming OpenSSO Express and OpenSSO Enterprise releases) ...federation ... policy ... web services ... Fedlet ... anything.

    We are constantly looking for feedback on product improvement, so anything goes - please provide us with an opportunity to not only answer any queries you may have but also to discuss product improvements, features,what worked for you and above all what didnt.

    More details at this Ask The Experts link.

    Tuesday Sep 23, 2008 "Summer 08" has SAML 1.1 support

    Kudos to on SAML1.1 support with the Summer 08 release. This Release note covers it nicely:

    ...Unlike with delegated authentication, customers do not have to deploy Salesforce-specific software to use SAML. Also, SAML never sends passwords to Salesforce, so it is inherently more secure than other authentication mechanisms....

    Wanted to try it out with OpenSSO for a while and finally got a window thanks to the successful OpenSSO code freeze on its way towards Open Express Build 6 / OpenSSO Enterprise 8 (Congrats team!).

    Except for the initial learning curve and my rustiness on SAML1.1, it worked quite nicely! Shouldnt take you any more than 15 minutes:

    Configuring OpenSSO End (Identity Provider) :
  • Obtain OpenSSO.war, deploy it and configure it. If you want a quicker install, but with some risk since it is new: you can try OpenSSO QuickSetup using Java web start. I chose as my hostname.
  • Login to the OpenSSO instance as amadmin.
  • Navigate to Federation -> SAML1.1 configuration
  • Register as a "Destination site". I named it SFDC. Make sure the "POST profile" is chosen. Your config should look something like this :

  • Export the source site public key. OpenSSO provides a keystore with a test certificate in it.
    cd <basedir>/<deployuri>
    keytool -export -keystore keystore.jks -alias test -file cert.cer

    Configuring end (Service Provider) :
  • Get a account here.
  • Login to SFDC portal and navigate to Setup (right at the top)->Security Controls->Single Signon Controls
  • Enter all the mandatory fields, and import the OpenSSO public key experted earlier. My setup looks as follows :

    Note that I chose "Federated ID" for my name identifier to directly map the authenticated user in OpenSSO to user. Alternatively I could have configured OpenSSO to send the userid either as a part of the Subject or a attribute statement.
    Save your settings - a "Recipient URL" will be shown on he screen. Select and copy this string - this will be needed in the last step.
  • Navigate to Security->Manage Users-> Users - select a user and enter "Edit" mode. Enter the following string in "Federated NameID" field : id=amadmin,ou=user,dc=opensso,dc=java,dc=net Again this is a shortcut - in a real deployment I would have created a new user in opensso and used that dn here.
    One last step- thanks to the choice I made with respect to the name identifier. Login back to the OpenSSO instance, and navigate to SFDC SAML1.1 config. Paste the "Recipient URL" in the "POST URL" field.
    Thats it - to test your setup : Enter the following URL in a browser : Login as amadmin into OpenSSO if prompted - you should be automatically single signed on to SFDC portal page.

    A leading On-Demand/SaaS provider supporting a open standards based mechanism for single signon is indeed a significant step in accelerating the adoption of these standards over costly and often kludgy proprietary mechanisms. Hoping for SAML2/Logout/AuthZ/Attributes - other protocols in the future.
  • Tuesday Sep 16, 2008


    Scoop : Mr. Winky's ( IdentiCat ) preparation site spotted !!

    Sept 30th : OpenSSO Enterprise 8 launch party on Sun Island.

    Saturday Sep 13, 2008

    OAuth and Fine Grained User Controlled Authorization

    There is a lot of buzz around OAuth. It provides a very simple and secure way for users to give access to their personal data. At core of the protocol is a token access protocol between service providers (where personal data exists) and consumers (entity requesting personal data) and a mechanism to interact with the user for allowing the data access.
    Mere implementation of the OAuth protocol is not sufficient for a practical deployment - two key functions need to be supplied to make it useful:
  • Policy driven transfer of personal information. Eg : Particular picture/album, Home address, health records between start date and end date. This policy needs to be a union of service provider wide policies and user controlled policies.
  • Audit logs to record user content and data transferred.

    I plan to provide deep technical deepdive into OpenSSO on providing these functions in upcoming blogs. Earlier incarnations of OpenSSO (Access Manager 7.x) have already delved into solving this problem as part of Liberty Interaction Service implementation. For people not familiar with this protocol, Liberty Alliance's Interaction service in collaboration with Liberty Discovery Service provides similar functionality to OAuth going a step further by taking privacy and interoperabiliy into consideration, but at the expense of some complexity in its implementation.

    Hope to cover the following :
  • Basic OAuth implementation
  • Leveraging OpenSSO Policy to model admin and user controlled access control rules
  • Logging
  • Saturday Sep 06, 2008

    OpenSSO Webstart Prototype : QuickSetup

    Here is a prototype for a Java Web Start based OpenSSO installation built with Embedded GlasshfishV3 early builds and Embedded OpenDS.

    The idea is that no separate installation of a app server and directory is necessary to start exercising OpenSSO features.

    Although initially targeted for people new to OpenSSO, clearly there are several interesting possibilities going forward for such a delivery mechanism in the future. Some initial thoughts are listed below :
  • Quick evaluation of OpenSSO samples, Fedlet, Virtual Federation Proxy
  • Developer tooling : test executions
  • Pre configured OpenSSO - for demos, training
  • Upgrading / Patching of OpenSSO bits

    Please feel free to add any other suggestions you may think of.

    Initial Steps
    Step 1 : Click here to invoke QuickSetup

    Choose Java Web Start option and click OK.

    Step 2: Accept the certificate : Make sure it looks something like :

    Note : The certificate will not be self signed in later releases.

    Step 3 : Wait about 25 seconds until the the following windows show up one after another:

    This is the QuickStart main user interface. Do not close this window!

    Step 4 : No action - just be patient and wait another 25 seconds for a browser window like the following shows up :

    Thats it - simply choose the appropriate configuration option - the configurator wizard will guide thru rest of the steps.

    Trying out Federation

    You must have already noticed that the steps above automatically start a OpenSSO instance : http://localhost:28080/opensso.
    For exercising Federation functionality (Eg : SAML2) you need at least two opensso instances in two different domains.

    Initial Preparation : Setup /etc/hosts (or equivalent) to add fully qualified hostnames to represent a Service Provider and Identity Provider respectively : eg : localhost,
    Install two instances using The QuickSetup Web Start UI.
    For example :
    Enter sp , click "Deploy" - wait 25 seconds for a configrator widow similar to the one in Step 4 above to show up. Change the URL to your SP installation. E.g. :
    Configure using this OpenSSO instance configurator wizard and the use Service Provider task flow to set this instance as a Service Provider.
    Back to Webstart window - enter "idp" and click "Deploy". Same steps above, except this time change url to : and configure this instance as a Identity Provider.

    Stopping OpenSSO

    CLick "Exit OpenSSO" button on Webstart window. This will shutdown all opensso instances.

    Re-starting OpenSSO

    Invoking QuickSetup again restarts the default opensso instances - it will all use the configuration setup earier. Ie you dont need to configure it again. To restart other OpenSSO instaces configured earlier, use the QuickSetuo UI to enter the deploy uri and click "Deploy". To unconfigure a given instance, stop OpenSSO, remove the configuration directory provided during setup and reinvoke webstart.

    Misc Notes/Known Issues

  • QuickSetup creates and uses $HOME/OpenSSOQuickSetup on your desktop - and for a single instance may use up as much as 256MB disk space.
  • QuickSetp needs Java SE 1.5+ installed.
  • Linux 64bit x86 does not support Java Web Start
  • There are some issues reported on come Windows Vista and MAC systyems in that QuickSetup fails to start. Debug dumps can be found under : $HOME/OpenSSOQuickSetup directory.
  • Limiting WebSetup permissions to report and sandbox within $HOME/OpenSSOQuickSetup is being worked on.
  • Currently the jars are signed with a self signed certificate. This issue will be resolved.
  • Monday Aug 18, 2008

    OpenSSO Early Access Training is Free

    Free OpenSSO EA Training is here. Congratulations to David Goldsmith and the training team for this feat. Note that by RR this is going to be the real deal, the same premium quality training already offered to Sun SEs and paying customers. It includes valuable guidance on fairly sophisticated deployment scenarios and use cases. Learn all about it in David's blog.

    Saturday Aug 09, 2008

    OpenSSO Commercial release Early Access via OpenSSO Express build5

    This is a great opportunity for the community to provide feedback for consideration in the upcoming commercial release.



    « October 2016