Saturday Nov 10, 2007

AAAA Identity Services in OpenSSO

There have been great strides in the OpenSSO community, and one of the areas I am particularly proud of is the addition of identity services. Applications that authenticate end users through identity services can securely pass their attributes to OpenSSO without the need for an agent or a labor-intensive kit. Identity services can be invoked through REST or WSDL interfaces from the IDE of your choice, which means no agent is required to protect a resource. The identity services in OpenSSO (also available in our Spring release of Federated Access Manager 8.0) include:

\* Authentication — Verification of user credentials

\* Authorization — Permission for authenticated users to access secured resources

\* Attributes — Collection of the profiles of authenticated users

\* Audit Log — Ability to audit and record operations

Below is an example of the authentication identity service being invoked using Netbeans. This service is IDE agnostic and can also be used in Eclipse and Visual Studio.
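As an added illustration of the REST flavor of these services (example code written for this post, not OpenSSO's own client or documentation), the client below calls the authentication, authorization, attribute and session services and parses their replies. The deployment URL, the service names under `/identity/` and the line-oriented `key=value` reply format are assumptions; HTTPS is enforced and credentials are sent in a POST body rather than the query string so they stay out of access logs.

```python
import urllib.parse
import urllib.request

# Assumed OpenSSO deployment URL (constructed); HTTPS is enforced below so the
# password and the session token never travel in the clear.
BASE_URL = "https://sso.example.com/opensso"

def service_url(service):
    """URL of one identity service; the service names used on this page
    (authenticate, isTokenValid, authorize, attributes, logout) are assumed."""
    if not BASE_URL.startswith("https://"):
        raise ValueError("identity services must be called over TLS")
    return "%s/identity/%s" % (BASE_URL, service)

def parse_identity_response(body):
    """Parse the line-oriented 'key=value' reply into a dict; repeated
    attribute name/value lines are grouped under 'attributes'."""
    result, attrs, name = {}, {}, None
    for line in body.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "userdetails.attribute.name":
            name = value
            attrs.setdefault(name, [])
        elif key == "userdetails.attribute.value" and name is not None:
            attrs[name].append(value)
        else:
            result[key] = value
    if attrs:
        result["attributes"] = attrs
    return result

def is_true(body):
    """authorize and isTokenValid answer 'boolean=true' or 'boolean=false'."""
    return parse_identity_response(body).get("boolean") == "true"

def call(service, **params):
    """POST the parameters to a live server (keeps the password out of the URL
    and access logs, assuming the server accepts POST) and parse the reply."""
    data = urllib.parse.urlencode(params).encode("utf-8")
    with urllib.request.urlopen(service_url(service), data=data, timeout=10) as resp:
        return parse_identity_response(resp.read().decode("utf-8"))

# Constructed sample replies in the shape the services are assumed to return.
SAMPLE_AUTH = "token.id=AQIC5wM2LY4SfcyEXAMPLE\n"
SAMPLE_ATTRS = ("userdetails.token.id=AQIC5wM2LY4SfcyEXAMPLE\n"
                "userdetails.attribute.name=uid\nuserdetails.attribute.value=demo\n"
                "userdetails.attribute.name=mail\nuserdetails.attribute.value=demo@example.com\n")
```

Against a live server, `call("authenticate", username=..., password=...)["token.id"]` yields the session token that the `authorize`, `attributes` and `isTokenValid` calls take as `subjectid` or `tokenid`, and `call("logout", subjectid=token)` ends the session when the application is done.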

If you're interested in exploring this functionality download OpenSSO and begin playing today. Also, Aravindan Ranganathan, one of our talented software architects at Sun, wrote a nice technical article titled Securing Applications With Identity Services, Part 1: Authentication. He will be publishing three more technical articles on the remaining services shortly - Authorization, Attributes, and Audit Log.

Friday Nov 02, 2007

OpenSSO Secure Token Service

Last week I attended Catalyst Europe in Barcelona. It was a great conference and there was a lot of focus on access and federation, which made me very happy. One of the events we participated in was an OSIS interoperability event. The goal of the interop was to demonstrate interoperability with Microsoft Cardspace. For us, the true benefit of the session was to demonstrate our Secure Token Service, which is available in OpenSSO and will be released in Federated Access Manager 8.0.

A Secure Token Service is a foundational component of an organization's web services security infrastructure. The STS answers the question: how does a Web service verify the credentials presented by a web services client? The STS verifies the credentials presented by the client and, in response, issues a security token that provides proof that the client has authenticated with the STS. The client presents the security token to the Web service, which verifies that the token was issued by a trusted STS, and that in turn proves the client has successfully authenticated with the STS. A key benefit of an STS is that it can do token translation based on the security policies of the web services client and the web services provider (e.g., a request is issued in SAML 1.1 and translated to SAML 2.0).
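The exchange just described, modelled as an added example (not code from the post or from OpenSSO): the STS verifies credentials and issues a token, the web service accepts the token only if it is untampered, unexpired and from a trusted issuer, and token translation re-issues a valid token in another type. The shared HMAC secret, the issuer name, the user store and the token format are constructed stand-ins for the X.509 signature and WS-Trust messages a real STS would use.

```python
import hashlib
import hmac
import json
import time

# Constructed values: a real STS signs with its X.509 key and the service checks
# the certificate chain; a shared HMAC secret stands in for that here.
STS_KEY = b"constructed-shared-secret"
TRUSTED_ISSUERS = {"opensso-sts"}
USERS = {"testuser": "secret"}       # constructed credential store behind the STS
TOKEN_LIFETIME = 300                 # seconds

def _issue(subject, token_type, now):
    """Sign a token carrying issuer, subject, requested type and expiry."""
    claims = {"issuer": "opensso-sts", "subject": subject, "type": token_type,
              "expires": now + TOKEN_LIFETIME}
    payload = json.dumps(claims, sort_keys=True)
    sig = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + sig

def sts_issue(username, password, token_type, now=None):
    """STS side: verify the client's credentials, then issue the requested token."""
    if not hmac.compare_digest(USERS.get(username, ""), password):
        return None
    return _issue(username, token_type, now if now is not None else int(time.time()))

def service_verify(token, now=None):
    """Web service side: accept only an untampered, unexpired token from a trusted
    STS and return its claims (None means reject)."""
    payload, _, sig = token.rpartition("|")
    expected = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    now = now if now is not None else int(time.time())
    if claims["issuer"] not in TRUSTED_ISSUERS or claims["expires"] <= now:
        return None
    return claims

def sts_translate(token, new_type, now=None):
    """Token translation: the STS re-issues a valid token in the type the provider's
    policy requires (SAML 1.1 in, SAML 2.0 out) without asking for credentials again."""
    claims = service_verify(token, now)
    if claims is None:
        return None
    return _issue(claims["subject"], new_type, now if now is not None else int(time.time()))
```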

Below are a few screenshots from the interop providing a flavor for our STS capability in OpenSSO.

1. The first step of the demonstration shows a user logging in to OpenSSO configured as a Managed Card provider.

2. The user enters their credentials and the Managed Card Provider generates an information card that can be saved to the desktop.

3. The user saves the information card to their desktop.

4. The user uploads / imports the saved Managed card (InfoCard) into Windows CardSpace.

5. The Sun OpenSSO Test Card is now uploaded in to Cardspace and available for use.

6. The Sun OpenSSO Test Card for TestUser shows the OpenSSO STS end point under the Card ID field.

7. The user goes to the xmldap service provider to login with the OpenSSO Test Card.

8. The user selects the "Login with an Infocard" link and selects the OpenSSO Test Card.

9. The user enters a password and sends a WS-Trust request to the OpenSSO STS.

Thursday Sep 27, 2007

Federated Access Manager 8.0 -- The Features (Part II)

In my last blog, "Federated Access Manager 8.0: The Overview," I focused on a high-level overview of the upcoming product. In this blog I'd like to outline the key objectives of the FAM 8.0 release and a short synopsis of what features we'll be delivering.

Our release is scheduled for March '08, so whyyyyyyy am I writing about this now, you ask? Because all of this functionality will be available in OpenSSO over the next month.

Think of this as our "Spring Training." We want everyone to download a stable OpenSSO build and play, play, play. (Hopefully like my beloved Yankees!) Feedback on the product will be encouraged and welcome, so stay tuned. In the meantime here's the down low on FAM 8. Enjoy . . .


Simplified Platform: Simplification! Simplification! Simplification! The FAM 8.0 release will focus on significantly simplifying functionality for the user so that they can easily complete the most commonly used tasks during pre- and post-configuration in a jiffy. These simplified workflows will be dynamic and allow the customer to very quickly deploy a completely load balanced solution in minutes. Below is a preview of one of our simplified flows.

Heterogeneity: We will continue to support a diverse range of protocols, containers, directories, WAM, Federation and OS platforms so that customers can choose what best fits their needs. In addition to supporting Active Directory and Sun Java System Directory Server, we will be expanding our directory support to include Tivoli Directory Server. We will also be conducting detailed testing of the product with not only our WAM Identity infrastructure, but also Oracle Access Manager & CA Siteminder. Basically, the goal is to provide an infrastructure agnostic solution that allows greater customer choice.

Access Management Features: The FAM 8.0 product release will focus on improving the ease of deployment of our Access Management solution by centralizing agent configuration and AM instance configuration. We will also be expanding our protocol support to include XACML support. The major access management features in the 8.0 release are as follows:

    \* Centralized Agent Configuration & Deployment
    \* Centralized Instance Configuration
    \* XACML Request/Response

Federation Management: The focus on federation will be expanding our product interoperability so that customers can implement our federation service without having to change their internal architecture or infrastructure. The goal is to make our federation offering infrastructure agnostic. The major federation features in the 8.0 release are as follows:

    \* WS-Federation 1.1
    \* Simple Federated Partner Enablement
    \* Multi-Federation Protocol Hub
    \* Secure Attribute Exchange to federate-enable legacy applications

Identity Services: Sun is taking on a leadership role in driving the adoption of identity services. Specifically, we are working with several key customers to jointly develop an identity service specification that details, down to the use case level, what functionality needs to be exposed for building business applications using composite services. In the FAM 8.0 release the following identity services will be exposed:

    \* Authentication as a service
    \* Authorization as a service
    \* Audit as a service
    \* Attribute Query as a service
    \* Generalized Trust Authority (STS that supports Liberty and WS-Trust based interactions)

Web Services Security: We are expanding our web service security story so that customers can implement plug-ins to protect web services rather than doing it programmatically. We will be releasing web service security plug-ins for the following containers in FAM 8.0:

    \* Sun Java System Application Server
    \* Sun Java System Web Server
    \* BEA Weblogic
    \* IBM Websphere


