Tuesday May 26, 2009

Nailing Down the Definition of "Entitlement Management" with OpenSSO

Ian Glazer from the Burton Group wrote a nice blog on having a meaningful conversation around the definition of entitlement management. Ian was responding to a blog by Ian Yip and basically states we need more specificity around entitlements in the context of access controls. I agree with Ian's sentiment and thought I'd take some time to discuss how Sun thinks about entitlement management when it comes to access controls.

First, as Ian points out in his blog, we agree that entitlement management is too vague a term and cuts across many facets of identity management, including roles, provisioning, access controls and reporting. When it comes to access controls we've decided to refer to it as "entitlement enforcement" so that it's clear we are talking about the run-time enforcement of access entitlements.

Second, when we refer to entitlement enforcement we mean the fine-grained access controls around resources. That is, rather than protecting "doorways" (coarse-grained access), we provide authorization decisions around all the "objects" within an application or resource, which is often referred to as fine-grained authorization. For example, a common scenario we see in financial services is the need to provide entitlement enforcement around specific fields within a banking portal. For instance, a banking portal may want access controls that limit the amount of money that subjects such as individuals, roles or groups can transfer. I may have the ability to transfer $1 million and Ian may have the ability to transfer $5. Note that the access controls I'm talking about are not specific to URLs only; they also apply to other resources such as fields, calendars, etc.
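The transfer-limit scenario above as an added worked example (not OpenSSO code): a small XACML-style policy whose rules have a target and a condition and are combined deny-overrides, where the fine-grained rules inspect the amount field itself rather than the URL. The role names, the resource path and the mapping of the $5 and $1 million limits onto roles are constructed for illustration; a role that grants no limit gets $0.

```python
"""Banking-portal transfer limits as XACML-style rules under deny-overrides (added example, not OpenSSO code)."""
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
TRANSFER_FORM = "/banking/transfer"                        # constructed resource path
TRANSFER_LIMITS = {"teller": 5.0, "manager": 1_000_000.0}  # dollars per role (constructed roles)

@dataclass
class Request:
    subject: str
    roles: frozenset
    resource: str  # the protected object: a form, not just a URL
    action: str
    amount: float  # the field value the fine-grained rule inspects

@dataclass
class Rule:
    name: str
    effect: str
    target: Callable[[Request], bool]     # does the rule apply at all?
    condition: Callable[[Request], bool]  # does its effect fire?

    def evaluate(self, req: Request) -> str:
        return self.effect if self.target(req) and self.condition(req) else NOT_APPLICABLE

def limit_for(roles: frozenset) -> float:
    return max((TRANSFER_LIMITS.get(r, 0.0) for r in roles), default=0.0)

def is_transfer(req: Request) -> bool:
    return req.resource == TRANSFER_FORM and req.action == "transfer"

POLICY = [
    # coarse-grained "doorway" rule: visitors without the portal role never reach the form
    Rule("portal-users-only", DENY, lambda r: r.resource == TRANSFER_FORM,
         lambda r: "portal-user" not in r.roles),
    # fine-grained rules on the amount field itself
    Rule("within-limit", PERMIT, is_transfer, lambda r: r.amount <= limit_for(r.roles)),
    Rule("over-limit", DENY, is_transfer, lambda r: r.amount > limit_for(r.roles)),
]

def decide(req: Request) -> str:
    """Deny-overrides: any Deny wins, then Permit, else NotApplicable."""
    results = [rule.evaluate(req) for rule in POLICY]
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE

def enforce(req: Request) -> bool:
    """PEP behaviour: only an explicit Permit opens the door (fail closed)."""
    return decide(req) == PERMIT
```

A request that matches no rule comes back NotApplicable, and the enforcement point treats that as a denial rather than a pass.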

Third, entitlement enforcement requires policy enforcement points that are easy to deploy and scalable. Sun is approaching this in two ways: 1) OpenSSO can be deployed as a policy enforcement point, or 2) we will be offering a Fedlet policy enforcement point, a lightweight method for embedding policy enforcement points within applications. The key to this effort is making it lightweight and performant at the same time. The basic gist is that if you have all the capabilities to implement entitlement enforcement but it isn't repeatable and scalable in terms of deployment, then it won't be practical to implement and could hinder adoption.

Fourth, Sun believes that all aspects of an entitlement enforcement solution imply scale. Your policy store needs to scale. The user interface needs to scale to allow people to manage lots o' policies, and the entitlement enforcement solution needs to be performant to ensure it can handle lots and lots of authorization transactions.

Fifth, auditability and simulation of policies are important as well. Entitlement enforcement needs to fit into the development process so that administrators and developers can work together to define applications, develop policies and test policies throughout development, QA, staging and production. Providing tools to do this, and ensuring that admins can export policies from the entitlement solution so that they can develop error-free scripts as they move from environment to environment, is critical.

Sixth, identity services are key to entitlement enforcement. The fine-grained nature of entitlements means there is a much larger burden on developers to tie policy to a centralized system. There need to be several options that developers can use to handle embedding entitlements in the application or container. This includes lightweight identity web services such as OAUTH/REST, standard protocols such as SAML/XACML and complete abstraction via agents. Depending on the customer, we believe you need to support multiple options. Whereas a Web 2.0 company may be very excited about REST, a financial services company may be more focused on agents and completely abstracting authorization from the developer. As Gerry points out, there are many ways to do this, whether it be using XACML, WS\*, OAUTH, etc, etc, etc.

Finally, Sun has a unique belief that entitlement enforcement should be part of your web access management solution. This is not specific to the definition of entitlement enforcement, but rather our belief about how to pragmatically implement it. Deploying a separate WAM solution and entitlement enforcement solution adds unnecessary complexity to your identity infrastructure and vastly increases the TCO. It means that organizations have multiple products to maintain and upgrade. It also means that customers will likely have multiple policy stores within their organization. From our perspective, WAM solutions were built to handle entitlement enforcement, and it is a natural extension of web access management that is more likely to lead to customer adoption than requiring someone to license and deploy a separate component in their environment.

Our entitlement solution is currently under construction at OpenSSO.org. It will be 100% XACML-based and is focused on delivering everything I've described above. You can currently view it in the OpenSSO source code, but we will be providing more details shortly so you can test it out. We will also be showing the new capabilities at OpenSSO Community Day 3.0 in San Francisco this weekend. Make sure to attend so you can see it and provide feedback.

Tuesday May 12, 2009

POSSO iPhone App is Now Available for Download

Our first community iPhone app, POSSO, is now available for download. Great to see people thinking about how to leverage the iPhone App Store for Identity and Access Management innovation. Although POSSO is a pretty basic app, it does make your mind start to think about other tools that could be created. If I were an IT admin, I'd love to be able to see my monitoring data on my iPhone. Imagine being able to check on the fly the number of logins per minute, the number of concurrent users, or the number of users provisioned in a day. Pretty funky stuff. Check out POSSO and enjoy.

Monday May 11, 2009

BFF . . . OpenSSO and Microsoft “GENEVA” Server Interoperate

Almost everywhere I go I get the question . . . "What's Geneva Server?" "How does Geneva interoperate with OpenSSO?" "Are Geneva Server and Geneva Framework the same?" "Should I store my policies in OpenSSO or Geneva?"

In the past, I've had to provide long-winded answers that leave me out of breath and huffing and puffing for air. Now, I can simply point to our new whitepaper, jointly produced with Microsoft, to provide the answers -- Microsoft "Geneva" Server and Sun OpenSSO: Enabling Unprecedented Collaboration Across Heterogeneous IT Environments.

The whitepaper validates a number of common use cases between OpenSSO and Geneva. It shows how you can use OpenSSO and Geneva to protect SharePoint apps. It shows how you can use the OpenSSO Fedlet, which just won the best innovation award at the European Identity Conference, to protect .NET apps. In short, it's a good read and answers some pretty commonly asked questions. Enjoy!

Download Whitepaper Now

Wednesday May 06, 2009

European Identity Conference: Felix Gaehtgens Interviews Pat Patterson

. . . and captures a flattering image. :-)

European Identity Conference: Felix Gaehtgens Interviews Eve Maler

OpenSSO Fedlet Wins Best Innovation in IAM and GRC

This week I have been having a blast at the Kuppinger-Cole European Identity Conference in Munich. I've had lots of good conversations, participated in great sessions and talked to customers and press. To top it off, we were just awarded Best Innovation in IAM and GRC for THE FEDLET. As you all know, this is my favorite feature of OpenSSO. Super lightweight federation for Java or .NET apps by adding a teeny, tiny little package to your application. No infrastructure or graduate degree needed to install. Wocka Wocka Wocka!

Thursday Apr 30, 2009

OpenSSO on the iPhone

Rohan Pinto at Sun has been working on a very cool project, named PoSSO, that makes the OpenSSO Admin console available on the iPhone. The app allows you to perform basic help desk administration tasks, like creating a user, changing a password or resetting a password, right from your iPhone. Check it out. It's pretty unbelievable.

Wednesday Apr 22, 2009

Federated Single Sign-On to Google Apps in Under 4 Minutes

In our OpenSSO Express 7 release we added a new feature focused on allowing people to configure both OpenSSO and Google Apps in minutes for simple authentication. Below is a video of me doing so with the latest build. My goal was to do it in under 4 minutes. If you want to test it out, download Express 7 and our Google Apps Starter Kit to begin.

Thursday Apr 16, 2009

OpenSSO Express Build 7 Now Available

As promised, Sun is proud to announce the release of OpenSSO Express Build 7. This is a supported release and the first of many Express Releases leading up to OpenSSO Enterprise 8.1.

As many of you already know, the moment we finish a feature we now test it and make it available via an Express Release; Express Releases occur every three months. Customers that subscribe to OpenSSO Enterprise get complete access to these builds with support and indemnification.

Below is a list of some of the major enhancements / features.

Google Apps Premier customers can now download Sun OpenSSO to deploy rapid federated single sign-on to organizations that use Google Apps as their collaboration and messaging service. The OpenSSO solution allows organizations leveraging Google Apps to use enterprise logins to access Google Apps, providing increased user adoption, improved security and administration benefits.

Support for the following web containers:

\* GlassFish Prelude 3
\* IBM WebSphere Application Server 7.0
\* Oracle WebLogic Server 10g Release 3 (10.3)

Customers can now download and deploy OpenDS Standard Edition as a user store with OpenSSO.

To read about all the new features and enhancements in OpenSSO Express 7 check out our Express 7 Release Notes.

Download OpenSSO Express 7 now.

Monday Mar 16, 2009

Sun Everyday Provisioning Webinar -- March 18th, 2009

Skip American Idol on March 18 because there is something much more entertaining you can watch! You guessed it! Sun's Craig McDonald is going to sing, dance and talk about the Sun Identity Manager roadmap and why it is "da bomb" when it comes to identity provisioning. Don't miss out.

March 18th, 2009
10:00 PT/1:00 ET

Wednesday Mar 04, 2009

THE .NET FEDLET APPROACHES! (Make spooky sounds as you read)

What's less than 1.5MB, SAML2 compliant and allows for super lightweight federation between an Identity Provider and a .NET Service Provider application? Yup . . . you guessed it! The .NET version of our game changing Fedlet. My .NET nerd friend and colleague, Giuseppe (also known as Gui), has just blogged about an updated prototype of the .NET Fedlet for people to try.

The key benefit of the Fedlet is that it's an appliance killer. Yup. I said it. An appliance killer! How, you ask? Well, the key reason we get requests for an appliance is that customers are searching for a simple way to enable partner federation with little effort. They want as little overhead as possible when trying to onboard a new partner.

Well, if you ask me, having to maintain a federation deployment and infrastructure is still too high a baseline and implies cost, cost, cost. The Fedlet is truly light and requires no hardware, maintenance, upgrades or license. That's right. I said no license. When you buy OpenSSO Enterprise you can provide as many Fedlets as you want to partners at no additional cost. In fact, Fedlets can also be enabled for multi-partner federation. Partners are covered under your OpenSSO license and can receive support at no extra charge. How's that for impacting Total Cost of Ownership?

The Fedlet will be officially supported in OpenSSO Express Build 8, which will be available July 2009.

Monday Mar 02, 2009

OpenSSO Feature Release Schedule Published

I am very excited to announce that the OpenSSO Feature Release Schedule is now available on wiki.opensso.org. The coolest thing about this schedule is that we are releasing product every three months!!!! Every build listed in this schedule is also supported by Sun, so if you put it into development or production you always have the option to buy an OpenSSO Enterprise license or subscription to receive support and indemnification. Pretty cool stuff! Check out the schedule by clicking the image below.

Thursday Feb 05, 2009

OpenSSO Enterprise 12 Month Outlook

A few weeks ago I did a customer webinar to about 150+ people on OpenSSO with Jamie Nelson, my engineering brother in arms. The preso outlines our direction over the next 12 months. Check it out. No muppet songs in this video.

Tuesday Feb 03, 2009

Roadmap Preview: 1x Password w/ Mobile Phone

At the end of last week, I did a write-up on how we are extending OpenSSO to include Service-Level Monitoring. Today I'd like to talk about 1x Password capabilities that we are adding to OpenSSO.

One-time passwords are used when an organization wants a higher level of authentication for users trying to access a web application. That is, they want to require a second way to authenticate users, such as a physical token card, besides simply entering a user name and password. This is commonly seen in the financial services sector when accessing bank accounts or when accessing a corporate intranet remotely.

The challenge with physical token cards is that they tend to be expensive to purchase and disseminate. As an alternative, we are in the process of adding capabilities to OpenSSO that allow a user to obtain a 1x password via their mobile phone (i.e. using SMS text messages). This is not a replacement for traditional multi-factor authentication solutions, but rather a lightweight alternative for those that don't want to buy a robust offering to complement their web access management solution. The key benefit of this solution is that organizations will be able to lower operational expenses by allowing consumers to use their cell phones as a physical token device rather than buying a separate piece of hardware.

Above is a video of what we are building. The solution uses Open Authentication (OATH) to do standards-based strong authentication. It's still rough, but this will give you a taste of what we are building.
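The OATH algorithm behind a counter-based 1x password is HOTP (RFC 4226): an HMAC-SHA-1 over an 8-byte counter, dynamically truncated to a short decimal code. Added example, not OpenSSO code: the key below is the RFC's published test-vector secret, and the verifier class with its look-ahead window is an assumed server-side design, not OpenSSO's.

```python
"""HOTP (OATH, RFC 4226) generation plus a counter-based verifier with a look-ahead window.
Added example, not OpenSSO code; the verifier design is assumed."""
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the big-endian counter, dynamic truncation to 31 bits,
    reduced modulo 10**digits and zero-padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Server-side state for one user: the shared secret and the next expected counter."""
    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # how many lost/skipped codes to tolerate (RFC 4226 s7.4)

    def issue(self) -> tuple:
        """The 1x password for the current counter, i.e. what would be sent by SMS."""
        return self.counter, hotp(self.secret, self.counter)

    def verify(self, candidate: str) -> bool:
        """Accept the expected code or one up to look_ahead counters ahead, then move the
        counter past it so the accepted code (and anything older) can never be replayed."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1
                return True
        return False
```

The constant-time comparison and the strictly advancing counter are what make a delivered code single-use; a verifier that compared with `==` or left the counter in place would accept the same SMS twice.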

Friday Jan 30, 2009

Roadmap Preview: OpenSSO Service-Level Monitoring

A few weeks ago I blogged that I would start going into detail on the OpenSSO roadmap. I've been a bit slow in doing this, so no more procrastination on my side. Here's the skinny on service-level monitoring.

The goal of service-level monitoring is to provide a standards-based way for systems management solutions to view reports on OpenSSO component behavior, quickly view a dashboard for trends and deployment status, diagnose problems and set threshold alarms. OpenSSO was instrumented with the Java Enterprise System Monitoring framework APIs, which are CIM-compliant, but we are now expanding it to support SNMP and plain JMX to monitor deployment status.

Within the OpenSSO community we are actively working to develop robust monitoring for large-scale deployments that allows system and network administrators to proactively manage important enterprise assets that range from physical devices to systems and applications. Through our new service-level monitoring capabilities deployers will be able to monitor their deployment health, detect and diagnose problems and use reported metrics to size deployments.

The monitoring solution will use monitoring agents and leverage existing agents such as those provided with OpenDS, GlassFish and the Java Virtual Machine. The mosaic of agents will all report management data to a management console, which can aggregate the information and present a single consolidated view for administrators.

Data captured by the OpenSSO monitoring solution will fall into the following categories for each OpenSSO component:

\* Configuration overview: number of servers, auth modules, realms, agent types, etc.
\* Metrics related to resource usage: cache sizes, connection pools, sessions, etc.
\* Counts on operations: authentication success/failures, authZ success/failures, etc.
\* Faults and diagnostics: server/agent down, LDAP health, connectivity issues, etc.
\* Thresholds and alerts: events emitted when certain configured limits are met -- number of authentication failures exceeds limit, number of in-memory sessions exceeds limit, etc.
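The last category above, as an added example (not OpenSSO's JMX/SNMP instrumentation): an interval counter for authentication failures and a gauge for in-memory sessions, each with a configured limit, emitting one ALERT event when the limit is first exceeded and a CLEAR event when the metric drops back. The metric names, limits and sample readings are constructed.

```python
"""Threshold alarms over monitored metrics (added example, not OpenSSO code)."""

class ThresholdMonitor:
    def __init__(self):
        self.limits = {}       # metric -> configured limit
        self.values = {}       # metric -> current value
        self.counters = set()  # metrics that restart at each sampling interval
        self.breached = set()  # metrics with an outstanding alert
        self.events = []       # (kind, metric, value, limit) tuples emitted

    def configure(self, metric, limit):
        self.limits[metric] = limit

    def count(self, metric, delta=1):
        """Interval counter, e.g. authentication failures since the interval began."""
        self.counters.add(metric)
        self.values[metric] = self.values.get(metric, 0) + delta
        self._check(metric)

    def gauge(self, metric, value):
        """Point-in-time reading, e.g. number of in-memory sessions."""
        self.values[metric] = value
        self._check(metric)

    def new_interval(self):
        """Start a new sampling interval: counters restart, so their alerts may clear."""
        for metric in self.counters:
            self.values[metric] = 0
            self._check(metric)

    def _check(self, metric):
        if metric not in self.limits:   # unconfigured metrics are recorded but never alarm
            return
        value, limit = self.values.get(metric, 0), self.limits[metric]
        over = value > limit
        if over == (metric in self.breached):
            return                      # state unchanged: one ALERT per breach, not per sample
        self.events.append(("ALERT" if over else "CLEAR", metric, value, limit))
        self.breached ^= {metric}

def run_sample():
    """Feed constructed readings through the monitor and return the emitted events."""
    m = ThresholdMonitor()
    m.configure("auth.failures", limit=3)
    m.configure("sessions.inmemory", limit=100)
    for outcome in ["ok", "fail", "fail", "fail", "fail", "ok", "fail"]:
        m.count("auth.failures" if outcome == "fail" else "auth.successes")
    for sessions in [80, 120, 130, 90]:
        m.gauge("sessions.inmemory", sessions)
    m.new_interval()
    return m.events
```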

The traditional commercial release of service-level monitoring is March 2010, but as you know we support features upon completion in OpenSSO Express Builds the moment they are done, so regularly check the OpenSSO project to "monitor" development status.

