Friday Jul 25, 2008

OpenSSO Express Coverage

As you can see from the list of articles and blogs below, Sun's OpenSSO Express announcement caught a lot of eyes. We've been getting a lot of questions about the announcement and tremendous interest in the solution as an alternative to traditional approaches.

I think Redmonk's Michael Coté captured some of the key drivers and scenarios that initiated our interest in creating this model.

"The idea is that companies can get quicker access to new features in the OpenSSO build rather than waiting for the longer, full cycle. As a Sun watcher, I like this kind of thing because it’s a simple, straightforward implementation, if you will, of being an open source company. Developers are typically prone to download and start using open source components for projects, esp. small, “just trying this out, ooops, now it’s a big deal for us” types of projects. Providing support for scenarios like that - starting to use OpenSSO instead of Access Manager - is nice for both developers and operations people who have to support the end result."

A key factor to understand about the OpenSSO community is that it primarily consists of enterprises or large organizations that are implementing enterprise-scale solutions. We were getting overwhelmed with requests from members to offer support and indemnification for these deployments. With regard to price, they evaluated the solution by weighing the cost of buying an AM license versus the cost of hiring internal resources to manage the deployment on their own.

Take a look at the articles below and learn more about what people are saying.


OpenSSO Express on IdentityBuzz
RedMonk's People Over Processors
Michael Cote
July 23, 2008

Sun readies Web stack featuring choice of OSes
Paul Krill
July 23, 2008

Sun Makes Open Source Announcements: Focus on Web Stack, cloud computing, and security
Dr. Dobb's Journal
July 23, 2008

Sun Microsystems Intros Sun OpenSSO Express for the OpenSSO Project
Anshu Shrivastava
July 23, 2008

Sun Announces OpenSSO Express
Web Host Industry Review
David Hamilton
July 23, 2008

Sun Open SSO to have just one flavor
Dana Blankenhorn
July 21, 2008

Sun offering support for OpenSSO: Company standing behind new version of open source technologies
Network World
John Fontana
July 24, 2008

Sun turns on the AMP: Plus SSO, web hosting and more open sauce
The Inquirer
Dean Pullen
July 24, 2008

OpenSSO Express and the smoking simian
Pushing String:

Sun OpenSSO Express: Sun Web Stack ready to ship | D' Technology Weblog

Sun OpenSSO Express: Industry's First Enterprise Support for Open Source Identity Management
Java Entrepreneur:

OpenSSO Express
The Open Road

Sun OpenSSO Enterprise
Dennis Seah’s Weblog

Sun Microsystems Announces Sun OpenSSO Express

Free DNS Lookup: Sun offering support for OpenSSO

osdir: Sun readies Web stack featuring choice of OSes

baanmo: Sun OpenSSO Express: Sun Web Stack ready to ship

linker: Sun readies Web stack featuring choice of OSes

Database Management: Sun readies Web stack featuring choice of OSes

UOforums: Sun readies Web stack featuring choice of OSes

Sun OpenSSO Express
Sidharth's Blog

OpenSSO Express: Start your Federation project today with support from Sun
Virtual Nick

The Aquarium: Sun OpenSSO Express - Support for OpenSSO Stable Milestones!

Identity Management Buzz: Today Sun is Announcing Sun's OpenSSO Express

Sun Extends Support to Include OpenSSO Releases
On the Record Blog Entry

Tuesday Jul 22, 2008

Sun Announces OpenSSO Express

If you are wondering why I've been so quiet for the last few weeks it's because my team has been heads-down working on the launch of OpenSSO Express, an early access version of the next release of Access Manager that is fully supported and indemnified by Sun. In short, customers that buy Sun Access Manager now also receive access to OpenSSO Express under a single license.

Customers can choose what they want to deploy. If our commercial builds have all the features you need and you want a traditional offering, then use Sun Access Manager. If you are focused on innovation or key features that are not yet supported in our commercial release but are available via OpenSSO, then deploy OpenSSO Express. Regardless of what you choose, you get a fully tested offering that includes Sun support and indemnification.

To help explain the benefits of this model I sat down with Redmonk's Michael Coté to discuss. Check out the podcast and let me know what you think!

Also, for more information on this announcement check out . . .

OpenSSO Express Feature Article

OpenSSO Project

OpenSSO Wiki

Sun Access Manager Product Page

Monday Jun 30, 2008

OpenSSO's Embedded Directory

A key benefit of OpenSSO, the open source project used to derive Sun's commercial offering -- Federated Access Manager 8, is that it's 100% Java. This enables Sun to provide one offering that includes access management, federation, and secure web services in a tiny WAR file. Deploy the WAR via your container and you're done. There is no installer!

In addition to providing lots of features, Sun has also begun to leverage other open source projects to improve the usability of OpenSSO. Specifically, OpenSSO now includes an embedded version of OpenDS, an open source community project building a free and comprehensive next generation directory service, based on LDAP and DSML standards. OpenDS is 100% Java, which means it can easily be embedded in OpenSSO and made transparent to the user.

When a user installs OpenSSO they now have the option to choose OpenDS as the embedded directory for the configuration store and/or user store. In other words, a user can deploy OpenSSO without ever having to configure a directory! In Sun's commercial release we plan to support the embedded directory in production for the configuration store only. Using the embedded directory as a user store will only be supported in developer environments.

Props to the Sun engineering team and the OpenSSO community on coming up with another great innovation!

Option 1: OpenSSO Embedded Configuration Store

Option 2: OpenSSO Embedded User Store

Wednesday Jun 11, 2008

Federated Access Manager / OpenSSO Wiki

We at Sun are doing our darnedest to constantly improve how we communicate with customers. As the only open source WAM, federation and secure web services solution in the market, Sun's Federated Access Manager has a great advantage because we are totally transparent in everything that we do. To that end, I want to share with you our latest innovation in this area -- The Sun Federated Access Manager / OpenSSO Wiki. This is a public site that contains everything FAM and OpenSSO. It complements our documentation by providing access to real-time information as it is made available. It also provides a lot of detail around common questions and access to all kinds of multimedia. Take a look and enjoy. When questions arise, this is a great first stop. ENJOY!

Saturday May 24, 2008

Federated Access Manager / OpenSSO Links

Some great links . . .

  • Definitely the Best Version of AM Ever!!!
    The title of this blog entry is a direct quote from an email we received from a very happy Sun SE today. He's kindly given me permission to share it.

  • Installing / Deploying the Fedlet
    Here's some more details on the options that SP has in procuring and deploying the Fedlet (and I mentioned this briefly as part of a screencast few days back). There are two ways a Fedlet can be procured and deployed by a Service Provider, in order to be quickly SAML enabled.

  • Fedlet
    Fedlet is a lightweight Service Provider implementation of SAML2 SSO protocols, embeddable in a Java EE web application. Fedlet is a new feature, which will be part of upcoming Sun Federated Access Manager (OpenSSO) release.
  • OpenSSO on GlassFish
    Federated Access Manager (FAM) introduces a workflow-centric approach which makes installation, deployment and administrative tasks simpler, quicker, and easier. Here's a screencast of installation on GlassFish.
  • OpenSSO / Google Integration
    A few people have asked about this. I did a quick hack for a demo
    system a couple of weeks ago. Here is an initial cut for those who
    can't wait for it to get into OpenSSO proper.

    Thursday May 22, 2008

    Federate Enable, & Migrate From 3rd Party WAM Solutions

    At Sun we know that some of our competitors have a sizeable footprint in the traditional web access management space. When I say traditional, I'm referring to web access management solutions designed to support SSO and AuthZ for internal web applications. These solutions tend to be aimed at deployments of 100,000 users or less.

    One trend we are seeing is that these old solutions are no longer suitable for many organizations and we are regularly being approached as a fresh alternative to replace these existing solutions and to provide additional federation services. This is due to a number of reasons including:

    • The existing solution does not scale for the extranet
    • The existing solution has never been successfully deployed across an organization
    • The existing solution does not support federation standards or requires a major upgrade to do so

    As a result, we are coming across many deal opportunities where we are being asked to replace a proprietary web access management solution over time. That is, the organization wants to move to Sun, but they don't want to completely rip and replace their existing solution due to the fact that they have many agents deployed and do not have the budget or time to replace them all in one fell swoop. In short, when they choose to migrate to Sun's Federated Access Manager (FAM), or OpenSSO (FAM is derived from OpenSSO), they require that the old solution be able to coexist with Sun's solution over a period of time.

    The beauty of Sun's solution to this problem is that we can easily co-exist with the 3rd party solution (we've been doing this for years) and federate enable them with a single solution and a single deployment. Since we're the only self-contained Java application that does web access management and federation in a single distribution, we are unique in that you can deploy a single .WAR file to address both problems.

    Easy to deploy. Easy to configure. Robust in its access and federation capabilities.

    Even better, FAM's multi-protocol hub can translate federation protocols, such as SAML, WS-FED and ID-FF, and proprietary tokens, such as Oracle, Siteminder and IBM tokens, to create a single "circle of trust" between an IDP and its partners regardless of what protocols they are using. In short, an organization can migrate to FAM through a pragmatic co-existence strategy and simultaneously federate enable the old and new solution using a single deployment of FAM to solve both problems.

    How 'bout 'dem apples!

    Tuesday May 13, 2008

    Virtual Federation: A Game of Ratios

    In many of my blogs I've written about Virtual Federation Proxy (VFP), a feature available in OpenSSO, the code base from which Sun's upcoming release Federated Access Manager 8 is derived. I've received lots of email from people asking me to explain the benefit of this feature in more detail, so this blog focuses on explaining the problem that organizations are facing and how VFP can lower the overall total cost of ownership for web access management and federation infrastructure.

    Most organizations are still working toward internal single sign-on. That is, the majority of organizations still have multiple authentication points or reduced sign on (RSO). For example, an organization may still have separate sign-ons for its Web Portal, HR System and Payroll system. It could be using Enterprise Single Sign On to simulate a SSO experience, but it still maintains three different authentication infrastructures. If that organization wants to begin federating with external service providers using all three applications, it needs to deploy a federation service at each authentication point. In other words, an organization would need to deploy separate federation points for each application -- Web Portal, HR system and Payroll system.

    The problem with this is that an organization needs to maintain more federation instances and infrastructure than it wants and would not be following the federation best practice of implementing a single, centralized federation hub. In short, the ratio of an organization's authentication points to federation points would be 1:1. That is, for every authentication point an organization maintains it would also need to deploy an additional federation point. This is often an inhibitor to beginning federation because many organizations believe they need to solve their internal single sign on issues before starting with federation.

    VFP allows a company to lower infrastructure costs by reducing the number of federation instances, hardware, and ongoing support/maintenance costs required to support each individual authentication point. VFP changes the ratio of authentication points to federation points from a 1:1 ratio to an X:1 ratio. For example, the organization mentioned above that has 3 authentication points (Web Portal, HR System, Payroll System) would now only require one federation deployment to manage all 3 authentication points, a 67% reduction in hardware, software, and ongoing maintenance. In short, OpenSSO's Virtual Federation Proxy (VFP) solves this problem by unhinging any dependencies between internal SSO and federated SSO.

    VFP does this by allowing organizations to add a plug-in to each authentication point that allows it to push federation data to OpenSSO when a user logs in. OpenSSO caches the federation data and then acts as a virtual proxy on behalf of each authentication point. For example, the company mentioned above that has three authentication points would deploy a basic plug-in to federate enable its Web Portal, HR System, and Payroll System. If a user logged in to the HR system and then tried to access a partner service during the authenticated session, for example an outsourced 401K service, OpenSSO would act as a proxy for the HR application and handle all communications with the 401K service using the cached data. Once the session is terminated the cached data is deleted from OpenSSO.
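A conceptual model of the flow just described, added here as an illustration; it is not OpenSSO code or its API. The class and method names, the HMAC-authenticated push and the maximum cache age are assumptions of this sketch.

```python
import hashlib
import hmac
import json
import time

def sign(key, session_id, attrs):
    """HMAC over the pushed data; the shared-key scheme is an assumption."""
    msg = json.dumps([session_id, attrs], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class FederationHub:
    """Conceptual model of the hub's cache lifecycle (hypothetical names)."""

    def __init__(self, plugin_keys, max_age=900):
        self._keys = plugin_keys   # authentication point -> shared key (assumed)
        self._max_age = max_age    # assumed cap, in seconds, on cached data
        self._cache = {}           # session id -> (auth point, attrs, stored_at)

    def push(self, auth_point, session_id, attrs, tag, now=None):
        """Plug-in call at login: cache the user's federation data."""
        key = self._keys.get(auth_point)
        if key is None or not hmac.compare_digest(tag, sign(key, session_id, attrs)):
            raise PermissionError("push rejected: unknown or unauthenticated source")
        stored_at = time.time() if now is None else now
        self._cache[session_id] = (auth_point, dict(attrs), stored_at)

    def assert_to_partner(self, session_id, partner, now=None):
        """Answer a partner on behalf of the authentication point, from cache only."""
        now = time.time() if now is None else now
        entry = self._cache.get(session_id)
        if entry is None:
            raise LookupError("no cached data: session unknown or terminated")
        auth_point, attrs, stored_at = entry
        if now - stored_at > self._max_age:
            del self._cache[session_id]  # stale data is purged, not served
            raise LookupError("cached data expired")
        return {"audience": partner, "on_behalf_of": auth_point,
                "subject": attrs["uid"], "attributes": attrs}

    def terminate(self, session_id):
        """Session ended at the authentication point: delete the cached data."""
        self._cache.pop(session_id, None)

    def is_cached(self, session_id):
        return session_id in self._cache

if __name__ == "__main__":
    # Constructed sample values, not real OpenSSO data.
    hub = FederationHub({"hr-system": b"demo-key"})
    attrs = {"uid": "jdoe", "plan": "401k"}
    hub.push("hr-system", "sess-1", attrs, sign(b"demo-key", "sess-1", attrs))
    print(hub.assert_to_partner("sess-1", "401k-service"))
    hub.terminate("sess-1")
    print(hub.is_cached("sess-1"))
```

The point to check in any real deployment of this pattern is the last step: after the session ends, the hub must have nothing left to assert.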

    Finally, as an organization makes progress toward SSO it does not need to worry about constructing, maintaining and end-of-lifing multiple federation services. Instead, it can simply change how each application interacts with a single federation hub. In short, VFP allows organizations to architect a long-term federation solution that follows best practices, simplifies their path to federated single sign on, lowers total cost of ownership, and simplifies an organization's identity infrastructure in a pragmatic manner.

    Peace out!

    Friday May 09, 2008

    Sun Identity Team Challenges PING, IBM, ORACLE, CA and Microsoft

    OK Identity Competitors!

    We had our video battle warm-up with the scrappy Ping Identity a few months ago, but now we challenge you to a little game called IDENTITY HERO!

    My teammates at Sun believe that they can rescue more identity enterprises than our competitors. Let's throw down and see who can claim the highest score!!!


    Thursday May 01, 2008

    Simple Federation meets The Federation Validator

    My goal in life, besides world peace, is to make federation so simple my 15-month-old child, Taro, can do it. Now that's a lofty goal, but we're making progress towards that in Federated Access Manager 8. To give you a preview, I've prepared a screencast that shows the following:

    • Configuring an Identity Provider (IDP)
    • Configuring a Service Provider (SP)
    • Creating a Circle of Trust between the IDP and SP
    • Validating the federated connection

    The goal is to give you an idea of how simple federation has become. Keep in mind, I'm marketing and I can do it. I'm also not one of those converts from engineering to marketing (light-side to dark-side), but rather come from a business background and have a BA in Public Affairs. In short, this stuff is not designed for identity experts, but rather dimwits like myself.

    As always you can check all of this out for yourself at Enjoy the demo . . .

    Tuesday Apr 29, 2008

    OpenSSO Workshop @ CommunityOne

    Howdy Peoples!

    Next week is JavaOne and there is a lot of excitement brewing around Sun. In the world of identity we're gearing up to host a workshop titled "OpenSSO: Creating Federated Relationships with Software as a Service, Social Networking, and Web 2.0 Applications" on Monday May 5 at 4pm in Hall E 135. This session is part of CommunityOne, which is free of charge to attend. All you need to do is register. See you there!

    Thursday Apr 24, 2008

    Identity Buzz Podcast: The Fedlet and light-weight federation

    Last week, I joined Red Monk's Michael Coté and Brandon Whichard on the Identity Buzz podcast. We talked about The Fedlet, a small, light-weight way to get identity federation set up with Sun tools. Click on the link below to listen and enjoy!

    Download the episode directly here, or subscribe to the RSS feed in iTunes or other podcatcher to have it auto-downloaded.

    Friday Apr 11, 2008

    Fedlets Everywhere Video

    We're almost there folks. Here's the final teaser around Fedlets. Around this time next week you will be drinking an umbrella drink and reflecting on the power of the Fedlet.

    From the Trenches at Sun Identity, Part 3: Federated Access Management Simplified

    As Pat stated on his blog, from the shameless self-promotion dept...

    Hot on the heels of her interview with the scrappy Jamie Nelson and infamous Pat Patterson, Marina's latest subject is... lil ol' me!


    Read my extraordinary thoughts about the world of identity and access management. As an identity child prodigy, I have much to say about these subjects.

