Tuesday Apr 28, 2009

New and Updated Policy Agents for OpenSSO

We released four new 'version 3.0' policy agents for OpenSSO today:

These join the existing version 3.0 policy agents for Sun Glassfish Enterprise Server (formerly known as Sun Java System Application Server) 8.x/9.x (documentation, download) and Oracle/BEA WebLogic Server/Portal 10 (documentation, download). While the 3.0 agents add centralized configuration and some other features, it's important to note that all of the version 2.2 agents are tested and supported with OpenSSO.

Friday Apr 17, 2009

OpenSSO Tab Sweep - Apr 17 2009

A celebration this week and events over the next month in the world of OpenSSO...


So - there you have it - a packed few weeks in OpenSSO-land, and evidence that the OpenSSO community is as active IRL (in real life) as on IRC (Internet Relay Chat).

Thursday Apr 16, 2009

Out Now - OpenSSO Express Build 7!

As announced yesterday on the OpenSSO users mailing list, OpenSSO Express Build 7 is now available! Congratulations and thanks to the OpenSSO team for their hard work, and to the whole OpenSSO community for continued support in the form of issue reports, patches and other contributions.

So, what's new in Express Build 7? Here are some highlights - full details are in the release notes.

The other question going through your mind may be "What on earth is an 'Express Build', anyway?". The short answer is that an OpenSSO Express build is a supported 'snapshot' of development between full 'OpenSSO Enterprise' releases. The long answer is on the OpenSSO wiki.

Saturday Mar 28, 2009

OpenSSO on Java.net front page...

Following in Ludo's footsteps I have to say thank you to Marina for getting OpenSSO onto the java.net front page:

As Ludo mentioned, Marina is looking for new opportunities - if you need a top flight technical author, then email me and I'll pass your message on to her.

Friday Mar 27, 2009

OpenSSO Tab Sweep - Mar 27 2009

As always, a bumper crop of OpenSSO news from the last couple of weeks...

That wraps things up for another week - I'm off to jump in the Patmobile and brave 101. See you next time!

Wednesday Mar 25, 2009

Jobs @ OpenSSO - March 2009

Sun is hiring engineers for OpenSSO and related identity products - we have a number of positions spanning engineering, QA and UI design. If you read my blog regularly, you'll know that OpenSSO is hot stuff - open source single sign-on, federation and secure Web services, delivered as Sun OpenSSO Enterprise and used in deployments large and small.

BTW, we have a referral bonus scheme at Sun, so, please, if you do apply for any of these positions, list me (Pat Patterson) as the referrer - I'll buy you lunch once you start.

UPDATE - I added another position and updated the publication time... We may have more reqs in the pipeline, so watch this space...

  • Entry Level Engineer (0-2 yrs experience) - we're looking for junior folks with some experience in Java, C++, J2EE, XML, servlets, and web technology development. Any middleware experience would be a bonus.
  • Senior Quality Engineer (6+ yrs experience) - a rare opportunity to get into one of the best QA teams in the business - OpenSSO QA team manager Indira Thangasamy talks about what's involved.
  • Interaction Designer / Information Architect (0-2 yrs experience) - anyone seeing the evolution of Access Manager into OpenSSO over the past few years will have seen our emphasis on ease of use and UI design. We're not done yet, though! We need another UI designer to work on projects across the identity management product line.
  • Senior Java-based User Interface Developer (3+ yrs experience) - JSF, RIA, Ajax - buzzword heaven in this UI developer post. The job spec currently says 'Identity Server project management', but it looks like that's a typo for 'Identity Manager' - OpenSSO's provisioning cousin. Unlike the other jobs, which are all Bay Area-based, this one is 'Any US Sun Location' - a great opportunity if you have wicked Java Web UI skills but are based in Colorado, or Massachusetts, or Texas, or...

If those links are no longer valid by the time you're reading this, then you can use these search links for OpenSSO jobs at Sun and identity-related jobs at Sun.

links for 2009-03-25

Thursday Mar 19, 2009

A Grand OpenSSO Community Day Out in New York

Many thanks to all who attended (I counted at least 50) and spoke at our very first OpenSSO Community Day this past Tuesday in New York City, and to NYU for making available such an excellent facility.

We had a range of speakers: some from the OpenSSO product team, some from other parts of Sun, and even one SI partner - Mike Schwartz from ID-Vault. As promised, we assembled the agenda at the start of the day, and managed to fit in nine 40 minute sessions covering pretty much every aspect of OpenSSO. Almost all the slides are online at the event wiki page (slides, please, Brad!).

If you attended the community day, please complete the Meetup survey - we'd love to have your rating and comments.

The next stop for the OpenSSO Community Day roadshow will be Munich, on May 5. Remember, if you're also planning to attend the European Identity Conference (hosts for our event), you can get 20% off your registration fee by quoting the discount code OPENSSO.

Watch this space for news of OpenSSO Community Day 3.0 - to be held in San Francisco, around the time of CommunityOne West/JavaOne.

Friday Mar 13, 2009

OpenSSO Tab Sweep - Mar 13 2009

Lots of news over the last couple of weeks from the world of OpenSSO. Events in New York, new Fedlet innovations and more; read on...

That wraps things up for this week. Don't forget, if you're planning to attend the European Identity Conference 2009 in May, the second OpenSSO Community Day will be there on the Tuesday, May 5 2009. Register at Meetup and you can pick up a discount code for 20% off the cost of your EIC registration. Bargain!

Tuesday Mar 03, 2009

Swekey Authentication Module for OpenSSO

I just finished another OpenSSO Extension - this time, an authentication module for the Swekey authentication key (README, source). The authentication module prompts the user for their username and uses the Swekey to generate a one-time password, which is validated against the Swekey authentication server.

It's interesting to contrast the Swekey with the Yubikey, which I covered here a few months ago. Where the Yubikey emulates a USB keyboard, requiring no special client software, the Swekey requires a driver. On the other hand, where the Swekey is invoked automatically by a browser plugin, requiring no user intervention apart from inserting the device into a USB port, the Yubikey requires the user to press its button and, potentially, ensure that the cursor is in the correct input field. One thing they do now have in common, though: they both work with OpenSSO.

So, if you have a Swekey, grab the authentication module, deploy it (see the README) and let me know how you get on.

Friday Feb 27, 2009

OpenSSO Tab Sweep - Feb 27 2009

Wow - it's been nearly 7 weeks since the last tab sweep, not so much due to a lack of OpenSSO news, quite the reverse - so much going on that I've not had 2 minutes to sit down and document it. Anyway, here we go...

That wraps it up for February. Watch out for more exciting OpenSSO news coming soon!

XACML and SAML - a Match Made in... 2005

Over at NetworkWorld's Security: Identity Management Alert, Dave Kearns weighs in on the ongoing federated provisioning debate with Federated provisioning could exist. While Dave is right to highlight the promise of the Liberty Alliance's Identity Governance Framework (IGF), he is way off the mark regarding XACML and SAML. Dave writes:

Some have suggested that XACML (eXtensible Access Control Markup Language) might be the answer. But it [...] suffers from the same problem as SPML (no interaction with SAML) [...]

This is patently not true! Four years ago, OASIS defined the interaction between XACML and SAML in SAML 2.0 profile of XACML v2.0 [PDF], part of the XACML 2.0 specification set. Since then, SAML/XACML has been implemented in a range of products, including Sun OpenSSO Enterprise, with interoperability between seven vendors' products demonstrated at the OASIS XACML Interop Demo (held at the RSA Conference, April 2008).

XACML and SAML, best buddies since February 2005

Wednesday Feb 25, 2009

Security Geek Irony

On going to the RSA Conference website:

Wednesday Feb 18, 2009

Verizon Wireless on Improving Security and User Experience with Sun Access Manager

Last November, at the Gartner Identity and Access Management Summit 2008 in Orlando, FL, Damo Bashyam of Verizon Wireless (VZW) gave a presentation titled 'Simplify Identity Management to Improve Security and Online Customer Experience'; Daniel just pinged me to say that this presentation is now online, along with the associated slides, and what a presentation it is!

If you're looking for marketecture, then move on; if you want to know how the largest wireless telecommunications network in the United States is using Access Manager (the old name for OpenSSO Enterprise) in a high-scale, high-availability deployment, then it's all here, in just 23 minutes. Some of the numbers are staggering: over 40,000,000 users, 1,000,000 logins per day, peaking at 4,000 logins per minute. VZW deployed Access Manager into two data centers, with session failover within each data center and multi-master replication between six Sun Directory Server instances.

The preso and slides detail all this and the business benefits to VZW - for me, given my focus on federation, one highlight was the fact that they have extended single sign-on to 25 third-party application service providers (ASPs), 12 of them in a single night with just 4 hours (planned) downtime for the cutover. Another interesting aspect is that this is a Sun stack, top-to-bottom, so VZW have just one throat to choke in the event of an issue, with no inter-vendor finger pointing. Damo describes it as a partnership - one that has brought real and lasting benefits for both partners.

So... go download the slides, make yourself a nice cup of tea, and spend a few minutes watching the preso:

Saturday Feb 14, 2009

Federated Provisioning - Liberty to the Rescue???

I thought I'd throw my hat into the ring of the current federated provisioning discussion (Ian, Nishant, Ian again, James) ...

Looking at the contentious #2 in Nishant's post, the Liberty Alliance standardized one approach to this several years ago with ID-WSF.

To recap the scenario:

Suppose two companies, Acme and Omega enter into a federation agreement, whereby employees of Acme will be able to access a service at Omega using their Acme credentials. There are two scenarios here for federated provisioning.

[...]

Acme decides that they are not going to decide beforehand which employees are allowed to access Omega's service. Instead, a link to the service is available on Acme's intranet, and whenever a user decides to go to the service, they should be given an account. In this case, no pre-provisioning is taking place. Instead, the provisioning has to occur in real-time, when the user accesses the service via the intranet link for the very first time.

The idea here is that when Omega's federation server encounters the incoming SAML token for a new user, it would recognize that the user does not have a federated account, and send the SAML token to Omega's provisioning server. The provisioning server would create the account right then and there, and return the necessary result back to the federation server so that the federation server can proceed to grant the user access.

Now, in my Liberty-tinged version, when sending a new user to Omega, Acme includes a reference to their Employee Profile (EP) service - essentially the service's endpoint URL - in the SAML assertion. This endpoint reference serves as both a description of where to find the service and permission for Omega (when sent as part of the signed SAML assertion) to invoke that service.

On receiving the assertion, Omega sends a signed request to the EP service, the request containing the SAML assertion it just received. Now, the EP service knows that Omega is entitled to access that employee's data, since it has a signed SAML assertion, issued by Acme itself, that says exactly that (via the presence of the EP endpoint reference). The EP can return exactly the data required (this will have been configured according to the underlying contract between Acme and Omega).

Finally, if desired, the EP can leave a marker in the employee's account that says 'account provisioned at Omega', so that Acme doesn't send the EP reference in every SAML assertion. Alternatively, Acme could deliberately send the EP reference every time. Or even reset the marker when the employee's account changes in a significant way (say, her purchasing limit is changed) so Omega can fetch the new employee data.

In scenarios where manual intervention is required on the Acme side, the EP service can return a response that says "Come back later", and the Omega service relays that to the user.
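To make the exchange concrete, here is an added example (my own sketch, not ID-WSF code and not anything from OpenSSO) that models the flow above: Acme issues a signed assertion carrying an Employee Profile endpoint reference, Omega presents that assertion in a signed request to the EP service, the EP authorises the call on the strength of the embedded assertion and returns only the contracted attributes, and Acme keeps the 'provisioned at Omega' marker so the reference is only sent when Omega still needs to fetch data. HMAC over canonical JSON stands in for XML signatures, and the key material, entity ID, endpoint URL and employee records are all constructed for the example; the EP is called as a Python method where a deployment would make an HTTPS call.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed keys and identifiers for this example; real deployments use XML
# signatures with X.509 key pairs and the partners' registered metadata.
ACME_SIGNING_KEY = b"constructed-acme-signing-key"
OMEGA_SIGNING_KEY = b"constructed-omega-signing-key"
OMEGA_ENTITY_ID = "https://omega.example/sp"               # hypothetical SP entity ID
EP_ENDPOINT = "https://ep.acme.example/employee-profile"   # hypothetical EP service URL
TRUSTED_EP_HOSTS = {"ep.acme.example"}                      # Omega only calls partner-hosted EPs


def sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over canonical JSON; stands in for an XML-DSig signature."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, signature: str) -> bool:
    return hmac.compare_digest(sign(key, payload), signature)


class AcmeIdP:
    """Acme: issues SAML-style assertions and hosts the Employee Profile (EP) service."""

    def __init__(self):
        # Constructed employee directory; 'pending' models the manual-approval case.
        self.employees = {
            "alice": {"name": "Alice", "purchasing_limit": 5000, "pending": False},
            "bob": {"name": "Bob", "purchasing_limit": 1000, "pending": True},
        }
        self.partner_keys = {OMEGA_ENTITY_ID: OMEGA_SIGNING_KEY}
        self.provisioned_at = set()  # marker: (employee, partner) already provisioned

    def issue_assertion(self, username: str) -> dict:
        claims = {"issuer": "acme", "subject": username, "audience": OMEGA_ENTITY_ID}
        # The EP reference is sent only while Omega still needs to fetch data; inside
        # the signed assertion it is also Omega's permission to call the EP.
        if (username, OMEGA_ENTITY_ID) not in self.provisioned_at:
            claims["ep_endpoint"] = EP_ENDPOINT
        return {"claims": claims, "signature": sign(ACME_SIGNING_KEY, claims)}

    def mark_changed(self, username: str) -> None:
        """Significant account change: clear the marker so Omega refetches the profile."""
        self.provisioned_at.discard((username, OMEGA_ENTITY_ID))

    def employee_profile(self, request: dict) -> dict:
        """EP service: authorises on the embedded Acme-signed assertion, not the caller's word."""
        body = {"requester": request["requester"], "assertion": request["assertion"]}
        partner_key = self.partner_keys.get(request["requester"])
        if partner_key is None or not verify(partner_key, body, request["signature"]):
            return {"status": "denied", "reason": "request not signed by a known partner"}
        assertion = request["assertion"]
        claims = assertion["claims"]
        if not verify(ACME_SIGNING_KEY, claims, assertion["signature"]):
            return {"status": "denied", "reason": "assertion not issued by Acme"}
        if claims.get("ep_endpoint") != EP_ENDPOINT or claims["audience"] != request["requester"]:
            return {"status": "denied", "reason": "assertion does not authorise this call"}
        emp = self.employees.get(claims["subject"])
        if emp is None:
            return {"status": "denied", "reason": "unknown employee"}
        if emp["pending"]:
            return {"status": "retry", "reason": "come back later"}
        self.provisioned_at.add((claims["subject"], request["requester"]))
        # Release only the attributes the Acme/Omega contract allows.
        return {"status": "ok",
                "attributes": {"name": emp["name"], "purchasing_limit": emp["purchasing_limit"]}}


class OmegaSP:
    """Omega: consumes assertions and provisions accounts on first use."""

    def __init__(self, acme: AcmeIdP):
        self.acme = acme          # stands in for an HTTPS call to the EP endpoint
        self.accounts = {}

    def login(self, assertion: dict) -> str:
        claims = assertion["claims"]
        if not verify(ACME_SIGNING_KEY, claims, assertion["signature"]):
            return "rejected"
        if claims.get("audience") != OMEGA_ENTITY_ID:
            return "rejected"
        user = claims["subject"]
        endpoint = claims.get("ep_endpoint")
        if endpoint is None:
            # No EP reference: fine for an existing account, not for a new one.
            return "granted" if user in self.accounts else "rejected"
        if urlparse(endpoint).hostname not in TRUSTED_EP_HOSTS:
            return "rejected"     # never call back to an endpoint outside the partner's domain
        body = {"requester": OMEGA_ENTITY_ID, "assertion": assertion}
        response = self.acme.employee_profile(dict(body, signature=sign(OMEGA_SIGNING_KEY, body)))
        if response["status"] == "retry":
            return "come back later"
        if response["status"] != "ok":
            return "rejected"
        self.accounts[user] = dict(response["attributes"])  # create or refresh the account
        return "granted"
```

Running `OmegaSP(acme).login(acme.issue_assertion("alice"))` twice shows the marker at work: the first assertion carries the EP reference and provisions the account, the second omits it and simply grants access; `acme.mark_changed("alice")` puts the reference back in the next assertion so Omega refetches the profile, and an employee flagged as pending gets "come back later". Two checks worth keeping in any real implementation: the EP trusts the assertion's signature and audience rather than the requester's claim about who it is, and Omega only follows endpoint references within the partner's known domain.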

Of course, de-provisioning is a different kettle of fish, but the advantage of federated access to services is that, once the employee is gone from the Acme end, he has no way to access the Omega service anyway, so de-provisioning is a little less urgent than if the employee was logging in to Omega directly.

Like I said, ID-WSF has been around for years. Perhaps it hasn't had much adoption because businesses weren't encountering the problems that it solves. Seems like that might change now...

About

superpat
