Thursday Feb 22, 2007

Turkcell Deploying Mobile Strong Authentication

From Orhan Alkan comes this report of Turkcell deploying mobile strong authentication with Sun Java System Access Manager. Orhan and his colleagues in the Sun Turkey Professional Services team developed a custom authentication module to handle the signature validation in Access Manager.

Orhan was kind enough to give me some more detail by email: the subscriber's private key is in the SIM, so it is portable across phones. Authenticated subscribers can access all of Turkcell's web-based customer applications including billing, enabling services such as international calls and roaming and changing rate plans, and even access their accounts at banks such as Garanti, Akbank and Isbankasi.

Recalling an earlier entry on Turkcell's ID-WSF pilot - they certainly seem to be in the vanguard of mobile operators when it comes to identity.

Wednesday Feb 14, 2007

David Goldsmith - Federation TV Star!

Thanks to Charles for this pointer (and to Dennis for pointing it out): David Goldsmith does a great job in this video explaining the problems inherent in the proliferation of online identities and how federation and Sun's product line (Sun Java System Access Manager and Sun Java System Federation Manager) address them. After working through a couple of real-world examples, David goes on to provide useful definitions of common federation buzzwords, such as 'circle of trust', 'identity provider' and 'service provider'. Well worth watching if you want to get up to speed quickly! Click here for the video.

Tuesday Feb 06, 2007

Norway using Access Manager/Federation Manager for SAML 2.0

It being RSA week, the news comes thick and fast... I've just seen the press release announcing that the Government of Norway has deployed a whole slew of Sun hardware and software, including Access Manager and Federation Manager, for its pioneering citizen portal, MinSide (English translation: MyPage). Quoting from the press release:

[...] the MinSide [MyPage] portal will roll-out six initiatives that will enable secure, browser-based access to healthcare, tax, motor vehicle registration, social security, student loans and many other government services.


As part of the solution, Sun Java(TM) System Access Manager and Sun Java(TM) Federation Manager help the Norwegian government manage secure access to services by offering single sign-on (SSO) as well as enabling federation across trusted networks of government agencies, service providers and customers. It provides open, standards-based authentication and policy-based authorization with a single, unified framework. This improved security framework is based on the Liberty and SAML standards to protect all aspects of the portal.

The Liberty Alliance website has a presentation by Dag Efjestad that gives much more detail. Cool stuff, Norway - douze points!

Speaking at RSA Conference on Friday Feb 9 2007

I'll be speaking at the RSA Conference on Friday at 9am in Gold Room 310 on Federated SOA: Harmonizing ID Security and Web Services. I'll be looking at the role of identity in Web services, from the very basics of transport-level security to the Liberty Alliance's Identity Web Services Framework (ID-WSF), and how these are realized in Sun Java System Access Manager and Sun Java System Federation Manager. Do come along and say "Hi!"

You might also be interested in Eve Maler and Brett McDowell's session Federated Identity: Evolving Past Industry Strife - Eve and Brett will be talking about the Liberty Alliance's current course and roadmap for the future.

Thursday Dec 21, 2006

Access Manager training class in Amersfoort, Netherlands

A while ago I blogged about the Access Manager 'Configuration and Customization' training course in Burlington, MA, presented by Allan Foster. Well, I've just heard that Allan is presenting it again in Amersfoort in the Netherlands, on January 22nd. If you're in Western Europe and you want a great grounding in AM, you might just want to go...

Monday Dec 04, 2006

Sun and Microsoft Interoperate for Web Authentication, Part 1

In between all the talk of federation, PHP and web services, we sometimes lose sight of the fact that bread-and-butter single sign-on and access control still has huge value in improving both security and the user experience. Over at the Sun Developer Network, Marina Sum and I just published an article - Sun and Microsoft Interoperate for Web Authentication, Part 1 - focusing on how Sun Java System Access Manager and its policy agents integrate with Microsoft IIS to provide both single sign-on and access control - right down to Windows ACLs on files on disk.

As the article mentions, some functionality (specifically, the basic authentication plugin - from the 'Configuration of the Policy Agent for HTTP Basic Authentication' heading to the end - sorry, there is no handy name anchor in there to link to) will be released in AM Policy Agent for IIS 2.2-Hotpatch6 sometime in the next few weeks. I'll post here as soon as this is available; at that point you will be able to work through the entire article. In the meantime, much of it works with the current policy agent, so you can get started straight away.

Monday Nov 13, 2006

Access Manager training class in Burlington, MA

There are a small number of places available on the Sun Java System Access Manager: Configuration and Customization (AM-3480) course at Sun's training center in Burlington, MA the week of Dec 4. This presentation of the course is taught by the most excellent Allan Foster; Allan taught the recent Federation Manager Boot Camp course on which Hubert heaped lavish praise, so you know you're in good hands.

If you're in the North-East and you feel your AM knowledge is lacking, then take a look and consider signing up - your department may well have some training budget that needs to be used or lost before the end of the year...


"Yet another OpenSSO/Access Manager/Federation Manager Blogger"

Added David Goldsmith, training maestro, to the list. Welcome, David!

Friday Oct 20, 2006

Sun OpenSSO/AM Bloggers

I posted an entry yesterday listing the 5 (so far!) bloggers from Access Manager engineering. I realized that there are a load more folks in Sun, but outside AM engineering, blogging about AM and OpenSSO. Here is a list that I will update as and when. There is a fuzzy boundary here - if you are in the list and you don't think you should be, then let me know. Similarly, if someone is not in the list and they should be, then let me know. Comments or email are fine. I'm including folks' functional area so that readers have some idea of what to expect from the different blogs - for instance - the field folk tend to have a wider focus than AM engineering :-)

UPDATE - all of the below blogs are aggregated at Planet OpenSSO.

Product Management

CTO Office

'The Field'

Monday Oct 16, 2006

Federation - Italian Style

Somehow, this passed me by back in March/April, but a presentation at Sun's Customer Engineering Conference last month brought it back into focus - Italy's Ministry of Transportation has deployed a new Motorist Portal, providing services such as online payment of vehicle registration fees and traffic tickets.

What's interesting here is that drivers log in to the Motorist Portal to view their driving record, vehicle registration etc., but make payments via another government agency, Poste Italiane. The Motorist Portal acts as a SAML identity provider, with Sun Java System Access Manager authenticating users and providing single sign-on to Poste Italiane's service provider for 40 million Italian drivers - possibly one of the biggest live SAML deployments in the world.

You can find out more in this short SunTV presentation and the Italian press release (English translation via Google).

Wednesday Sep 20, 2006

New Access Manager articles on BigAdmin

Normal blogging service was disrupted somewhat by last week's DIDW and IOS. Among many snippets in my 'to blog' pile, here are links to a couple of recent 'hands-on' articles from Sun's BigAdmin site:

If this sort of stuff lights your fire, then you probably want to subscribe to the monthly BigAdmin newsletter.

Wednesday Sep 06, 2006

Sun Developer Network Channel - Identity Management Month

Sun Developer Network's SDN Channel this month focuses on Identity Management. There's a cool video featuring my esteemed colleague - Identity Guru Aravindan Ranganathan. Aravindan looks at some of the latest web services security features in Sun Java System Access Manager 7.1, bringing a new twist to that old staple web service sample - the stock ticker - by allowing only authenticated users to obtain real-time quotes. If you want to try this at home, the beta of Access Manager 7.1 is available now in the Java EE SDK download.

There's a whole load more useful information (and a link to a short article I wrote on open source identity at Sun) in the SDN Show Notes.

Thursday Jun 29, 2006

Fresh out of college? Coding hero? Looking for a challenge?

Access Manager is hiring!

Are you a recent graduate? Know some Java? Interested in working in identity management - one of the most dynamic sectors of the software industry? Ready to show your coding skills to the world in an open source project?

Sun's Identity Management engineering group has a vacancy for an entry-level coder. Click here, and tell 'em Pat sent you.

We're looking for more experienced code wranglers, too!

Wednesday May 24, 2006

Quick Guide to Access Manager 7.0 Site Configuration

This came across the internal Access Manager mailing list today. It's too good not to post. Many thanks to David, Beomsuk and Subash for compiling this.


Site configuration in AM 7.0 provides a facility that lets Access Manager clients communicate with load-balanced Access Manager instances. While this was possible in Access Manager 6.x, site configuration provides several advantages:

  • Access Manager instance URLs are not held in state by Access Manager clients
  • Configuration is far easier and less error-prone than with Access Manager 6.x
  • Site configuration supports deployments with multiple load balancers, and with firewalls around each site, with no changes required to firewall configuration

Access Manager 6.x Naming Table on Client Side

All Access Manager clients use a naming URL stored in the client configuration (usually in a properties file) to retrieve a client-side naming table, which is held in state on the client. For 6.x clients, the client-side naming table holds the URLs of the required Access Manager services for each Access Manager instance. Because those URLs refer to the instances themselves, information about servers that are likely secured behind firewalls is held in client state, which is a potential security problem.

Client to Access Manager Instance Access in AM 6.x

When a 6.x Access Manager client accesses an Access Manager instance on behalf of a user attempting to access a web app, it accesses the instance directly (assuming the user has a valid SSO token). Depending on the Access Manager service required, the client dynamically builds the URL for the service from the instance ID stored in the session token and the URLs in the naming service table. A load balancer fronting the Access Manager instances is ignored in this scenario.

This works fine as long as there is no firewall between the client and the Access Manager instances. If there is, the client is not able to get through the firewall to the required URL on the Access Manager instance.

So in the scenario in which multiple Access Manager instances are fronted by a load balancer, with a firewall somewhere in the mix, it is necessary for the Access Manager client to go to the load balancer instead of directly to the Access Manager instance.

You can force an Access Manager client to do this either by setting up the /etc/hosts file so that all the FQDNs of the Access Manager instances point to the IP address of the load balancer, or by setting the naming.ignoreNamingService property to true.

Therefore, each client has to have this property set explicitly, and whether or not it should be set depends on the location of firewalls and load balancers in the topology.

Access Manager 7.0 Naming Table on Client Side with Sites Defined on Access Manager

For 7.0 clients, if a site is defined in the platform service, the client-side naming table holds the URLs of the required Access Manager services for each Access Manager site. The URLs refer to the Access Manager sites - load balancers - and not instances. Thus, information about servers that are likely secured behind firewalls is not held in client state, eliminating the potential security problem from 6.x.

Client to Access Manager Instance Access in AM 7.0 with Sites Defined on Access Manager

When a 7.0 Access Manager client accesses an Access Manager instance on behalf of a user attempting to access a web app, it accesses the Access Manager site (assuming the user has a valid SSO token). Depending on the Access Manager service required, the client dynamically builds the URL for the service based on the site ID stored in the session token and the URLs in the naming service table. Therefore, all requests go through a load balancer.

A firewall between the client and the Access Manager instances is not a problem here, because the client only needs to reach the load balancer.

There is no need for any special configuration on the client to make this all work. As long as the naming URL points to the load balancer, all is well.

Multiple Site Support in 7.0

Consider the case where you have multiple sites. Suppose you have:

  • A Web Server in San Francisco with a protected URL
  • A Web Server in Tampa with a protected URL
  • An Access Manager site with a load balancer and multiple firewalled AM instances in San Francisco
  • An Access Manager site with a load balancer and multiple firewalled AM instances in Tampa

You want an end user who has authenticated with the San Francisco site to be able to access the protected URL in Tampa without re-authenticating.

In 7.0, with sites configured in the Platform Service, an Access Manager instance in San Francisco is able to perform session validation on an Access Manager instance in Tampa by referencing the Tampa load balancer.

In 6.3, although enabling the naming.ignoreNamingService property might let the San Francisco *agent* get to the Tampa load balancer, there is no way for an Access Manager instance in San Francisco to get to the Tampa load balancer for session validation. An Access Manager instance in San Francisco can only reference the Access Manager instances in Tampa defined in the platform service. So, if these instances are firewalled, the SFO AM instance cannot reach the Tampa instance.

Making a multiple site deployment work in 6.3 requires firewall configuration in ways that are likely to be unacceptable to users.

If No Sites Are Defined in 7.0

Access Manager should work identically to how it worked in 6.x. You can define configurations with multiple instances in the platform service, configure the fqdnMap, and add realm DNS aliases as needed. But if there is a firewall behind the load balancer, the deployment will fail.

Server-Side Configuration in Access Manager 7.0

To configure Access Manager 7.0 to support sites, you need only do the following:

  • Define the site and instance lists in the platform service
  • Add realm DNS aliases as required in the realm properties for the top-level realm

Server-Side Configuration in Access Manager 6.x

To configure Access Manager 6.x to support multiple instances, do the following:

  • Define instances in the Platform Service
  • Define the fqdnMap property in the file
  • Add realm DNS aliases as required in the realm properties for the top-level realm
  • Configure clients as necessary, depending on firewall locations


The 7.0 site configuration capability provides enhancements to Access Manager security and ease of configuration.
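As an added illustration (not from the original post or from the Access Manager product itself), here is a small Python model of the client-side URL resolution described above: a 6.x-style instance-keyed naming table versus a 7.0-style site-keyed one, the naming.ignoreNamingService override, the cross-site session-validation case, and a check for which firewalled hostnames a naming table would leak into client state. Hostnames, ports and the firewall set are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed topology: back-end AM instances sit behind a firewall in each
# city; only the load balancers are reachable from clients and other sites.
FIREWALLED = {"am1.sfo.corp.example", "am2.sfo.corp.example",
              "am3.tampa.corp.example", "am4.tampa.corp.example"}
SFO_LB = "https://sfo-lb.example:443"
TAMPA_LB = "https://tampa-lb.example:443"

# 6.x-style client naming table: one entry per *instance*, so internal
# hostnames end up in client state.
NAMING_6X = {
    "01": {"session": "https://am1.sfo.corp.example:8443/amserver/sessionservice"},
    "02": {"session": "https://am2.sfo.corp.example:8443/amserver/sessionservice"},
}
# 7.0-style table with a site defined: one entry per *site* (the load balancer).
NAMING_70 = {"sfo": {"session": SFO_LB + "/amserver/sessionservice"}}

# Server-side platform service entries (constructed): what an SFO instance
# knows about Tampa when it must validate a session that was created there.
PLATFORM_63 = {"tampa": ["https://am3.tampa.corp.example:8443",
                         "https://am4.tampa.corp.example:8443"]}
PLATFORM_70 = {"tampa": [TAMPA_LB]}


def reachable_through_firewall(url):
    """Simulated firewall: hosts in FIREWALLED are unreachable."""
    return urlparse(url).hostname not in FIREWALLED


def resolve_service_url(naming_table, token, service, naming_url,
                        ignore_naming_service=False):
    """Build the URL an AM client would call for `service`. The token carries
    the instance ID (6.x) or site ID (7.0) on which the session was created.
    With naming.ignoreNamingService=true the client keeps the service path
    but sends the request to the host of its naming URL instead."""
    url = naming_table[token["server_id"]][service]
    if ignore_naming_service:
        return urlparse(naming_url)._replace(path=urlparse(url).path).geturl()
    return url


def cross_site_validation_targets(platform_table, site):
    """URLs an AM instance can actually reach to validate a session at
    another site, given the firewall."""
    return [u for u in platform_table[site] if reachable_through_firewall(u)]


def audit_client_state(naming_table):
    """Defender's check: which firewalled back-end hostnames would a client
    learn from this naming table?"""
    hosts = {urlparse(u).hostname
             for svc in naming_table.values() for u in svc.values()}
    return sorted(hosts & FIREWALLED)


if __name__ == "__main__":
    naming_url = SFO_LB + "/amserver/namingservice"
    for label, table, token in (("6.x", NAMING_6X, {"server_id": "01"}),
                                ("7.0", NAMING_70, {"server_id": "sfo"})):
        url = resolve_service_url(table, token, "session", naming_url)
        print(label, url, "reachable" if reachable_through_firewall(url)
              else "BLOCKED", "leaked:", audit_client_state(table))
    print("6.3 SFO->Tampa:", cross_site_validation_targets(PLATFORM_63, "tampa"))
    print("7.0 SFO->Tampa:", cross_site_validation_targets(PLATFORM_70, "tampa"))
```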

Tuesday May 23, 2006

Access Manager 7.1 Beta in Java EE Tools/NetBeans 5.5 Enterprise Pack

If you've been following Eric Leach's blog, you'll know that, just before JavaOne, we released a beta version of Sun Java System Access Manager 7.1 via a couple of bundles:

The former download is 132 MB, the latter 89 MB. The main difference between them seems to be that the Java EE 5 Tools Bundle includes NetBeans; NB EP 5.5 assumes you already have it.

Access Manager's role in this bundle is to secure web services. If you're thinking "Uh oh - this is that Liberty stuff they keep pushing at me; I've barely got my head around basic SAML assertions, let alone ID-WSF.", well - relax. We did show Access Manager working with Java Studio Enterprise and JSR 196 (Java Authentication Service Provider Interface for Containers) to secure web services via Liberty ID-WSF at last year's JavaOne (there's also a technical article on the topic); since then we have implemented WS-I BSP to secure 'plain vanilla' web services.

Here are my notes from installing the Java EE 5 Tools Bundle Beta and working through the Securing Web Services tutorial. I'm running Ubuntu 6.06 'Dapper Drake' Beta. Not an officially supported platform, but I like to surf the bleeding edge.

  • Let's get started. I downloaded the Java EE 5 Tools Bundle Beta, chmod +x; ./ and I'm into the installer. I need to tell the installer where I've put Java - it doesn't seem to know. Fair enough - this is not a standard system - I have at least three versions of Java floating around.
  • The installer prompts me for ports, passwords and trundles away for a while. On completion it reports that there were some warnings. I check /tmp/netbeans-5_5-installation-20060523143837.41310.log and it looks like the installer was not able to get to Access Manager (AM) at http://myhostname:8080/amserver/configurator.jsp. Ah - that's probably because it likes your system to have a fully qualified domain name (FQDN), e.g. and I don't have a domain set. This is documented in the release notes - it doesn't seem to be a big deal, and I can get to that URL in Firefox, so we'll just carry on.
  • OK - surf to http://myhostname:8080/amserver/configurator.jsp and I get a nice configuration page:

    Those are the 5 parameters you need to set to configure AM. I left everything as default and (as expected from the release notes) got a server error. Putting a dummy domain on the end of the hostname did the trick and I'm at an Access Manager login screen.

    Cool! The simplest ever AM install/config
  • Login with the default amadmin/admin123 (we'll have to change that - I hate default passwords. We should add 'amadmin password' to the 5 configuration parameters) and I'm in the now familiar AM 7.x admin UI:
  • Ok - install and config done. On to the Securing Web Services tutorial. The tutorial notes are a little sketchy - I'll fill in the gaps here as I go along.
  • Grab the sample source and put it somewhere sensible, as suggested in the tutorial. I get two directories, stockclient and stockservice. Cool.
  • Tutorial step 2 is missing an initial steplet - you need to go to the App Server admin console at http://myhostname:4848/ and log in as admin with whatever AS password you selected at install. Hmm - I don't see a 'Runtime' tab, but I can see a running App Server (in fact, I already checked that it was running by browsing http://myhostname:8080/ and, of course, I wouldn't have been able to configure AM if it wasn't running). So, according to step 2c, I can safely skip forward to step 5 in the tutorial. Except that it seems like the next thing I have to do is in step 3.
  • Tutorial step 3 - yes - done this already.
  • Step 4 - ah - you will definitely want to do this - set AM to full message debug logging. On my system, the config file was at /home/pat/SUNWappserver/addons/amserver/. Beware - there is another file for the AM server - on my machine it's at /home/pat/. If you set message debug logging at the AM server but not in the AS addons, you won't get any of the diagnostic output described below. I know - I did exactly this first time round and spent several hours trying to figure out what was wrong. Change the debug level to message and restart the App Server. Just go to wherever_you_installed_it/SUNWappserver/bin and do ./asadmin stop-domain; ./asadmin start-domain.
  • Step 5 - Run NetBeans and disable proxies as directed in the tutorial, since we'll be interacting with local services.
  • OK - now for some secure web service action... Start NetBeans and... Oh. NetBeans just shows me a blank window. That's not good. Google Google Google... Ah. I have XGL and Compiz eye candy installed. This forum post gives the answer - run the Xnest nested X server, the icewm window manager and then run NetBeans in the nested X session. Fair enough. Ubuntu recommends Xephyr rather than Xnest, so I grab that, icewm and... great - we have NetBeans! [UPDATE: See this comment for a handy little script I wrote to run NetBeans in a nested X session.] Back to the tutorial...
  • Open the two projects. Cool - Web Service Provider (WSP) Security Configuration property page. Enable security, select SAML-HolderOfKey, sign responses. Don't forget to change the password if you overrode the default AS 'adminadmin' password. Ooh - we'll have to fix that password entry field. This is beta, don't forget.
  • We can go look in the keystore, just to check that we are supplying the right password here, and that the s1as cert is there:
    pat@patlinux:~/SUNWappserver/domains/domain1/config$ keytool -list 
    -keystore ./keystore.jks -storepass password
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    s1as, May 23, 2006, keyEntry,
  • Now to the client... Web Service Client (WSC) Security Configuration, enable security, SAML-HolderOfKey, verify response. Check that password again. And we're ready to run. Build and deploy stockservice as described in the tutorial. Build and run stockclient and we have a JSP ready for input. I had to copy the URL into the browser in my main X session, since Firefox wasn't happy running a second instance in the nested X session. I also had to change 'localhost' in the URL to my real hostname.
  • Now I just press enter to get a quote for SUNW and... I get a page of canned price data. It works!!! On my machine, the ClientModule and ServerModule debug files are in /tmp/amserver/. In them I can see real, honest to goodness WS-I BSP SOAP messages with SAML assertions in the headers. I've indented for clarity and elided most of the base 64 encoded signature and key info.
  • Here's the raw SOAP message as it leaves the client code (don't forget, the whole point of this is to abstract the security stuff out of the client/server code):
  • <env:Envelope xmlns:env="" xmlns:enc="" xmlns:ns0="" xmlns:xsd="" xmlns:xsi="">
  • And here is the secured SOAP message as it goes onto the wire:
  • <env:Envelope xmlns:env="" xmlns:enc="" xmlns:ns0="" xmlns:wsu="" xmlns:xsd="" xmlns:xsi="">
        <wsse:Security xmlns:wsse="">
          <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="s69f7e258e30da2b9b9f5799d4eb0c548782432bf" IssueInstant="2006-05-24T05:52:32Z" Issuer="patlinux" MajorVersion="1" MinorVersion="1">
            <saml:AuthenticationStatement AuthenticationInstant="2006-05-24T05:52:30Z" AuthenticationMethod="urn:com:sun:identity:Application">
                  <KeyInfo xmlns="">
                    <KeyName>CN=patlinux, OU=Sun Java System Application Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US</KeyName>
            <Signature xmlns="">
                <CanonicalizationMethod Algorithm=""/>
                <SignatureMethod Algorithm=""/>
                <Reference URI="#s69f7e258e30da2b9b9f5799d4eb0c548782432bf">
                    <Transform Algorithm=""/>
                    <Transform Algorithm=""/>
                  <DigestMethod Algorithm=""/>
          <Signature xmlns="">
              <CanonicalizationMethod Algorithm=""/>
              <SignatureMethod Algorithm=""/>
              <Reference URI="#se0ffabd98ecfdf194adc0c8ac8fb4edabf65cd3a">
                  <Transform Algorithm=""/>
                <DigestMethod Algorithm=""/>
              <SecurityTokenReference xmlns="" wsu:Id="STR1">
                <KeyIdentifier ValueType="" wsu:Id="sbee70b80d8b330875655b8956d13ff5a4199ca1d">s69f7e258e30da2b9b9f5799d4eb0c548782432bf</KeyIdentifier>
      <env:Body wsu:Id="se0ffabd98ecfdf194adc0c8ac8fb4edabf65cd3a">
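As an added example (not from the original post, the tutorial or the Access Manager code), the following Python performs the structural pre-check a relying party would want on a message of the shape above before any cryptographic work: it confirms that the assertion's subject confirmation is holder-of-key and carries a KeyInfo, that the assertion's own signature references its AssertionID, and that the message-level signature covers the Body and names the assertion through its SecurityTokenReference KeyIdentifier. The sample message, its IDs and hostnames are constructed; the namespace URIs are the standard SOAP 1.1, WSS 1.0, SAML 1.1 and XML-DSig ones. It does not verify the signatures themselves.

```python
import xml.etree.ElementTree as ET

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"

# Constructed message with the same shape as the secured request above;
# signature values are replaced by the placeholder ELIDED.
SAMPLE = """<env:Envelope xmlns:env="%(env)s" xmlns:wsu="%(wsu)s">
 <env:Header><wsse:Security xmlns:wsse="%(wsse)s">
  <saml:Assertion xmlns:saml="%(saml)s" AssertionID="sAssertion1"
      Issuer="issuer.example" MajorVersion="1" MinorVersion="1">
   <saml:AuthenticationStatement AuthenticationMethod="urn:com:sun:identity:Application">
    <saml:Subject><saml:SubjectConfirmation>
     <saml:ConfirmationMethod>%(hok)s</saml:ConfirmationMethod>
     <ds:KeyInfo xmlns:ds="%(ds)s"><ds:KeyName>CN=client.example</ds:KeyName></ds:KeyInfo>
    </saml:SubjectConfirmation></saml:Subject>
   </saml:AuthenticationStatement>
   <ds:Signature xmlns:ds="%(ds)s"><ds:SignedInfo><ds:Reference URI="#sAssertion1"/>
    </ds:SignedInfo><ds:SignatureValue>ELIDED</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
  <ds:Signature xmlns:ds="%(ds)s"><ds:SignedInfo><ds:Reference URI="#sBody1"/></ds:SignedInfo>
   <ds:SignatureValue>ELIDED</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="STR1">
    <wsse:KeyIdentifier>sAssertion1</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
 </wsse:Security></env:Header>
 <env:Body wsu:Id="sBody1"><getQuote>SUNW</getQuote></env:Body>
</env:Envelope>""" % dict(NS, hok=HOLDER_OF_KEY)


def check_holder_of_key(xml_text):
    """Return a list of findings; an empty list means the references tie
    together as holder-of-key requires. Signatures are NOT verified here."""
    root = ET.fromstring(xml_text)
    findings = []
    sec = root.find("env:Header/wsse:Security", NS)
    body = root.find("env:Body", NS)
    if sec is None or body is None:
        return ["missing wsse:Security header or env:Body"]
    assertion = sec.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion in the Security header"]
    aid = assertion.get("AssertionID")
    body_id = body.get("{%s}Id" % NS["wsu"])
    # 1. Subject confirmation must be holder-of-key and carry the subject's key.
    conf = assertion.find(".//saml:SubjectConfirmation", NS)
    if (conf is None
            or conf.findtext("saml:ConfirmationMethod", namespaces=NS) != HOLDER_OF_KEY
            or conf.find("ds:KeyInfo", NS) is None):
        findings.append("no holder-of-key SubjectConfirmation with ds:KeyInfo")
    # 2. The issuer's signature inside the assertion must reference the assertion.
    a_refs = [r.get("URI") for r in
              assertion.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)]
    if "#%s" % aid not in a_refs:
        findings.append("assertion signature does not reference AssertionID %s" % aid)
    # 3. A message-level signature (direct child of wsse:Security) must cover the
    #    Body, and its SecurityTokenReference must point back at the assertion.
    msg_sigs = sec.findall("ds:Signature", NS)
    if not msg_sigs:
        findings.append("no message-level ds:Signature in the Security header")
    for sig in msg_sigs:
        refs = [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
        if body_id is None or "#%s" % body_id not in refs:
            findings.append("message signature does not cover env:Body (wsu:Id=%s)" % body_id)
        kid = sig.findtext("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier",
                           namespaces=NS)
        if (kid or "").strip() != aid:
            findings.append("message signature KeyIdentifier %r does not name the assertion" % kid)
    return findings
```

A message whose Body wsu:Id no longer matches the signed Reference, or whose KeyIdentifier names some other assertion, fails this check before any signature bytes are examined.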

So - in the next thrilling installment, we'll walk through that secure SOAP message and see what each bit actually does.

UPDATE - here is that next installment.
