Thursday Jun 11, 2009

OpenSSO enables 30,000 new Google Apps business users at Valeo

Among the OpenSSO-related news items that popped up while I had my head down over the past few weeks, I noticed the Google Blog entry and Valeo press release concerning the global industrial group's Google Apps deployment - 30,000 Valeo employees now have access to a new communication and collaborative working platform based on Google Apps Premier Edition and supported by Capgemini, one of the largest enterprise deployments of Google Apps to date.

It's not mentioned in either story, but, if you're a regular reader of Superpatterns, you'll already know that Capgemini deployed OpenSSO at Valeo to handle single sign-on, allowing Valeo employees to access their email at Google via their Valeo credentials, without having to manage a separate Google username/password.

If you're looking at Google Apps, click here to download the 'starter kit' we recently produced, which explains exactly how to set up single sign-on to Google Apps using OpenSSO.

Wednesday Feb 18, 2009

Verizon Wireless on Improving Security and User Experience with Sun Access Manager

Last November, at the Gartner Identity and Access Management Summit 2008 in Orlando, FL, Damo Bashyam of Verizon Wireless (VZW) gave a presentation titled 'Simplify Identity Management to Improve Security and Online Customer Experience'; Daniel just pinged me to say that this presentation is now online, along with the associated slides, and what a presentation it is!

If you're looking for marketecture, then move on; if you want to know how the largest wireless telecommunications network in the United States is using Access Manager (the old name for OpenSSO Enterprise) in a high-scale, high-availability deployment, then it's all here, in just 23 minutes. Some of the numbers are staggering: over 40,000,000 users, 1,000,000 logins per day, peaking at 4,000 logins per minute. VZW deployed Access Manager into two data centers, with session failover within each data center and multi-master replication between six Sun Directory Server instances.

The preso and slides detail all this and the business benefits to VZW - for me, given my focus on federation, one highlight was the fact that they have extended single sign-on to 25 third-party application service providers (ASPs), 12 of them in a single night with just 4 hours (planned) downtime for the cutover. Another interesting aspect is that this is a Sun stack, top-to-bottom, so VZW have just one throat to choke in the event of an issue, with no intra-vendor finger pointing. Damo describes it as a partnership - one that has brought real and lasting benefits for both partners.

So... go download the slides, make yourself a nice cup of tea, and spend a few minutes watching the preso:

Thursday Feb 12, 2009

OpenSSO Deployments Around Europe

News from Europe of some interesting OpenSSO deployments... First, in France, Capgemini has been working with Valeo, a major manufacturer of automotive components, to replace a Lotus collaborative platform with Google Apps (plus a set of custom web applications) for over 30,000 employees. If you've been keeping up with Superpatterns, you'll have guessed what they're using to provide Valeo employees with single sign-on across the whole set of web apps... Yep, OpenSSO. This French story gives some more detail [PDF].

A couple of stories came out of Norway last year on their government-to-citizen and government-to-business systems, MinID (My ID) and Altinn respectively. In April, the Norwegian Ministry of Government Administration and Reform published 'Clearing the PIN Code Chaos on Public Web Sites', describing how citizens had to manage a large number of usernames, passwords and PINs to access Norway's various government department websites. Then in July, Accenture won the contract to implement the next generation of Altinn. The 'eID-interoperability hub' and 'advanced security solution' mentioned in the articles? You guessed it... OpenSSO.

OpenSSO - powering single sign-on and federation all around the world...

Friday Jan 09, 2009

OpenSSO Tab Sweep - Jan 10 2009

First OpenSSO tab sweep of 2009, a pretty quiet week, but a few items worth reporting...

Ah well - at least there are no hits for opensso potoroo... Yet... (Yes, it took me many many tries to find an animal that generated zero hits on Google when combined with OpenSSO. A potoroo is an Australian marsupial - much like a bandicoot. In case you're wondering, there are 28 hits for opensso bandicoot. What a strange world we live in...).

Friday Oct 31, 2008

OpenSSO Halloween Tab Sweep

I wish I could say there were spooky goings on this week in OpenSSO, but you'll have to settle for more adoption news and some fun stuff with OpenSSO and Amazon EC2...

  • First up this week, on the OpenSSO Users mailing list, we had an interesting email from Romanov Vladimir, of the R&D department of Russian telecommunications operator Scartel, saying that they are using OpenSSO as the authentication mechanism for their new Yota WiMax network. We're looking forward to hearing more as they move Yota from test mode into production.
  • Staying in Eastern Europe, I noticed the work going on at the Budapest University of Technology and Economics (BME), where they are also using OpenSSO for authentication - a nice diagram and some information on the architecture; unfortunately, Google Translate doesn't yet stretch to Hungarian, although Adam Lantos of HME (a regular participant on the mailing list) says he'll send some information in English soon.
  • Finally, Mike Hortobagyi, up in Canada, writes today about an experiment I ran last night, deploying OpenSSO onto GlassFish+OpenSolaris at Amazon EC2. Logically, it all should work ok, but it's great to try something like this and see it actually running up in the cloud. It took me less than 45 minutes to get OpenSSO and the Fedlet running, including uploading the OpenSSO WAR file to the EC2 instance. I'll leave the instance up for a few days so you can go play - try out the Fedlet (click the link to login, username demo, password changeit), or even the federation validator (same username/password). NOTE - it's a little confusing, since I gave OpenSSO and the Fedlet the same hostname, but they are independent web applications, with no shared state. You can see all the gory SAML details (WoooOOOooo! Spooky!) in the Fedlet page after you login. Go give it a try; if you get a host not found, or page not found, error, I've likely taken the instance down... I can't keep paying $0.10 per hour forever, you know!

So, there you go - I managed to squeeze in a spooky reference in the end... Happy Halloween, everyone!

Friday Oct 24, 2008

OpenSSO Tab Sweep - Oct 24 2008

Wow! OpenSSO is HOT right now...

Finally, OpenSSO is coming to the Stories blog - our first OpenSSO adoption story will run on Monday and will feature... well, you'll have to go look on Monday, or subscribe to Stories.

Tuesday Oct 07, 2008

OpenSSO at CPqD

CPqD provides Operations Support and Business Support systems, training and consulting services to the telecommunications industry. Mário Celso Teixeira, of CPqD's Brazilian facility, describes their OpenSSO deployment in an email today to the mailing list:

I want to share with you that CPqD has deployed OpenSSO as a single sign-on solution for 3000 users and 75 applications in October, 2008.

After 4 months, 75 corporate applications were customized to use the single sign-on system, where the user's identity is provided by Windows Active Directory.

Initially we were going to install CAS server as a single sign-on product but, in April 2008, Gustavo Chaves and I (Mario Celso Teixeira) were at FISL 9.0 in RS, Brasil, saw the Pat Patterson presentation and decided to test the solution.

The strategy adopted was to install the Policy Agents in the application servers that are used for our applications (IIS 6.0, Apache, JBoss, Tomcat) and not customize each one using the OpenSSO API, to minimize implementation effort.

After one week live in production, the users are very satisfied because, before, each user could have 15 different accounts and passwords to access the applications.

Next, we want to implement Federation and Identity Management.

Wow. 75 applications in four months, across IIS, Apache, JBoss and Tomcat. That's impressive! Thank you for sharing your OpenSSO success story, Mário.

Monday Sep 29, 2008


The Cancer and Leukemia Group B (CALGB) is a national clinical research group sponsored by the National Cancer Institute, with its Central Office headquartered at the University of Chicago and its Statistical Center located at Duke University.

A couple of weeks ago, Robert Dale of CALGB contributed an OpenSSO/Spring Security integration to the OpenSSO project. I asked him how CALGB were using OpenSSO, and he was good enough to send me this explanation and allow me to publish it.

We're probably not too different than many places where we have many applications each using its own authentication mechanism from disparate data stores. The primary goal here is to unite all these applications to use the same authentication mechanism using a single data store, hence a single username and password. Because we deal with clinical data, HIPAA comes into play. So certain applications need specific restrictions, for instance having a session timeout in 15 minutes. Other applications - administrative, those for developers, IT staff - can be logged in all day long. Therefore our secondary goal is to place these policies across all the apps. We have our own authorization and audit system and won't be using those from OpenSSO.

We also have the case where we need to federate to other identity providers, such as caBIG, so our users can seamlessly use the grid applications. But we also share data with labs and other facilities that develop their own applications and need to federate identities (and authorizations) to us either through user interaction and/or web services. And in one special case, we have an authentication module that authenticates users via webservice to CTSU where they don't yet have federated identities.

This is a great mini-case study of an OpenSSO deployment - internal SSO, federation, web services and a bit of customization on the side. It's great, too, to be able to support such vital research through OpenSSO - CALGB didn't have to ask or tell us about their OpenSSO deployment - they just got on and got it done, and were good enough to share their success story with us.
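Two of the stories above describe the same enforcement pattern from different angles: CPqD put Policy Agents in front of IIS, Apache, JBoss and Tomcat rather than touching each application, and CALGB wants one authentication mechanism and one session store but different session rules per application (15-minute timeouts for HIPAA-covered clinical apps, all-day sessions for administrative tools). The following is an added example, written for this page and not code from the original posts, from OpenSSO, CPqD or CALGB, showing how an agent-style enforcement point can apply per-application idle timeouts on top of a single shared session. The class and function names (SessionStore, AppPolicy, enforce) and the two policies are assumptions constructed to mirror the posts; time is passed in explicitly so the behaviour is deterministic.

```python
"""Per-application session policy on top of one shared SSO session.

Added example, not code from the original posts, from OpenSSO, from CPqD or
from CALGB. Names (SessionStore, AppPolicy, enforce) and the two policies are
assumptions constructed to mirror the posts: a clinical application whose
session must time out after 15 minutes of inactivity, and an internal tool
that may stay logged in all day. Time is passed in explicitly so the logic can
be exercised deterministically."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    created: float                                   # login time (seconds)
    last_access: dict = field(default_factory=dict)  # app name -> last allowed access


@dataclass(frozen=True)
class AppPolicy:
    name: str
    idle_timeout: int  # seconds without activity in THIS app before re-authentication


# Constructed policies: clinical data (HIPAA) vs. an all-day developer tool.
POLICIES = {
    "clinical-trials": AppPolicy("clinical-trials", idle_timeout=15 * 60),
    "dev-tools": AppPolicy("dev-tools", idle_timeout=12 * 3600),
}


class SessionStore:
    """The single session store every application shares (the post's primary goal).

    The absolute lifetime belongs to the SSO session, so it is a property of the
    store; idle timeouts are per application and live in AppPolicy."""

    def __init__(self, max_lifetime):
        self.max_lifetime = max_lifetime
        self._sessions = {}

    def login(self, user, now):
        token = secrets.token_urlsafe(32)  # 256-bit random session identifier
        self._sessions[token] = Session(user=user, created=now)
        return token

    def get(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        self._sessions.pop(token, None)


def enforce(store, token, app, now):
    """Policy enforcement point run in front of `app` (the agent / servlet-filter
    model, so the application itself needs no SSO-specific code).

    Returns ("allow", user) or ("deny", reason). Activity is recorded only on an
    allow, and only for the application that was accessed, so using an all-day
    tool does not silently extend a clinical application's 15-minute window."""
    policy = POLICIES.get(app)
    if policy is None:
        return ("deny", "no policy for application")  # unknown app: deny by default
    session = store.get(token) if token else None
    if session is None:
        return ("deny", "no session")
    if now - session.created > store.max_lifetime:
        store.logout(token)  # the SSO session itself is over for every application
        return ("deny", "session lifetime exceeded")
    last = session.last_access.get(app, session.created)
    if now - last > policy.idle_timeout:
        # Only this application's access is refused; the SSO session stays valid
        # for applications whose own idle window has not elapsed.
        return ("deny", "idle timeout for application")
    session.last_access[app] = now
    return ("allow", session.user)


if __name__ == "__main__":
    store = SessionStore(max_lifetime=8 * 3600)
    token = store.login("alice", now=0.0)
    for app, minute in [("clinical-trials", 0), ("dev-tools", 10),
                        ("clinical-trials", 30), ("dev-tools", 30)]:
        print(f"t={minute:>3} min {app:<16} {enforce(store, token, app, minute * 60.0)}")
```

The design choice worth noticing is that idle time is tracked per application rather than on the shared session: if it were tracked once for the whole session, a click in the all-day developer tool at minute 29 would quietly revive a clinical session that should have expired at minute 15. Whether a real product measures idle time that way is a deployment question; the example simply makes the two options visible.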

Have you deployed OpenSSO? Care to share your story?

Monday Mar 10, 2008

OpenSSO Live at

At JavaPolis last year, I met with the folks from ACA IT-Solutions and (Dutch/French/English) to discuss their deployment of OpenSSO. At last, I'm able to talk about this publicly, so here we are. is Belgium's largest cable operator, providing internet access, digital TV and telecom services to millions of customers across the country. Last year, ACA IT-Solutions, an independent Java EE solution provider working across the Benelux region, built an authorization solution with a centralized policy administration point (PAP), but distributed policy enforcement points (PEPs), all built on OpenSSO's authentication. As ACA IT's Wim Van Lommel says:

"We developed the web interface and security back-end service. These modules were aligned with the underlying open source access management mechanism OpenSSO. The access to the source code of OpenSSO enabled us to reuse the access management mechanism and create an integrated security solution for Telenet."

You can read more in the inaugural February 2008 edition of LSEC's Information Security Industry Report.

A great example of the difference that source code access makes to system integrators!
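The ACA IT-Solutions design above, a centralized policy administration point with policy enforcement points distributed into the applications, is worth seeing in code. What follows is an added example written for this page; it is not code from the original post, from OpenSSO or from ACA IT-Solutions, and the class names, rule format and sample rules are assumptions constructed for illustration. It shows the two properties that make the split worthwhile: rules are edited in one place and versioned, and each application's enforcement point caches its own slice and decides locally, canonicalizing the URL before matching so that a path like `/billing/../admin/users` is evaluated against the rule for `/admin`, not `/billing`.

```python
"""Centralized policy administration with distributed enforcement.

Added example, not code from the original post, from OpenSSO, or from ACA
IT-Solutions; the class names, the rule format and the sample rules are
assumptions constructed for illustration. Rules are authored in one place
(the PAP); each application embeds a PEP that pulls a versioned snapshot and
decides locally, so enforcement stays local and fast even though
administration is centralized."""
import fnmatch
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit, unquote


@dataclass(frozen=True)
class Rule:
    resource: str      # glob over the canonical URL, e.g. "https://portal.example/billing/*"
    action: str        # HTTP method
    roles: frozenset   # any one of these roles may perform the action


class PolicyAdministrationPoint:
    """The single place where rules are created or revoked; every change bumps
    the version so enforcement points can tell their cache is stale."""

    def __init__(self):
        self.version = 0
        self._rules = []

    def add_rule(self, rule):
        self._rules.append(rule)
        self.version += 1

    def revoke_rule(self, rule):
        self._rules.remove(rule)
        self.version += 1

    def snapshot(self):
        return self.version, tuple(self._rules)


def canonicalize(url):
    """Decode and normalize the path before matching, so "/billing/../admin/x"
    or "%2e%2e" cannot be matched against the wrong application's rules."""
    parts = urlsplit(url)
    path = posixpath.normpath(unquote(parts.path) or "/")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))


class PolicyEnforcementPoint:
    """Runs inside one application; caches only the rules for that application."""

    def __init__(self, pap, app_prefix):
        self.pap = pap
        self.app_prefix = app_prefix
        self.version = -1
        self.rules = ()

    def refresh(self):
        version, rules = self.pap.snapshot()
        if version != self.version:
            self.rules = tuple(r for r in rules if r.resource.startswith(self.app_prefix))
            self.version = version

    def is_allowed(self, subject_roles, url, action):
        self.refresh()
        resource = canonicalize(url)
        if not resource.startswith(self.app_prefix):
            return False  # not this application's resource at all
        for rule in self.rules:
            if (rule.action == action
                    and fnmatch.fnmatchcase(resource, rule.resource)
                    and frozenset(subject_roles) & rule.roles):
                return True
        return False  # deny by default


if __name__ == "__main__":
    pap = PolicyAdministrationPoint()
    pap.add_rule(Rule("https://portal.example/billing/*", "GET", frozenset({"customer"})))
    billing = PolicyEnforcementPoint(pap, "https://portal.example/billing/")
    print(billing.is_allowed({"customer"}, "https://portal.example/billing/invoice/42", "GET"))
    print(billing.is_allowed({"customer"}, "https://portal.example/billing/../admin/users", "GET"))
```

In this toy the PEP polls the PAP on every decision; a real deployment would poll or subscribe on a schedule and keep the last good snapshot if the PAP is unreachable, which is exactly the availability argument for distributing enforcement in the first place.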

Friday Jun 15, 2007

OpenID @ Work - Architecture

As you might already know, has been live for a few days now. I have my shiny new OpenID ( and have already used it to log in to the Project Concordia wiki and add myself to the list of participants. Everything seems to be working as it should.

It's a fitting time, then, to start explaining how we deployed OpenID, and Hubert has started doing exactly that with this blog entry on the architecture of As you can see from Hubert's description, the OpenID deployment is based on OpenSSO and its OpenID extension, so any interested party can go grab the source and try it out for themselves. In fact, some already have.

Friday Feb 02, 2007

SSOCircle Goes Live

Hu Liu, a regular on the OpenSSO IRC channel (#opensso on freenode), has just launched SSOCircle - a SAML 2.0 identity provider (IdP), based on the Open Federation code (part of the OpenSSO project). Quoting from the home page, SSOCircle's mission is:

  • Identity Provider for everyone
  • JumpStart SingleSignOn/Federation deployments
  • Leverage federation for Web 2.0 apps
  • Providing ready-to-use solutions
  • SAML 2.0 standard based testing platform
  • Exchange of information/experience
  • Building the SSOCircle of Trust

I just registered, logged in and tried out SAML 2.0 SSO with the sample service provider site (based on Sampo Kellomäki of Symlabs' ZXID) and it all works nicely. At last there is an easy-to-use, public site to play with SAML 2.0.

As soon as I get a chance I'm going to add SSOCircle as the default IdP in Lightbulb and write a how-to for getting your first service provider up and running.

Thanks, Hu, and best of luck!

Monday Jan 08, 2007

Audi UK using OpenSSO to service 250,000 users

Dave 'Wavy' Holroyd of Good Technology reports on his production deployment of OpenSSO in the UK today. With his kind permission, I'll just quote Dave here, lightly edited to turn his footnotes into hyperlinks:

Ok, so, in mid 2006 we rebuilt the Audi UK site to integrate with the Audi Global Content Management solution, and upgrade the previous, pre-J2EE technology platform. One of several features from the old site not included in the first delivery was the ability to log in to access special content and tools.

Having moved from a single-application model to a raft of independent webapps, that login functionality now requires a single sign-on solution. Also, given historical needs for integration with third-party systems and components, we wanted something based on well-thought-out Web Services, and a potential upgrade path to implement Federation.

Just before Christmas 2006, we deployed an OpenSSO system adapted with custom Authentication and Data Store plugins. These make use of the site's existing relational database containing the profiles of around a quarter of a million registered users.

We integrated login and registration functions directly into our application rather than using the generic OpenSSO user interface. This enables access to functions like 'ordering a postal brochure' by both authenticated and unauthenticated users, with the option for unauthenticated users to register toward the end of the process.

This is a great example of the kind of deployment that OpenSSO makes possible - Dave leveraged his visibility into the source code to create a solution customized to his needs, flagging some bugs in the process. Good, good, good, good, good... Good Technology!
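Dave's deployment hinges on two plugin points: a custom Authentication module and a custom Data Store, both reading the site's existing relational database of roughly 250,000 profiles. The following is an added example written for this page, not code from Dave's post, from OpenSSO or from Good Technology; the table schema, the sample users, the plugin interfaces and the attribute names are assumptions constructed for illustration, with SQLite standing in for the site's database. What it demonstrates is the shape of such plugins and the checks a practitioner wants in the authentication path: salted PBKDF2 password hashes, a constant-time comparison, and the same outcome and cost for an unknown username as for a wrong password.

```python
"""Authentication and data-store plugins backed by an existing relational user table.

Added example, not code from the original post, from OpenSSO, or from Good
Technology. The schema, the sample users and the plugin interfaces are
assumptions constructed for illustration; SQLite stands in for the site's
database. SSO sits on top of the existing profiles without migrating them,
while the authentication module verifies passwords safely (salted PBKDF2,
constant-time comparison, identical outcome for unknown users and wrong
passwords)."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # constructed value; tune for the target hardware


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def seed_database(conn):
    """Constructed stand-in for the site's existing user table."""
    conn.execute(
        "CREATE TABLE site_user (username TEXT PRIMARY KEY, email TEXT,"
        " salt BLOB, pw_hash BLOB, iterations INTEGER, brochure_opt_in INTEGER)"
    )
    for username, email, password in [
        ("alice", "alice@example.invalid", "correct horse battery staple"),
        ("bob", "bob@example.invalid", "hunter2"),
    ]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO site_user VALUES (?, ?, ?, ?, ?, ?)",
            (username, email, salt, hash_password(password, salt), PBKDF2_ITERATIONS, 0),
        )
    conn.commit()


class RelationalDataStore:
    """Data-store plugin: reads and writes profile attributes in place."""

    def __init__(self, conn):
        self.conn = conn
        self.conn.row_factory = sqlite3.Row

    def get_user(self, username):
        row = self.conn.execute(
            "SELECT * FROM site_user WHERE username = ?", (username,)
        ).fetchone()
        return dict(row) if row else None

    def get_attributes(self, username):
        user = self.get_user(username)
        if user is None:
            return None
        return {"email": user["email"], "brochure_opt_in": bool(user["brochure_opt_in"])}

    def set_brochure_opt_in(self, username, value):
        cur = self.conn.execute(
            "UPDATE site_user SET brochure_opt_in = ? WHERE username = ?", (int(value), username)
        )
        self.conn.commit()
        return cur.rowcount == 1


class RelationalAuthModule:
    """Authentication plugin: verifies a password against the stored PBKDF2 hash."""

    _DUMMY_SALT = os.urandom(16)

    def __init__(self, store):
        self.store = store
        # Hashed once so an unknown username costs the same time as a wrong password.
        self._dummy_hash = hash_password("", self._DUMMY_SALT)

    def authenticate(self, username, password):
        user = self.store.get_user(username)
        if user is None:
            hmac.compare_digest(hash_password(password, self._DUMMY_SALT), self._dummy_hash)
            return (False, "invalid credentials")
        candidate = hash_password(password, user["salt"], user["iterations"])
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return (False, "invalid credentials")  # same message as for an unknown user
        return (True, user["username"])


def build(conn=None):
    """Wire the plugins together over an in-memory database."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
    seed_database(conn)
    store = RelationalDataStore(conn)
    return store, RelationalAuthModule(store)


if __name__ == "__main__":
    store, auth = build()
    print(auth.authenticate("alice", "correct horse battery staple"))
    print(auth.authenticate("alice", "wrong"))
    print(auth.authenticate("mallory", "anything"))
    store.set_brochure_opt_in("alice", True)
    print(store.get_attributes("alice"))
```

Storing the iteration count beside each hash is what lets a site with a quarter of a million legacy profiles raise the work factor gradually, rehashing each account on its next successful login rather than in one migration.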



