Tuesday Aug 11, 2009

OpenSSO Single Sign-on Extension for MediaWiki

Following the recent trio of OpenSSO Extensions targeting PHP CMS applications (see my previous entries covering the extensions for Drupal, WordPress and Joomla), I decided to look at MediaWiki, the PHP application powering Wikipedia and many other wikis across the web.

In common with the CMS apps, MediaWiki has a very pluggable architecture, making implementation of a single sign-on extension very straightforward, and I was able to get an initial implementation done in a few hours. The user interface is very like the WordPress plugin: just click on the regular 'log in' link to be sent to OpenSSO to authenticate; on returning to MediaWiki, the extension validates the OpenSSO cookie and uses it to retrieve the username from OpenSSO, setting up the MediaWiki session.

There is a README and source code - also available via CVS, and I've added the new provider plugin to the list on the OpenSSO Extensions page. As always, note that none of these extensions are supported by Sun, and all should be considered 'proof of concept' quality - they likely need a bit more polish (and lots more testing!) before being deployed into production.

I think that about wraps up the PHP extension story for the time being - we now have plugins for the four most common PHP web apps. Do leave a comment if you think there is another we should cover.

Saturday Aug 01, 2009

OpenSSO Single Sign-on Plugin for Joomla

I was lucky enough to be able to spend some time at Burton Catalyst this last week with Pamela Dingle, looking at how to get started writing an OpenSSO plugin for Joomla to complement the plugins I recently wrote for Drupal and WordPress. Pamela, well known for her work on PHP Information Card plugins at The Pamela Project, quickly pointed me in the right direction, and it didn't take me long after that to get something working - thanks, Pam!

The Joomla plugin alters the standard process so that, on clicking the 'Login' button, users are redirected first to OpenSSO to authenticate, then back to Joomla for the plugin to retrieve the user's name from OpenSSO and create a session. I got a little bit more creative this time round; there's JavaScript to alter the Joomla login form - see the screen cap next to this paragraph.

As always, there is a README and source code - also available via CVS, and I've added the new provider plugin to the list on the OpenSSO Extensions page. Note that none of these plugins are supported by Sun, and all should be considered 'proof of concept' quality - they likely need a bit more polish (and lots more testing!) before being deployed into production.

So, that's the Drupal/WordPress/Joomla open source PHP CMS trifecta covered... I see Pam has a MediaWiki plugin too - maybe I'll look at that next...

Monday Jul 27, 2009

OpenSSO Single Sign-on Plugin for WordPress

Encouraged by a comment on my post about the OpenSSO module for Drupal, and the amount of OpenSSO/Drupal buzz on Twitter, I decided to attack WordPress next. Although WordPress has a very different plugin model from Drupal, I was able to reuse much of the code from the Drupal module and get a basic single sign-on plugin working quite quickly. As with the Drupal module, there are certainly bugs in the WordPress plugin - in particular, I just noticed that, if you log in to OpenSSO as a user without a corresponding WordPress account, you can get into a redirect loop if you try to go to a protected page at WordPress.

As usual, there is a README and source code - also available via CVS, and I've added the new provider plugin to the list on the OpenSSO Extensions page.

So... That's two thirds of the Drupal/Joomla/WordPress CMS trifecta covered... A competent Joomla hacker should be able to take the Drupal/WordPress work and adapt it pretty easily... Anyone want to try while I'm at Catalyst this week?

Saturday Jul 25, 2009

OpenSSO Single Sign-on Module for Drupal

Drupal is one of the leading open source content management systems - some would say the leading open source CMS. We've had a few requests over the years for OpenSSO/Drupal integration, but no one has hitherto stepped forward. Finding myself with a few spare hours over the last few days, I decided to investigate.

It turns out that, thanks to Drupal's extensibility through modules and OpenSSO's identity services, it's pretty straightforward to get something working. So I did. There is now an OpenSSO module for Drupal [ README | Source - also available via CVS]. I'm no expert in either PHP or Drupal, so there may well be bugs, but it seems to work well, checking for the OpenSSO cookie when users attempt to access Drupal, redirecting them to OpenSSO to authenticate if necessary, and retrieving a Drupal username from the user's OpenSSO profile before setting up the user's Drupal session.
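The flow described above (check for the cookie, have OpenSSO validate it, map the profile to a local user), as an added example that is not the module's own code. The hosts, the `iPlanetDirectoryPro` cookie name and the `/identity/isTokenValid` and `/identity/attributes` paths are assumptions based on OpenSSO's default REST identity services, and the responses are constructed. It also handles the case noted in the WordPress entry, where a valid OpenSSO session with no matching local account has to end in a denial rather than another redirect.

```php
<?php
// Added example (not the module's code); endpoint paths, cookie name and hosts are assumptions.
const OPENSSO_BASE   = 'https://sso.example.com/opensso';
const OPENSSO_COOKIE = 'iPlanetDirectoryPro';
// Parse the alternating name/value lines returned by /identity/attributes.
function parse_attributes(string $body): array {
    $attrs = [];
    $name = null;
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        if (strpos($line, '=') === false) continue;
        [$key, $value] = explode('=', $line, 2);
        if ($key === 'userdetails.attribute.name') {
            $name = $value;
        } elseif ($key === 'userdetails.attribute.value' && $name !== null) {
            $attrs[$name][] = $value;
        }
    }
    return $attrs;
}

// Returns ['redirect', url], ['deny', reason] or ['login', username].
// $fetch does the HTTP GET; it is injected so the logic runs offline here.
function sso_decide(array $cookies, callable $fetch, array $localUsers, string $returnUrl): array {
    $login = OPENSSO_BASE . '/UI/Login?goto=' . rawurlencode($returnUrl);
    $token = $cookies[OPENSSO_COOKIE] ?? '';
    if ($token === '') return ['redirect', $login];
    $q = rawurlencode($token);
    // The cookie is attacker-controllable input: OpenSSO decides if it is valid.
    $valid = trim((string) $fetch(OPENSSO_BASE . "/identity/isTokenValid?tokenid=$q"));
    if ($valid !== 'boolean=true') return ['redirect', $login];
    $attrs = parse_attributes((string) $fetch(OPENSSO_BASE . "/identity/attributes?subjectid=$q"));
    $uid = $attrs['uid'][0] ?? null;
    // Valid SSO session but no local account: another redirect would loop.
    if ($uid === null || !in_array($uid, $localUsers, true)) return ['deny', 'no local account'];
    return ['login', $uid];
}

// Constructed responses standing in for the OpenSSO server.
$fake = function (string $url): string {
    if (strpos($url, 'isTokenValid') !== false) {
        return strpos($url, 'tokenid=GOOD') !== false ? "boolean=true\n" : "boolean=false\n";
    }
    return "userdetails.token.id=GOOD\nuserdetails.attribute.name=uid\nuserdetails.attribute.value=alice\n";
};
foreach ([[], [OPENSSO_COOKIE => 'STALE'], [OPENSSO_COOKIE => 'GOOD']] as $cookies) {
    foreach ([['alice'], ['bob']] as $users) {
        echo json_encode(sso_decide($cookies, $fake, $users, 'https://cms.example.com/wiki'), JSON_UNESCAPED_SLASHES), "\n";
    }
}
```

Run with the `php` CLI; a real `$fetch` would make the two GET requests over TLS and treat any transport error as an invalid token.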

If there's sufficient demand, I'll look at going through the process to contribute this to Drupal under GPL; until then, it's available under CDDL as an OpenSSO Extension.

Thursday Jul 16, 2009

New and Updated OpenSSO Extensions - CAS, Information Cards and VALid

I've written many times over the past couple of years on OpenSSO's Extensions - modules, mainly contributed from the wider community, that extend or interoperate with OpenSSO in interesting ways - from a Ruby SAML 2.0 service provider to authentication modules for Yubikey, Hitachi Finger Vein Biometric and more.

I just got done adding an authentication module for JA-SIG CAS, kindly contributed by Qingfeng Zhang, so it seems like a good time to have a round up of recent extensions news...

If you have an idea for an OpenSSO Extension, just leave a comment and I'll fix you up with a directory in the OpenSSO CVS tree and appropriate access.

Tuesday Mar 03, 2009

Swekey Authentication Module for OpenSSO

I just finished another OpenSSO Extension - this time, an authentication module for the Swekey authentication key (README, source). The authentication module prompts the user for their username and uses the Swekey to generate a one-time password, which is validated against the Swekey authentication server.

It's interesting to contrast the Swekey with the Yubikey, which I covered here a few months ago. Where the Yubikey emulates a USB keyboard, requiring no special client software, the Swekey requires a driver. On the other hand, where the Swekey is invoked automatically by a browser plugin, requiring no user intervention apart from inserting the device into a USB port, the Yubikey requires the user to press its button and, potentially, ensure that the cursor is in the correct input field. One thing they do now have in common, though: they both work with OpenSSO.

So, if you have a Swekey, grab the authentication module, deploy it (see the README) and let me know how you get on.

Friday Feb 27, 2009

OpenSSO Tab Sweep - Feb 27 2009

Wow - it's been nearly 7 weeks since the last tab sweep, not so much due to a lack of OpenSSO news, quite the reverse - so much going on that I've not had 2 minutes to sit down and document it. Anyway, here we go...

That wraps it up for February. Watch out for more exciting OpenSSO news coming soon!

Sunday Dec 07, 2008

links for 2008-12-07

Wednesday Nov 19, 2008

Yubikey Authentication Module for OpenSSO

I just committed a new OpenSSO Extension - the Yubikey Authentication Module (README, source). The authentication module prompts the user for their username and the one time password (OTP) from the Yubikey, calls the Yubikey authentication server to verify the OTP and authenticates the user (or not!) according to the response.

Many thanks to Jeff Bounds for inspiring me with his VIP authentication module and to Stina Ehrensvärd of Yubico for supplying me with a Yubikey to get started.

If you have a Yubikey, grab the authentication module, deploy it (see the README) and let me know how you get on.

Monday Sep 15, 2008

OpenSSO+Spring - an Open Source Community in Action

On Friday morning, Jim Gellman of the Institute for Systems Biology asked a question on the OpenSSO Users mailing list about OpenSSO/Spring Security (formerly known as Acegi) integration:

We'd like to use opensso with an app that's using Spring Security currently, but we don't have the resources at the moment to develop a module to do this.

Instead we're hoping we can use Spring Security's container adapter for tomcat along with the OpenSSO agent. Does anyone know for sure whether this is a reasonable approach?

Just a few minutes later, Robert Dale of CALGB replied:

I actually have code based on acegi-security 1.0.3 that provides an AuthenticationProvider, LogoutHandler, AuthenticationProcessingFilter, and AuthenticationProcessingFilterEntryPoint. I would be more than happy to donate to OpenSSO extensions if they want it.

How can you refuse an offer like that? Actually, it turns out that Robert had also done some work with Seraph (Atlassian's security framework, used by Jira and Confluence). So, this morning I created two new 'Authentication Provider' OpenSSO Extensions - one for Spring and one for Seraph - and Robert checked in his code. If you've been scratching your head, wondering how to integrate OpenSSO with Spring or Seraph, go check 'em out!

Friday Sep 05, 2008

OpenSSO Integration with Atlassian Jira

Alexey Abashev, a Sun ISV engineer in Moscow, Russia, sent an email to the OpenSSO users mailing list a few weeks ago, announcing his Atlassian Jira extension for OpenSSO. The plugin page details how to deploy the extension and enable single sign-on to Jira via OpenSSO. Cool stuff!

I haven't had a chance to try this yet, but, if you have, let me know in the comments how you got on...

Thursday Sep 04, 2008

OpenSSO Authentication Modules - Hitachi Finger Vein Biometric, Verisign Identity Protection, RSA Access Manager

I've blogged before on OpenSSO Extensions - useful modules that do not fit into the OpenSSO 'core'. Among the various categories of extension are 'authentication modules' - one of the most common customizations for OpenSSO and Access Manager. An authentication module supports a particular mechanism for collecting and verifying a user's credentials - common mechanisms that are supported out-of-the-box include username/password against LDAP, client certificates (encompassing browser certs and smartcards) and Windows Desktop SSO (aka SPNEGO, aka Kerberos).

Of course, technology refuses to stand still, and new authentication mechanisms are constantly being developed and deployed - new biometrics, hardware tokens, even whole new authentication protocols. Over the past few months, we've seen a clutch of new authentication modules in OpenSSO, so it's time to take a look at what's new...

So, three very different authentication modules. Maybe you have an idea for a fourth?

Friday Apr 18, 2008

Living with Sun Open-Source - OpenSSO

This will only be useful if you know MUCH more Japanese than I do, but here's Yasushi Iwakata introducing OpenSSO at a Java Hot-Topic Seminar in Tokyo, as blogged by Takayuki Okazaki:

You'll be able to download the slides soon - I'll update this entry with the link.

As he mentions in the video, Iwakata-san has also been working on an OpenSSO Extension for Hitachi Finger Vein Authentication. You can find the code in the OpenSSO CVS at opensso/extensions/authnhfvb, or browse it online. I'll write more about this extension when I get back home from Brazil.

Monday Mar 03, 2008

Long Live simpleSAMLphp!

A somewhat bittersweet moment today as I sent this email to the OpenSSO lists:

Some time ago (October 2006), we released 'Lightbulb', a simple SAML 2.0 service provider/relying party implemented in PHP, as a proof-of-concept, to show that it was indeed possible to write a 'pure' (no custom modules required) SAML 2.0 implementation in PHP.

Later, Lightbulb became an OpenSSO Extension, and was used by Andreas Solberg at FEIDE as the inspiration for simpleSAMLphp - a much more complete SAML 2.0 implementation, again in PHP, but this time including identity provider functionality, Shibboleth 1.3 and more.

Andreas has done a great job, devoting considerable time and effort to simpleSAMLphp, to the great benefit of the wider SAML 2.0 community. Over the months, simpleSAMLphp has become widely deployed in the academic community, to the extent that there are now events such as simpleSAMLphp workshops.

Consequently, we have decided to mark the OpenSSO SAML2/PHP Extension as 'deprecated' in favor of simpleSAMLphp. The old code will be left in place in CVS, but there is now a prominent README directing people to simpleSAMLphp.

Long live simpleSAMLphp!

Kind of like seeing one of your kids moving out of the family home and starting their own life, I guess...

Friday Feb 15, 2008

More on ActivIdentity 4TRESS and OpenSSO

Marc Puverel at ActivIdentity emailed me today to point out that ActivIdentity provides an online service for 4TRESS evaluation. As Marc says, it's all in the docs:

ActivIdentity provides an online service that you may use to evaluate the Sun OpenSSO integration with ActivIdentity 4TRESS Authentication Server. In such case make sure your platform has access to Internet, then you can use the following settings:

  • 4Tress URL Endpoint:
  • 4Tress Channel Code: CH_WEB
  • 4Tress Authentication Type Code: DYNMC_AUTH
  • 4Tress Authentication Mode Synchronous : SYNCH
  • 4Tress Security Domain: DOMAIN1

You will have to log out of AM as the administrator before you can test the login module.

To test the login Module, use the URL http://<FAM_HOST>:<FAM_PORT>/opensso/UI/Login?module=<MODULE_NAME>. You should see the following login page: [image: 4Tress LoginPage]

If you use ActivIdentity 4TRESS Online service you can use the following credentials to test user authentication:

  • Username: CUSTOMER
  • Password: OpenSSO

You may want to evaluate Sun Access Manager authentication using Strong Authentication. Send an email to OpenSSO@ActivIdentity.com with the following information:

  • Company
  • First Name
  • Last Name
  • Email
  • Telephone
  • Country

ActivIdentity will provide you a personal user account and a list of One Time Passwords. You may use these pre-generated One Time Passwords to have an overview of the end user experience and the associated security.

So, you can give the new authentication module a try, even if you don't have 4TRESS installed.



