Friday Feb 08, 2008

ActivIdentity 4TRESS Authentication Module for OpenSSO/Access Manager

Marina Sum (who must be just about the busiest tech author at Sun Developer Network these days!) has co-written an article with Michelle Cope, of Sun's ISV Engineering team, on integrating Sun Java System Access Manager with ActivIdentity 4TRESS Authentication Server.

The article shows how you can use Access Manager's session upgrade feature to protect particularly sensitive resources with the one-time password (OTP) authentication schemes in 4TRESS.

What is particularly interesting about this integration is that the complete source code is available as an OpenSSO Extension; if you already have ActivIdentity 4TRESS, you can read the article, download the source, build the authentication module and deploy it into Access Manager or OpenSSO. If you don't have 4TRESS, then call the good people at ActivIdentity, and tell them Pat sent you.

Wednesday Feb 06, 2008

Paul Bryan Interviewed at Sun Developer Network

As I just mentioned over at The Aquarium, Marina Sum recently published a short interview with Paul Bryan, in which Paul talks about OpenID, OpenSSO and the fight against phishing and identity theft.

OpenSSO participants and regular readers will recognize Paul's name - he was the very first external committer on the OpenSSO project, back in 2006. Paul went on to write the OpenID Extension for OpenSSO (since deployed at before joining Sun in October 2007. While we were sad to 'lose' an external committer, we were very happy to welcome Paul to Sun.

Go read the interview and be sure to leave a comment - this short interview format is new and Marina is looking for your feedback.

Tuesday Jun 19, 2007

Single Logout with SAML 2.0 and PHP

Back in February, Marina Sum and I co-wrote an article on the OpenSSO SAML 2.0 PHP Extension, or Lightbulb, as it was then known. The sequel to that article - Single Logout: A Demo just went live at Sun Developer Network: Marina and I provide an update on Project Lightbulb's evolution into an OpenSSO Extension as well as a look at circles of trust and single logout in SAML 2.0. As before, we look at a simple example message flow, then delve down into the PHP code to see how it all works. Click here for the article.

Monday Jun 18, 2007

Sun Shines on Open ID

I just listened to my good friends Don Bowen and Eve Maler discussing Sun's OpenID deployment with Brandon Whichard - the latest in Sun's Identity Management Buzz podcast series.

Worth the listen - Eve goes into some detail on the lessons that Sun has already learnt from - and there are some insights into Eve, Don and Brandon's music buying habits. Show tunes, Don? Listen Now or Subscribe via iTunes.

Sunday Jun 17, 2007

SAML 2.0 HTTP-SimpleSign Support in OpenSSO SAML 2.0 PHP Extension

You might be aware of the SAML 2.0 HTTP-SimpleSign binding from blog posts by Jeff Hodges (co-author of the spec, with Scott Cantor) and George Fletcher. Put simply, HTTP-SimpleSign offers a simpler way to sign SAML 2.0 data, by simply signing the XML and other text data to be sent to the service provider verbatim, without any canonicalization. It works quite neatly, since the XML is base64 encoded and sent from the identity provider to the service provider via browser POST, so there are no intermediaries who might benignly munge it about and cause signature verification to fail.

George's report of AOL's HTTP-SimpleSign implementation prompted me to go add it to OpenSSO's SAML 2.0/PHP Extension (formerly known as 'Lightbulb'). It took about an hour, all told, since the main difference from the traditional HTTP POST signature verification:

function checkXMLSignature($token) {
	$objXMLSecDSig = new XMLSecurityDSig();
	$objXMLSecDSig->idKeys[] = 'ID';
	$objDSig = $objXMLSecDSig->locateSignature($token);

	/* Must check certificate fingerprint now - validateReference removes it */
	if ( ! validateCertFingerprint($token) ) {
		throw new Exception("Fingerprint Validation Failed");
	}

	/* Canonicalize the signed info */
	$objXMLSecDSig->canonicalizeSignedInfo();

	$retVal = NULL;
	if ($objDSig) {
		$retVal = $objXMLSecDSig->validateReference();
	}
	if (! $retVal) {
		throw new Exception("SAML Validation Failed");
	}

	$key = NULL;
	$objKey = $objXMLSecDSig->locateKey();
	if ($objKey) {
		if ($objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig)) {
			/* Handle any additional key processing such as encrypted keys here */
		}
	}
	if (empty($objKey)) {
		throw new Exception("Error loading key to handle Signature");
	}

	return ($objXMLSecDSig->verify($objKey)==1);
}

is to just verify the signature directly on the SAML XML text and other parameters:

function checkSimpleSignature($params,$cert) {
	$rawSignature = $params['Signature'];
	$sigAlg = $params['SigAlg'];

	/* The signed data is the decoded XML, not the base64 form that was POSTed */
	$samlResponse = base64_decode( $params['SAMLResponse'] );
	$signature = base64_decode($rawSignature);

	if (strcmp($sigAlg,XMLSecurityKey::RSA_SHA1) != 0) {
		throw new Exception("Signature algorithm ".$sigAlg." is not supported");
	}

	/* RelayState is only part of the signed string when it was actually sent */
	if ( isset($params['RelayState'] ) ) {
		$relayState = $params['RelayState'];
		$signedData = "SAMLResponse=".$samlResponse."&RelayState=".$relayState."&SigAlg=".$sigAlg;
	} else {
		$signedData = "SAMLResponse=".$samlResponse."&SigAlg=".$sigAlg;
	}

	return (openssl_verify($signedData, $signature, $cert) == 1);
}

The difference in complexity may not look substantial, due to the excellent XML Signature support from Rob Richards' XML Security library, but it's a huge difference if you're implementing from scratch.

I've done some informal testing and everything seems to check out. If you are working with HTTP-SimpleSign on the IdP end, please do grab the SAML2.0/PHP code, check it against your implementation and report back.
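To make the signed-string construction concrete, here is an added example (not code from the post or from the OpenSSO extension) in Ruby, the language of the saml2ruby extension elsewhere on this page: it builds the HTTP-SimpleSign string on the IdP side, signs it with RSA-SHA1, and verifies it on the SP side the same way checkSimpleSignature does. The key, the Response XML and the RelayState are constructed sample values.

```ruby
require 'openssl'
require 'base64'

# SigAlg URI the PHP check accepts (XMLSecurityKey::RSA_SHA1 in xmlseclibs).
RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# The octet string HTTP-SimpleSign signs: the *decoded* SAML XML, RelayState
# (only when present) and SigAlg, joined verbatim with '&'. No canonicalization.
def simplesign_data(saml_xml, sig_alg, relay_state = nil)
  data = "SAMLResponse=#{saml_xml}"
  data += "&RelayState=#{relay_state}" if relay_state
  data + "&SigAlg=#{sig_alg}"
end

# IdP side: build the form fields the browser POSTs to the SP.
def simplesign_params(idp_key, saml_xml, relay_state = nil)
  signature = idp_key.sign(OpenSSL::Digest.new('SHA1'),
                           simplesign_data(saml_xml, RSA_SHA1, relay_state))
  params = { 'SAMLResponse' => Base64.strict_encode64(saml_xml),
             'SigAlg'       => RSA_SHA1,
             'Signature'    => Base64.strict_encode64(signature) }
  params['RelayState'] = relay_state if relay_state
  params
end

# SP side: Ruby equivalent of checkSimpleSignature. Rebuilds the signed string
# from the posted fields and verifies it with the IdP's public key. Returns
# true/false; raises on an unexpected SigAlg, as the PHP version does.
def check_simple_signature(params, idp_public_key)
  unless params['SigAlg'] == RSA_SHA1
    raise "Signature algorithm #{params['SigAlg']} is not supported"
  end
  saml_xml  = Base64.decode64(params['SAMLResponse'])
  signature = Base64.decode64(params['Signature'])
  data = simplesign_data(saml_xml, params['SigAlg'], params['RelayState'])
  idp_public_key.verify(OpenSSL::Digest.new('SHA1'), signature, data)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: throwaway IdP key, minimal Response, a RelayState.
  idp_key = OpenSSL::PKey::RSA.new(2048)
  xml = '<samlp:Response ID="_abc" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>'
  posted = simplesign_params(idp_key, xml, 'https://sp.example.test/return')
  puts check_simple_signature(posted, idp_key.public_key)   # true
  tampered = posted.merge('RelayState' => 'https://other.example.test/')
  puts check_simple_signature(tampered, idp_key.public_key) # false
end
```

Because RelayState is inside the signed string, an altered RelayState fails verification just as an altered Response does.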

Friday Jun 15, 2007

OpenID @ Work - Architecture

As you might already know, has been live for a few days now. I have my shiny new OpenID ( and have already used it to log in to the Project Concordia wiki and add myself to the list of participants. Everything seems to be working as it should.

It's a fitting time, then, to start explaining how we deployed OpenID, and Hubert has started doing exactly that with this blog entry on the architecture of As you can see from Hubert's description, the OpenID deployment is based on OpenSSO and its OpenID extension, so any interested party can go grab the source and try it out for themselves. In fact, some already have.

Thursday May 24, 2007

New Iteration of the SAML 2.0 PHP SP

Many thanks to Andreas Åkre Solberg of the FEIDE project for this latest iteration of the SAML 2.0 PHP service provider (SP) OpenSSO Extension (you might remember it as 'Lightbulb'). I spent Thursday afternoon running through some tests with the PHP SP and OpenSSO as the identity provider - apart from one very minor bug (already fixed), it all works great!

Changes since the initial implementation:

  • Code restructured with SPIs for session handling and name mapping
  • Single logout listener
  • Support for transient identifiers
  • A new, simpler, sample
  • Documentation!
  • Several bugfixes

Grab the code via CVS from (it's in opensso/extensions/saml2php/). Instructions for getting the code via CVS.

Monday May 07, 2007

OpenID at Sun

Already lighting up the blogosphere this morning are posts from Tatsuo, Gerry, Rich and Scott all about Sun's new OpenID Provider. Briefly, Sun is launching an OpenID Provider (OP) for all of its employees.

Why just employees? Well - there are any number of sites that offer OpenIDs, and anyone can start their own, but we wanted to try something different. With this service, we are exploring the use of OpenIDs in a business context - what could it mean to have an OpenID that says you are an employee of Sun Microsystems (or, for that matter, any company)? We'll be learning over the next few weeks and months, and, of course, sharing the lessons with the wider community.

On the technical side, we are deploying the OpenSSO Extension for OpenID on OpenSSO. In case the bulbs aren't lighting yet... this means that anyone can grab those components, do a little tweaking round the edges, and roll this out for themselves. In fact, that's exactly what SSOCircle has done, but in a non-enterprise context.

Monday Apr 30, 2007

New Drop of the OpenSSO OpenID Provider Code

Back in March, Paul Bryan released the first version of the OpenID Extension for OpenSSO, implementing an OpenID Provider for OpenSSO, Sun's open source single sign-on/access control/federation project. You might also recall that, at the beginning of this month, SSOCircle put this into production, enabling OpenID Provider services on their public identity provider.

Last night, Paul announced the second drop of his OpenID provider on OpenSSO's developer mailing list. For those of you not subscribed, here is the full text of his announcement:

Hi all:
I have just checked-in the source to the OpenID provider 1.0 alpha2. The following are excerpts from the README file:


The OpenID provider provides a complete OpenID Authentication 1.1 protocol compliant identity provider implementation, complete with full support for OpenID Simple Registration Extension 1.0.


This release includes the following enhancements over 1.0 alpha1:
  • Standalone web application as deployable WAR file
  • OpenID message object model; supports future consumer implementation
  • Trust management user interface (non-persistent trust decisions)
  • Simple Registration Extension user interface
  • On-the-fly l10n and i18n (English, French and German included)
  • Full decoupling from authentication infrastructure through getUserPrincipal
  • Integration with OpenSSO through servlet filter implementation
  • Configurable OpenID identity regular expression pattern
  • Configurable authentication provider principal mapping
  • No more dependencies on OpenSSO internal classes


This is the second release in a planned series of releases. Version 1.0 alpha3 targets to include the following enhancements:
  • Persistent trust decisions (via pluggable persistence SPI)
  • Persistent persona management and associated user interface
  • Integration with other authentication infrastructures
  • Response to errors through published openid.error mechanism
  • Further refinement in preparation for OpenID 2.0 ratification
  • Full supporting documentation
  • Comprehensive logging
For more information, see: As always, any comments and feedback will be most appreciated.
Paul C. Bryan

As soon as I get a chance, I need to go grab this and have a play...

Wednesday Apr 04, 2007

SSOCircle Latest - SAML2.0/PHP and OpenID

Looks like Hu's been busy - not only has he deployed a sample SAML 2.0 service provider based on the SAML 2.0/PHP OpenSSO Extension (formerly known as Lightbulb), he's also rolled out Paul's OpenID code (another OpenSSO Extension). So, now you can go register at SSOCircle and use either SAML 2.0 or OpenID to authenticate to relying parties/service providers, all through the magic of OpenSSO. Cool!

Friday Mar 23, 2007

New Podcast Posted - OpenSSO: Bridging the Gap

Catching up on the blogging - it's amazing how time flies by when you're doing 'real work'!

Last Friday, Brandon Whichard, Don Bowen and I recorded a podcast in Sun's Identity Management Buzz series. There was no agenda - Brandon, Don and I just chatted about what's new, including OpenSSO, its Extensions sub-project and OpenID. As the podcast was recorded on St Patrick's Eve, we even get to the subject of leprechauns and their gold...

Listen Now [MP3] or Subscribe via iTunes

Tuesday Mar 20, 2007

Latest OpenSSO Extension: SAML 2.0 on Ruby

UPDATE 21 March 2007 - I missed a couple of steps, including, ironically, installing the SAML 2.0 Ruby code. All should be well now.

Hot on the heels of our launch of OpenSSO Extensions comes the latest extension, contributed by Todd Saxton from New Zealand: a SAML 2.0 relying party implementation in Ruby (already noticed by the sharp-eyed Tatsuo Kudo, here). Todd used the existing SAML 2.0 PHP relying party (formerly known as Lightbulb) as a starting point and ported it to Ruby, using Roland Schmitt's WSS4R to handle the XML Security chores. Note that both the Ruby and PHP SAML 2.0 relying party implementations are very much 'proofs of concept'. They successfully complete SAML 2.0 single sign-on and single logout, but are not to be considered production quality. In particular, Andreas Solberg has identified some bugs and shortcomings in the PHP implementation and kindly offered to contribute his fixes (nudge!).

I just downloaded the Ruby SAML 2.0 code and... it works! I made one minor fix to account for differences in my environment, but everything else was just configuration. Here is a checklist of what you'll need (I used this very useful HOWTO on Rails installation as a base):

  • Install Ruby - I have version 1.8.4, installed into Ubuntu via apt-get.
  • Install RubyGems - I have version 0.9.2.
  • Install Rails - I have version 1.2.3, installed via gem.
  • (Optional) Install Mongrel - I have version 1.0.1, installed via gem.
  • Install WSS4R - I downloaded the tarball and ran ruby setup.rb.
  • Install LOG4R (needed by WSS4R) - I used gem install log4r.
  • Checkout the SAML 2.0 Ruby source from (it's in opensso/extensions/saml2ruby/source). Instructions for getting the code via CVS.
  • Patch the WSS4R library's xmlcanonicalizer.rb according to the instructions in saml2ruby's INSTALL file.
  • Edit saml2ruby/source/examples/rails/SimpleSAMLRP/config/environment.rb and change RAILS_GEM_VERSION to match what you have. There may be cleaner ways of doing this, but this is what worked for me.
  • Edit saml2ruby/source/examples/rails/SimpleSAMLRP/app/controllers/account_controller.rb and change the SP and IdP settings to match your environment.
  • Run the server - from saml2ruby/source/examples/rails/SimpleSAMLRP do mongrel_rails start or ruby script/server.
  • Now browse to and you should be redirected to authenticate at the IdP. On successful authentication you should be sent back to the Ruby SP example app which will report a successful login.

So - if you're a Ruby-ist (Ruby-ite? Rubier?) and you need SAML 2.0, go grab saml2ruby!

Monday Mar 12, 2007

Lightbulb is Dead; Long Live OpenSSO Extensions!

Last October, we released the first SAML 2.0 implementation in PHP, codenamed 'Project Lightbulb' (because Lightbulb fits into LAMP) and a sub-project of OpenSSO. In the few months since then, other folks have proposed similar extensions to OpenSSO, and the 'Lightbulb' name has looked increasingly anachronistic, particularly since the core OpenSSO project has always fully supported LAMP with its Apache HTTP Server and Tomcat policy agents.

Today, we launch OpenSSO Extensions, OpenSSO's code incubator, with three initial modules:

So - what is an OpenSSO Extension? Well, it's any piece of code that either

  • extends OpenSSO to provide new functionality, for example, the OpenID identity provider, or
  • interfaces with OpenSSO, extending other systems, such as the PHP Client SDK and SAML 2.0 relying party.

If you have an idea for extending OpenSSO in an interesting way, then click here to participate!
