Monday Jun 08, 2009

Deep Dive: Sun GlassFish WebSpace Server (Part Deux)

Deep Dive: Sun GlassFish WebSpace Server, An Interview With James Falkner

As part of the WebSpace Server 10 release, Ed Ort (from and I sat down to do a deep dive webcast for GlassFish WebSpace Server. Parts 1 and 2 were originally published a few weeks ago. Parts 3 and 4 are now available and cover development tooling and end user social collaboration techniques.


Friday Aug 29, 2008

OpenSSO Express and Identity Services at SDN

OpenSSO Diagram

Things have been pretty quiet on the identity front here at The Aquarium over the summer vacation season - time to kick things up a notch with a look at the recent feast of OpenSSO-related articles on the Sun Developer Network's identity pages:

In part 4 of the 'Securing Applications With Identity Services' series: 'Single Sign-On and Logout', Prashant, Aravindan and Marina show how OpenSSO's REST-based identity services can be put to use in integrating a sample Java web application with OpenSSO. This approach was used in Prashant's integration of Liferay with OpenSSO, which also works in WebSynergy.

'Integrating Applications With OpenSSO', by Tatsuo, Aravindan and Marina, covers integration with OpenSSO via policy agents, reverse proxies, the client SDK, and identity services. There's a great worked example of integrating Ruby on Rails with OpenSSO, applying OpenSSO's identity services beyond the world of Java.

The fifth interview 'From the Trenches at Sun Identity' has Marina talking to OpenSSO senior product manager Nick Wooler on Support for OpenSSO, explaining how customers can now buy support for OpenSSO via OpenSSO Express.

Finally, Aravindan Ranganathan talks to Marina about Identity Services for Securing Web Applications. As you can probably tell, identity services is one of the hottest components in OpenSSO right now!

For all the latest OpenSSO articles and more, subscribe to the SDN Identity Feed - there's plenty more in the pipeline!

Friday Apr 18, 2008

Fetching User Attributes With Identity Services

Identity Services Screenshot

Over the past few months, Aravindan Ranganathan, Lakshman Abburi and Marina Sum have been working on a series of articles covering the new identity services functionality available now in OpenSSO and coming soon in Sun Federated Access Manager 8.0. This week sees the publication of part 3, covering retrieval of user attributes.

One notable feature of the series is its presentation of both SOAP/WSDL and REST patterns for accessing OpenSSO's identity services. Which do you use, and why?

Wednesday Apr 16, 2008

Federated Access Management Simplified

Daniel Raskin

Third in Sun Developer Network tech author Marina Sum's series of interviews with Sun's identity team is Daniel Raskin, senior product line manager for access and federation management at Sun.

Daniel lifts the lid on some of the cool new features coming up in Sun Federated Access Manager 8.0 (and, of course, available NOW in OpenSSO) specifically designed to simplify federation deployments, including Fedlets, Virtual Federation, the Federation Validator and more.

Read the article for the inside scoop!

Tuesday Apr 01, 2008

OpenSSO, a Thriving Community

Pat Patterson

In the second article of her 'From the Trenches' series of interviews with folks from Sun's Identity team, Sun Developer Network tech author Marina Sum chats with me about OpenSSO's evolution over the past couple of years. We get into some of the challenges inherent in opening up a commercial software product and my aspirations for OpenSSO's future.

I mention in the interview that "I'd like whoever desires access control and federated SSO to immediately think of OpenSSO as the preferred choice." This seems to be coming true already - we've already covered integrations with JBoss Portal and Liferay; yesterday I noticed a new integration with PAL Portal.

Tuesday Mar 18, 2008

SDN Interview with OpenSSO Project Manager Jamie Nelson

Jamie Nelson

Following up on her recent interviews with Sun identity folk, Sun Developer Network tech author Marina Sum kicks off a new series of interviews, this week featuring OpenSSO Project Manager Jamie Nelson, Sun's director of engineering for access and federation management (and my boss - Hi Jamie!) Read the interview for Jamie's take on securing web applications.

While we're on the OpenSSO/Access Manager topic, Marina also recently published two new sections of the Access Manager FAQ, this time covering Identity Management (from the Access Manager point of view) and the Service Management SDK. Lots of useful little nuggets in there.

Wednesday Feb 13, 2008

Automating Directory Server Install & Config with Perl

Directory Server mesh

Although the open source directory server action is at OpenDS, Sun's existing Directory Server Enterprise Edition is widely deployed and integrated in products such as Sun Java System Access Manager and its open source twin, OpenSSO. One of the many reasons for its popularity is its implementation of multi-master replication (MMR), the ability to deploy a cluster of Directory Server instances, each synchronizing data with the rest.

Installing and configuring such a fully-connected mesh of Directory Servers is quite a laborious task, so Sun identity architect Jonathan Gershater devised a Perl script to do the legwork, then wrote it up as a Sun Developer Network article with technical author Marina Sum. Discover how Perl scripts automate Directory Server installation and configuration.

Friday Jan 18, 2008

Fine-Grained Authorization with Sun Java System Access Manager

Access Manager Authorization Architecture

As I just mentioned over at Superpatterns, Marina and Robert recently published Developing Secure Applications with Sun Java System Access Manager, Part 2: Advanced Authorization, continuing their case study of implementing fine-grained authorization at a fictional health-care company. A great article, with lots for the identity-focused developer.

Friday Dec 14, 2007

OpenSSO Build 2 plus New Identity Services Article

Yellow Road Roller

As Michael and I already reported, OpenSSO v1 build 2 is now available at the OpenSSO download page. There are some pretty major advances in this build, most notably the centralized server and agent configuration. My blog entry gives more detail, while Michael's has a vintage TV commercial - take your pick.

Once you've downloaded the new build, you can go work through the latest tutorial over at the Sun Developer Network Identity Pages. Regular authors Aravindan and Marina are joined by Lakshman Abburi to cover authorization with identity services. Now that the nights are drawing in (if you're in the Northern hemisphere!), what could be better than settling down with a nice cup of hot chocolate and working through a tutorial or two?

Friday Nov 02, 2007

Authentication with Identity Services

Identity Services Slide

While standards such as SAML and XACML provide flexible, interoperable frameworks for exchanging authentication and authorization data, developers are sometimes left wanting something simpler - "Just give me an easy way to authenticate a user and check if they are authorized to access a resource".

We've been working on this in OpenSSO these past few months, building a simple set of identity services: web services for authentication, authorization, attribute retrieval and logging. With SOAP and REST endpoints, just about any application can manipulate identities in a very simple, robust way. Check out Aravindan and Marina's recent article on authentication with identity services. Subscribe to the Sun Developer Network identity feed to catch further articles in this series.

Friday Sep 14, 2007

Single Sign-On from Access Manager to OWA 2003

Outlook Web Access

Completing our trilogy of articles on integrating Sun Java System Access Manager with Microsoft web applications, Marina Sum, our resident technical author, and Madan Ranganath, Access Manager policy agent engineer, focus on single sign-on from Access Manager to Outlook Web Access 2003.

If you work your way through the first two installments, covering IIS and SharePoint Portal Server 2003, and this final article, you'll know pretty much all there is to know about single sign-on between Access Manager and Microsoft's web applications.

Thursday Aug 30, 2007

Apply Web Services Security to EJB Applications

Stock quote sample application

Back in May, at JavaOne 2007, Aravindan Ranganathan and Malla Simhachalam presented a hands-on lab titled Securing Identity Web Services. The lab showed how to provide different levels of stock quote service according to the identity of an end-user - authenticated users see real-time stock data while 'guests' see delayed quotes.

Since then, Malla, Mrudul Uchil and Marina Sum have written up the lab tutorial as a three-part series of articles at the Sun Developer Network showing how identity can be carried from an incoming web services request right through to an EJB. The sample application shows the request and response messages graphically, and provides links to the XML message data - a particularly nice feature that shows exactly what is going on.

Thursday Jul 26, 2007

SSO from Sun Java System Access Manager to SharePoint Portal Server 2003

SharePoint screenshot

If you've tried to configure single sign-on with Microsoft SharePoint Portal Server 2003, you'll know that can be a bit... non-trivial. The Sun Java System Access Manager policy agent engineering team have been working on extending the existing agent for IIS to allow single sign-on into SharePoint (and Outlook Web Access, but that's another story...).

Robertis Tongbram and Marina Sum just wrote this scenario as an article over at Sun Developer Network.

Of course, all Access Manager policy agents also work with OpenSSO, Access Manager's open source alter ego, so when Policy Agent for IIS 6 Hotpatch 8 hits the street it'll work with OpenSSO, too.

Friday Jul 13, 2007

1: Share Stuff. 2: ??? 3: Profit!

Picture of a U.S. Dollar

Fans of Slashdot and South Park, rejoice! A solution to the infamous three-part business model has finally been discovered.

Well, sort of... It won't make you rich, but Sun's SDN Share Program will reward you for sharing your programming knowledge. Anyone can post tech tips, code samples, or full-blown articles. Then anyone else can vote, tag, and comment on those submissions. Bottom line: the best stuff floats to the top, and the best submitters can earn gift certificates. (Okay, it's not cash--but close enough to be called profiting.)

The program started back in April and, as Lou has noted, is seeing some nice usage momentum. It's built with technologies from the GlassFish community, including Slynkr. Give it a look. You might just learn something--or earn something.

Monday Jun 25, 2007

New OpenSSO Articles at Sun Developer Network

Access Manager Authorization Architecture

Over at the Sun Developer Network, Marina Sum has been on a tear this past week or so, with two articles on OpenSSO and its sister product, Sun Java System Access Manager. Last week, she and I published Single Logout: A Demo, a follow-up to February's article Switch on SAML for PHP With Project Lightbulb, covering Project Lightbulb's evolution into OpenSSO Extensions and its implementation of SAML 2.0 single logout. Much discussion of the mechanics of single logout and its implementation in the OpenSSO SAML 2.0/PHP Extension.

Today, Marina and Robert Skoczylas of Indigo Consulting published Developing Secure Applications with Sun Java System Access Manager, Part 1: Basic Authorization. This article, part 1 of a series, presents a case study of implementing authentication, single sign-on, and authorization at a fictional health-care insurance company. Great stuff, working from a high-level description of the problem right down to specific Access Manager customizations.