Pat Patterson on Identity Management, Federation and Single Malt Scotch
         

 
IdentiCat - captured on film
[ enterprise identicat opensso secondlife ]

They Said It Couldn't Be Done


Behold - a picture of the IdentiCat - clear evidence of its existence! Close examination of this video, revealed today by IdentiCat witness Daniel Raskin, shows the creature frolicking on Sun Island in Second Life, rehearsing his forthcoming presentation on OpenSSO Enterprise 8. Click here to reserve your place in the audience, in Second Life, on September 30. Now, if you'll excuse me, I have a gross of gentleman's jackets to load onto my tractor...

@ 03:19 PM PDT Comments [0]
 
OpenSSO Integration with Atlassian Jira
[ atlassian jira opensso ]

Alexey Abashev, a Sun ISV engineer in Moscow, Russia, sent an email to the OpenSSO users mailing list a few weeks ago, announcing his Atlassian Jira extension for OpenSSO. The plugin page details how to deploy the extension and enable single sign-on to Jira via OpenSSO. Cool stuff!

I haven't had a chance to try this yet, but, if you have, let me know in the comments how you got on...

@ 10:35 AM PDT Comments [0]
 
 
 
OpenSSO Authentication Modules - Hitachi Finger Vein Biometric, Verisign Identity Protection, RSA Access Manager
[ biometric extensions hitachi opensso rsa verisign vip ]

I've blogged before on OpenSSO Extensions - useful modules that do not fit into the OpenSSO 'core'. Among the various categories of extension are 'authentication modules' - one of the most common customizations for OpenSSO and Access Manager. An authentication module supports a particular mechanism for collecting and verifying a user's credentials - common mechanisms that are supported out-of-the-box include username/password against LDAP, client certificates (encompassing browser certs and smartcards) and Windows Desktop SSO (aka SPNEGO, aka Kerberos).

Of course, technology refuses to stand still, and new authentication mechanisms are constantly being developed and deployed - new biometrics, hardware tokens, even whole new authentication protocols. Over the past few months, we've seen a clutch of new authentication modules in OpenSSO, so it's time to take a look at what's new...

The Hitachi Finger Vein Biometric module (README), developed by Yasushi Iwakata, interfaces with an infra-red based reader to use the unique patterns of veins in each user's finger as a credential. Yasushi recently left Sun, but continues as an external contributor to OpenSSO.

Jeff Bounds blogged about his Verisign Identity Protection module back in June. Since that blog entry, Jeff has uploaded the source as an OpenSSO Extension, so it's available to all; the README and Jeff's blog entry have everything you need to get started.

Strictly speaking, Wajih Ahmed's RSA Access Manager authentication module is located in the 'core' OpenSSO area, but it's an authentication module just the same. It allows you to integrate OpenSSO (or, of course, Access Manager) with, uh, RSA Access Manager (formerly known as ClearTrust) for co-existence, either permanently or as an initial phase in a migration. Again, there's a README to get you started.

So, three very different authentication modules. Maybe you have an idea for a fourth?

@ 04:28 PM PDT Comments [0]
 
 
 
ID-WSF 2.0 Javapolis Video Online at Parleys.com
[ idwsf opensso parleys video ]

Another entry from the 'While-I-was-on-vacation' department... Video from my JavaPolis ID-WSF 2.0 session was posted at Parleys.com. This is the third and final session I did at JavaPolis last year, the previous two covering OpenSSO and SAML 2.0.

There's also a short report from the JavaPolis 2007 Speaker and JUG Dinner - you can catch a couple of glimpses of me enjoying the JavaPolis hospitality, though Harold and Alexis get speaking parts...

@ 06:02 AM PDT Comments [2]
 
 
 
Making a Difference in a Sustainable Way
[ kiva microfinance ]
Kiva - loans that change lives

Prompted by James' post, I just joined Kiva - a microfinance clearing house connecting individual lenders in developed countries (or indeed anywhere) with entrepreneurs from impoverished communities around the world. These are people who want to change their lives, but have little or no access to capital from traditional sources such as banks and credit cards. It's a great concept - as it's repaid, you can relend the money to other borrowers again and again and again.

@ 10:55 AM PDT Comments [0]
 
 
 
Integrating Applications With OpenSSO and more at SDN
[ aravindan opensso prashantdighe sdn tatsuokudo ]

What with vacation and work on OpenSSO, I've built up quite a backlog of blogworthy news. Now that I've got a couple of hours spare, it's time to take a look at what's been happening over at Sun Developer Network's Identity pages...

The 'Securing Applications With Identity Services' series continues with part 4: 'Single Sign-On and Logout'. Prashant, Aravindan and Marina show how OpenSSO's REST-based identity services can be put to use in integrating a sample Java web application 'directly' with OpenSSO, without deploying a policy agent. This approach was used in Prashant's integration of Liferay with OpenSSO, which also works in WebSynergy. While the policy agent is a great solution for SSO-enabling existing web apps, the REST mechanism allows you to build OpenSSO support right into an app so it works 'out of the box' with no additional components.

In 'Integrating Applications With OpenSSO', Tatsuo, Aravindan and Marina cover integration with OpenSSO via policy agents, reverse proxies, the client SDK, and identity services. There's a great worked example of integrating Ruby on Rails with OpenSSO, applying OpenSSO's identity services beyond the world of Java.

As if that wasn't enough, there have been a couple more articles in the 'From the Trenches at Sun Identity' series. In her fifth interview with OpenSSO folks, Marina (does she never sleep?) talks to OpenSSO senior product manager Nick Wooler on Support for OpenSSO, explaining how customers can now buy support for OpenSSO via OpenSSO Express. Interview number six has the almost-as-ubiquitous-as-Marina Aravindan Ranganathan on Identity Services for Securing Web Applications. Can you tell that identity services are a big focus for OpenSSO right now?

Lots to catch up with there! To stay current, you can subscribe to a feed of identity management goodness from Sun Developer Network - just point your feed reader here.

@ 03:04 PM PDT Comments [0]
 
 
 
Free Online OpenSSO Training
[ opensso training ]

Tonnes and tonnes (just back from the very metric New Zealand) of OpenSSO news from the last few weeks, but this just in - OpenSSO training maestro David Goldsmith has just released a FREE (as in beer) training course: WSPL-AM-3508-D: OpenSSO Deployment. As David mentions on the OpenSSO Training Page, all you need to do is grab a My Sun account (if you haven't already got one) and get stuck in.

I've been in to take a look around, and it's classy stuff - a 138 page student workbook plus a downloadable VM with Solaris 10, all the tarballs you'll need and even Solaris Zones and ZFS all set up to let you skip sections, roll back from mistakes, try alternate scenarios - whatever you like. If you've been itching to move beyond the basic "Deploy WAR file, configure identity provider, create Fedlet, deploy Fedlet, marvel at its magnificence" recipe and into the strange and exciting world of multiple OpenSSO instances, load balancers, failover and more, let David be your guide...

@ 02:53 PM PDT Comments [1]
 
 
 
See you in August!
[ opensso ]

I fly off today on my summer vacation, but I wanted to blog one last entry to point you to Planet OpenSSO (feed) for all the OpenSSO news over the next few weeks. We have some exciting announcements coming up - stay tuned!!!

@ 08:42 AM PDT Comments [0]
 
 
 
OpenSSO nominated for SOA World 2008 Readers' Choice Award
[ opensso soaworld ]

As Arun just blogged, SOA World magazine has just announced the finalists for its 2008 Readers' Choice Awards. Sun Access Manager/OpenSSO is nominated for the 'Best Security Solution' category. In fact, a whole bunch of Sun products and projects were nominated across several categories - Arun has a list.

As Arun also mentions, it seems like SOA World haven't sorted out the voting process yet - the site still invites you to nominate products, even though nominations closed June 22, so you can't go vote for OpenSSO just yet. Watch this space for an update when voting starts.

@ 02:33 AM PDT Comments [1]
 
 
 
SAML and Windows Login
[ jamesmcgovern saml windows ]

Interesting post from James on the possibilities of Windows desktop systems being SAML identity providers (IdPs). Currently, a similar mechanism exists for desktop single sign-on from Windows (via SPNEGO, using Kerberos tokens, which, by the way, OpenSSO and Access Manager support directly, no IIS 'bounce' required), but this is limited to a single enterprise's AD infrastructure and can be pretty tricky to deploy. It's easy to imagine IE submitting SAML assertions to service providers at Internet scale in the way James describes. Microsoft seem to be reconsidering the case for supporting SAML 2.0, so they may even be receptive to something like this.

Where James does get things twisted (to use one of his favorite expressions) is in imagining that Sun and Oracle have much influence on our friends in Redmond. Microsoft's paying customers have MUCH more clout than their competitors/partners. I'd suggest, James, that you band together with your peers at enterprises such as GM and Boeing, who I know, from their participation in Concordia, have very similar desires. Heck, you could even roll up your sleeves and dive right in to Concordia - it's free, very enterprisey and Microsoft participate with open ears...

@ 06:28 AM PDT Comments [1]
 
 
 
Gartner: Sun IAM & Open Source - STRONG POSITIVE
[ gartner opensource opensso sun ]

Via Tatsuo Kudo - Gartner recently published their latest vendor rating for Sun. The overall picture is, well, sunny, if you'll pardon the pun, but I'm particularly pleased with their ratings in the areas of Identity and Access Management and Open Source - 'Strong Positive'* for both, which means that OpenSSO and OpenDS must be doubly blessed.

* Strong Positive: Is viewed as a provider of strategic products, services or solutions:

Customers: Continue with planned investments.

Potential customers: Consider this vendor a strong choice for strategic investments.

@ 01:04 AM PDT Comments [2]
 
 
 
Slides from RMLL 2008
[ opensso rmll ]

I just uploaded my slides and photos from last week's RMLL conference in Mont-de-Marsan. This was a great event - amazing to see the strength of the open source community in France!

@ 11:34 PM PDT Comments [2]
 
links for 2008-07-06
[ ]
@ 07:32 AM PDT Comments [0]
 
 
 
OpenSSO Build 4.5
[ blogwatch opensso ]

It's been a while since Build 4 of OpenSSO, as we work towards an early access (EA) build of Sun Federated Access Manager 8.0, OpenSSO's commercial 'twin'. Our plan designates OpenSSO build 5 as the FAM 8.0 EA, but we still have some minor issues to iron out before we're ready for EA, hence the release of OpenSSO 1.0 Build 4.5.

Here are some of the new features in Build 4.5, compared to Build 4:

The Fedlet - quick and easy Federation for SPs, where you'd rather (slightly) modify your web app than deploy more infrastructure - much more on the Fedlet in the Sun blogosphere.

Federation Validator - test harness for checking single sign-on between a SAML 2.0 Identity Provider and Service Provider.

SiteMinder Integration - support for co-existence of OpenSSO and SiteMinder.

Many more enhancements are listed at the bottom of the Build 4.5 release notes. Watch the OpenSSO blogosphere for more details on these new features.

The more I work on OpenSSO, the more I realize the nuances of open source development. The fact that we released this 'interim' stable build between builds 4 and 5 is one example of this - the demand for build 4.5 has come from the OpenSSO community, which is now MUCH larger than the FAM team within Sun.

@ 04:02 AM PDT Comments [0]
 
 
 
OpenSSO Javapolis Video Online at Parleys.com
[ javapolis opensso parleys video ]

A few days ago, the good people at JavaPolis (which now seems to be called Javoxx) posted the video for my OpenSSO session from JavaPolis 07 at Parleys.com. Go take a look and see how it compares with the SAML 2.0 session they posted back in February.

@ 07:28 AM PDT Comments [0]
 
 
 
 

