A Realm is a Bin for Data When You Need to Store
opensso is configured as the root realm. A realm (under the Access Control tab) is a group of authentication properties and authorization policies that can be associated with a user or group of users, or a collection of protected resources. For example, you can create a realm that groups all servers and services accessed by employees in one region. Within that regional realm, you can group all servers and services accessed regularly by employees in a specific division, such as Human Resources. And even more fine-grained, you can add constraints that allow users to access a particular service from Monday through Friday, 9:00 a.m. to 5:00 p.m.
The root realm is where you configure user (identity) data stores, manage policies and create authentication chains globally. A Realm Administrator can do all these operations in the root realm while the Policy Administrator can only create and manage policies. Under the root realm, you configure sub-realms. Sub-realms enable the following scenarios.
- You need an administrator who can create policies for a sub-set of resources only. For example, let's assume you want an administrator to create policies for resources that reside at https://paycheck.sun.com/paycheck.
  - Create a subrealm under opensso named paycheck.
  - Under the opensso root realm, create a policy referral with the Resource Name defined as https://paycheck.sun.com/paycheck.
  - Under the paycheck sub-realm, create a group under Subjects called PaycheckAdmin and select the appropriate privilege (Read and write access only for policy properties) under Privileges.
  - Modify the appropriate user profile and policy under the sub-realm to reflect this new privilege. The user can then log in to the sub-realm and create policies for the defined resources. The sub-realm, in this case, is mainly for the policy administrator to manage the policies for the configured resources. paycheck will have the same data store and authentication chains as opensso, its parent realm. If configurations change in the parent realm, a corresponding change in the sub-realm policy might be needed.
- You need each sub-realm to have its own set of data stores (identities), authentication chains and policy administrators. Ideally there would be nothing in common between the root and the sub-realm except for the referral policy created under the root realm to delegate all, or a subset of, resources to the sub-realm. With this scenario, users would be created within, and authenticate to, their sub-realm. Agents would also have to be configured to redirect user authentication to the sub-realm.
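The delegation described above (a referral in the root realm hands one resource to a sub-realm, whose policy administrators may write policies only for what was referred to them) can be modelled in a few dozen lines. This is an added illustration, not OpenSSO code: the realm names, the hr_admin user standing in for a PaycheckAdmin member, and the longest-prefix referral match are constructed assumptions for the example.

```python
"""Toy model of OpenSSO realm delegation through referral policies.

Added example, not OpenSSO's own implementation. It reproduces the post's
scenario: the root realm 'opensso' refers https://paycheck.sun.com/paycheck
to the 'paycheck' sub-realm, and only a policy administrator of that
sub-realm may create policies there, and only for referred resources.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Realm:
    name: str
    parent: Optional["Realm"] = None
    # resource prefix -> name of the sub-realm it is referred to
    referrals: dict = field(default_factory=dict)
    # resource prefix -> set of users allowed (a reduced "allow" policy)
    policies: dict = field(default_factory=dict)
    # users holding "read and write access only for policy properties" here
    policy_admins: set = field(default_factory=set)
    subrealms: dict = field(default_factory=dict)

    def create_subrealm(self, name):
        sub = Realm(name, parent=self)
        self.subrealms[name] = sub
        return sub


def owning_realm(root, resource):
    """Follow referrals from the root down to the realm that owns policy
    for `resource`; the longest matching referral prefix wins per level."""
    realm = root
    while True:
        matches = [p for p in realm.referrals if resource.startswith(p)]
        if not matches:
            return realm
        realm = realm.subrealms[realm.referrals[max(matches, key=len)]]


def create_policy(root, realm, admin, resource, subjects):
    """A sub-realm administrator may only write policies in a realm where
    they hold the privilege, and only for resources referred to that realm."""
    if admin not in realm.policy_admins:
        raise PermissionError(f"{admin} may not write policies in realm {realm.name}")
    if owning_realm(root, resource) is not realm:
        raise ValueError(f"{resource} is not referred to realm {realm.name}")
    realm.policies[resource] = set(subjects)


def is_allowed(root, user, resource):
    """Evaluate access by locating the owning realm and checking its policies."""
    realm = owning_realm(root, resource)
    return any(resource.startswith(prefix) and user in subjects
               for prefix, subjects in realm.policies.items())


def build_scenario():
    """Constructed scenario mirroring the post: root realm, referral, sub-realm admin."""
    root = Realm("opensso")
    root.policy_admins.add("amadmin")
    paycheck = root.create_subrealm("paycheck")
    root.referrals["https://paycheck.sun.com/paycheck"] = "paycheck"
    paycheck.policy_admins.add("hr_admin")  # stands in for a PaycheckAdmin group member
    create_policy(root, paycheck, "hr_admin",
                  "https://paycheck.sun.com/paycheck", {"alice"})
    return root, paycheck


if __name__ == "__main__":
    root, paycheck = build_scenario()
    print(is_allowed(root, "alice", "https://paycheck.sun.com/paycheck/view"))  # True
    print(is_allowed(root, "bob", "https://paycheck.sun.com/paycheck/view"))    # False
```

The two error paths are the point of the model: a sub-realm administrator who tries to write a policy for a resource that the root realm never referred gets a ValueError, and an ordinary user of the sub-realm without the privilege gets a PermissionError, which is the scoping the post's sub-realm setup is meant to achieve.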
Posted at 2008-05-16 08:53:00.0 from DocTeger
Virtual Federation: A Game of Ratios
In many of my blogs I've written about Virtual Federation Proxy (VFP), a feature available in OpenSSO, the code base from which Sun's upcoming release Federated Access Manager 8 is derived. I've received lots of email from people asking me to explain the benefit of this feature in more detail, so this blog focuses on explaining the problem that organizations are facing and how VFP can lower the overall total cost of ownership for web access management and federation infrastructure.
THE PROBLEM
Most organizations are still working toward internal single sign-on. That is, the majority of organizations still have multiple authentication points, or reduced sign-on (RSO). For example, an organization may still have separate sign-ons for its Web Portal, HR System and Payroll system. It could be using Enterprise Single Sign-On to simulate an SSO experience, but it still maintains three different authentication infrastructures. If that organization wants to begin federating with external service providers using all three applications, it needs to deploy a federation service at each authentication point. In other words, the organization would need to deploy separate federation points for each application: Web Portal, HR system and Payroll system.

The problem with this is that the organization needs to maintain more federation instances and infrastructure than it wants, and would not be following the federation best practice of implementing a single, centralized federation hub. In short, the ratio of an organization's authentication points to federation points would be 1:1. That is, for every authentication point an organization maintains, it would also need to deploy an additional federation point. This is often an inhibitor to beginning federation, because many organizations believe they need to solve their internal single sign-on issues before starting with federation.
THE SOLUTION: VIRTUAL FEDERATION PROXY (VFP)
VFP allows a company to lower infrastructure costs by reducing the number of federation instances, hardware, and ongoing support/maintenance costs required to support each individual authentication point. VFP changes the ratio of authentication points to federation points from 1:1 to X:1. For example, the organization mentioned above, which has 3 authentication points (Web Portal, HR System, Payroll System), would now require only one federation deployment to manage all 3 authentication points, a 67% reduction in hardware, software, and ongoing maintenance. In short, OpenSSO's Virtual Federation Proxy (VFP) solves this problem by decoupling internal SSO from federated SSO.

VFP does this by allowing organizations to add a plug-in to each authentication point that pushes federation data to OpenSSO when a user logs in. OpenSSO caches the federation data and then acts as a virtual proxy on behalf of each authentication point. For example, the company mentioned above that has three authentication points would deploy a basic plug-in to federation-enable its Web Portal, HR System, and Payroll System. If a user logged in to the HR system and then tried to access a partner service during the authenticated session, for example an outsourced 401K service, OpenSSO would act as a proxy for the HR application and handle all communications with the 401K service using the cached data. Once the session is terminated, the cached data is deleted from OpenSSO.
Finally, as an organization makes progress toward SSO, it does not need to worry about constructing, maintaining and end-of-lifing multiple federation services. Instead, it can simply change how each application interacts with a single federation hub. In short, VFP allows organizations to architect a long-term federation solution that follows best practices, simplifies their path to federated single sign-on, lowers total cost of ownership, and simplifies an organization's identity infrastructure in a pragmatic manner.
Peace out!
Posted at 2008-05-13 16:16:19.0 from Virtual Daniel
Spinning for Swag at JavaOne
Although Moscone Center was the place in San Francisco last week for the kick-off of JavaOne, you also had the opportunity to attend virtually (Second Life) and via webcasts. CommunityOne (with attendees numbering 50% more than last year) started the week with a full-day of free technical sessions pertaining to open-source projects. (There was a soft opening, as it was referred to by the Moscone Center employees, on Sunday for start-ups.)
SWAG ALERT: OpenSolaris cloth bag with new logo!
First thing I noticed when I arrived for the CommunityOne General Session was the lack of food. Last year, a big breakfast buffet was generously laid out, but not this year, so I quickly grabbed a spinach/egg/feta burrito and found a seat for the General Session. (Food is swag, but maybe we should consider ourselves lucky that there was none.)
SPOTTED: Peter Fernandez calling out my cap.
Ian Murdock opened the CommunityOne General Session and then brought Jonathan Schwartz up for some remarks. The general theme of all these speeches (including the panel discussion) was the dichotomy between open and closed (monolithic, proprietary) software. Sun is fully committed to opening the source code for all its applications, thus allowing innovation everywhere rather than in one place. Sun software is becoming simple, small pieces loosely joined together to produce a whole that is greater than the sum of its parts.
SWAG ALERT: CommunityOne water bottle (stacked at a water fountain)
A shout out to Stormy Peters for mentioning the need to document code and lamenting that there were not enough technical writers in the world.
SWAG ALERT: Netbeans cloth bag and cap
The big software of the day (besides OpenSolaris) was NetBeans, which had different sessions all day. I attended the first to find out what was new with the product.
SWAG ALERT: GOOD CommunityOne t-shirt
SPOTTED: Paul Davies, Emily Xu, Shih-Yun Huang, Robertis Tongbram, and the real-life Ken Harper chatting during the lunch break.
Other CommunityOne sessions I attended were An Introduction to Web 2.0, Examining a Sample Application Built in Three Ways (very enlightening), Liberating Web Services, and Open Sourcing Music. Finally, our very own SuperPat Patterson moderated the OpenSSO Workshop with Daniel Raskin and Nick Wooler.
SWAG ALERT: GOOD Glassfish t-shirt
On Tuesday, JavaOne began with its General Session (which included an appearance by Neil Young).
Following this I was through learning and ready to work the Spinning Duke game. All attendees can spin the wheel and win an appropriate prize, depending on the level at which the wheel stopped. The top-level prize was a JavaOne backpack from last year's conference.
SWAG ALERT: JavaOne backpack from last year's conference - legitimately won via a spin of the wheel
At one point, a gent walked up to me to ask about the backpack. "Is that the backpack from the 2006 JavaOne Conference?"
"Actually, I believe it is from last year's conference." I answered.
"Hmmm. I don't think so. Let me check." Out came his iPhone and the gent started scrolling.
"Tell me you have a picture of every JavaOne backpack on your iPhone?" I asked.
"Kind of geeky," he stated sheepishly.
He showed me the screen of his iPhone and I said, "Considering you have a picture of the backpack with a Post-It attached that reads 06?, I will take your word that it is from two years ago."
"Actually, I did that last night from memory so you could be right."
"Last night?"
"Yea. I felt the need to organize my swag."
SPOTTED: Shripad Pakti and Diann Olden checking out the Pavilion
People and their swag. I couldn't even keep count of how many spinners asked me for an extra commuter mug or a second dangling sea anemone because they have two kids who will fight over it. (Believe me, no child was hurt over a dangling sea anemone.)
SWAG ALERT: GOOD Google t-shirt
SPOTTED: JohnD, John Spencer, and Scott Carver checking out the Pavilion on Sun employee night.
SWAG ALERT: Ericsson yo-yo with enough string for a three foot tall person
By the time my two days of spinning and swagging were finished I was ready for a long weekend. While walking to Muni, I ignored a man playing a long, brass instrument for change in the subway underpass. It sounded like a clarinet but was NOT a clarinet and he was playing badly. Or maybe I had just given too much already.
OK, I'll give one more thing: a look at Dame Shirley Bassey hitting the notes in her version of Spinning Wheel.
Posted at 2008-05-12 14:27:12.0 from DocTeger
Sun Identity Team Challenges PING, IBM, ORACLE, CA and Microsoft
OK Identity Competitors!
We had our video battle warm-up with the scrappy Ping Identity a few months ago, but now we challenge you to a little game called IDENTITY HERO!
My teammates at Sun believe that they can rescue more identity enterprises than our competitors. Let's throw down and see who can claim the highest score!!!
BOOOYAH!!!
Posted at 2008-05-09 13:00:33.0 from Virtual Daniel
OpenSSO at JavaOne
Marina is covering JavaOne 2008 for the Sun Developer Network - she's written a review of our Monday OpenSSO session, which also appears in today's 'JavaOne Today' newspaper. Lucas Jellema at AMIS Technology also wrote a nice review, even including a screenshot of OpenSSO.
If you're at JavaOne, come along to the Sun stand in the pavilion - we're on pod 181, just under the poster of an old geezer with a red pickup. I'll be here today (Wednesday) and tomorrow (Thursday) from 11am to 2pm, but feel free to stop by any time the pavilion is open for a demo and a chat.
Posted at 2008-05-07 11:25:14.0 from Superpatterns
Policy Agent Configuration with Agent 99
famadm command line interface.
To set the configuration on the command line, use famadm to set the new property (see table below) com.sun.identity.agents.config.repository.location with a value equal to local. (The default value is centralized.)
The console uses human-readable property labels rather than the programmatic property names; for example, com.sun.identity.agents.config.login.url is displayed as FAM Login URL in the console. When using famadm for configuration, you need to use the 3.0 property names. For version 3.0 web agents, the property names have been changed; for J2EE agents, the property names for 2.2 and 3.0 are the same. Following is a mapping of the old and new web agent properties.
| Old Name | New Name |
| --- | --- |
| com.sun.am.naming.url | com.sun.identity.agents.config.naming.url |
| com.sun.am.log.level | com.sun.identity.agents.config.log.level |
| com.sun.am.policy.agents.config.local.log.file | com.sun.identity.agents.config.local.logfile |
| com.sun.am.policy.am.username | com.sun.identity.agents.config.username |
| com.sun.am.policy.am.password | com.sun.identity.agents.config.password |
| com.sun.am.sslcert.dir | com.sun.identity.agents.config.sslcert.dir |
| com.sun.am.certdb.prefix | com.sun.identity.agents.config.certdb.prefix |
| com.sun.am.certdb.password | com.sun.identity.agents.config.certdb.password |
| com.sun.am.auth.certificate.alias | com.sun.identity.agents.config.certificate.alias |
| com.sun.am.trust_server_certs | com.sun.identity.agents.config.trust.server.certs |
| com.sun.am.receive_timeout | com.sun.identity.agents.config.receive.timeout |
| com.sun.am.connect_timeout | com.sun.identity.agents.config.connect.timeout |
| com.sun.am.tcp_nodelay.enable | com.sun.identity.agents.config.tcp.nodelay.enable |
| com.sun.am.policy.am.login.url | com.sun.identity.agents.config.login.url |
| com.sun.am.cookie.name | com.sun.identity.agents.config.cookie.name |
| com.sun.am.cookie.secure | com.sun.identity.agents.config.cookie.secure |
| com.sun.am.policy.agents.config.local.log.rotate | com.sun.identity.agents.config.local.log.rotate |
| com.sun.am.policy.agents.config.local.log.size | com.sun.identity.agents.config.local.log.size |
| com.sun.am.policy.agents.config.audit.accesstype | com.sun.identity.agents.config.audit.accesstype |
| com.sun.am.policy.agents.config.remote.log | com.sun.identity.agents.config.remote.logfile |
| com.sun.am.policy.agents.config.deny_on_log_failure | com.sun.identity.agents.config.deny.access.log.failure |
| com.sun.am.notification.enable | com.sun.identity.agents.config.notification.enable |
| com.sun.am.policy.am.url_comparison.case_ignore | com.sun.identity.agents.config.url.comparison.case.ignore |
| com.sun.am.policy.am.polling.interval | com.sun.identity.agents.config.policy.cache.polling.interval |
| com.sun.am.sso.polling.period | com.sun.identity.agents.config.sso.cache.polling.interval |
| com.sun.am.policy.am.userid.param | com.sun.identity.agents.config.userid.param |
| com.sun.am.policy.am.userid.param.type | com.sun.identity.agents.config.userid.param.type |
| com.sun.am.policy.agents.config.profile.attribute.fetch.mode | com.sun.identity.agents.config.profile.attribute.fetch.mode |
| com.sun.am.policy.agents.config.profile.attribute.map | com.sun.identity.agents.config.profile.attribute.mapping |
| com.sun.am.policy.agents.config.session.attribute.fetch.mode | com.sun.identity.agents.config.session.attribute.fetch.mode |
| com.sun.am.policy.agents.config.session.attribute.map | com.sun.identity.agents.config.session.attribute.mapping |
| com.sun.am.policy.agents.config.response.attribute.fetch.mode | com.sun.identity.agents.config.response.attribute.fetch.mode |
| com.sun.am.policy.agents.config.response.attribute.map | com.sun.identity.agents.config.response.attribute.mapping |
| com.sun.am.load_balancer.enable | com.sun.identity.agents.config.load.balancer.enable |
| com.sun.am.policy.agents.config.agenturi.prefix | com.sun.identity.agents.config.agenturi.prefix |
| com.sun.am.policy.agents.config.locale | com.sun.identity.agents.config.locale |
| com.sun.am.policy.agents.config.do_sso_only | com.sun.identity.agents.config.sso.only |
| com.sun.am.policy.agents.config.accessdenied.url | com.sun.identity.agents.config.access.denied.url |
| com.sun.am.policy.agents.config.fqdn.check.enable | com.sun.identity.agents.config.fqdn.check.enable |
| com.sun.am.policy.agents.config.fqdn.default | com.sun.identity.agents.config.fqdn.default |
| com.sun.am.policy.agents.config.fqdn.map | com.sun.identity.agents.config.fqdn.mapping |
| com.sun.am.policy.agents.config.cookie.reset.enable | com.sun.identity.agents.config.cookie.reset.enable |
| com.sun.am.policy.agents.config.cookie.reset.list | com.sun.identity.agents.config.cookie.reset |
| com.sun.am.policy.agents.config.cookie.domain.list | com.sun.identity.agents.config.cookie.domain |
| com.sun.am.policy.agents.config.anonymous_user | com.sun.identity.agents.config.anonymous.user.id |
| com.sun.am.policy.agents.config.anonymous_user.enable | com.sun.identity.agents.config.anonymous.user.enable |
| com.sun.am.policy.agents.config.notenforced_list | com.sun.identity.agents.config.notenforced.url |
| com.sun.am.policy.agents.config.notenforced_list.invert | com.sun.identity.agents.config.notenforced.url.invert |
| com.sun.am.policy.agents.config.notenforced_client_ip_list | com.sun.identity.agents.config.notenforced.ip |
| com.sun.am.policy.agents.config.ignore_policy_evaluation_if_notenforced | com.sun.identity.agents.config.notenforced.url.attributes.enable |
| com.sun.am.policy.agents.config.postdata.preserve.enable | com.sun.identity.agents.config.postdata.preserve.enable |
| com.sun.am.policy.agents.config.postcache.entry.lifetime | com.sun.identity.agents.config.postcache.entry.lifetime |
| com.sun.am.policy.agents.config.client_ip_validation.enable | com.sun.identity.agents.config.client.ip.validation.enable |
| com.sun.am.policy.agents.config.profile.attribute.cookie.prefix | com.sun.identity.agents.config.profile.attribute.cookie.prefix |
| com.sun.am.policy.agents.config.profile.attribute.cookie.maxage | com.sun.identity.agents.config.profile.attribute.cookie.maxage |
| com.sun.am.policy.agents.config.cdsso.enable | com.sun.identity.agents.config.cdsso.enable |
| com.sun.am.policy.agents.config.cdcservlet.url | com.sun.identity.agents.config.cdsso.cdcservlet.url |
| com.sun.am.policy.agents.config.logout.url | com.sun.identity.agents.config.logout.url |
| com.sun.am.policy.agents.config.logout.cookie.reset.list | com.sun.identity.agents.config.logout.cookie.reset |
| com.sun.am.policy.am.fetch_from_root_resource | com.sun.identity.agents.config.fetch.from.root.resource |
| com.sun.am.policy.agents.config.get_client_host_name | com.sun.identity.agents.config.get.client.host.name |
| com.sun.am.policy.agents.config.convert_mbyte.enable | com.sun.identity.agents.config.convert.mbyte.enable |
| com.sun.am.policy.agents.config.encode_url_special_chars.enable | com.sun.identity.agents.config.encode.url.special.chars.enable |
| com.sun.am.policy.agents.config.ignore_path_info | com.sun.identity.agents.config.ignore.path.info |
| com.sun.am.policy.agents.config.override_protocol | com.sun.identity.agents.config.override.protocol |
| com.sun.am.policy.agents.config.override_host | com.sun.identity.agents.config.override.host |
| com.sun.am.policy.agents.config.override_port | com.sun.identity.agents.config.override.port |
| com.sun.am.policy.agents.config.override_notification.url | com.sun.identity.agents.config.override.notification.url |
| com.sun.am.policy.agents.config.connection_timeout | com.sun.identity.agents.config.connection.timeout |
| com.sun.am.ignore_server_check | com.sun.identity.agents.config.ignore.server.check |
| com.sun.am.poll_primary_server | com.sun.identity.agents.config.poll.primary.server |
| com.sun.am.ignore.preferred_naming_url | com.sun.identity.agents.config.ignore.preferred.naming.url |
| com.sun.am.policy.agents.config.proxy.override_host_port | com.sun.identity.agents.config.proxy.override.host.port |
| com.sun.am.policy.agents.config.domino.check_name_database | com.sun.identity.agents.config.domino.check.name.database |
| com.sun.am.policy.agents.config.iis.auth_type | com.sun.identity.agents.config.iis.auth.type |
| com.sun.am.replaypasswd.key | com.sun.identity.agents.config.replaypasswd.key |
| com.sun.am.policy.agents.config.iis.filter_priority | com.sun.identity.agents.config.iis.filter.priority |
| com.sun.am.policy.agents.config.iis.owa_enabled | com.sun.identity.agents.config.iis.owa.enable |
| com.sun.am.policy.agents.config.iis.owa_enabled_change_protocol | com.sun.identity.agents.config.iis.owa.enable.change.protocol |
| com.sun.am.policy.agents.config.iis.owa_enabled_session_timeout_url | com.sun.identity.agents.config.iis.owa.enable.session.timeout.url |
| NEW | com.sun.identity.agents.config.repository.location |
| NEW | com.sun.identity.agents.config.freeformproperties |
| NEW | com.sun.identity.agents.config.polling.interval |
| NEW | com.sun.identity.agents.config.cleanup.interval |
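Because famadm only understands the 3.0 names, a 2.2-era web agent AMAgent.properties has to be renamed key by key before its values can be fed to the central profile. The script below is an added example, not part of OpenSSO or FAM: it parses a Java-style properties file, renames the keys it knows, reports keys it cannot map, and flags a few settings from the table whose weak values deserve a second look before the profile goes live. OLD_TO_NEW holds only a subset of the rows above (extend it from the table), the sample file is constructed, and the audit rules are this example's own.

```python
"""Rename 2.2 web agent properties to their 3.0 equivalents and audit them.

Added example, not OpenSSO/FAM code. OLD_TO_NEW is a subset of the mapping
table in the post; SAMPLE_22 is a constructed input, not a real deployment.
"""

OLD_TO_NEW = {
    "com.sun.am.naming.url": "com.sun.identity.agents.config.naming.url",
    "com.sun.am.policy.am.login.url": "com.sun.identity.agents.config.login.url",
    "com.sun.am.policy.am.username": "com.sun.identity.agents.config.username",
    "com.sun.am.policy.am.password": "com.sun.identity.agents.config.password",
    "com.sun.am.trust_server_certs": "com.sun.identity.agents.config.trust.server.certs",
    "com.sun.am.cookie.name": "com.sun.identity.agents.config.cookie.name",
    "com.sun.am.cookie.secure": "com.sun.identity.agents.config.cookie.secure",
    "com.sun.am.policy.agents.config.deny_on_log_failure":
        "com.sun.identity.agents.config.deny.access.log.failure",
    "com.sun.am.policy.agents.config.notenforced_list":
        "com.sun.identity.agents.config.notenforced.url",
    "com.sun.am.policy.agents.config.notenforced_list.invert":
        "com.sun.identity.agents.config.notenforced.url.invert",
    "com.sun.am.policy.agents.config.client_ip_validation.enable":
        "com.sun.identity.agents.config.client.ip.validation.enable",
    "com.sun.am.policy.agents.config.fqdn.check.enable":
        "com.sun.identity.agents.config.fqdn.check.enable",
}

# Values that weaken the agent; the rules are this example's own reading of
# the property names, applied after renaming so they use the 3.0 keys.
WEAK_SETTINGS = {
    "com.sun.identity.agents.config.trust.server.certs":
        ("true", "agent trusts any server certificate; validate the OpenSSO server cert instead"),
    "com.sun.identity.agents.config.cookie.secure":
        ("false", "SSO cookie is not marked Secure and can travel over plain HTTP"),
    "com.sun.identity.agents.config.deny.access.log.failure":
        ("false", "requests are still allowed when audit logging fails"),
}

SAMPLE_22 = """\
# constructed 2.2-style AMAgent.properties excerpt, not a real deployment
com.sun.am.naming.url = http://opensso.example.com:8080/opensso/namingservice
com.sun.am.policy.am.login.url = http://opensso.example.com:8080/opensso/UI/Login
com.sun.am.trust_server_certs = true
com.sun.am.cookie.secure = false
com.sun.am.policy.agents.config.deny_on_log_failure = false
com.sun.am.policy.agents.config.some_unknown = x
"""


def parse_properties(text):
    """Parse key=value lines in order; comments (# or !) and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def migrate(old_props, mapping=OLD_TO_NEW):
    """Return (renamed properties, keys with no known 3.0 name).

    Keys already in the 3.0 namespace pass through unchanged."""
    new_props, unmapped = {}, []
    for key, value in old_props.items():
        if key in mapping:
            new_props[mapping[key]] = value
        elif key.startswith("com.sun.identity.agents.config."):
            new_props[key] = value
        else:
            unmapped.append(key)
    return new_props, unmapped


def audit(props):
    """List 3.0 properties whose current value matches a WEAK_SETTINGS rule."""
    return [f"{key}={props[key]}: {why}"
            for key, (bad, why) in WEAK_SETTINGS.items()
            if props.get(key, "").lower() == bad]


def render(props):
    """Sorted key=value lines, ready to paste into a famadm property update."""
    return [f"{key}={value}" for key, value in sorted(props.items())]


if __name__ == "__main__":
    new, unmapped = migrate(parse_properties(SAMPLE_22))
    print("\n".join(render(new)))
    print("unmapped:", unmapped)
    print("\n".join(audit(new)))
```

Unmapped keys are reported rather than silently dropped, since a key with no 3.0 name is either a typo in the old file or a property that needs to go into com.sun.identity.agents.config.freeformproperties by hand.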
Posted at 2008-05-02 14:57:25.0 from DocTeger
OpenSSO Fedlet Roundup
As I mentioned on my blog yesterday, if you're following OpenSSO at all, you can't have failed to notice the recent chat around the Fedlet, a nifty mechanism for federation-enabling web applications. Briefly, the 'Fedlet' is a package that a SAML 2.0 identity provider can create to quickly federation-enable a small service provider. If you're trying to federation-enable a single web application, you need the Fedlet.
Here is the buzz:
• Watch the FEDLET Now! REALLY! - Daniel Raskin
• Federation in the diminutive - Eve Maler
• The Fedlet has Arrived - Mark Dixon
• Latest news on the Fedlet - Mark Herring
• The Fedlet Is in the Latest OpenSSO Build - Tatsuo Kudo
• Fedlet comes out with a (Head) Bang - Derrick Harcey
• How to Efficiently Accomplish Identity Federation With Fedlets - Marina Sum
• Finally...The Fedlet has Arrived - Daniel Tse
• The Fedlet - Sun Identity Buzz Episode - Michael Coté
• The Fedlet: Federated SSO Made Easy - Enrico Bianco
I'll be presenting OpenSSO and the Fedlet at CommunityOne on Monday May 5 2008 at 4pm in Hall E 135. As you must be aware by now, CommunityOne is free of charge to attend, though you do need to register. See you there!
Posted at 2008-05-02 14:00:00.0 from The Aquarium
Simple Federation meets The Federation Validator
My goal in life, besides world peace, is to make federation so simple my 15-month-old child, Taro, can do it. Now that's a lofty goal, but we're making progress towards it in Federated Access Manager 8. To give you a preview, I've prepared a screencast that shows the following:
* Configuring an Identity Provider (IDP)
* Configuring a Service Provider (SP)
* Creating a Circle of Trust between the IDP and SP
* Validating the federated connection
The goal is to give you an idea of how simple federation has become. Keep in mind, I'm marketing and I can do it. I'm also not one of those converts from engineering to marketing (light-side to dark-side), but rather come from a business background and have a BA in Public Affairs. In short, this stuff is not designed for identity experts, but rather dimwits like myself.
As always you can check all of this out for yourself at www.opensso.org. Enjoy the demo . . .
Posted at 2008-05-01 18:03:00.0 from Virtual Daniel
The Fedlet Lives!!!
If you're following OpenSSO at all, you can't have failed to notice the recent buzz around the Fedlet - from Daniel (complete with screencast), Eve, Mark D, Mark H, Tatsuo, Derrick, Marina and Daniel at Sun to Coté at RedMonk and Enrico at Tenthline.
Briefly, the 'Fedlet' is a package that a SAML 2.0 identity provider can create to quickly federation-enable a small service provider. The idea is that, if you're running a single web application, you're not going to want to deploy a whole 'nother server to run a standalone service provider. What you want is a little package of code and configuration to federation-enable your web app. You want the Fedlet.
I've been wrapped up in demos and travel for the past month or so, so I haven't had much of a chance to play with the Fedlet. Since I'm planning to demo it in my session at CommunityOne on Monday, I thought I'd better do so - I set aside this afternoon to get it working. Turns out I was a little pessimistic there - here's what I did, in less than an hour:
- Update from OpenSSO CVS (cvs -q update -dP)
- Cleaned out previous build detritus and built the WAR file (ant clean && ant server-war)
- Deployed onto Glassfish (don't forget to change GF's -client JVM option to -server, as detailed in the release notes!)
- Pointed Flock (my preferred web browser du jour) at the newly deployed OpenSSO at http://demo.example.com:8000/opensso (I alias demo.example.com to 127.0.0.1 in /etc/hosts), configured OpenSSO to use the embedded OpenDS instance for its configuration and user stores.
- Logged in as amadmin, created a SAML 2.0 identity provider and a Fedlet.
- Unzipped the Fedlet, deployed it into Glassfish.
- Ran the Federation validator to check that SSO is operational.
And...
When you spend your time in the weeds of a project, you always half expect any given step to fail due to some issue or another. Perhaps some recent fix destabilized something; perhaps some errant process has eaten my laptop's memory; whatever. So it was extremely gratifying when all of the above passed off without a hitch. I won't tell you what I muttered under my breath as the federation validator completed and gave me the thumbs up, but the second word was "cool!"
Posted at 2008-05-01 15:19:37.0 from Superpatterns
OpenSSO Workshop @ CommunityOne
Howdy Peoples!
Next week is JavaOne and there is a lot of excitement brewing around Sun. In the world of identity we're gearing up to host a workshop titled "OpenSSO: Creating Federated Relationships with Software as a Service, Social Networking, and Web 2.0 Applications" on Monday May 5 at 4pm in Hall E 135. This session is part of CommunityOne, which is free of charge to attend. All you need to do is register. See you there!
Posted at 2008-04-29 16:12:19.0 from Virtual Daniel
CommunityOne OpenSSO Session - Monday May 5, 4pm, E135
I mentioned our upcoming CommunityOne session back when I posted my Spring/Summer schedule; now I have a time and place, since the CommunityOne schedule was just published. We'll be presenting "OpenSSO Workshop: Creating Federated Relationships with Software as a Service, Social Networking, and Web 2.0 Applications" on Monday May 5 at 4pm in Hall E 135.
By the way, CommunityOne is free of charge to attend, though you do need to register. See you there!
Posted at 2008-04-28 14:38:31.0 from Superpatterns
OpenSSO @ FISL 9.0
Nice pic of me kicking off my OpenSSO preso at FISL - thanks, boaglio!
Posted at 2008-04-28 10:06:45.0 from Superpatterns
Sticky Cookies and Sticky Fingers
com.iplanet.am.lbcookie property to the name of the cookie; amlbcookie is the default name of the sticky cookie. When cookie stickiness is enabled, you will get better performance from OpenSSO by avoiding back channel communications, and the OpenSSO console will work properly behind the load balancer. More information on cookies and sticky sessions can be found in the official Access Manager 7.1 documentation.
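The performance point in the paragraph above, that a sticky cookie lets the load balancer return a user to the server that holds the session instead of forcing a back-channel lookup, is easy to see in a small simulation. This is an added example, not OpenSSO code: the two server names, the round-robin balancer, the in-memory session table and the token value are constructed; amlbcookie is the default sticky cookie name from the post, and each server stamping its own name into it is this model's simplification of the real server-id value.

```python
"""Simulate cookie stickiness in front of two OpenSSO servers.

Added example, not OpenSSO's own code. Servers, balancer and token are
constructed; the sticky cookie is amlbcookie as in the post. Without
stickiness, requests that land on the "wrong" server trigger a back-channel
lookup of the session on its peer.
"""
import itertools

LB_COOKIE = "amlbcookie"
SSO_COOKIE = "iPlanetDirectoryPro"  # OpenSSO's default SSO token cookie name


class Server:
    def __init__(self, name):
        self.name = name
        self.sessions = {}              # sso token -> user
        self.backchannel_lookups = 0    # sessions we had to fetch from a peer

    def login(self, user, token):
        """Create the session locally and set both cookies on the response."""
        self.sessions[token] = user
        # in this model the server writes its own name into the sticky cookie
        return {SSO_COOKIE: token, LB_COOKIE: self.name}

    def validate(self, token, cluster):
        """Return the session's user; ask peers if the session is not local."""
        if token in self.sessions:
            return self.sessions[token]
        self.backchannel_lookups += 1
        for peer in cluster:
            if peer is not self and token in peer.sessions:
                return peer.sessions[token]
        return None


class LoadBalancer:
    def __init__(self, servers, sticky):
        self.sticky = sticky
        self.round_robin = itertools.cycle(servers)
        self.by_name = {s.name: s for s in servers}

    def route(self, cookies):
        """Honour amlbcookie when stickiness is on; otherwise round-robin."""
        if self.sticky and cookies.get(LB_COOKIE) in self.by_name:
            return self.by_name[cookies[LB_COOKIE]]
        return next(self.round_robin)


def run(sticky, requests=10):
    """Log in once, make `requests` validated calls, return total back-channel lookups."""
    servers = [Server("server01"), Server("server02")]
    lb = LoadBalancer(servers, sticky)
    cookies = lb.route({}).login("alice", "AQIC5w-constructed-token")
    for _ in range(requests):
        user = lb.route(cookies).validate(cookies[SSO_COOKIE], servers)
        assert user == "alice", "session must resolve either way; only the cost differs"
    return sum(s.backchannel_lookups for s in servers)


if __name__ == "__main__":
    print("back-channel lookups without stickiness:", run(sticky=False))  # 5
    print("back-channel lookups with stickiness:   ", run(sticky=True))   # 0
```

The session resolves correctly in both runs; what stickiness removes is the cross-server traffic, which is also why console pages that assume they keep talking to one server behave properly behind the balancer only when the sticky cookie is honoured.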
And since sticky cookies give you sticky fingers, here's a live video of The Rolling Stones singing a song (which shall remain nameless in this entry) from their 1971 LP, Sticky Fingers.
Posted at 2008-04-28 08:14:43.0 from DocTeger
Identity Buzz Podcast: The Fedlet and light-weight federation
Last week, I joined RedMonk's Michael Coté and Brandon Whichard on the Identity Buzz podcast. We talked about The Fedlet, a small, light-weight way to get identity federation set up with Sun tools. Click on the link below to listen and enjoy!
Download the episode directly here, or subscribe to the RSS feed in iTunes or other podcatcher to have it auto-downloaded.
Posted at 2008-04-24 11:09:41.0 from Virtual Daniel
Centralized Agent Configuration and Eurovision
AMAgent.properties file that resides on the same machine as the agent. With centralized agent configuration, OpenSSO moves most of the agent configuration properties to the configuration data store.
Agent profiles can be configured to store properties locally (on the machine to which the agent was deployed) or centrally (in the configuration data store), making this new function compatible with both older 2.x agents and newer 3.0 agents. Agent configuration data is now relegated to the following:
- FAMAgentBootstrap.properties* contains bootstrap data and is stored on the agent machine. This file indicates the location from where the configuration properties need to be retrieved. It is used by agent profiles configured locally or centrally.
- FAMAgentConfiguration.properties* contains local configuration data and is stored on the agent machine. It is only used by agent profiles configured locally.
- The configuration data store holds the remainder of the agent configuration data.
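The split just listed (bootstrap file always read from the agent host, and com.sun.identity.agents.config.repository.location deciding whether the rest comes from FAMAgentConfiguration.properties or from the configuration data store) is the resolution step an agent performs at start-up. The loader below is an added example, not the agent's own code: the configuration data store is a dict keyed by agent profile name, the agent name is passed in explicitly, and the sample bootstrap and configuration contents are constructed.

```python
"""Resolve an agent's effective configuration from its bootstrap file.

Added example, not the FAM/OpenSSO agent loader. The central store is a
plain dict standing in for the configuration data store; the sample files
below are constructed, not taken from a real deployment.
"""

REPO_KEY = "com.sun.identity.agents.config.repository.location"

BOOT_LOCAL = "com.sun.identity.agents.config.repository.location = local\n"
BOOT_CENTRAL = "com.sun.identity.agents.config.repository.location = centralized\n"
LOCAL_CFG = """\
# constructed FAMAgentConfiguration.properties excerpt
com.sun.identity.agents.config.login.url = http://opensso.example.com:8080/opensso/UI/Login
com.sun.identity.agents.config.cookie.secure = true
"""
CENTRAL_STORE = {  # constructed: agent profile name -> properties held centrally
    "webagent01": {
        "com.sun.identity.agents.config.login.url":
            "http://opensso.example.com:8080/opensso/UI/Login",
        "com.sun.identity.agents.config.cookie.secure": "true",
    },
}


def parse(text):
    """Minimal key=value parser for the two properties files; comments skipped."""
    return dict(
        (key.strip(), value.strip())
        for key, sep, value in (line.partition("=") for line in text.splitlines())
        if sep and key.strip() and not key.lstrip().startswith(("#", "!"))
    )


def load_agent_config(bootstrap_text, local_text=None, central_store=None, agent_name=None):
    """Read the bootstrap file first, then pull the remaining properties from
    wherever repository.location points. Returns the source and the properties."""
    bootstrap = parse(bootstrap_text)
    location = bootstrap.get(REPO_KEY, "centralized").lower()  # centralized is the default

    if location == "local":
        if local_text is None:
            raise FileNotFoundError(
                "repository.location=local but FAMAgentConfiguration.properties is missing")
        return {"source": "FAMAgentConfiguration.properties",
                "bootstrap": bootstrap, "config": parse(local_text)}

    if location == "centralized":
        if not central_store or agent_name not in central_store:
            raise LookupError(f"no agent profile {agent_name!r} in the configuration data store")
        return {"source": "configuration data store",
                "bootstrap": bootstrap, "config": dict(central_store[agent_name])}

    raise ValueError(f"unknown repository location {location!r}")


if __name__ == "__main__":
    print(load_agent_config(BOOT_LOCAL, local_text=LOCAL_CFG)["source"])
    print(load_agent_config(BOOT_CENTRAL, central_store=CENTRAL_STORE,
                            agent_name="webagent01")["source"])
```

The two failure branches are deliberate: an agent whose bootstrap says local but has no local configuration file, or whose profile is absent from the store, should refuse to start rather than run with an empty policy set.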
Now that you've got an idea about centralized agent configuration in OpenSSO, how about checking out the Icelandic entry in Eurovision 2008. Here's Euroband singing This Is My Life.
*UPDATE: Thanks to Sean for the properties files update.
Posted at 2008-04-24 09:49:38.0 from DocTeger
The Fedlet Is in the Latest OpenSSO Build
The Fedlet I mentioned earlier is finally usable in recent OpenSSO builds.
From what I tried:
- From OpenSSO's Common Tasks, run Create Hosted Identity Provider to set up the identity provider (IdP) that will be the Fedlet's parent
- Continuing from there, run Create Fedlet, specify the details (URL and so on) of the service provider (SP) where the Fedlet will be deployed, and generate a Fedlet.zip packed with that SP's specific configuration
- Extract fedlet.war from the freshly generated Fedlet.zip and deploy it to the application server on the SP side
- Connectivity test between the IdP and the SP
With that, you can easily set up a "SAML endpoint" on the SP side, which impressed me a bit. OpenSSO with the Fedlet can be downloaded from the link below.
Posted at 2008-04-24 01:46:57.0 from tkudo's weblog
UPDATED: Watch the FEDLET Now! REALLY!
OK. Had some video problems, but here it is. REALLY!
You've been patient. You've survived our teaser campaigns. As promised, you've earned the privilege to see the fedlet. So . . . sit back, pour yourself a glass of wine (or a shot of Jägermeister) and enjoy an overview of THE FEDLET.
Posted at 2008-04-22 17:17:54.0 from Virtual Daniel
The FAM Technical Overview and the Shuttered Palace
Posted at 2008-04-22 14:46:28.0 from DocTeger
CommunityOne, Second Life and Three Dog Night
- CommunityOne is coming on May 5, 2008. This FREE open-source conference is piggy-fronted on the Monday before JavaOne begins. There are many, many workshops and sessions to choose from. Those that might interest users of OpenSSO include:
- Getting Started with OpenDS
- Glassfish Status and Roadmap
- A full day of sessions on NetBeans
- Building a Web-Scale Open Source High-Performance Computing Stack
- and of course our very own SuperPat has an OpenSSO workshop scheduled with Daniel Raskin and Nick Wooler called Creating Federated Relationships with Software as a Service, Social Networking, and Web 2.0 Applications
- Second Life is a three-dimensional virtual world. Sun Microsystems now has a few islands in Second Life and is planning a big employee party on April 29. (Sorry non-Sun employees. The party though is only on one of Sun's islands; the other islands are open to all.) I'm not a gamer so I don't usually play around with these types of things, but I am attending the employee party. I've already created my avatar - which took forever to finish and looks as much like me as a cartoon character can. Sun employees only can check out the internal web site, but everyone can follow along at the external virtual worlds blog.
- And to turn this couplet into a triumverate, here's a video of Three Dog Night singing Out in the Country. Sad how relevant this song is today, almost forty years after it was initially written.
Posted at 2008-04-21 08:26:45.0 from DocTeger
Slides from OpenSSO Presentation at FISL 9.0 - April 19 2008
As promised, here are the slides to my presentation this evening at FISL 9.0. I've had a great time here in Brazil - wonderful people, fabulous food and kicking cachaça. I'll definitely be back sometime in the future.
Posted at 2008-04-19 15:29:58.0 from Superpatterns
Fetching User Attributes With Identity Services
As I just blogged over at The Aquarium, Aravindan, Lakshman and Marina just published part 3 of their series on the new identity services functionality available now in OpenSSO and coming soon in Sun Federated Access Manager 8.0: Securing Applications With Identity Services, Part 3: User Attributes.
User attributes are key for delivering personalized services, and are often the main reason for authenticating the user in the first place. Go read the article - whether you're a RESTafarian or on the SOAPy side - you can quickly and easily put OpenSSO's identity services to work.
Posted at 2008-04-18 19:31:19.0 from Superpatterns
Fetching User Attributes With Identity Services
Over the past few months, Aravindan Ranganathan, Lakshman Abburi and Marina Sum have been working on a series of articles covering the new identity services functionality available now in OpenSSO and coming soon in Sun Federated Access Manager 8.0. This week sees the publication of part 3, covering retrieval of user attributes. One notable feature of the series is its presentation of both SOAP/WSDL and REST patterns for accessing OpenSSO's identity services. Which do you use, and why?
Posted at 2008-04-18 19:02:18.0 from The Aquarium
Living with Sun Open-Source - OpenSSO
This will only be useful if you know MUCH more Japanese than I do, but here's Yasushi Iwakata introducing OpenSSO at a Java Hot-Topic Seminar in Tokyo, as blogged by Takayuki Okazaki:
You'll be able to download the slides soon - I'll update this entry with the link.
As he mentions in the video, Iwakata-san has also been working on an OpenSSO Extension for Hitachi Finger Vein Authentication. You can find the code in the OpenSSO CVS at opensso/extensions/authnhfvb, or browse it online. I'll write more about this extension when I get back home from Brazil.
Posted at 2008-04-18 07:45:20.0 from Superpatterns
Federated Access Management Simplified
Third in Sun Developer Network tech author Marina Sum's series of interviews with Sun's identity team is Daniel Raskin, senior product line manager for access and federation management at Sun. Daniel lifts the lid on some of the cool new features coming up in Sun Federated Access Manager 8.0 (and, of course, available NOW in OpenSSO) specifically designed to simplify federation deployments, including Fedlets, Virtual Federation, the Federation Validator and more.
Posted at 2008-04-16 12:49:37.0 from The Aquarium
Spring/Summer 2008 Event Calendar
A packed schedule over the next few months - I'll be spreading the OpenSSO gospel on three continents:
| Date | Location | Talk |
| --- | --- | --- |
| April 19 (this coming Saturday!) | Porto Alegre, Brazil | Open Source Identity Integration with OpenSSO |
| May 5 | San Francisco, CA | OpenSSO Workshop: Creating Federated Relationships with Software as a Service, Social Networking, and Web 2.0 Applications. I'll also be attending JavaOne 2008, May 6-9 at the same location. |
| May 12-14 | Mountain View, CA | I'll probably do a session on the Fedlet. |
| June 25 | Zurich, Switzerland | Who's On The Other End of the Wire? Identity-Enabling Java Web Applications with OpenSSO |
| July 4 | Mont-de-Marsan, France | Open Source Identity Integration with OpenSSO |
I'll also be at the Liberty Alliance plenary meeting in Stockholm, Sweden from July 8-10. Then I'll be taking a much-needed vacation!
Posted at 2008-04-16 10:54:33.0 from Superpatterns
Using the amunixd Daemon and Me
amunixd, which opens a socket to localhost:58946 in order to listen for Unix authentication requests. It is a separate process from the FAM process. At startup, this daemon listens on a port for configuration information.
The syntax was documented incorrectly for Access Manager 7.1; this entry takes the information from the filed bug to rectify that faux pas. The correct syntax for amunixd is:
amunixd -i #-of-addrs -a ipaddr-1 -a ipaddr-2 ... -a ipaddr-N
In an instance of Federated Access Manager deployed in a web container, amunixd can be found in any of the following directories:
- /fam/tools/helpers/bin
- /fam/tools/helpers/sparc
- /fam/tools/helpers/x86
amunixd or, if you'd like to, use something else - as Bill Withers so eloquently sings in the video below.
Posted at 2008-04-16 08:03:15.0 from DocTeger
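The documented syntax ties the `-i` count to the number of `-a` addresses, and a mismatch is an easy mistake to make when the list is edited by hand. The following shell helper is an added example (not from the original post or the FAM tools) that builds the argument list from a set of IPv4 addresses so the count is always right and rejects anything that is not a dotted-quad address; the addresses in the usage comment are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): build the amunixd argument
# list from a set of IPv4 addresses so that the -i count always matches the
# number of -a entries, and reject anything that is not a dotted-quad address.

# valid_ipv4 ADDR: return 0 if ADDR is four decimal octets, each in 0..255.
valid_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# amunixd_args ADDR...: print "-i N -a ADDR1 ... -a ADDRN" on stdout,
# or return 1 (with a message on stderr) if any address is malformed.
amunixd_args() {
  [ $# -ge 1 ] || { echo "amunixd_args: at least one address is required" >&2; return 1; }
  args="-i $#"
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "amunixd_args: invalid IPv4 address: $ip" >&2; return 1; }
    args="$args -a $ip"
  done
  printf '%s\n' "$args"
}

# Usage with constructed placeholder addresses (loopback plus one server host):
# amunixd $(amunixd_args 127.0.0.1 192.0.2.10)
```

Keep the address list to the hosts that actually need to reach the daemon; since it binds to localhost:58946, loopback alone is usually enough for a single-host deployment.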
SDC IdM Series (11): Getting Started with SAML 2.0 Using OpenSSO (Part 2)
So, as announced last time, this month's installment of the SDC series "Fundamentals and Applications of Identity Management" delivers the joy of deciphering the SAML messages that flow between the IdP, the SP and the browser.
Using the OpenSSO "SAML2 sample" set up last time, we will verify the behavior of identity federation with SAML 2.0 and, likewise, of federated single sign-on (SSO).
Fundamentals and Applications of Identity Management (11): Trying Out OpenSSO's SAML Features (2/2)
It's a bit awkward to say this after having written it, but the article skips over much of the explanation of SAML itself, so when you actually try OpenSSO's "SAML2 sample" I think it's best to work through it with the following at hand.
- The "Messages" and "Privacy" sections of "A freewheeling introduction to SAML - snippets from shinichitomita's journal"
- Slide #22 onward of the first Liberty Alliance technical seminar, "SAML 2.0 Identity Federation Technology"
Posted at 2008-04-15 22:03:43.0 from tkudo's weblog
From the Trenches - Daniel Raskin on Simplifying Federated Access Management
Tech author Marina Sum over at Sun Developer Network continues her series of interviews; this time in the hot seat is Daniel Raskin, senior product line manager for access and federation management at Sun.
In the interview, Daniel lifts the lid on some of the cool new features coming up in Sun Federated Access Manager 8.0 (and, of course, available NOW in OpenSSO), including Fedlets, Virtual Federation, the Federation Validator and more. Exciting stuff!
Posted at 2008-04-14 14:40:54.0 from Superpatterns
GlassFish is to SJSAS as OpenSSO is to FAM...
GlassFish and OpenSSO play very similar roles; they are OpenSource, transparent, community-driven efforts to create enterprise products, except OpenSSO has an extra twist...
GlassFish is the Community for SJS AppServer 9.x and OpenSSO does the same for Sun Federated Access Manager (FAM). The twist is that FAM is not yet out. FAM is the combination of the Access Manager and the Federation Manager. Once FAM is out, you can say: GF/SJSAS == OpenSSO/FAM.
So, go ahead and Download, Evaluate and Deploy OpenSSO!
Posted at 2008-04-12 23:00:00.0 from The Aquarium
Creating User Data Stores in OpenSSO Using the famadm CLI
NOTE: This procedure has been validated with OpenSSO promoted build 4 (Apr 1, 2008)
Create AD datastore
- ./famadm create-datastore -m "AD_STORE" -t LDAPv3ForAD -D datastore_AD_attrs.txt -v -u amadmin -f /tmp/pass -e /
Create Data store with SunDS+AM Schema
- ./famadm create-datastore -m "DSEE_STORE" -t LDAPv3ForAMDS -D datastore_dsee_attrs.txt -v -u amadmin -f /tmp/pass -e /
Create Datastore for generic LDAPv3 (OpenLDAP)
- ./famadm create-datastore -m "LDAPv3_STORE" -t LDAPv3 -D datastore_ldapv3_attrs.txt -v -u amadmin -f /tmp/pass -e /
Create Datastore for IBM Tivoli Directory Server
Prerequisites
To create and manage identities in Tivoli successfully, you need to load the following schema using ldapmodify.
- ./famadm create-datastore -m "IBM_TIVOLI_STORE" -t LDAPv3 -D datastore_ldapv3_attrs.txt -v -u amadmin -f /tmp/pass -e /
Update Datastore
- ./famadm update-datastore -m "DSEE_STORE" -D datastore_update_attrs.txt -v -u amadmin -f /tmp/pass -e /
The above command will update the bind DN and the password for the data store named "DSEE_STORE" in the root realm.
Delete Data Store
- ./famadm delete-datastores -m LDAPv3_STORE -v -u amadmin -f /tmp/pass -e /
- ./famadm delete-datastores -m IBM_TIVOLI_STORE -v -u amadmin -f /tmp/pass -e /
Posted at 2008-04-12 10:42:20.0 from Indira's blog
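Every command above passes the amadmin password through a file given with `-f`, so the permissions on that file matter as much as the commands themselves. The wrapper below is an added example (not from Indira's post or from the famadm tool) that runs the same `create-datastore` invocation only after confirming the password file is a regular file owned by the caller with mode 400 or 600; the `FAMADM` path, the `create_datastore` function name and the usage line are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): a small wrapper around the
# famadm create-datastore commands shown above. It refuses to run when the
# password file given with -f is group- or world-readable, since that file
# holds the amadmin password. The famadm path is an assumption.
FAMADM=${FAMADM:-./famadm}

# file_mode FILE: print the octal permission bits (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# file_owner FILE: print the numeric uid that owns FILE.
file_owner() {
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# check_passfile FILE: return 0 if FILE is a regular file owned by the caller
# with mode 400 or 600; otherwise print the reason on stderr and return 1.
check_passfile() {
  f="$1"
  [ -f "$f" ] || { echo "check_passfile: $f is not a regular file" >&2; return 1; }
  [ "$(file_owner "$f")" = "$(id -u)" ] || { echo "check_passfile: $f is not owned by uid $(id -u)" >&2; return 1; }
  mode=$(file_mode "$f")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "check_passfile: $f has mode $mode; expected 600" >&2; return 1 ;;
  esac
}

# create_datastore NAME TYPE ATTRFILE PASSFILE REALM: run famadm only after
# the password file passes check_passfile.
create_datastore() {
  check_passfile "$4" || return 1
  "$FAMADM" create-datastore -m "$1" -t "$2" -D "$3" -v -u amadmin -f "$4" -e "$5"
}

# Usage, mirroring the first command in the post:
# create_datastore AD_STORE LDAPv3ForAD datastore_AD_attrs.txt /tmp/pass /
```

A password file in a shared `/tmp` is readable by whoever can beat you to creating it, so the same check is worth pairing with a private directory (for example one created by `mktemp -d`) rather than the fixed `/tmp/pass` path used in the post.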