OpenSSO – Availability of Session Architecture Document and Project Sources

The second OpenSSO roadmap milestone has been reached on schedule.

Briefly, the architecture document and associated source code for the ‘Session’ module are now available at https://opensso.dev.java.net/. For more details, see the announcement.

Some ‘exclusive’ information:

  • The project sources contain about 565 source files out of which 550 are the core system and the rest are for demo purposes.
  • All this compiles in under a minute 🙂 and can be compiled on any platform.
  • The demo works on all platforms and does not require any LDAP server. It uses the flat-file database and is fairly easy to get up and running quickly.

Congratulations to Arvind and the rest of the OpenSSO team!

Building Identity-Enabled Web Services

I recently coauthored a technical article on Liberty ID-WSF, JSR 196 and Sun Java Studio Enterprise entitled Building Identity-Enabled Web Services. The article just went live at developers.sun.com – here is a slightly adapted version of the intro:

Last October, the article Federated Identity: Single Sign-On Among Enterprises introduced identity federation as it relates to single sign-on (SSO) and demonstrated how Security Assertion Markup Language (SAML) and the Liberty Identity Federation Framework (ID-FF) offer standard mechanisms for cross-domain SSO. That article also briefly described the Liberty Alliance Project’s Identity Web Service Framework (ID-WSF) and its capabilities for identity-enabling Web services.

At a technical session at JavaOne 2005 in San Francisco, we delved into ID-WSF and the new developments in the Java Community Process and in Sun’s products that enable you to efficiently build identity-enabled Web services. This article recaps the content of that session. Specifically, you’ll learn the following:

  • How Liberty ID-WSF identity-enables Web services
  • How components that are based on the J2EE platform, such as JSR 196, insulate you from the mechanics of ID-WSF
  • How Sun Java Studio Enterprise will automate the creation of identity-enabled Web services

Mmmmm… Upgrade

My car has been in the shop for weeks now – don’t ask. I can work from home most of the time, but about one day a week, I get a rental from the Hertz neighbourhood office round the corner. Hertz seem to like me. I’ve been renting cars from them for years, and I can’t remember the last time I got what I paid for. Let me explain…

I always book a compact (“Ford Focus or similar”). With my AAA discount, it comes out at $33 a day, tax included. In the past few weeks I’ve had a Mustang (very disappointing), a Mazda 6 (impressive), a Hyundai Sonata (ordinary), a PT Cruiser (very ordinary) and this week, a Toyota Celica GT.

Wow – what a fun car. It’s only 1.8L, 150bhp, but it weighs next to nothing. Pin-sharp steering, and it loves to rev. Just bags of fun to drive. I can only imagine what the GT-S must be like, with 30 extra bhp and a 6 speed stick shift (GT is auto).
Thank you Mr Hertz!

Speaking on Identity, Interoperability, Web Services at JavaOne Tokyo 2005

I co-presented two sessions at JavaOne in San Francisco in June. I’m honoured to be invited to repeat them at JavaOne Tokyo next month. Here are the details:

Session ID: JITO000-05
Session Title: Developing and Deploying Secure Identity Web Services in a Federated Environment
Session Abstract: The Liberty Alliance Project (LAP) defines specifications to address cross-business web single sign-on (ID-FF) and provides a framework for building web services (ID-WSF). These specifications are by far the most comprehensive security framework available today to build secure identity-enabled web services. ID-WSF addresses the need to build interoperable, identity-based, identity-consuming, and standard web services. This session focuses on developing client- and server-side components of a secure identity web service based on Liberty ID-WSF specifications and deploying them in a Liberty-enabled environment. This session covers several Java™ standard technologies: Java 2 Platform, Enterprise Edition (J2EE™ platform), XML parsing, JAX-RPC, XML digital signing and encryption, and others, such as Liberty Java APIs built on top of SAML and WS-Security.
Date: Tuesday November 8 2005
Time: 5:00pm – 5:45pm

Session ID: JTES205-03
Session Title: Multiple Platforms, Single Identity: Interoperable identity
Session Abstract: Single sign-on between an enterprise’s web-based resources, such as applications based on Java™ 2 Platform, Enterprise Edition (J2EE™ platform) and .NET, has existed in proprietary form for some time. The need to allow access across enterprise boundaries prompted the development of standards, such as SAML and Liberty ID-FF for identity federation, providing capabilities such as single sign-on and account linking across enterprise boundaries. This session provides a brief overview of the standards for identity federation, shows how to integrate SAML and Liberty ID-FF with J2EE platform Security, and explains how Java technology-based access management products, such as Sun Java System Access Manager, can provide interfaces even into a .NET infrastructure such as Active Directory.
Date: Thursday November 10 2005
Time: 3:00pm – 3:45pm

So – come along and find out the latest about getting your J2EE infrastructure interoperating with AD and .NET, and implementing ID-WSF web service providers and consumers in Java.

Sun Federation Manager Demonstration

My previous job at Sun (until January 2005) was as technical product manager for Access Manager. The main reason I moved back to engineering to take a technical architect role was so that my business card didn’t read like a tongue-twister :-). Anyway – I still dabble on the technical marketing side, helping out when things get busy over there, like last month’s technical sales training boondoggle event in Las Vegas – two days of lectures and labs bringing together Sun’s identity management marketing team and the Sun system engineers (=sales engineers) affiliated with identity management.

My contribution (no – I didn’t get to go to Vegas!) was a new front end for the Federation Manager Liberty Identity Federation Framework (ID-FF) single sign-on (SSO) sample. This sample, shipped with Federation Manager, shows how to get Liberty ID-FF SSO working between an Identity Provider and a Service Provider. Out-of-the-box, this sample comprised a set of functional, yet plain, JSPs. I re-used some old demo layouts to give the sample a bit of pizazz so the SEs could take something away as the basis for a demo. I was going to just put up a few screenshots here to walk you, the reader, through a simple SSO scenario, but then I realised that it would actually be less work to use Qarbon’s Viewletbuilder to whip up a flash presentation. So – here it is – just click on the screen below and discover the magic of federated single sign-on…


Sun Identity Manager Comes Out On Top

Thanks to Phil Windley for pointing to InfoWorld’s Identity Management Challenge. It’s a thorough comparison of products from six vendors – Courion, IBM, Microsoft, Novell, Sun and Thor. I’ll point out that Sun’s Identity Manager is the only product that can answer an unqualified ‘yes’ in each column of the product comparison matrix:


Here’s the final word from the article:

Sun Identity Manager seemed the most mature overall, with strong integration and management capabilities, but still lacks the reporting and front-end polish we were expecting. IBM and Courion have similar work to do on the manageability front. Indeed, Courion needs to keep working on making the flexibility of its solution more accessible. Novell has paid much attention to its front-end tools, producing the easiest solution to configure and manage by far, but it still needs work on the back end to match the depth of Courion or Thor. Finally, Thor was strong from stem to stern, although their implementation process required a good share of custom coding as well.

I’m sure the Identity Manager engineering team are working on the front end with the Mr Sheen as I type this :-).

Open source != open standards

Robin Wilton astutely points out that Apache’s TSIK incubator project’s roadmap is somewhat off the mark in its description of Infocard in relation to the Liberty Alliance Project specifications (and others):

Some of the initial ideas of TSIK are to implement WS-* standards as they are developed, in particular the ones related to implementation of a federated ID protocol such as Microsoft’s InfoCard. (There are other federated ID protocols, for example, Liberty Alliance, Sxip networks, Identity Commons, LID NetMesh, Passel.org, but only InfoCard seems to be based on open web services standards.)

This does indeed seem to be a case of “The World Turned Upside Down”. What I find most strange is that there is no mention in this list of the granddaddy of them all – SAML – now in its 2.0 version and as openly standardised as an open standard can be, at OASIS.
Deeply puzzling…