Liberty Alliance Day – Tokyo – Oct 30 2006

The Liberty Alliance is presenting Liberty Alliance Day 2006 (Google translated link) in Tokyo next Monday (Oct 30 2006). The theme for the day is ‘Identity in the Web 2.0 Age’. There is a packed program of speakers, including Roger Sullivan of Oracle, Paul Madsen of NTT, Takashi Shitamichi of Sun, my good self, Conor Cahill and many more. Come along, learn about Liberty’s People Service, open source identity projects and the latest work on advanced client technology and enjoy a cocktail reception with the speakers afterwards.

Sign up here!

Sun OpenSSO/AM Bloggers

I posted an entry yesterday listing the 5 (so far!) bloggers from Access Manager engineering. I realized that there are a load more folks in Sun, but outside AM engineering, blogging about AM and OpenSSO. Here is a list that I will update as and when. There is a fuzzy boundary here – if you are in the list and you don’t think you should be, then let me know. Similarly, if someone is not in the list and they should be, then let me know. Comments or email are fine. I’m including folks’ functional area so that readers have some idea of what to expect from the different blogs – for instance – the field folk tend to have a wider focus than AM engineering 🙂

UPDATE – all of the below blogs are aggregated at Planet OpenSSO.

Product Management

CTO Office

‘The Field’

Q&A on the OpenSSO SAML 2.0 PHP work

Yesterday I announced the first drop of my SAML 2.0 PHP code. I’ve had a few questions since then – here they are, with answers:

  • Q: Can I contribute to this?
    A: Of course! This was the whole point of releasing this code as open source. I know a little about SAML 2.0, but I’m no PHP expert. I’d welcome PHP folks to take a look and suggest/make improvements. See the OpenSSO governance for more information on contributing.
  • Q: Is this ‘pure’ PHP?
    A: That depends on your definition of ‘pure’. No custom modules are required. It does use openssl, mysql, dom and xml, but support for these is pretty standard. The default PHP5 in my Ubuntu 6.06 had everything I needed.

Please do leave comments with any further questions – I’ll update this entry with the answers.

Switching on the Lightbulb

Over the past few months I’ve had a side project – implementing a SAML 2.0 service provider (SP) in PHP. I originally set out using PHP/Java Bridge and got something working (I even presented it [pdf] at Identity Open Space in Vancouver), but I was inspired by Kim Cameron‘s success in implementing InfoCard in PHP to try a more direct approach.

Rob Richard‘s XML Security implementation provided the impetus I needed to get a ‘pure’ PHP SAML 2.0 SP working. Rob kindly allowed me to adopt the XML Security code into OpenSSO (note that the base XML security code is still, and will continue to be, available, in its original public domain form, at Rob’s page) and I set forth hacking away.

Well – I’m done with an initial version. SAML 2.0 POST profile works. There is no artifact profile, no single log out, no bells or whistles. It does verify the assertion signature (via PHP’s integration with openssl) and checks that the certificate fingerprint matches what it expects from that identity provider.
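The fingerprint check described above, as an added example that is not part of the OpenSSO PHP code (written in Python rather than PHP so the logic is easy to read; the IdP entityID and the certificate bytes are constructed placeholders): it pulls the certificate the identity provider embedded in ds:KeyInfo, computes its SHA-1 fingerprint and compares it with the fingerprint configured for that issuer. XML-DSig verification of the assertion itself is a separate step and is not shown.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint of DER certificate bytes, as colon-separated uppercase hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def signing_cert_from_response(xml_text: str) -> Optional[Tuple[str, bytes]]:
    """Return (assertion issuer, DER cert from ds:KeyInfo) or None if either is missing."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return None
    issuer = assertion.find("saml:Issuer", NS)
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if issuer is None or cert is None or not (cert.text or "").strip():
        return None
    # The element usually carries PEM-style line breaks; drop all whitespace before decoding.
    return (issuer.text or "").strip(), base64.b64decode("".join(cert.text.split()))

def idp_cert_is_trusted(xml_text: str, trusted: Dict[str, str]) -> bool:
    """True only when the embedded cert matches the fingerprint configured for that issuer."""
    found = signing_cert_from_response(xml_text)
    if found is None:
        return False
    issuer, der = found
    expected = trusted.get(issuer)
    if expected is None:
        return False  # unknown IdP: an embedded cert proves nothing by itself
    # Accept either colon or plain hex form in config; compare in constant time.
    return hmac.compare_digest(expected.replace(":", "").upper(),
                               fingerprint(der).replace(":", ""))

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed-placeholder-not-a-real-x509-certificate"
SAMPLE_ISSUER = "https://idp.example.org/metadata"  # hypothetical IdP entityID
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
    f"<saml:Assertion><saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer><ds:Signature><ds:KeyInfo>"
    f"<ds:X509Data><ds:X509Certificate>\n{base64.b64encode(SAMPLE_DER).decode()}\n"
    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>"
)
```

The expected fingerprint per IdP would come from the SP's configuration, never from the response itself; the unknown-issuer and missing-certificate paths both fail closed.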

There is some general documentation on SAML-enabling PHP [odt], and some specific documentation on this code [odt]. I’ll write a step-by-step guide to getting it up and running next…

UPDATE – some FAQs here.

Welcome Indira – Another Access Manager/OpenSSO Blogger

Indira Thangasamy has been blogging about Access Manager and OpenSSO for a few weeks now. Indira has some great tips on configuring and deploying AM and OpenSSO – essential reading if this is your thing.

This brings the current count of bloggers in the AM/OpenSSO engineering team to 5:

If you’re working with AM and/or OpenSSO, you’ll want to subscribe to all of these!

Federation – Italian Style

Somehow, this passed me by back in March/April, but a presentation at Sun’s Customer Engineering Conference last month brought it back into focus – Italy’s Ministry of Transportation has deployed a new Motorist Portal, providing services such as online payment of vehicle registration fees and traffic tickets.

What’s interesting here is that drivers log in to the Motorist Portal to view their driving record, vehicle registration, etc., but make payments via another government agency, Poste Italiane. The Motorist Portal acts as a SAML identity provider, with Sun Java System Access Manager authenticating users and providing single sign-on to Poste Italiane’s service provider for 40 million Italian drivers – possibly one of the biggest live SAML deployments in the world.

You can find out more in this short SunTV presentation and the Italian press release (English translation via Google).

CSO Article – The Truth About Federated Identity Management

I just finished reading The Truth About Federated Identity Management by Sarah D. Scalet at CSO. It’s a good read, focussing on the importance of the business case in deploying federated identity and the fact that 80% of the work in any federation deployment is on the business side. The technology, by comparison, pretty much “just works”. Make sure you hit the sidebar too: Thinking of Doing Federated Identity Management?