Podcasting and Webcasting

It’s been quite a week already and it’s only Wednesday night! Yesterday, I was interviewed by Aldo Castañeda for ‘The Story of Digital Identity’ – Aldo’s regular podcast. The conversation centered on Project Lightbulb (a sub-project of OpenSSO) – the PHP implementation of SAML 2.0. We covered a lot of ground, looking at the motivation behind Lightbulb and what I’m working on right now – figuring out how we can bring together some aspects of OpenID with SAML 2.0. There are some interesting synergies here, and I’m looking forward to talking about them at IIW2006b next week in Mountain View. If you’re not too interested in digital identity, you can always skip to about 47′50″ to hear all about single malt Scotch whisky.

This was my first podcast experience and a lot of fun it was, much less intense than a webcast (no slides!). Aldo is doing a great job, and I felt quite honored to be a part of ‘STODID’. This series of podcasts really is required listening if you want to keep up with what’s going on in digital identity.

By the way, you’ll need iTunes or Quicktime to play the podcast. I didn’t have any luck with Windows Media Player or RealPlayer. Other players might also work – feel free to leave a comment.

Today’s event was a webcast for the Liberty Alliance, again focusing on Project Lightbulb, but this time with slides and a demo. In the demo I show how to SAML 2.0-enable a simple PHP application by dragging in the Lightbulb files and editing 4 PHP scripts. I fall off the high wire one time, but recover quite gracefully.

The webcast is archived (you might need to scroll down a bit – look for ‘Open Source Identity for the Web 2.0 Era’), but you have to download the Webex player to watch it.

I wonder what the rest of the week will bring…

Open Source Identity for the Web 2.0 Era

Regular readers might recall I gave a presentation in Japan last month titled ‘Open Source Identity for the Web 2.0 Era’. The Liberty Alliance folks liked it so much, they’ve asked me to repeat it as a webcast next Wednesday – 11/29/2006 – details here (if you’re interested, better sign up fast, places are limited!).

The presentation focuses on OpenSSO and Project Lightbulb – the OpenSSO sub-project that implements a SAML 2.0 service provider in straight PHP – no custom extensions required. I’m planning to SAML 2.0-enable a simple PHP application, live on-the-air, no safety net.

Johannes has already picked up on the webcast announcement and wonders what the Web 2.0 angle is. Let me explain…

Web 2.0 is a difficult term; it means something different to almost everyone you ask. Some focus on particular technologies – Ajax (I just pasted that link in – do you realize that the essay that coined the term ‘Ajax’ is only 21 months old!) being the most common example. Others focus on particular companies – Flickr, YouTube, any number of social networking sites – or business models – for example, combining your users’ individual efforts to create something bigger than the sum of their parts.

For me, ‘Web 2.0’ is simply a shorthand for ‘the Web today is very different from the Web of 5 years ago’. It’s a whole world of change wrapped into a somewhat glib phrase. The Tokyo Liberty Alliance Day took Web 2.0 as its theme – my angle on it with this presentation is that a large part of Web 2.0 is participation – notably open source and lightweight languages – look at any ‘Web 2.0 company’ and you’ll find lots of LAMP. It’s this aspect that I focus on in ‘Open Source Identity for the Web 2.0 Era’ – bridging the gap between the enterprise/telco/square world of SAML 2.0 and the bloggy/scripty/hip world of PHP.

Having said all that, Johannes is spot on that “putting control in the hands of the end user — the essence of Web 2.0 — is not typically compatible with the way SAML projects tend to end up”. There is much work to do in figuring out how the core of SAML 2.0 can be leveraged in wider settings than the typical (but no less important for that) enterprise/telco use cases. We’re seeing some great thinking in this area from the likes of Paul and Eve. I suspect that this will be a key topic of the upcoming Internet Identity Workshop 2006b.

These pictures are so fantastic I just had to post them:

This is one of our OpenSSO team members engaging in Yakshagana, a sequence of dance and dialogs based on Indian mythological stories. See if you can guess who. Hint: just for once, it’s not me!

Announcing Open Federation

Right from the very inception of OpenSSO, the most frequently asked question has been “When are you open sourcing the federation code?”. Well, today, the answer is… “Today!” Here is the text of the announcement:

The OpenSSO project is pleased to announce the availability of the Java source code for the identity federation and web services framework of the Sun Java System Access Manager and Sun Java System Federation Manager. The name of this effort is Open Federation.

Following is a list of links to help you get started:

The OpenSSO project and code will be updated constantly with bug fixes, new features, modules and accompanying documentation. Please check back often. In fact, OpenSSO is a growing community of developers, both inside of, and outside of, Sun. Be a part of OpenSSO and sign up at https://opensso.dev.java.net.

Go grab it, play with it, and build cool stuff!

Open All The Way Up

It’s just one of those days – the bloggable thoughts are coming thick and fast…

For some time now, Sun has been unusual in providing the entire stack of hardware and software, from the metal right on up to the product on which I work, Sun Java System Access Manager:

Web SSO: Sun Java System Access Manager
Web Container: Sun Java System Application Server
Computing Platform: Java
Operating System: Solaris
Processor Architecture: UltraSPARC

Well, now there is an open analogue to every one of those layers:

Web Container: GlassFish
Computing Platform: Java (now open sourced!)
Operating System: OpenSolaris
Processor Architecture: OpenSPARC

Open all the way up the stack – now that is cool!

Access Manager training class in Burlington, MA

There are a small number of places available on the Sun Java System Access Manager: Configuration and Customization (AM-3480) course at Sun’s training center in Burlington, MA the week of Dec 4. This presentation of the course is taught by the most excellent Allan Foster; Allan taught the recent Federation Manager Boot Camp course on which Hubert heaped lavish praise, so you know you’re in good hands.

If you’re in the North-East and you feel your AM knowledge is lacking, then take a look and consider signing up – your department may well have some training budget that needs to be used or lost before the end of the year…

OpenSSO on Tomcat in Ubuntu

The ‘single WAR’ deployment of OpenSSO allows you to simply deploy a WAR file into a web container such as Glassfish or Tomcat. The first time you hit the OpenSSO URL, a configurator runs, collecting some basic parameters, saving them to configuration files and setting up OpenSSO for use. You can save this configuration anywhere in the file system; the configurator records that location in a small bootstrap file in the home directory of the user that the web container runs as.

Numerous folks are deploying OpenSSO on Tomcat. In a typical ‘developer’ installation, where you run Tomcat from the command line, all works well – you get a file named something like AMConfig_localhost_opensso_ in your home directory. AMConfig is a constant prefix and _localhost_opensso_ is OpenSSO’s deployment location (/localhost/opensso/) with slashes replaced by underscores. Ubuntu installs Tomcat on ‘localhost’, and I deployed the OpenSSO war file into /opensso, so I get a file called AMConfig_localhost_opensso_ whose content is simply the path to the main configuration data. Your mileage will vary!

Now – I’m running Ubuntu on my laptop, with the default Ubuntu distribution of Tomcat 5.5. The first time I tried to deploy OpenSSO it failed – looking at Tomcat’s logs, I could see

localhost_2006-11-03.log:java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)

Tomcat is running with the Security Manager and is denying the web application read access to the user.home system property. From previous experience, the quickest way round this (short of completely disabling the security manager) is to grant your web application all rights. I added the following to /etc/tomcat5.5/policy.d/99examples.policy:

// Grant everything to code loaded from the opensso web application only
grant codeBase "file:${catalina.home}/webapps/opensso/-" {
    permission java.security.AllPermission;
};
You could, of course, specify much more granular permissions (at a minimum, the security manager needs to allow reading user.home and writing the bootstrap file), but AllPermission scoped to the opensso codeBase gets you going with the minimum fuss.

So – try again. This time, OpenSSO gets a little further, but fails again with

java.io.FileNotFoundException: /usr/share/tomcat5.5/AMConfig_localhost_opensso_ (Permission denied)

Although OpenSSO can now locate the user’s home directory, it can’t actually create a file there, since, in this configuration, Tomcat is running as the tomcat5 user, whose home directory (/usr/share/tomcat5.5) is owned by root and is not writable by tomcat5. One solution is to temporarily make that directory writable by all (sudo chmod 777 /usr/share/tomcat5.5), flipping it back after OpenSSO configures itself successfully (sudo chmod 755 /usr/share/tomcat5.5). A more elegant approach, and one which doesn’t require you to go back and tidy up, is to pre-create the bootstrap file and hand it to the tomcat5 user:

sudo touch /usr/share/tomcat5.5/AMConfig_localhost_opensso_
sudo chown tomcat5 /usr/share/tomcat5.5/AMConfig_localhost_opensso_

Now, you just need to ensure that you give the configurator a directory that is writable by tomcat5 and all is well – a working OpenSSO and an interesting excursion through the mechanisms that Tomcat and Ubuntu use to prevent web applications from running arbitrary code.
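The steps above, pulled together as a small POSIX shell script. This is an added example, not part of the original post or of OpenSSO itself: it derives the bootstrap file name from the deployment URI the way the post describes (slashes to underscores behind the AMConfig prefix), pre-creates that file and chowns it to the container user instead of opening the home directory with chmod 777, and refuses a configuration directory that is world-writable. The user name tomcat5 and the home directory /usr/share/tomcat5.5 are taken from the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSO).
# Assumed values from the post: container user "tomcat5",
# home directory "/usr/share/tomcat5.5", deployment URI /localhost/opensso/.

# Map a deployment URI such as /localhost/opensso/ to the bootstrap file
# name OpenSSO writes into the container user's home: AMConfig_localhost_opensso_
amconfig_name() {
    uri=$1
    printf 'AMConfig%s\n' "$(printf '%s' "$uri" | tr '/' '_')"
}

# Return 0 if "others" have write permission on the path (the chmod 777
# workaround), 1 otherwise. Reads the 9th character of ls -ld, which is
# the other-write bit, so it works without GNU stat.
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Pre-create the bootstrap file in the container user's home directory and
# hand ownership to that user, leaving the directory itself root-owned.
# chown needs root, so it is skipped when run unprivileged or when the
# user does not exist; the file path is printed on success.
prepare_bootstrap_file() {
    home=$1; uri=$2; owner=$3
    file="$home/$(amconfig_name "$uri")"
    touch "$file" || return 1
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner" "$file" || return 1
    else
        echo "note: not root or no user $owner; chown of $file skipped" >&2
    fi
    printf '%s\n' "$file"
}

# The directory handed to the configurator must exist and should be
# writable by its owner only, not by everyone, before OpenSSO writes
# its configuration there.
check_config_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing config dir: $dir" >&2; return 1; }
    if is_world_writable "$dir"; then
        echo "refusing world-writable config dir: $dir" >&2
        return 1
    fi
    return 0
}

# Usage (as root, on the Ubuntu layout from the post):
#   prepare_bootstrap_file /usr/share/tomcat5.5 /localhost/opensso/ tomcat5
#   check_config_dir /var/lib/tomcat5.5/opensso-config
```

The point of keeping the directory root-owned and chowning only the one file is that the container user can write exactly what the configurator needs and nothing else; a 777 home directory would let any local account drop files there that a root-owned Tomcat startup might later read.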