New Iteration of the SAML 2.0 PHP SP

Many thanks to Andreas Åkre Solberg of the FEIDE project for this latest iteration of the SAML 2.0 PHP service provider (SP) OpenSSO Extension (you might remember it as ‘Lightbulb’). I spent Thursday afternoon running through some tests with the PHP SP and OpenSSO as the identity provider – apart from one very minor bug (already fixed), it all works great!

Changes since the initial implementation:

  • Code restructured with SPIs for session handling and name mapping
  • Single logout listener
  • Support for transient identifiers
  • A new, simpler, sample
  • Documentation!
  • Several bugfixes

Grab the code via CVS from opensso.dev.java.net (it’s in opensso/extensions/saml2php/). Instructions for getting the code via CVS.

Silos, Schmilos!

Ben Laurie posts flame-bait this morning, with an entry titled ‘Liberty Loves Silos‘. I always find it amazing how folks ascribe the most sinister motivations to Liberty – maybe now that a load of our (previously private) mailing lists are publicly visible, people will see that we are really fluffy and cuddly (except Conor, of course, he’s a bit prickly).

Anyway – back to the point… My understanding (I wasn’t there for a lot of the early work, so I’m happy to be corrected here) is that the motivation for automated discovery was a seamless user experience. Asking the user for the location of her identity provider, discovery service, calendar service or whatever was seen as a bump in the road, rather than user empowerment. What we’re seeing now is a lot of thinking around how we can combine ideas of user identifiers (URLs or i-names) with SAML 2.0 for SSO and ID-WSF 2.0 for Web services. For example, YADIS/SAML or OpenID/ID-WSF.

In any case, user privacy, consent and control has always been foremost – hence all the work on defining how a user can consent to attributes being shared between providers [PDF], not to mention security and privacy [another PDF, I’m afraid].

Identity and Web Services: A Marriage Made in Heaven?

Don Bowen, Wizard of IdM

Although I don’t have a technical session this year, I will be up at JavaOne tomorrow, presenting “Identity and Web Services: A Marriage Made in Heaven?” with my good friend, the Wizard of IdM, Don Bowen, at 1:05pm in the Pavilion Theater. We’ll spend about 20 minutes exploring the different ways that identity and web services impact each other. If you’ve heard Don on the Sun IdM podcasts, you know this’ll be fun.

UPDATE: here are the slides [PDF].

OpenID at Sun

Already lighting up the blogosphere this morning are posts from Tatsuo, Gerry, Rich and Scott all about Sun’s new OpenID Provider. Briefly, Sun is launching an OpenID Provider (OP) for all of its employees.

Why just employees? Well – there are any number of sites that offer OpenIDs, and anyone can start their own, but we wanted to try something different. With this service, we are exploring the use of OpenIDs in a business context – what could it mean to have an OpenID that says you are an employee of Sun Microsystems (or, for that matter, any company)? We’ll be learning over the next few weeks and months, and, of course, sharing the lessons with the wider community.

On the technical side, we are deploying the OpenSSO Extension for OpenID on OpenSSO. In case the bulbs aren’t lighting yet… this means that anyone can grab those components, do a little tweaking round the edges, and roll this out for themselves. In fact, that’s exactly what SSOCircle has done, but in a non-enterprise context.

Tomcat on Ubuntu Feisty

A while ago, I blogged about running OpenSSO on Tomcat in Ubuntu. I recently upgraded Ubuntu to 7.04 ‘Feisty Fawn’, which, while most things work great, seems to have caused some issues with Tomcat…

The first is this bug – when you start Tomcat, it just hangs. Apparently it’s to do with /var/lib/tomcat5.5/logs/catalina.out being a named pipe. The workaround that works for me is to add the cat line below to the start block in /etc/init.d/tomcat5.5 (the surrounding lines are shown for context):

    $DAEMON -user "$TOMCAT5_USER" -cp "$JSVC_CLASSPATH" \
        -outfile "$LOGFILE" -errfile '&1' \
        -pidfile "$CATALINA_PID" $JAVA_OPTS "$BOOTSTRAP_CLASS"
    # added line: keep a reader on the catalina.out named pipe so the writer does not block
    cat /var/log/tomcat5.5/catalina.out > /dev/null &
else
    log_progress_msg "(already running)"
fi

The second issue is that Tomcat seems to have changed where it puts its web applications. They were in /usr/share/tomcat5.5/webapps; they are now in /var/lib/tomcat5.5/webapps. This breaks the security policy I blogged about last time – you now need to add the following to /etc/tomcat5.5/policy.d/50user.policy:

grant codeBase "file:${catalina.base}/webapps/openfm/-" {
    permission java.security.AllPermission;
};

(i.e. switch from ${catalina.home} to ${catalina.base})
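A check for the codeBase mismatch described above, added here as an example that is not part of the original post: it expands ${catalina.home} and ${catalina.base} in every grant of a policy file and reports grants whose directory no longer exists. The two Ubuntu paths are the ones named in the post; the sample policy and directory tree are constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: after Feisty moved the webapps
# directory, a grant whose codeBase still expands under ${catalina.home}
# points at a directory that no longer exists, so the web application is
# denied every permission that grant was meant to give it. This script
# expands both Tomcat properties in each codeBase of a policy file and
# reports grants whose directory is missing. The two paths below are the
# Ubuntu tomcat5.5 defaults named in the post.
CATALINA_HOME=/usr/share/tomcat5.5
CATALINA_BASE=/var/lib/tomcat5.5

# Usage: check_policy_codebases <policy-file> <catalina.home> <catalina.base>
# Prints one line per grant: "OK <dir>" or "STALE <dir>".
check_policy_codebases() {
    policy=$1 home=$2 base=$3
    sed -n 's/.*codeBase *"file:\([^"]*\)".*/\1/p' "$policy" |
    while IFS= read -r cb; do
        # Expand the properties and drop the trailing "/-" or "/*" wildcard.
        dir=$(printf '%s\n' "$cb" | sed \
            -e "s|\${catalina\.home}|$home|g" \
            -e "s|\${catalina\.base}|$base|g" \
            -e 's|/[-*]$||')
        if [ -d "$dir" ]; then echo "OK $dir"; else echo "STALE $dir"; fi
    done
}

# Self-contained demo on a constructed fixture: only the catalina.base tree
# has webapps/openfm, and the policy carries one pre-upgrade grant
# (${catalina.home}) beside the corrected one (${catalina.base}).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/lib" "$tmp/base/webapps/openfm"
    cat > "$tmp/50user.policy" <<'EOF'
grant codeBase "file:${catalina.home}/webapps/openfm/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:${catalina.base}/webapps/openfm/-" {
    permission java.security.AllPermission;
};
EOF
    check_policy_codebases "$tmp/50user.policy" "$tmp/home" "$tmp/base"
    rm -rf "$tmp"
}

# On a real box: check_policy_codebases /etc/tomcat5.5/policy.d/50user.policy \
#                    "$CATALINA_HOME" "$CATALINA_BASE"
demo
```

A STALE line for the openfm grant is exactly the symptom the post describes after the upgrade; the fix is the switch to ${catalina.base} shown above.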

And before anyone asks “Why aren’t you using Glassfish?” – I am, I’m just using Tomcat as well, since a lot of the OpenSSO contributors use it. Their pain is my pain.