From the Trenches – Jamie Nelson on Web Access Management

Sun Developer Network tech author Marina Sum starts a new series of interviews this week with OpenSSO's benevolent dictator and Sun's director of engineering for access and federation management, Jamie Nelson (my boss, so I'd better be careful here!).

In the interview, Jamie explains how web developers need to consider security, but, at the same time, avoid hard-coding it into their apps. Some great tips and useful links for any web developer – read the article here!


Kaliya wonders “if OpenID has been used for activism yet?”, then, in a footnote:

Sorry – I am really trying to get OpenID to work on this hoster (well, my tech person Lucy is); there is still something not working. So if you want to comment, either link to this blog post and say it on your own site, or send me e-mail: kaliya (at) mac (dot) com. If any of you OpenID tech folks want to see if you can help her solve the problem, let me know and I will put you in touch.

There’s really nothing I can add…

OpenSSO Live at Telenet

At JavaPolis last year, I met with the folks from ACA IT-Solutions and Telenet (Dutch/French/English) to discuss their deployment of OpenSSO. At last, I'm able to talk about this publicly, so here we are. Telenet is Belgium's largest cable operator, providing internet access, digital TV and telecom services to millions of customers across the country. Last year, ACA IT-Solutions, an independent Java EE solution provider working across the Benelux region, built an authorization solution for Telenet with a centralized policy administration point (PAP) but distributed policy enforcement points (PEPs), all built on OpenSSO's authentication. As ACA IT's Wim Van Lommel says:

“We developed the web interface and security back-end service. These modules were aligned with the underlying open source access management mechanism OpenSSO. The access to the source code of OpenSSO enabled us to reuse the access management mechanism and create an integrated security solution for Telenet.”

You can read more in the inaugural February 2008 edition of LSEC's Information Security Industry Report.

A great example of the difference that source code access makes to system integrators!

Federated Identity Through the Eyes of the Deployer

As I just reported over at The Aquarium, Eve and Marina recently published Federated Identity Through the Eyes of the Deployer – what it is, why you might want it and what questions to ask as you architect a federated identity system.

As I mentioned on The Aquarium, Eve was a key player in defining XML, SAML and more. What you might not know is that Eve is also a talented musician, shining even when accompanied by those less gifted in the art, such as here, at IIW2006b:

Here be the lyrics.

Credentica U-Prove Acquired by Microsoft – Zero Knowledge Proofs For All?

Across the wires this morning comes news from Kim and Stefan that Microsoft has acquired Credentica's U-Prove technology and the services of Stefan and his Credentica colleagues. I'm curious as to why the news isn't simply 'Microsoft acquires Credentica', but business is sometimes like that, I guess.

Anyway, congratulations to Stefan and co! I’ve been following their technology for a few years now (I even worked my way through Stefan’s book – well, most of it – some of the formal proofs were a little beyond my mathematical abilities) and have met Stefan and Greg a couple of times – super guys, cool technology – it will be great to see it get wider exposure.

Long Live simpleSAMLphp!

A somewhat bittersweet moment today as I sent this email to the OpenSSO lists:

Some time ago (October 2006), we released ‘Lightbulb’, a simple SAML 2.0 service provider/relying party implemented in PHP, as a proof-of-concept, to show that it was indeed possible to write a ‘pure’ (no custom modules required) SAML 2.0 implementation in PHP.

Later, Lightbulb became an OpenSSO Extension, and was used by Andreas Solberg at FEIDE as the inspiration for simpleSAMLphp – a much more complete SAML 2.0 implementation, again in PHP, but this time including identity provider functionality, Shibboleth 1.3 and more.

Andreas has done a great job, devoting considerable time and effort to simpleSAMLphp, to the great benefit of the wider SAML 2.0 community. Over the months, simpleSAMLphp has become widely deployed in the academic community, to the extent that there are now events such as simpleSAMLphp workshops.

Consequently, we have decided to mark the OpenSSO SAML2/PHP Extension as ‘deprecated’ in favor of simpleSAMLphp. The old code will be left in place in CVS, but there is now a prominent README directing people to simpleSAMLphp.

Long live simpleSAMLphp!

Kind of like seeing one of your kids moving out of the family home and starting their own life, I guess…