OpenSSO in Second Life

I went to the launch of OpenSSO Enterprise 8.0 (press release) this morning in Second Life, hosted by none other than the IdentiCat, Daniel Raskin, and my boss, director of engineering for OpenSSO – Jamie Nelson. It was definitely a different experience from a traditional webinar – there was audio and slides, but somehow it was more immersive, sitting in the hall with the other attendees. Some technical glitches, but, all in all, a great event.

(Confession – the image is a composite – when that slide was up, Daniel was off flying somewhere, and when he was sitting down, I just had a gray screen where the slide should have been).

UPDATE – if you missed the Second Life event, you can catch the replay!


The Cancer and Leukemia Group B (CALGB) is a national clinical research group sponsored by the National Cancer Institute, with its Central Office headquartered at the University of Chicago and its Statistical Center located at Duke University.

A couple of weeks ago, Robert Dale of CALGB contributed an OpenSSO/Spring Security integration to the OpenSSO project. I asked him how CALGB were using OpenSSO, and he was good enough to send me this explanation and allow me to publish it.

We’re probably not too different than many places where we have many applications each using its own authentication mechanism from disparate data stores. The primary goal here is to unite all these applications to use the same authentication mechanism using a single data store, hence a single username and password. Because we deal with clinical data, HIPAA comes into play. So certain applications need specific restrictions, for instance having a session timeout in 15 minutes. Other applications – administrative, those for developers, IT staff – can be logged in all day long. Therefore our secondary goal is to place these policies across all the apps. We have our own authorization and audit system and won’t be using those from OpenSSO.

We also have the case where we need to federate to other identity providers, such as caBIG, so our users can seamlessly use the grid applications. But we also share data with labs and other facilities that develop their own applications and need to federate identities (and authorizations) to us either through user interaction and/or web services. And in one special case, we have an authentication module that authenticates users via webservice to CTSU where they don’t yet have federated identities.

This is a great mini-case study of an OpenSSO deployment – internal SSO, federation, web services and a bit of customization on the side. It’s great, too, to be able to support such vital research through OpenSSO – CALGB didn’t have to ask or tell us about their OpenSSO deployment – they just got on and got it done, and were good enough to share their success story with us.

Have you deployed OpenSSO? Care to share your story?

links for 2008-09-26

OpenSSO+Spring – an Open Source Community in Action

On Friday morning, Jim Gellman of the Institute for Systems Biology asked a question on the OpenSSO Users mailing list about OpenSSO/Spring Security (formerly known as Acegi) integration:

We’d like to use opensso with an app that’s using Spring Security currently, but we don’t have the resources at the moment to develop a module to do this.

Instead we’re hoping we can use Spring Security’s container adapter for tomcat along with the OpenSSO agent. Does anyone know for sure whether this is a reasonable approach?

Just a few minutes later, Robert Dale of CALGB replied:

I actually have code based on acegi-security 1.0.3 that provides an AuthenticationProvider, LogoutHandler, AuthenticationProcessingFilter, and AuthenticationProcessingFilterEntryPoint. I would be more than happy to donate to OpenSSO extensions if they want it.

How can you refuse an offer like that? Actually, it turns out that Robert had also done some work with Seraph (Atlassian’s security framework, used by Jira and Confluence). So, this morning I created two new ‘Authentication Provider’ OpenSSO Extensions – one for Spring and one for Seraph – and Robert checked in his code. If you’ve been scratching your head, wondering how to integrate OpenSSO with Spring or Seraph, go check ’em out!

Be the 800th OpenSSO Member – Win OpenSSO Goodies!!!

Back in June, OpenSSO reached 700 members. Less than three months later, we’re getting close to the 800 mark. For a bit of fun, we’re offering a $50 gift certificate for the CafePress OpenSSO store to our 800th member. But, there’s a twist. There’s more to it than just signing up for an account and requesting the Observer role in OpenSSO – we need to know how the deployment went for you, so you’ll have to download OpenSSO and deploy it on your favourite Java web container (we like GlassFish, but Tomcat, JBoss, WebSphere and many more work fine – see the release notes [PDF]), or simply click here to install and run the Java Web Start version (it has its own embedded instance of GlassFish v3).

Once you’re signed up and have played with OpenSSO, subscribe to the mailing list and let us know your username, which version of OpenSSO you downloaded (e.g. build 5), which container you used, and your general impressions. We’re working hard to make the deploy/configure process rock solid, so reports of problems are even more valuable than “It works great!” – much as we like to hear that