Slides and Blog Reaction from Tokyo Liberty Alliance Day 2008

Here are the slides [PDF] from my presentation at the Tokyo Liberty Alliance Day last month. The picture on the right is of the Microsoft speaker, Shigeya Tanabe, talking about Microsoft’s recent commitment to SAML 2.0, which he illustrated by a screen cap from my blog entry on the subject.

OpenSSO and ldapvi

WARNING – guru level information in this blog entry. Don’t try ANY of this unless you’re CERTAIN you know what you’re doing. Editing OpenSSO’s configuration directly can easily lead to an unusable deployment. You have been warned!

The Suretec guys blogged about ldapvi the other day, which prompted me to deploy ldapvi and point it at OpenSSO's embedded OpenDS instance.

Deploying ldapvi on a Mac is very simple, thanks to MacPorts. Just do

sudo port install ldapvi

Now you can point it at your OpenSSO deployment like so:

ldapvi -d --host ldap://localhost:50389 -D "cn=Directory Manager" -w password

I get a screen like this:

One neat feature is that ldapvi transparently deals with the base64 encoded XML data in the directory – you can see it if you search for sunKeyValue:;

Now you can do some serious configuration hacking, especially with vi's global search and replace! But remember, with great power comes great responsibility. Back up your configuration before you try anything, and restart OpenSSO after any change you make in the directory. OpenSSO caches its configuration, and it won't notice changes you make 'under the covers'.
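To show what ldapvi is doing for you when it hides the base64 layer, here is an added example (my own illustration, not code from the ldapvi project or from OpenSSO) that parses an LDIF export the way a directory server writes it: long lines folded with a leading-space continuation and XML values stored as `attr:: base64`. The entry, its DN and the XML fragment inside sunKeyValue are constructed for the example and are not a real OpenSSO configuration entry; the one assumption is the standard LDIF folding and `::` base64 convention from RFC 2849.

```python
import base64

# Constructed sample: a made-up service entry whose sunKeyValue holds a
# placeholder XML fragment. Not a real OpenSSO configuration value.
SAMPLE_XML = (
    '<AttributeValuePair><Attribute name="example-attribute"/>'
    '<Value>example-value</Value></AttributeValuePair>'
)


def fold_ldif_line(line, width=76):
    """Fold one logical LDIF line into physical lines of at most `width`
    characters; continuation lines begin with a single space (RFC 2849)."""
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return chunks


def build_sample_ldif():
    """Render the constructed entry the way a directory server exports it:
    the XML value is base64-encoded (the '::' marker) and the resulting
    long line is folded."""
    encoded = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")
    logical_lines = [
        "dn: ou=ExampleService,ou=services,dc=example,dc=com",
        "objectClass: top",
        "objectClass: organizationalUnit",
        "ou: ExampleService",
        "sunKeyValue:: " + encoded,
    ]
    physical = []
    for line in logical_lines:
        physical.extend(fold_ldif_line(line))
    return "\n".join(physical) + "\n"


def parse_ldif(text):
    """Parse LDIF into a list of entries ({attribute: [values]}), unfolding
    continuation lines and decoding '::' base64 values. This is the
    transparent view ldapvi gives you of sunKeyValue."""
    entries, current, logical = [], None, []
    # Unfold: a physical line starting with a space continues the previous one.
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    for line in logical + [""]:          # sentinel flushes the last entry
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        if current is None:
            current = {}
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def sun_key_values(text):
    """Return every decoded sunKeyValue found in the LDIF text."""
    out = []
    for entry in parse_ldif(text):
        out.extend(entry.get("sunKeyValue", []))
    return out


if __name__ == "__main__":
    ldif = build_sample_ldif()
    print(ldif)                      # what the server hands you
    print(sun_key_values(ldif)[0])   # what ldapvi shows you
```

The decode step is the easy half; the point of the backup warning above is that the reverse trip (edit, re-encode, write back) happens outside OpenSSO's view, so nothing validates the XML you wrote until the server re-reads it on restart.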

Yubikey Authentication Module for OpenSSO

I just committed a new OpenSSO Extension – the Yubikey Authentication Module (README, source). The authentication module prompts the user for their username and the one time password (OTP) from the Yubikey, calls the Yubikey authentication server to verify the OTP and authenticates the user (or not!) according to the response.
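The verification step is where an OTP module earns its keep, so here is an added example (mine, not the Yubikey Authentication Module's own code) of the checks a client should apply to the validation server's answer before treating the user as authenticated. It assumes the shape of Yubico's validation protocol v2.0 response (`key=value` lines, with `h` an HMAC-SHA1 over the other parameters sorted by key and joined with `&`, keyed with the base64-decoded shared API key); the page does not say which protocol version the module uses. The client id, API key, OTP and the stand-in server reply are all constructed, and no network call is made.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credentials: placeholders, not real Yubico values.
DEMO_CLIENT_ID = "12345"
DEMO_API_KEY = base64.b64encode(b"example-shared-secret-not-real").decode("ascii")
# Constructed OTP: a 12-character modhex public id followed by the
# 32-character encrypted token. Not a real Yubikey output.
DEMO_OTP = "ccccccbvdtbb" + "cbdefghijklnrtuvcbdefghijklnrtuv"

MODHEX = set("cbdefghijklnrtuv")


def signature(params, api_key_b64):
    """Yubico v2.0 signature: HMAC-SHA1 over 'k=v' pairs sorted by key,
    joined with '&', every parameter except 'h' itself."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    key = base64.b64decode(api_key_b64)
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode("ascii")


def otp_is_well_formed(otp):
    """Length and alphabet check before anything is sent anywhere."""
    return 32 < len(otp) <= 48 and all(c in MODHEX for c in otp)


def build_verify_params(otp, client_id, api_key_b64, nonce=None):
    """Request parameters for the verify call; the nonce is what lets the
    client tie the reply back to this particular request."""
    nonce = nonce or secrets.token_hex(16)   # 32 alphanumeric characters
    params = {"id": client_id, "otp": otp, "nonce": nonce}
    params["h"] = signature(params, api_key_b64)
    return params


def parse_response(body):
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            k, _, v = line.partition("=")
            out[k] = v
    return out


def check_response(body, sent_otp, sent_nonce, api_key_b64, registered_public_id):
    """Return (authenticated, reason). Every check must pass: a reply that
    is unsigned, signed over different content, for a different OTP or
    nonce, or for a key not enrolled for this user is a failure even if
    it says status=OK."""
    r = parse_response(body)
    if "h" not in r:
        return False, "unsigned response"
    if not hmac.compare_digest(r["h"], signature(r, api_key_b64)):
        return False, "bad signature"
    if r.get("otp") != sent_otp:
        return False, "otp mismatch"
    if r.get("nonce") != sent_nonce:
        return False, "nonce mismatch"
    if sent_otp[:-32] != registered_public_id:      # public id precedes the 32-char token
        return False, "key not registered to user"
    if r.get("status") != "OK":
        return False, r.get("status", "missing status")
    return True, "OK"


def fake_server_response(params, api_key_b64, status="OK"):
    """Constructed stand-in for the validation server, used only so the
    example runs offline: echoes otp and nonce, sets a status, signs."""
    r = {"t": "2008-11-20T12:00:00Z0000", "otp": params["otp"],
         "nonce": params["nonce"], "sl": "100", "status": status}
    r["h"] = signature(r, api_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in r.items()) + "\r\n"


if __name__ == "__main__":
    assert otp_is_well_formed(DEMO_OTP)
    req = build_verify_params(DEMO_OTP, DEMO_CLIENT_ID, DEMO_API_KEY)
    reply = fake_server_response(req, DEMO_API_KEY)
    print(check_response(reply, DEMO_OTP, req["nonce"], DEMO_API_KEY, DEMO_OTP[:-32]))
```

The ordering matters: the signature is checked before the status is even looked at, so a reply whose status field was altered in transit is rejected as "bad signature" rather than being read as a denial or, worse, an approval.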

Many thanks to Jeff Bounds for inspiring me with his VIP authentication module and to Stina Ehrensvärd of Yubico for supplying me with a Yubikey to get started.

If you have a Yubikey, grab the authentication module, deploy it (see the README) and let me know how you get on.

Federated Single Sign-On for Google Apps in OpenSSO

Hot on the heels of the OpenSSO Enterprise 8.0 release comes Wajih Ahmed and Marina Sum's article on configuring Federated Single Sign-On for Google Apps in OpenSSO. With just a few minutes of work, you can be authenticating users in OpenSSO and giving them access to their accounts in Google Apps, including Google Mail, Google Documents and Google Calendar. Take a look at the demo we recorded with Michael Coté a few weeks ago to see the end result.

While this integration has been possible ever since we introduced SAML 2.0 support in Access Manager, it used to require a small amount of custom code to copy the user id into the SAML 2.0 NameID element. With OpenSSO Enterprise 8.0, it’s now a simple matter of configuration in the administration console.

To illustrate the article, Wajih has captured the configuration process on video – settle back and enjoy the show.

OpenSSO Enterprise 8.0 Released!

Funny how things turn out: after over three years of work (OpenSSO was announced on July 13, 2005), we end up releasing three days early (November 11 2008 rather than the planned November 14 2008)… Still, OpenSSO Enterprise 8.0 is now officially DONE:

So… What’s next for OpenSSO? Well, coming up we have carrier-grade monitoring, more ease-of-use work, task flows for SaaS federation (think Google and federation setup with the absolute minimum number of clicks) and entitlement management. Oh, and Express Build 7 will be coming up in about 3 months, too. Fun times… 🙂

GlassFish v3 Prelude – Out Now!

So, GlassFish V3 Prelude was announced last week, just as I was wrapping up my week in Tokyo (Liberty Alliance plenary meeting and Liberty Alliance Day 2008 – more on the latter in another blog entry), so I missed the blog fest. Oh well. Here’s my contribution anyway…

You’ll know by now that GlassFish v3 features a modular architecture based on OSGi, Rails/Grails support, RESTful web services and much, much more. Well, here in OpenSSO-land we particularly like v3’s embeddability and the fact that, as far as we’ve observed, OpenSSO ‘just works’ with no changes for v3. GlassFish v3 isn’t yet on the supported platform list for OpenSSO Enterprise 8.0, but we’ll be adding it in the near future.

Selling Trust

Brad Cox, a regular in the OpenSSO IRC channel, just came out with a line that, I think, perfectly encapsulates the spirit of open source at Sun:

“Sun used to sell bits. Now you’re selling trust. Interesting times!”

Interesting times indeed!