From the Trenches – Jamie Nelson on Web Access Management

Sun Developer Network tech author Marina Sum starts a new series of interviews this week with OpenSSO’s benevolent dictator and Sun’s director of engineering for access and federation management, Jamie Nelson (my boss, so I’d better be careful here!).

In the interview, Jamie explains how web developers need to consider security, but, at the same time, avoid hard-coding it into their apps. Some great tips and useful links for any web developer – read the article here!

FAMTalk 02: Federation

I just uploaded the second FAMTalk podcast – this time, I have the host’s seat, presenting ‘Federation’, with a particular focus on SAML 2.0. You can download a PDF plus MP3 or AAC files from, or simply subscribe to FAMTalk via iTunes or RSS.

We had some frustrating technical problems recording this episode – the Sony USB headset (UAB-260) I was using developed an annoying crackle about halfway through the program. Unplugging, replugging, rebooting – nothing made it work for more than a few minutes at a time. After wrestling with it for an hour, we decided to just record the outro segment together and I ordered a Griffin iMic to replace the Sony USB Audio box (the headset itself seemed ok) to fill in the gap on my own.

The funny thing was, I got a bit of a cold between the first recording and the second, so the transitions between the different segments are quite obvious – you can hear me get sick and recover, all within an hour.

Fine-Grained Authorization with Sun Java System Access Manager

Following on from last June’s Sun Developer Network article on Basic Authorization with Sun Java System Access Manager, Robert Skoczylas of Indigo Consulting and Sun tech author Marina Sum recently published a second article, Developing Secure Applications with Sun Java System Access Manager, Part 2: Advanced Authorization.

This time, Robert and Marina look at how Sun Java System Access Manager can be used as a general purpose policy store, and, with some customization, can provide fine-grained authorization for UI elements rendered by both Java and .NET web applications. This is a great article to read if you’ve wondered how Access Manager can be used to authorize access to resources other than the usual web page URLs.

Introducing FAMTalk

As Terry Sigle blogs today, FAMTalk (feed) went live this week. FAMTalk is a monthly podcast focusing on federation and access management (the FAM of the title) and their implementation in Sun Java System Federated Access Manager (the forthcoming next version of Access Manager) and OpenSSO. Your regular hosts will be Tim Campbell (Sun Partner Enablement), Steven Jarosz (Sun Americas Software SE – Federal), Terry (Sun Americas Software SE – Telco) and me (OpenSSO ‘community guy’).

In episodes 1a and 1b (we split the original 1hr 40mins or so in two), Tim presents Access Manager 101. You can download a PDF plus MP3 or AAC files from, or simply subscribe to FAMTalk via iTunes or RSS. Apparently the AAC files include the slides, which should play in sync with the audio on many iPods. I need to go check it out on my iPhone and see how it looks…

FAM 8.0 Puts the ‘Full’ in ‘Full-Matrix SAML 2.0 Interoperability Testing’

As you might have just read, Liberty Alliance recently completed its first ‘full matrix’ SAML 2.0 interoperability test. Not only was Sun amongst the successful participants with its upcoming Federated Access Manager 8.0 product, we were the only participant to successfully test every conformance mode. Daniel, of course, beat me to the punch on this one, though I like to think my entry is laid out a little more neatly.

I’ll also take this opportunity to point out that, although Federated Access Manager 8.0 is scheduled for release next year, you can get the code and binaries right now via the OpenSSO project – in fact, we just released ‘build 2’ of OpenSSO v1, which includes the tested code.

I’m the Leader, I’m the Leader…

…I’m the Leader of the Gang (I Am)!!! I know – Gary Glitter has fallen long and hard, but it’s still a great song and appropriate for today – Gartner has placed Sun Java System Access Manager in the leader quadrant of their Magic Quadrant for Web Access Management, 2H07 [PDF]. I happen to think that they have under-rated us somewhat on our completeness of vision, but I can’t argue with the rating on ability to execute.

One thing worth mentioning is that one of the ‘cons’ listed for Sun – “Sun does not support ADFS/WS-Federation in its federation tools” – will be addressed in the next release – Federated Access Manager 8.0 – and is already in OpenSSO. So, if your existing infrastructure leans to the MS side, but you need world-class web access management, federation, identity web services and more, scoot on over to OpenSSO and take a look.

Access Manager FAQs and Identity Services at Sun Developer Network

It’s been a busy couple of weeks, what with a trip to Tokyo, a typhoon on the day I flew out, an earthquake at home and the usual backlog of 1000 emails that follows any trip away from the office, so please excuse the recent dearth of blog entries!

On returning, I was pleased to see Sun Developer Network’s identity pages have continued their expansion. The latest additions are:

Kudos to Marina and Aravindan for their tireless work on the Sun Developer Network identity pages – if you’re working with Sun Java System Access Manager and related products, you should definitely subscribe to the feed.

FAM 8.0 Build 1 is here!

Last Friday we declared ‘build 1’ of Sun Java System Federated Access Manager 8.0. This is the initial build (from the OpenSSO code) that we (engineering) handed off to QA to start the official countdown to FAM 8.0. Congratulations to both the FAM engineering team and the wider OpenSSO community on this huge milestone.

You might have seen Daniel’s outline of the new features in FAM 8.0 – some of these goodies, such as WS-Federation and web services security, are in build 1; others, such as centralized server and agent config, will arrive later. As Daniel mentions, heterogeneity is a big focus in this release – the release notes cover installation on a host of containers – GlassFish v2/Sun Java System Application Server 9.1, Sun Java System Web Server 7.0 U1, BEA WebLogic Server 9.2 and 10.0, IBM WebSphere Application Server 6.1, Oracle Application Server 10g, and Apache Tomcat 5.5.x.

So, grab the zip, throw it on your favorite container and let us know of any issues! (You’ll need to be a project member to file an issue – join OpenSSO here.)

SSO from Sun Java System Access Manager to Outlook Web Access 2003

Completing our trilogy of articles on integrating Sun Java System Access Manager with Microsoft web applications is Sun and Microsoft Interoperate for Web Authentication, Part 3 – Sun Java System Access Manager and Microsoft Outlook Web Access for Exchange Server 2003. This time, Marina Sum, our resident technical author, and Madan Ranganath, Access Manager policy agent engineer, focus on single sign-on from Access Manager to OWA 2003.

If you work your way through the first two installments, covering IIS and SharePoint Portal Server 2003, and this final article, you’ll know pretty much all there is to know about single sign-on between Access Manager and Microsoft’s web applications.