Welcome Indira – Another Access Manager/OpenSSO Blogger

Indira Thangasamy has been blogging about Access Manager and OpenSSO for a few weeks now. Indira has some great tips on configuring and deploying AM and OpenSSO – essential reading if this is your thing.

This brings the current count of bloggers in the AM/OpenSSO engineering team to 5:

If you’re working with AM and/or OpenSSO, you’ll want to subscribe to all of these!

Recently Asked Questions on OpenSSO

OpenSSO is really taking off now – the number of participants continues to grow daily, we’ve had some really interesting discussions on the IRC channel, and folks around the world are writing their own how-to guides.

A couple of related questions have arisen recently: “How, exactly, are OpenSSO, Access Manager and Federation Manager related?” and “Can I get support on OpenSSO?”. These questions are only partly answered in the OpenSSO FAQ, so I’ll give full answers here and push them into the FAQ for future reference.

Q1: How, exactly, are OpenSSO, Access Manager and Federation Manager related?

OpenSSO is based on the Access Manager 7.0 codebase. There are some changes – for example, Access Manager contains some third party source code which we cannot redistribute – but we have worked to minimize these. The next versions of Federation Manager and Access Manager will be built from the OpenSSO source – just like Sun Java System Application Server is built from the Glassfish source. When we are happy that OpenSSO contains the features we want to release in the next AM/FM product release, we will branch the code and stabilise the release branch – all in public. New feature development can continue on the trunk, and fixes in the release branch will be copied to the trunk.

Q2: Can I get support on OpenSSO?

The short answer is “No.” Sun will support Access Manager and Federation Manager, which will, as noted above, be built from the OpenSSO source. However, we never say never. If there is sufficient demand, we will consider other support offerings.

The best place for follow-up discussion on these topics is the OpenSSO users mailing list (click here, log in and scroll down to users@opensso.dev.java.net to subscribe), but feel free to leave comments here also.

Q3: Is OpenSSO exactly the same as Sun AM 7.1 from the end-user perspective? Can I use all the Sun AM 7.1 beta docs for OpenSSO? If there are differences, what are they? (Added 12/8/2006)

Right now (Dec 8 2006), there are some deltas between AM 7.1 and OpenSSO. Due to schedules and logistics, work on AM 7.1 and OpenSSO proceeded in parallel. We are porting all AM 7.1 features and fixes to OpenSSO right now. For the most part, you can use AM 7.1 beta docs, but there are some differences:

  • Policy Agent 2.2 for Web Services. To be added to OpenSSO.
  • Java Management Extensions (JMX) support. To be added to OpenSSO.
  • There is no federation console in the Open Federation build of OpenSSO, although all federation features are present and configurable from the command line. We are migrating the entire console from JATO (Sun’s previous, proprietary web application framework) to JavaServer Faces (JSF) – the federation console will be the first to move over.
  • Numerous minor bug fixes and RFEs. To be added to OpenSSO.

OpenSSO – the Brazilians are here!

Wow – I just received an email from Rodrigo Urubatan on the dev@opensso.dev.java.net mailing list:

I have just written a step-by-step start-up for OpenSSO in Portuguese. The link is here. Don’t know if I’ll use it yet, but I have loved this piece of software 😀

I’m blown away – we already have a truly global OpenSSO community. I guess this is what James Gosling refers to as ‘the Brazilian effect‘. (Actually, Google tells me that Jonathan coined that phrase in this blog posting, but you get the gist.)

OpenSSO T-Shirts and Meet Up Next Week at DIDW

We’ll be having an OpenSSO meet up next week at the Digital ID World Conference at the Santa Clara Marriott. We’ll meet at the Sun booth (#300, located at the front of the exhibit hall) at 6pm on Monday September 11th. Anyone registered on the OpenSSO project is welcome. After t-shirt distribution (see below) we’ll adjourn to the nearest bar.

We’ll also be giving away t-shirts (photo to follow – they’re arriving today) to OpenSSO participants (hint – sign up here!) throughout DIDW. Just come to the Sun booth, log in to the OpenSSO site to demonstrate your bona fides and claim your shirt.

See you next week!

OpenSSO: “It’s alive! Alive, I tell you!”

Where does that line come from? I just tried googling it, and all I get is usage, no citation…

Anyway – the point of this post is that we have ‘thrown the switch’ on OpenSSO – we are turning on write access to the source tree. Here is the text of the official announcement:

Welcome to the official launch of the OpenSSO project and community site. OpenSSO is an open source access management software distribution that provides the means to build authentication, authorization, and session management for Java and web applications and web services. OpenSSO is the result of a close collaboration between a community of developers and Sun engineers working to promote the evaluation, use, and innovation of identity and access management technology. And, since Sun will be basing the Sun Java System Access Manager product on OpenSSO, eventually everything that is committed to the OpenSSO source will end up running in real, production deployments.

So what happened today? In simple terms, we are finally turning on full read and write access to the source code. What does that mean for you, the developer?

Through the OpenSSO project site, we invite you to participate in the development process by reviewing source code, providing input on features, submitting bug fixes, requesting new functionality, and spearheading other improvements. You can check out source. You can download and deploy the J2EE web application archive. You can break it, fix it, write about it, and talk about it. Or, simply join in the technical discussions.

We thank you for participating.

Right now we are assembling the initial list of committers – mostly the Sun engineers that built Access Manager and OpenSSO, but also likely some external folks with a history of working with Access Manager at a low level.

If you’d like to get more deeply involved with OpenSSO, perhaps even to the extent of submitting code and then even becoming a committer, check out the governance.

IRC Channel for OpenSSO

I just established an IRC channel for OpenSSO on Freenode: #opensso. The idea is that this will serve as a ‘virtual watercooler’ – a venue for informal chat on any topic connected to OpenSSO. It will probably take a few days to get going, but it should soon become a useful venue for anyone using or developing OpenSSO.

Fire up your IRC client and I’ll see you there! 🙂

UPDATE – btw – if you see ‘metadaddy’ on the IRC channel – that would be me.

OpenSSO Limitations?

Marty (I’m guessing this is Marty Heyman of Symas) has posted an entry regarding OpenSSO. I can’t see a way to post comments or otherwise respond on Marty’s blog, so I’ll do so here. Marty says:

[…] OpenSSO … from the same blog … Web SSO, of course. You knew that. It’s a centrally controlled service that creates and maintains a verifiable user session and creates an audit trail. Applications use the central service to verify that the user is in session and to report audit events [from the architecture document].

Let’s see, you have to modify every app to use the service, like that’s going to happen, and you’re going to introduce another single point of failure server.

If you read a little more of the linked architecture document, you will discover that OpenSSO uses agents to SSO-enable web containers. The agent is essentially a filter in front of the container: on every request it refers to the central service to determine the user’s identity and whether she should be given access to the requested resource, so the application behind it never has to validate the session itself. Section 4 of the architecture document describes this in the context of OpenSSO. The reference to ‘applications’ as well as agents recognizes that any application accessed via HTTP can participate in SSO. So yes, if you have a custom HTTP app that doesn’t run in a supported container, you’ll have to do some enabling. If your app runs in a web container, you just have to deploy and configure an agent. Access Manager (OpenSSO’s ‘parent product’) provides agents for a huge variety of containers. We will be releasing the code for a couple of agents into OpenSSO in March.

Marty goes on to say

Under Limited scope of SSO we find “web applications that are hosted on servers that do not reside in the domain of OpenSSO services deployment will not be able to participate in SSO” …. a small and probably disqualifying limitation. Children and their toys.

I would hardly describe OpenSSO as a toy – it is based on Sun’s Java System Access Manager. OpenSSO provides SSO across systems in a single domain, so you could SSO across www.example.com, www.subdomain.example.com, hr.example.com etc. This limitation is a consequence of the cookie-based implementation that OpenSSO uses: a browser only sends the session cookie to hosts that match the cookie’s domain attribute, so a cookie scoped to example.com reaches every host under example.com but can never be sent to www.partner.com. To cross domains like that, you need federation. Federation capability is not currently in the OpenSSO roadmap.
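The agent/central-service split described in the reply above, together with the single-domain cookie limitation, as an added example that is not OpenSSO’s or Access Manager’s code: a toy Python model with a central session service that issues opaque tokens and keeps an audit trail, an agent acting as a per-container filter that asks the service rather than trusting the cookie, and a browser cookie jar that applies RFC 6265 domain matching. The host names, cookie name, policy table and users are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match: the host is the cookie domain itself or a subdomain of it."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


@dataclass
class SessionService:
    """Central SSO service (constructed stand-in): issues opaque session tokens, records an audit trail."""
    cookie_domain: str                      # the SSO domain, e.g. "example.com"
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def login(self, user):
        token = secrets.token_urlsafe(16)   # opaque: nothing about the user is encoded in it
        self.sessions[token] = user
        self.audit.append(("login", user))
        return token

    def validate(self, token):
        """Return the user for a live token, or None. Agents never trust the cookie value by itself."""
        return self.sessions.get(token)

    def record(self, event, user, host, path, outcome):
        self.audit.append((event, user, host, path, outcome))


@dataclass
class Agent:
    """Filter deployed in front of one web container; every request passes through handle()."""
    host: str
    service: SessionService
    policy: dict                            # path prefix -> set of users allowed (longest prefix wins)
    cookie_name: str = "ssotoken"

    def handle(self, path, cookies):
        token = cookies.get(self.cookie_name)
        user = self.service.validate(token) if token else None
        if user is None:
            # No valid session: redirect the browser to the central login page (hypothetical URL).
            goto = f"https://{self.host}{path}"
            return 302, f"https://login.{self.service.cookie_domain}/login?goto={goto}"
        matching = [p for p in self.policy if path.startswith(p)]
        rule = max(matching, key=len) if matching else None
        allowed = rule is not None and user in self.policy[rule]
        self.service.record("access", user, self.host, path, "allow" if allowed else "deny")
        return (200, f"hello {user}") if allowed else (403, "forbidden")


class Browser:
    """Minimal cookie jar: a cookie is sent only to hosts that domain-match its Domain attribute."""
    def __init__(self):
        self.jar = []                       # (domain, name, value)

    def set_cookie(self, domain, name, value):
        self.jar.append((domain, name, value))

    def request(self, agent, path):
        cookies = {n: v for d, n, v in self.jar if domain_matches(agent.host, d)}
        return agent.handle(path, cookies)


def demo():
    svc = SessionService("example.com")
    policy = {"/admin": {"alice"}, "/": {"alice", "bob"}}
    www = Agent("www.example.com", svc, policy)
    hr = Agent("hr.example.com", svc, policy)
    partner = Agent("www.partner.com", svc, policy)   # same service, but outside the SSO domain
    browser = Browser()

    before = browser.request(www, "/")[0]             # no session yet: redirected to login

    # Log in at the central service; the cookie is scoped to the whole SSO domain.
    browser.set_cookie("example.com", "ssotoken", svc.login("alice"))
    results = {
        "before_login": before,
        "www": browser.request(www, "/")[0],          # cookie sent, session valid
        "hr": browser.request(hr, "/admin")[0],       # subdomain shares the cookie, alice allowed
        "partner": browser.request(partner, "/")[0],  # cookie never leaves example.com: redirect
    }

    # A forged cookie value is rejected because the agent asks the service, not the cookie.
    forged = Browser()
    forged.set_cookie("example.com", "ssotoken", "not-a-real-token")
    results["forged"] = forged.request(www, "/")[0]

    # A valid session is not authorisation: bob is in session but not allowed under /admin.
    bob = Browser()
    bob.set_cookie("example.com", "ssotoken", svc.login("bob"))
    results["bob_admin"] = bob.request(hr, "/admin")[0]
    results["audit_denies"] = sum(1 for e in svc.audit if e[-1] == "deny")
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

The partner.com request fails not because the service rejects it but because the browser never presents the cookie; that is the exact limitation Marty quotes, and the reason a cross-domain deployment needs a federation protocol rather than a cookie. Note also the two checks an agent keeps separate: the session check (is this token live?) and the policy check (may this user reach this resource?), with the deny recorded centrally either way.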

More OpenSSO Goodness – Authentication Source and Demo

We hit another OpenSSO milestone earlier this week, opening up the Authentication Service (announcement and instructions for getting it). A good place to start is probably the Authentication Service Architecture document, but who ever reads the docs first? Download the source, build it, run the demo, think about how you can bend it to your needs.

Here’s an exclusive snippet from an internal email from one of our QA engineers today (Hi Indira!). By the way, these guys are really hard to impress…

I have just validated the SSO token created by the OpenSSO server using the demo app. It works just GREAT!! Right now I have only good things to say:

  • Compiled in just 49 secs on Solaris 10 SPARC
  • Docs are pretty good
  • Used 2 physical hosts
  • Client and server are both deployed on Tomcat 5.5

Great work !!

If you haven’t already got a java.net ID, here’s a handy link to the registration page. If you already have an ID on java.net, you’ll need to join the project to post in the forums. (Thanks, cmort, for pointing out that this last constraint isn’t entirely obvious on the site).