Identity

OpenAM – The Book

Ludo2 Comments

For many years, I’ve been working in collaboration with the Sun access management product team,  as it started working on the Directory Server Access Management Edition (DSAME) product that years later became Sun Access Manager and OpenSSO. And now that I’m at ForgeRock, I have the pleasure to keep working with some members of that team, on OpenAM, the continuation of the OpenSSO open source project.

My knowledge of the product is rather shallow as I’ve worked on several case studies or issues related to customers and LDAP directory servers, but I never had a chance to deploy a service for production use or even extensive testing.

So when I learnt that Packt Publishing was releasing a book on “OpenAM”, writen by Indira Thangasamy, an ex-colleague of mine and manager of the Quality Assurance team, I asked if I could get a copy for review, which Packt kindly agreed to.

I haven’t finished the book yet, as it’s over 250 pages of content, covering all aspects of the OpenAM software, from its history, its components and services, to its integration with Google Apps or SalesForce… But from what I’ve read (about 2/3 of the book), I can say that the book is easy to read and well organized. It helps a beginner to grasp the concepts and starts using the product, thanks to the detailed explanations and diagrams. As the chapters advance and dive into specific technical areas, Indira uses real-world examples and simple code or commands, followed by detailed description to illustrate what OpenAM does or does not, giving a comprehensive picture of the fully featured product.

Some of the features of OpenAM are not covered in the book, like Federation or the most recent Entitlement Services or Secure Token Services. I hope they will be covered in a revised edition or may be another book, as these features are becoming more used and important to enterprise security and access management.

In summary, if you’re about to, or have just started to engage on a project with OpenAM, this book will help you understand the technology and ease your ramping up. But even for the more experienced users of OpenAM, the book contains full of details, tips and example that will save you time and make you more efficient.

You can find the book on Pack-Publishing web site or Amazon.

New releases of OpenAM and OpenDJ !

Ludo7 Comments

It’s the happy hour, with a double release day at ForgeRock.

OpenAM 9.5.2 has just been released, along with the J2EE Agents 3.0.3 and are now available for downloads from ForgeRock. You can find the release details in the Release Notes.

OpenDJ 2.4.1 has also been released today. The patch release can be found on the Downloads page in various forms: Java WebStart Installer, Zip package or SVR4 package. The Release Notes have been posted on the Documentation wiki.

The First OpenAM Book

Ludo1 Comment

OpenAM Book CoverThe first book on OpenAM, the open source web single sign-on and federation project, will be released very soon (it should be Jan 21st 2011), and it’s been written by one of my former and well esteemed colleague Indira Thangasamy.

I haven’t reviewed the book yet, but I’m expecting to have a review copy in my hands pretty soon (thanks again Indira and Packt Publishing).

However, if you want to get a feel of the book content, Indira has posted a very detailed table of content of the book, and some background information about it. I’m really looking forward reading the book and discovering some hidden gems of OpenAM. Also, this will help me to rethink the way the Configuration Store and User Store are considered and help improving the integration with OpenDJ, the Open source LDAP Directory services in Java, currently used as the embedded configuration store.

The book is already available for Pre-Order.

OpenSSO Community changes

LudoLeave a comment

Hubert LVGI just saw that my colleague Hubert Le Van Gong has been elected to replace Pat Patterson as the OpenSSO Community Lead.

It is sad to see Pat leaving Sun. Pat has been a source of inspiration in my role as OpenDS Community Manager and we’ve been collaborating in numerous occasions.

Hubert definitely has the skills and the experience to lead the OpenSSO community and oversee all Sun Identity related open source projects. Another good thing is that Hubert and I are both working out of the Grenoble Engineering Center, in France. So I’m expecting some tighter collaborations between the projects and the communities.

Welcome on the community leadership side, Hubert !

Technorati Tags: , ,

OpenDS, OpenSSO and Identity at large

LudoLeave a comment

On the first week of May, I was in Munich for the European Identity Conference hosted by Kuppinger-Cole.

This was my first participation and I was delighted to meet with several of the experts in the area as well as some OpenDS customers or users, whom I’ve mostly "known" only through blogs or emails. I had discussions with Kim Cameron, Jackson Shaw and James McGovern. We shared tea with Felix Gaehtgens and Prateek Mishra. The conference was also the opportunity to talk with and listen to some of my Sun colleagues that I don’t get to see often like Fulup Ar Foll and Eve Maler. I must say that both of them did pretty interesting presentations.

Eve

Eve’s keynote on the first day of the conference brought the case for "permissioned data sharing" and was very well argued. It was the first time that I heard about User Centric identity and VRM tied together and even with a proposed solution.

Fulup

On Wednesday, Fulup did a very thought provocative (and fast forward) presentation about Digital Identity in the cloud, where he explained the identity management concepts are inherited from a centralized vision of the world and they would not fit well with the cloud, nor scale to the internet. He proposes to look at how mobile operators are solving massive identity scale and to leverage existing SAML2 and Liberty defined services to build the "lazy" identity architecture.

On Thursday I was to take part of a panel discussion on the subject of "The Identity Bus" or the future of Directory Services (should I say Identity Services ?), moderated by Felix Gaehtgens. The panel was an opportunity to see again Steve Shoaff, CEO of Unboundid but previously my manager, and to meet both Dale Olds of Novell and Prateek Mishra of Oracle. I don’t know if we’ve been able to give a good idea of what this "Identity Bus" would look like, but it’s definitely "something" in between applications and the data layer, and will probably use a set of protocols like SAML2 and XACML. After the panel, James McGovern asked me when OpenDS will support IGF and CARML. Since both are abstractions and APIs for applications to express their need in term of identity related data, I don’t think they are appropriate for an LDAPv3 directory server. But I do see a layer on top of Virtual Directories or Directories that is able to consume those and translate them into appropriate functions.

Right after that Panel, Mark Craig was taking part on a panel discussion on Virtual Directories, along with Sampo Kellomäki of Symlabs, Michel Prompt of Radiant Logic and Keith Grayson of SAP.

On the Tuesday, Pat Patterson and Daniel Raskin hosted the second OpenSSO Community Day, and it was a great success, with over 50 attendees, a day packed of presentations with a very good balance of users and deployers talks vs Sun employees’ talks.

Like in New-York, I talked about OpenDS, its goals and roadmap and why it’s the perfect companion to OpenSSO as the Users identity store. Most of the presentations from the OpenSSO Community Day have been posted on the event wiki page. And if you could not make it to New-York or Munich, we’re having a 3rd OpenSSO / OpenDS / Identity Connectors Community Day in San Francisco on Sunday May 31st at the Moscone center, starting at 1pm. The event is free, but please RSVP. And I hope to see you there.

Photo

And congratulations to Pat, Daniel and the whole OpenSSO team, for the Fedlet, winner of the "Best Innovation Award".

Overall, I found the conference really good and interesting and it helped me to put back the work we’re doing in the Directory Services engineering team, in the larger picture of Identity management.

Technorati Tags: , , , , ,

Sun OpenSSO Enterprise 8.0 is out

LudoLeave a comment

Around 2001, I was collaborating with Jamie’s team to build iPlanet Directory Server Access Manager Edition, an addition on top of the successful iPlanet Directory Server.

Many years later, after many branding changes, a tons of new functionalities and supported standards, a successful open sourcing of the code and much investment in ease of use, Sun has just released the first commercial version of the OpenSSO project : Sun OpenSSO Enterprise 8.0.

Sun OpenSSO Enterprise

OpenSSO still makes a great use of LDAP directory servers, but has even gone one step further as it includes an embedded OpenDS directory that can be used as a user store or configuration store, providing an unmatched out of the box user experience.

You can get Sun OpenSSO Enterprise 8.0 now, and if you want to learn more about it refer to the Product page.

Technorati Tags: , , , ,

OpenSSO Enterprise 8 unveiled…

LudoLeave a comment

OpenSSO Enterprise 8.0 visual
Yesterday, OpenSSO Enterprise 8.0 was launched in SecondLife.

In a very well attended session, Daniel Raskins and Jamie Nelson showed how OpenSSO Enterprise 8.0, known in its last release as Sun Access Manager, adds many new features, as well as being the first commercial release from the open source OpenSSO project.

What impress me most with OpenSSO Enterprise is the amount of work that has been put on user experience, simplifying the life of developers, deployers and administrators. With new features such as the embedded OpenDS LDAP server as the configuration store, the Fedlet, the Identity Services or the Java Web Start Installer

Check out a replay of the SecondLife Launch to get a sense of all the cool new features and capabilities.

Technorati Tags: , , , ,

Paris Identity Management User Group (March 21st 2007)

LudoLeave a comment

Last week a Sun Identity Management User Group meeting was held in Paris. The attendance was really good, and in fact exceeded the room capacity as several customers turned out without pre-registering. I was really impressed by the diversity of customers, and the fact that they were coming from all over Europe (Czech republic, Slovakia, Lithuania, Poland, Greece, Italy, Portugal, Germany, Netherlands, Belgium, UK, France, …).

The Identity Marketing team came in force with Andy Land, Don Bowen and Etienne Remillon (left to right).

Identity Management Marketing Team

Etienne, Directory Senior product manager, presented Directory Server Enterprise Edition 6.0 and demoed the new graphical console : Directory Service Control Center, and Virtual Directory Server.

Overall it was a good day of interaction with our customers, trying to understand their needs and their issues with our identity management products. If you’re a Sun customer, using Directory Server or other Sun Identity product, I would strongly encourage you to participate. Your feedback is important for us.

Question and Ansers

IETF meeting in Paris

Ludo1 Comment

This week I was in Paris for the 63rd IETF meeting.

Though I mainly go to the IETF to work on LDAP (both with the LDAPBis working
group and as an individual contributor -for example with the LDAP
password policy- ), I often go to other working groups and BOF sessions
to get a sense of what’s going on in the Internet community (at least
in the areas that I understand).
And this time, the buz was clearly around the recent vulnerabilities
with the use of one-way hash functions such as MD5 and SHA1. With the
increasing computation power of computers and the ease of deployment of
man-in-the-middle attack, these functions are no longer considered as
secure enough. And so are authentication mechanisms based on cleartext
challenge-response exchanges. For Directory Server’s customers, this
means that the way to secure their authentication t0 LDAP is to use TLS
either via the use of StartTLS extended operation or LDAP over SSL.
Once the connection is secured, the authention could be based on the
Simple bind, Sasl Bind with Digest-MD5 mechanism or with exchanged
certificates.

On the LDAP front, the participation is diminishing (mainly remains
Novell, OpenLDAP and Sun) but the work of revising the LDAPv3
specification for clarification and better interoperability is mainly
done. The last remaining issues were hammered this week (hopefully) and
we are expecting RFC publication before or around next IETF meeting.


LDAPers in IETF action: Roger, Kurt, Jim and Ludo (left to right).

Tags: LDAP IETF Directory Server

Planet Identity

LudoLeave a comment

I’ve been running a Sun internal version of Planet Identity for about 6
months now, as a way to follow the very interesting discussions about
Identity that are covered in several blogs.
And then came SuperPat and in a couple of days he registered the planetidentity.org domain, got the Planet software installed and configured and Planet Identity is now live.
There are already lots of feeds aggregated on Planet Identity, but if you know some that should be there send a note to Pat.

Victim of Identity theft ?

LudoLeave a comment

Just hilarious.

Pretty close to be the winner

LudoLeave a comment

Sun Java Directory Server Enterprise Edition 2004Q2 was a finalist in the annual eWeek Excellence Award competition, in the Authentication and User Management category but in the end didn’t win, RSA Federated Identity Manager did.

Anyway, Sun won 2 awards in this competition:

The use (or non-use) of DSML…

Ludo7 Comments

SuperPat aka Pat Patterson, one of our expert on Sun Java System Access Manager,  is asking if anyone uses DSML ?
After co-authoring the DSMLv2 specifications with Microsoft, we implemented it in the Sun Java System Directory Server 5.2 nearly 2 years ago, provided some client tools in the Directory Server Resource Kit,  and still we haven’t heard of any customer’s deployment using DSML.
I did get some reports from the field of some evaluation of DSMLv2, got
a few questions with regards to security and authentication, a couple
of queries on the performances… but still I have not heard from any
use in production.
And the last time I discussed about DSML with a friend who works for Novell, he basically said the same thing.

Still DSML is coming back in conversations some time to time, like
today as DSML was mentioned on the OpenLDAP mailing list with a proposed implementation of the client and the server side.

So, I’ll re-iterate Pat’s question: Is anyone using DSML ?

National secure digital identity card in France

LudoLeave a comment

The french goverment is planning on introducing (following some
european requirements) a secure digital national Identity program.
The idea is to replace the current national id with a smartcard
containing fingerprints and photo (digitally signed) and potentially to
use the card for other applications such as medical records, e-voting
or banking services…
To make sure
that the french government understands  what are the people concerns, it has launched a website for information and discussion including  a forum.

The rest is in french on the site for the “Debat National sur la carte d’identite electronique

Debat national sur la carte d’identite electronique

L’opinion publique est notamment sollicitee sur les themes suivants : 

  • Le principe de la mise en place d’une carte nationale
    d’identite electronique sur laquelle une puce electronique contiendrait
    l’empreinte digitale et la photo du detenteur ;
  • Les garanties souhaitees en termes de protection de la vie privee ;
  • L’acces, depuis cette carte, a d’™autres applications comme des services
    administratifs (teleprocedures, e-vote…), ou encore des services
    marchands (services bancaires, achats en ligne, abonnements divers…) ;
  • Les modalites pratiques souhaitees  : lieu de delivrance, prix eventuel d’une telle carte, etc.

A quick and not so dirty HowTo documentation for Directory Server configuration

Ludo

Dave recently blogged A quick and dirty HowTo manually configure Directory Server, where he explained how to configure Java Enterprise System Directory Server on Sparc from the command line.
The good news is that all of what he said was not only fully accurate but based on public interfaces and thus fully supported.
The explainations stand for the Java ES version of Directory Server on Solaris (sparc or x86), installed as native packages, and the steps described in his entry are written in our Installation and Tuning Guide.
The same steps will also work with Java Enterprise System 2004Q2 Directory Server on Linux, since we also support RPM packages and delivered the directoryserver utility (the path is different though: /opt/sun/sbin/directoryserver).
And of course, this will continue to work with Java Enterprise System 2005Q1 which is currently in the beta phase.