Archive for the ‘OpenSSO’ Category

OpenAM 10.0.0 is now available…

Posted in ForgeRock, Identity, OpenAM, opensource, OpenSSO, release, security, websso on April 16th, 2012 by Ludo – Comments Off

This is a big milestone for ForgeRock and the OpenAM project, an open source WebSSO, Authentication, Authorization, Federation and Entitlements solution. After months of development (a few more than we anticipated), we’ve finally released OpenAM 10.0.0, a major version of the product.

OpenAM 10 brings a set of new features, including support for OAuth 2.0 client authentication, the ForgeRock Identity Gateway (built out of project OpenIG), enhanced SAML 2 identity provider capabilities, a new Risk Based Authentication module, … It also now relies on OpenDJ 2.4.5, the latest stable release of OpenDJ, the open source LDAP directory server, and supports the internet-draft based LDAP password policy. You can find more details in the press announcement, or the product release notes. The documentation of the OpenAM 10 release can be read at http://docs.forgerock.org/en/index.html?product=openam&version=10.0.0.

The OpenAM 10 release owes a lot to the OpenAM community, for the issues raised: a total of 41 issues fixed in OpenAM 10 were raised by 26 different persons, and for the generous patches offered to fix over a dozen of these issues.
To each and every contributor: THANK YOU!



OpenAM – The Book

Posted in access-management, authentication, authorization, book, Federation, ForgeRock, Identity, OpenAM, opensource, OpenSSO, review, security, sun on April 6th, 2011 by Ludo – Comments Off

For many years, I’ve been working in collaboration with the Sun access management product team, as it started working on the Directory Server Access Management Edition (DSAME) product that years later became Sun Access Manager and OpenSSO. And now that I’m at ForgeRock, I have the pleasure to keep working with some members of that team, on OpenAM, the continuation of the OpenSSO open source project.

My knowledge of the product is rather shallow as I’ve worked on several case studies or issues related to customers and LDAP directory servers, but I never had a chance to deploy a service for production use or even extensive testing.

So when I learnt that Packt Publishing was releasing a book on “OpenAM”, written by Indira Thangasamy, an ex-colleague of mine and manager of the Quality Assurance team, I asked if I could get a copy for review, which Packt kindly agreed to.

I haven’t finished the book yet, as it’s over 250 pages of content, covering all aspects of the OpenAM software, from its history, its components and services, to its integration with Google Apps or SalesForce… But from what I’ve read (about 2/3 of the book), I can say that the book is easy to read and well organized. It helps a beginner to grasp the concepts and start using the product, thanks to the detailed explanations and diagrams. As the chapters advance and dive into specific technical areas, Indira uses real-world examples and simple code or commands, followed by detailed descriptions to illustrate what OpenAM does or does not, giving a comprehensive picture of the fully featured product.

Some of the features of OpenAM are not covered in the book, like Federation or the most recent Entitlement Services or Secure Token Services. I hope they will be covered in a revised edition or maybe another book, as these features are becoming more used and important to enterprise security and access management.

In summary, if you’re about to, or have just started to engage on a project with OpenAM, this book will help you understand the technology and ease your ramping up. But even for the more experienced users of OpenAM, the book is full of details, tips and examples that will save you time and make you more efficient.

You can find the book on the Packt Publishing web site or Amazon.



ID-Porten

Posted in ID-Porten, Identity, OpenSSO, trust on March 1st, 2011 by jonathan – Comments Off

Norway is in a nice place when it comes to national identity federation. Aside from having the will to make it work, there are the very practical advantages of a unique national identifier and a trusting population to match. The child of these factors was a project called “MyID” that provided citizens with an authentication solution based on reusable pin codes and federating according to the SAML2 standard.

Since its inception the solution has developed; or rather its goal has moved and the system has adapted. Back in the day, MyID was created to meet a specific need: authentication for the service aggregation portal “MyPage” that would support magic links (read: single sign on with aggregated services). Today, MyID has been superseded by ID-Porten which wraps the original pin code solution in a solution which also offers other authentication methods from smart-card based identity providers as of version 2.0, and that provides authentication for over 180 public service providers.

My personal satisfaction comes from seeing a national federation solution succeed so grandly; the majority of the Norwegian population over 13 use MyID/ID-Porten when interacting with the government! And did I mention that it is running on some fantastic open source access management software? :-)

PS: I mentioned the Norwegian national identifier as a practical advantage, but didn’t claim that this was the right way to do it. Certainly the direction has to be away from using a single identifier even if it does make life easier, and thankfully this is where I understand ID-Porten to be headed.

The First OpenAM Book

Posted in access, authentication, authorization, book, ForgeRock, Identity, OpenAM, opendj, opensource, OpenSSO on January 11th, 2011 by Ludo – Comments Off

The first book on OpenAM, the open source web single sign-on and federation project, will be released very soon (it should be Jan 21st 2011), and it’s been written by one of my former and well esteemed colleagues, Indira Thangasamy.

I haven’t reviewed the book yet, but I’m expecting to have a review copy in my hands pretty soon (thanks again Indira and Packt Publishing).

However, if you want to get a feel of the book content, Indira has posted a very detailed table of contents of the book, and some background information about it. I’m really looking forward to reading the book and discovering some hidden gems of OpenAM. Also, this will help me to rethink the way the Configuration Store and User Store are considered and help improve the integration with OpenDJ, the Open source LDAP Directory services in Java, currently used as the embedded configuration store.

The book is already available for Pre-Order.



What’s in a name?

Posted in ForgeRock, Open Source, OpenAM, OpenSSO, Trademarks on February 28th, 2010 by jonathan – Comments Off

Names come in all forms and sizes; official and informal, first, middle and last, identifiers and labels. And here is a new type of name: the ForgeRock name.

As Joe Brockmeier discussed in a blog entry last year, Open Source does not normally say anything about the trademarks that may apply to the software. The current situation in Sun-Oracle may leave a number of Open Source projects out in the cold – and when crunch time comes (is it here already?) then this may be a hot issue.

As Oracle recently removed all open downloads from opensso.org, ForgeRock are the new home of binary downloads for the OpenSSO community, providing essentially the same compiled code as before. Except for the name.

So – OpenAM is the new OpenSSO. Remember the name next time you need a build :-)

One month since Sunset

Posted in Community, OpenAM, OpenSSO, Oracle-Sun on February 27th, 2010 by jonathan – Comments Off

One month has passed since Oracle completed their takeover of Sun. That month began with announcements of which products would be “strategic”, and a new company called ForgeRock was born. Relative quiet ensued as Oracle and Sun apparently got down to the internal bit and bolts of merging two organizations. It looks like the time has now come for Oracle to put their Open Source strategy into practice.

On February 24th, the OpenSSO Express builds were removed from opensso.org and the only remaining OpenSSO Enterprise download links to a protected page that requires a support contract with Oracle. At about the same time, the product roadmap on the same site was deleted entirely. Reports about this have started appearing in the media over the last few days, like here and here.

It is too early to draw conclusions, but if this is indicating a future direction then it does not bode well for the community. I don’t believe you can seriously run an Open Source project without providing any binaries. A member of the community who wants to get involved on opensso.org now faces a long series of tasks to check out the source code, set up their build environment and compile the binaries themselves – all this instead of the simple binary download before.

ForgeRock is stepping up to the plate here and providing OpenAM binaries built from the OpenSSO code (the product name is a potential issue so we are using different names), but this still does not change that the steps Oracle have taken over the last few days are in my opinion aimed at stifling the community rather than allowing it to continue to thrive.

The start of all things

Posted in ForgeRock, Open Source, OpenSSO, Oracle-Sun on February 15th, 2010 by jonathan – Comments Off

Everything starts somewhere, and this blog is starting for a reason. We at ForgeRock have recently launched our business and have a lot to say – this blog is one of those ways :-)

So I can start off by saying that the purchase of Sun by Oracle took a long time but was finally completed on January 27th. As you will see from www.forgerock.com, ForgeRock has its roots in the software side of Sun, with almost all our employees having a background from Sun. Naturally we have been interested to see how the takeover would play out, especially with regards to Sun’s open source strategy. Oracle has made several statements about the direction they will be taking including these webcasts.

One of the open source products we are particularly involved in is OpenSSO – a fully-featured, enterprise-class product for authentication, authorization, federation and much more. Oracle has said that OpenSSO will continue as an open source project but that Oracle Access Manager will be their strategic product for web single sign-on, and Oracle Federated Identity Manager for federated single sign-on.

What does the “strategic” product choice mean in practice? Nishant Kaushik (architect for Identity Management products at Oracle) in his blog answers like this:

“Strategic” means that this is the product that we will be innovating and developing new features for.

So according to this Oracle will not be innovating and developing new features for OpenSSO, but still hosting the open source project. This can also be seen on the employee side of Oracle where key players from the OpenSSO team are apparently either no longer working there or have been transferred to other teams.

What is the next step for OpenSSO then?

ForgeRock
